2 * Routines for ethernet packet disassembly
4 * $Id: packet-eth.c,v 1.79 2003/01/22 06:26:33 guy Exp $
6 * Ethereal - Network traffic analyzer
7 * By Gerald Combs <gerald@ethereal.com>
8 * Copyright 1998 Gerald Combs
10 * This program is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU General Public License
12 * as published by the Free Software Foundation; either version 2
13 * of the License, or (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
30 #include <epan/packet.h>
33 #include <epan/resolv.h>
34 #include "packet-eth.h"
35 #include "packet-ieee8023.h"
36 #include "packet-ipx.h"
37 #include "packet-isl.h"
38 #include "packet-llc.h"
41 /* Interpret capture file as FW1 monitor file */
42 static gboolean eth_interpret_as_fw1_monitor = FALSE;
44 /* protocols and header fields */
45 static int proto_eth = -1;
46 static int hf_eth_dst = -1;
47 static int hf_eth_src = -1;
48 static int hf_eth_len = -1;
49 static int hf_eth_type = -1;
50 static int hf_eth_addr = -1;
51 static int hf_eth_trailer = -1;
53 static gint ett_ieee8023 = -1;
54 static gint ett_ether2 = -1;
56 static dissector_handle_t isl_handle;
57 static dissector_handle_t fw1_handle;
59 static int eth_tap = -1;
61 #define ETH_HEADER_SIZE 14
63 /* These are the Netware-ish names for the different Ethernet frame types.
64 EthernetII: The ethernet with a Type field instead of a length field
65 Ethernet802.2: An 802.3 header followed by an 802.2 header
66 Ethernet802.3: A raw 802.3 packet. IPX/SPX can be the only payload.
67 There's no 802.2 hdr in this.
68 EthernetSNAP: Basically 802.2, just with 802.2SNAP. For our purposes,
69 there's no difference between 802.2 and 802.2SNAP, since we just
70 pass it down to the LLC dissector. -- Gilbert
73 #define ETHERNET_802_2 1
74 #define ETHERNET_802_3 2
75 #define ETHERNET_SNAP 3
78 capture_eth(const guchar *pd, int offset, int len, packet_counts *ld)
80 guint16 etype, length;
81 int ethhdr_type; /* the type of ethernet frame */
83 if (!BYTES_ARE_IN_FRAME(offset, len, ETH_HEADER_SIZE)) {
88 etype = pntohs(&pd[offset+12]);
91 * If the type/length field is <= the maximum 802.3 length,
92 * and is not zero, this is an 802.3 frame, and it's a length
93 * field; it might be an Novell "raw 802.3" frame, with no
94 * 802.2 LLC header, or it might be a frame with an 802.2 LLC
97 * If the type/length field is > the maximum 802.3 length,
98 * this is an Ethernet II frame, and it's a type field.
100 * If the type/length field is zero (ETHERTYPE_UNK), this is
101 * a frame used internally by the Cisco MDS switch to contain
102 * Fibre Channel ("Vegas"). We treat that as an Ethernet II
103 * frame; the dissector for those frames registers itself with
104 * an ethernet type of ETHERTYPE_UNK.
106 if (etype <= IEEE_802_3_MAX_LEN && etype != ETHERTYPE_UNK) {
109 /* Is there an 802.2 layer? I can tell by looking at the first 2
110 bytes after the 802.3 header. If they are 0xffff, then what
111 follows the 802.3 header is an IPX payload, meaning no 802.2.
112 (IPX/SPX is they only thing that can be contained inside a
113 straight 802.3 packet). A non-0xffff value means that there's an
114 802.2 layer inside the 802.3 layer */
115 if (pd[offset+14] == 0xff && pd[offset+15] == 0xff) {
116 ethhdr_type = ETHERNET_802_3;
119 ethhdr_type = ETHERNET_802_2;
122 /* Oh, yuck. Cisco ISL frames require special interpretation of the
123 destination address field; fortunately, they can be recognized by
124 checking the first 5 octets of the destination address, which are
125 01-00-0C-00-00 for ISL frames. */
126 if (pd[offset] == 0x01 && pd[offset+1] == 0x00 && pd[offset+2] == 0x0C
127 && pd[offset+3] == 0x00 && pd[offset+4] == 0x00) {
128 capture_isl(pd, offset, len, ld);
132 /* Convert the LLC length from the 802.3 header to a total
133 frame length, by adding in the size of any data that preceded
134 the Ethernet header, and adding in the Ethernet header size,
135 and set the payload and captured-payload lengths to the minima
136 of the total length and the frame lengths. */
137 length += offset + ETH_HEADER_SIZE;
141 ethhdr_type = ETHERNET_II;
143 offset += ETH_HEADER_SIZE;
145 switch (ethhdr_type) {
150 capture_llc(pd, offset, len, ld);
153 capture_ethertype(etype, pd, offset, len, ld);
159 dissect_eth(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
163 volatile gboolean is_802_2;
164 proto_tree *volatile fh_tree = NULL;
166 if (check_col(pinfo->cinfo, COL_PROTOCOL))
167 col_set_str(pinfo->cinfo, COL_PROTOCOL, "Ethernet");
169 tvb_memcpy(tvb, ehdr.src, 6, 6);
170 tvb_memcpy(tvb, ehdr.dst, 0, 6);
171 SET_ADDRESS(&pinfo->dl_src, AT_ETHER, 6, ehdr.src);
172 SET_ADDRESS(&pinfo->src, AT_ETHER, 6, ehdr.src);
173 SET_ADDRESS(&pinfo->dl_dst, AT_ETHER, 6, ehdr.dst);
174 SET_ADDRESS(&pinfo->dst, AT_ETHER, 6, ehdr.dst);
176 ehdr.type = tvb_get_ntohs(tvb, 12);
179 * If the type/length field is <= the maximum 802.3 length,
180 * and is not zero, this is an 802.3 frame, and it's a length
181 * field; it might be an Novell "raw 802.3" frame, with no
182 * 802.2 LLC header, or it might be a frame with an 802.2 LLC
185 * If the type/length field is > the maximum 802.3 length,
186 * this is an Ethernet II frame, and it's a type field.
188 * If the type/length field is zero (ETHERTYPE_UNK), this is
189 * a frame used internally by the Cisco MDS switch to contain
190 * Fibre Channel ("Vegas"). We treat that as an Ethernet II
191 * frame; the dissector for those frames registers itself with
192 * an ethernet type of ETHERTYPE_UNK.
194 if (ehdr.type <= IEEE_802_3_MAX_LEN && ehdr.type != ETHERTYPE_UNK) {
195 /* Oh, yuck. Cisco ISL frames require special interpretation of the
196 destination address field; fortunately, they can be recognized by
197 checking the first 5 octets of the destination address, which are
198 01-00-0C-00-00 for ISL frames. */
199 if ( tvb_get_guint8(tvb, 0) == 0x01 &&
200 tvb_get_guint8(tvb, 1) == 0x00 &&
201 tvb_get_guint8(tvb, 2) == 0x0C &&
202 tvb_get_guint8(tvb, 3) == 0x00 &&
203 tvb_get_guint8(tvb, 4) == 0x00 ) {
204 call_dissector(isl_handle, tvb, pinfo, tree);
208 /* Is there an 802.2 layer? I can tell by looking at the first 2
209 bytes after the 802.3 header. If they are 0xffff, then what
210 follows the 802.3 header is an IPX payload, meaning no 802.2.
211 (IPX/SPX is they only thing that can be contained inside a
212 straight 802.3 packet). A non-0xffff value means that there's an
213 802.2 layer inside the 802.3 layer */
216 if (tvb_get_ntohs(tvb, 14) == 0xffff) {
220 CATCH2(BoundsError, ReportedBoundsError) {
226 if (check_col(pinfo->cinfo, COL_INFO)) {
227 col_add_fstr(pinfo->cinfo, COL_INFO, "IEEE 802.3 Ethernet %s",
228 (is_802_2 ? "" : "Raw "));
231 ti = proto_tree_add_protocol_format(tree, proto_eth, tvb, 0, ETH_HEADER_SIZE,
232 "IEEE 802.3 Ethernet %s", (is_802_2 ? "" : "Raw "));
234 fh_tree = proto_item_add_subtree(ti, ett_ieee8023);
236 proto_tree_add_ether(fh_tree, hf_eth_dst, tvb, 0, 6, ehdr.dst);
237 proto_tree_add_ether(fh_tree, hf_eth_src, tvb, 6, 6, ehdr.src);
239 /* add items for eth.addr filter */
240 proto_tree_add_ether_hidden(fh_tree, hf_eth_addr, tvb, 0, 6, ehdr.dst);
241 proto_tree_add_ether_hidden(fh_tree, hf_eth_addr, tvb, 6, 6, ehdr.src);
244 dissect_802_3(ehdr.type, is_802_2, tvb, ETH_HEADER_SIZE, pinfo, tree, fh_tree,
245 hf_eth_len, hf_eth_trailer);
247 if (eth_interpret_as_fw1_monitor) {
248 call_dissector(fw1_handle, tvb, pinfo, tree);
252 if (check_col(pinfo->cinfo, COL_INFO))
253 col_set_str(pinfo->cinfo, COL_INFO, "Ethernet II");
255 ti = proto_tree_add_protocol_format(tree, proto_eth, tvb, 0, ETH_HEADER_SIZE,
256 "Ethernet II, Src: %s, Dst: %s",
257 ether_to_str(ehdr.src), ether_to_str(ehdr.dst));
259 fh_tree = proto_item_add_subtree(ti, ett_ether2);
261 proto_tree_add_ether(fh_tree, hf_eth_dst, tvb, 0, 6, ehdr.dst);
262 proto_tree_add_ether(fh_tree, hf_eth_src, tvb, 6, 6, ehdr.src);
263 /* add items for eth.addr filter */
264 proto_tree_add_ether_hidden(fh_tree, hf_eth_addr, tvb, 0, 6, ehdr.dst);
265 proto_tree_add_ether_hidden(fh_tree, hf_eth_addr, tvb, 6, 6, ehdr.src);
268 ethertype(ehdr.type, tvb, ETH_HEADER_SIZE, pinfo, tree, fh_tree, hf_eth_type,
273 tap_queue_packet(eth_tap, pinfo, &ehdr);
278 proto_register_eth(void)
280 static hf_register_info hf[] = {
283 { "Destination", "eth.dst", FT_ETHER, BASE_NONE, NULL, 0x0,
284 "Destination Hardware Address", HFILL }},
287 { "Source", "eth.src", FT_ETHER, BASE_NONE, NULL, 0x0,
288 "Source Hardware Address", HFILL }},
291 { "Length", "eth.len", FT_UINT16, BASE_DEC, NULL, 0x0,
294 /* registered here but handled in ethertype.c */
296 { "Type", "eth.type", FT_UINT16, BASE_HEX, VALS(etype_vals), 0x0,
299 { "Source or Destination Address", "eth.addr", FT_ETHER, BASE_NONE, NULL, 0x0,
300 "Source or Destination Hardware Address", HFILL }},
303 { "Trailer", "eth.trailer", FT_BYTES, BASE_NONE, NULL, 0x0,
304 "Ethernet Trailer or Checksum", HFILL }},
307 static gint *ett[] = {
311 module_t *eth_module;
313 proto_eth = proto_register_protocol("Ethernet", "Ethernet", "eth");
314 proto_register_field_array(proto_eth, hf, array_length(hf));
315 proto_register_subtree_array(ett, array_length(ett));
317 /* Register configuration preferences */
318 eth_module = prefs_register_protocol(proto_eth, NULL);
319 prefs_register_bool_preference(eth_module, "interpret_as_fw1_monitor",
320 "Interpret as FireWall-1 monitor file",
321 "Whether the capture file should be interpreted as a CheckPoint FireWall-1 monitor file",
322 ð_interpret_as_fw1_monitor);
324 register_dissector("eth", dissect_eth, proto_eth);
325 eth_tap = register_tap("eth");
329 proto_reg_handoff_eth(void)
331 dissector_handle_t eth_handle;
334 * Get a handle for the ISL dissector.
336 isl_handle = find_dissector("isl");
337 fw1_handle = find_dissector("fw1");
339 eth_handle = find_dissector("eth");
340 dissector_add("wtap_encap", WTAP_ENCAP_ETHERNET, eth_handle);
341 dissector_add("ethertype", ETHERTYPE_ETHBRIDGE, eth_handle);
342 dissector_add("chdlctype", ETHERTYPE_ETHBRIDGE, eth_handle);
343 dissector_add("gre.proto", ETHERTYPE_ETHBRIDGE, eth_handle);