2 * Routines for IEEE 802.2 LLC layer
3 * Gilbert Ramirez <gramirez@tivoli.com>
5 * $Id: packet-llc.c,v 1.42 2000/01/24 01:45:12 guy Exp $
7 * Ethereal - Network traffic analyzer
8 * By Gerald Combs <gerald@zing.org>
9 * Copyright 1998 Gerald Combs
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version 2
15 * of the License, or (at your option) any later version.
17 * This program is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU General Public License for more details.
22 * You should have received a copy of the GNU General Public License
23 * along with this program; if not, write to the Free Software
24 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
31 #ifdef HAVE_SYS_TYPES_H
32 # include <sys/types.h>
41 static int proto_llc = -1;
42 static int hf_llc_dsap = -1;
43 static int hf_llc_ssap = -1;
44 static int hf_llc_dsap_ig = -1;
45 static int hf_llc_ssap_cr = -1;
46 static int hf_llc_ctrl = -1;
47 static int hf_llc_type = -1;
48 static int hf_llc_oui = -1;
49 static int hf_llc_pid = -1;
51 static gint ett_llc = -1;
52 static gint ett_llc_ctrl = -1;
54 typedef void (capture_func_t)(const u_char *, int, packet_counts *);
55 typedef void (dissect_func_t)(const u_char *, int, frame_data *, proto_tree *);
57 /* The SAP info is split into two tables, one value_string table and one table of sap_info. This is
58 * so that the value_string can be used in the header field registration.
62 capture_func_t *capture_func;
63 dissect_func_t *dissect_func;
67 * Group/Individual bit, in the DSAP.
69 #define DSAP_GI_BIT 0x01
72 * Command/Response bit, in the SSAP.
74 * The low-order bit of the SSAP apparently determines whether this
75 * is a request or a response. (RFC 1390, "Transmission of IP and
76 * ARP over FDDI Networks", says
78 * Command frames are identified by having the low order
79 * bit of the SSAP address reset to zero. Response frames
80 * have the low order bit of the SSAP address set to one.
82 * and a page I've seen seems to imply that's part of 802.2.)
84 #define SSAP_CR_BIT 0x01
87 * Mask to extrace the SAP number from the DSAP or the SSAP.
92 * These are for SSAP and DSAP, wth last bit always zero.
93 * XXX - some DSAPs come in separate "individual" and "group" versions,
94 * with the last bit 0 and 1, respectively (e.g., LLC Sub-layer Management,
95 * IBM SNA Path Control, IBM Net Management), and, whilst 0xFE is
96 * the ISO Network Layer Protocol, 0xFF is the Global LSAP.
98 static const value_string sap_vals[] = {
99 { 0x00, "NULL LSAP" },
100 { 0x02, "LLC Sub-Layer Management" },
101 { 0x04, "SNA Path Control" },
105 { 0x42, "Spanning Tree BPDU" },
106 { 0x7F, "ISO 802.2" },
109 { 0xBA, "Banyan Vines" },
110 { 0xBC, "Banyan Vines" },
113 { 0xF4, "IBM Net Management" },
114 { 0xF8, "Remote Program Load" },
115 { 0xFC, "Remote Program Load" },
116 { 0xFE, "ISO Network Layer" },
117 { 0xFF, "Global LSAP" },
121 static struct sap_info saps[] = {
122 { 0x00, NULL, NULL },
123 { 0x02, NULL, NULL },
124 { 0x03, NULL, NULL },
125 { 0x04, NULL, dissect_sna },
126 { 0x05, NULL, NULL },
127 { 0x06, capture_ip, dissect_ip },
128 { 0x08, NULL, NULL },
129 { 0x0C, NULL, NULL },
130 { 0x42, NULL, dissect_bpdu },
131 { 0x7F, NULL, NULL },
132 { 0x80, NULL, NULL },
133 { 0xAA, NULL, NULL },
134 { 0xBA, NULL, NULL },
135 { 0xBC, NULL, NULL },
136 { 0xE0, capture_ipx, dissect_ipx },
137 { 0xF0, capture_netbios, dissect_netbios },
138 { 0xF4, NULL, NULL },
139 { 0xF5, NULL, NULL },
140 { 0xF8, NULL, NULL },
141 { 0xFC, NULL, NULL },
142 { 0xFE, NULL, dissect_osi },
143 { 0xFF, NULL, NULL },
147 static const value_string llc_ctrl_vals[] = {
148 { 0, "Information Transfer" },
149 { 1, "Supervisory" },
151 { 3, "Unnumbered Information" },
155 const value_string oui_vals[] = {
156 { OUI_ENCAP_ETHER, "Encapsulated Ethernet" },
158 http://www.cisco.com/univercd/cc/td/doc/product/software/ios113ed/113ed_cr/ibm_r/brprt1/brsrb.htm
160 { OUI_CISCO, "Cisco" },
161 { OUI_CISCO_90, "Cisco IOS 9.0 Compatible" },
162 { OUI_BFR, "Bridged Frame-Relay" }, /* RFC 2427 */
163 { OUI_ATM_FORUM, "ATM Forum" },
164 { OUI_APPLE_ATALK, "Apple (AppleTalk)" },
168 static capture_func_t *
169 sap_capture_func(u_char sap) {
172 /* look for the second record where sap == 0, which should
175 while (saps[i].sap > 0 || i == 0) {
176 if (saps[i].sap == sap) {
177 return saps[i].capture_func;
184 static dissect_func_t *
185 sap_dissect_func(u_char sap) {
188 /* look for the second record where sap == 0, which should
191 while (saps[i].sap > 0 || i == 0) {
192 if (saps[i].sap == sap) {
193 return saps[i].dissect_func;
201 capture_llc(const u_char *pd, int offset, packet_counts *ld) {
208 capture_func_t *capture;
210 if (!BYTES_ARE_IN_FRAME(offset, 2)) {
214 is_snap = (pd[offset] == 0xAA) && (pd[offset+1] == 0xAA);
215 llc_header_len = 2; /* DSAP + SSAP */
218 * XXX - the page referred to in the comment above about the
219 * Command/Response bit also implies that LLC Type 2 always
220 * uses extended operation, so we don't need to determine
221 * whether it's basic or extended operation; is that the case?
223 control = get_xdlc_control(pd, offset+2, pd[offset+1] & SSAP_CR_BIT,
225 llc_header_len += XDLC_CONTROL_LEN(control, TRUE);
227 llc_header_len += 5; /* 3 bytes of OUI, 2 bytes of protocol ID */
228 if (!BYTES_ARE_IN_FRAME(offset, llc_header_len)) {
234 oui = pd[offset+3] << 16 | pd[offset+4] << 8 | pd[offset+5];
235 if (XDLC_HAS_PAYLOAD(control)) {
237 * This frame has a payload to be analyzed.
239 etype = pntohs(&pd[offset+6]);
242 case OUI_ENCAP_ETHER:
243 case OUI_APPLE_ATALK:
244 /* No, I have no idea why Apple used
245 one of their own OUIs, rather than
246 OUI_ENCAP_ETHER, and an Ethernet
247 packet type as protocol ID, for
248 AppleTalk data packets - but used
249 OUI_ENCAP_ETHER and an Ethernet
250 packet type for AARP packets. */
251 capture_ethertype(etype, offset+8, pd,
255 capture_ethertype(etype,
265 if (XDLC_HAS_PAYLOAD(control)) {
267 * This frame has a payload to be analyzed.
269 capture = sap_capture_func(pd[offset]);
272 offset += llc_header_len;
275 capture(pd, offset, ld);
285 dissect_llc(const u_char *pd, int offset, frame_data *fd, proto_tree *tree) {
287 proto_tree *llc_tree = NULL;
288 proto_item *ti = NULL;
294 dissect_func_t *dissect;
296 if (!BYTES_ARE_IN_FRAME(offset, 2)) {
297 dissect_data(pd, offset, fd, tree);
300 is_snap = (pd[offset] == 0xAA) && (pd[offset+1] == 0xAA);
301 llc_header_len = 2; /* DSAP + SSAP */
303 if (check_col(fd, COL_PROTOCOL)) {
304 col_add_str(fd, COL_PROTOCOL, "LLC");
308 ti = proto_tree_add_item(tree, proto_llc, offset, 0, NULL);
309 llc_tree = proto_item_add_subtree(ti, ett_llc);
310 proto_tree_add_item(llc_tree, hf_llc_dsap, offset,
311 1, pd[offset] & SAP_MASK);
312 proto_tree_add_item(llc_tree, hf_llc_dsap_ig, offset,
313 1, pd[offset] & DSAP_GI_BIT);
314 proto_tree_add_item(llc_tree, hf_llc_ssap, offset+1,
315 1, pd[offset+1] & SAP_MASK);
316 proto_tree_add_item(llc_tree, hf_llc_ssap_cr, offset+1,
317 1, pd[offset+1] & SSAP_CR_BIT);
322 * XXX - the page referred to in the comment above about the
323 * Command/Response bit also implies that LLC Type 2 always
324 * uses extended operation, so we don't need to determine
325 * whether it's basic or extended operation; is that the case?
327 control = dissect_xdlc_control(pd, offset+2, fd, llc_tree,
328 hf_llc_ctrl, ett_llc_ctrl,
329 pd[offset+1] & SSAP_CR_BIT, TRUE);
330 llc_header_len += XDLC_CONTROL_LEN(control, TRUE);
332 llc_header_len += 5; /* 3 bytes of OUI, 2 bytes of protocol ID */
333 if (!BYTES_ARE_IN_FRAME(offset, llc_header_len)) {
334 dissect_data(pd, offset, fd, tree);
338 proto_item_set_len(ti, llc_header_len);
341 * XXX - do we want to append the SAP information to the stuff
342 * "dissect_xdlc_control()" put in the COL_INFO column, rather
343 * than overwriting it?
346 oui = pd[offset+3] << 16 | pd[offset+4] << 8 | pd[offset+5];
347 etype = pntohs(&pd[offset+6]);
348 if (check_col(fd, COL_INFO)) {
349 col_add_fstr(fd, COL_INFO, "SNAP, OUI 0x%06X (%s), PID 0x%04X",
350 oui, val_to_str(oui, oui_vals, "Unknown"),
354 proto_tree_add_item(llc_tree, hf_llc_oui, offset+3, 3,
359 case OUI_ENCAP_ETHER:
360 case OUI_APPLE_ATALK:
361 /* No, I have no idea why Apple used
362 one of their own OUIs, rather than
363 OUI_ENCAP_ETHER, and an Ethernet
364 packet type as protocol ID, for
365 AppleTalk data packets - but used
366 OUI_ENCAP_ETHER and an Ethernet
367 packet type for AARP packets. */
368 if (XDLC_HAS_PAYLOAD(control)) {
370 * This frame has a payload to be analyzed.
371 * XXX - I've seen a U frame (for a SNAP
372 * protocol with OUI 00-80-5F, belonging
373 * to Compaq, and a PID of 0002) with a
374 * function of TEST and, apparently, with
375 * a payload - the data in the frame
376 * following the LLC header included the
377 * Unicode string "NTFS", so, unless that's
378 * crud left over from an earlier frame whose
379 * buffer was reused for this frame, and the
380 * length was mysteriously set to include the
381 * leftover crud, TEST frames can have data,
382 * just as UI frames can.
384 ethertype(etype, offset+8, pd,
385 fd, tree, llc_tree, hf_llc_type);
390 /* So are all CDP packets LLC packets
391 with an OUI of OUI_CISCO and a
392 protocol ID of 0x2000, or
393 are some of them raw or encapsulated
396 proto_tree_add_item(llc_tree,
397 hf_llc_pid, offset+6, 2, etype);
399 if (XDLC_HAS_PAYLOAD(control)) {
401 * This frame has a payload to be analyzed.
406 dissect_cdp(pd, offset+8, fd, tree);
410 dissect_data(pd, offset+8, fd, tree);
418 proto_tree_add_item(llc_tree,
419 hf_llc_pid, offset+6, 2, etype);
421 if (XDLC_HAS_PAYLOAD(control)) {
423 * This frame has a payload to be analyzed.
425 dissect_data(pd, offset+8, fd, tree);
431 if (check_col(fd, COL_INFO)) {
432 col_add_fstr(fd, COL_INFO,
433 "DSAP %s %s, SSAP %s %s",
434 val_to_str(pd[offset] & SAP_MASK, sap_vals, "%02x"),
435 pd[offset] & DSAP_GI_BIT ?
436 "Group" : "Individual",
437 val_to_str(pd[offset+1] & SAP_MASK, sap_vals, "%02x"),
438 pd[offset+1] & SSAP_CR_BIT ?
439 "Command" : "Response"
443 if (XDLC_HAS_PAYLOAD(control)) {
445 * This frame has a payload to be analyzed.
447 dissect = sap_dissect_func(pd[offset]);
450 offset += llc_header_len;
453 dissect(pd, offset, fd, tree);
456 dissect_data(pd, offset, fd, tree);
463 proto_register_llc(void)
465 static struct true_false_string ig_bit = { "Group", "Individual" };
466 static struct true_false_string cr_bit = { "Response", "Command" };
468 static hf_register_info hf[] = {
470 { "DSAP", "llc.dsap", FT_UINT8, BASE_HEX,
471 VALS(sap_vals), 0x0, "" }},
474 { "IG Bit", "llc.dsap.ig", FT_BOOLEAN, BASE_HEX,
475 &ig_bit, 0x0, "Individual/Group" }},
478 { "SSAP", "llc.ssap", FT_UINT8, BASE_HEX,
479 VALS(sap_vals), 0x0, "" }},
482 { "CR Bit", "llc.ssap.cr", FT_BOOLEAN, BASE_HEX,
483 &cr_bit, 0x0, "Command/Response" }},
486 { "Control", "llc.control", FT_UINT8, BASE_HEX,
487 VALS(llc_ctrl_vals), 0x0, "" }},
489 /* registered here but handled in ethertype.c */
491 { "Type", "llc.type", FT_UINT16, BASE_HEX,
492 VALS(etype_vals), 0x0, "" }},
495 { "Organization Code", "llc.oui", FT_UINT24, BASE_HEX,
496 VALS(oui_vals), 0x0, ""}},
499 { "Protocol ID", "llc.pid", FT_UINT16, BASE_HEX,
502 static gint *ett[] = {
507 proto_llc = proto_register_protocol ("Logical-Link Control", "llc" );
508 proto_register_field_array(proto_llc, hf, array_length(hf));
509 proto_register_subtree_array(ett, array_length(ett));