2 * Routines for IEEE 802.2 LLC layer
3 * Gilbert Ramirez <gramirez@tivoli.com>
5 * $Id: packet-llc.c,v 1.33 1999/12/13 21:48:18 nneul Exp $
7 * Ethereal - Network traffic analyzer
8 * By Gerald Combs <gerald@unicom.net>
9 * Copyright 1998 Gerald Combs
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version 2
15 * of the License, or (at your option) any later version.
17 * This program is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU General Public License for more details.
22 * You should have received a copy of the GNU General Public License
23 * along with this program; if not, write to the Free Software
24 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
31 #ifdef HAVE_SYS_TYPES_H
32 # include <sys/types.h>
39 static int proto_llc = -1;
40 static int hf_llc_dsap = -1;
41 static int hf_llc_ssap = -1;
42 static int hf_llc_dsap_ig = -1;
43 static int hf_llc_ssap_cr = -1;
44 static int hf_llc_ctrl = -1;
45 static int hf_llc_type = -1;
46 static int hf_llc_oui = -1;
47 static int hf_llc_pid = -1;
49 static gint ett_llc = -1;
50 static gint ett_llc_ctrl = -1;
52 typedef void (capture_func_t)(const u_char *, int, guint32, packet_counts *);
53 typedef void (dissect_func_t)(const u_char *, int, frame_data *, proto_tree *);
55 /* The SAP info is split into two tables, one value_string table and one table of sap_info. This is
56 * so that the value_string can be used in the header field registration.
60 capture_func_t *capture_func;
61 dissect_func_t *dissect_func;
64 /* These are for SSAP and DSAP, wth last bit always zero */
65 static const value_string sap_vals[] = {
66 { 0x00, "NULL LSAP" },
67 { 0x02, "LLC Sub-Layer Management" },
68 { 0x04, "SNA Path Control" },
72 { 0x42, "Spanning Tree BPDU" },
73 { 0x7F, "ISO 802.2" },
76 { 0xBA, "Banyan Vines" },
77 { 0xBC, "Banyan Vines" },
80 { 0xF4, "IBM Net Management" },
81 { 0xF8, "Remote Program Load" },
82 { 0xFC, "Remote Program Load" },
83 { 0xFE, "ISO Network Layer" },
84 { 0xFF, "Global LSAP" },
88 static struct sap_info saps[] = {
92 { 0x04, NULL, dissect_sna },
94 { 0x06, capture_ip, dissect_ip },
97 { 0x42, NULL, dissect_bpdu },
100 { 0xAA, NULL, NULL },
101 { 0xBA, NULL, NULL },
102 { 0xBC, NULL, NULL },
103 { 0xE0, capture_ipx, dissect_ipx },
104 { 0xF0, capture_netbios, dissect_netbios },
105 { 0xF4, NULL, NULL },
106 { 0xF5, NULL, NULL },
107 { 0xF8, NULL, NULL },
108 { 0xFC, NULL, NULL },
109 { 0xFE, NULL, dissect_osi },
110 { 0xFF, NULL, NULL },
114 static const value_string llc_ctrl_vals[] = {
115 { 0, "Information Transfer" },
116 { 1, "Supervisory" },
118 { 3, "Unnumbered Information" },
122 #define OUI_ENCAP_ETHER 0x000000
123 #define OUI_APPLE_ATALK 0x080007
125 static const value_string llc_oui_vals[] = {
126 { OUI_ENCAP_ETHER, "Encapsulated Ethernet" },
128 http://www.cisco.com/univercd/cc/td/doc/product/software/ios113ed/113ed_cr/ibm_r/brprt1/brsrb.htm
130 { 0x00000c, "Cisco" },
131 { 0x0000f8, "Cisco 90-Compatible" },
132 { 0x0080c2, "Bridged Frame-Relay" }, /* RFC 2427 */
133 { OUI_APPLE_ATALK, "Apple (AppleTalk)" },
137 static capture_func_t *
138 sap_capture_func(u_char sap) {
141 /* look for the second record where sap == 0, which should
144 while (saps[i].sap > 0 || i == 0) {
145 if (saps[i].sap == sap) {
146 return saps[i].capture_func;
153 static dissect_func_t *
154 sap_dissect_func(u_char sap) {
157 /* look for the second record where sap == 0, which should
160 while (saps[i].sap > 0 || i == 0) {
161 if (saps[i].sap == sap) {
162 return saps[i].dissect_func;
171 capture_llc(const u_char *pd, int offset, guint32 cap_len, packet_counts *ld) {
178 capture_func_t *capture;
180 if (!BYTES_ARE_IN_FRAME(offset, 2)) {
184 is_snap = (pd[offset] == 0xAA) && (pd[offset+1] == 0xAA);
185 llc_header_len = 2; /* DSAP + SSAP */
188 * The low-order bit of the SSAP apparently determines whether this
189 * is a request or a response. (RFC 1390, "Transmission of IP and
190 * ARP over FDDI Networks", says
192 * Command frames are identified by having the low order
193 * bit of the SSAP address reset to zero. Response frames
194 * have the low order bit of the SSAP address set to one.
196 * and a page I've seen seems to imply that's part of 802.2.)
198 * XXX - that page also implies that LLC Type 2 always uses
199 * extended operation, so we don't need to determine whether
200 * it's basic or extended operation; is that the case?
202 control = get_xdlc_control(pd, offset+2, pd[offset+1] & 0x01, TRUE);
203 llc_header_len += XDLC_CONTROL_LEN(control, TRUE);
205 llc_header_len += 5; /* 3 bytes of OUI, 2 bytes of protocol ID */
206 if (!BYTES_ARE_IN_FRAME(offset, llc_header_len)) {
212 oui = pd[offset+3] << 16 | pd[offset+4] << 8 | pd[offset+5];
213 if (XDLC_HAS_PAYLOAD(control)) {
215 * This frame has a payload to be analyzed.
217 etype = pntohs(&pd[offset+6]);
220 case OUI_ENCAP_ETHER:
221 case OUI_APPLE_ATALK:
222 /* No, I have no idea why Apple used
223 one of their own OUIs, rather than
224 OUI_ENCAP_ETHER, and an Ethernet
225 packet type as protocol ID, for
226 AppleTalk data packets - but used
227 OUI_ENCAP_ETHER and an Ethernet
228 packet type for AARP packets. */
229 capture_ethertype(etype, offset+8, pd,
240 if (XDLC_HAS_PAYLOAD(control)) {
242 * This frame has a payload to be analyzed.
244 capture = sap_capture_func(pd[offset]);
247 offset += llc_header_len;
250 capture(pd, offset, cap_len, ld);
260 dissect_llc(const u_char *pd, int offset, frame_data *fd, proto_tree *tree) {
262 proto_tree *llc_tree = NULL;
263 proto_item *ti = NULL;
269 dissect_func_t *dissect;
271 if (!BYTES_ARE_IN_FRAME(offset, 2)) {
272 dissect_data(pd, offset, fd, tree);
275 is_snap = (pd[offset] == 0xAA) && (pd[offset+1] == 0xAA);
276 llc_header_len = 2; /* DSAP + SSAP */
278 if (check_col(fd, COL_PROTOCOL)) {
279 col_add_str(fd, COL_PROTOCOL, "LLC");
283 ti = proto_tree_add_item(tree, proto_llc, offset, 0, NULL);
284 llc_tree = proto_item_add_subtree(ti, ett_llc);
285 proto_tree_add_item(llc_tree, hf_llc_dsap, offset,
286 1, pd[offset] & 0xFE);
287 proto_tree_add_item(llc_tree, hf_llc_dsap_ig, offset,
288 1, pd[offset] & 0x01);
289 proto_tree_add_item(llc_tree, hf_llc_ssap, offset+1,
290 1, pd[offset+1] & 0xFE);
291 proto_tree_add_item(llc_tree, hf_llc_ssap_cr, offset+1,
292 1, pd[offset+1] & 0x01);
297 * The low-order bit of the SSAP apparently determines whether this
298 * is a request or a response. (RFC 1390, "Transmission of IP and
299 * ARP over FDDI Networks", says
301 * Command frames are identified by having the low order
302 * bit of the SSAP address reset to zero. Response frames
303 * have the low order bit of the SSAP address set to one.
305 * and a page I've seen seems to imply that's part of 802.2.)
307 * XXX - that page also implies that LLC Type 2 always uses
308 * extended operation, so we don't need to determine whether
309 * it's basic or extended operation; is that the case?
311 control = dissect_xdlc_control(pd, offset+2, fd, llc_tree,
312 hf_llc_ctrl, ett_llc_ctrl,
313 pd[offset+1] & 0x01, TRUE);
314 llc_header_len += XDLC_CONTROL_LEN(control, TRUE);
316 llc_header_len += 5; /* 3 bytes of OUI, 2 bytes of protocol ID */
317 if (!BYTES_ARE_IN_FRAME(offset, llc_header_len)) {
318 dissect_data(pd, offset, fd, tree);
322 proto_item_set_len(ti, llc_header_len);
325 * XXX - do we want to append the SAP information to the stuff
326 * "dissect_xdlc_control()" put in the COL_INFO column, rather
327 * than overwriting it?
330 oui = pd[offset+3] << 16 | pd[offset+4] << 8 | pd[offset+5];
331 etype = pntohs(&pd[offset+6]);
332 if (check_col(fd, COL_INFO)) {
333 col_add_fstr(fd, COL_INFO, "SNAP, OUI 0x%06X (%s), PID 0x%04X",
334 oui, val_to_str(oui, llc_oui_vals, "Unknown"),
338 proto_tree_add_item(llc_tree, hf_llc_oui, offset+3, 3,
341 if (XDLC_HAS_PAYLOAD(control)) {
343 * This frame has a payload to be analyzed.
347 case OUI_ENCAP_ETHER:
348 case OUI_APPLE_ATALK:
349 /* No, I have no idea why Apple used
350 one of their own OUIs, rather than
351 OUI_ENCAP_ETHER, and an Ethernet
352 packet type as protocol ID, for
353 AppleTalk data packets - but used
354 OUI_ENCAP_ETHER and an Ethernet
355 packet type for AARP packets. */
356 ethertype(etype, offset+8, pd,
357 fd, tree, llc_tree, hf_llc_type);
361 proto_tree_add_item(llc_tree, hf_llc_pid,
363 dissect_data(pd, offset+8, fd, tree);
369 if (check_col(fd, COL_INFO)) {
370 col_add_fstr(fd, COL_INFO,
371 "DSAP %s %s, SSAP %s %s",
372 val_to_str(pd[offset] & 0xFE, sap_vals, "%02x"),
373 pd[offset] & 0x01 ? "Group" : "Individual",
374 val_to_str(pd[offset+1] & 0xFE, sap_vals, "%02x"),
375 pd[offset+1] & 0x01 ? "Command" : "Response"
379 if (XDLC_HAS_PAYLOAD(control)) {
381 * This frame has a payload to be analyzed.
383 dissect = sap_dissect_func(pd[offset]);
386 offset += llc_header_len;
389 dissect(pd, offset, fd, tree);
392 dissect_data(pd, offset, fd, tree);
399 proto_register_llc(void)
401 static struct true_false_string ig_bit = { "Group", "Individual" };
402 static struct true_false_string cr_bit = { "Response", "Command" };
404 static hf_register_info hf[] = {
406 { "DSAP", "llc.dsap", FT_UINT8, BASE_HEX,
407 VALS(sap_vals), 0x0, "" }},
410 { "IG Bit", "llc.dsap.ig", FT_BOOLEAN, BASE_HEX,
411 &ig_bit, 0x0, "Individual/Group" }},
414 { "SSAP", "llc.ssap", FT_UINT8, BASE_HEX,
415 VALS(sap_vals), 0x0, "" }},
418 { "CR Bit", "llc.ssap.cr", FT_BOOLEAN, BASE_HEX,
419 &cr_bit, 0x0, "Command/Response" }},
422 { "Control", "llc.control", FT_UINT8, BASE_HEX,
423 VALS(llc_ctrl_vals), 0x0, "" }},
425 /* registered here but handled in ethertype.c */
427 { "Type", "llc.type", FT_UINT16, BASE_HEX,
428 VALS(etype_vals), 0x0, "" }},
431 { "Organization Code", "llc.oui", FT_UINT24, BASE_HEX,
432 VALS(llc_oui_vals), 0x0, ""}},
435 { "Protocol ID", "llc.pid", FT_UINT16, BASE_HEX,
438 static gint *ett[] = {
443 proto_llc = proto_register_protocol ("Logical-Link Control", "llc" );
444 proto_register_field_array(proto_llc, hf, array_length(hf));
445 proto_register_subtree_array(ett, array_length(ett));