/* packet-bgp.c * Routines for BGP packet dissection. * Copyright 1999, Jun-ichiro itojun Hagino * * $Id: packet-bgp.c,v 1.9 1999/11/11 21:08:51 itojun Exp $ * * Supports: * RFC1771 A Border Gateway Protocol 4 (BGP-4) * RFC2283 Multiprotocol Extensions for BGP-4 * * TODO: * RFC1863 A BGP/IDRP Route Server alternative to a full mesh routing * RFC1965 Autonomous System Confederations for BGP * RFC1997 BGP Communities Attribute * RFC1998 An Application of the BGP Community Attribute in Multi-home Routing * Destination Preference Attribute for BGP (work in progress) * * Ethereal - Network traffic analyzer * By Gerald Combs * Copyright 1998 Gerald Combs * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License * as published by the Free Software Foundation; either version 2 * of the License, or (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ #ifdef HAVE_CONFIG_H # include "config.h" #endif #include #include #ifdef HAVE_SYS_TYPES_H # include #endif #ifdef HAVE_NETINET_IN_H # include #endif #ifdef NEED_SNPRINTF_H # ifdef HAVE_STDARG_H # include # else # include # endif # include "snprintf.h" #endif #include #include #include "packet.h" #include "packet-bgp.h" #include "packet-ipv6.h" #include static const value_string bgptypevals[] = { { BGP_OPEN, "OPEN Message" }, { BGP_UPDATE, "UPDATE Message" }, { BGP_NOTIFICATION, "NOTIFICATION Message" }, { BGP_KEEPALIVE, "KEEPALIVE Message" }, { 0, NULL }, }; static const value_string bgpnotify_major[] = { { 1, "Message Header Error" }, { 2, "OPEN Message Error" }, { 3, "UPDATE Message Error" }, { 4, "Hold Timer Expired" }, { 5, "Finite State Machine Error" }, { 6, "Cease" }, { 0, NULL }, }; static const value_string bgpnotify_minor_1[] = { { 1, "Connection Not Synchronized" }, { 2, "Bad Message Length" }, { 3, "Bad Message Type" }, { 0, NULL }, }; static const value_string bgpnotify_minor_2[] = { { 1, "Unsupported Version Number" }, { 2, "Bad Peer AS" }, { 3, "Bad BGP Identifier" }, { 4, "Unsupported Optional Parameter" }, { 5, "Authentication Failure" }, { 6, "Unacceptable Hold Time" }, { 0, NULL }, }; static const value_string bgpnotify_minor_3[] = { { 1, "Malformed Attribute List" }, { 2, "Unrecognized Well-known Attribute" }, { 3, "Missing Well-known Attribute" }, { 4, "Attribute Flags Error" }, { 5, "Attribute Length Error" }, { 6, "Invalid ORIGIN Attribute" }, { 7, "AS Routing Loop" }, { 8, "Invalid NEXT_HOP Attribute" }, { 9, "Optional Attribute Error" }, { 10, "Invalid Network Field" }, { 11, "Malformed AS_PATH" }, { 0, NULL }, }; static const value_string *bgpnotify_minor[] = { NULL, bgpnotify_minor_1, bgpnotify_minor_2, bgpnotify_minor_3, }; static const value_string bgpattr_flags[] = { { 0x80, "Optional" }, { 0x40, "Transitive" }, { 0x20, "Partial" }, { 0x10, "Extended length" }, { 0, NULL }, }; static const value_string bgpattr_origin[] = { { 0, "IGP" }, { 1, "EGP" }, { 2, "INCOMPLETE" }, { 0, NULL }, }; static const value_string bgpattr_type[] = { { BGPTYPE_ORIGIN, "ORIGIN" }, { BGPTYPE_AS_PATH, "AS_PATH" }, { BGPTYPE_NEXT_HOP, "NEXT_HOP" }, { BGPTYPE_MULTI_EXIT_DISC, "MULTI_EXIT_DISC" }, { BGPTYPE_LOCAL_PREF, "LOCAL_PREF" }, { BGPTYPE_ATOMIC_AGGREGATE, "ATOMIC_AGGREGATE" }, { BGPTYPE_AGGREGATOR, "AGGREGATOR" }, { BGPTYPE_MP_REACH_NLRI, "MP_REACH_NLRI" }, { BGPTYPE_MP_UNREACH_NLRI, "MP_UNREACH_NLRI" }, { 0, NULL }, }; /* Subsequent address family identifier, RFC2283 section 7 */ static const value_string bgpattr_nlri_safi[] = { { 0, "Reserved" }, { 1, "Unicast" }, { 2, "Multicast" }, { 3, "Unicast+Multicast" }, { 0, NULL }, }; static const value_string afnumber[] = { { 0, "Reserved" }, { AFNUM_INET, "IPv4" }, { AFNUM_INET6, "IPv6" }, { AFNUM_NSAP, "NSAP" }, { AFNUM_HDLC, "HDLC" }, { AFNUM_BBN1822, "BBN 1822" }, { AFNUM_802, "802" }, { AFNUM_E163, "E.163" }, { AFNUM_E164, "E.164" }, { AFNUM_F69, "F.69" }, { AFNUM_X121, "X.121" }, { AFNUM_IPX, "IPX" }, { AFNUM_ATALK, "Appletalk" }, { AFNUM_DECNET, "Decnet IV" }, { AFNUM_BANYAN, "Banyan Vines" }, { AFNUM_E164NSAP, "E.164 with NSAP subaddress" }, { 65535, "Reserved" }, { 0, NULL }, }; static int proto_bgp = -1; /* * Decode an IPv4 prefix. */ static int decode_prefix4(const u_char *pd, char *buf, int buflen) { guint8 addr[4]; int plen; plen = pd[0]; if (plen < 0 || 32 < plen) return -1; memset(addr, 0, sizeof(addr)); memcpy(addr, &pd[1], (plen + 7) / 8); if (plen % 8) addr[(plen + 7) / 8 - 1] &= ((0xff00 >> (plen % 8)) & 0xff); snprintf(buf, buflen, "%s/%d", ip_to_str(addr), plen); return 1 + (plen + 7) / 8; } /* * Decode an IPv6 prefix. */ static int decode_prefix6(const u_char *pd, char *buf, int buflen) { struct e_in6_addr addr; int plen; plen = pd[0]; if (plen < 0 || 128 < plen) return -1; memset(&addr, 0, sizeof(addr)); memcpy(&addr, &pd[1], (plen + 7) / 8); if (plen % 8) addr.s6_addr[(plen + 7) / 8 - 1] &= ((0xff00 >> (plen % 8)) & 0xff); snprintf(buf, buflen, "%s/%d", ip6_to_str(&addr), plen); return 1 + (plen + 7) / 8; } /* * Dissect a BGP OPEN message. */ static void dissect_bgp_open(const u_char *pd, int offset, frame_data *fd, proto_tree *tree) { struct bgp_open bgpo; /* BGP OPEN message */ int hlen; /* message length */ /* snarf OPEN message */ memcpy(&bgpo, &pd[offset], sizeof(bgpo)); hlen = ntohs(bgpo.bgpo_len); proto_tree_add_text(tree, offset + offsetof(struct bgp_open, bgpo_version), 1, "Version: %u", bgpo.bgpo_version); proto_tree_add_text(tree, offset + offsetof(struct bgp_open, bgpo_myas), 2, "My AS: %u", ntohs(bgpo.bgpo_myas)); proto_tree_add_text(tree, offset + offsetof(struct bgp_open, bgpo_holdtime), 2, "Hold Time: %u", ntohs(bgpo.bgpo_holdtime)); proto_tree_add_text(tree, offset + offsetof(struct bgp_open, bgpo_id), 4, "BGP Identifier: %s", ip_to_str((guint8 *)&bgpo.bgpo_id)); proto_tree_add_text(tree, offset + offsetof(struct bgp_open, bgpo_optlen), 1, "Optional Parameters Length: %u %s", bgpo.bgpo_optlen, (bgpo.bgpo_optlen == 1) ? "byte" : "bytes"); if (hlen > sizeof(struct bgp_open)) { proto_tree_add_text(tree, offset + sizeof(struct bgp_open), hlen - sizeof(struct bgp_open), "Optional Parameters"); } } /* * Dissect a BGP UPDATE message. */ static void dissect_bgp_update(const u_char *pd, int offset, frame_data *fd, proto_tree *tree) { struct bgp bgp; struct bgp_attr bgpa; int hlen; const u_char *p; const u_char *q; const u_char *end; int len; proto_item *ti; proto_tree *subtree; proto_tree *subtree2; proto_tree *subtree3; int i; int j; guint8 length; guint8 type; struct in_addr prefix; char *as_path_str = NULL; char junk_buf[10]; /* snarf UPDATE message */ memcpy(&bgp, &pd[offset], sizeof(bgp)); hlen = ntohs(bgp.bgp_len); p = &pd[offset + BGP_HEADER_SIZE]; /*XXX*/ /* check for withdrawals */ len = ntohs(*(guint16 *)p); proto_tree_add_text(tree, p - pd, 2, "Unfeasible routes length: %u %s", len, (len == 1) ? "byte" : "bytes"); if (len > 0) { ti = proto_tree_add_text(tree, p - pd, len, "Withdrawn routes:"); /* TODO: unfeasible */ subtree = proto_item_add_subtree(ti, ETT_BGP_UNFEAS); } p += 2 + len; /* check for advertisements */ len = ntohs(*(guint16 *)p); proto_tree_add_text(tree, p - pd, 2, "Total path attribute length: %u %s", len, (len == 1) ? "byte" : "bytes"); /* path attributes */ /* --- move --- */ if (len > 0) { ti = proto_tree_add_text(tree, p - pd + 2, len, "Path attributes"); subtree = proto_item_add_subtree(ti, ETT_BGP_ATTRS); i = 2; while (i < len) { int alen, aoff; char *msg; guint16 af; int off, snpa; memcpy(&bgpa, &p[i], sizeof(bgpa)); if (bgpa.bgpa_flags & BGP_ATTR_FLAG_EXTENDED_LENGTH) { alen = ntohs(*(guint16 *)&p[i + sizeof(bgpa)]); aoff = sizeof(bgpa) + 2; } else { alen = p[i + sizeof(bgpa)]; aoff = sizeof(bgpa) + 1; } /* * This is kind of ugly - similar code appears twice, * but it helps browsing attrs. */ switch (bgpa.bgpa_type) { case BGPTYPE_ORIGIN: if (alen != 1) goto default_attribute_top; msg = val_to_str(p[i + aoff], bgpattr_origin, "Unknown"); ti = proto_tree_add_text(subtree, p - pd + i, alen + aoff, "%s: %s (%u %s)", val_to_str(bgpa.bgpa_type, bgpattr_type, "Unknown"), msg, alen + aoff, (alen + aoff == 1) ? "byte" : "bytes"); break; case BGPTYPE_AS_PATH: /* (p + i + 3) = (p + current attribute + 3 bytes to first tuple) */ end = p + alen + i + 3; q = p + i + 3; /* must be freed by second case */ /* "alen * 6" (5 digits + space) should be a good estimate of how long the AS path string could be */ as_path_str = malloc(alen * 6); memset(as_path_str, '\0', alen * 6); if (as_path_str == NULL) break; /* snarf each AS path */ while (q < end) { type = *q++; if (type == AS_SET) { sprintf(as_path_str, "{"); } length = *q++; /* snarf each value in path */ for (j = 0; j < length; j++) { sprintf(junk_buf, "%u%c", pntohs(q), (type == AS_SET) ? ',' : ' '); strcat(as_path_str, junk_buf); q += 2; } /* cleanup end of string */ if (type == AS_SET) { as_path_str[strlen(as_path_str) - 1] = '}'; as_path_str[strlen(as_path_str) + 1] = '\0'; } else { as_path_str[strlen(as_path_str) - 1] = '\0'; } } if (as_path_str[0] == '\0') goto default_attribute_top; ti = proto_tree_add_text(subtree, p - pd + i, alen + aoff, "%s: %s (%u %s)", val_to_str(bgpa.bgpa_type, bgpattr_type, "Unknown"), as_path_str, alen + aoff, (alen + aoff == 1) ? "byte" : "bytes"); break; case BGPTYPE_NEXT_HOP: if (alen != 4) goto default_attribute_top; ti = proto_tree_add_text(subtree, p - pd + i, alen + aoff, "%s: %s (%u %s)", val_to_str(bgpa.bgpa_type, bgpattr_type, "Unknown"), ip_to_str(&p[i + aoff]), alen + aoff, (alen + aoff == 1) ? "byte" : "bytes"); break; case BGPTYPE_MULTI_EXIT_DISC: if (alen != 4) goto default_attribute_top; ti = proto_tree_add_text(subtree, p - pd + i, alen + aoff, "%s: %u (%u %s)", val_to_str(bgpa.bgpa_type, bgpattr_type, "Unknown"), ntohl(*(guint32 *)&p[i + aoff]), alen + aoff, (alen + aoff == 1) ? "byte" : "bytes"); break; case BGPTYPE_LOCAL_PREF: if (alen != 4) goto default_attribute_top; ti = proto_tree_add_text(subtree, p - pd + i, alen + aoff, "%s: %u (%u %s)", val_to_str(bgpa.bgpa_type, bgpattr_type, "Unknown"), ntohl(*(guint32 *)&p[i + aoff]), alen + aoff, (alen + aoff == 1) ? "byte" : "bytes"); break; case BGPTYPE_ATOMIC_AGGREGATE: if (alen != 0) goto default_attribute_top; ti = proto_tree_add_text(subtree, p - pd + i, alen + aoff, "%s: (%u %s)", val_to_str(bgpa.bgpa_type, bgpattr_type, "Unknown"), alen + aoff, (alen + aoff == 1) ? "byte" : "bytes"); break; default: default_attribute_top: ti = proto_tree_add_text(subtree, p - pd + i, alen + aoff, "%s (%u %s)", val_to_str(bgpa.bgpa_type, bgpattr_type, "Unknown"), alen + aoff, (alen + aoff == 1) ? "byte" : "bytes"); } subtree2 = proto_item_add_subtree(ti, ETT_BGP_ATTR); /* figure out flags */ ti = proto_tree_add_text(subtree2, p - pd + i + offsetof(struct bgp_attr, bgpa_flags), 1, "Flags: 0x%02x", bgpa.bgpa_flags); subtree3 = proto_item_add_subtree(ti, ETT_BGP_ATTR_FLAGS); proto_tree_add_text(subtree3, p - pd + i + offsetof(struct bgp_attr, bgpa_flags), 1, "%s", decode_boolean_bitfield(bgpa.bgpa_flags, BGP_ATTR_FLAG_OPTIONAL, 8, "Optional", "Well-known")); proto_tree_add_text(subtree3, p - pd + i + offsetof(struct bgp_attr, bgpa_flags), 1, "%s", decode_boolean_bitfield(bgpa.bgpa_flags, BGP_ATTR_FLAG_TRANSITIVE, 8, "Transitive", "Non-transitive")); proto_tree_add_text(subtree3, p - pd + i + offsetof(struct bgp_attr, bgpa_flags), 1, "%s", decode_boolean_bitfield(bgpa.bgpa_flags, BGP_ATTR_FLAG_PARTIAL, 8, "Partial", "Complete")); proto_tree_add_text(subtree3, p - pd + i + offsetof(struct bgp_attr, bgpa_flags), 1, "%s", decode_boolean_bitfield(bgpa.bgpa_flags, BGP_ATTR_FLAG_EXTENDED_LENGTH, 8, "Extended length", "Regular length")); proto_tree_add_text(subtree2, p - pd + i + offsetof(struct bgp_attr, bgpa_type), 1, "Type code: %s (%u)", val_to_str(bgpa.bgpa_type, bgpattr_type, "Unknown"), bgpa.bgpa_type); /* check for the Extended Length bit */ if (bgpa.bgpa_flags & BGP_ATTR_FLAG_EXTENDED_LENGTH) { proto_tree_add_text(subtree2, p - pd + i + sizeof(bgpa), aoff - sizeof(bgpa), "Length: %d %s", alen, (alen == 1) ? "byte" : "bytes"); } else { proto_tree_add_text(subtree2, p - pd + i + sizeof(bgpa), aoff - sizeof(bgpa), "Length: %d %s", alen, (alen == 1) ? "byte" : "bytes"); } switch (bgpa.bgpa_type) { case BGPTYPE_ORIGIN: if (alen != 1) { proto_tree_add_text(subtree2, p - pd + i + aoff, alen, "Origin (invalid): %u %s", alen, (alen == 1) ? "byte" : "bytes"); } else { msg = val_to_str(p[i + aoff], bgpattr_origin, "Unknown"); proto_tree_add_text(subtree2, p - pd + i + aoff, 1, "Origin: %s (%u)", msg, p[i + aoff]); } break; case BGPTYPE_AS_PATH: proto_tree_add_text(subtree2, p - pd + i + aoff, alen, "AS path: %s (%u %s)", as_path_str, alen, (alen == 1) ? "byte" : "bytes"); free(as_path_str); break; case BGPTYPE_NEXT_HOP: if (alen != 4) { proto_tree_add_text(subtree2, p - pd + i + aoff, alen, "Next hop (invalid): %u %s", alen, (alen == 1) ? "byte" : "bytes"); } else { proto_tree_add_text(subtree2, p - pd + i + aoff, alen, "Next hop: %s", ip_to_str(&p[i + aoff])); } break; case BGPTYPE_MULTI_EXIT_DISC: if (alen != 4) { proto_tree_add_text(subtree2, p - pd + i + aoff, alen, "Multi exit discriminator (invalid): %u %s", alen, (alen == 1) ? "byte" : "bytes"); } else { proto_tree_add_text(subtree2, p - pd + i + aoff, alen, "Multi exit discriminator: %u", ntohl(*(guint32 *)&p[i + aoff])); } break; case BGPTYPE_LOCAL_PREF: if (alen != 4) { proto_tree_add_text(subtree2, p - pd + i + aoff, alen, "Local preference (invalid): %u %s", alen, (alen == 1) ? "byte" : "bytes"); } else { proto_tree_add_text(subtree2, p - pd + i + aoff, alen, "Local preference: %u", ntohl(*(guint32 *)&p[i + aoff])); } break; case BGPTYPE_ATOMIC_AGGREGATE: if (alen != 0) { proto_tree_add_text(subtree2, p - pd + i + aoff, alen, "Atomic aggregate (invalid): %u %s", alen, (alen == 1) ? "byte" : "bytes"); } else { proto_tree_add_text(subtree2, p - pd + i + aoff, 0, "Atomic aggregate"); } break; case BGPTYPE_AGGREGATOR: if (alen != 6) { proto_tree_add_text(subtree2, p - pd + i + aoff, alen, "Aggregator (invalid): %u %s", alen, (alen == 1) ? "byte" : "bytes"); } else { proto_tree_add_text(subtree2, p - pd + i + aoff, 2, "Aggregator AS: %u", ntohs(*(guint16 *)&p[i + aoff])); proto_tree_add_text(subtree2, p - pd + i + aoff + 2, 4, "Aggregator origin: %s", ip_to_str(&p[i + aoff + 2])); } break; case BGPTYPE_MP_REACH_NLRI: af = ntohs(*(guint16 *)&p[i + aoff]); proto_tree_add_text(subtree2, p - pd + i + aoff, 2, "Address family: %s (%u)", val_to_str(af, afnumber, "Unknown"), af); proto_tree_add_text(subtree2, p - pd + i + aoff + 2, 1, "Subsequent address family identifier: %s (%u)", val_to_str(p[i + aoff + 2], bgpattr_nlri_safi, p[i + aoff + 2] >= 128 ? "Vendor specific" : "Unknown"), p[i + aoff + 2]); ti = proto_tree_add_text(subtree2, p - pd + i + aoff + 3, 1, "Next hop network address (%d %s)", p[i + aoff + 3], (p[i + aoff + 3] == 1) ? "byte" : "bytes"); if (af == AFNUM_INET || af == AFNUM_INET6) { int j, advance; const char *s; subtree3 = proto_item_add_subtree(ti, ETT_BGP_MP_REACH_NLRI); j = 0; while (j < p[i + aoff + 3]) { if (af == AFNUM_INET) advance = 4; else if (af == AFNUM_INET6) advance = 16; else break; if (j + advance > p[i + aoff + 3]) break; if (af == AFNUM_INET) s = ip_to_str(&p[i + aoff + 4 + j]); else { s = ip6_to_str((struct e_in6_addr *) &p[i + aoff + 4 + j]); } proto_tree_add_text(subtree3, p - pd + i + aoff + 4 + j, advance, "Next hop: %s", s); j += advance; } } alen -= (p[i + aoff + 3] + 4); aoff += (p[i + aoff + 3] + 4); off = 0; snpa = p[i + aoff]; ti = proto_tree_add_text(subtree2, p - pd + i + aoff, 1, "Subnetwork points of attachment: %u", snpa); off++; if (snpa) subtree3 = proto_item_add_subtree(ti, ETT_BGP_MP_REACH_NLRI); for (/*nothing*/; snpa > 0; snpa--) { proto_tree_add_text(subtree3, p - pd + i + aoff + off, 1, "SNPA length: ", p[i + aoff + off]); off++; proto_tree_add_text(subtree3, p - pd + i + aoff + off, p[i + aoff + off - 1], "SNPA (%u %s)", p[i + aoff + off - 1], (p[i + aoff + off - 1] == 1) ? "byte" : "bytes"); off += p[i + aoff + off - 1]; } alen -= off; aoff += off; ti = proto_tree_add_text(subtree2, p - pd + i + aoff, alen, "Network Layer Reachability Information (%u %s)", alen, (alen == 1) ? "byte" : "bytes"); if (alen) subtree3 = proto_item_add_subtree(ti, ETT_BGP_MP_UNREACH_NLRI); while (alen > 0) { int advance; char buf[256]; if (af == AFNUM_INET) { advance = decode_prefix4(&p[i + aoff], buf, sizeof(buf)); } else if (af == AFNUM_INET6) { advance = decode_prefix6(&p[i + aoff], buf, sizeof(buf)); } else break; if (advance < 0) break; if (alen < advance) break; proto_tree_add_text(subtree3, p - pd + i + aoff, advance, "Network Layer Reachability Information: %s", buf); alen -= advance; aoff += advance; } break; case BGPTYPE_MP_UNREACH_NLRI: af = ntohs(*(guint16 *)&p[i + aoff]); proto_tree_add_text(subtree2, p - pd + i + aoff, 2, "Address family: %s (%u)", val_to_str(af, afnumber, "Unknown"), af); proto_tree_add_text(subtree2, p - pd + i + aoff + 2, 1, "Subsequent address family identifier: %s (%u)", val_to_str(p[i + aoff + 2], bgpattr_nlri_safi, p[i + aoff + 2] >= 128 ? "Vendor specific" : "Unknown"), p[i + aoff + 2]); ti = proto_tree_add_text(subtree2, p - pd + i + aoff + 3, alen - 3, "Withdrawn Routes (%u %s)", alen - 3, (alen - 3 == 1) ? "byte" : "bytes"); alen -= 3; aoff += 3; if (alen > 0) subtree3 = proto_item_add_subtree(ti, ETT_BGP_MP_UNREACH_NLRI); while (alen > 0) { int advance; char buf[256]; if (af == AFNUM_INET) { advance = decode_prefix4(&p[i + aoff], buf, sizeof(buf)); } else if (af == AFNUM_INET6) { advance = decode_prefix6(&p[i + aoff], buf, sizeof(buf)); } else break; if (advance < 0) break; if (alen < advance) break; proto_tree_add_text(subtree3, p - pd + i + aoff, advance, "Withdrawn route: %s", buf); alen -= advance; aoff += advance; } break; default: proto_tree_add_text(subtree2, p - pd + i + aoff, alen, "Unknown (%d %s)", alen, (alen == 1) ? "byte" : "bytes"); break; } i += alen + aoff; } /* --- move --- */ p += 2 + len; /* NLRI */ len = hlen - (p - &pd[offset]); ti = proto_tree_add_text(tree, p - pd, len, "Network layer reachability information: %u %s", len, (len == 1) ? "byte" : "bytes"); if (len > 0) { subtree = proto_item_add_subtree(ti, ETT_BGP_NLRI); /* parse prefixes */ end = p + len; while (p < end) { memset(&prefix, 0, sizeof(prefix)); /* snarf length */ length = *p; i = convert_prefix(length); p++; /* snarf prefix */ memcpy(&prefix, p, i); proto_tree_add_text(subtree, p - pd - 1, i + 1, "%s/%d", inet_ntoa(prefix), length); p += i; } } } } /* * Dissect a BGP NOTIFICATION message. */ static void dissect_bgp_notification(const u_char *pd, int offset, frame_data *fd, proto_tree *tree) { struct bgp_notification bgpn; /* BGP NOTIFICATION message */ int hlen; /* message length */ char *p; /* string pointer */ /* snarf message */ memcpy(&bgpn, &pd[offset], sizeof(bgpn)); hlen = ntohs(bgpn.bgpn_len); /* print error code */ proto_tree_add_text(tree, offset + offsetof(struct bgp_notification, bgpn_major), 1, "Error code: %s (%u)", val_to_str(bgpn.bgpn_major, bgpnotify_major, "Unknown"), bgpn.bgpn_major); /* print error subcode */ if (bgpn.bgpn_major < array_length(bgpnotify_minor) && bgpnotify_minor[bgpn.bgpn_major] != NULL) { p = val_to_str(bgpn.bgpn_minor, bgpnotify_minor[bgpn.bgpn_major], "Unknown"); } else if (bgpn.bgpn_minor == 0) p = "Unspecified"; else p = "Unknown"; proto_tree_add_text(tree, offset + offsetof(struct bgp_notification, bgpn_minor), 1, "Error subcode: %s (%u)", p, bgpn.bgpn_minor); /* only print if there is optional data */ if (hlen > BGP_MIN_NOTIFICATION_MSG_SIZE) { proto_tree_add_text(tree, offset + BGP_MIN_NOTIFICATION_MSG_SIZE, hlen - BGP_MIN_NOTIFICATION_MSG_SIZE, "Data"); } } /* * Dissect a BGP packet. */ void dissect_bgp(const u_char *pd, int offset, frame_data *fd, proto_tree *tree) { proto_item *ti; /* tree item */ proto_tree *bgp_tree; /* BGP packet tree */ proto_tree *bgp1_tree; /* BGP message tree */ const u_char *p; /* packet offset pointer */ int l, i; /* tmp */ int found; /* number of BGP messages in packet */ static u_char marker[] = { /* BGP message marker */ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, }; struct bgp bgp; /* BGP header */ int hlen; /* BGP header length */ char *typ; /* BGP message type */ if (check_col(fd, COL_PROTOCOL)) col_add_str(fd, COL_PROTOCOL, "BGP"); p = &pd[offset]; l = END_OF_FRAME; i = 0; found = -1; /* run through the TCP packet looking for BGP headers */ /* this is done twice, but this way each message type can be printed in the COL_INFO field */ while (i < l) { /* look for bgp header */ if (p[i] != 0xff) { i++; continue; } CHECK_SIZE(i, sizeof(marker), l); if (memcmp(&p[i], marker, sizeof(marker)) != 0) { i++; continue; } memcpy(&bgp, &p[i], sizeof(bgp)); found++; hlen = ntohs(bgp.bgp_len); typ = val_to_str(bgp.bgp_type, bgptypevals, "Unknown Message"); if (check_col(fd, COL_INFO)) { if (found == 0) col_add_fstr(fd, COL_INFO, "%s", typ); else col_append_fstr(fd, COL_INFO, ", %s", typ); } i += hlen; } if (tree) { ti = proto_tree_add_text(tree, offset, END_OF_FRAME, "Border Gateway Protocol"); bgp_tree = proto_item_add_subtree(ti, ETT_BGP); p = &pd[offset]; l = END_OF_FRAME; i = 0; /* now, run through the TCP packet again, this time dissect */ /* each message that we find */ while (i < l) { /* look for bgp header */ if (p[i] != 0xff) { i++; continue; } CHECK_SIZE(i, sizeof(marker), l); if (memcmp(&p[i], marker, sizeof(marker)) != 0) { i++; continue; } memcpy(&bgp, &p[i], sizeof(bgp)); hlen = ntohs(bgp.bgp_len); typ = val_to_str(bgp.bgp_type, bgptypevals, "Unknown Message"); if (END_OF_FRAME < hlen) { ti = proto_tree_add_text(bgp_tree, offset + i, END_OF_FRAME, "%s (truncated)", typ); } else { ti = proto_tree_add_text(bgp_tree, offset + i, hlen, "%s", typ); } /* add a different tree for each message type */ switch (bgp.bgp_type) { case BGP_OPEN: bgp1_tree = proto_item_add_subtree(ti, ETT_BGP_OPEN); break; case BGP_UPDATE: bgp1_tree = proto_item_add_subtree(ti, ETT_BGP_UPDATE); break; case BGP_NOTIFICATION: bgp1_tree = proto_item_add_subtree(ti, ETT_BGP_NOTIFICATION); break; case BGP_KEEPALIVE: bgp1_tree = proto_item_add_subtree(ti, ETT_BGP); break; default: bgp1_tree = proto_item_add_subtree(ti, ETT_BGP); break; } proto_tree_add_text(bgp1_tree, offset + i, BGP_MARKER_SIZE, "Marker", NULL); if (hlen < BGP_HEADER_SIZE || hlen > BGP_MAX_PACKET_SIZE) { proto_tree_add_text(bgp1_tree, offset + i + offsetof(struct bgp, bgp_len), 2, "Length (invalid): %u %s", hlen, (hlen == 1) ? "byte" : "bytes"); } else { proto_tree_add_text(bgp1_tree, offset + i + offsetof(struct bgp, bgp_len), 2, "Length: %u %s", hlen, (hlen == 1) ? "byte" : "bytes"); } proto_tree_add_text(bgp1_tree, offset + i + offsetof(struct bgp, bgp_type), 1, "Type: %s (%u)", typ, bgp.bgp_type); CHECK_SIZE(i, hlen, l); /* handle each message type */ switch (bgp.bgp_type) { case BGP_OPEN: dissect_bgp_open(pd, offset + i, fd, bgp1_tree); break; case BGP_UPDATE: dissect_bgp_update(pd, offset + i, fd, bgp1_tree); break; case BGP_NOTIFICATION: dissect_bgp_notification(pd, offset + i, fd, bgp1_tree); break; case BGP_KEEPALIVE: /* no data in KEEPALIVE messages */ break; default: break; } i += hlen; } } } /* * Register ourselves. */ void proto_register_bgp(void) { proto_bgp = proto_register_protocol("Border Gateway Protocol", "bgp"); }