2 * Routines for processing Ethernet payloads and payloads like Ethernet
3 * payloads (i.e., payloads when there could be an Ethernet trailer and
8 * Gilbert Ramirez <gram@alumni.rice.edu>
10 * Wireshark - Network traffic analyzer
11 * By Gerald Combs <gerald@wireshark.org>
12 * Copyright 1998 Gerald Combs
14 * This program is free software; you can redistribute it and/or
15 * modify it under the terms of the GNU General Public License
16 * as published by the Free Software Foundation; either version 2
17 * of the License, or (at your option) any later version.
19 * This program is distributed in the hope that it will be useful,
20 * but WITHOUT ANY WARRANTY; without even the implied warranty of
21 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22 * GNU General Public License for more details.
24 * You should have received a copy of the GNU General Public License
25 * along with this program; if not, write to the Free Software
26 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
34 #include <epan/packet.h>
35 #include "packet-eth.h"
36 #include "packet-frame.h"
37 #include "packet-ip.h"
38 #include "packet-ipv6.h"
39 #include "packet-ipx.h"
40 #include "packet-vlan.h"
41 #include "packet-ieee8021ah.h"
42 #include "packet-vines.h"
43 #include <epan/etypes.h>
44 #include <epan/ppptypes.h>
46 static dissector_table_t ethertype_dissector_table;
48 static dissector_handle_t data_handle;
50 const value_string etype_vals[] = {
51 { ETHERTYPE_IP, "IP" },
52 { ETHERTYPE_IPv6, "IPv6" },
53 { ETHERTYPE_VLAN, "802.1Q Virtual LAN" },
54 { ETHERTYPE_ARP, "ARP" },
55 { ETHERTYPE_WLCCP, "Cisco Wireless Lan Context Control Protocol" },
56 { ETHERTYPE_CENTRINO_PROMISC, "IEEE 802.11 (Centrino promiscuous)" },
57 { ETHERTYPE_XNS_IDP, "XNS Internet Datagram Protocol" },
58 { ETHERTYPE_X25L3, "X.25 Layer 3" },
59 { ETHERTYPE_WOL, "Wake on LAN" },
60 { ETHERTYPE_WMX_M2M, "WiMax Mac-to-Mac" },
61 { ETHERTYPE_EPL_V1, "EPL_V1" },
62 { ETHERTYPE_REVARP, "RARP" },
63 { ETHERTYPE_DEC_LB, "DEC LanBridge" },
64 { ETHERTYPE_ATALK, "Appletalk" },
65 { ETHERTYPE_SNA, "SNA-over-Ethernet" },
66 { ETHERTYPE_DLR, "EtherNet/IP Device Level Ring" },
67 { ETHERTYPE_AARP, "AARP" },
68 { ETHERTYPE_IPX, "Netware IPX/SPX" },
69 { ETHERTYPE_VINES_IP, "Vines IP" },
70 { ETHERTYPE_VINES_ECHO, "Vines Echo" },
71 { ETHERTYPE_TRAIN, "Netmon Train" },
72 /* Ethernet Loopback */
73 { ETHERTYPE_LOOP, "Loopback" },
74 { ETHERTYPE_FOUNDRY, "Foundry proprietary" },
75 { ETHERTYPE_WCP, "Wellfleet Compression Protocol" },
76 { ETHERTYPE_STP, "Spanning Tree Protocol" },
77 /* for ISMP, see RFC 2641, RFC 2642, RFC 2643 */
78 { ETHERTYPE_ISMP, "Cabletron Interswitch Message Protocol" },
79 { ETHERTYPE_ISMP_TBFLOOD, "Cabletron SFVLAN 1.8 Tag-Based Flood" },
80 /* In www.iana.org/assignments/ethernet-numbers, 8203-8205 description is
81 * Quantum Software. Now the company is called QNX Software Systems. */
82 { ETHERTYPE_QNX_QNET6, "QNX 6 QNET protocol" },
83 { ETHERTYPE_PPPOED, "PPPoE Discovery" },
84 { ETHERTYPE_PPPOES, "PPPoE Session" },
85 { ETHERTYPE_INTEL_ANS, "Intel ANS probe" },
86 { ETHERTYPE_MS_NLB_HEARTBEAT, "MS NLB heartbeat" },
87 { ETHERTYPE_HOMEPLUG, "Homeplug" },
88 { ETHERTYPE_IEEE_802_1AD, "802.1ad Provider Bridge (Q-in-Q)" },
89 { ETHERTYPE_IEEE_802_1AH, "802.1ah Provider Backbone Bridge (mac-in-mac)" },
90 { ETHERTYPE_EAPOL, "802.1X Authentication" },
91 { ETHERTYPE_RSN_PREAUTH, "802.11i Pre-Authentication" },
92 { ETHERTYPE_MPLS, "MPLS label switched packet" },
93 { ETHERTYPE_MPLS_MULTI, "MPLS multicast label switched packet" },
94 { ETHERTYPE_3C_NBP_DGRAM, "3Com NBP Datagram" },
95 { ETHERTYPE_DEC, "DEC proto" },
96 { ETHERTYPE_DNA_DL, "DEC DNA Dump/Load" },
97 { ETHERTYPE_DNA_RC, "DEC DNA Remote Console" },
98 { ETHERTYPE_DNA_RT, "DEC DNA Routing" },
99 { ETHERTYPE_LAT, "DEC LAT" },
100 { ETHERTYPE_DEC_DIAG, "DEC Diagnostics" },
101 { ETHERTYPE_DEC_CUST, "DEC Customer use" },
102 { ETHERTYPE_DEC_SCA, "DEC LAVC/SCA" },
103 { ETHERTYPE_DEC_LAST, "DEC LAST" },
104 { ETHERTYPE_ETHBRIDGE, "Transparent Ethernet bridging" },
105 { ETHERTYPE_CGMP, "Cisco Group Management Protocol" },
106 { ETHERTYPE_MSRP, "802.1Qat Multiple Stream Reservation Protocol" },
107 { ETHERTYPE_AVBTP, "IEEE 1722 Audio Video Bridging Transport Protocol" },
108 { ETHERTYPE_GIGAMON, "Gigamon Header" },
109 { ETHERTYPE_MAC_CONTROL, "MAC Control" },
110 { ETHERTYPE_SLOW_PROTOCOLS, "Slow Protocols" },
111 { ETHERTYPE_RTMAC, "Real-Time Media Access Control" },
112 { ETHERTYPE_RTCFG, "Real-Time Configuration Protocol" },
113 { ETHERTYPE_CDMA2000_A10_UBS, "CDMA2000 A10 Unstructured byte stream" },
114 { ETHERTYPE_PROFINET, "PROFINET"},
115 { ETHERTYPE_AOE, "ATA over Ethernet" },
116 { ETHERTYPE_ECATF, "EtherCAT frame" },
117 { ETHERTYPE_TELKONET, "Telkonet powerline" },
118 { ETHERTYPE_EPL_V2, "ETHERNET Powerlink v2" },
119 { ETHERTYPE_XIMETA, "XiMeta Technology" },
120 { ETHERTYPE_CSM_ENCAPS, "CSM_ENCAPS Protocol" },
121 { ETHERTYPE_IEEE802_OUI_EXTENDED, "IEEE 802a OUI Extended Ethertype" },
122 { ETHERTYPE_IEC61850_GOOSE, "IEC 61850/GOOSE" },
123 { ETHERTYPE_IEC61850_GSE, "IEC 61850/GSE management services" },
124 { ETHERTYPE_IEC61850_SV, "IEC 61850/SV (Sampled Value Transmission" },
125 { ETHERTYPE_TIPC, "Transparent Inter Process Communication" },
126 { ETHERTYPE_LLDP, "802.1 Link Layer Discovery Protocol (LLDP)" },
127 { ETHERTYPE_3GPP2, "CDMA2000 A10 3GPP2 Packet" },
128 { ETHERTYPE_TTE_PCF, "TTEthernet Protocol Control Frame" },
129 { ETHERTYPE_LLTD, "Link Layer Topology Discovery (LLTD)" },
130 { ETHERTYPE_WSMP, "(WAVE) Short Message Protocol (WSM)" },
131 { ETHERTYPE_VMLAB, "VMware Lab Manager" },
132 { ETHERTYPE_COBRANET, "Cirrus Cobranet Packet" },
133 { ETHERTYPE_NSRP, "Juniper Netscreen Redundant Protocol" },
135 * NDISWAN on Windows translates Ethernet frames from higher-level
136 * protocols into PPP frames to hand to the PPP driver, and translates
137 * PPP frames from the PPP driver to hand to the higher-level protocols.
139 * Apparently the PPP driver, on at least some versions of Windows,
140 * passes frames for internal-to-PPP protocols up through NDISWAN;
141 * the protocol type field appears to be passed through unchanged
142 * (unlike what's done with, for example, the protocol type field
143 * for IP, which is mapped from its PPP value to its Ethernet value).
145 * This means that we may see, on Ethernet captures, frames for
146 * protocols internal to PPP, so we list as "Ethernet" protocol
147 * types the PPP protocol types we've seen.
149 { PPP_IPCP, "PPP IP Control Protocol" },
150 { PPP_LCP, "PPP Link Control Protocol" },
151 { PPP_PAP, "PPP Password Authentication Protocol" },
152 { PPP_CCP, "PPP Compression Control Protocol" },
153 { ETHERTYPE_LLT, "Veritas Low Latency Transport (not officially registered)" },
154 { ETHERTYPE_CFM, "IEEE 802.1ag Connectivity Fault Management (CFM) protocol" },
155 { ETHERTYPE_FCOE, "Fibre Channel over Ethernet" },
156 { ETHERTYPE_FIP, "FCoE Initialization Protocol" },
157 { ETHERTYPE_PTP, "PTPv2 over Ethernet (IEEE1588)" },
158 { ETHERTYPE_PRP, "Parallel Redundancy Protocol (IEC62439 Chapter 6)" },
159 { ETHERTYPE_FLIP, "Flow Layer Internal Protocol" },
160 { ETHERTYPE_ROCE, "RDMA over Converged Ethernet" },
161 { ETHERTYPE_TDMOE, "Digium TDM over Ethernet Protocol" },
162 { ETHERTYPE_WAI, "WAI Authentication Protocol" },
166 static void add_dix_trailer(packet_info *pinfo, proto_tree *tree, proto_tree *fh_tree,
167 int trailer_id, tvbuff_t *tvb, tvbuff_t *next_tvb, int offset_after_etype,
168 guint length_before, gint fcs_len);
171 capture_ethertype(guint16 etype, const guchar *pd, int offset, int len,
179 capture_ip(pd, offset, len, ld);
182 capture_ipv6(pd, offset, len, ld);
188 capture_vlan(pd, offset, len, ld);
190 case ETHERTYPE_IEEE_802_1AD:
191 case ETHERTYPE_IEEE_802_1AH:
192 capture_ieee8021ah(pd, offset, len, ld);
194 case ETHERTYPE_VINES_IP:
195 case ETHERTYPE_VINES_ECHO:
205 ethertype(guint16 etype, tvbuff_t *tvb, int offset_after_etype,
206 packet_info *pinfo, proto_tree *tree, proto_tree *fh_tree,
207 int etype_id, int trailer_id, int fcs_len)
209 const char *description;
210 tvbuff_t *volatile next_tvb;
212 gint captured_length, reported_length;
213 volatile gboolean dissector_found = FALSE;
214 const char *volatile saved_proto;
217 /* Add the Ethernet type to the protocol tree */
219 proto_tree_add_uint(fh_tree, etype_id, tvb,
220 offset_after_etype - 2, 2, etype);
223 /* Get the captured length and reported length of the data
224 after the Ethernet type. */
225 captured_length = tvb_length_remaining(tvb, offset_after_etype);
226 reported_length = tvb_reported_length_remaining(tvb,
229 /* Remember how much data there is after the Ethernet type,
230 including any trailer and FCS. */
231 length_before = reported_length;
233 /* Construct a tvbuff for the payload after the Ethernet type.
234 If the FCS length is positive, remove the FCS.
235 (If it's zero, there's no FCS; if it's negative,
236 we don't know whether there's an FCS, so we'll
237 guess based on the length of the trailer.) */
239 if (captured_length >= 0 && reported_length >= 0) {
240 if (reported_length >= fcs_len)
241 reported_length -= fcs_len;
242 if (captured_length > reported_length)
243 captured_length = reported_length;
246 next_tvb = tvb_new_subset(tvb, offset_after_etype, captured_length,
249 pinfo->ethertype = etype;
251 /* Look for sub-dissector, and call it if found.
252 Catch exceptions, so that if the reported length of "next_tvb"
253 was reduced by some dissector before an exception was thrown,
254 we can still put in an item for the trailer. */
255 saved_proto = pinfo->current_proto;
256 pd_save = pinfo->private_data;
258 dissector_found = dissector_try_port(ethertype_dissector_table,
259 etype, next_tvb, pinfo, tree);
262 /* Somebody threw BoundsError, which means that:
264 1) a dissector was found, so we don't need to
265 dissect the payload as data or update the
266 protocol or info columns;
268 2) dissecting the payload found that the packet was
269 cut off by a snapshot length before the end of
270 the payload. The trailer comes after the payload,
271 so *all* of the trailer is cut off, and we'll
272 just get another BoundsError if we add the trailer.
274 Therefore, we just rethrow the exception so it gets
275 reported; we don't dissect the trailer or do anything
279 CATCH(OutOfMemoryError) {
283 /* Somebody threw an exception other than BoundsError, which
284 means that a dissector was found, so we don't need to
285 dissect the payload as data or update the protocol or info
286 columns. We just show the exception and then drive on
287 to show the trailer, after noting that a dissector was
288 found and restoring the protocol value that was in effect
289 before we called the subdissector. */
290 show_exception(next_tvb, pinfo, tree, EXCEPT_CODE, GET_MESSAGE);
292 /* Restore the private_data structure in case one of the
293 * called dissectors modified it (and, due to the exception,
294 * was unable to restore it).
296 pinfo->private_data = pd_save;
297 dissector_found = TRUE;
298 pinfo->current_proto = saved_proto;
302 if (!dissector_found) {
303 /* No sub-dissector found.
304 Label rest of packet as "Data" */
305 call_dissector(data_handle,next_tvb, pinfo, tree);
308 col_add_fstr(pinfo->cinfo, COL_PROTOCOL, "0x%04x", etype);
310 description = match_strval(etype, etype_vals);
312 col_add_str(pinfo->cinfo, COL_INFO, description);
316 add_dix_trailer(pinfo, tree, fh_tree, trailer_id, tvb, next_tvb, offset_after_etype,
317 length_before, fcs_len);
321 add_dix_trailer(packet_info *pinfo, proto_tree *tree, proto_tree *fh_tree, int trailer_id,
322 tvbuff_t *tvb, tvbuff_t *next_tvb, int offset_after_etype,
323 guint length_before, gint fcs_len)
326 tvbuff_t *trailer_tvb;
329 return; /* we're not building a protocol tree */
331 /* OK, how much is there in that tvbuff now? */
332 length = tvb_reported_length(next_tvb);
334 /* If there's less than there was before, what's left is
336 if (length < length_before) {
338 * Is any of the padding present in the tvbuff?
340 if (tvb_offset_exists(tvb, offset_after_etype + length)) {
342 * Yes - create a tvbuff for the padding.
344 trailer_tvb = tvb_new_subset_remaining(tvb,
345 offset_after_etype + length);
348 * No - don't bother showing the trailer.
349 * XXX - show a Short Frame indication?
354 trailer_tvb = NULL; /* no trailer */
356 add_ethernet_trailer(pinfo, tree, fh_tree, trailer_id, tvb, trailer_tvb, fcs_len);
360 proto_register_ethertype(void)
362 /* subdissector code */
363 ethertype_dissector_table = register_dissector_table("ethertype",
364 "Ethertype", FT_UINT16, BASE_HEX);
368 proto_reg_handoff_ethertype(void)
370 data_handle = find_dissector("data");