osmocom
/
wireshark
14
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity

Don't interpret NET_HDLC as LAPB/X.25 - sometimes it's some other 

HDLC-flavored encapsulation (or, at least, it was in at least one
capture).  Instead, treat it as WTAP_ENCAP_PER_PACKET, and infer the
packet type, as we do for NET_ROUTER.

For NET_ROUTER captures, if the ISDN channel number is zero, infer the
packet type from the contents, rather than wiring it to PPP - it might
be, for example, Cisco or Wellfleet HDLC.

Fix the check for Cisco HDLC to look for 0x0F 0x00 and 0x8F 0x00, as
0x0F, not 0x08, is the unicast address in Cisco HDLC.

When fixing the pseudo-header, fix it for WTAP_ENCAP_WFLEET_HDLC,
WTAP_ENCAP_CHDLC, and WTAP_ENCAP_PPP_WITH_PHDR, as well as for
WTAP_ENCAP_ISDN, as the three ones listed don't use x25.flags, they use
p2p.sent.

svn path=/trunk/; revision=6850
This commit is contained in:
Guy Harris 2003-01-06 00:03:43 +00:00
parent f7501c1331
commit 705bf9a6cb
1 changed files with 34 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

56
wiretap/ngsniffer.c
View File

@ -1,6 +1,6 @@
/* ngsniffer.c /* ngsniffer.c
* *
* $Id: ngsniffer.c,v 1.99 2003/01/03 22:31:26 guy Exp $ * $Id: ngsniffer.c,v 1.100 2003/01/06 00:03:43 guy Exp $
* *
* Wiretap Library * Wiretap Library
* Copyright (c) 1998 by Gilbert Ramirez <gram@alumni.rice.edu> * Copyright (c) 1998 by Gilbert Ramirez <gram@alumni.rice.edu>
@ -766,12 +766,17 @@ process_rec_header2_v45(wtap *wth, unsigned char *buffer, guint16 length,
* at the traffic; it's not clear whether it stores in the file * at the traffic; it's not clear whether it stores in the file
* an indication of the protocol it inferred was being used. * an indication of the protocol it inferred was being used.
* *
* For now, we interpret NET_HDLC as X.25 (LAPB) and NET_ROUTER * Unfortunately, it also appears that NET_HDLC is used for
* as "per-packet encapsulation". We remember that we saw * stuff other than X.25 as well, so we can't just interpret
* NET_ROUTER, though, as it appears that we can infer whether * it unconditionally as X.25.
* a packet is PPP or ISDN based on the channel number subfield *
* of the frame error status bits - if it's 0, it's PPP, otherwise * For now, we interpret both NET_HDLC and NET_ROUTER as "per-packet
* it's ISDN and the channel number indicates which channel it is. * encapsulation". We remember that we saw NET_ROUTER, though,
* as it appears that we can infer whether a packet is PPP or
* ISDN based on the channel number subfield of the frame error
* status bits - if it's 0, it's PPP, otherwise it's ISDN and
* the channel number indicates which channel it is. We assume
* NET_HDLC isn't used for ISDN.
*/ */
switch (buffer[4]) { switch (buffer[4]) {
@ -780,7 +785,7 @@ process_rec_header2_v45(wtap *wth, unsigned char *buffer, guint16 length,
break; break;
case NET_HDLC: case NET_HDLC:
wth->file_encap = WTAP_ENCAP_LAPB; wth->file_encap = WTAP_ENCAP_PER_PACKET;
break; break;
case NET_FRAME_RELAY: case NET_FRAME_RELAY:
@ -1196,19 +1201,17 @@ static int set_pseudo_header_frame2(wtap *wth,
* correlation with anything. See previous comment * correlation with anything. See previous comment
* about display filters. * about display filters.
* *
* In some PPP and ISDN captures, with subtype NET_ROUTER, * In some NET_ROUTER captures, the 0x18 bits in "frame2.fs" are
* the 0x18 bits in "frame2.fs" are 0 for frames in a PPP * 0 for frames in a non-ISDN capture and non-zero for frames in
* capture and non-zero for frames in an ISDN capture, specifying * an ISDN capture, specifying the channel number in the fashion
* the channel number in the fashion described in the Sniffer * described in the Sniffer manual, so we use that to distinguish
* manual. * between ISDN frames and non-ISDN frames.
*/ */
if (wth->file_encap == WTAP_ENCAP_PER_PACKET && if (wth->file_encap == WTAP_ENCAP_PER_PACKET &&
wth->capture.ngsniffer->is_router) { wth->capture.ngsniffer->is_router &&
if ((frame2->fs & 0x18) == 0) (frame2->fs & 0x18) != 0)
pkt_encap = WTAP_ENCAP_PPP_WITH_PHDR; pkt_encap = WTAP_ENCAP_ISDN;
else else
pkt_encap = WTAP_ENCAP_ISDN;
} else
pkt_encap = wth->file_encap; pkt_encap = wth->file_encap;
switch (pkt_encap) { switch (pkt_encap) {
@ -1581,8 +1584,8 @@ static int infer_pkt_encap(const guint8 *pd, int len)
/* /*
* Frame Relay. * Frame Relay.
* *
* XXX - in version 4 captures, wouldn't this just have * XXX - in version 4 and 5 captures, wouldn't this just
* a capture subtype of NET_FRAME_RELAY? Or is this * have a capture subtype of NET_FRAME_RELAY? Or is this
* here only to handle other versions of the capture * here only to handle other versions of the capture
* file, where we might just not yet have found where * file, where we might just not yet have found where
* the subtype is specified in the capture? * the subtype is specified in the capture?
@ -1596,7 +1599,7 @@ static int infer_pkt_encap(const guint8 *pd, int len)
* Wellfleet HDLC. * Wellfleet HDLC.
*/ */
return WTAP_ENCAP_WFLEET_HDLC; return WTAP_ENCAP_WFLEET_HDLC;
} else if ((pd[0] == 0x08 && pd[1] == 0x00) || } else if ((pd[0] == 0x0F && pd[1] == 0x00) ||
(pd[0] == 0x8F && pd[1] == 0x00)) { (pd[0] == 0x8F && pd[1] == 0x00)) {
/* /*
* Cisco HDLC. * Cisco HDLC.
@ -1634,6 +1637,15 @@ static void fix_pseudo_header(int encap,
{ {
switch (encap) { switch (encap) {
case WTAP_ENCAP_WFLEET_HDLC:
case WTAP_ENCAP_CHDLC:
case WTAP_ENCAP_PPP_WITH_PHDR:
if (pseudo_header->x25.flags == 0)
pseudo_header->p2p.sent = TRUE;
else
pseudo_header->p2p.sent = FALSE;
break;
case WTAP_ENCAP_ISDN: case WTAP_ENCAP_ISDN:
if (pseudo_header->x25.flags == 0x00) if (pseudo_header->x25.flags == 0x00)
pseudo_header->isdn.uton = FALSE; pseudo_header->isdn.uton = FALSE;