2 * Routines for disassembly of packets from Linux "cooked mode" captures
6 * Wireshark - Network traffic analyzer
7 * By Gerald Combs <gerald@wireshark.org>
8 * Copyright 1998 Gerald Combs
10 * This program is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU General Public License
12 * as published by the Free Software Foundation; either version 2
13 * of the License, or (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
28 #include <epan/arptypes.h>
29 #include <epan/prefs.h>
30 #include <epan/packet.h>
31 #include "packet-sll.h"
32 #include "packet-ipx.h"
33 #include "packet-llc.h"
34 #include "packet-eth.h"
35 #include "packet-ppp.h"
36 #include "packet-gre.h"
37 #include <epan/addr_resolv.h>
38 #include <epan/etypes.h>
/*
 * Registration handles for the SLL protocol, its header fields and its
 * subtree. All start at -1. proto_sll is assigned from
 * proto_register_protocol() in proto_register_sll(). The hf_ and ett_
 * values are presumably filled in when the hf[] and ett[] arrays are
 * registered there; the array entries that reference them are not
 * visible in this listing.
 */
40 static int proto_sll = -1;
41 static int hf_sll_pkttype = -1;
42 static int hf_sll_hatype = -1;
43 static int hf_sll_halen = -1;
44 static int hf_sll_src_eth = -1;
45 static int hf_sll_src_ipv4 = -1;
46 static int hf_sll_src_other = -1;
47 static int hf_sll_ltype = -1;
48 static int hf_sll_gretype = -1;
49 static int hf_sll_etype = -1;
50 static int hf_sll_trailer = -1;
52 static gint ett_sll = -1;
55 * A DLT_LINUX_SLL fake link-layer header.
/*
 * Fixed size of the cooked-capture pseudo-header. capture_sll() requires
 * this many bytes to be present before it reads the protocol field at
 * offset 14, and both capture_sll() and dissect_sll() treat offset
 * SLL_HEADER_SIZE as the start of the payload.
 */
57 #define SLL_HEADER_SIZE 16 /* total header length */
/*
 * NOTE(review): dissect_sll() caps the displayed "other" source address at a
 * literal 8 rather than at SLL_ADDRLEN; confirm the two are meant to be the
 * same bound (address field at offsets 6..13, protocol field at 14).
 */
58 #define SLL_ADDRLEN 8 /* length of address field */
61 * The LINUX_SLL_ values for "sll_pkttype".
63 #define LINUX_SLL_HOST 0 /* shown as "Unicast to us" */
64 #define LINUX_SLL_BROADCAST 1 /* dissect_sll() sets p2p_dir to P2P_DIR_RECV */
65 #define LINUX_SLL_MULTICAST 2 /* dissect_sll() sets p2p_dir to P2P_DIR_RECV */
66 #define LINUX_SLL_OTHERHOST 3 /* shown as "Unicast to another host" */
67 #define LINUX_SLL_OUTGOING 4 /* dissect_sll() sets p2p_dir to P2P_DIR_SENT */
/*
 * Display strings for the 16-bit packet-type field at offset 0 of the header.
 * Used by dissect_sll() through val_to_str() for the Info column, where any
 * value not listed here is rendered as "Unknown (%u)", and by the
 * "sll.pkttype" field registration. The terminating entry and closing brace
 * of the table are not visible in this listing.
 */
69 static const value_string packet_type_vals[] = {
70 { LINUX_SLL_HOST, "Unicast to us" },
71 { LINUX_SLL_BROADCAST, "Broadcast" },
72 { LINUX_SLL_MULTICAST, "Multicast" },
73 { LINUX_SLL_OTHERHOST, "Unicast to another host" },
74 { LINUX_SLL_OUTGOING, "Sent by us" },
/*
 * Display strings for the Linux-internal protocol values, attached to the
 * "sll.ltype" field. The LINUX_SLL_P_* constants are not defined in the
 * visible part of this file (presumably they come from packet-sll.h). The
 * terminating entry and closing brace are not visible in this listing.
 */
78 static const value_string ltype_vals[] = {
79 { LINUX_SLL_P_802_3, "Raw 802.3" },
80 { LINUX_SLL_P_ETHERNET, "Ethernet" },
81 { LINUX_SLL_P_802_2, "802.2 LLC" },
82 { LINUX_SLL_P_PPPHDLC, "PPP (HDLC)" },
83 { LINUX_SLL_P_CAN, "CAN" },
84 { LINUX_SLL_P_IRDA_LAP, "IrDA LAP" },
/* Created in proto_register_sll(); keyed by the Linux-internal protocol value in dissect_sll(). */
88 static dissector_table_t sll_linux_dissector_table;
/* Looked up as "gre.proto" in proto_reg_handoff_sll(). */
89 static dissector_table_t gre_dissector_table;
/* Looked up as "data" in proto_reg_handoff_sll(); fallback when no Linux-type subdissector accepts the payload. */
90 static dissector_handle_t data_handle;
/*
 * Capture-time classification of a cooked-capture frame: reads the 16-bit
 * protocol field at offset 14 and forwards the frame to the matching
 * capture_*() routine.
 *
 * pd  - bytes of the captured frame
 * len - length passed to BYTES_ARE_IN_FRAME() and on to the capture_*() routines
 * ld  - packet counters handed through to the capture_*() routines
 *
 * The return-type line, the braces and several statements of this function
 * are not visible in this listing.
 */
93 capture_sll(const guchar *pd, int len, packet_counts *ld)
/*
 * Bounds check on capture data: all SLL_HEADER_SIZE bytes must be present
 * before pd[14] is read below. The body of this branch is not visible here;
 * presumably it stops processing the frame - confirm.
 */
97 if (!BYTES_ARE_IN_FRAME(0, len, SLL_HEADER_SIZE)) {
/* 16-bit protocol field; pd[14] and pd[15] lie inside the header checked above. */
101 protocol = pntohs(&pd[14]);
102 if (protocol <= 1536) { /* yes, 1536 - that's how Linux does it */
104 * "proto" is *not* a length field, it's a Linux internal
109 case LINUX_SLL_P_802_2:
/*
 * NOTE(review): this call passes (pd, len, SLL_HEADER_SIZE, ld), while
 * capture_eth() and capture_ethertype() below pass SLL_HEADER_SIZE before
 * len. Check the prototype in packet-llc.h: if it takes the offset before
 * the length, the two arguments are swapped here and the callee's bounds
 * checks would run against the wrong values.
 */
113 capture_llc(pd, len, SLL_HEADER_SIZE, ld);
116 case LINUX_SLL_P_ETHERNET:
120 capture_eth(pd, SLL_HEADER_SIZE, len, ld);
123 case LINUX_SLL_P_802_3:
125 * Novell IPX inside 802.3 with no 802.2 LLC
131 case LINUX_SLL_P_PPPHDLC:
/*
 * NOTE(review): same argument order as the capture_llc() call above
 * (len before SLL_HEADER_SIZE); verify against the prototype in packet-ppp.h.
 */
135 capture_ppp_hdlc(pd, len, SLL_HEADER_SIZE, ld);
/* Values above 1536 are handled as Ethertypes; payload offset is SLL_HEADER_SIZE. */
143 capture_ethertype(protocol, pd, SLL_HEADER_SIZE, len, ld);
/*
 * Dissects the 16-byte cooked-capture pseudo-header and hands the payload on.
 *
 * tvb   - buffer holding the frame, starting at the SLL header
 * pinfo - per-packet state; p2p_dir, dl_src and src are written here
 * tree  - protocol tree the header subtree and the payload are added to
 *
 * Header offsets used below: 0 packet type, 2 link-layer address type,
 * 4 link-layer address length, 6 source address, 14 protocol.
 *
 * No explicit length check appears in the visible lines; every read goes
 * through a tvbuff accessor, so truncated frames are presumably caught
 * there - confirm. Several lines of the function (declarations, the switch
 * and if headers, closing braces) are not visible in this listing.
 */
147 dissect_sll(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
151 guint16 hatype, halen;
155 proto_tree *fh_tree = NULL;
157 col_set_str(pinfo->cinfo, COL_PROTOCOL, "SLL");
158 col_clear(pinfo->cinfo, COL_INFO);
/* Packet type: 16 bits at offset 0, taken from the capture. */
160 pkttype = tvb_get_ntohs(tvb, 0);
163 * Set "pinfo->p2p_dir" if the packet wasn't received
169 case LINUX_SLL_BROADCAST:
170 case LINUX_SLL_MULTICAST:
171 pinfo->p2p_dir = P2P_DIR_RECV;
174 case LINUX_SLL_OUTGOING:
175 pinfo->p2p_dir = P2P_DIR_SENT;
/*
 * The Info column text is either a fixed table string or the literal
 * "Unknown (%u)" formatted with the numeric packet type, and it is passed to
 * col_add_str() as a plain string.
 */
179 if (check_col(pinfo->cinfo, COL_INFO))
180 col_add_str(pinfo->cinfo, COL_INFO,
181 val_to_str(pkttype, packet_type_vals, "Unknown (%u)"));
/* Header subtree covers bytes 0..SLL_HEADER_SIZE-1 of tvb. */
184 ti = proto_tree_add_protocol_format(tree, proto_sll, tvb, 0,
185 SLL_HEADER_SIZE, "Linux cooked capture");
186 fh_tree = proto_item_add_subtree(ti, ett_sll);
187 proto_tree_add_item(fh_tree, hf_sll_pkttype, tvb, 0, 2, ENC_BIG_ENDIAN);
191 * XXX - check the link-layer address type value?
192 * For now, we just assume 6 means Ethernet.
/* Both values come straight from the capture; halen can be any 16-bit value. */
194 hatype = tvb_get_ntohs(tvb, 2);
195 halen = tvb_get_ntohs(tvb, 4);
197 proto_tree_add_uint(fh_tree, hf_sll_hatype, tvb, 2, 2, hatype);
198 proto_tree_add_uint(fh_tree, hf_sll_halen, tvb, 4, 2, halen);
/*
 * Source address handling. The selector for the three branches below is not
 * visible in this listing; presumably it is a switch on halen with cases 4
 * and 6 - confirm. First branch: a 4-byte address recorded as AT_IPv4.
 */
202 src = tvb_get_ptr(tvb, 6, 4);
203 SET_ADDRESS(&pinfo->dl_src, AT_IPv4, 4, src);
204 SET_ADDRESS(&pinfo->src, AT_IPv4, 4, src);
206 proto_tree_add_item(fh_tree, hf_sll_src_ipv4, tvb,
207 6, 4, ENC_BIG_ENDIAN);
/* Second branch: a 6-byte address recorded as AT_ETHER. */
211 src = tvb_get_ptr(tvb, 6, 6);
212 SET_ADDRESS(&pinfo->dl_src, AT_ETHER, 6, src);
213 SET_ADDRESS(&pinfo->src, AT_ETHER, 6, src);
215 proto_tree_add_ether(fh_tree, hf_sll_src_eth, tvb,
/*
 * Third branch: any other length is shown as raw bytes. The length is
 * clamped to 8 so that a large capture-supplied halen cannot extend the
 * item past offset 13 into the protocol field at offset 14 or the payload.
 */
223 proto_tree_add_item(fh_tree, hf_sll_src_other, tvb,
224 6, halen > 8 ? 8 : halen, ENC_NA);
/* Protocol field at offset 14; the payload is everything after the 16-byte header. */
229 protocol = tvb_get_ntohs(tvb, 14);
230 next_tvb = tvb_new_subset_remaining(tvb, SLL_HEADER_SIZE);
231 if (protocol <= 1536) { /* yes, 1536 - that's how Linux does it */
233 * "proto" is *not* a length field, it's a Linux internal
235 * We therefore cannot say how much of the packet will
237 * XXX - do the same thing we do for packets with Ethertypes?
239 proto_tree_add_uint(fh_tree, hf_sll_ltype, tvb, 14, 2,
/* Linux-internal type: try the registered subdissectors, otherwise fall back to the generic data dissector. */
242 if(!dissector_try_uint(sll_linux_dissector_table, protocol,
243 next_tvb, pinfo, tree)) {
244 call_dissector(data_handle, next_tvb, pinfo, tree);
/*
 * GRE branch; the condition selecting it is not visible in this listing.
 * NOTE(review): the result of dissector_try_uint() is ignored here, so a
 * payload no GRE subdissector accepts is not passed to data_handle as it is
 * in the Linux-type branch above - confirm that this is intended.
 */
249 proto_tree_add_uint(fh_tree, hf_sll_gretype, tvb, 14, 2,
251 dissector_try_uint(gre_dissector_table,
252 protocol, next_tvb, pinfo, tree);
/* Remaining case: treat the protocol value as an Ethertype, with the payload at offset SLL_HEADER_SIZE. */
255 ethertype(protocol, tvb, SLL_HEADER_SIZE, pinfo, tree,
256 fh_tree, hf_sll_etype, hf_sll_trailer, 0);
/*
 * Registers the SLL protocol, its header fields and subtree, and creates the
 * dissector table used for Linux-internal protocol values.
 *
 * The lines that bind each hf[] entry to its hf_sll_* variable, the contents
 * of ett[], and the remaining arguments of proto_register_protocol() and
 * register_dissector_table() are not visible in this listing.
 */
263 proto_register_sll(void)
265 static hf_register_info hf[] = {
/* 16-bit packet type, labelled through packet_type_vals. */
267 { "Packet type", "sll.pkttype", FT_UINT16, BASE_DEC,
268 VALS(packet_type_vals), 0x0, NULL, HFILL }},
270 /* ARP hardware type? With Linux extensions? */
272 { "Link-layer address type", "sll.hatype", FT_UINT16, BASE_DEC,
273 NULL, 0x0, NULL, HFILL }},
/* Shown as read from the capture; dissect_sll() does not display more than 8 address bytes whatever this value is. */
276 { "Link-layer address length", "sll.halen", FT_UINT16, BASE_DEC,
277 NULL, 0x0, NULL, HFILL }},
279 /* Source address if it's an Ethernet-type address */
281 { "Source", "sll.src.eth", FT_ETHER, BASE_NONE, NULL, 0x0,
282 "Source link-layer address", HFILL }},
284 /* Source address if it's an IPv4 address */
286 { "Source", "sll.src.ipv4", FT_IPv4, BASE_NONE, NULL, 0x0,
287 "Source link-layer address", HFILL }},
289 /* Source address if it's not an Ethernet-type address */
291 { "Source", "sll.src.other", FT_BYTES, BASE_NONE, NULL, 0x0,
292 "Source link-layer address", HFILL }},
294 /* if the protocol field is an internal Linux protocol type */
296 { "Protocol", "sll.ltype", FT_UINT16, BASE_HEX,
297 VALS(ltype_vals), 0x0, "Linux protocol type", HFILL }},
299 /* if the protocol field is a GRE protocol type */
/* gre_typevals is not defined in this file; presumably declared in packet-gre.h. */
301 { "Protocol", "sll.gretype", FT_UINT16, BASE_HEX,
302 VALS(gre_typevals), 0x0, "GRE protocol type", HFILL }},
304 /* registered here but handled in ethertype.c */
306 { "Protocol", "sll.etype", FT_UINT16, BASE_HEX,
307 VALS(etype_vals), 0x0, "Ethernet protocol type", HFILL }},
310 { "Trailer", "sll.trailer", FT_BYTES, BASE_NONE, NULL, 0x0,
313 static gint *ett[] = {
317 proto_sll = proto_register_protocol("Linux cooked-mode capture",
319 proto_register_field_array(proto_sll, hf, array_length(hf));
320 proto_register_subtree_array(ett, array_length(ett));
/* Table that dissect_sll() consults for protocol values <= 1536. */
322 sll_linux_dissector_table = register_dissector_table (
324 "Linux protocol type",
/*
 * Hand-off step: looks up the GRE dissector table and the generic "data"
 * dissector, then registers dissect_sll() for WTAP_ENCAP_SLL in the
 * "wtap_encap" table.
 */
331 proto_reg_handoff_sll(void)
333 dissector_handle_t sll_handle;
336 * Get handles for the IPX and LLC dissectors.
/*
 * NOTE(review): the comment line above mentions IPX and LLC, but the visible
 * lookups are the "gre.proto" table and the "data" dissector. Neither result
 * is checked in the visible lines before dissect_sll() uses it.
 */
338 gre_dissector_table = find_dissector_table("gre.proto");
339 data_handle = find_dissector("data");
341 sll_handle = create_dissector_handle(dissect_sll, proto_sll);
342 dissector_add_uint("wtap_encap", WTAP_ENCAP_SLL, sll_handle);