git.samba.org / obnox / wireshark / wip.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Break out IG and CR bits of SSAP and DSAP
[obnox/wireshark/wip.git] / packet-llc.c
1 /* packet-llc.c
2  * Routines for IEEE 802.2 LLC layer
3  * Gilbert Ramirez <gramirez@tivoli.com>
4  *
5  * $Id: packet-llc.c,v 1.33 1999/12/13 21:48:18 nneul Exp $
6  *
7  * Ethereal - Network traffic analyzer
8  * By Gerald Combs <gerald@unicom.net>
9  * Copyright 1998 Gerald Combs
10  *
11  * 
12  * This program is free software; you can redistribute it and/or
13  * modify it under the terms of the GNU General Public License
14  * as published by the Free Software Foundation; either version 2
15  * of the License, or (at your option) any later version.
16  * 
17  * This program is distributed in the hope that it will be useful,
18  * but WITHOUT ANY WARRANTY; without even the implied warranty of
19  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
20  * GNU General Public License for more details.
21  * 
22  * You should have received a copy of the GNU General Public License
23  * along with this program; if not, write to the Free Software
24  * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
25  */
26
27 #ifdef HAVE_CONFIG_H
28 # include "config.h"
29 #endif
30
31 #ifdef HAVE_SYS_TYPES_H
32 # include <sys/types.h>
33 #endif
34
35 #include <glib.h>
36 #include "packet.h"
37 #include "xdlc.h"
38         
39 static int proto_llc = -1;
40 static int hf_llc_dsap = -1;
41 static int hf_llc_ssap = -1;
42 static int hf_llc_dsap_ig = -1;
43 static int hf_llc_ssap_cr = -1;
44 static int hf_llc_ctrl = -1;
45 static int hf_llc_type = -1;
46 static int hf_llc_oui = -1;
47 static int hf_llc_pid = -1;
48
49 static gint ett_llc = -1;
50 static gint ett_llc_ctrl = -1;
51
52 typedef void (capture_func_t)(const u_char *, int, guint32, packet_counts *);
53 typedef void (dissect_func_t)(const u_char *, int, frame_data *, proto_tree *);
54
55 /* The SAP info is split into two tables, one value_string table and one table of sap_info. This is
56  * so that the value_string can be used in the header field registration.
57  */
58 struct sap_info {
59         guint8  sap;
60         capture_func_t *capture_func;
61         dissect_func_t *dissect_func;
62 };
63
64 /* These are for SSAP and DSAP, wth last bit always zero */
65 static const value_string sap_vals[] = {
66         { 0x00, "NULL LSAP" },
67         { 0x02, "LLC Sub-Layer Management" },
68         { 0x04, "SNA Path Control" },
69         { 0x06, "TCP/IP" },
70         { 0x08, "SNA" },
71         { 0x0C, "SNA" },
72         { 0x42, "Spanning Tree BPDU" },
73         { 0x7F, "ISO 802.2" },
74         { 0x80, "XNS" },
75         { 0xAA, "SNAP" },
76         { 0xBA, "Banyan Vines" },
77         { 0xBC, "Banyan Vines" },
78         { 0xE0, "NetWare" },
79         { 0xF0, "NetBIOS" },
80         { 0xF4, "IBM Net Management" },
81         { 0xF8, "Remote Program Load" },
82         { 0xFC, "Remote Program Load" },
83         { 0xFE, "ISO Network Layer" },
84         { 0xFF, "Global LSAP" },
85         { 0x00, NULL }
86 };
87
88 static struct sap_info  saps[] = {
89         { 0x00, NULL,           NULL },
90         { 0x02, NULL,           NULL },
91         { 0x03, NULL,           NULL },
92         { 0x04, NULL,           dissect_sna },
93         { 0x05, NULL,           NULL },
94         { 0x06, capture_ip,     dissect_ip },
95         { 0x08, NULL,           NULL },
96         { 0x0C, NULL,           NULL },
97         { 0x42, NULL,           dissect_bpdu },
98         { 0x7F, NULL,           NULL },
99         { 0x80, NULL,           NULL },
100         { 0xAA, NULL,           NULL },
101         { 0xBA, NULL,           NULL },
102         { 0xBC, NULL,           NULL },
103         { 0xE0, capture_ipx,    dissect_ipx },
104         { 0xF0, capture_netbios, dissect_netbios },
105         { 0xF4, NULL,           NULL },
106         { 0xF5, NULL,           NULL },
107         { 0xF8, NULL,           NULL },
108         { 0xFC, NULL,           NULL },
109         { 0xFE, NULL,           dissect_osi },
110         { 0xFF, NULL,           NULL },
111         { 0x00, NULL,           NULL}
112 };
113
114 static const value_string llc_ctrl_vals[] = {
115         { 0, "Information Transfer" },
116         { 1, "Supervisory" },
117         { 2, "Unknown" },
118         { 3, "Unnumbered Information" },
119         { 0, NULL }
120 };
121
122 #define OUI_ENCAP_ETHER 0x000000
123 #define OUI_APPLE_ATALK 0x080007
124
125 static const value_string llc_oui_vals[] = {
126         { OUI_ENCAP_ETHER, "Encapsulated Ethernet" },
127 /*
128 http://www.cisco.com/univercd/cc/td/doc/product/software/ios113ed/113ed_cr/ibm_r/brprt1/brsrb.htm
129 */
130         { 0x00000c,        "Cisco" },
131         { 0x0000f8,        "Cisco 90-Compatible" },
132         { 0x0080c2,        "Bridged Frame-Relay" }, /* RFC 2427 */
133         { OUI_APPLE_ATALK, "Apple (AppleTalk)" },
134         { 0,               NULL }
135 };
136
137 static capture_func_t *
138 sap_capture_func(u_char sap) {
139         int i=0;
140
141         /* look for the second record where sap == 0, which should
142          * be the last record
143          */
144         while (saps[i].sap > 0 || i == 0) {
145                 if (saps[i].sap == sap) {
146                         return saps[i].capture_func;
147                 }
148                 i++;
149         }
150         return NULL;
151 }
152
153 static dissect_func_t *
154 sap_dissect_func(u_char sap) {
155         int i=0;
156
157         /* look for the second record where sap == 0, which should
158          * be the last record
159          */
160         while (saps[i].sap > 0 || i == 0) {
161                 if (saps[i].sap == sap) {
162                         return saps[i].dissect_func;
163                 }
164                 i++;
165         }
166         return dissect_data;
167 }
168
169
170 void
171 capture_llc(const u_char *pd, int offset, guint32 cap_len, packet_counts *ld) {
172
173         int             is_snap;
174         guint16         control;
175         int             llc_header_len;
176         guint32         oui;
177         guint16         etype;
178         capture_func_t  *capture;
179
180         if (!BYTES_ARE_IN_FRAME(offset, 2)) {
181                 ld->other++;
182                 return;
183         }
184         is_snap = (pd[offset] == 0xAA) && (pd[offset+1] == 0xAA);
185         llc_header_len = 2;     /* DSAP + SSAP */
186
187         /*
188          * The low-order bit of the SSAP apparently determines whether this
189          * is a request or a response.  (RFC 1390, "Transmission of IP and
190          * ARP over FDDI Networks", says
191          *
192          *      Command frames are identified by having the low order
193          *      bit of the SSAP address reset to zero.  Response frames
194          *      have the low order bit of the SSAP address set to one.
195          *
196          * and a page I've seen seems to imply that's part of 802.2.)
197          *
198          * XXX - that page also implies that LLC Type 2 always uses
199          * extended operation, so we don't need to determine whether
200          * it's basic or extended operation; is that the case?
201          */
202         control = get_xdlc_control(pd, offset+2, pd[offset+1] & 0x01, TRUE);
203         llc_header_len += XDLC_CONTROL_LEN(control, TRUE);
204         if (is_snap)
205                 llc_header_len += 5;    /* 3 bytes of OUI, 2 bytes of protocol ID */
206         if (!BYTES_ARE_IN_FRAME(offset, llc_header_len)) {
207                 ld->other++;
208                 return;
209         }
210
211         if (is_snap) {
212                 oui = pd[offset+3] << 16 | pd[offset+4] << 8 | pd[offset+5];
213                 if (XDLC_HAS_PAYLOAD(control)) {
214                         /*
215                          * This frame has a payload to be analyzed.
216                          */
217                         etype = pntohs(&pd[offset+6]);
218                         switch (oui) {
219
220                         case OUI_ENCAP_ETHER:
221                         case OUI_APPLE_ATALK:
222                                 /* No, I have no idea why Apple used
223                                    one of their own OUIs, rather than
224                                    OUI_ENCAP_ETHER, and an Ethernet
225                                    packet type as protocol ID, for
226                                    AppleTalk data packets - but used
227                                    OUI_ENCAP_ETHER and an Ethernet
228                                    packet type for AARP packets. */
229                                 capture_ethertype(etype, offset+8, pd,
230                                     cap_len, ld);
231                                 break;
232
233                         default:
234                                 ld->other++;
235                                 break;
236                         }
237                 }
238         }               
239         else {
240                 if (XDLC_HAS_PAYLOAD(control)) {
241                         /*
242                          * This frame has a payload to be analyzed.
243                          */
244                         capture = sap_capture_func(pd[offset]);
245
246                         /* non-SNAP */
247                         offset += llc_header_len;
248
249                         if (capture) {
250                                 capture(pd, offset, cap_len, ld);
251                         }
252                         else {
253                                 ld->other++;
254                         }
255                 }
256         }
257 }
258
259 void
260 dissect_llc(const u_char *pd, int offset, frame_data *fd, proto_tree *tree) {
261
262         proto_tree      *llc_tree = NULL;
263         proto_item      *ti = NULL;
264         int             is_snap;
265         guint16         control;
266         int             llc_header_len;
267         guint32         oui;
268         guint16         etype;
269         dissect_func_t  *dissect;
270
271         if (!BYTES_ARE_IN_FRAME(offset, 2)) {
272                 dissect_data(pd, offset, fd, tree);
273                 return;
274         }
275         is_snap = (pd[offset] == 0xAA) && (pd[offset+1] == 0xAA);
276         llc_header_len = 2;     /* DSAP + SSAP */
277
278         if (check_col(fd, COL_PROTOCOL)) {
279                 col_add_str(fd, COL_PROTOCOL, "LLC");
280         }
281
282         if (tree) {
283                 ti = proto_tree_add_item(tree, proto_llc, offset, 0, NULL);
284                 llc_tree = proto_item_add_subtree(ti, ett_llc);
285                 proto_tree_add_item(llc_tree, hf_llc_dsap, offset, 
286                         1, pd[offset] & 0xFE);
287                 proto_tree_add_item(llc_tree, hf_llc_dsap_ig, offset, 
288                         1, pd[offset] & 0x01);
289                 proto_tree_add_item(llc_tree, hf_llc_ssap, offset+1, 
290                         1, pd[offset+1] & 0xFE);
291                 proto_tree_add_item(llc_tree, hf_llc_ssap_cr, offset+1, 
292                         1, pd[offset+1] & 0x01);
293         } else
294                 llc_tree = NULL;
295
296         /*
297          * The low-order bit of the SSAP apparently determines whether this
298          * is a request or a response.  (RFC 1390, "Transmission of IP and
299          * ARP over FDDI Networks", says
300          *
301          *      Command frames are identified by having the low order
302          *      bit of the SSAP address reset to zero.  Response frames
303          *      have the low order bit of the SSAP address set to one.
304          *
305          * and a page I've seen seems to imply that's part of 802.2.)
306          *
307          * XXX - that page also implies that LLC Type 2 always uses
308          * extended operation, so we don't need to determine whether
309          * it's basic or extended operation; is that the case?
310          */
311         control = dissect_xdlc_control(pd, offset+2, fd, llc_tree,
312                                 hf_llc_ctrl, ett_llc_ctrl,
313                                 pd[offset+1] & 0x01, TRUE);
314         llc_header_len += XDLC_CONTROL_LEN(control, TRUE);
315         if (is_snap)
316                 llc_header_len += 5;    /* 3 bytes of OUI, 2 bytes of protocol ID */
317         if (!BYTES_ARE_IN_FRAME(offset, llc_header_len)) {
318                 dissect_data(pd, offset, fd, tree);
319                 return;
320         }
321         if (tree)
322                 proto_item_set_len(ti, llc_header_len);
323
324         /*
325          * XXX - do we want to append the SAP information to the stuff
326          * "dissect_xdlc_control()" put in the COL_INFO column, rather
327          * than overwriting it?
328          */
329         if (is_snap) {
330                 oui = pd[offset+3] << 16 | pd[offset+4] << 8 | pd[offset+5];
331                 etype = pntohs(&pd[offset+6]);
332                 if (check_col(fd, COL_INFO)) {
333                         col_add_fstr(fd, COL_INFO, "SNAP, OUI 0x%06X (%s), PID 0x%04X",
334                             oui, val_to_str(oui, llc_oui_vals, "Unknown"),
335                             etype);
336                 }
337                 if (tree) {
338                         proto_tree_add_item(llc_tree, hf_llc_oui, offset+3, 3,
339                                 oui);
340                 }
341                 if (XDLC_HAS_PAYLOAD(control)) {
342                         /*
343                          * This frame has a payload to be analyzed.
344                          */
345                         switch (oui) {
346
347                         case OUI_ENCAP_ETHER:
348                         case OUI_APPLE_ATALK:
349                                 /* No, I have no idea why Apple used
350                                    one of their own OUIs, rather than
351                                    OUI_ENCAP_ETHER, and an Ethernet
352                                    packet type as protocol ID, for
353                                    AppleTalk data packets - but used
354                                    OUI_ENCAP_ETHER and an Ethernet
355                                    packet type for AARP packets. */
356                                 ethertype(etype, offset+8, pd,
357                                     fd, tree, llc_tree, hf_llc_type);
358                                 break;
359
360                         default:
361                                 proto_tree_add_item(llc_tree, hf_llc_pid,
362                                     offset+6, 2, etype);
363                                 dissect_data(pd, offset+8, fd, tree);
364                                 break;
365                         }
366                 }
367         }               
368         else {
369                 if (check_col(fd, COL_INFO)) {
370                         col_add_fstr(fd, COL_INFO, 
371                                 "DSAP %s %s, SSAP %s %s",
372                                 val_to_str(pd[offset] & 0xFE, sap_vals, "%02x"),
373                                 pd[offset] & 0x01 ? "Group" : "Individual",
374                                 val_to_str(pd[offset+1] & 0xFE, sap_vals, "%02x"),
375                                 pd[offset+1] & 0x01 ? "Command" : "Response"
376                                 );
377                 }
378
379                 if (XDLC_HAS_PAYLOAD(control)) {
380                         /*
381                          * This frame has a payload to be analyzed.
382                          */
383                         dissect = sap_dissect_func(pd[offset]);
384
385                         /* non-SNAP */
386                         offset += llc_header_len;
387
388                         if (dissect) {
389                                 dissect(pd, offset, fd, tree);
390                         }
391                         else {
392                                 dissect_data(pd, offset, fd, tree);
393                         }
394                 }
395         }
396 }
397
398 void
399 proto_register_llc(void)
400 {
401         static struct true_false_string ig_bit = { "Group", "Individual" };
402         static struct true_false_string cr_bit = { "Response", "Command" };
403
404         static hf_register_info hf[] = {
405                 { &hf_llc_dsap,
406                 { "DSAP",       "llc.dsap", FT_UINT8, BASE_HEX, 
407                         VALS(sap_vals), 0x0, "" }},
408
409                 { &hf_llc_dsap_ig,
410                 { "IG Bit",     "llc.dsap.ig", FT_BOOLEAN, BASE_HEX, 
411                         &ig_bit, 0x0, "Individual/Group" }},
412
413                 { &hf_llc_ssap,
414                 { "SSAP", "llc.ssap", FT_UINT8, BASE_HEX, 
415                         VALS(sap_vals), 0x0, "" }},
416
417                 { &hf_llc_ssap_cr,
418                 { "CR Bit", "llc.ssap.cr", FT_BOOLEAN, BASE_HEX, 
419                         &cr_bit, 0x0, "Command/Response" }},
420
421                 { &hf_llc_ctrl,
422                 { "Control", "llc.control", FT_UINT8, BASE_HEX, 
423                         VALS(llc_ctrl_vals), 0x0, "" }},
424
425                 /* registered here but handled in ethertype.c */
426                 { &hf_llc_type,
427                 { "Type", "llc.type", FT_UINT16, BASE_HEX, 
428                         VALS(etype_vals), 0x0, "" }},
429
430                 { &hf_llc_oui,
431                 { "Organization Code",  "llc.oui", FT_UINT24, BASE_HEX, 
432                         VALS(llc_oui_vals), 0x0, ""}},
433
434                 { &hf_llc_pid,
435                 { "Protocol ID", "llc.pid", FT_UINT16, BASE_HEX, 
436                         NULL, 0x0, ""}}
437         };
438         static gint *ett[] = {
439                 &ett_llc,
440                 &ett_llc_ctrl,
441         };
442
443         proto_llc = proto_register_protocol ("Logical-Link Control", "llc" );
444         proto_register_field_array(proto_llc, hf, array_length(hf));
445         proto_register_subtree_array(ett, array_length(ett));
446 }
git mirror of the wireshark svn