2 * Routines for IEEE 802.2 LLC layer
3 * Gilbert Ramirez <gram@xiexie.org>
5 * $Id: packet-llc.c,v 1.59 2000/05/12 05:06:26 gram Exp $
7 * Ethereal - Network traffic analyzer
8 * By Gerald Combs <gerald@zing.org>
9 * Copyright 1998 Gerald Combs
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version 2
15 * of the License, or (at your option) any later version.
17 * This program is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU General Public License for more details.
22 * You should have received a copy of the GNU General Public License
23 * along with this program; if not, write to the Free Software
24 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
31 #ifdef HAVE_SYS_TYPES_H
32 # include <sys/types.h>
41 #include "packet-bpdu.h"
42 #include "packet-cdp.h"
43 #include "packet-cgmp.h"
44 #include "packet-ip.h"
45 #include "packet-ipx.h"
46 #include "packet-netbios.h"
47 #include "packet-osi.h"
48 #include "packet-sna.h"
49 #include "packet-vtp.h"
51 static int proto_llc = -1;
52 static int hf_llc_dsap = -1;
53 static int hf_llc_ssap = -1;
54 static int hf_llc_dsap_ig = -1;
55 static int hf_llc_ssap_cr = -1;
56 static int hf_llc_ctrl = -1;
57 static int hf_llc_type = -1;
58 static int hf_llc_oui = -1;
59 static int hf_llc_pid = -1;
61 static gint ett_llc = -1;
62 static gint ett_llc_ctrl = -1;
64 static dissector_table_t subdissector_table;
66 typedef void (capture_func_t)(const u_char *, int, packet_counts *);
68 /* The SAP info is split into two tables, one value_string table and one
69 * table of sap_info. This is so that the value_string can be used in the
70 * header field registration.
74 capture_func_t *capture_func;
78 * Group/Individual bit, in the DSAP.
80 #define DSAP_GI_BIT 0x01
83 * Command/Response bit, in the SSAP.
85 * The low-order bit of the SSAP apparently determines whether this
86 * is a request or a response. (RFC 1390, "Transmission of IP and
87 * ARP over FDDI Networks", says
89 * Command frames are identified by having the low order
90 * bit of the SSAP address reset to zero. Response frames
91 * have the low order bit of the SSAP address set to one.
93 * and a page I've seen seems to imply that's part of 802.2.)
95 #define SSAP_CR_BIT 0x01
98 * Mask to extrace the SAP number from the DSAP or the SSAP.
100 #define SAP_MASK 0xFE
103 * These are for SSAP and DSAP, wth last bit always zero.
104 * XXX - some DSAPs come in separate "individual" and "group" versions,
105 * with the last bit 0 and 1, respectively (e.g., LLC Sub-layer Management,
106 * IBM SNA Path Control, IBM Net Management), but, whilst 0xFE is
107 * the ISO Network Layer Protocol, 0xFF is the Global LSAP.
109 static const value_string sap_vals[] = {
110 { SAP_NULL, "NULL LSAP" },
111 { SAP_LLC_SLMGMT, "LLC Sub-Layer Management" },
112 { SAP_SNA_PATHCTRL, "SNA Path Control" },
113 { SAP_IP, "TCP/IP" },
116 { SAP_PROWAY_NM_INIT, "PROWAY (IEC955) Network Management and Initialization" },
117 { SAP_TI, "Texas Instruments" },
118 { SAP_BPDU, "Spanning Tree BPDU" },
119 { SAP_RS511, "EIA RS-511 Manufacturing Message Service" },
121 /* XXX - setting the group bit makes this 0x7F; is that just
122 a group version of this? */
123 { 0x7E, "ISO 8208 (X.25 over 802.2 Type 2)" },
125 { 0x7F, "ISO 802.2" },
127 { SAP_NESTAR, "Nestar" },
128 { SAP_PROWAY_ASLM, "PROWAY (IEC955) Active Station List Maintenance" },
129 { SAP_ARP, "ARP" }, /* XXX - hand to "dissect_arp()"? */
130 { SAP_SNAP, "SNAP" },
131 { SAP_VINES1, "Banyan Vines" },
132 { SAP_VINES2, "Banyan Vines" },
133 { SAP_NETWARE, "NetWare" },
134 { SAP_NETBIOS, "NetBIOS" },
135 { SAP_IBMNM, "IBM Net Management" },
136 { SAP_RPL1, "Remote Program Load" },
137 { SAP_UB, "Ungermann-Bass" },
138 { SAP_RPL2, "Remote Program Load" },
139 { SAP_OSINL, "ISO Network Layer" },
140 { SAP_GLOBAL, "Global LSAP" },
144 static struct sap_info saps[] = {
145 { SAP_IP, capture_ip },
146 { SAP_NETWARE, capture_ipx },
147 { SAP_NETBIOS, capture_netbios },
154 * http://www.cisco.com/univercd/cc/td/doc/product/lan/trsrb/vlan.htm
156 * for the PIDs for VTP and DRiP that go with an OUI of OUI_CISCO.
158 const value_string oui_vals[] = {
159 { OUI_ENCAP_ETHER, "Encapsulated Ethernet" },
161 http://www.cisco.com/univercd/cc/td/doc/product/software/ios113ed/113ed_cr/ibm_r/brprt1/brsrb.htm
163 { OUI_CISCO, "Cisco" },
164 { OUI_CISCO_90, "Cisco IOS 9.0 Compatible" },
165 { OUI_BFR, "Bridged Frame-Relay" }, /* RFC 2427 */
166 { OUI_ATM_FORUM, "ATM Forum" },
167 { OUI_APPLE_ATALK, "Apple (AppleTalk)" },
168 { OUI_CABLE_BPDU, "DOCSIS Spanning Tree" }, /* DOCSIS spanning tree BPDU */
172 static capture_func_t *
173 sap_capture_func(u_char sap) {
176 /* look for the second record where sap == 0, which should
179 while (saps[i].sap > 0 || i == 0) {
180 if (saps[i].sap == sap) {
181 return saps[i].capture_func;
189 capture_llc(const u_char *pd, int offset, packet_counts *ld) {
196 capture_func_t *capture;
198 if (!BYTES_ARE_IN_FRAME(offset, 2)) {
202 is_snap = (pd[offset] == SAP_SNAP) && (pd[offset+1] == SAP_SNAP);
203 llc_header_len = 2; /* DSAP + SSAP */
206 * XXX - the page referred to in the comment above about the
207 * Command/Response bit also implies that LLC Type 2 always
208 * uses extended operation, so we don't need to determine
209 * whether it's basic or extended operation; is that the case?
211 control = get_xdlc_control(pd, offset+2, pd[offset+1] & SSAP_CR_BIT,
213 llc_header_len += XDLC_CONTROL_LEN(control, TRUE);
215 llc_header_len += 5; /* 3 bytes of OUI, 2 bytes of protocol ID */
216 if (!BYTES_ARE_IN_FRAME(offset, llc_header_len)) {
222 oui = pd[offset+3] << 16 | pd[offset+4] << 8 | pd[offset+5];
223 if (XDLC_IS_INFORMATION(control)) {
224 etype = pntohs(&pd[offset+6]);
227 case OUI_ENCAP_ETHER:
228 case OUI_APPLE_ATALK:
229 /* No, I have no idea why Apple used
230 one of their own OUIs, rather than
231 OUI_ENCAP_ETHER, and an Ethernet
232 packet type as protocol ID, for
233 AppleTalk data packets - but used
234 OUI_ENCAP_ETHER and an Ethernet
235 packet type for AARP packets. */
236 capture_ethertype(etype, offset+8, pd,
240 capture_ethertype(etype,
250 if (XDLC_IS_INFORMATION(control)) {
251 capture = sap_capture_func(pd[offset]);
254 offset += llc_header_len;
257 capture(pd, offset, ld);
267 dissect_llc(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
269 proto_tree *llc_tree = NULL;
270 proto_item *ti = NULL;
281 pinfo->current_proto = "LLC";
283 if (check_col(pinfo->fd, COL_PROTOCOL)) {
284 col_add_str(pinfo->fd, COL_PROTOCOL, "LLC");
287 dsap = tvb_get_guint8(tvb, 0);
288 ssap = tvb_get_guint8(tvb, 1);
290 is_snap = (dsap == SAP_SNAP) && (ssap == SAP_SNAP);
291 llc_header_len = 2; /* DSAP + SSAP */
294 ti = proto_tree_add_item(tree, proto_llc, tvb, 0, 0, NULL);
295 llc_tree = proto_item_add_subtree(ti, ett_llc);
296 proto_tree_add_item(llc_tree, hf_llc_dsap, tvb, 0,
298 proto_tree_add_item(llc_tree, hf_llc_dsap_ig, tvb, 0,
299 1, dsap & DSAP_GI_BIT);
300 proto_tree_add_item(llc_tree, hf_llc_ssap, tvb, 1,
302 proto_tree_add_item(llc_tree, hf_llc_ssap_cr, tvb, 1,
303 1, ssap & SSAP_CR_BIT);
308 * XXX - the page referred to in the comment above about the
309 * Command/Response bit also implies that LLC Type 2 always
310 * uses extended operation, so we don't need to determine
311 * whether it's basic or extended operation; is that the case?
313 tvb_compat(tvb, &pd, &offset);
314 control = dissect_xdlc_control(pd, offset+2, pinfo->fd, llc_tree,
315 hf_llc_ctrl, ett_llc_ctrl,
316 pd[offset+1] & SSAP_CR_BIT, TRUE);
317 llc_header_len += XDLC_CONTROL_LEN(control, TRUE);
319 llc_header_len += 5; /* 3 bytes of OUI, 2 bytes of protocol ID */
322 proto_item_set_len(ti, llc_header_len);
325 * XXX - do we want to append the SAP information to the stuff
326 * "dissect_xdlc_control()" put in the COL_INFO column, rather
327 * than overwriting it?
330 oui = tvb_get_guint8(tvb, 3) << 16 |
331 tvb_get_guint8(tvb, 4) << 8 |
332 tvb_get_guint8(tvb, 5);
333 etype = tvb_get_ntohs(tvb, 6);
335 if (check_col(pinfo->fd, COL_INFO)) {
336 col_add_fstr(pinfo->fd, COL_INFO, "SNAP, OUI 0x%06X (%s), PID 0x%04X",
337 oui, val_to_str(oui, oui_vals, "Unknown"),
341 proto_tree_add_item(llc_tree, hf_llc_oui, tvb, 3, 3,
345 next_tvb = tvb_new_subset(tvb, 8, -1);
346 tvb_compat(next_tvb, &pd, &offset);
350 case OUI_ENCAP_ETHER:
351 case OUI_APPLE_ATALK:
352 /* No, I have no idea why Apple used
353 one of their own OUIs, rather than
354 OUI_ENCAP_ETHER, and an Ethernet
355 packet type as protocol ID, for
356 AppleTalk data packets - but used
357 OUI_ENCAP_ETHER and an Ethernet
358 packet type for AARP packets. */
359 if (XDLC_IS_INFORMATION(control)) {
360 ethertype(etype, offset, pd,
361 pinfo->fd, tree, llc_tree, hf_llc_type);
363 dissect_data_tvb(next_tvb, pinfo, tree);
367 /* So are all CDP packets LLC packets
368 with an OUI of OUI_CISCO and a
369 protocol ID of 0x2000, or
370 are some of them raw or encapsulated
373 proto_tree_add_item(llc_tree,
374 hf_llc_pid, tvb, 6, 2, etype);
376 if (XDLC_IS_INFORMATION(control)) {
381 dissect_drip(pd, offset, pinfo->fd, tree);
386 dissect_cdp(pd, offset, pinfo->fd, tree);
390 dissect_cgmp(pd, offset, pinfo->fd, tree);
394 dissect_vtp(pd, offset, pinfo->fd, tree);
398 dissect_data_tvb(next_tvb, pinfo, tree);
402 dissect_data_tvb(next_tvb, pinfo, tree);
405 case OUI_CABLE_BPDU: /* DOCSIS cable modem spanning tree BPDU */
407 proto_tree_add_item(llc_tree,
408 hf_llc_pid, tvb, 6, 2, etype);
410 dissect_bpdu(pd, offset, pinfo->fd, tree);
415 proto_tree_add_item(llc_tree,
416 hf_llc_pid, tvb, 6, 2, etype);
418 dissect_data_tvb(next_tvb, pinfo, tree);
423 if (check_col(pinfo->fd, COL_INFO)) {
424 col_add_fstr(pinfo->fd, COL_INFO,
425 "DSAP %s %s, SSAP %s %s",
426 val_to_str(dsap & SAP_MASK, sap_vals, "%02x"),
428 "Group" : "Individual",
429 val_to_str(ssap & SAP_MASK, sap_vals, "%02x"),
431 "Response" : "Command"
435 next_tvb = tvb_new_subset(tvb, llc_header_len, -1);
436 if (XDLC_IS_INFORMATION(control)) {
437 tvb_compat(tvb, &pd, &offset);
439 offset += llc_header_len;
441 /* do lookup with the subdissector table */
442 if (!dissector_try_port(subdissector_table, dsap,
443 pd, offset, pinfo->fd, tree)) {
444 dissect_data_tvb(next_tvb, pinfo, tree);
447 dissect_data_tvb(next_tvb, pinfo, tree);
453 proto_register_llc(void)
455 static struct true_false_string ig_bit = { "Group", "Individual" };
456 static struct true_false_string cr_bit = { "Response", "Command" };
458 static hf_register_info hf[] = {
460 { "DSAP", "llc.dsap", FT_UINT8, BASE_HEX,
461 VALS(sap_vals), 0x0, "" }},
464 { "IG Bit", "llc.dsap.ig", FT_BOOLEAN, BASE_HEX,
465 &ig_bit, 0x0, "Individual/Group" }},
468 { "SSAP", "llc.ssap", FT_UINT8, BASE_HEX,
469 VALS(sap_vals), 0x0, "" }},
472 { "CR Bit", "llc.ssap.cr", FT_BOOLEAN, BASE_HEX,
473 &cr_bit, 0x0, "Command/Response" }},
476 { "Control", "llc.control", FT_UINT16, BASE_HEX,
479 /* registered here but handled in ethertype.c */
481 { "Type", "llc.type", FT_UINT16, BASE_HEX,
482 VALS(etype_vals), 0x0, "" }},
485 { "Organization Code", "llc.oui", FT_UINT24, BASE_HEX,
486 VALS(oui_vals), 0x0, ""}},
489 { "Protocol ID", "llc.pid", FT_UINT16, BASE_HEX,
492 static gint *ett[] = {
497 proto_llc = proto_register_protocol ("Logical-Link Control", "llc" );
498 proto_register_field_array(proto_llc, hf, array_length(hf));
499 proto_register_subtree_array(ett, array_length(ett));
501 /* subdissector code */
502 subdissector_table = register_dissector_table("llc.dsap");