epan/dissectors/packet-cisco-erspan.c

   1 /* packet-erspan.c
   2  * Routines for the disassembly of Cisco's ERSPAN protocol
   3  *
   4  * Copyright 2005 Joerg Mayer (see AUTHORS file)
   5  * Updates for newer versions by Jason Masker <jason at masker.net>
   6  *
   7  * Wireshark - Network traffic analyzer
   8  * By Gerald Combs <gerald@wireshark.org>
   9  * Copyright 1998 Gerald Combs
  10  *
  11  * This program is free software; you can redistribute it and/or
  12  * modify it under the terms of the GNU General Public License
  13  * as published by the Free Software Foundation; either version 2
  14  * of the License, or (at your option) any later version.
  15  *
  16  * This program is distributed in the hope that it will be useful,
  17  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  18  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  19  * GNU General Public License for more details.
  20  *
  21  * You should have received a copy of the GNU General Public License
  22  * along with this program; if not, write to the Free Software
  23  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  24  */
  25
  26 /*
  27  * TODO:
  28  *      Find out the Unknown values
  29  *
  30  * Specs:
  31  *      No real specs exist. Some general description can be found at:
  32  *      http://www.cisco.com/en/US/products/hw/routers/ps368/products_configuration_guide_chapter09186a008069952a.html
  33  *
  34  *      Some information on ERSPAN type III can be found at:
  35  *      http://www.cisco.com/en/US/docs/switches/datacenter/nexus1000/sw/4_0_4_s_v_1_3/system_management/configuration/guide/n1000v_system_9span.html
  36  *
  37  *      For ERSPAN packets, the "protocol type" field value in the GRE header
  38  *      is 0x88BE (version 1) or 0x22EB (version 2).
  39  *
  40  *      ERSPAN type II is version 1
  41  *      ERSPAN type III is version 2
  42  *
  43  * 0000000: d4c3 b2a1 0200 0400 0000 0000 0000 0000 <-- pcap header
  44  * 0000010: ffff 0000
  45  * 0000010:           7100 0000 <-- 0x71 (DLT_TYPE) = linux_cooked_capture (of course not)
  46  * 0000010:                     7507 f845 11d1 0500 <-- pcap record header
  47  * 0000020: 7a00 0000 7a00 0000
  48  * 0000020:                     0000 030a 0000 0000 <-- unknown
  49  * 0000030: 0000 0000
  50  * 0000030:           0000 88be <-- GRE header (version 1)
  51  * 0000030:                     1002 0001 0000 0380 <-- ERSPAN header (01: erspan-id)
  52  * 0000040: 00d0 b7a7 7480 0015 c721 75c0 0800 4500 <-- Ethernet packet
  53  * ...
  54  *
  55  *
  56  */
  57
  58 #include "config.h"
  59
  60 #include <glib.h>
  61 #include <epan/packet.h>
  62 #include <epan/greproto.h>
  63 #include <epan/prefs.h>
  64 #include <epan/expert.h>
  65
  66 void proto_register_erspan(void);
  67 void proto_reg_handoff_erspan(void);
  68
  69 static int proto_erspan = -1;
  70
  71 static gint ett_erspan = -1;
  72
  73 static int hf_erspan_version = -1;
  74 static int hf_erspan_vlan = -1;
  75 static int hf_erspan_priority = -1;
  76 static int hf_erspan_unknown2 = -1;
  77 static int hf_erspan_direction = -1;
  78 static int hf_erspan_unknown3 = -1;
  79 static int hf_erspan_truncated = -1;
  80 static int hf_erspan_spanid = -1;
  81 static int hf_erspan_timestamp = -1;
  82 static int hf_erspan_unknown4 = -1;
  83 static int hf_erspan_direction2 = -1;
  84 static int hf_erspan_unknown5 = -1;
  85 static int hf_erspan_unknown6 = -1;
  86 static int hf_erspan_unknown7 = -1;
  87
  88 static expert_field ei_erspan_version_unknown = EI_INIT;
  89
  90 #define PROTO_SHORT_NAME "ERSPAN"
  91 #define PROTO_LONG_NAME "Encapsulated Remote Switch Packet ANalysis"
  92
  93 /* Global ERSPAN Preference */
  94 static gboolean pref_fake_erspan = FALSE;
  95
  96 #define ERSPAN_DIRECTION_INCOMING 0
  97 #define ERSPAN_DIRECTION_OUTGOING 1
  98 static const value_string erspan_direction_vals[] = {
  99         {ERSPAN_DIRECTION_INCOMING, "Incoming"},
 100         {ERSPAN_DIRECTION_OUTGOING, "Outgoing"},
 101         {0, NULL},
 102 };
 103
 104 static const value_string erspan_truncated_vals[] = {
 105         {0, "Not truncated"},
 106         {1, "Truncated"},
 107         {0, NULL},
 108 };
 109
 110 static const value_string erspan_version_vals[] = {
 111         {1, "Type II"},
 112         {2, "Type III"},
 113         {0, NULL},
 114 };
 115
 116 static dissector_handle_t ethnofcs_handle;
 117
 118 static void
 119 erspan_fmt_timestamp(gchar *result, guint32 timeval)
 120 {
 121         g_snprintf(result, ITEM_LABEL_LENGTH, "%.4f", (((gfloat)timeval)/10000));
 122 }
 123
 124 static void
 125 dissect_erspan(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
 126 {
 127         proto_item *ti;
 128         proto_item *ti_ver;
 129         proto_tree *erspan_tree = NULL;
 130         tvbuff_t *eth_tvb;
 131         guint32 offset = 0;
 132         guint16 version;
 133
 134         col_set_str(pinfo->cinfo, COL_PROTOCOL, PROTO_SHORT_NAME);
 135         col_set_str(pinfo->cinfo, COL_INFO, PROTO_SHORT_NAME ":");
 136
 137
 138         if (tree) {
 139                 ti = proto_tree_add_item(tree, proto_erspan, tvb, offset, -1,
 140                     ENC_NA);
 141                 erspan_tree = proto_item_add_subtree(ti, ett_erspan);
 142         }
 143
 144         if(pref_fake_erspan) {
 145                 /* Some vendor don't include ERSPAN Header...*/
 146                 eth_tvb = tvb_new_subset_remaining(tvb, offset);
 147                 call_dissector(ethnofcs_handle, eth_tvb, pinfo, tree);
 148                 return;
 149         }
 150
 151
 152         version = tvb_get_ntohs(tvb, offset) >> 12;
 153         if (tree) {
 154                 ti_ver = proto_tree_add_item(erspan_tree, hf_erspan_version, tvb, offset, 2,
 155                         ENC_BIG_ENDIAN);
 156                 if ((version != 1) && (version != 2 )) {
 157                         expert_add_info(pinfo, ti_ver, &ei_erspan_version_unknown);
 158                         return;
 159                 }
 160                 proto_tree_add_item(erspan_tree, hf_erspan_vlan, tvb, offset, 2,
 161                         ENC_BIG_ENDIAN);
 162                 offset += 2;
 163
 164                 proto_tree_add_item(erspan_tree, hf_erspan_priority, tvb, offset, 2,
 165                         ENC_BIG_ENDIAN);
 166                 proto_tree_add_item(erspan_tree, hf_erspan_unknown2, tvb, offset, 2,
 167                         ENC_BIG_ENDIAN);
 168                 if (version == 1)
 169                         proto_tree_add_item(erspan_tree, hf_erspan_direction, tvb,
 170                                 offset, 2, ENC_BIG_ENDIAN);
 171                 else /* version = 2 */
 172                         proto_tree_add_item(erspan_tree, hf_erspan_unknown3, tvb,
 173                                 offset, 2, ENC_BIG_ENDIAN);
 174                 proto_tree_add_item(erspan_tree, hf_erspan_truncated, tvb, offset, 2,
 175                         ENC_BIG_ENDIAN);
 176                 proto_tree_add_item(erspan_tree, hf_erspan_spanid, tvb, offset, 2,
 177                         ENC_BIG_ENDIAN);
 178                 offset += 2;
 179
 180                 if (version == 2) {
 181                         proto_tree_add_item(erspan_tree, hf_erspan_timestamp, tvb,
 182                                 offset, 4, ENC_BIG_ENDIAN);
 183                         offset += 4;
 184
 185                         proto_tree_add_item(erspan_tree, hf_erspan_unknown4, tvb,
 186                                 offset, 2, ENC_NA);
 187                         offset += 2;
 188
 189                         proto_tree_add_item(erspan_tree, hf_erspan_direction2, tvb,
 190                                 offset, 2, ENC_BIG_ENDIAN);
 191                         proto_tree_add_item(erspan_tree, hf_erspan_unknown5, tvb,
 192                                 offset, 2, ENC_BIG_ENDIAN);
 193                         offset += 2;
 194
 195                         proto_tree_add_item(erspan_tree, hf_erspan_unknown6, tvb,
 196                                 offset, 4, ENC_NA);
 197                         offset += 4;
 198                 }
 199                 proto_tree_add_item(erspan_tree, hf_erspan_unknown7, tvb, offset, 4,
 200                         ENC_NA);
 201                 offset += 4;
 202         }
 203         else {
 204                 offset += 8;
 205                 if (version == 2)
 206                         offset += 12;
 207         }
 208
 209         eth_tvb = tvb_new_subset_remaining(tvb, offset);
 210         call_dissector(ethnofcs_handle, eth_tvb, pinfo, tree);
 211 }
 212
 213 void
 214 proto_register_erspan(void)
 215 {
 216         module_t *erspan_module;
 217         expert_module_t* expert_erspan;
 218
 219         static hf_register_info hf[] = {
 220
 221                 { &hf_erspan_version,
 222                 { "Version",    "erspan.version", FT_UINT16, BASE_DEC, VALS(erspan_version_vals),
 223                         0xf000, NULL, HFILL }},
 224
 225                 { &hf_erspan_vlan,
 226                 { "Vlan",       "erspan.vlan", FT_UINT16, BASE_DEC, NULL,
 227                         0x0fff, NULL, HFILL }},
 228
 229                 { &hf_erspan_priority,
 230                 { "Priority",   "erspan.priority", FT_UINT16, BASE_DEC, NULL,
 231                         0xe000, NULL, HFILL }},
 232
 233                 { &hf_erspan_unknown2,
 234                 { "Unknown2",   "erspan.unknown2", FT_UINT16, BASE_DEC, NULL,
 235                         0x1000, NULL, HFILL }},
 236
 237                 { &hf_erspan_direction,
 238                 { "Direction",  "erspan.direction", FT_UINT16, BASE_DEC, VALS(erspan_direction_vals),
 239                         0x0800, NULL, HFILL }},
 240
 241                 { &hf_erspan_unknown3,
 242                 { "Unknown3",   "erspan.unknown3", FT_UINT16, BASE_DEC, NULL,
 243                         0x0800, NULL, HFILL }},
 244
 245                 { &hf_erspan_truncated,
 246                 { "Truncated",  "erspan.truncated", FT_UINT16, BASE_DEC, VALS(erspan_truncated_vals),
 247                         0x0400, "ERSPAN packet exceeded the MTU size", HFILL }},
 248
 249                 { &hf_erspan_spanid,
 250                 { "SpanID",     "erspan.spanid", FT_UINT16, BASE_DEC, NULL,
 251                         0x03ff, NULL, HFILL }},
 252
 253                 { &hf_erspan_timestamp,
 254                 { "Timestamp",  "erspan.timestamp", FT_UINT32, BASE_CUSTOM, erspan_fmt_timestamp,
 255                         0, NULL, HFILL }},
 256
 257                 { &hf_erspan_unknown4,
 258                 { "Unknown4",   "erspan.unknown4", FT_BYTES, BASE_NONE, NULL,
 259                         0, NULL, HFILL }},
 260
 261                 { &hf_erspan_direction2,
 262                 { "Direction2", "erspan.direction2", FT_UINT16, BASE_DEC, VALS(erspan_direction_vals),
 263                         0x0008, NULL, HFILL }},
 264
 265                 { &hf_erspan_unknown5,
 266                 { "Unknown5",   "erspan.unknown5", FT_UINT16, BASE_HEX, NULL,
 267                         0xfff7, NULL, HFILL }},
 268
 269                 { &hf_erspan_unknown6,
 270                 { "Unknown6",   "erspan.unknown6", FT_BYTES, BASE_NONE, NULL,
 271                         0, NULL, HFILL }},
 272
 273                 { &hf_erspan_unknown7,
 274                 { "Unknown7",   "erspan.unknown7", FT_BYTES, BASE_NONE, NULL,
 275                         0, NULL, HFILL }},
 276
 277         };
 278
 279         static gint *ett[] = {
 280                 &ett_erspan,
 281         };
 282
 283         static ei_register_info ei[] = {
 284                 { &ei_erspan_version_unknown, { "erspan.version.unknown", PI_UNDECODED, PI_WARN, "Unknown version, please report or test to use fake ERSPAN preference", EXPFILL }},
 285         };
 286
 287         proto_erspan = proto_register_protocol(PROTO_LONG_NAME, PROTO_SHORT_NAME, "erspan");
 288         proto_register_field_array(proto_erspan, hf, array_length(hf));
 289         proto_register_subtree_array(ett, array_length(ett));
 290         expert_erspan = expert_register_protocol(proto_erspan);
 291         expert_register_field_array(expert_erspan, ei, array_length(ei));
 292
 293         /* register dissection preferences */
 294         erspan_module = prefs_register_protocol(proto_erspan, NULL);
 295
 296         prefs_register_bool_preference(erspan_module, "fake_erspan",
 297                                 "FORCE to decode fake ERSPAN frame",
 298                                 "When set, dissector will FORCE to decode directly Ethernet Frame"
 299                                 "Some vendor use fake ERSPAN frame (with not ERSPAN Header)",
 300                                 &pref_fake_erspan);
 301 }
 302
 303 void
 304 proto_reg_handoff_erspan(void)
 305 {
 306         dissector_handle_t erspan_handle;
 307
 308         ethnofcs_handle = find_dissector("eth_withoutfcs");
 309
 310         erspan_handle = create_dissector_handle(dissect_erspan, proto_erspan);
 311         dissector_add_uint("gre.proto", GRE_ERSPAN_88BE, erspan_handle);
 312         dissector_add_uint("gre.proto", GRE_ERSPAN_22EB, erspan_handle);
 313
 314 }
 315