forked from osmocom/wireshark
Adapt to current WS code base to make it compile and run without warnings or errors
Change-Id: I135df8b0e49346e32a19620d52cd1a9a44b4ac08 Reviewed-on: https://code.wireshark.org/review/26426 Reviewed-by: Jörg Mayer <jmayer@loplof.de>
This commit is contained in:
parent
2a3b58d133
commit
68efae8588
|
@ -100,6 +100,7 @@ Broadcom tags (Broadcom Ethernet switch management frames)
|
|||
CVS password server
|
||||
CAN-ETH
|
||||
Excentis DOCSIS31 XRA header
|
||||
F5ethtrailer
|
||||
FP Mux
|
||||
GRPC (gRPC)
|
||||
IEEE 802.3br Frame Preemption Protocol
|
||||
|
|
|
@ -322,6 +322,7 @@ set(DISSECTOR_PUBLIC_HEADERS
|
|||
packet-epmd.h
|
||||
packet-ess.h
|
||||
packet-eth.h
|
||||
packet-f5ethtrailer.h
|
||||
packet-fc.h
|
||||
packet-fcbls.h
|
||||
packet-fcct.h
|
||||
|
@ -954,6 +955,7 @@ set(DISSECTOR_SRC
|
|||
${CMAKE_CURRENT_SOURCE_DIR}/packet-exec.c
|
||||
${CMAKE_CURRENT_SOURCE_DIR}/packet-exported_pdu.c
|
||||
${CMAKE_CURRENT_SOURCE_DIR}/packet-extreme.c
|
||||
${CMAKE_CURRENT_SOURCE_DIR}/packet-f5ethtrailer.c
|
||||
${CMAKE_CURRENT_SOURCE_DIR}/packet-fc00.c
|
||||
${CMAKE_CURRENT_SOURCE_DIR}/packet-fc.c
|
||||
${CMAKE_CURRENT_SOURCE_DIR}/packet-fcct.c
|
||||
|
|
|
@ -576,6 +576,7 @@ DISSECTOR_SRC = \
|
|||
packet-exec.c \
|
||||
packet-exported_pdu.c \
|
||||
packet-extreme.c \
|
||||
packet-f5ethtrailer.c \
|
||||
packet-fc00.c \
|
||||
packet-fc.c \
|
||||
packet-fcct.c \
|
||||
|
@ -1575,6 +1576,7 @@ DISSECTOR_INCLUDES = \
|
|||
packet-epmd.h \
|
||||
packet-ess.h \
|
||||
packet-eth.h \
|
||||
packet-f5ethtrailer.h \
|
||||
packet-fc.h \
|
||||
packet-fcbls.h \
|
||||
packet-fcct.h \
|
||||
|
|
|
@ -1,279 +0,0 @@
|
|||
F5 Ethernet Trailer Plugin
|
||||
Version 1.11 Aug 19, 2017
|
||||
(c) F5 Networks, 2007-2017
|
||||
|
||||
Supported Platforms:
|
||||
BIGIP 9.4.2 and later.
|
||||
|
||||
Supported Wireshark Versions:
|
||||
Wireshark 2.2, 2.4
|
||||
|
||||
Installation:
|
||||
1. Acquire the Wireshark source tarball at:
|
||||
* http://www.wireshark.org/download/src/wireshark-{version}.tar.bz2
|
||||
2. Extract out the files.
|
||||
3. Enter into the directory, and extract the files in the F5 package:
|
||||
# cd wireshark-{version}/
|
||||
# tar xzf wireshark2.2.plugin.f5ethtrailer.1.11.tar.gz
|
||||
4. (optional) You might want to define the "NO_F5_POP_OTHERFIELDS" macro.
|
||||
Please see the note in the packet-f5ethtrailer.c file for details.
|
||||
5a. If you are on Windows, proceed to compilation following the
|
||||
instructions at:
|
||||
* http://www.wireshark.org/docs/wsdg_html_chunked/ChSetupWin32.html
|
||||
5b. If you are on a GNU GCC based platform, proceed to compilation by
|
||||
following the instructions at:
|
||||
* http://www.wireshark.org/docs/wsdg_html_chunked/ChSrcBuildFirstTime.html
|
||||
6. Install Wireshark to your target system
|
||||
|
||||
Usage:
|
||||
|
||||
* Acquire capture files using the following command line:
|
||||
* tcpdump -w capture.pcap -s0 -i internal:nnn
|
||||
* Load the capture file into wireshark.
|
||||
|
||||
* Observe the grammar added to the beginning of each packet in the "Info"
|
||||
column of the packet list pane.
|
||||
* Observe the added "F5 Ethernet trailer" section in the packet detail
|
||||
pane.
|
||||
* These fields are filterable like any other field.
|
||||
* Review the preferences for the dissector.
|
||||
|
||||
* If you are using Wireshark 1.8 or higher, you might be missing the Low
|
||||
details of the trailer for some packets. If this happens, try modifying
|
||||
the settings for the Ethernet dissector. Go to "Edit/Preferences...",
|
||||
expand "Protocols" on the left and select "Ethernet". Disable "Assume
|
||||
short frames which include a trailer contain padding".
|
||||
|
||||
Notes:
|
||||
|
||||
Follow F5 Conversation:
|
||||
|
||||
As an alternative to the Populate Fields for Other Dissectors below, you
|
||||
can now follow a connection through the BIG-IP using the main menu
|
||||
Analyze/Conversation Filter menu. There are three options: follow "F5 IP",
|
||||
"F5 TCP" or "F5 UDP". Select a frame and choose the appropriate menu item.
|
||||
For best results, disable Populate Fields for Other Dissectors. This
|
||||
method of following a conversation should avoid the stray packets problem
|
||||
mentioned below.
|
||||
|
||||
These menu selections will populate an appropriate filter expression with
|
||||
ip.addr, tcp.port or udp.port, f5ethtrailer.peeraddr, f5ethtrailer.peerport
|
||||
and f5ethtrailer.peeripproto.
|
||||
|
||||
You will need to have gathered the capture with high noise (":nnn") to
|
||||
contain the peer flow information in order for this to work.
|
||||
|
||||
Populate Fields for Other Dissectors:
|
||||
|
||||
The populate fields for other dissectors will add hidden fields to the
|
||||
f5ethtrailer for "ip.addr", "ipv6.addr", "tcp.port" and "udp.port" based on
|
||||
information in high noise of a packet. This will allow the "Conversation
|
||||
Filter" option in Wireshark to find both the client-side and server-side
|
||||
flows for a connection.
|
||||
|
||||
In order to use this, you will need to enable the "Populate fields for
|
||||
other dissectors" preference. Note that the fields are registered when the
|
||||
preference is enabled. After changing the preference, you may need to
|
||||
restart Wireshark for proper handling.
|
||||
|
||||
Please note that this may cause some stray packets to show up in filter
|
||||
results since, for example, "tcp.port eq A and tcp.port eq B" can now be
|
||||
matching on at least four fields (tcp.port from the TCP dissector and
|
||||
tcp.port from the f5ethtrailer dissector) and a filter can match on an
|
||||
address/port from the IP/TCP/UDP dissector or an address/port from the
|
||||
f5ethtrailer dissector.
|
||||
|
||||
For example, given two connections:
|
||||
client:12345 <-> VIP:443 {BIGIP} clientS:12346 <-> poolmember:80
|
||||
client:12346 <-> VIP:443 {BIGIP} clientS:12347 <-> poolmember:80
|
||||
Selecting "Conversation Filter->TCP" on the client side of the second
|
||||
connection will result in a filter of:
|
||||
ip.addr eq client and ip.addr eq VIP and
|
||||
tcp.port eq 12346 and tcp.port eq 443
|
||||
All four flows would be displayed by the filter:
|
||||
* From client:12345 <-> VIP:443 (unexpected)
|
||||
- ip.addr from ip.src matches.
|
||||
- ip.addr from ip.dst matches.
|
||||
- tcp.port from f5ethtrailer.peerlocalport matches.
|
||||
- tcp.port from tcp.dstport matches.
|
||||
* From clientS:12346 <-> poolmember:80 (unexpected)
|
||||
- ip.addr from f5ethtrailer.peerremoteaddr matches.
|
||||
- ip.addr from f5ethtrailer.peerlocaladdr matches.
|
||||
- tcp.port from tcp.srcport matches.
|
||||
- tcp.port from f5ethtrailer.peerlocalport matches.
|
||||
* From client:12346 <-> VIP:443 (expected)
|
||||
- ip.addr from ip.src matches.
|
||||
- ip.addr from ip.dst matches.
|
||||
- tcp.port from tcp.srcport matches.
|
||||
- tcp.port from tcp.dstport matches.
|
||||
* From clientS:12347 <-> poolmember:80 (desired)
|
||||
- ip.addr from f5ethtrailer.peerremoteaddr matches.
|
||||
- ip.addr from f5ethtrailer.peerlocaladdr matches.
|
||||
- tcp.port from f5ethtrailer.peerremoteport matches.
|
||||
- tcp.port from f5ethtrailer.peerlocalport matches.
|
||||
|
||||
You can filter based on IP/port information by disabling the "Populate
|
||||
fields for other dissectors" and creating your own filter like:
|
||||
( ip.addr eq client and ip.addr eq VIP and
|
||||
tcp.port eq 12346 and tcp.port eq 443 ) or
|
||||
( f5ethtrailer.peeraddr eq client and f5ethtrailer.peeraddr eq VIP and
|
||||
f5ethtrailer.peerport eq 12346 and f5ethtrailer.peerport eq 443 )
|
||||
|
||||
Since the preference is disabled by default, it should not cause any
|
||||
interference unless the user actively enables the preference. You can
|
||||
remove the option entirely at compile time by defining the compiler macro
|
||||
"NO_F5_POP_OTHERFIELDS".
|
||||
|
||||
Analysis:
|
||||
|
||||
The f5ethtrailer dissector can add an "F5 Analysis" subtree to the "F5
|
||||
Ethernet trailer" protocol tree. The items added here are also added to
|
||||
Wireshark expert info. The analysis done is intended to help spot traffic
|
||||
anomalies.
|
||||
|
||||
Possible Analysis:
|
||||
* Flow reuse or SYN retransmit
|
||||
Filter field name: f5ethtrailer.analysis.flowreuse
|
||||
This is intended to highlight initial packets that arrive that match
|
||||
a pre-existing flow. In other words, a TCP SYN packet that arrives
|
||||
and matches an existing flow. This can indicate:
|
||||
- A prior flow was not properly terminated and a new flow is starting.
|
||||
- A stray SYN has arrived for an existing connection.
|
||||
- A SYN has been retransmitted (the first SYN would have created the
|
||||
flow that subsequent SYNs would match).
|
||||
|
||||
* Flow lost, incorrect VLAN, loose initiation, tunnel or SYN cookie use
|
||||
Filter field name: f5ethtrailer.analysis.flowlost
|
||||
This is intended to highlight non-initial packets that arrive that
|
||||
do not match an existing flow. In other words, a TCP non-SYN packet
|
||||
arriving that does not match an existing flow. This can indicate:
|
||||
- The flow is no longer in the BIGIP's connection table.
|
||||
- VLAN keyed connections is in use (the default) and a packet arrived
|
||||
on an incorrect VLAN.
|
||||
- A stray packet has arrived.
|
||||
- The packet may be handled by a virtual server with loose initiation.
|
||||
In this case, a packet in the middle of a TCP conversation could
|
||||
arrive and then be handled by a virtual server that has loose
|
||||
initiation enabled to create a flow.
|
||||
- The packet may be the inner payload of a tunnel. For inbound tunnel
|
||||
traffic, the encapsulating packet is shown as well as the
|
||||
encapsulated packet (and the encapsulated packet may not have flow
|
||||
information).
|
||||
- SYN cookies are being used (the initial SYN would not have created
|
||||
a flow).
|
||||
|
||||
A few notes. The analysis is implemented by using Wireshark taps and
|
||||
tapping the IP/IPv6/TCP dissectors. The taps are not called until after
|
||||
packet dissection is completely finished. So, the f5ethtrailer dissector
|
||||
may not have the necessary data to draw conclusions. The traffic light
|
||||
in the lower left corner of the Wireshark GUI might not properly reflect
|
||||
the existence of these analysis fields.
|
||||
|
||||
Hiding Slot Information in Info Column:
|
||||
|
||||
You can now specify which platforms will display slot information in the
|
||||
summary in the info columns. In the preferences for the F5 Ethernet
|
||||
trailer dissector, you can provide a regular expression to match the
|
||||
platform in F5 tcpdump header packet. If there is no platform information
|
||||
in the header (or there is no header at all), slot information will always
|
||||
be displayed. A reasonable regular expression would be "^(A.*|Z101)$" to
|
||||
match chassis and vCMP platforms (there is no distinction for vCMP on a
|
||||
chassis versus an appliance). The default is to always display slot
|
||||
information (no regular expression is provided by default).
|
||||
|
||||
Statistics reports (Wireshark 1.12 and later only):
|
||||
|
||||
All statistics are reported as packet counts and byte counts. Byte count
|
||||
statistics do not include the bytes of the trailer.
|
||||
|
||||
Statistics menu now has:
|
||||
F5/Virtual Server Distribution
|
||||
A line for each named virtual server name
|
||||
A line for traffic with a flow ID and no virtual server name
|
||||
A line for traffic without a flow ID.
|
||||
|
||||
F5/tmm Distribution
|
||||
A line for each tmm.
|
||||
A line each for ingress and egress (should add to tmm total)
|
||||
A line each for (should add to tmm total)
|
||||
Traffic with a virtual server name
|
||||
Traffic with a flow ID and no virtual server name
|
||||
Traffic without a flow ID.
|
||||
|
||||
Change Log:
|
||||
-------------------------------------------------------------------------------
|
||||
Version 1.11:
|
||||
* Implemented a tap for the F5 Ethernet trailer dissector
|
||||
* Used the tap datastructures for the trailer analysis
|
||||
* Generate Statistics reports (off of Statistics menu)
|
||||
|
||||
-------------------------------------------------------------------------------
|
||||
Version 1.10:
|
||||
* Added support for BIG-IP version 12.
|
||||
* Fixed field size problem for peervlan.
|
||||
|
||||
Version 1.9:
|
||||
* Added ability to filter connection through BIG-IP
|
||||
Main Menu/Analyze/Conversation Filter/F5 {IP,TCP,UDP}
|
||||
|
||||
Version 1.8:
|
||||
* Added support for Wireshark 1.12, dropped support for Wireshark 1.6.
|
||||
* Improved analysis. It should now work with tshark.
|
||||
* Ability to restrict slot data in info column to specific platforms.
|
||||
* Ability to reduce the length of summary information in info column.
|
||||
* Fixed display of "(peer)" flag in reset cause in the info column (the peer
|
||||
flag has always been correct in the packet details pane).
|
||||
* Other minor fixes.
|
||||
|
||||
-------------------------------------------------------------------------------
|
||||
Version 1.7:
|
||||
* Support for BIG-IP 11.5.
|
||||
|
||||
-------------------------------------------------------------------------------
|
||||
Version 1.6:
|
||||
* Added support for Wireshark 1.10.
|
||||
* The population of fields for other dissectors is now compiled by default.
|
||||
* Added analysis of trailer information.
|
||||
* High noise (peer flow information) is not rendered if there is not
|
||||
actually a peer flow.
|
||||
* Removed support for Wireshark 1.4.
|
||||
|
||||
-------------------------------------------------------------------------------
|
||||
Version 1.5:
|
||||
* Render tcpdump first pseudo-packet which contains command information.
|
||||
* If there is no peer flow data, don't render high noise, just show a field
|
||||
that says there is no peer flow data.
|
||||
|
||||
-------------------------------------------------------------------------------
|
||||
Version 1.4:
|
||||
* Fixed issue with improper rendering of some v11.2 variable length trailers.
|
||||
|
||||
-------------------------------------------------------------------------------
|
||||
Version 1.3:
|
||||
* Support for BIG-IP v11.2.
|
||||
* Support for BIG-IP v11.0.
|
||||
* With v10 and higher captures, slots start at 1 to match tcpdump output on
|
||||
BIG-IP.
|
||||
* Add "IN" and "OUT" strings to the display of the ingress field in the
|
||||
packet details pane.
|
||||
* Add ability to populate ip.addr, tcp.port, etc. to make following both
|
||||
flows in a connection easier based upon data in the high detail. (This is
|
||||
not compiled in by default, controlled by F5_POP_OTHERFIELDS macro.)
|
||||
* Add preference to put the tmm/blade/ingress in the info column or not.
|
||||
* Add generic peeraddr/peerport fields (to match either local or remote).
|
||||
* Display peer addresses as IPv4 where appropriate.
|
||||
* Display route domain IPv6 format address as IPv4 + route domain ID.
|
||||
* Modest performance improvement.
|
||||
* No longer support WS 1.2.x. 1.4.5 and higher only.
|
||||
* Other minor fixes.
|
||||
|
||||
-------------------------------------------------------------------------------
|
||||
Version 1.2:
|
||||
* Low detail trailer information is now collapsible.
|
||||
* Fixed display of ingress slot and port fields.
|
||||
* Properly display version 9.4 trailers
|
||||
* Ports to build on WS 1.2
|
||||
* Added an "anyflowid" field so that search for a flowid as either a flowid
|
||||
or a peer flow id is collapsed to one filter:
|
||||
"f5ethtrailer.anyflowid eq X" is equivalent to
|
||||
"(f5ethtrailer.flowid eq X or f5ethtrailer.peerid eq X)"
|
|
@ -1,21 +1,190 @@
|
|||
/* packet-f5ethtrailer.c
|
||||
* This program is free software; you can redistribute it and/or
|
||||
* modify it under the terms of the GNU General Public License
|
||||
* as published by the Free Software Foundation; either version 2
|
||||
* of the License, or (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License
|
||||
* along with this program; if not, write to the Free Software
|
||||
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
*
|
||||
* F5 Ethernet Trailer Copyright 2008-2017 F5 Networks
|
||||
*
|
||||
* SPDX-License-Identifier: GPL-2.0-or-later
|
||||
*/
|
||||
|
||||
/*
|
||||
Supported Platforms:
|
||||
BIGIP 9.4.2 and later.
|
||||
|
||||
Usage:
|
||||
|
||||
* Acquire capture files using the following command line:
|
||||
* tcpdump -w capture.pcap -s0 -i internal:nnn
|
||||
* Load the capture file into wireshark.
|
||||
|
||||
* Observe the grammar added to the beginning of each packet in the "Info"
|
||||
column of the packet list pane.
|
||||
* Observe the added "F5 Ethernet trailer" section in the packet detail
|
||||
pane.
|
||||
* These fields are filterable like any other field.
|
||||
* Review the preferences for the dissector.
|
||||
|
||||
* If you are missing the Low details of the trailer for some packets, try
|
||||
modifying the settings for the Ethernet dissector. Go to "Edit/Preferences...",
|
||||
expand "Protocols" on the left and select "Ethernet". Disable "Assume
|
||||
short frames which include a trailer contain padding".
|
||||
|
||||
Notes:
|
||||
|
||||
Follow F5 Conversation:
|
||||
|
||||
As an alternative to the Populate Fields for Other Dissectors below, you
|
||||
can now follow a connection through the BIG-IP using the main menu
|
||||
Analyze/Conversation Filter menu. There are three options: follow "F5 IP",
|
||||
"F5 TCP" or "F5 UDP". Select a frame and choose the appropriate menu item.
|
||||
For best results, disable Populate Fields for Other Dissectors. This
|
||||
method of following a conversation should avoid the stray packets problem
|
||||
mentioned below.
|
||||
|
||||
These menu selections will populate an appropriate filter expression with
|
||||
ip.addr, tcp.port or udp.port, f5ethtrailer.peeraddr, f5ethtrailer.peerport
|
||||
and f5ethtrailer.peeripproto.
|
||||
|
||||
You will need to have gathered the capture with high noise (":nnn") to
|
||||
contain the peer flow information in order for this to work.
|
||||
|
||||
Populate Fields for Other Dissectors:
|
||||
|
||||
The populate fields for other dissectors will add hidden fields to the
|
||||
f5ethtrailer for "ip.addr", "ipv6.addr", "tcp.port" and "udp.port" based on
|
||||
information in high noise of a packet. This will allow the "Conversation
|
||||
Filter" option in Wireshark to find both the client-side and server-side
|
||||
flows for a connection.
|
||||
|
||||
In order to use this, you will need to enable the "Populate fields for
|
||||
other dissectors" preference. Note that the fields are registered when the
|
||||
preference is enabled. After changing the preference, you may need to
|
||||
restart Wireshark for proper handling.
|
||||
|
||||
Please note that this may cause some stray packets to show up in filter
|
||||
results since, for example, "tcp.port eq A and tcp.port eq B" can now be
|
||||
matching on at least four fields (tcp.port from the TCP dissector and
|
||||
tcp.port from the f5ethtrailer dissector) and a filter can match on an
|
||||
address/port from the IP/TCP/UDP dissector or an address/port from the
|
||||
f5ethtrailer dissector.
|
||||
|
||||
For example, given two connections:
|
||||
client:12345 <-> VIP:443 {BIGIP} clientS:12346 <-> poolmember:80
|
||||
client:12346 <-> VIP:443 {BIGIP} clientS:12347 <-> poolmember:80
|
||||
Selecting "Conversation Filter->TCP" on the client side of the second
|
||||
connection will result in a filter of:
|
||||
ip.addr eq client and ip.addr eq VIP and
|
||||
tcp.port eq 12346 and tcp.port eq 443
|
||||
All four flows would be displayed by the filter:
|
||||
* From client:12345 <-> VIP:443 (unexpected)
|
||||
- ip.addr from ip.src matches.
|
||||
- ip.addr from ip.dst matches.
|
||||
- tcp.port from f5ethtrailer.peerlocalport matches.
|
||||
- tcp.port from tcp.dstport matches.
|
||||
* From clientS:12346 <-> poolmember:80 (unexpected)
|
||||
- ip.addr from f5ethtrailer.peerremoteaddr matches.
|
||||
- ip.addr from f5ethtrailer.peerlocaladdr matches.
|
||||
- tcp.port from tcp.srcport matches.
|
||||
- tcp.port from f5ethtrailer.peerlocalport matches.
|
||||
* From client:12346 <-> VIP:443 (expected)
|
||||
- ip.addr from ip.src matches.
|
||||
- ip.addr from ip.dst matches.
|
||||
- tcp.port from tcp.srcport matches.
|
||||
- tcp.port from tcp.dstport matches.
|
||||
* From clientS:12347 <-> poolmember:80 (desired)
|
||||
- ip.addr from f5ethtrailer.peerremoteaddr matches.
|
||||
- ip.addr from f5ethtrailer.peerlocaladdr matches.
|
||||
- tcp.port from f5ethtrailer.peerremoteport matches.
|
||||
- tcp.port from f5ethtrailer.peerlocalport matches.
|
||||
|
||||
You can filter based on IP/port information by disabling the "Populate
|
||||
fields for other dissectors" and creating your own filter like:
|
||||
( ip.addr eq client and ip.addr eq VIP and
|
||||
tcp.port eq 12346 and tcp.port eq 443 ) or
|
||||
( f5ethtrailer.peeraddr eq client and f5ethtrailer.peeraddr eq VIP and
|
||||
f5ethtrailer.peerport eq 12346 and f5ethtrailer.peerport eq 443 )
|
||||
|
||||
Since the preference is disabled by default, it should not cause any
|
||||
interference unless the user actively enables the preference. You can
|
||||
remove the option entirely at compile time by defining the compiler macro
|
||||
"NO_F5_POP_OTHERFIELDS".
|
||||
|
||||
Analysis:
|
||||
|
||||
The f5ethtrailer dissector can add an "F5 Analysis" subtree to the "F5
|
||||
Ethernet trailer" protocol tree. The items added here are also added to
|
||||
Wireshark expert info. The analysis done is intended to help spot traffic
|
||||
anomalies.
|
||||
|
||||
Possible Analysis:
|
||||
* Flow reuse or SYN retransmit
|
||||
Filter field name: f5ethtrailer.analysis.flowreuse
|
||||
This is intended to highlight initial packets that arrive that match
|
||||
a pre-existing flow. In other words, a TCP SYN packet that arrives
|
||||
and matches an existing flow. This can indicate:
|
||||
- A prior flow was not properly terminated and a new flow is starting.
|
||||
- A stray SYN has arrived for an existing connection.
|
||||
- A SYN has been retransmitted (the first SYN would have created the
|
||||
flow that subsequent SYNs would match).
|
||||
|
||||
* Flow lost, incorrect VLAN, loose initiation, tunnel or SYN cookie use
|
||||
Filter field name: f5ethtrailer.analysis.flowlost
|
||||
This is intended to highlight non-initial packets that arrive that
|
||||
do not match an existing flow. In other words, a TCP non-SYN packet
|
||||
arriving that does not match an existing flow. This can indicate:
|
||||
- The flow is no longer in the BIGIP's connection table.
|
||||
- VLAN keyed connections is in use (the default) and a packet arrived
|
||||
on an incorrect VLAN.
|
||||
- A stray packet has arrived.
|
||||
- The packet may be handled by a virtual server with loose initiation.
|
||||
In this case, a packet in the middle of a TCP conversation could
|
||||
arrive and then be handled by a virtual server that has loose
|
||||
initiation enabled to create a flow.
|
||||
- The packet may be the inner payload of a tunnel. For inbound tunnel
|
||||
traffic, the encapsulating packet is shown as well as the
|
||||
encapsulated packet (and the encapsulated packet may not have flow
|
||||
information).
|
||||
- SYN cookies are being used (the initial SYN would not have created
|
||||
a flow).
|
||||
|
||||
A few notes. The analysis is implemented by using Wireshark taps and
|
||||
tapping the IP/IPv6/TCP dissectors. The taps are not called until after
|
||||
packet dissection is completely finished. So, the f5ethtrailer dissector
|
||||
may not have the necessary data to draw conclusions. The traffic light
|
||||
in the lower left corner of the Wireshark GUI might not properly reflect
|
||||
the existence of these analysis fields.
|
||||
|
||||
Hiding Slot Information in Info Column:
|
||||
|
||||
You can now specify which platforms will display slot information in the
|
||||
summary in the info columns. In the preferences for the F5 Ethernet
|
||||
trailer dissector, you can provide a regular expression to match the
|
||||
platform in F5 tcpdump header packet. If there is no platform information
|
||||
in the header (or there is no header at all), slot information will always
|
||||
be displayed. A reasonable regular expression would be "^(A.*|Z101)$" to
|
||||
match chassis and vCMP platforms (there is no distinction for vCMP on a
|
||||
chassis versus an appliance). The default is to always display slot
|
||||
information (no regular expression is provided by default).
|
||||
|
||||
Statistics reports:
|
||||
|
||||
All statistics are reported as packet counts and byte counts. Byte count
|
||||
statistics do not include the bytes of the trailer.
|
||||
|
||||
Statistics menu now has:
|
||||
F5/Virtual Server Distribution
|
||||
A line for each named virtual server name
|
||||
A line for traffic with a flow ID and no virtual server name
|
||||
A line for traffic without a flow ID.
|
||||
|
||||
F5/tmm Distribution
|
||||
A line for each tmm.
|
||||
A line each for ingress and egress (should add to tmm total)
|
||||
A line each for (should add to tmm total)
|
||||
Traffic with a virtual server name
|
||||
Traffic with a flow ID and no virtual server name
|
||||
Traffic without a flow ID.
|
||||
*/
|
||||
|
||||
|
||||
/* A note about the F5_POP_OTHERFIELDS macro:
|
||||
*
|
||||
* This is used to conditionally compile the population of fields like ip.addr,
|
||||
|
@ -36,18 +205,6 @@
|
|||
* not be a change for people that have been running without it.
|
||||
*/
|
||||
|
||||
/* There is a an issue with the Wireshark Ethernet dissector. It does not call
|
||||
* trailer dissectors if it is not building a tree. The problems with this are
|
||||
* 1. With some invocations of tshark, you will not get the IN/OUT and tmm
|
||||
* information in the default tshark output. This can be fixed by somehow
|
||||
* triggering tshark to build a tree (supply a filter, or add custom
|
||||
* columns to the display, or probably other things).
|
||||
* 2. When performing analysis (and populating expert info) during the first
|
||||
* pass through the capture, the trailer information is not read and there
|
||||
* can be no analysis performed. So, the traffic light in the lower left
|
||||
* corner of the gui will likely be incorrect.
|
||||
*/
|
||||
|
||||
/* Only enable populate othe fields if it has not been requested that it be
|
||||
* built without (-DNO_F5_POP_OTHERFIELDS on the compiler command line). */
|
||||
#ifndef NO_F5_POP_OTHERFIELDS
|
||||
|
@ -72,7 +229,6 @@
|
|||
#include <epan/proto_data.h>
|
||||
#include <epan/dissector_filters.h>
|
||||
#include <epan/dissectors/packet-ip.h>
|
||||
#include <epan/dissectors/packet-ipv6.h>
|
||||
#include <epan/dissectors/packet-tcp.h>
|
||||
#include <epan/etypes.h>
|
||||
#include <epan/to_str.h>
|
||||
|
@ -83,24 +239,18 @@
|
|||
|
||||
#define PROTO_TAG_F5ETHTRAILER "F5ETHTRAILER"
|
||||
|
||||
/*-----------------------------------------------------------------------------------------------*/
|
||||
/** Setup macros to ease the commpilation of this dissector on various versions of Wireshark. */
|
||||
#if defined(VERSION_MAJOR) && defined(VERSION_MINOR)
|
||||
# if VERSION_MAJOR > 2 || (VERSION_MAJOR == 2 && VERSION_MINOR == 2)
|
||||
# define ip6h_nxt ip6_nxt
|
||||
# endif
|
||||
# if VERSION_MAJOR > 2 || (VERSION_MAJOR == 2 && VERSION_MINOR >= 4)
|
||||
/* Nothing at this point. */
|
||||
# endif
|
||||
#endif
|
||||
/*-----------------------------------------------------------------------------------------------*/
|
||||
|
||||
/* Wireshark ID of the F5ETHTRAILER protocol */
|
||||
static int proto_f5ethtrailer = -1;
|
||||
static int tap_f5ethtrailer = -1;
|
||||
static int proto_f5fileinfo = -1;
|
||||
static int tap_f5fileinfo = -1;
|
||||
|
||||
void proto_reg_handoff_f5ethtrailer(void);
|
||||
void proto_register_f5ethtrailer(void);
|
||||
|
||||
void proto_reg_handoff_f5fileinfo(void);
|
||||
void proto_register_f5fileinfo(void);
|
||||
|
||||
gboolean dissect_f5ethtrailer(tvbuff_t *tvb, packet_info *pinfo,
|
||||
proto_tree *tree, void *data);
|
||||
|
||||
|
@ -120,11 +270,8 @@ static gint hf_vip = -1;
|
|||
/* Med */
|
||||
static gint hf_med_id = -1;
|
||||
static gint hf_flow_id = -1;
|
||||
static gint hf_flow_id64 = -1;
|
||||
static gint hf_peer_id = -1;
|
||||
static gint hf_peer_id64 = -1;
|
||||
static gint hf_any_flow = -1;
|
||||
static gint hf_any_flow64 = -1;
|
||||
static gint hf_cf_flags = -1;
|
||||
static gint hf_cf_flags2 = -1;
|
||||
static gint hf_flow_type = -1;
|
||||
|
@ -299,16 +446,16 @@ static gboolean f5_udp_conv_valid(packet_info *pinfo)
|
|||
static gchar *f5_ip_conv_filter(packet_info *pinfo)
|
||||
{
|
||||
gchar *buf = NULL;
|
||||
gchar s_addr[MAX_IP6_STR_LEN];
|
||||
gchar d_addr[MAX_IP6_STR_LEN];
|
||||
gchar s_addr[WS_INET6_ADDRSTRLEN];
|
||||
gchar d_addr[WS_INET6_ADDRSTRLEN];
|
||||
|
||||
if( !f5_ip_conv_valid(pinfo) ) {
|
||||
return(NULL);
|
||||
}
|
||||
*d_addr = *s_addr = '\0';
|
||||
if(pinfo->net_src.type == AT_IPv4 && pinfo->net_dst.type == AT_IPv4) {
|
||||
address_to_str_buf(&pinfo->src, s_addr, MAX_IP6_STR_LEN);
|
||||
address_to_str_buf(&pinfo->dst, d_addr, MAX_IP6_STR_LEN);
|
||||
address_to_str_buf(&pinfo->src, s_addr, WS_INET6_ADDRSTRLEN);
|
||||
address_to_str_buf(&pinfo->dst, d_addr, WS_INET6_ADDRSTRLEN);
|
||||
if(*s_addr != '\0' && *d_addr != '\0') {
|
||||
buf = g_strdup_printf(
|
||||
"(ip.addr eq %s and ip.addr eq %s) or"
|
||||
|
@ -316,8 +463,8 @@ static gchar *f5_ip_conv_filter(packet_info *pinfo)
|
|||
s_addr, d_addr, s_addr, d_addr);
|
||||
}
|
||||
} else if(pinfo->net_src.type == AT_IPv6 && pinfo->net_dst.type == AT_IPv6) {
|
||||
address_to_str_buf(&pinfo->src, s_addr, MAX_IP6_STR_LEN);
|
||||
address_to_str_buf(&pinfo->dst, d_addr, MAX_IP6_STR_LEN);
|
||||
address_to_str_buf(&pinfo->src, s_addr, WS_INET6_ADDRSTRLEN);
|
||||
address_to_str_buf(&pinfo->dst, d_addr, WS_INET6_ADDRSTRLEN);
|
||||
if(*s_addr != '\0' && *d_addr != '\0') {
|
||||
buf = g_strdup_printf(
|
||||
"(ipv6.addr eq %s and ipv6.addr eq %s) or"
|
||||
|
@ -354,16 +501,16 @@ static gchar *f5_ip_conv_filter(packet_info *pinfo)
|
|||
static gchar *f5_tcp_conv_filter(packet_info *pinfo)
|
||||
{
|
||||
gchar *buf = NULL;
|
||||
gchar s_addr[MAX_IP6_STR_LEN];
|
||||
gchar d_addr[MAX_IP6_STR_LEN];
|
||||
gchar s_addr[WS_INET6_ADDRSTRLEN];
|
||||
gchar d_addr[WS_INET6_ADDRSTRLEN];
|
||||
|
||||
if( !f5_tcp_conv_valid(pinfo) ) {
|
||||
return(NULL);
|
||||
}
|
||||
*d_addr = *s_addr = '\0';
|
||||
if(pinfo->net_src.type == AT_IPv4 && pinfo->net_dst.type == AT_IPv4) {
|
||||
address_to_str_buf(&pinfo->src, s_addr, MAX_IP6_STR_LEN);
|
||||
address_to_str_buf(&pinfo->dst, d_addr, MAX_IP6_STR_LEN);
|
||||
address_to_str_buf(&pinfo->src, s_addr, WS_INET6_ADDRSTRLEN);
|
||||
address_to_str_buf(&pinfo->dst, d_addr, WS_INET6_ADDRSTRLEN);
|
||||
if(*s_addr != '\0' && *d_addr != '\0') {
|
||||
buf = g_strdup_printf(
|
||||
"(ip.addr eq %s and ip.addr eq %s and tcp.port eq %d and tcp.port eq %d) or"
|
||||
|
@ -374,8 +521,8 @@ static gchar *f5_tcp_conv_filter(packet_info *pinfo)
|
|||
s_addr, d_addr, pinfo->srcport, pinfo->destport);
|
||||
}
|
||||
} else if(pinfo->net_src.type == AT_IPv6 && pinfo->net_dst.type == AT_IPv6) {
|
||||
address_to_str_buf(&pinfo->src, s_addr, MAX_IP6_STR_LEN);
|
||||
address_to_str_buf(&pinfo->dst, d_addr, MAX_IP6_STR_LEN);
|
||||
address_to_str_buf(&pinfo->src, s_addr, WS_INET6_ADDRSTRLEN);
|
||||
address_to_str_buf(&pinfo->dst, d_addr, WS_INET6_ADDRSTRLEN);
|
||||
if(*s_addr != '\0' && *d_addr != '\0') {
|
||||
buf = g_strdup_printf(
|
||||
"(ipv6.addr eq %s and ipv6.addr eq %s and tcp.port eq %d and tcp.port eq %d) or"
|
||||
|
@ -415,16 +562,16 @@ static gchar *f5_tcp_conv_filter(packet_info *pinfo)
|
|||
static gchar *f5_udp_conv_filter(packet_info *pinfo)
|
||||
{
|
||||
gchar *buf = NULL;
|
||||
gchar s_addr[MAX_IP6_STR_LEN];
|
||||
gchar d_addr[MAX_IP6_STR_LEN];
|
||||
gchar s_addr[WS_INET6_ADDRSTRLEN];
|
||||
gchar d_addr[WS_INET6_ADDRSTRLEN];
|
||||
|
||||
if( !f5_udp_conv_valid(pinfo) ) {
|
||||
return(NULL);
|
||||
}
|
||||
*d_addr = *s_addr = '\0';
|
||||
if(pinfo->net_src.type == AT_IPv4 && pinfo->net_dst.type == AT_IPv4) {
|
||||
address_to_str_buf(&pinfo->src, s_addr, MAX_IP6_STR_LEN);
|
||||
address_to_str_buf(&pinfo->dst, d_addr, MAX_IP6_STR_LEN);
|
||||
address_to_str_buf(&pinfo->src, s_addr, WS_INET6_ADDRSTRLEN);
|
||||
address_to_str_buf(&pinfo->dst, d_addr, WS_INET6_ADDRSTRLEN);
|
||||
if(*s_addr != '\0' && *d_addr != '\0') {
|
||||
buf = g_strdup_printf(
|
||||
"(ip.addr eq %s and ip.addr eq %s and udp.port eq %d and udp.port eq %d) or"
|
||||
|
@ -435,8 +582,8 @@ static gchar *f5_udp_conv_filter(packet_info *pinfo)
|
|||
s_addr, d_addr, pinfo->srcport, pinfo->destport);
|
||||
}
|
||||
} else if(pinfo->net_src.type == AT_IPv6 && pinfo->net_dst.type == AT_IPv6) {
|
||||
address_to_str_buf(&pinfo->src, s_addr, MAX_IP6_STR_LEN);
|
||||
address_to_str_buf(&pinfo->dst, d_addr, MAX_IP6_STR_LEN);
|
||||
address_to_str_buf(&pinfo->src, s_addr, WS_INET6_ADDRSTRLEN);
|
||||
address_to_str_buf(&pinfo->dst, d_addr, WS_INET6_ADDRSTRLEN);
|
||||
if(*s_addr != '\0' && *d_addr != '\0') {
|
||||
buf = g_strdup_printf(
|
||||
"(ipv6.addr eq %s and ipv6.addr eq %s and udp.port eq %d and udp.port eq %d) or"
|
||||
|
@ -482,7 +629,7 @@ static const gchar *st_str_virtdist_novirt = "Flow without virtual server name";
|
|||
*
|
||||
* \attention This is an interface function to be called from the rest of wireshark.
|
||||
*
|
||||
* @param st
|
||||
* @param st A pointer to the stats tree to use
|
||||
*
|
||||
*/
|
||||
static void f5eth_tmmdist_stats_tree_init(
|
||||
|
@ -502,7 +649,7 @@ static void f5eth_tmmdist_stats_tree_init(
|
|||
*
|
||||
* @param st A pointer to the stats tree to use
|
||||
* @param pinfo A pointer to the packet info.
|
||||
* @param edt
|
||||
* @param edt Unused
|
||||
* @param data A pointer to the data provided by the tap
|
||||
* @return 1 if the data was actually used to alter the statistics, 0 otherwise.
|
||||
*
|
||||
|
@ -513,7 +660,7 @@ static int f5eth_tmmdist_stats_tree_packet(
|
|||
epan_dissect_t *edt _U_,
|
||||
const void *data
|
||||
) {
|
||||
f5eth_tap_data_t *tdata;
|
||||
const f5eth_tap_data_t *tdata;
|
||||
guint32 pkt_len;
|
||||
int st_node_tot_pkts;
|
||||
int st_node_tot_bytes;
|
||||
|
@ -522,7 +669,7 @@ static int f5eth_tmmdist_stats_tree_packet(
|
|||
char tmm_stat_name_buffer[PER_TMM_STAT_NAME_BUF_LEN];
|
||||
|
||||
if(data == NULL) return 0;
|
||||
tdata = (f5eth_tap_data_t *)data;
|
||||
tdata = (const f5eth_tap_data_t *)data;
|
||||
/* Unnecessary since this tap packet function and the F5 Ethernet trailer dissector are both in
|
||||
* the same source file. If you are using this function as an example in a separate tap source
|
||||
* file, you should uncomment this.
|
||||
|
@ -617,11 +764,11 @@ static int f5eth_virtdist_stats_tree_packet(
|
|||
epan_dissect_t *edt _U_,
|
||||
const void *data
|
||||
) {
|
||||
f5eth_tap_data_t *tdata;
|
||||
const f5eth_tap_data_t *tdata;
|
||||
guint32 pkt_len;
|
||||
|
||||
if(data == NULL) return 0;
|
||||
tdata = (f5eth_tap_data_t *)data;
|
||||
tdata = (const f5eth_tap_data_t *)data;
|
||||
/* Unnecessary since this tap packet function and the F5 Ethernet trailer dissector are both in
|
||||
* the same source file. If you are using this function as an example in a separate tap source
|
||||
* file, you should uncomment this.
|
||||
|
@ -727,7 +874,7 @@ typedef enum {
|
|||
, brief_in_out_only = 7
|
||||
} f5eth_info_type_t;
|
||||
/** Info column display format type strings */
|
||||
static enum_val_t f5eth_display_strings[] = {
|
||||
static const enum_val_t f5eth_display_strings[] = {
|
||||
{ "None", "None", 0 }
|
||||
, { "Full", "Full", 1 }
|
||||
, { "InOutOnly", "In/out only", 3 }
|
||||
|
@ -829,7 +976,7 @@ static void f5eth_set_info_col_inout(
|
|||
packet_info *pinfo,
|
||||
guint ingress,
|
||||
guint slot _U_,
|
||||
guint tm _U_
|
||||
guint tmm _U_
|
||||
) {
|
||||
gboolean col_writable;
|
||||
/*
|
||||
|
@ -839,23 +986,11 @@ static void f5eth_set_info_col_inout(
|
|||
col_writable = col_get_writable(pinfo->cinfo, COL_INFO);
|
||||
col_set_writable(pinfo->cinfo, COL_INFO, TRUE);
|
||||
|
||||
# if ( __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ > 5))
|
||||
# pragma GCC diagnostic push
|
||||
# pragma GCC diagnostic ignored "-Wformat-security"
|
||||
# endif
|
||||
/** The info_format_in_only and info_format_out_only should not have any format
|
||||
* specifiers in them, and as such, this function should not require additional
|
||||
* paramters. Warning silenced on gcc. There is no col_prepend_fence_str()
|
||||
* function in Wireshark. If you modify the value(s) for
|
||||
* info_format*_{in,out}_only, you do so at your own risk. */
|
||||
if(ingress != 0) {
|
||||
col_prepend_fence_fstr(pinfo->cinfo, COL_INFO, info_format_in_only);
|
||||
col_prepend_fence_fstr(pinfo->cinfo, COL_INFO, "%s", info_format_in_only);
|
||||
} else {
|
||||
col_prepend_fence_fstr(pinfo->cinfo, COL_INFO, info_format_out_only);
|
||||
col_prepend_fence_fstr(pinfo->cinfo, COL_INFO, "%s", info_format_out_only);
|
||||
}
|
||||
# if ( __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ > 5))
|
||||
# pragma GCC diagnostic pop
|
||||
# endif
|
||||
|
||||
/* Reset writable to whatever it was before we got here. */
|
||||
col_set_writable(pinfo->cinfo, COL_INFO, col_writable);
|
||||
|
@ -1093,25 +1228,25 @@ void proto_register_f5ethtrailer (void)
|
|||
}
|
||||
, { &hf_type,
|
||||
{ "Type", "f5ethtrailer.type", FT_UINT8, BASE_DEC, NULL,
|
||||
0x0, "F5ETHTRAILER type", HFILL }
|
||||
0x0, NULL, HFILL }
|
||||
}
|
||||
, { &hf_length,
|
||||
{ "Trailer length", "f5ethtrailer.length", FT_UINT8, BASE_DEC, NULL,
|
||||
0x0, "F5ETHTRAILER length", HFILL }
|
||||
0x0, NULL, HFILL }
|
||||
}
|
||||
, { &hf_version,
|
||||
{ "Version", "f5ethtrailer.version", FT_UINT8, BASE_DEC, NULL,
|
||||
0x0, "F5ETHTRAILER version", HFILL }
|
||||
0x0, NULL, HFILL }
|
||||
}
|
||||
|
||||
/* Low parameters */
|
||||
, { &hf_low_id,
|
||||
{ "F5 Low Details", "f5ethtrailer.low", FT_NONE, BASE_NONE, NULL,
|
||||
0x0, "Low Details", HFILL }
|
||||
{ "Low Details", "f5ethtrailer.low", FT_NONE, BASE_NONE, NULL,
|
||||
0x0, NULL, HFILL }
|
||||
}
|
||||
, { &hf_ingress,
|
||||
{ "Ingress", "f5ethtrailer.ingress", FT_BOOLEAN, BASE_NONE, NULL,
|
||||
0x0, "Incoming packet?", HFILL }
|
||||
0x0, NULL, HFILL }
|
||||
}
|
||||
, { &hf_slot0,
|
||||
{ "Slot (0-based)", "f5ethtrailer.slot", FT_UINT8, BASE_DEC, NULL,
|
||||
|
@ -1127,7 +1262,7 @@ void proto_register_f5ethtrailer (void)
|
|||
}
|
||||
, { &hf_vipnamelen,
|
||||
{ "VIP name length", "f5ethtrailer.vipnamelen", FT_UINT8, BASE_DEC, NULL,
|
||||
0x0, "Length of the VIP field", HFILL }
|
||||
0x0, NULL, HFILL }
|
||||
}
|
||||
, { &hf_vip,
|
||||
{ "VIP", "f5ethtrailer.vip", FT_STRING, BASE_NONE, NULL,
|
||||
|
@ -1136,60 +1271,48 @@ void proto_register_f5ethtrailer (void)
|
|||
|
||||
/* Medium parameters */
|
||||
, { &hf_med_id,
|
||||
{ "F5 Medium Details", "f5ethtrailer.medium", FT_NONE, BASE_NONE, NULL,
|
||||
0x0, "Medium Details", HFILL }
|
||||
{ "Medium Details", "f5ethtrailer.medium", FT_NONE, BASE_NONE, NULL,
|
||||
0x0, NULL, HFILL }
|
||||
}
|
||||
, { &hf_any_flow,
|
||||
{ "Flow ID or peer flow ID", "f5ethtrailer.anyflowid", FT_UINT32, BASE_HEX, NULL,
|
||||
0x0, "", HFILL }
|
||||
}
|
||||
, { &hf_any_flow64,
|
||||
{ "Flow ID or peer flow ID", "f5ethtrailer.anyflowid", FT_UINT64, BASE_HEX, NULL,
|
||||
0x0, "", HFILL }
|
||||
0x0, NULL, HFILL }
|
||||
}
|
||||
, { &hf_flow_id,
|
||||
{ "Flow ID", "f5ethtrailer.flowid", FT_UINT32, BASE_HEX, NULL,
|
||||
0x0, "Flow ID", HFILL }
|
||||
}
|
||||
, { &hf_flow_id64,
|
||||
{ "Flow ID", "f5ethtrailer.flowid", FT_UINT64, BASE_HEX, NULL,
|
||||
0x0, "Flow ID", HFILL }
|
||||
0x0, NULL, HFILL }
|
||||
}
|
||||
, { &hf_peer_id,
|
||||
{ "Peer ID", "f5ethtrailer.peerid", FT_UINT32, BASE_HEX, NULL,
|
||||
0x0, "Peer ID", HFILL }
|
||||
}
|
||||
, { &hf_peer_id64,
|
||||
{ "Peer ID", "f5ethtrailer.peerid", FT_UINT64, BASE_HEX, NULL,
|
||||
0x0, "Peer ID", HFILL }
|
||||
0x0, NULL, HFILL }
|
||||
}
|
||||
, { &hf_cf_flags,
|
||||
{ "Connflow Flags", "f5ethtrailer.cfflags", FT_UINT32, BASE_HEX, NULL,
|
||||
0x0, "Connflow flags", HFILL }
|
||||
0x0, NULL, HFILL }
|
||||
}
|
||||
, { &hf_cf_flags2,
|
||||
{ "Connflow Flags High Bits", "f5ethtrailer.cfflags2", FT_UINT32,
|
||||
BASE_HEX, NULL, 0x0, "Connflow flags high bits", HFILL }
|
||||
BASE_HEX, NULL, 0x0, NULL, HFILL }
|
||||
}
|
||||
, { &hf_flow_type,
|
||||
{ "Flow Type", "f5ethtrailer.flowtype", FT_UINT8, BASE_HEX, NULL,
|
||||
0x0, "Flow type", HFILL }
|
||||
0x0, NULL, HFILL }
|
||||
}
|
||||
, { &hf_ha_unit,
|
||||
{ "HA Unit", "f5ethtrailer.haunit", FT_UINT8, BASE_HEX, NULL,
|
||||
0x0, "HA unit", HFILL }
|
||||
0x0, NULL, HFILL }
|
||||
}
|
||||
, { &hf_ingress_slot,
|
||||
{ "Ingress Slot", "f5ethtrailer.ingressslot", FT_UINT16, BASE_DEC, NULL,
|
||||
0x0, "Ingress slot", HFILL }
|
||||
0x0, NULL, HFILL }
|
||||
}
|
||||
, { &hf_ingress_port,
|
||||
{ "Ingress Port", "f5ethtrailer.ingressport", FT_UINT16, BASE_DEC, NULL,
|
||||
0x0, "Ingress port", HFILL }
|
||||
0x0, NULL, HFILL }
|
||||
}
|
||||
, { &hf_priority,
|
||||
{ "Priority", "f5ethtrailer.priority", FT_UINT8, BASE_DEC, NULL,
|
||||
0x0, "Packet priority", HFILL }
|
||||
0x0, NULL, HFILL }
|
||||
}
|
||||
, { &hf_rstcause,
|
||||
{ "RST cause", "f5ethtrailer.rstcause", FT_NONE, BASE_NONE, NULL,
|
||||
|
@ -1222,16 +1345,16 @@ void proto_register_f5ethtrailer (void)
|
|||
|
||||
/* High parameters */
|
||||
, { &hf_high_id,
|
||||
{ "F5 High Details", "f5ethtrailer.high", FT_NONE, BASE_NONE, NULL,
|
||||
0x0, "High Details", HFILL }
|
||||
{ "High Details", "f5ethtrailer.high", FT_NONE, BASE_NONE, NULL,
|
||||
0x0, NULL, HFILL }
|
||||
}
|
||||
, { &hf_peer_ipproto,
|
||||
{ "Peer IP Protocol", "f5ethtrailer.peeripproto", FT_UINT8, BASE_DEC,
|
||||
NULL, 0x0, "Peer IP", HFILL }
|
||||
NULL, 0x0, NULL, HFILL }
|
||||
}
|
||||
, { &hf_peer_vlan,
|
||||
{ "Peer VLAN", "f5ethtrailer.peervlan", FT_UINT16, BASE_DEC, NULL,
|
||||
0x0, "Peer VLAN", HFILL }
|
||||
0x0, NULL, HFILL }
|
||||
}
|
||||
, { &hf_peer_remote_addr,
|
||||
{ "Peer remote address", "f5ethtrailer.peerremoteaddr", FT_IPv4,
|
||||
|
@ -1259,11 +1382,11 @@ void proto_register_f5ethtrailer (void)
|
|||
}
|
||||
, { &hf_peer_remote_rtdom,
|
||||
{ "Peer remote route domain", "f5ethtrailer.peerremotertdom", FT_UINT16,
|
||||
BASE_DEC, NULL, 0x0, "Peer remote route domain", HFILL }
|
||||
BASE_DEC, NULL, 0x0, NULL, HFILL }
|
||||
}
|
||||
, { &hf_peer_local_rtdom,
|
||||
{ "Peer local route domain", "f5ethtrailer.peerlocalrtdom", FT_UINT16,
|
||||
BASE_DEC, NULL, 0x0, "Peer local route domain", HFILL }
|
||||
BASE_DEC, NULL, 0x0, NULL, HFILL }
|
||||
}
|
||||
, { &hf_peer_rtdom,
|
||||
{ "Peer remote or local route domain", "f5ethtrailer.peerrtdom", FT_UINT16,
|
||||
|
@ -1271,11 +1394,11 @@ void proto_register_f5ethtrailer (void)
|
|||
}
|
||||
, { &hf_peer_remote_port,
|
||||
{ "Peer remote port", "f5ethtrailer.peerremoteport", FT_UINT16, BASE_DEC,
|
||||
NULL, 0x0, "Peer remote port", HFILL }
|
||||
NULL, 0x0, NULL, HFILL }
|
||||
}
|
||||
, { &hf_peer_local_port,
|
||||
{ "Peer local port", "f5ethtrailer.peerlocalport", FT_UINT16, BASE_DEC,
|
||||
NULL, 0x0, "Peer local port", HFILL }
|
||||
NULL, 0x0, NULL, HFILL }
|
||||
}
|
||||
, { &hf_peer_port,
|
||||
{ "Peer remote or local port", "f5ethtrailer.peerport", FT_UINT16, BASE_DEC,
|
||||
|
@ -1288,7 +1411,7 @@ void proto_register_f5ethtrailer (void)
|
|||
|
||||
/* Analysis parameters */
|
||||
, { &hf_analysis,
|
||||
{ "F5 Analysis", "f5ethtrailer.analysis", FT_NONE, BASE_NONE, NULL,
|
||||
{ "Analysis", "f5ethtrailer.analysis", FT_NONE, BASE_NONE, NULL,
|
||||
0x0, "Analysis of details", HFILL }
|
||||
}
|
||||
, { &hf_analysis_flowreuse,
|
||||
|
@ -1712,7 +1835,7 @@ static void perform_analysis(struct f5eth_analysis_data_t *ad)
|
|||
* @param tvb A pointer to a TV buffer for the packet.
|
||||
* @param pinfo A pointer to the packet info struction for the packet
|
||||
* @param tree A pointer to the protocol tree structure
|
||||
* @param tdata A pointer to the intra-noise information data
|
||||
* @param ad A pointer to the intra-noise information data
|
||||
*
|
||||
* There is a shortcoming in the Ethernet dissector where the trailer dissectors are not called
|
||||
* when there is no protocol tree. So, for example, when first loading the file, this is not
|
||||
|
@ -1724,7 +1847,7 @@ static void render_analysis(
|
|||
tvbuff_t *tvb,
|
||||
packet_info *pinfo,
|
||||
proto_tree *tree,
|
||||
struct f5eth_analysis_data_t *ad)
|
||||
const struct f5eth_analysis_data_t *ad)
|
||||
{
|
||||
proto_item *pi;
|
||||
proto_tree *pt;
|
||||
|
@ -1756,21 +1879,21 @@ static gboolean ip_tap_pkt(
|
|||
const void *data
|
||||
) {
|
||||
struct f5eth_analysis_data_t *ad;
|
||||
ws_ip *iph;
|
||||
const ws_ip4 *iph;
|
||||
|
||||
if((ad = get_f5eth_analysis_data(pinfo)) == NULL) return(FALSE);
|
||||
if(ad->ip_visited == 1) return(FALSE);
|
||||
ad->ip_visited = 1;
|
||||
|
||||
if(data == NULL) return(FALSE);
|
||||
iph = (ws_ip *)data;
|
||||
iph = (const ws_ip4 *)data;
|
||||
|
||||
/* Only care about TCP at this time */
|
||||
/* We wait until here to make this check so that if TCP in encapsulated in something else, we
|
||||
* don't work on the encapsulated header. So, we only want to work on TCP if it associated
|
||||
* with the first IP header (not if it's embedded in an ICMP datagram or some sort of tunnel).
|
||||
*/
|
||||
if(iph->ip_nxt != IP_PROTO_TCP) {
|
||||
if(iph->ip_proto != IP_PROTO_TCP) {
|
||||
ad->ip_istcp = 0;
|
||||
return(FALSE);
|
||||
}
|
||||
|
@ -1791,14 +1914,14 @@ static gboolean ipv6_tap_pkt(
|
|||
const void *data
|
||||
) {
|
||||
struct f5eth_analysis_data_t *ad;
|
||||
struct ws_ip6_hdr *ipv6h;
|
||||
const struct ws_ip6_hdr *ipv6h;
|
||||
|
||||
if((ad = get_f5eth_analysis_data(pinfo)) == NULL) return(FALSE);
|
||||
if(ad->ip_visited == 1) return(FALSE);
|
||||
ad->ip_visited = 1;
|
||||
|
||||
if(data == NULL) return(FALSE);
|
||||
ipv6h = (struct ws_ip6_hdr *)data;
|
||||
ipv6h = (const struct ws_ip6_hdr *)data;
|
||||
|
||||
/* Only care about TCP at this time */
|
||||
/* We wait until here to make this check so that if TCP in encapsulated in something else, we
|
||||
|
@ -1829,14 +1952,14 @@ static gboolean tcp_tap_pkt(
|
|||
const void *data
|
||||
) {
|
||||
struct f5eth_analysis_data_t *ad;
|
||||
tcp_info_t *tcph;
|
||||
const tcp_info_t *tcph;
|
||||
|
||||
if((ad = get_f5eth_analysis_data(pinfo)) == NULL) return(FALSE);
|
||||
if(ad->tcp_visited == 1) return(FALSE);
|
||||
ad->tcp_visited = 1;
|
||||
|
||||
if(data == NULL) return(FALSE);
|
||||
tcph = (tcp_info_t *)data;
|
||||
tcph = (const tcp_info_t *)data;
|
||||
|
||||
ad->tcp_synset = (tcph->th_flags & TH_SYN) ? 1 : 0;
|
||||
ad->tcp_ackset = (tcph->th_flags & TH_ACK) ? 1 : 0;
|
||||
|
@ -2210,13 +2333,13 @@ dissect_med_trailer(
|
|||
} else {
|
||||
/* After v10, flowIDs are 64bit */
|
||||
tdata->flow = tvb_get_ntoh64(tvb,o);
|
||||
pi = proto_tree_add_item(tree, hf_flow_id64, tvb, o, 8, ENC_BIG_ENDIAN);
|
||||
pi = proto_tree_add_item(tree, hf_any_flow64, tvb, o, 8, ENC_BIG_ENDIAN);
|
||||
pi = proto_tree_add_item(tree, hf_flow_id, tvb, o, 8, ENC_BIG_ENDIAN);
|
||||
pi = proto_tree_add_item(tree, hf_any_flow, tvb, o, 8, ENC_BIG_ENDIAN);
|
||||
PROTO_ITEM_SET_HIDDEN(pi);
|
||||
o += 8;
|
||||
tdata->peer_flow = tvb_get_ntoh64(tvb,o);
|
||||
pi = proto_tree_add_item(tree, hf_peer_id64, tvb, o, 8, ENC_BIG_ENDIAN);
|
||||
pi = proto_tree_add_item(tree, hf_any_flow64, tvb, o, 8, ENC_BIG_ENDIAN);
|
||||
pi = proto_tree_add_item(tree, hf_peer_id, tvb, o, 8, ENC_BIG_ENDIAN);
|
||||
pi = proto_tree_add_item(tree, hf_any_flow, tvb, o, 8, ENC_BIG_ENDIAN);
|
||||
PROTO_ITEM_SET_HIDDEN(pi);
|
||||
o += 8;
|
||||
}
|
||||
|
@ -2283,7 +2406,7 @@ dissect_med_trailer(
|
|||
tvb_get_string_enc(wmem_packet_scope(), tvb, o, rstcauselen-(o-startcause),
|
||||
ENC_ASCII));
|
||||
pi = proto_tree_add_item(rc_tree, hf_rstcause_txt, tvb, o, rstcauselen-(o-startcause),
|
||||
ENC_ASCII);
|
||||
ENC_ASCII|ENC_NA);
|
||||
o += (rstcauselen - (o-startcause)); /* XXX This is strange */
|
||||
break;
|
||||
default:
|
||||
|
@ -2441,7 +2564,7 @@ dissect_low_trailer(
|
|||
PROTO_ITEM_SET_HIDDEN(pi);
|
||||
o += 1;
|
||||
}
|
||||
pi = proto_tree_add_item(tree, hf_vip, tvb, o, vipnamelen, ENC_ASCII);
|
||||
pi = proto_tree_add_item(tree, hf_vip, tvb, o, vipnamelen, ENC_ASCII|ENC_NA);
|
||||
o += vipnamelen;
|
||||
|
||||
return(trailer_length);
|
||||
|
@ -2641,7 +2764,7 @@ dissect_f5ethtrailer(
|
|||
* dissectors have a chance to dissect (and the Ethernet dissector does not
|
||||
* waste its time rendering Ethernet information for no reason).
|
||||
*/
|
||||
gboolean
|
||||
static gboolean
|
||||
dissect_f5fileinfo(
|
||||
tvbuff_t *tvb
|
||||
, packet_info *pinfo
|
||||
|
@ -2687,7 +2810,7 @@ dissect_f5fileinfo(
|
|||
guint i;
|
||||
const guint8 *c;
|
||||
|
||||
proto_tree_add_item(tree, hf_fi_version, tvb, offset+5, objlen-6, ENC_ASCII);
|
||||
proto_tree_add_item(tree, hf_fi_version, tvb, offset+5, objlen-6, ENC_ASCII|ENC_NA);
|
||||
for(c=object; *c && (*c < '0' || *c > '9'); c++);
|
||||
for(i=0; i<6 && *c; c++) {
|
||||
if(*c < '0' || *c > '9') {
|
||||
|
@ -2697,13 +2820,13 @@ dissect_f5fileinfo(
|
|||
}
|
||||
}
|
||||
else if(strncmp(object, "HOST: ", 6) == 0)
|
||||
proto_tree_add_item(tree, hf_fi_hostname, tvb, offset+6, objlen-7, ENC_ASCII);
|
||||
proto_tree_add_item(tree, hf_fi_hostname, tvb, offset+6, objlen-7, ENC_ASCII|ENC_NA);
|
||||
else if(strncmp(object, "PLAT: ", 6) == 0) {
|
||||
proto_tree_add_item(tree, hf_fi_platform, tvb, offset+6, objlen-7, ENC_ASCII);
|
||||
proto_tree_add_item(tree, hf_fi_platform, tvb, offset+6, objlen-7, ENC_ASCII|ENC_NA);
|
||||
platform = tvb_get_string_enc(wmem_packet_scope(), tvb, offset+6, objlen-7, ENC_ASCII);
|
||||
}
|
||||
else if(strncmp(object, "PROD: ", 6) == 0)
|
||||
proto_tree_add_item(tree, hf_fi_product, tvb, offset+6, objlen-7, ENC_ASCII);
|
||||
proto_tree_add_item(tree, hf_fi_product, tvb, offset+6, objlen-7, ENC_ASCII|ENC_NA);
|
||||
|
||||
offset += objlen;
|
||||
}
|
||||
|
|
|
@ -1,19 +1,8 @@
|
|||
/* packet-f5ethtrailer.h
|
||||
* This program is free software; you can redistribute it and/or
|
||||
* modify it under the terms of the GNU General Public License
|
||||
* as published by the Free Software Foundation; either version 2
|
||||
* of the License, or (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License
|
||||
* along with this program; if not, write to the Free Software
|
||||
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
*
|
||||
* F5 Ethernet Trailer Copyright 2008-2017 F5 Networks
|
||||
*
|
||||
* SPDX-License-Identifier: GPL-2.0-or-later
|
||||
*/
|
||||
|
||||
/* How to use the fileinfo version tap
|
||||
|
@ -52,7 +41,7 @@
|
|||
* change.
|
||||
* Example:
|
||||
* #define F5FILEINFO_TAP_POST_FUNC f5info_tap_local
|
||||
* #include <plugins/f5ethtrailer/packet-f5ethtrailer.h>
|
||||
* #include <epan/dissectors/packet-f5ethtrailer.h>
|
||||
* ...
|
||||
* static void f5info_tap_local(struct f5fileinfo_tap_data *tap_data)
|
||||
* {
|
||||
|
|
|
@ -392,6 +392,9 @@ sub is_from_other_protocol_whitelist {
|
|||
if (($proto_filename eq "packet-dvb-ipdc.c") && (index($_[0], "ipdc") >= 0)) {return 1;}
|
||||
if (($proto_filename eq "packet-enip.c") && (index($_[0], "cip") >= 0)) {return 1;}
|
||||
if (($proto_filename eq "packet-extreme.c") && (index($_[0], "llc") >= 0)) {return 1;}
|
||||
if (($proto_filename eq "packet-f5ethtrailer.c") && (index($_[0], "ip") >= 0)) {return 1;}
|
||||
if (($proto_filename eq "packet-f5ethtrailer.c") && (index($_[0], "udp") >= 0)) {return 1;}
|
||||
if (($proto_filename eq "packet-f5ethtrailer.c") && (index($_[0], "tcp") >= 0)) {return 1;}
|
||||
if (($proto_filename eq "packet-fmp_notify.c") && (index($_[0], "fmp") >= 0)) {return 1;}
|
||||
if (($proto_filename eq "packet-foundry.c") && (index($_[0], "llc") >= 0)) {return 1;}
|
||||
if (($proto_filename eq "packet-glusterfs.c") && (index($_[0], "gluster") >= 0)) {return 1;}
|
||||
|
|
Loading…
Reference in New Issue