1998-09-16 02:39:15 +00:00
|
|
|
/* packet-eth.c
|
|
|
|
* Routines for ethernet packet disassembly
|
|
|
|
*
|
2004-07-18 00:24:25 +00:00
|
|
|
* $Id$
|
1998-09-16 03:22:19 +00:00
|
|
|
*
|
1998-09-16 02:39:15 +00:00
|
|
|
* Ethereal - Network traffic analyzer
|
2001-06-29 09:42:45 +00:00
|
|
|
* By Gerald Combs <gerald@ethereal.com>
|
1998-09-16 02:39:15 +00:00
|
|
|
* Copyright 1998 Gerald Combs
|
2002-08-28 21:04:11 +00:00
|
|
|
*
|
1998-09-16 02:39:15 +00:00
|
|
|
* This program is free software; you can redistribute it and/or
|
|
|
|
* modify it under the terms of the GNU General Public License
|
|
|
|
* as published by the Free Software Foundation; either version 2
|
|
|
|
* of the License, or (at your option) any later version.
|
2002-08-28 21:04:11 +00:00
|
|
|
*
|
1998-09-16 02:39:15 +00:00
|
|
|
* This program is distributed in the hope that it will be useful,
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
* GNU General Public License for more details.
|
2002-08-28 21:04:11 +00:00
|
|
|
*
|
1998-09-16 02:39:15 +00:00
|
|
|
* You should have received a copy of the GNU General Public License
|
|
|
|
* along with this program; if not, write to the Free Software
|
|
|
|
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
|
|
|
|
*/
|
|
|
|
|
|
|
|
#ifdef HAVE_CONFIG_H
|
|
|
|
# include "config.h"
|
|
|
|
#endif
|
|
|
|
|
1999-03-23 03:14:46 +00:00
|
|
|
#include <glib.h>
|
2002-01-21 07:37:49 +00:00
|
|
|
#include <epan/packet.h>
|
2004-09-27 22:55:15 +00:00
|
|
|
#include <epan/prefs.h>
|
2005-09-17 00:02:31 +00:00
|
|
|
#include <epan/etypes.h>
|
2004-08-06 19:57:49 +00:00
|
|
|
#include <epan/addr_resolv.h>
|
2000-05-19 05:29:44 +00:00
|
|
|
#include "packet-eth.h"
|
2001-02-08 07:08:05 +00:00
|
|
|
#include "packet-ieee8023.h"
|
2000-02-15 21:06:58 +00:00
|
|
|
#include "packet-ipx.h"
|
|
|
|
#include "packet-isl.h"
|
|
|
|
#include "packet-llc.h"
|
2004-09-28 00:06:32 +00:00
|
|
|
#include <epan/crc32.h>
|
2004-09-29 00:06:36 +00:00
|
|
|
#include <epan/tap.h>
|
1998-09-16 02:39:15 +00:00
|
|
|
|
2004-11-24 06:04:43 +00:00
|
|
|
/* Interpret packets as FW1 monitor file packets if they look as if they are */
|
2002-08-08 09:28:11 +00:00
|
|
|
static gboolean eth_interpret_as_fw1_monitor = FALSE;
|
|
|
|
|
1999-07-07 22:52:57 +00:00
|
|
|
/* protocols and header fields */
|
1999-07-29 05:47:07 +00:00
|
|
|
static int proto_eth = -1;
|
|
|
|
static int hf_eth_dst = -1;
|
|
|
|
static int hf_eth_src = -1;
|
|
|
|
static int hf_eth_len = -1;
|
|
|
|
static int hf_eth_type = -1;
|
2000-03-20 21:21:33 +00:00
|
|
|
static int hf_eth_addr = -1;
|
2000-05-17 03:05:39 +00:00
|
|
|
static int hf_eth_trailer = -1;
|
1999-07-07 22:52:57 +00:00
|
|
|
|
1999-11-16 11:44:20 +00:00
|
|
|
static gint ett_ieee8023 = -1;
|
|
|
|
static gint ett_ether2 = -1;
|
|
|
|
|
2002-08-08 09:28:11 +00:00
|
|
|
static dissector_handle_t fw1_handle;
|
2004-02-03 23:19:54 +00:00
|
|
|
static heur_dissector_list_t heur_subdissector_list;
|
Tvbuffify the CDP, CGMP, ISL, and VTP dissectors.
Add a new subdissector table in the LLC dissector for protocol IDs with
a Cisco OUI, and register the CDP, CGMP, and VTMP dissectors in that
table, rather than calling them via a switch statement.
Register the ISL dissector by name, and have the Ethernet dissector call
it via a handle.
Fix the handling of the checksum field in the CDP dissector.
The strings in CDP are counted, not null-terminated; treat them as such.
Fix the handling of the encapsulated frame CRC, and the encapsulated
frame, in the ISL dissector, at least for Ethernet frames; it may not be
correct for encapsulated Token Ring frames.
svn path=/trunk/; revision=2792
2000-12-28 09:49:09 +00:00
|
|
|
|
2003-01-22 01:18:03 +00:00
|
|
|
static int eth_tap = -1;
|
|
|
|
|
1999-08-18 00:57:54 +00:00
|
|
|
#define ETH_HEADER_SIZE 14
|
|
|
|
|
1998-09-16 02:39:15 +00:00
|
|
|
/* These are the Netware-ish names for the different Ethernet frame types.
|
|
|
|
EthernetII: The ethernet with a Type field instead of a length field
|
2000-05-16 06:21:33 +00:00
|
|
|
Ethernet802.2: An 802.3 header followed by an 802.2 header
|
1998-09-16 02:39:15 +00:00
|
|
|
Ethernet802.3: A raw 802.3 packet. IPX/SPX can be the only payload.
|
2001-01-03 10:34:42 +00:00
|
|
|
There's no 802.2 hdr in this.
|
1998-09-16 02:39:15 +00:00
|
|
|
EthernetSNAP: Basically 802.2, just with 802.2SNAP. For our purposes,
|
|
|
|
there's no difference between 802.2 and 802.2SNAP, since we just
|
2001-01-03 10:34:42 +00:00
|
|
|
pass it down to the LLC dissector. -- Gilbert
|
1998-09-16 02:39:15 +00:00
|
|
|
*/
|
|
|
|
#define ETHERNET_II 0
|
|
|
|
#define ETHERNET_802_2 1
|
|
|
|
#define ETHERNET_802_3 2
|
|
|
|
#define ETHERNET_SNAP 3
|
|
|
|
|
1999-02-09 00:35:38 +00:00
|
|
|
void
|
2002-08-02 23:36:07 +00:00
|
|
|
capture_eth(const guchar *pd, int offset, int len, packet_counts *ld)
|
2000-01-23 08:55:37 +00:00
|
|
|
{
|
|
|
|
guint16 etype, length;
|
1999-08-18 00:57:54 +00:00
|
|
|
int ethhdr_type; /* the type of ethernet frame */
|
1999-09-15 06:26:42 +00:00
|
|
|
|
2001-11-20 21:59:18 +00:00
|
|
|
if (!BYTES_ARE_IN_FRAME(offset, len, ETH_HEADER_SIZE)) {
|
1999-09-15 06:26:42 +00:00
|
|
|
ld->other++;
|
|
|
|
return;
|
|
|
|
}
|
2002-08-28 21:04:11 +00:00
|
|
|
|
2000-01-23 08:55:37 +00:00
|
|
|
etype = pntohs(&pd[offset+12]);
|
1999-02-09 00:35:38 +00:00
|
|
|
|
2004-11-03 20:20:45 +00:00
|
|
|
if (etype <= IEEE_802_3_MAX_LEN) {
|
|
|
|
/* Oh, yuck. Cisco ISL frames require special interpretation of the
|
|
|
|
destination address field; fortunately, they can be recognized by
|
|
|
|
checking the first 5 octets of the destination address, which are
|
|
|
|
01-00-0C-00-00 or 0C-00-0C-00-00 for ISL frames. */
|
|
|
|
if ((pd[offset] == 0x01 || pd[offset] == 0x0C) && pd[offset+1] == 0x00
|
|
|
|
&& pd[offset+2] == 0x0C && pd[offset+3] == 0x00
|
|
|
|
&& pd[offset+4] == 0x00) {
|
|
|
|
capture_isl(pd, offset, len, ld);
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2003-01-22 06:26:36 +00:00
|
|
|
/*
|
|
|
|
* If the type/length field is <= the maximum 802.3 length,
|
|
|
|
* and is not zero, this is an 802.3 frame, and it's a length
|
|
|
|
* field; it might be an Novell "raw 802.3" frame, with no
|
|
|
|
* 802.2 LLC header, or it might be a frame with an 802.2 LLC
|
|
|
|
* header.
|
|
|
|
*
|
|
|
|
* If the type/length field is > the maximum 802.3 length,
|
|
|
|
* this is an Ethernet II frame, and it's a type field.
|
|
|
|
*
|
|
|
|
* If the type/length field is zero (ETHERTYPE_UNK), this is
|
|
|
|
* a frame used internally by the Cisco MDS switch to contain
|
|
|
|
* Fibre Channel ("Vegas"). We treat that as an Ethernet II
|
|
|
|
* frame; the dissector for those frames registers itself with
|
|
|
|
* an ethernet type of ETHERTYPE_UNK.
|
|
|
|
*/
|
|
|
|
if (etype <= IEEE_802_3_MAX_LEN && etype != ETHERTYPE_UNK) {
|
2000-01-23 08:55:37 +00:00
|
|
|
length = etype;
|
1999-02-09 00:35:38 +00:00
|
|
|
|
2000-01-23 08:55:37 +00:00
|
|
|
/* Is there an 802.2 layer? I can tell by looking at the first 2
|
|
|
|
bytes after the 802.3 header. If they are 0xffff, then what
|
|
|
|
follows the 802.3 header is an IPX payload, meaning no 802.2.
|
|
|
|
(IPX/SPX is they only thing that can be contained inside a
|
|
|
|
straight 802.3 packet). A non-0xffff value means that there's an
|
|
|
|
802.2 layer inside the 802.3 layer */
|
|
|
|
if (pd[offset+14] == 0xff && pd[offset+15] == 0xff) {
|
1999-02-09 00:35:38 +00:00
|
|
|
ethhdr_type = ETHERNET_802_3;
|
|
|
|
}
|
|
|
|
else {
|
|
|
|
ethhdr_type = ETHERNET_802_2;
|
|
|
|
}
|
2000-01-23 08:55:37 +00:00
|
|
|
|
|
|
|
/* Convert the LLC length from the 802.3 header to a total
|
2000-01-24 01:15:37 +00:00
|
|
|
frame length, by adding in the size of any data that preceded
|
|
|
|
the Ethernet header, and adding in the Ethernet header size,
|
|
|
|
and set the payload and captured-payload lengths to the minima
|
2000-01-23 08:55:37 +00:00
|
|
|
of the total length and the frame lengths. */
|
2000-01-24 01:15:37 +00:00
|
|
|
length += offset + ETH_HEADER_SIZE;
|
2001-11-20 22:29:07 +00:00
|
|
|
if (len > length)
|
|
|
|
len = length;
|
1999-02-09 00:35:38 +00:00
|
|
|
} else {
|
|
|
|
ethhdr_type = ETHERNET_II;
|
|
|
|
}
|
2000-01-23 08:55:37 +00:00
|
|
|
offset += ETH_HEADER_SIZE;
|
1999-02-09 00:35:38 +00:00
|
|
|
|
|
|
|
switch (ethhdr_type) {
|
|
|
|
case ETHERNET_802_3:
|
2002-04-24 06:03:34 +00:00
|
|
|
capture_ipx(ld);
|
1999-02-09 00:35:38 +00:00
|
|
|
break;
|
|
|
|
case ETHERNET_802_2:
|
2001-11-20 21:59:18 +00:00
|
|
|
capture_llc(pd, offset, len, ld);
|
1999-02-09 00:35:38 +00:00
|
|
|
break;
|
|
|
|
case ETHERNET_II:
|
2001-11-20 21:59:18 +00:00
|
|
|
capture_ethertype(etype, pd, offset, len, ld);
|
1999-02-09 00:35:38 +00:00
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2001-01-21 20:16:01 +00:00
|
|
|
static void
|
2005-04-11 08:43:51 +00:00
|
|
|
dissect_eth_common(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
|
2003-10-01 07:11:49 +00:00
|
|
|
int fcs_len)
|
2000-01-24 01:15:37 +00:00
|
|
|
{
|
2000-05-15 06:22:07 +00:00
|
|
|
proto_item *ti;
|
2005-01-01 23:11:46 +00:00
|
|
|
eth_hdr *volatile ehdr;
|
2001-02-08 07:08:05 +00:00
|
|
|
volatile gboolean is_802_2;
|
2001-01-18 08:28:09 +00:00
|
|
|
proto_tree *volatile fh_tree = NULL;
|
2005-07-09 00:53:17 +00:00
|
|
|
const guint8 *src_addr, *dst_addr;
|
2003-08-23 09:09:35 +00:00
|
|
|
static eth_hdr ehdrs[4];
|
|
|
|
static int ehdr_num=0;
|
2005-05-05 11:02:31 +00:00
|
|
|
proto_tree *volatile tree;
|
2003-08-23 09:09:35 +00:00
|
|
|
|
|
|
|
ehdr_num++;
|
|
|
|
if(ehdr_num>=4){
|
|
|
|
ehdr_num=0;
|
|
|
|
}
|
|
|
|
ehdr=&ehdrs[ehdr_num];
|
|
|
|
|
2005-04-11 08:43:51 +00:00
|
|
|
tree=parent_tree;
|
2000-05-15 06:22:07 +00:00
|
|
|
|
2001-12-10 00:26:21 +00:00
|
|
|
if (check_col(pinfo->cinfo, COL_PROTOCOL))
|
|
|
|
col_set_str(pinfo->cinfo, COL_PROTOCOL, "Ethernet");
|
Generalize the "ip_src" and "ip_dst" members of the "packet_info"
structure to "dl_src"/"dl_dst", "net_src"/"net_dst", and "src"/"dst"
addresses, where an address is an address type, an address length in
bytes, and a pointer to that many bytes.
"dl_{src,dst}" are the link-layer source/destination; "net_{src,dst}"
are the network-layer source/destination; "{src,dst}" are the
source/destination from the highest of those two layers that we have in
the packet.
Add a port type to "packet_info" as well, specifying whether it's a TCP
or UDP port.
Don't set the address and port columns in the dissector functions; just
set the address and port members of the "packet_info" structure. Set
the columns in "fill_in_columns()"; this means that if we're showing
COL_{DEF,RES,UNRES}_SRC" or "COL_{DEF,RES,UNRES}_DST", we only generate
the string from "src" or "dst", we don't generate a string for the
link-layer address and then overwrite it with a string for the
network-layer address (generating those strings costs CPU).
Add support for "conversations", where a "conversation" is (at present)
a source and destination address and a source and destination port. (In
the future, we may support "conversations" above the transport layer,
e.g. a TFTP conversation, where the first packet goes from the client to
the TFTP server port, but the reply comes back from a different port,
and all subsequent packets go between the client address/port and the
server address/new port, or an NFS conversation, which might include
lock manager, status monitor, and mount packets, as well as NFS
packets.)
Currently, all we support is a call that takes the source and
destination address/port pairs, looks them up in a hash table, and:
if nothing is found, creates a new entry in the hash table, and
assigns it a unique 32-bit conversation ID, and returns that
conversation ID;
if an entry is found, returns its conversation ID.
Use that in the SMB and AFS code to keep track of individual SMB or AFS
conversations. We need to match up requests and replies, as, for
certain replies, the operation code for the request to which it's a
reply doesn't show up in the reply - you have to find the request with a
matching transaction ID. Transaction IDs are per-conversation, so the
hash table for requests should include a conversation ID and transaction
ID as the key.
This allows SMB and AFS decoders to handle IPv4 or IPv6 addresses
transparently (and should allow the SMB decoder to handle NetBIOS atop
other protocols as well, if the source and destination address and port
values in the "packet_info" structure are set appropriately).
In the "Follow TCP Connection" code, check to make sure that the
addresses are IPv4 addressses; ultimately, that code should be changed
to use the conversation code instead, which will let it handle IPv6
transparently.
svn path=/trunk/; revision=909
1999-10-22 07:18:23 +00:00
|
|
|
|
2003-08-23 09:09:35 +00:00
|
|
|
src_addr=tvb_get_ptr(tvb, 6, 6);
|
|
|
|
SET_ADDRESS(&pinfo->dl_src, AT_ETHER, 6, src_addr);
|
|
|
|
SET_ADDRESS(&pinfo->src, AT_ETHER, 6, src_addr);
|
|
|
|
SET_ADDRESS(&ehdr->src, AT_ETHER, 6, src_addr);
|
|
|
|
dst_addr=tvb_get_ptr(tvb, 0, 6);
|
|
|
|
SET_ADDRESS(&pinfo->dl_dst, AT_ETHER, 6, dst_addr);
|
|
|
|
SET_ADDRESS(&pinfo->dst, AT_ETHER, 6, dst_addr);
|
|
|
|
SET_ADDRESS(&ehdr->dst, AT_ETHER, 6, dst_addr);
|
1998-09-16 02:39:15 +00:00
|
|
|
|
2003-08-23 09:09:35 +00:00
|
|
|
ehdr->type = tvb_get_ntohs(tvb, 12);
|
1998-09-16 02:39:15 +00:00
|
|
|
|
2004-02-03 23:19:54 +00:00
|
|
|
/*
|
|
|
|
* In case the packet is a non-Ethernet packet inside
|
|
|
|
* Ethernet framing, allow heuristic dissectors to take
|
|
|
|
* a first look before we assume that it's actually an
|
|
|
|
* Ethernet packet.
|
|
|
|
*/
|
2005-04-11 08:43:51 +00:00
|
|
|
if (dissector_try_heuristic(heur_subdissector_list, tvb, pinfo, parent_tree))
|
2004-02-03 23:19:54 +00:00
|
|
|
goto end_of_eth;
|
|
|
|
|
2004-11-03 20:20:45 +00:00
|
|
|
if (ehdr->type <= IEEE_802_3_MAX_LEN) {
|
|
|
|
/* Oh, yuck. Cisco ISL frames require special interpretation of the
|
|
|
|
destination address field; fortunately, they can be recognized by
|
|
|
|
checking the first 5 octets of the destination address, which are
|
|
|
|
01-00-0C-00-00 for ISL frames. */
|
|
|
|
if ( (tvb_get_guint8(tvb, 0) == 0x01 ||
|
|
|
|
tvb_get_guint8(tvb, 0) == 0x0C) &&
|
|
|
|
tvb_get_guint8(tvb, 1) == 0x00 &&
|
|
|
|
tvb_get_guint8(tvb, 2) == 0x0C &&
|
|
|
|
tvb_get_guint8(tvb, 3) == 0x00 &&
|
|
|
|
tvb_get_guint8(tvb, 4) == 0x00 ) {
|
2005-04-11 08:43:51 +00:00
|
|
|
dissect_isl(tvb, pinfo, parent_tree, fcs_len);
|
2004-11-03 20:20:45 +00:00
|
|
|
goto end_of_eth;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2003-01-22 06:26:36 +00:00
|
|
|
/*
|
|
|
|
* If the type/length field is <= the maximum 802.3 length,
|
|
|
|
* and is not zero, this is an 802.3 frame, and it's a length
|
|
|
|
* field; it might be an Novell "raw 802.3" frame, with no
|
|
|
|
* 802.2 LLC header, or it might be a frame with an 802.2 LLC
|
|
|
|
* header.
|
|
|
|
*
|
|
|
|
* If the type/length field is > the maximum 802.3 length,
|
|
|
|
* this is an Ethernet II frame, and it's a type field.
|
|
|
|
*
|
|
|
|
* If the type/length field is zero (ETHERTYPE_UNK), this is
|
|
|
|
* a frame used internally by the Cisco MDS switch to contain
|
|
|
|
* Fibre Channel ("Vegas"). We treat that as an Ethernet II
|
|
|
|
* frame; the dissector for those frames registers itself with
|
|
|
|
* an ethernet type of ETHERTYPE_UNK.
|
|
|
|
*/
|
2003-08-23 09:09:35 +00:00
|
|
|
if (ehdr->type <= IEEE_802_3_MAX_LEN && ehdr->type != ETHERTYPE_UNK) {
|
1999-08-24 06:10:05 +00:00
|
|
|
/* Is there an 802.2 layer? I can tell by looking at the first 2
|
|
|
|
bytes after the 802.3 header. If they are 0xffff, then what
|
|
|
|
follows the 802.3 header is an IPX payload, meaning no 802.2.
|
|
|
|
(IPX/SPX is they only thing that can be contained inside a
|
|
|
|
straight 802.3 packet). A non-0xffff value means that there's an
|
|
|
|
802.2 layer inside the 802.3 layer */
|
2001-02-08 07:08:05 +00:00
|
|
|
is_802_2 = TRUE;
|
2000-05-16 06:21:33 +00:00
|
|
|
TRY {
|
|
|
|
if (tvb_get_ntohs(tvb, 14) == 0xffff) {
|
2001-02-08 07:08:05 +00:00
|
|
|
is_802_2 = FALSE;
|
2000-05-16 06:21:33 +00:00
|
|
|
}
|
1998-09-27 22:12:47 +00:00
|
|
|
}
|
2000-05-16 06:21:33 +00:00
|
|
|
CATCH2(BoundsError, ReportedBoundsError) {
|
|
|
|
; /* do nothing */
|
|
|
|
|
1998-09-27 22:12:47 +00:00
|
|
|
}
|
2000-05-16 06:21:33 +00:00
|
|
|
ENDTRY;
|
1998-09-27 22:12:47 +00:00
|
|
|
|
2001-12-10 00:26:21 +00:00
|
|
|
if (check_col(pinfo->cinfo, COL_INFO)) {
|
|
|
|
col_add_fstr(pinfo->cinfo, COL_INFO, "IEEE 802.3 Ethernet %s",
|
2001-02-08 07:08:05 +00:00
|
|
|
(is_802_2 ? "" : "Raw "));
|
1999-08-24 06:10:05 +00:00
|
|
|
}
|
1998-09-16 02:39:15 +00:00
|
|
|
if (tree) {
|
2001-01-18 07:44:41 +00:00
|
|
|
ti = proto_tree_add_protocol_format(tree, proto_eth, tvb, 0, ETH_HEADER_SIZE,
|
2001-03-22 23:22:23 +00:00
|
|
|
"IEEE 802.3 Ethernet %s", (is_802_2 ? "" : "Raw "));
|
1999-07-07 22:52:57 +00:00
|
|
|
|
2001-01-18 07:44:41 +00:00
|
|
|
fh_tree = proto_item_add_subtree(ti, ett_ieee8023);
|
2003-08-23 09:09:35 +00:00
|
|
|
}
|
1999-07-07 22:52:57 +00:00
|
|
|
|
2005-04-11 08:43:51 +00:00
|
|
|
/* if IP is not referenced from any filters we dont need to worry about
|
|
|
|
generating any tree items. We must do this after we created the actual
|
|
|
|
protocol above so that proto hier stat still works though.
|
|
|
|
*/
|
|
|
|
if(!proto_field_is_referenced(parent_tree, proto_eth)){
|
|
|
|
tree=NULL;
|
|
|
|
fh_tree=NULL;
|
|
|
|
}
|
|
|
|
|
2003-08-23 09:09:35 +00:00
|
|
|
proto_tree_add_ether(fh_tree, hf_eth_dst, tvb, 0, 6, dst_addr);
|
|
|
|
proto_tree_add_ether(fh_tree, hf_eth_src, tvb, 6, 6, src_addr);
|
2000-03-20 21:21:33 +00:00
|
|
|
|
|
|
|
/* add items for eth.addr filter */
|
2003-08-23 09:09:35 +00:00
|
|
|
proto_tree_add_ether_hidden(fh_tree, hf_eth_addr, tvb, 0, 6, dst_addr);
|
|
|
|
proto_tree_add_ether_hidden(fh_tree, hf_eth_addr, tvb, 6, 6, src_addr);
|
1998-09-16 02:39:15 +00:00
|
|
|
|
2005-04-11 08:43:51 +00:00
|
|
|
dissect_802_3(ehdr->type, is_802_2, tvb, ETH_HEADER_SIZE, pinfo, parent_tree, fh_tree,
|
2003-10-01 07:11:49 +00:00
|
|
|
hf_eth_len, hf_eth_trailer, fcs_len);
|
1998-09-27 22:12:47 +00:00
|
|
|
} else {
|
2002-08-08 09:28:11 +00:00
|
|
|
if (eth_interpret_as_fw1_monitor) {
|
2004-11-24 06:04:43 +00:00
|
|
|
if ((dst_addr[0] == 'i') || (dst_addr[0] == 'I') ||
|
|
|
|
(dst_addr[0] == 'o') || (dst_addr[0] == 'O')) {
|
2005-04-11 08:43:51 +00:00
|
|
|
call_dissector(fw1_handle, tvb, pinfo, parent_tree);
|
2004-11-24 06:04:43 +00:00
|
|
|
goto end_of_eth;
|
|
|
|
}
|
2002-08-08 09:28:11 +00:00
|
|
|
}
|
|
|
|
|
2001-12-10 00:26:21 +00:00
|
|
|
if (check_col(pinfo->cinfo, COL_INFO))
|
|
|
|
col_set_str(pinfo->cinfo, COL_INFO, "Ethernet II");
|
2005-04-11 08:43:51 +00:00
|
|
|
if (parent_tree) {
|
|
|
|
ti = proto_tree_add_protocol_format(parent_tree, proto_eth, tvb, 0, ETH_HEADER_SIZE,
|
2005-06-02 00:28:38 +00:00
|
|
|
"Ethernet II, Src: %s (%s), Dst: %s (%s)",
|
|
|
|
get_ether_name(src_addr), ether_to_str(src_addr), get_ether_name(dst_addr), ether_to_str(dst_addr));
|
1999-07-07 22:52:57 +00:00
|
|
|
|
2001-01-18 07:44:41 +00:00
|
|
|
fh_tree = proto_item_add_subtree(ti, ett_ether2);
|
2003-08-23 09:09:35 +00:00
|
|
|
}
|
1999-07-07 22:52:57 +00:00
|
|
|
|
2003-08-23 09:09:35 +00:00
|
|
|
proto_tree_add_ether(fh_tree, hf_eth_dst, tvb, 0, 6, dst_addr);
|
|
|
|
proto_tree_add_ether(fh_tree, hf_eth_src, tvb, 6, 6, src_addr);
|
2000-03-20 21:21:33 +00:00
|
|
|
/* add items for eth.addr filter */
|
2003-08-23 09:09:35 +00:00
|
|
|
proto_tree_add_ether_hidden(fh_tree, hf_eth_addr, tvb, 0, 6, dst_addr);
|
|
|
|
proto_tree_add_ether_hidden(fh_tree, hf_eth_addr, tvb, 6, 6, src_addr);
|
1998-09-16 02:39:15 +00:00
|
|
|
|
2005-04-11 08:43:51 +00:00
|
|
|
ethertype(ehdr->type, tvb, ETH_HEADER_SIZE, pinfo, parent_tree, fh_tree, hf_eth_type,
|
2003-10-01 07:11:49 +00:00
|
|
|
hf_eth_trailer, fcs_len);
|
1998-09-16 02:39:15 +00:00
|
|
|
}
|
2003-01-22 01:18:03 +00:00
|
|
|
|
|
|
|
end_of_eth:
|
2003-08-23 09:09:35 +00:00
|
|
|
tap_queue_packet(eth_tap, pinfo, ehdr);
|
2003-01-22 01:18:03 +00:00
|
|
|
return;
|
1998-09-16 02:39:15 +00:00
|
|
|
}
|
|
|
|
|
2003-08-21 21:05:30 +00:00
|
|
|
/*
|
|
|
|
* Add an Ethernet trailer - which, for some captures, might be the FCS
|
|
|
|
* rather than a pad-to-60-bytes trailer.
|
2003-10-01 07:11:49 +00:00
|
|
|
*
|
|
|
|
* If fcs_len is 0, we assume the frame has no FCS; if it's 4, we assume
|
|
|
|
* it has an FCS; if it's anything else (such as -1, which means "maybe
|
|
|
|
* it does, maybe it doesn't"), we try to infer whether it has an FCS.
|
2003-08-21 21:05:30 +00:00
|
|
|
*/
|
|
|
|
void
|
|
|
|
add_ethernet_trailer(proto_tree *fh_tree, int trailer_id, tvbuff_t *tvb,
|
2003-10-01 07:11:49 +00:00
|
|
|
tvbuff_t *trailer_tvb, int fcs_len)
|
2003-08-21 21:05:30 +00:00
|
|
|
{
|
|
|
|
/* If there're some bytes left over, show those bytes as a trailer.
|
|
|
|
|
|
|
|
However, if the Ethernet frame was claimed to have had 64 or more
|
|
|
|
bytes - i.e., it was at least an FCS worth of data longer than
|
|
|
|
the minimum payload size - assume the last 4 bytes of the trailer
|
|
|
|
are an FCS. */
|
|
|
|
if (trailer_tvb && fh_tree) {
|
2003-08-26 04:34:26 +00:00
|
|
|
guint trailer_length, trailer_reported_length;
|
2003-08-21 21:05:30 +00:00
|
|
|
gboolean has_fcs = FALSE;
|
|
|
|
|
|
|
|
trailer_length = tvb_length(trailer_tvb);
|
2003-08-26 04:34:26 +00:00
|
|
|
trailer_reported_length = tvb_reported_length(trailer_tvb);
|
2003-10-01 07:11:49 +00:00
|
|
|
if (fcs_len != 0) {
|
|
|
|
/* If fcs_len is 4, we assume we definitely have an FCS.
|
|
|
|
Otherwise, then, if the frame is big enough that, if we
|
|
|
|
have a trailer, it probably inclues an FCS, and we have
|
|
|
|
enough space in the trailer for the FCS, we assume we
|
|
|
|
have an FCS.
|
|
|
|
|
|
|
|
"Big enough" means 64 bytes or more; any frame that big
|
|
|
|
needs no trailer, as there's no need to pad an Ethernet
|
2003-08-26 04:34:26 +00:00
|
|
|
packet past 60 bytes.
|
|
|
|
|
2003-10-01 07:11:49 +00:00
|
|
|
The trailer must be at least 4 bytes long to have enough
|
|
|
|
space for an FCS. */
|
|
|
|
|
|
|
|
if (fcs_len == 4 || (tvb_reported_length(tvb) >= 64 &&
|
|
|
|
trailer_reported_length >= 4)) {
|
|
|
|
/* Either we know we have an FCS, or we believe we have an FCS. */
|
2003-08-26 04:34:26 +00:00
|
|
|
if (trailer_length < trailer_reported_length) {
|
|
|
|
/* The packet is claimed to have enough data for a 4-byte FCS,
|
|
|
|
but we didn't capture all of the packet.
|
|
|
|
Slice off the 4-byte FCS from the reported length, and
|
|
|
|
trim the captured length so it's no more than the reported
|
|
|
|
length; that will slice off what of the FCS, if any, is
|
|
|
|
in the captured packet. */
|
|
|
|
trailer_reported_length -= 4;
|
|
|
|
if (trailer_length > trailer_reported_length)
|
|
|
|
trailer_length = trailer_reported_length;
|
|
|
|
has_fcs = TRUE;
|
|
|
|
} else {
|
|
|
|
/* We captured all of the packet, including what appears to
|
|
|
|
be a 4-byte FCS. Slice it off. */
|
|
|
|
trailer_length -= 4;
|
|
|
|
trailer_reported_length -= 4;
|
|
|
|
has_fcs = TRUE;
|
|
|
|
}
|
|
|
|
}
|
2003-08-21 21:05:30 +00:00
|
|
|
}
|
|
|
|
if (trailer_length != 0) {
|
2005-04-17 05:14:44 +00:00
|
|
|
tvb_ensure_bytes_exist(tvb, 0, trailer_length);
|
2003-08-21 21:05:30 +00:00
|
|
|
proto_tree_add_item(fh_tree, trailer_id, trailer_tvb, 0,
|
|
|
|
trailer_length, FALSE);
|
|
|
|
}
|
|
|
|
if (has_fcs) {
|
2003-08-26 05:09:56 +00:00
|
|
|
guint32 sent_fcs = tvb_get_ntohl(trailer_tvb, trailer_length);
|
2004-06-26 09:48:12 +00:00
|
|
|
guint32 fcs = crc32_802_tvb(tvb, tvb_length(tvb) - 4);
|
2003-08-26 05:09:56 +00:00
|
|
|
if (fcs == sent_fcs) {
|
|
|
|
proto_tree_add_text(fh_tree, trailer_tvb, trailer_length, 4,
|
2005-07-08 22:11:13 +00:00
|
|
|
"Frame check sequence: 0x%08x [correct]",
|
2003-08-26 05:09:56 +00:00
|
|
|
sent_fcs);
|
|
|
|
} else {
|
|
|
|
proto_tree_add_text(fh_tree, trailer_tvb, trailer_length, 4,
|
2005-07-08 22:11:13 +00:00
|
|
|
"Frame check sequence: 0x%08x [incorrect, should be 0x%08x]",
|
2003-08-26 05:09:56 +00:00
|
|
|
sent_fcs, fcs);
|
|
|
|
}
|
2003-08-21 21:05:30 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2003-10-01 07:11:49 +00:00
|
|
|
/* Called for the Ethernet Wiretap encapsulation type; pass the FCS length
|
|
|
|
reported to us. */
|
|
|
|
static void
|
|
|
|
dissect_eth_maybefcs(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
|
|
|
|
{
|
|
|
|
dissect_eth_common(tvb, pinfo, tree, pinfo->pseudo_header->eth.fcs_len);
|
|
|
|
}
|
|
|
|
|
2004-11-24 09:13:52 +00:00
|
|
|
/* Called by other dissectors This one's for encapsulated Ethernet
|
|
|
|
packets that don't include an FCS. */
|
2003-10-01 07:11:49 +00:00
|
|
|
static void
|
2004-11-24 09:13:52 +00:00
|
|
|
dissect_eth_withoutfcs(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
|
2003-10-01 07:11:49 +00:00
|
|
|
{
|
|
|
|
dissect_eth_common(tvb, pinfo, tree, 0);
|
|
|
|
}
|
|
|
|
|
2004-11-24 09:13:52 +00:00
|
|
|
/* ...and this one's for encapsulated packets that do. */
|
|
|
|
static void
|
|
|
|
dissect_eth_withfcs(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
|
|
|
|
{
|
|
|
|
dissect_eth_common(tvb, pinfo, tree, 4);
|
|
|
|
}
|
|
|
|
|
1999-07-07 22:52:57 +00:00
|
|
|
void
|
|
|
|
proto_register_eth(void)
|
|
|
|
{
|
1999-07-15 15:33:52 +00:00
|
|
|
static hf_register_info hf[] = {
|
|
|
|
|
|
|
|
{ &hf_eth_dst,
|
1999-10-12 06:21:15 +00:00
|
|
|
{ "Destination", "eth.dst", FT_ETHER, BASE_NONE, NULL, 0x0,
|
2001-06-18 02:18:27 +00:00
|
|
|
"Destination Hardware Address", HFILL }},
|
1999-07-15 15:33:52 +00:00
|
|
|
|
|
|
|
{ &hf_eth_src,
|
1999-10-12 06:21:15 +00:00
|
|
|
{ "Source", "eth.src", FT_ETHER, BASE_NONE, NULL, 0x0,
|
2001-06-18 02:18:27 +00:00
|
|
|
"Source Hardware Address", HFILL }},
|
1999-07-15 15:33:52 +00:00
|
|
|
|
|
|
|
{ &hf_eth_len,
|
1999-10-12 06:21:15 +00:00
|
|
|
{ "Length", "eth.len", FT_UINT16, BASE_DEC, NULL, 0x0,
|
2001-06-18 02:18:27 +00:00
|
|
|
"", HFILL }},
|
1999-07-15 15:33:52 +00:00
|
|
|
|
|
|
|
/* registered here but handled in ethertype.c */
|
|
|
|
{ &hf_eth_type,
|
1999-10-12 06:21:15 +00:00
|
|
|
{ "Type", "eth.type", FT_UINT16, BASE_HEX, VALS(etype_vals), 0x0,
|
2001-06-18 02:18:27 +00:00
|
|
|
"", HFILL }},
|
2000-03-20 21:21:33 +00:00
|
|
|
{ &hf_eth_addr,
|
|
|
|
{ "Source or Destination Address", "eth.addr", FT_ETHER, BASE_NONE, NULL, 0x0,
|
2001-06-18 02:18:27 +00:00
|
|
|
"Source or Destination Hardware Address", HFILL }},
|
2000-05-17 03:05:39 +00:00
|
|
|
|
|
|
|
{ &hf_eth_trailer,
|
|
|
|
{ "Trailer", "eth.trailer", FT_BYTES, BASE_NONE, NULL, 0x0,
|
2001-06-18 02:18:27 +00:00
|
|
|
"Ethernet Trailer or Checksum", HFILL }},
|
2000-03-20 21:21:33 +00:00
|
|
|
|
1999-07-08 03:18:20 +00:00
|
|
|
};
|
1999-11-16 11:44:20 +00:00
|
|
|
static gint *ett[] = {
|
|
|
|
&ett_ieee8023,
|
|
|
|
&ett_ether2,
|
|
|
|
};
|
2002-08-08 09:28:11 +00:00
|
|
|
module_t *eth_module;
|
1999-07-08 03:18:20 +00:00
|
|
|
|
2001-01-03 06:56:03 +00:00
|
|
|
proto_eth = proto_register_protocol("Ethernet", "Ethernet", "eth");
|
1999-07-08 03:18:20 +00:00
|
|
|
proto_register_field_array(proto_eth, hf, array_length(hf));
|
1999-11-16 11:44:20 +00:00
|
|
|
proto_register_subtree_array(ett, array_length(ett));
|
2000-11-19 02:00:03 +00:00
|
|
|
|
2004-02-03 23:19:54 +00:00
|
|
|
/* subdissector code */
|
|
|
|
register_heur_dissector_list("eth", &heur_subdissector_list);
|
|
|
|
|
2002-08-08 09:28:11 +00:00
|
|
|
/* Register configuration preferences */
|
|
|
|
eth_module = prefs_register_protocol(proto_eth, NULL);
|
|
|
|
prefs_register_bool_preference(eth_module, "interpret_as_fw1_monitor",
|
2004-11-24 06:04:43 +00:00
|
|
|
"Attempt to interpret as FireWall-1 monitor file",
|
|
|
|
"Whether packets should be interpreted as coming from CheckPoint FireWall-1 monitor file if they look as if they do",
|
2002-08-08 09:28:11 +00:00
|
|
|
ð_interpret_as_fw1_monitor);
|
|
|
|
|
2004-11-24 09:13:52 +00:00
|
|
|
register_dissector("eth_withoutfcs", dissect_eth_withoutfcs, proto_eth);
|
|
|
|
register_dissector("eth_withfcs", dissect_eth_withfcs, proto_eth);
|
2003-01-22 01:18:03 +00:00
|
|
|
eth_tap = register_tap("eth");
|
1999-07-07 22:52:57 +00:00
|
|
|
}
|
2000-11-29 05:16:15 +00:00
|
|
|
|
|
|
|
void
|
|
|
|
proto_reg_handoff_eth(void)
|
|
|
|
{
|
2004-11-24 09:13:52 +00:00
|
|
|
dissector_handle_t eth_maybefcs_handle, eth_withoutfcs_handle;
|
2001-12-03 04:00:26 +00:00
|
|
|
|
Tvbuffify the CDP, CGMP, ISL, and VTP dissectors.
Add a new subdissector table in the LLC dissector for protocol IDs with
a Cisco OUI, and register the CDP, CGMP, and VTMP dissectors in that
table, rather than calling them via a switch statement.
Register the ISL dissector by name, and have the Ethernet dissector call
it via a handle.
Fix the handling of the checksum field in the CDP dissector.
The strings in CDP are counted, not null-terminated; treat them as such.
Fix the handling of the encapsulated frame CRC, and the encapsulated
frame, in the ISL dissector, at least for Ethernet frames; it may not be
correct for encapsulated Token Ring frames.
svn path=/trunk/; revision=2792
2000-12-28 09:49:09 +00:00
|
|
|
/*
|
2004-11-24 09:13:52 +00:00
|
|
|
* Get a handle for the Firewall-1 dissector.
|
Tvbuffify the CDP, CGMP, ISL, and VTP dissectors.
Add a new subdissector table in the LLC dissector for protocol IDs with
a Cisco OUI, and register the CDP, CGMP, and VTMP dissectors in that
table, rather than calling them via a switch statement.
Register the ISL dissector by name, and have the Ethernet dissector call
it via a handle.
Fix the handling of the checksum field in the CDP dissector.
The strings in CDP are counted, not null-terminated; treat them as such.
Fix the handling of the encapsulated frame CRC, and the encapsulated
frame, in the ISL dissector, at least for Ethernet frames; it may not be
correct for encapsulated Token Ring frames.
svn path=/trunk/; revision=2792
2000-12-28 09:49:09 +00:00
|
|
|
*/
|
2002-08-08 09:28:11 +00:00
|
|
|
fw1_handle = find_dissector("fw1");
|
Tvbuffify the CDP, CGMP, ISL, and VTP dissectors.
Add a new subdissector table in the LLC dissector for protocol IDs with
a Cisco OUI, and register the CDP, CGMP, and VTMP dissectors in that
table, rather than calling them via a switch statement.
Register the ISL dissector by name, and have the Ethernet dissector call
it via a handle.
Fix the handling of the checksum field in the CDP dissector.
The strings in CDP are counted, not null-terminated; treat them as such.
Fix the handling of the encapsulated frame CRC, and the encapsulated
frame, in the ISL dissector, at least for Ethernet frames; it may not be
correct for encapsulated Token Ring frames.
svn path=/trunk/; revision=2792
2000-12-28 09:49:09 +00:00
|
|
|
|
2003-10-01 07:11:49 +00:00
|
|
|
eth_maybefcs_handle = create_dissector_handle(dissect_eth_maybefcs,
|
|
|
|
proto_eth);
|
|
|
|
dissector_add("wtap_encap", WTAP_ENCAP_ETHERNET, eth_maybefcs_handle);
|
|
|
|
|
2004-11-24 09:13:52 +00:00
|
|
|
eth_withoutfcs_handle = find_dissector("eth_withoutfcs");
|
|
|
|
dissector_add("ethertype", ETHERTYPE_ETHBRIDGE, eth_withoutfcs_handle);
|
|
|
|
dissector_add("chdlctype", ETHERTYPE_ETHBRIDGE, eth_withoutfcs_handle);
|
|
|
|
dissector_add("gre.proto", ETHERTYPE_ETHBRIDGE, eth_withoutfcs_handle);
|
2000-11-29 05:16:15 +00:00
|
|
|
}
|