3 * Top-most dissector. Decides dissector based on Wiretap Encapsulation Type.
5 * Wireshark - Network traffic analyzer
6 * By Gerald Combs <gerald@wireshark.org>
7 * Copyright 2000 Gerald Combs
9 * SPDX-License-Identifier: GPL-2.0-or-later
18 #include <epan/packet.h>
19 #include <epan/capture_dissectors.h>
20 #include <epan/epan.h>
21 #include <epan/exceptions.h>
22 #include <epan/show_exception.h>
23 #include <epan/timestamp.h>
24 #include <epan/prefs.h>
25 #include <epan/to_str.h>
26 #include <epan/sequence_analysis.h>
27 #include <wiretap/wtap.h>
29 #include <epan/expert.h>
30 #include <wsutil/wsgcrypt.h>
31 #include <wsutil/str_util.h>
32 #include <epan/proto_data.h>
33 #include <wmem/wmem.h>
35 #include "packet-frame.h"
36 #include "packet-icmp.h"
39 #include <epan/column-info.h>
40 #include <epan/color_filters.h>
42 void proto_register_frame(void);
43 void proto_reg_handoff_frame(void);
45 static int proto_frame = -1;
46 static int proto_pkt_comment = -1;
47 static int proto_syscall = -1;
49 static int hf_frame_arrival_time = -1;
50 static int hf_frame_shift_offset = -1;
51 static int hf_frame_arrival_time_epoch = -1;
52 static int hf_frame_time_delta = -1;
53 static int hf_frame_time_delta_displayed = -1;
54 static int hf_frame_time_relative = -1;
55 static int hf_frame_time_reference = -1;
56 static int hf_frame_number = -1;
57 static int hf_frame_len = -1;
58 static int hf_frame_capture_len = -1;
59 static int hf_frame_p2p_dir = -1;
60 static int hf_frame_file_off = -1;
61 static int hf_frame_md5_hash = -1;
62 static int hf_frame_marked = -1;
63 static int hf_frame_ignored = -1;
64 static int hf_link_number = -1;
65 static int hf_frame_protocols = -1;
66 static int hf_frame_color_filter_name = -1;
67 static int hf_frame_color_filter_text = -1;
68 static int hf_frame_interface_id = -1;
69 static int hf_frame_interface_name = -1;
70 static int hf_frame_interface_description = -1;
71 static int hf_frame_pack_flags = -1;
72 static int hf_frame_pack_direction = -1;
73 static int hf_frame_pack_reception_type = -1;
74 static int hf_frame_pack_fcs_length = -1;
75 static int hf_frame_pack_reserved = -1;
76 static int hf_frame_pack_crc_error = -1;
77 static int hf_frame_pack_wrong_packet_too_long_error = -1;
78 static int hf_frame_pack_wrong_packet_too_short_error = -1;
79 static int hf_frame_pack_wrong_inter_frame_gap_error = -1;
80 static int hf_frame_pack_unaligned_frame_error = -1;
81 static int hf_frame_pack_start_frame_delimiter_error = -1;
82 static int hf_frame_pack_preamble_error = -1;
83 static int hf_frame_pack_symbol_error = -1;
84 static int hf_frame_wtap_encap = -1;
85 static int hf_comments_text = -1;
87 static gint ett_frame = -1;
88 static gint ett_ifname = -1;
89 static gint ett_flags = -1;
90 static gint ett_comments = -1;
92 static expert_field ei_comments_text = EI_INIT;
93 static expert_field ei_arrive_time_out_of_range = EI_INIT;
94 static expert_field ei_incomplete = EI_INIT;
96 static int frame_tap = -1;
98 static dissector_handle_t docsis_handle;
99 static dissector_handle_t sysdig_handle;
102 static gboolean show_file_off = FALSE;
103 static gboolean force_docsis_encap = FALSE;
104 static gboolean generate_md5_hash = FALSE;
105 static gboolean generate_epoch_time = TRUE;
106 static gboolean generate_bits_field = TRUE;
107 static gboolean disable_packet_size_limited_in_summary = FALSE;
109 static const value_string p2p_dirs[] = {
110 { P2P_DIR_UNKNOWN, "Unknown" },
111 { P2P_DIR_SENT, "Sent" },
112 { P2P_DIR_RECV, "Received" },
116 #define PACKET_WORD_DIRECTION_MASK 0x00000003
117 #define PACKET_WORD_RECEPTION_TYPE_MASK 0x0000001C
118 #define PACKET_WORD_FCS_LENGTH_MASK 0x000001E0
119 #define PACKET_WORD_RESERVED_MASK 0x0000FE00
120 #define PACKET_WORD_CRC_ERR_MASK 0x01000000
121 #define PACKET_WORD_PACKET_TOO_LONG_ERR_MASK 0x02000000
122 #define PACKET_WORD_PACKET_TOO_SHORT_ERR_MASK 0x04000000
123 #define PACKET_WORD_WRONG_INTER_FRAME_GAP_ERR_MASK 0x08000000
124 #define PACKET_WORD_UNALIGNED_FRAME_ERR_MASK 0x10000000
125 #define PACKET_WORD_START_FRAME_DELIMITER_ERR_MASK 0x20000000
126 #define PACKET_WORD_PREAMBLE_ERR_MASK 0x40000000
127 #define PACKET_WORD_SYMBOL_ERR_MASK 0x80000000
129 static const value_string packet_word_directions[] = {
130 { 0x00, "Not available" },
132 { 0x02, "Outbound" },
133 { 0x03, "Undefined" },
137 static const value_string packet_word_reception_types[] = {
138 { 0x00, "Not specified" },
140 { 0x02, "Multicast" },
141 { 0x03, "Broadcast" },
142 { 0x04, "Promiscuous" },
143 { 0x05, "Undefined" },
144 { 0x06, "Undefined" },
145 { 0x07, "Undefined" },
149 static dissector_table_t wtap_encap_dissector_table;
150 static dissector_table_t wtap_fts_rec_dissector_table;
152 /****************************************************************************/
153 /* whenever a frame packet is seen by the tap listener */
154 /* Add a new frame into the graph */
156 frame_seq_analysis_packet( void *ptr, packet_info *pinfo, epan_dissect_t *edt _U_, const void *dummy _U_)
158 seq_analysis_info_t *sainfo = (seq_analysis_info_t *) ptr;
159 seq_analysis_item_t *sai = sequence_analysis_create_sai_with_addresses(pinfo, sainfo);
164 sai->frame_number = pinfo->num;
166 sequence_analysis_use_color_filter(pinfo, sai);
168 sai->port_src=pinfo->srcport;
169 sai->port_dst=pinfo->destport;
171 sequence_analysis_use_col_info_as_label_comment(pinfo, sai);
177 g_queue_push_tail(sainfo->items, sai);
183 * Routine used to register frame end routine. The routine should only
184 * be registered when the dissector is used in the frame, not in the
185 * proto_register_XXX function.
188 register_frame_end_routine(packet_info *pinfo, void (*func)(void))
190 pinfo->frame_end_routines = g_slist_append(pinfo->frame_end_routines, (gpointer)func);
193 typedef void (*void_func_t)(void);
196 call_frame_end_routine(gpointer routine)
198 void_func_t func = (void_func_t)routine;
203 dissect_frame(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, void* data)
205 proto_item *volatile ti = NULL, *comment_item;
206 guint cap_len = 0, frame_len = 0;
207 proto_tree *volatile tree;
208 proto_tree *comments_tree;
209 proto_tree *volatile fh_tree = NULL;
211 const gchar *cap_plurality, *frame_plurality;
212 frame_data_t *fr_data = (frame_data_t*)data;
213 const color_filter_t *color_filter;
217 DISSECTOR_ASSERT(fr_data);
219 switch (pinfo->rec->rec_type) {
221 case REC_TYPE_PACKET:
222 pinfo->current_proto = "Frame";
223 if (pinfo->rec->presence_flags & WTAP_HAS_PACK_FLAGS) {
224 if (pinfo->rec->rec_header.packet_header.pack_flags & 0x00000001)
225 pinfo->p2p_dir = P2P_DIR_RECV;
226 if (pinfo->rec->rec_header.packet_header.pack_flags & 0x00000002)
227 pinfo->p2p_dir = P2P_DIR_SENT;
231 * If the pseudo-header *and* the packet record both
232 * have direction information, the pseudo-header
233 * overrides the packet record.
235 if (pinfo->pseudo_header != NULL) {
236 switch (pinfo->rec->rec_header.packet_header.pkt_encap) {
238 case WTAP_ENCAP_WFLEET_HDLC:
239 case WTAP_ENCAP_CHDLC_WITH_PHDR:
240 case WTAP_ENCAP_PPP_WITH_PHDR:
241 case WTAP_ENCAP_SDLC:
242 case WTAP_ENCAP_BLUETOOTH_H4_WITH_PHDR:
243 pinfo->p2p_dir = pinfo->pseudo_header->p2p.sent ?
244 P2P_DIR_SENT : P2P_DIR_RECV;
247 case WTAP_ENCAP_BLUETOOTH_HCI:
248 pinfo->p2p_dir = pinfo->pseudo_header->bthci.sent ?
249 P2P_DIR_SENT : P2P_DIR_RECV;
252 case WTAP_ENCAP_LAPB:
253 case WTAP_ENCAP_FRELAY_WITH_PHDR:
255 (pinfo->pseudo_header->dte_dce.flags & FROM_DCE) ?
256 P2P_DIR_RECV : P2P_DIR_SENT;
259 case WTAP_ENCAP_ISDN:
260 case WTAP_ENCAP_V5_EF:
261 case WTAP_ENCAP_DPNSS:
262 case WTAP_ENCAP_BACNET_MS_TP_WITH_PHDR:
263 pinfo->p2p_dir = pinfo->pseudo_header->isdn.uton ?
264 P2P_DIR_SENT : P2P_DIR_RECV;
267 case WTAP_ENCAP_LINUX_LAPD:
268 pinfo->p2p_dir = (pinfo->pseudo_header->lapd.pkttype == 3 ||
269 pinfo->pseudo_header->lapd.pkttype == 4) ?
270 P2P_DIR_SENT : P2P_DIR_RECV;
273 case WTAP_ENCAP_MTP2_WITH_PHDR:
274 pinfo->p2p_dir = pinfo->pseudo_header->mtp2.sent ?
275 P2P_DIR_SENT : P2P_DIR_RECV;
276 pinfo->link_number = pinfo->pseudo_header->mtp2.link_number;
279 case WTAP_ENCAP_GSM_UM:
280 pinfo->p2p_dir = pinfo->pseudo_header->gsm_um.uplink ?
281 P2P_DIR_SENT : P2P_DIR_RECV;
287 case REC_TYPE_FT_SPECIFIC_EVENT:
288 pinfo->current_proto = "Event";
291 case REC_TYPE_FT_SPECIFIC_REPORT:
292 pinfo->current_proto = "Report";
295 case REC_TYPE_SYSCALL:
296 pinfo->current_proto = "System Call";
300 g_assert_not_reached();
304 if (fr_data->pkt_comment) {
305 item = proto_tree_add_item(tree, proto_pkt_comment, tvb, 0, 0, ENC_NA);
306 comments_tree = proto_item_add_subtree(item, ett_comments);
307 comment_item = proto_tree_add_string_format(comments_tree, hf_comments_text, tvb, 0, 0,
308 fr_data->pkt_comment, "%s",
309 fr_data->pkt_comment);
310 expert_add_info_format(pinfo, comment_item, &ei_comments_text,
311 "%s", fr_data->pkt_comment);
316 /* if FRAME is not referenced from any filters we don't need to worry about
317 generating any tree items. */
318 if (!proto_field_is_referenced(tree, proto_frame)) {
320 if (pinfo->presence_flags & PINFO_HAS_TS) {
321 if (pinfo->abs_ts.nsecs < 0 || pinfo->abs_ts.nsecs >= 1000000000)
322 expert_add_info(pinfo, NULL, &ei_arrive_time_out_of_range);
325 /* Put in frame header information. */
326 cap_len = tvb_captured_length(tvb);
327 frame_len = tvb_reported_length(tvb);
329 cap_plurality = plurality(cap_len, "", "s");
330 frame_plurality = plurality(frame_len, "", "s");
332 switch (pinfo->rec->rec_type) {
333 case REC_TYPE_PACKET:
334 ti = proto_tree_add_protocol_format(tree, proto_frame, tvb, 0, tvb_captured_length(tvb),
335 "Frame %u: %u byte%s on wire",
336 pinfo->num, frame_len, frame_plurality);
337 if (generate_bits_field)
338 proto_item_append_text(ti, " (%u bits)", frame_len * 8);
339 proto_item_append_text(ti, ", %u byte%s captured",
340 cap_len, cap_plurality);
341 if (generate_bits_field) {
342 proto_item_append_text(ti, " (%u bits)",
345 if (pinfo->rec->presence_flags & WTAP_HAS_INTERFACE_ID) {
346 proto_item_append_text(ti, " on interface %u",
347 pinfo->rec->rec_header.packet_header.interface_id);
349 if (pinfo->rec->presence_flags & WTAP_HAS_PACK_FLAGS) {
350 if (pinfo->rec->rec_header.packet_header.pack_flags & 0x00000001)
351 proto_item_append_text(ti, " (inbound)");
352 if (pinfo->rec->rec_header.packet_header.pack_flags & 0x00000002)
353 proto_item_append_text(ti, " (outbound)");
357 case REC_TYPE_FT_SPECIFIC_EVENT:
358 ti = proto_tree_add_protocol_format(tree, proto_frame, tvb, 0, tvb_captured_length(tvb),
359 "Event %u: %u byte%s on wire",
360 pinfo->num, frame_len, frame_plurality);
361 if (generate_bits_field)
362 proto_item_append_text(ti, " (%u bits)", frame_len * 8);
363 proto_item_append_text(ti, ", %u byte%s captured",
364 cap_len, cap_plurality);
365 if (generate_bits_field) {
366 proto_item_append_text(ti, " (%u bits)",
371 case REC_TYPE_FT_SPECIFIC_REPORT:
372 ti = proto_tree_add_protocol_format(tree, proto_frame, tvb, 0, tvb_captured_length(tvb),
373 "Report %u: %u byte%s on wire",
374 pinfo->num, frame_len, frame_plurality);
375 if (generate_bits_field)
376 proto_item_append_text(ti, " (%u bits)", frame_len * 8);
377 proto_item_append_text(ti, ", %u byte%s captured",
378 cap_len, cap_plurality);
379 if (generate_bits_field) {
380 proto_item_append_text(ti, " (%u bits)",
385 case REC_TYPE_SYSCALL:
387 * This gives us a top-of-tree "syscall" protocol
388 * with "frame" fields underneath. Should we create
389 * corresponding syscall.time, .time_epoch, etc
390 * fields and use them instead or would frame.*
393 ti = proto_tree_add_protocol_format(tree, proto_syscall, tvb, 0, tvb_captured_length(tvb),
394 "System Call %u: %u byte%s",
395 pinfo->num, frame_len, frame_plurality);
399 fh_tree = proto_item_add_subtree(ti, ett_frame);
401 if (pinfo->rec->presence_flags & WTAP_HAS_INTERFACE_ID &&
402 (proto_field_is_referenced(tree, hf_frame_interface_id) || proto_field_is_referenced(tree, hf_frame_interface_name) || proto_field_is_referenced(tree, hf_frame_interface_description))) {
403 const char *interface_name = epan_get_interface_name(pinfo->epan, pinfo->rec->rec_header.packet_header.interface_id);
404 const char *interface_description = epan_get_interface_description(pinfo->epan, pinfo->rec->rec_header.packet_header.interface_id);
408 if (interface_name) {
409 if_item = proto_tree_add_uint_format_value(fh_tree, hf_frame_interface_id, tvb, 0, 0,
410 pinfo->rec->rec_header.packet_header.interface_id, "%u (%s)",
411 pinfo->rec->rec_header.packet_header.interface_id, interface_name);
412 if_tree = proto_item_add_subtree(if_item, ett_ifname);
413 proto_tree_add_string(if_tree, hf_frame_interface_name, tvb, 0, 0, interface_name);
415 if_item = proto_tree_add_uint(fh_tree, hf_frame_interface_id, tvb, 0, 0, pinfo->rec->rec_header.packet_header.interface_id);
418 if (interface_description) {
419 if_tree = proto_item_add_subtree(if_item, ett_ifname);
420 proto_tree_add_string(if_tree, hf_frame_interface_description, tvb, 0, 0, interface_description);
424 if (pinfo->rec->presence_flags & WTAP_HAS_PACK_FLAGS) {
425 proto_tree *flags_tree;
426 proto_item *flags_item;
427 static const int * flags[] = {
428 &hf_frame_pack_direction,
429 &hf_frame_pack_reception_type,
430 &hf_frame_pack_fcs_length,
431 &hf_frame_pack_reserved,
432 &hf_frame_pack_crc_error,
433 &hf_frame_pack_wrong_packet_too_long_error,
434 &hf_frame_pack_wrong_packet_too_short_error,
435 &hf_frame_pack_wrong_inter_frame_gap_error,
436 &hf_frame_pack_unaligned_frame_error,
437 &hf_frame_pack_start_frame_delimiter_error,
438 &hf_frame_pack_preamble_error,
439 &hf_frame_pack_symbol_error,
443 flags_item = proto_tree_add_uint(fh_tree, hf_frame_pack_flags, tvb, 0, 0, pinfo->rec->rec_header.packet_header.pack_flags);
444 flags_tree = proto_item_add_subtree(flags_item, ett_flags);
445 proto_tree_add_bitmask_list_value(flags_tree, tvb, 0, 0, flags, pinfo->rec->rec_header.packet_header.pack_flags);
448 if (pinfo->rec->rec_type == REC_TYPE_PACKET)
449 proto_tree_add_int(fh_tree, hf_frame_wtap_encap, tvb, 0, 0, pinfo->rec->rec_header.packet_header.pkt_encap);
451 if (pinfo->presence_flags & PINFO_HAS_TS) {
452 proto_tree_add_time(fh_tree, hf_frame_arrival_time, tvb,
453 0, 0, &(pinfo->abs_ts));
454 if (pinfo->abs_ts.nsecs < 0 || pinfo->abs_ts.nsecs >= 1000000000) {
455 expert_add_info_format(pinfo, ti, &ei_arrive_time_out_of_range,
456 "Arrival Time: Fractional second %09ld is invalid,"
457 " the valid range is 0-1000000000",
458 (long) pinfo->abs_ts.nsecs);
460 item = proto_tree_add_time(fh_tree, hf_frame_shift_offset, tvb,
461 0, 0, &(pinfo->fd->shift_offset));
462 PROTO_ITEM_SET_GENERATED(item);
464 if (generate_epoch_time) {
465 proto_tree_add_time(fh_tree, hf_frame_arrival_time_epoch, tvb,
466 0, 0, &(pinfo->abs_ts));
469 if (proto_field_is_referenced(tree, hf_frame_time_delta)) {
472 frame_delta_abs_time(pinfo->epan, pinfo->fd, pinfo->num - 1, &del_cap_ts);
474 item = proto_tree_add_time(fh_tree, hf_frame_time_delta, tvb,
475 0, 0, &(del_cap_ts));
476 PROTO_ITEM_SET_GENERATED(item);
479 if (proto_field_is_referenced(tree, hf_frame_time_delta_displayed)) {
482 frame_delta_abs_time(pinfo->epan, pinfo->fd, pinfo->fd->prev_dis_num, &del_dis_ts);
484 item = proto_tree_add_time(fh_tree, hf_frame_time_delta_displayed, tvb,
485 0, 0, &(del_dis_ts));
486 PROTO_ITEM_SET_GENERATED(item);
489 item = proto_tree_add_time(fh_tree, hf_frame_time_relative, tvb,
490 0, 0, &(pinfo->rel_ts));
491 PROTO_ITEM_SET_GENERATED(item);
493 if (pinfo->fd->flags.ref_time) {
494 ti = proto_tree_add_item(fh_tree, hf_frame_time_reference, tvb, 0, 0, ENC_NA);
495 PROTO_ITEM_SET_GENERATED(ti);
499 proto_tree_add_uint(fh_tree, hf_frame_number, tvb,
502 proto_tree_add_uint_format(fh_tree, hf_frame_len, tvb,
503 0, 0, frame_len, "Frame Length: %u byte%s (%u bits)",
504 frame_len, frame_plurality, frame_len * 8);
506 proto_tree_add_uint_format(fh_tree, hf_frame_capture_len, tvb,
507 0, 0, cap_len, "Capture Length: %u byte%s (%u bits)",
508 cap_len, cap_plurality, cap_len * 8);
510 if (generate_md5_hash) {
512 guint8 digest[HASH_MD5_LENGTH];
513 const gchar *digest_string;
515 cp = tvb_get_ptr(tvb, 0, cap_len);
517 gcry_md_hash_buffer(GCRY_MD_MD5, digest, cp, cap_len);
518 digest_string = bytestring_to_str(wmem_packet_scope(), digest, HASH_MD5_LENGTH, '\0');
519 ti = proto_tree_add_string(fh_tree, hf_frame_md5_hash, tvb, 0, 0, digest_string);
520 PROTO_ITEM_SET_GENERATED(ti);
523 ti = proto_tree_add_boolean(fh_tree, hf_frame_marked, tvb, 0, 0,pinfo->fd->flags.marked);
524 PROTO_ITEM_SET_GENERATED(ti);
526 ti = proto_tree_add_boolean(fh_tree, hf_frame_ignored, tvb, 0, 0,pinfo->fd->flags.ignored);
527 PROTO_ITEM_SET_GENERATED(ti);
529 if (pinfo->rec->rec_type == REC_TYPE_PACKET) {
530 /* Check for existences of P2P pseudo header */
531 if (pinfo->p2p_dir != P2P_DIR_UNKNOWN) {
532 proto_tree_add_int(fh_tree, hf_frame_p2p_dir, tvb,
533 0, 0, pinfo->p2p_dir);
536 /* Check for existences of MTP2 link number */
537 if ((pinfo->pseudo_header != NULL) &&
538 (pinfo->rec->rec_header.packet_header.pkt_encap == WTAP_ENCAP_MTP2_WITH_PHDR)) {
539 proto_tree_add_uint(fh_tree, hf_link_number, tvb,
540 0, 0, pinfo->link_number);
545 proto_tree_add_int64_format_value(fh_tree, hf_frame_file_off, tvb,
546 0, 0, pinfo->fd->file_off,
547 "%" G_GINT64_MODIFIER "d (0x%" G_GINT64_MODIFIER "x)",
548 pinfo->fd->file_off, pinfo->fd->file_off);
552 if (pinfo->fd->flags.ignored) {
553 /* Ignored package, stop handling here */
554 col_set_str(pinfo->cinfo, COL_INFO, "<Ignored>");
555 proto_tree_add_boolean_format(tree, hf_frame_ignored, tvb, 0, 0, TRUE, "This frame is marked as ignored");
556 return tvb_captured_length(tvb);
559 /* Portable Exception Handling to trap Wireshark specific exceptions like BoundsError exceptions */
562 /* Win32: Visual-C Structured Exception Handling (SEH) to trap hardware exceptions
563 like memory access violations.
564 (a running debugger will be called before the except part below) */
565 /* Note: A Windows "exceptional exception" may leave the kazlib's (Portable Exception Handling)
566 stack in an inconsistent state thus causing a crash at some point in the
567 handling of the exception.
568 See: https://www.wireshark.org/lists/wireshark-dev/200704/msg00243.html
572 switch (pinfo->rec->rec_type) {
574 case REC_TYPE_PACKET:
575 if ((force_docsis_encap) && (docsis_handle)) {
576 call_dissector_with_data(docsis_handle,
577 tvb, pinfo, parent_tree,
578 (void *)pinfo->pseudo_header);
580 if (!dissector_try_uint_new(wtap_encap_dissector_table,
581 pinfo->rec->rec_header.packet_header.pkt_encap, tvb, pinfo,
583 (void *)pinfo->pseudo_header)) {
584 col_set_str(pinfo->cinfo, COL_PROTOCOL, "UNKNOWN");
585 col_add_fstr(pinfo->cinfo, COL_INFO, "WTAP_ENCAP = %d",
586 pinfo->rec->rec_header.packet_header.pkt_encap);
587 call_data_dissector(tvb, pinfo, parent_tree);
592 case REC_TYPE_FT_SPECIFIC_EVENT:
593 case REC_TYPE_FT_SPECIFIC_REPORT:
595 int file_type_subtype = WTAP_FILE_TYPE_SUBTYPE_UNKNOWN;
597 file_type_subtype = fr_data->file_type_subtype;
599 if (!dissector_try_uint(wtap_fts_rec_dissector_table, file_type_subtype,
600 tvb, pinfo, parent_tree)) {
601 col_set_str(pinfo->cinfo, COL_PROTOCOL, "UNKNOWN");
602 col_add_fstr(pinfo->cinfo, COL_INFO, "WTAP FT ST = %d",
604 call_data_dissector(tvb, pinfo, parent_tree);
609 case REC_TYPE_SYSCALL:
610 /* Sysdig is the only type we currently handle. */
612 call_dissector_with_data(sysdig_handle,
613 tvb, pinfo, parent_tree,
614 (void *)pinfo->pseudo_header);
619 } __except(EXCEPTION_EXECUTE_HANDLER /* handle all exceptions */) {
620 switch (GetExceptionCode()) {
621 case(STATUS_ACCESS_VIOLATION):
622 show_exception(tvb, pinfo, parent_tree, DissectorError,
623 "STATUS_ACCESS_VIOLATION: dissector accessed an invalid memory address");
625 case(STATUS_INTEGER_DIVIDE_BY_ZERO):
626 show_exception(tvb, pinfo, parent_tree, DissectorError,
627 "STATUS_INTEGER_DIVIDE_BY_ZERO: dissector tried an integer division by zero");
629 case(STATUS_STACK_OVERFLOW):
630 show_exception(tvb, pinfo, parent_tree, DissectorError,
631 "STATUS_STACK_OVERFLOW: dissector overflowed the stack (e.g. endless loop)");
632 /* XXX - this will have probably corrupted the stack,
633 which makes problems later in the exception code */
635 /* XXX - add other hardware exception codes as required */
637 show_exception(tvb, pinfo, parent_tree, DissectorError,
638 g_strdup_printf("dissector caused an unknown exception: 0x%x", GetExceptionCode()));
643 CATCH_BOUNDS_AND_DISSECTOR_ERRORS {
644 show_exception(tvb, pinfo, parent_tree, EXCEPT_CODE, GET_MESSAGE);
648 if (proto_field_is_referenced(tree, hf_frame_protocols)) {
649 wmem_strbuf_t *val = wmem_strbuf_sized_new(wmem_packet_scope(), 128, 0);
650 wmem_list_frame_t *frame;
651 /* skip the first entry, it's always the "frame" protocol */
652 frame = wmem_list_frame_next(wmem_list_head(pinfo->layers));
654 wmem_strbuf_append(val, proto_get_protocol_filter_name(GPOINTER_TO_UINT(wmem_list_frame_data(frame))));
655 frame = wmem_list_frame_next(frame);
658 wmem_strbuf_append_c(val, ':');
659 wmem_strbuf_append(val, proto_get_protocol_filter_name(GPOINTER_TO_UINT(wmem_list_frame_data(frame))));
660 frame = wmem_list_frame_next(frame);
662 ti = proto_tree_add_string(fh_tree, hf_frame_protocols, tvb, 0, 0, wmem_strbuf_get_str(val));
663 PROTO_ITEM_SET_GENERATED(ti);
666 /* Call postdissectors if we have any (while trying to avoid another
669 if (have_postdissector()) {
672 /* Win32: Visual-C Structured Exception Handling (SEH)
673 to trap hardware exceptions like memory access violations */
674 /* (a running debugger will be called before the except part below) */
675 /* Note: A Windows "exceptional exception" may leave the kazlib's (Portable Exception Handling)
676 stack in an inconsistent state thus causing a crash at some point in the
677 handling of the exception.
678 See: https://www.wireshark.org/lists/wireshark-dev/200704/msg00243.html
682 call_all_postdissectors(tvb, pinfo, parent_tree);
684 } __except(EXCEPTION_EXECUTE_HANDLER /* handle all exceptions */) {
685 switch (GetExceptionCode()) {
686 case(STATUS_ACCESS_VIOLATION):
687 show_exception(tvb, pinfo, parent_tree, DissectorError,
688 "STATUS_ACCESS_VIOLATION: dissector accessed an invalid memory address");
690 case(STATUS_INTEGER_DIVIDE_BY_ZERO):
691 show_exception(tvb, pinfo, parent_tree, DissectorError,
692 "STATUS_INTEGER_DIVIDE_BY_ZERO: dissector tried an integer division by zero");
694 case(STATUS_STACK_OVERFLOW):
695 show_exception(tvb, pinfo, parent_tree, DissectorError,
696 "STATUS_STACK_OVERFLOW: dissector overflowed the stack (e.g. endless loop)");
697 /* XXX - this will have probably corrupted the stack,
698 which makes problems later in the exception code */
700 /* XXX - add other hardware exception codes as required */
702 show_exception(tvb, pinfo, parent_tree, DissectorError,
703 g_strdup_printf("dissector caused an unknown exception: 0x%x", GetExceptionCode()));
708 CATCH_BOUNDS_AND_DISSECTOR_ERRORS {
709 show_exception(tvb, pinfo, parent_tree, EXCEPT_CODE, GET_MESSAGE);
714 /* Attempt to (re-)calculate color filters (if any). */
715 if (pinfo->fd->flags.need_colorize) {
716 color_filter = color_filters_colorize_packet(fr_data->color_edt);
717 pinfo->fd->color_filter = color_filter;
718 pinfo->fd->flags.need_colorize = 0;
720 color_filter = pinfo->fd->color_filter;
723 item = proto_tree_add_string(fh_tree, hf_frame_color_filter_name, tvb,
724 0, 0, color_filter->filter_name);
725 PROTO_ITEM_SET_GENERATED(item);
726 item = proto_tree_add_string(fh_tree, hf_frame_color_filter_text, tvb,
727 0, 0, color_filter->filter_text);
728 PROTO_ITEM_SET_GENERATED(item);
731 tap_queue_packet(frame_tap, pinfo, NULL);
734 if (pinfo->frame_end_routines) {
735 g_slist_free_full(pinfo->frame_end_routines, &call_frame_end_routine);
736 pinfo->frame_end_routines = NULL;
739 if (prefs.enable_incomplete_dissectors_check && tree && tree->tree_data->visible) {
746 length = tvb_captured_length(tvb);
747 decoded = proto_find_undecoded_data(tree, length);
749 for (i = 0; i < length; i++) {
752 if (!(decoded[byte] & (1 << bit))) {
753 field_info* fi = proto_find_field_from_offset(tree, i, tvb);
754 if (fi && fi->hfinfo->id != proto_frame) {
755 if (prefs.incomplete_dissectors_check_debug)
756 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_WARNING,
757 "Dissector %s incomplete in frame %u: undecoded byte number %u "
759 (fi ? fi->hfinfo->abbrev : "[unknown]"),
760 pinfo->num, i, i - i % 16, i % 16);
761 proto_tree_add_expert_format(tree, pinfo, &ei_incomplete, tvb, i, 1, "Undecoded byte number: %u (0x%.4X+%u)", i, i - i % 16, i % 16);
767 return tvb_captured_length(tvb);
771 proto_register_frame(void)
773 static hf_register_info hf[] = {
774 { &hf_frame_arrival_time,
775 { "Arrival Time", "frame.time",
776 FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL, NULL, 0x0,
777 "Absolute time when this frame was captured", HFILL }},
779 { &hf_frame_shift_offset,
780 { "Time shift for this packet", "frame.offset_shift",
781 FT_RELATIVE_TIME, BASE_NONE, NULL, 0x0,
782 "Time shift applied to this packet", HFILL }},
784 { &hf_frame_arrival_time_epoch,
785 { "Epoch Time", "frame.time_epoch",
786 FT_RELATIVE_TIME, BASE_NONE, NULL, 0x0,
787 "Epoch time when this frame was captured", HFILL }},
789 { &hf_frame_time_delta,
790 { "Time delta from previous captured frame", "frame.time_delta",
791 FT_RELATIVE_TIME, BASE_NONE, NULL, 0x0,
794 { &hf_frame_time_delta_displayed,
795 { "Time delta from previous displayed frame", "frame.time_delta_displayed",
796 FT_RELATIVE_TIME, BASE_NONE, NULL, 0x0,
799 { &hf_frame_time_relative,
800 { "Time since reference or first frame", "frame.time_relative",
801 FT_RELATIVE_TIME, BASE_NONE, NULL, 0x0,
802 "Time relative to time reference or first frame", HFILL }},
804 { &hf_frame_time_reference,
805 { "This is a Time Reference frame", "frame.ref_time",
806 FT_NONE, BASE_NONE, NULL, 0x0,
807 "This frame is a Time Reference frame", HFILL }},
810 { "Frame Number", "frame.number",
811 FT_UINT32, BASE_DEC, NULL, 0x0,
815 { "Frame length on the wire", "frame.len",
816 FT_UINT32, BASE_DEC, NULL, 0x0,
819 { &hf_frame_capture_len,
820 { "Frame length stored into the capture file", "frame.cap_len",
821 FT_UINT32, BASE_DEC, NULL, 0x0,
824 { &hf_frame_md5_hash,
825 { "Frame MD5 Hash", "frame.md5_hash",
826 FT_STRING, BASE_NONE, NULL, 0x0,
830 { "Point-to-Point Direction", "frame.p2p_dir",
831 FT_INT8, BASE_DEC, VALS(p2p_dirs), 0x0,
835 { "Link Number", "frame.link_nr",
836 FT_UINT16, BASE_DEC, NULL, 0x0,
839 { &hf_frame_file_off,
840 { "File Offset", "frame.file_off",
841 FT_INT64, BASE_DEC, NULL, 0x0,
845 { "Frame is marked", "frame.marked",
846 FT_BOOLEAN, BASE_NONE, NULL, 0x0,
847 "Frame is marked in the GUI", HFILL }},
850 { "Frame is ignored", "frame.ignored",
851 FT_BOOLEAN, BASE_NONE, NULL, 0x0,
852 "Frame is ignored by the dissectors", HFILL }},
854 { &hf_frame_protocols,
855 { "Protocols in frame", "frame.protocols",
856 FT_STRING, BASE_NONE, NULL, 0x0,
857 "Protocols carried by this frame", HFILL }},
859 { &hf_frame_color_filter_name,
860 { "Coloring Rule Name", "frame.coloring_rule.name",
861 FT_STRING, BASE_NONE, NULL, 0x0,
862 "The frame matched the coloring rule with this name", HFILL }},
864 { &hf_frame_color_filter_text,
865 { "Coloring Rule String", "frame.coloring_rule.string",
866 FT_STRING, BASE_NONE, NULL, 0x0,
867 "The frame matched this coloring rule string", HFILL }},
869 { &hf_frame_interface_id,
870 { "Interface id", "frame.interface_id",
871 FT_UINT32, BASE_DEC, NULL, 0x0,
874 { &hf_frame_interface_name,
875 { "Interface name", "frame.interface_name",
876 FT_STRING, BASE_NONE, NULL, 0x0,
877 "The friendly name for this interface", HFILL }},
879 { &hf_frame_interface_description,
880 { "Interface description", "frame.interface_description",
881 FT_STRING, BASE_NONE, NULL, 0x0,
882 "The descriptionfor this interface", HFILL }},
884 { &hf_frame_pack_flags,
885 { "Packet flags", "frame.packet_flags",
886 FT_UINT32, BASE_HEX, NULL, 0x0,
889 { &hf_frame_pack_direction,
890 { "Direction", "frame.packet_flags_direction",
891 FT_UINT32, BASE_HEX, VALS(packet_word_directions), PACKET_WORD_DIRECTION_MASK,
894 { &hf_frame_pack_reception_type,
895 { "Reception type", "frame.packet_flags_reception_type",
896 FT_UINT32, BASE_DEC, VALS(packet_word_reception_types), PACKET_WORD_RECEPTION_TYPE_MASK,
899 { &hf_frame_pack_fcs_length,
900 { "FCS length", "frame.packet_flags_fcs_length",
901 FT_UINT32, BASE_DEC, NULL, PACKET_WORD_FCS_LENGTH_MASK,
904 { &hf_frame_pack_reserved,
905 { "Reserved", "frame.packet_flags_reserved",
906 FT_UINT32, BASE_DEC, NULL, PACKET_WORD_RESERVED_MASK,
909 { &hf_frame_pack_crc_error,
910 { "CRC error", "frame.packet_flags_crc_error",
911 FT_BOOLEAN, 32, TFS(&tfs_set_notset), PACKET_WORD_CRC_ERR_MASK,
914 { &hf_frame_pack_wrong_packet_too_long_error,
915 { "Packet too long error", "frame.packet_flags_packet_too_error",
916 FT_BOOLEAN, 32, TFS(&tfs_set_notset), PACKET_WORD_PACKET_TOO_LONG_ERR_MASK,
919 { &hf_frame_pack_wrong_packet_too_short_error,
920 { "Packet too short error", "frame.packet_flags_packet_too_short_error",
921 FT_BOOLEAN, 32, TFS(&tfs_set_notset), PACKET_WORD_PACKET_TOO_SHORT_ERR_MASK,
924 { &hf_frame_pack_wrong_inter_frame_gap_error,
925 { "Wrong interframe gap error", "frame.packet_flags_wrong_inter_frame_gap_error",
926 FT_BOOLEAN, 32, TFS(&tfs_set_notset), PACKET_WORD_WRONG_INTER_FRAME_GAP_ERR_MASK,
929 { &hf_frame_pack_unaligned_frame_error,
930 { "Unaligned frame error", "frame.packet_flags_unaligned_frame_error",
931 FT_BOOLEAN, 32, TFS(&tfs_set_notset), PACKET_WORD_UNALIGNED_FRAME_ERR_MASK,
934 { &hf_frame_pack_start_frame_delimiter_error,
935 { "Start frame delimiter error", "frame.packet_flags_start_frame_delimiter_error",
936 FT_BOOLEAN, 32, TFS(&tfs_set_notset), PACKET_WORD_START_FRAME_DELIMITER_ERR_MASK,
939 { &hf_frame_pack_preamble_error,
940 { "Preamble error", "frame.packet_flags_preamble_error",
941 FT_BOOLEAN, 32, TFS(&tfs_set_notset), PACKET_WORD_PREAMBLE_ERR_MASK,
944 { &hf_frame_pack_symbol_error,
945 { "Symbol error", "frame.packet_flags_symbol_error",
946 FT_BOOLEAN, 32, TFS(&tfs_set_notset), PACKET_WORD_SYMBOL_ERR_MASK,
950 { "Comment", "frame.comment",
951 FT_STRING, BASE_NONE, NULL, 0x0,
955 static hf_register_info hf_encap =
956 { &hf_frame_wtap_encap,
957 { "Encapsulation type", "frame.encap_type",
958 FT_INT16, BASE_DEC, NULL, 0x0,
961 static gint *ett[] = {
968 static ei_register_info ei[] = {
969 { &ei_comments_text, { "frame.comment.expert", PI_COMMENTS_GROUP, PI_COMMENT, "Formatted comment", EXPFILL }},
970 { &ei_arrive_time_out_of_range, { "frame.time_invalid", PI_SEQUENCE, PI_NOTE, "Arrival Time: Fractional second out of range (0-1000000000)", EXPFILL }},
971 { &ei_incomplete, { "frame.incomplete", PI_UNDECODED, PI_NOTE, "Incomplete dissector", EXPFILL }}
974 module_t *frame_module;
975 expert_module_t* expert_frame;
977 if (hf_encap.hfinfo.strings == NULL) {
978 int encap_count = wtap_get_num_encap_types();
982 hf_encap.hfinfo.strings = arr = wmem_alloc_array(wmem_epan_scope(), value_string, encap_count+1);
984 for (i = 0; i < encap_count; i++) {
986 arr[i].strptr = wtap_encap_string(i);
988 arr[encap_count].value = 0;
989 arr[encap_count].strptr = NULL;
992 proto_frame = proto_register_protocol("Frame", "Frame", "frame");
993 proto_pkt_comment = proto_register_protocol_in_name_only("Packet comments", "Pkt_Comment", "pkt_comment", proto_frame, FT_PROTOCOL);
994 proto_syscall = proto_register_protocol("System Call", "Syscall", "syscall");
996 proto_register_field_array(proto_frame, hf, array_length(hf));
997 proto_register_field_array(proto_frame, &hf_encap, 1);
998 proto_register_subtree_array(ett, array_length(ett));
999 expert_frame = expert_register_protocol(proto_frame);
1000 expert_register_field_array(expert_frame, ei, array_length(ei));
1001 register_dissector("frame",dissect_frame,proto_frame);
1003 wtap_encap_dissector_table = register_dissector_table("wtap_encap",
1004 "Wiretap encapsulation type", proto_frame, FT_UINT32, BASE_DEC);
1005 wtap_fts_rec_dissector_table = register_dissector_table("wtap_fts_rec",
1006 "Wiretap file type for file-type-specific records", proto_frame, FT_UINT32, BASE_DEC);
1007 register_capture_dissector_table("wtap_encap", "Wiretap encapsulation type");
1009 /* You can't disable dissection of "Frame", as that would be
1010 tantamount to not doing any dissection whatsoever. */
1011 proto_set_cant_toggle(proto_frame);
1013 register_seq_analysis("any", "All Flows", proto_frame, NULL, TL_REQUIRES_COLUMNS, frame_seq_analysis_packet);
1015 /* Our preferences */
1016 frame_module = prefs_register_protocol(proto_frame, NULL);
1017 prefs_register_bool_preference(frame_module, "show_file_off",
1018 "Show File Offset", "Show offset of frame in capture file", &show_file_off);
1019 prefs_register_bool_preference(frame_module, "force_docsis_encap",
1020 "Treat all frames as DOCSIS frames", "Treat all frames as DOCSIS Frames", &force_docsis_encap);
1021 prefs_register_bool_preference(frame_module, "generate_md5_hash",
1022 "Generate an MD5 hash of each frame",
1023 "Whether or not MD5 hashes should be generated for each frame, useful for finding duplicate frames.",
1024 &generate_md5_hash);
1025 prefs_register_bool_preference(frame_module, "generate_epoch_time",
1026 "Generate an epoch time entry for each frame",
1027 "Whether or not an Epoch time entry should be generated for each frame.",
1028 &generate_epoch_time);
1029 prefs_register_bool_preference(frame_module, "generate_bits_field",
1030 "Show the number of bits in the frame",
1031 "Whether or not the number of bits in the frame should be shown.",
1032 &generate_bits_field);
1033 prefs_register_bool_preference(frame_module, "disable_packet_size_limited_in_summary",
1034 "Disable 'packet size limited during capture' message in summary",
1035 "Whether or not 'packet size limited during capture' message in shown in Info column.",
1036 &disable_packet_size_limited_in_summary);
1038 frame_tap=register_tap("frame");
1042 proto_reg_handoff_frame(void)
1044 docsis_handle = find_dissector_add_dependency("docsis", proto_frame);
1045 sysdig_handle = find_dissector_add_dependency("sysdig", proto_frame);
1049 * Editor modelines - http://www.wireshark.org/tools/modelines.html
1054 * indent-tabs-mode: t
1057 * vi: set shiftwidth=8 tabstop=8 noexpandtab:
1058 * :indentSize=8:tabSize=8:noTabs=false: