2 * Routines for ethernet packet disassembly
4 * Wireshark - Network traffic analyzer
5 * By Gerald Combs <gerald@wireshark.org>
6 * Copyright 1998 Gerald Combs
8 * This program is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU General Public License
10 * as published by the Free Software Foundation; either version 2
11 * of the License, or (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
27 #include <epan/packet.h>
28 #include <epan/exceptions.h>
29 #include <epan/prefs.h>
30 #include <epan/etypes.h>
31 #include <epan/addr_resolv.h>
32 #include <epan/expert.h>
33 #include <epan/conversation_table.h>
34 #include <wsutil/pint.h>
35 #include "packet-eth.h"
36 #include "packet-ieee8023.h"
37 #include "packet-ipx.h"
38 #include "packet-isl.h"
39 #include "packet-llc.h"
40 #include "packet-sll.h"
41 #include "packet-usb.h"
42 #include "packet-juniper.h"
43 #include <epan/crc32-tvb.h>
45 #include <wiretap/erf.h>
47 void proto_register_eth(void);
48 void proto_reg_handoff_eth(void);
50 /* Assume all packets have an FCS */
51 static gboolean eth_assume_padding = TRUE;
52 static guint eth_trailer_length = 0;
53 static gboolean eth_assume_fcs = FALSE;
54 static gboolean eth_check_fcs = TRUE;
55 /* Interpret packets as FW1 monitor file packets if they look as if they are */
56 static gboolean eth_interpret_as_fw1_monitor = FALSE;
57 /* Preference settings defining conditions for which the CCSDS dissector is called */
58 static gboolean ccsds_heuristic_length = FALSE;
59 static gboolean ccsds_heuristic_version = FALSE;
60 static gboolean ccsds_heuristic_header = FALSE;
61 static gboolean ccsds_heuristic_bit = FALSE;
63 /* protocols and header fields */
64 static int proto_eth = -1;
65 static int hf_eth_dst = -1;
66 static int hf_eth_dst_resolved = -1;
67 static int hf_eth_src = -1;
68 static int hf_eth_src_resolved = -1;
69 static int hf_eth_len = -1;
70 static int hf_eth_type = -1;
71 static int hf_eth_invalid_lentype = -1;
72 static int hf_eth_addr = -1;
73 static int hf_eth_addr_resolved = -1;
74 static int hf_eth_lg = -1;
75 static int hf_eth_ig = -1;
76 static int hf_eth_padding = -1;
77 static int hf_eth_trailer = -1;
78 static int hf_eth_fcs = -1;
79 static int hf_eth_fcs_good = -1;
80 static int hf_eth_fcs_bad = -1;
82 static gint ett_ieee8023 = -1;
83 static gint ett_ether2 = -1;
84 static gint ett_ether = -1;
85 static gint ett_addr = -1;
86 static gint ett_eth_fcs = -1;
88 static expert_field ei_eth_invalid_lentype = EI_INIT;
89 static expert_field ei_eth_src_not_group = EI_INIT;
90 static expert_field ei_eth_fcs_bad = EI_INIT;
91 static expert_field ei_eth_len = EI_INIT;
93 static dissector_handle_t fw1_handle;
94 static dissector_handle_t ethertype_handle;
95 static dissector_handle_t data_handle;
96 static heur_dissector_list_t heur_subdissector_list;
97 static heur_dissector_list_t eth_trailer_subdissector_list;
99 static int eth_tap = -1;
101 #define ETH_HEADER_SIZE 14
103 static const true_false_string ig_tfs = {
104 "Group address (multicast/broadcast)",
105 "Individual address (unicast)"
107 static const true_false_string lg_tfs = {
108 "Locally administered address (this is NOT the factory default)",
109 "Globally unique address (factory default)"
113 static const char* eth_conv_get_filter_type(conv_item_t* conv, conv_filter_type_e filter)
115 if ((filter == CONV_FT_SRC_ADDRESS) && (conv->src_address.type == AT_ETHER))
118 if ((filter == CONV_FT_DST_ADDRESS) && (conv->dst_address.type == AT_ETHER))
121 if ((filter == CONV_FT_ANY_ADDRESS) && (conv->src_address.type == AT_ETHER))
124 return CONV_FILTER_INVALID;
127 static ct_dissector_info_t eth_ct_dissector_info = {ð_conv_get_filter_type};
130 eth_conversation_packet(void *pct, packet_info *pinfo, epan_dissect_t *edt _U_, const void *vip)
132 conv_hash_t *hash = (conv_hash_t*) pct;
133 const eth_hdr *ehdr=(const eth_hdr *)vip;
135 add_conversation_table_data(hash, &ehdr->src, &ehdr->dst, 0, 0, 1, pinfo->fd->pkt_len, &pinfo->rel_ts, &pinfo->fd->abs_ts, ð_ct_dissector_info, PT_NONE);
140 static const char* eth_host_get_filter_type(hostlist_talker_t* host, conv_filter_type_e filter)
142 if ((filter == CONV_FT_ANY_ADDRESS) && (host->myaddress.type == AT_ETHER))
145 return CONV_FILTER_INVALID;
148 static hostlist_dissector_info_t eth_host_dissector_info = {ð_host_get_filter_type};
151 eth_hostlist_packet(void *pit, packet_info *pinfo, epan_dissect_t *edt _U_, const void *vip)
153 conv_hash_t *hash = (conv_hash_t*) pit;
154 const eth_hdr *ehdr=(const eth_hdr *)vip;
156 /* Take two "add" passes per packet, adding for each direction, ensures that all
157 packets are counted properly (even if address is sending to itself)
158 XXX - this could probably be done more efficiently inside hostlist_table */
159 add_hostlist_table_data(hash, &ehdr->src, 0, TRUE, 1, pinfo->fd->pkt_len, ð_host_dissector_info, PT_NONE);
160 add_hostlist_table_data(hash, &ehdr->dst, 0, FALSE, 1, pinfo->fd->pkt_len, ð_host_dissector_info, PT_NONE);
168 /* These are the Netware-ish names for the different Ethernet frame types.
169 EthernetII: The ethernet with a Type field instead of a length field
170 Ethernet802.2: An 802.3 header followed by an 802.2 header
171 Ethernet802.3: A raw 802.3 packet. IPX/SPX can be the only payload.
172 There's no 802.2 hdr in this.
173 EthernetSNAP: Basically 802.2, just with 802.2SNAP. For our purposes,
174 there's no difference between 802.2 and 802.2SNAP, since we just
175 pass it down to the LLC dissector. -- Gilbert
177 #define ETHERNET_II 0
178 #define ETHERNET_802_2 1
179 #define ETHERNET_802_3 2
180 #define ETHERNET_SNAP 3
183 capture_eth(const guchar *pd, int offset, int len, packet_counts *ld)
185 guint16 etype, length;
186 int ethhdr_type; /* the type of ethernet frame */
188 if (!BYTES_ARE_IN_FRAME(offset, len, ETH_HEADER_SIZE)) {
193 etype = pntoh16(&pd[offset+12]);
195 if (etype <= IEEE_802_3_MAX_LEN) {
196 /* Oh, yuck. Cisco ISL frames require special interpretation of the
197 destination address field; fortunately, they can be recognized by
198 checking the first 5 octets of the destination address, which are
199 01-00-0C-00-00 or 0C-00-0C-00-00 for ISL frames. */
200 if ((pd[offset] == 0x01 || pd[offset] == 0x0C) && pd[offset+1] == 0x00
201 && pd[offset+2] == 0x0C && pd[offset+3] == 0x00
202 && pd[offset+4] == 0x00) {
203 capture_isl(pd, offset, len, ld);
209 * If the type/length field is <= the maximum 802.3 length,
210 * and is not zero, this is an 802.3 frame, and it's a length
211 * field; it might be an Novell "raw 802.3" frame, with no
212 * 802.2 LLC header, or it might be a frame with an 802.2 LLC
215 * If the type/length field is >= the minimum Ethernet II length,
216 * this is an Ethernet II frame, and it's a type field.
218 * If the type/length field is > maximum 802.3 length and < minimum
219 * Ethernet II length, then this is an invalid packet.
221 * If the type/length field is zero (ETHERTYPE_UNK), this is
222 * a frame used internally by the Cisco MDS switch to contain
223 * Fibre Channel ("Vegas"). We treat that as an Ethernet II
224 * frame; the dissector for those frames registers itself with
225 * an ethernet type of ETHERTYPE_UNK.
227 if (etype > IEEE_802_3_MAX_LEN && etype < ETHERNET_II_MIN_LEN) {
232 if (etype <= IEEE_802_3_MAX_LEN && etype != ETHERTYPE_UNK) {
235 /* Is there an 802.2 layer? I can tell by looking at the first 2
236 bytes after the 802.3 header. If they are 0xffff, then what
237 follows the 802.3 header is an IPX payload, meaning no 802.2.
238 (IPX/SPX is they only thing that can be contained inside a
239 straight 802.3 packet). A non-0xffff value means that there's an
240 802.2 layer inside the 802.3 layer */
241 if (pd[offset+14] == 0xff && pd[offset+15] == 0xff) {
242 ethhdr_type = ETHERNET_802_3;
245 ethhdr_type = ETHERNET_802_2;
248 /* Convert the LLC length from the 802.3 header to a total
249 frame length, by adding in the size of any data that preceded
250 the Ethernet header, and adding in the Ethernet header size,
251 and set the payload and captured-payload lengths to the minima
252 of the total length and the frame lengths. */
253 length += offset + ETH_HEADER_SIZE;
257 ethhdr_type = ETHERNET_II;
259 offset += ETH_HEADER_SIZE;
261 switch (ethhdr_type) {
266 capture_llc(pd, offset, len, ld);
269 capture_ethertype(etype, pd, offset, len, ld);
274 static gboolean check_is_802_2(tvbuff_t *tvb, int fcs_len);
277 dissect_eth_common(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
280 proto_item *ti = NULL;
283 proto_tree *fh_tree = NULL;
284 const guint8 *src_addr, *dst_addr;
285 const char *src_addr_name, *dst_addr_name;
286 static eth_hdr ehdrs[4];
287 static int ehdr_num=0;
289 proto_item *addr_item;
290 proto_tree *addr_tree=NULL;
291 ethertype_data_t ethertype_data;
292 heur_dtbl_entry_t *hdtbl_entry = NULL;
298 ehdr=&ehdrs[ehdr_num];
302 col_set_str(pinfo->cinfo, COL_PROTOCOL, "Ethernet");
304 src_addr = tvb_get_ptr(tvb, 6, 6);
305 src_addr_name = get_ether_name(src_addr);
306 SET_ADDRESS(&pinfo->dl_src, AT_ETHER, 6, src_addr);
307 SET_ADDRESS(&pinfo->src, AT_ETHER, 6, src_addr);
308 SET_ADDRESS(&ehdr->src, AT_ETHER, 6, src_addr);
310 dst_addr = tvb_get_ptr(tvb, 0, 6);
311 dst_addr_name = get_ether_name(dst_addr);
312 SET_ADDRESS(&pinfo->dl_dst, AT_ETHER, 6, dst_addr);
313 SET_ADDRESS(&pinfo->dst, AT_ETHER, 6, dst_addr);
314 SET_ADDRESS(&ehdr->dst, AT_ETHER, 6, dst_addr);
316 ehdr->type = tvb_get_ntohs(tvb, 12);
318 tap_queue_packet(eth_tap, pinfo, ehdr);
321 * In case the packet is a non-Ethernet packet inside
322 * Ethernet framing, allow heuristic dissectors to take
323 * a first look before we assume that it's actually an
326 if (dissector_try_heuristic(heur_subdissector_list, tvb, pinfo, parent_tree, &hdtbl_entry, NULL))
329 if (ehdr->type <= IEEE_802_3_MAX_LEN) {
330 /* Oh, yuck. Cisco ISL frames require special interpretation of the
331 destination address field; fortunately, they can be recognized by
332 checking the first 5 octets of the destination address, which are
333 01-00-0C-00-00 for ISL frames. */
334 if ((tvb_get_guint8(tvb, 0) == 0x01 ||
335 tvb_get_guint8(tvb, 0) == 0x0C) &&
336 tvb_get_guint8(tvb, 1) == 0x00 &&
337 tvb_get_guint8(tvb, 2) == 0x0C &&
338 tvb_get_guint8(tvb, 3) == 0x00 &&
339 tvb_get_guint8(tvb, 4) == 0x00) {
340 dissect_isl(tvb, pinfo, parent_tree, fcs_len);
346 * If the type/length field is <= the maximum 802.3 length,
347 * and is not zero, this is an 802.3 frame, and it's a length
348 * field; it might be an Novell "raw 802.3" frame, with no
349 * 802.2 LLC header, or it might be a frame with an 802.2 LLC
352 * If the type/length field is >= the minimum Ethernet II length,
353 * this is an Ethernet II frame, and it's a type field.
355 * If the type/length field is > maximum 802.3 length and < minimum
356 * Ethernet II length, then this is an invalid packet.
358 * If the type/length field is zero (ETHERTYPE_UNK), this is
359 * a frame used internally by the Cisco MDS switch to contain
360 * Fibre Channel ("Vegas"). We treat that as an Ethernet II
361 * frame; the dissector for those frames registers itself with
362 * an ethernet type of ETHERTYPE_UNK.
364 if (ehdr->type > IEEE_802_3_MAX_LEN && ehdr->type < ETHERNET_II_MIN_LEN) {
367 col_add_fstr(pinfo->cinfo, COL_INFO,
368 "Ethernet Unknown: Invalid length/type: 0x%04x (%d)",
369 ehdr->type, ehdr->type);
370 ti = proto_tree_add_protocol_format(tree, proto_eth, tvb, 0, ETH_HEADER_SIZE,
371 "Ethernet Unknown, Src: %s (%s), Dst: %s (%s)",
372 src_addr_name, ether_to_str(src_addr),
373 dst_addr_name, ether_to_str(dst_addr));
374 fh_tree = proto_item_add_subtree(ti, ett_ether);
375 addr_item = proto_tree_add_ether(fh_tree, hf_eth_dst, tvb, 0, 6, dst_addr);
377 addr_tree = proto_item_add_subtree(addr_item, ett_addr);
378 addr_item=proto_tree_add_string(addr_tree, hf_eth_dst_resolved, tvb, 0, 6,
380 PROTO_ITEM_SET_GENERATED(addr_item);
381 PROTO_ITEM_SET_HIDDEN(addr_item);
382 proto_tree_add_ether(addr_tree, hf_eth_addr, tvb, 0, 6, dst_addr);
383 addr_item=proto_tree_add_string(addr_tree, hf_eth_addr_resolved, tvb, 0, 6,
385 PROTO_ITEM_SET_GENERATED(addr_item);
386 PROTO_ITEM_SET_HIDDEN(addr_item);
387 proto_tree_add_item(addr_tree, hf_eth_lg, tvb, 0, 3, ENC_BIG_ENDIAN);
388 proto_tree_add_item(addr_tree, hf_eth_ig, tvb, 0, 3, ENC_BIG_ENDIAN);
390 addr_item = proto_tree_add_ether(fh_tree, hf_eth_src, tvb, 6, 6, src_addr);
392 addr_tree = proto_item_add_subtree(addr_item, ett_addr);
393 addr_item=proto_tree_add_string(addr_tree, hf_eth_src_resolved, tvb, 6, 6,
395 PROTO_ITEM_SET_GENERATED(addr_item);
396 PROTO_ITEM_SET_HIDDEN(addr_item);
397 proto_tree_add_ether(addr_tree, hf_eth_addr, tvb, 6, 6, src_addr);
398 addr_item=proto_tree_add_string(addr_tree, hf_eth_addr_resolved, tvb, 6, 6,
400 PROTO_ITEM_SET_GENERATED(addr_item);
401 PROTO_ITEM_SET_HIDDEN(addr_item);
402 proto_tree_add_item(addr_tree, hf_eth_lg, tvb, 6, 3, ENC_BIG_ENDIAN);
403 proto_tree_add_item(addr_tree, hf_eth_ig, tvb, 6, 3, ENC_BIG_ENDIAN);
405 ti = proto_tree_add_item(fh_tree, hf_eth_invalid_lentype, tvb, 12, 2, ENC_BIG_ENDIAN);
406 expert_add_info_format(pinfo, ti, &ei_eth_invalid_lentype,
407 "Invalid length/type: 0x%04x (%d)", ehdr->type, ehdr->type);
408 next_tvb = tvb_new_subset_remaining(tvb, 14);
409 call_dissector(data_handle, next_tvb, pinfo, parent_tree);
413 if (ehdr->type <= IEEE_802_3_MAX_LEN && ehdr->type != ETHERTYPE_UNK) {
415 is_802_2 = check_is_802_2(tvb, fcs_len);
417 col_add_fstr(pinfo->cinfo, COL_INFO, "IEEE 802.3 Ethernet %s",
418 (is_802_2 ? "" : "Raw "));
420 ti = proto_tree_add_protocol_format(tree, proto_eth, tvb, 0, ETH_HEADER_SIZE,
421 "IEEE 802.3 Ethernet %s", (is_802_2 ? "" : "Raw "));
423 fh_tree = proto_item_add_subtree(ti, ett_ieee8023);
426 /* if IP is not referenced from any filters we don't need to worry about
427 generating any tree items. We must do this after we created the actual
428 protocol above so that proto hier stat still works though.
430 if(!proto_field_is_referenced(parent_tree, proto_eth)){
435 addr_item=proto_tree_add_ether(fh_tree, hf_eth_dst, tvb, 0, 6, dst_addr);
437 addr_tree = proto_item_add_subtree(addr_item, ett_addr);
439 addr_item=proto_tree_add_string(addr_tree, hf_eth_dst_resolved, tvb, 0, 6,
441 PROTO_ITEM_SET_GENERATED(addr_item);
442 PROTO_ITEM_SET_HIDDEN(addr_item);
443 proto_tree_add_ether(addr_tree, hf_eth_addr, tvb, 0, 6, dst_addr);
444 addr_item=proto_tree_add_string(addr_tree, hf_eth_addr_resolved, tvb, 0, 6,
446 PROTO_ITEM_SET_GENERATED(addr_item);
447 PROTO_ITEM_SET_HIDDEN(addr_item);
448 proto_tree_add_item(addr_tree, hf_eth_lg, tvb, 0, 3, ENC_BIG_ENDIAN);
449 proto_tree_add_item(addr_tree, hf_eth_ig, tvb, 0, 3, ENC_BIG_ENDIAN);
451 addr_item=proto_tree_add_ether(fh_tree, hf_eth_src, tvb, 6, 6, src_addr);
453 addr_tree = proto_item_add_subtree(addr_item, ett_addr);
455 addr_item=proto_tree_add_string(addr_tree, hf_eth_src_resolved, tvb, 6, 6,
457 PROTO_ITEM_SET_GENERATED(addr_item);
458 PROTO_ITEM_SET_HIDDEN(addr_item);
459 proto_tree_add_ether(addr_tree, hf_eth_addr, tvb, 6, 6, src_addr);
460 addr_item=proto_tree_add_string(addr_tree, hf_eth_addr_resolved, tvb, 6, 6,
462 PROTO_ITEM_SET_GENERATED(addr_item);
463 PROTO_ITEM_SET_HIDDEN(addr_item);
464 proto_tree_add_item(addr_tree, hf_eth_lg, tvb, 6, 3, ENC_BIG_ENDIAN);
465 proto_tree_add_item(addr_tree, hf_eth_ig, tvb, 6, 3, ENC_BIG_ENDIAN);
467 dissect_802_3(ehdr->type, is_802_2, tvb, ETH_HEADER_SIZE, pinfo,
468 parent_tree, fh_tree, hf_eth_len, hf_eth_trailer, &ei_eth_len, fcs_len);
470 if (eth_interpret_as_fw1_monitor) {
471 if ((dst_addr[0] == 'i') || (dst_addr[0] == 'I') ||
472 (dst_addr[0] == 'o') || (dst_addr[0] == 'O')) {
473 call_dissector(fw1_handle, tvb, pinfo, parent_tree);
478 col_set_str(pinfo->cinfo, COL_INFO, "Ethernet II");
480 if (PTREE_DATA(parent_tree)->visible) {
481 ti = proto_tree_add_protocol_format(parent_tree, proto_eth, tvb, 0, ETH_HEADER_SIZE,
482 "Ethernet II, Src: %s (%s), Dst: %s (%s)",
483 src_addr_name, ether_to_str(src_addr),
484 dst_addr_name, ether_to_str(dst_addr));
487 ti = proto_tree_add_item(parent_tree, proto_eth, tvb, 0, ETH_HEADER_SIZE, ENC_NA);
489 fh_tree = proto_item_add_subtree(ti, ett_ether2);
492 addr_item=proto_tree_add_ether(fh_tree, hf_eth_dst, tvb, 0, 6, dst_addr);
494 addr_tree = proto_item_add_subtree(addr_item, ett_addr);
496 addr_item=proto_tree_add_string(addr_tree, hf_eth_dst_resolved, tvb, 0, 6,
498 PROTO_ITEM_SET_GENERATED(addr_item);
499 PROTO_ITEM_SET_HIDDEN(addr_item);
500 proto_tree_add_ether(addr_tree, hf_eth_addr, tvb, 0, 6, dst_addr);
501 addr_item=proto_tree_add_string(addr_tree, hf_eth_addr_resolved, tvb, 0, 6,
503 PROTO_ITEM_SET_GENERATED(addr_item);
504 PROTO_ITEM_SET_HIDDEN(addr_item);
505 proto_tree_add_item(addr_tree, hf_eth_lg, tvb, 0, 3, ENC_BIG_ENDIAN);
506 proto_tree_add_item(addr_tree, hf_eth_ig, tvb, 0, 3, ENC_BIG_ENDIAN);
508 addr_item=proto_tree_add_ether(fh_tree, hf_eth_src, tvb, 6, 6, src_addr);
510 addr_tree = proto_item_add_subtree(addr_item, ett_addr);
511 if (tvb_get_guint8(tvb, 6) & 0x01) {
512 expert_add_info(pinfo, addr_item, &ei_eth_src_not_group);
515 addr_item=proto_tree_add_string(addr_tree, hf_eth_src_resolved, tvb, 6, 6,
517 PROTO_ITEM_SET_GENERATED(addr_item);
518 PROTO_ITEM_SET_HIDDEN(addr_item);
519 proto_tree_add_ether(addr_tree, hf_eth_addr, tvb, 6, 6, src_addr);
520 addr_item=proto_tree_add_string(addr_tree, hf_eth_addr_resolved, tvb, 6, 6,
522 PROTO_ITEM_SET_GENERATED(addr_item);
523 PROTO_ITEM_SET_HIDDEN(addr_item);
524 proto_tree_add_item(addr_tree, hf_eth_lg, tvb, 6, 3, ENC_BIG_ENDIAN);
525 proto_tree_add_item(addr_tree, hf_eth_ig, tvb, 6, 3, ENC_BIG_ENDIAN);
527 ethertype_data.etype = ehdr->type;
528 ethertype_data.offset_after_ethertype = ETH_HEADER_SIZE;
529 ethertype_data.fh_tree = fh_tree;
530 ethertype_data.etype_id = hf_eth_type;
531 ethertype_data.trailer_id = hf_eth_trailer;
532 ethertype_data.fcs_len = fcs_len;
534 call_dissector_with_data(ethertype_handle, tvb, pinfo, parent_tree, ðertype_data);
540 static gboolean check_is_802_2(tvbuff_t *tvb, int fcs_len)
542 volatile gboolean is_802_2;
544 gint captured_length, reported_length;
548 /* Is there an 802.2 layer? I can tell by looking at the first 2
549 bytes after the 802.3 header. If they are 0xffff, then what
550 follows the 802.3 header is an IPX payload, meaning no 802.2.
551 A non-0xffff value means that there's an 802.2 layer or CCSDS
552 layer inside the 802.3 layer */
555 if (tvb_get_ntohs(tvb, 14) == 0xffff) {
558 /* Is this a CCSDS payload instead of an 802.2 (LLC)?
559 Check the conditions enabled by the user for CCSDS presence */
560 else if (ccsds_heuristic_length || ccsds_heuristic_version ||
561 ccsds_heuristic_header || ccsds_heuristic_bit) {
562 gboolean CCSDS_len = TRUE;
563 gboolean CCSDS_ver = TRUE;
564 gboolean CCSDS_head = TRUE;
565 gboolean CCSDS_bit = TRUE;
566 /* See if the reported payload size matches the
567 size contained in the CCSDS header. */
568 if (ccsds_heuristic_length) {
569 /* The following technique to account for FCS
570 is copied from packet-ieee8023.c dissect_802_3() */
571 length = tvb_get_ntohs(tvb, 12);
572 reported_length = tvb_reported_length_remaining(tvb, ETH_HEADER_SIZE);
574 if (reported_length >= fcs_len)
575 reported_length -= fcs_len;
577 /* Make sure the length in the 802.3 header doesn't go past the end of
579 if (length > reported_length) {
580 length = reported_length;
582 /* Only allow inspection of 'length' number of bytes. */
583 captured_length = tvb_captured_length_remaining(tvb, ETH_HEADER_SIZE);
584 if (captured_length > length)
585 captured_length = length;
587 /* Check if payload is large enough to contain a CCSDS header */
588 if (captured_length >= 6) {
589 /* Compare length to packet length contained in CCSDS header. */
590 if (length != 7 + tvb_get_ntohs(tvb, ETH_HEADER_SIZE + 4))
594 /* Check if CCSDS Version number (first 3 bits of payload) is zero */
595 if ((ccsds_heuristic_version) && (tvb_get_bits8(tvb, 8*ETH_HEADER_SIZE, 3)!=0))
597 /* Check if Secondary Header Flag (4th bit of payload) is set to one. */
598 if ((ccsds_heuristic_header) && (tvb_get_bits8(tvb, 8*ETH_HEADER_SIZE + 4, 1)!=1))
600 /* Check if spare bit (1st bit of 7th word of payload) is zero. */
601 if ((ccsds_heuristic_bit) && (tvb_get_bits8(tvb, 8*ETH_HEADER_SIZE + 16*6, 1)!=0))
603 /* If all the conditions are true, don't interpret payload as an 802.2 (LLC).
604 * Additional check in packet-802.3.c will distinguish between
605 * IPX and CCSDS packets*/
606 if (CCSDS_len && CCSDS_ver && CCSDS_head && CCSDS_bit)
610 CATCH_BOUNDS_ERRORS {
620 * Add an Ethernet trailer - which, for some captures, might be the FCS
621 * rather than a pad-to-60-bytes trailer.
623 * If fcs_len is 0, we assume the frame has no FCS; if it's 4, we assume
624 * it has an FCS; if it's anything else (such as -1, which means "maybe
625 * it does, maybe it doesn't"), we try to infer whether it has an FCS.
628 add_ethernet_trailer(packet_info *pinfo, proto_tree *tree, proto_tree *fh_tree,
629 int trailer_id, tvbuff_t *tvb, tvbuff_t *trailer_tvb, int fcs_len)
631 /* If there're some bytes left over, it could be a combination of:
632 - padding to meet the minimum 64 byte frame length
633 - an FCS, if present (if fcs_len is 0, we know it's not present;
634 if fcs_len is 4, we know it's present; if fcs_len is -1, we
635 need some heuristics to determine whether it's present)
636 - information inserted by TAPs or other network monitoring equipment.
638 If we don't know whether the FCS is present, then, if we don't have a
639 network monitoring trailer, and if the Ethernet frame was claimed to
640 have had 64 or more bytes - i.e., it was at least an FCS worth of data
641 longer than the minimum payload size - we could assume the last 4 bytes
642 of the trailer are an FCS. */
644 proto_tree *checksum_tree;
645 heur_dtbl_entry_t *hdtbl_entry;
648 guint trailer_length, trailer_reported_length;
649 guint padding_length = 0;
650 gboolean has_fcs = FALSE;
651 tvbuff_t *real_trailer_tvb;
653 trailer_length = tvb_captured_length(trailer_tvb);
654 trailer_reported_length = tvb_reported_length(trailer_tvb);
656 /* There can not have been padding when the length of the frame (including the
657 trailer) is less than 60 bytes. */
658 if (eth_assume_padding && pinfo->fd->pkt_len>=60) {
659 /* Calculate the amount of padding needed for a minimum sized frame */
660 if ( (pinfo->fd->pkt_len - trailer_reported_length) < 60 )
661 padding_length = 60 - (pinfo->fd->pkt_len - trailer_reported_length);
663 /* Add the padding to the tree, unless it should be treated as
664 part of the trailer and therefor be handed over to (one of)
665 the ethernet-trailer dissectors */
666 if (padding_length > 0) {
667 tvb_ensure_bytes_exist(tvb, 0, padding_length);
668 proto_tree_add_item(fh_tree, hf_eth_padding, trailer_tvb, 0,
669 padding_length, ENC_NA);
670 trailer_length -= padding_length;
671 trailer_reported_length -= padding_length;
676 /* If fcs_len is 4, we assume we definitely have an FCS.
677 Otherwise, then, if the frame is big enough that, if we
678 have a trailer, it probably inclues an FCS, and we have
679 enough space in the trailer for the FCS, we assume we
682 "Big enough" means 64 bytes or more; any frame that big
683 needs no trailer, as there's no need to pad an Ethernet
684 packet past 60 bytes.
686 The trailer must be at least 4 bytes long to have enough
689 if (fcs_len == 4 || (tvb_reported_length(tvb) >= 64 &&
690 trailer_reported_length >= 4)) {
691 /* Either we know we have an FCS, or we believe we have an FCS. */
692 if (trailer_length < trailer_reported_length) {
693 /* The packet is claimed to have enough data for a 4-byte FCS,
694 but we didn't capture all of the packet.
695 Slice off the 4-byte FCS from the reported length, and
696 trim the captured length so it's no more than the reported
697 length; that will slice off what of the FCS, if any, is
698 in the captured packet. */
699 trailer_reported_length -= 4;
700 if (trailer_length > trailer_reported_length)
701 trailer_length = trailer_reported_length;
704 /* We captured all of the packet, including what appears to
705 be a 4-byte FCS. Slice it off. */
707 trailer_reported_length -= 4;
713 /* Create a new tvb without the padding and/or the (assumed) fcs */
715 real_trailer_tvb = tvb_new_subset(trailer_tvb, padding_length,
716 trailer_length, trailer_reported_length);
718 real_trailer_tvb = tvb_new_subset_remaining(trailer_tvb, padding_length);
720 /* Call all ethernet trailer dissectors to dissect the trailer if
721 we actually have a trailer. */
722 if (tvb_reported_length(real_trailer_tvb) != 0) {
723 if (dissector_try_heuristic(eth_trailer_subdissector_list,
724 real_trailer_tvb, pinfo, tree, &hdtbl_entry, NULL) ) {
725 /* If we're not sure that there is a FCS, all trailer data
726 has been given to the ethernet-trailer dissector, so
727 stop dissecting here */
731 /* No luck with the trailer dissectors, so just display the
732 extra bytes as general trailer */
733 if (trailer_length != 0) {
734 tvb_ensure_bytes_exist(tvb, 0, trailer_length);
735 proto_tree_add_item(fh_tree, trailer_id, real_trailer_tvb, 0,
736 trailer_length, ENC_NA);
742 guint32 sent_fcs = tvb_get_ntohl(trailer_tvb, padding_length+trailer_length);
744 guint32 fcs = crc32_802_tvb(tvb, tvb_captured_length(tvb) - 4);
745 if (fcs == sent_fcs) {
746 item = proto_tree_add_uint_format_value(fh_tree, hf_eth_fcs, trailer_tvb,
747 padding_length+trailer_length, 4, sent_fcs,
748 "0x%08x [correct]", sent_fcs);
749 checksum_tree = proto_item_add_subtree(item, ett_eth_fcs);
750 item = proto_tree_add_boolean(checksum_tree, hf_eth_fcs_good, trailer_tvb,
751 padding_length+trailer_length, 4, TRUE);
752 PROTO_ITEM_SET_GENERATED(item);
753 item = proto_tree_add_boolean(checksum_tree, hf_eth_fcs_bad, trailer_tvb,
754 padding_length+trailer_length, 4, FALSE);
755 PROTO_ITEM_SET_GENERATED(item);
757 item = proto_tree_add_uint_format_value(fh_tree, hf_eth_fcs, trailer_tvb,
758 padding_length+trailer_length, 4, sent_fcs,
759 "0x%08x [incorrect, should be 0x%08x]",
761 checksum_tree = proto_item_add_subtree(item, ett_eth_fcs);
762 item = proto_tree_add_boolean(checksum_tree, hf_eth_fcs_good, trailer_tvb,
763 padding_length+trailer_length, 4, FALSE);
764 PROTO_ITEM_SET_GENERATED(item);
765 item = proto_tree_add_boolean(checksum_tree, hf_eth_fcs_bad, trailer_tvb,
766 padding_length+trailer_length, 4, TRUE);
767 PROTO_ITEM_SET_GENERATED(item);
768 expert_add_info(pinfo, item, &ei_eth_fcs_bad);
769 col_append_str(pinfo->cinfo, COL_INFO, " [ETHERNET FRAME CHECK SEQUENCE INCORRECT]");
772 item = proto_tree_add_uint_format_value(fh_tree, hf_eth_fcs, trailer_tvb,
773 padding_length+trailer_length, 4, sent_fcs,
774 "0x%08x [validation disabled]", sent_fcs);
775 checksum_tree = proto_item_add_subtree(item, ett_eth_fcs);
776 item = proto_tree_add_boolean(checksum_tree, hf_eth_fcs_good, trailer_tvb,
777 padding_length+trailer_length, 4, FALSE);
778 PROTO_ITEM_SET_GENERATED(item);
779 item = proto_tree_add_boolean(checksum_tree, hf_eth_fcs_bad, trailer_tvb,
780 padding_length+trailer_length, 4, FALSE);
781 PROTO_ITEM_SET_GENERATED(item);
785 proto_tree_set_appendix(fh_tree, tvb, tvb_captured_length(tvb) - padding_length - trailer_length, padding_length + trailer_length);
789 /* Called for the Ethernet Wiretap encapsulation type; pass the FCS length
790 reported to us, or, if the "assume_fcs" preference is set, pass 4. */
792 dissect_eth_maybefcs(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
796 /* Some devices slice the packet and add their own trailer before
797 putting the frame on the network. Make sure these packets get
798 a proper trailer (even though the sliced frame might not
800 if ( (eth_trailer_length > 0) && (eth_trailer_length < tvb_captured_length(tvb)) ) {
802 guint total_trailer_length;
804 total_trailer_length = eth_trailer_length + (eth_assume_fcs ? 4 : 0);
806 /* Dissect the tvb up to, but not including the trailer */
807 next_tvb = tvb_new_subset(tvb, 0,
808 tvb_captured_length(tvb) - total_trailer_length,
809 tvb_reported_length(tvb) - total_trailer_length);
810 fh_tree = dissect_eth_common(next_tvb, pinfo, tree, 0);
812 /* Now handle the ethernet trailer and optional FCS */
813 next_tvb = tvb_new_subset_remaining(tvb, tvb_captured_length(tvb) - total_trailer_length);
814 add_ethernet_trailer(pinfo, tree, fh_tree, hf_eth_trailer, tvb, next_tvb,
815 eth_assume_fcs ? 4 : pinfo->pseudo_header->eth.fcs_len);
817 dissect_eth_common(tvb, pinfo, tree, eth_assume_fcs ? 4 : pinfo->pseudo_header->eth.fcs_len);
821 /* Called by other dissectors This one's for encapsulated Ethernet
822 packets that don't include an FCS. */
824 dissect_eth_withoutfcs(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
826 dissect_eth_common(tvb, pinfo, tree, 0);
829 /* ...and this one's for encapsulated packets that do. */
831 dissect_eth_withfcs(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
833 dissect_eth_common(tvb, pinfo, tree, 4);
837 proto_register_eth(void)
839 static hf_register_info hf[] = {
842 { "Destination", "eth.dst", FT_ETHER, BASE_NONE, NULL, 0x0,
843 "Destination Hardware Address", HFILL }},
845 { &hf_eth_dst_resolved,
846 { "Destination (resolved)", "eth.dst_resolved", FT_STRING, BASE_NONE,
847 NULL, 0x0, "Destination Hardware Address (resolved)", HFILL }},
850 { "Source", "eth.src", FT_ETHER, BASE_NONE, NULL, 0x0,
851 "Source Hardware Address", HFILL }},
853 { &hf_eth_src_resolved,
854 { "Source (resolved)", "eth.src_resolved", FT_STRING, BASE_NONE,
855 NULL, 0x0, "Source Hardware Address (resolved)", HFILL }},
858 { "Length", "eth.len", FT_UINT16, BASE_DEC, NULL, 0x0,
861 /* registered here but handled in packet-ethertype.c */
863 { "Type", "eth.type", FT_UINT16, BASE_HEX, VALS(etype_vals), 0x0,
866 { &hf_eth_invalid_lentype,
867 { "Invalid length/type", "eth.invalid_lentype", FT_UINT16, BASE_HEX_DEC,
868 NULL, 0x0, NULL, HFILL }},
871 { "Address", "eth.addr", FT_ETHER, BASE_NONE, NULL, 0x0,
872 "Source or Destination Hardware Address", HFILL }},
874 { &hf_eth_addr_resolved,
875 { "Address (resolved)", "eth.addr_resolved", FT_STRING, BASE_NONE,
876 NULL, 0x0, "Source or Destination Hardware Address (resolved)",
880 { "Padding", "eth.padding", FT_BYTES, BASE_NONE, NULL, 0x0,
881 "Ethernet Padding", HFILL }},
884 { "Trailer", "eth.trailer", FT_BYTES, BASE_NONE, NULL, 0x0,
885 "Ethernet Trailer or Checksum", HFILL }},
888 { "Frame check sequence", "eth.fcs", FT_UINT32, BASE_HEX, NULL, 0x0,
889 "Ethernet checksum", HFILL }},
892 { "FCS Good", "eth.fcs_good", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
893 "True: checksum matches packet content; False: doesn't match content or not checked", HFILL }},
896 { "FCS Bad", "eth.fcs_bad", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
897 "True: checksum doesn't matche packet content; False: does match content or not checked", HFILL }},
900 { "LG bit", "eth.lg", FT_BOOLEAN, 24,
901 TFS(&lg_tfs), 0x020000,
902 "Specifies if this is a locally administered or globally unique (IEEE assigned) address", HFILL }},
905 { "IG bit", "eth.ig", FT_BOOLEAN, 24,
906 TFS(&ig_tfs), 0x010000,
907 "Specifies if this is an individual (unicast) or group (broadcast/multicast) address", HFILL }}
909 static gint *ett[] = {
917 static ei_register_info ei[] = {
918 { &ei_eth_invalid_lentype, { "eth.invalid_lentype", PI_PROTOCOL, PI_WARN, "Invalid length/type", EXPFILL }},
919 { &ei_eth_src_not_group, { "eth.src_not_group", PI_PROTOCOL, PI_WARN, "Source MAC must not be a group address: IEEE 802.3-2002, Section 3.2.3(b)", EXPFILL }},
920 { &ei_eth_fcs_bad, { "eth.fcs_bad.expert", PI_CHECKSUM, PI_ERROR, "Bad checksum", EXPFILL }},
921 { &ei_eth_len, { "eth.len.past_end", PI_MALFORMED, PI_ERROR, "Length field value goes past the end of the payload", EXPFILL }},
924 module_t *eth_module;
925 expert_module_t* expert_eth;
927 proto_eth = proto_register_protocol("Ethernet", "Ethernet", "eth");
928 proto_register_field_array(proto_eth, hf, array_length(hf));
929 proto_register_subtree_array(ett, array_length(ett));
930 expert_eth = expert_register_protocol(proto_eth);
931 expert_register_field_array(expert_eth, ei, array_length(ei));
933 /* subdissector code */
934 register_heur_dissector_list("eth", &heur_subdissector_list);
935 register_heur_dissector_list("eth.trailer", ð_trailer_subdissector_list);
937 /* Register configuration preferences */
938 eth_module = prefs_register_protocol(proto_eth, NULL);
940 prefs_register_bool_preference(eth_module, "assume_padding",
941 "Assume short frames which include a trailer contain padding",
942 "Some devices add trailing data to frames. When this setting is checked "
943 "the Ethernet dissector will assume there has been added padding to the "
944 "frame before the trailer was added. Uncheck if a device added a trailer "
945 "before the frame was padded.",
946 ð_assume_padding);
948 prefs_register_uint_preference(eth_module, "trailer_length",
949 "Fixed ethernet trailer length",
950 "Some TAPs add a fixed length ethernet trailer at the end "
951 "of the frame, but before the (optional) FCS. Make sure it "
952 "gets interpreted correctly.",
953 10, ð_trailer_length);
955 prefs_register_bool_preference(eth_module, "assume_fcs",
956 "Assume packets have FCS",
957 "Some Ethernet adapters and drivers include the FCS at the end of a packet, others do not. "
958 "The Ethernet dissector attempts to guess whether a captured packet has an FCS, "
959 "but it cannot always guess correctly.",
962 prefs_register_bool_preference(eth_module, "check_fcs",
963 "Validate the Ethernet checksum if possible",
964 "Whether to validate the Frame Check Sequence",
967 prefs_register_bool_preference(eth_module, "interpret_as_fw1_monitor",
968 "Attempt to interpret as FireWall-1 monitor file",
969 "Whether packets should be interpreted as coming from CheckPoint FireWall-1 monitor file if they look as if they do",
970 ð_interpret_as_fw1_monitor);
972 prefs_register_static_text_preference(eth_module, "ccsds_heuristic",
973 "These are the conditions to match a payload against in order to determine if this\n"
974 "is a CCSDS (Consultative Committee for Space Data Systems) packet within\n"
975 "an 802.3 packet. A packet is considered as a possible CCSDS packet only if\n"
976 "one or more of the conditions are checked.",
977 "Describe the conditions that must be true for the CCSDS dissector to be called");
979 prefs_register_bool_preference(eth_module, "ccsds_heuristic_length",
980 "CCSDS Length in header matches payload size",
981 "Set the condition that must be true for the CCSDS dissector to be called",
982 &ccsds_heuristic_length);
984 prefs_register_bool_preference(eth_module, "ccsds_heuristic_version",
985 "CCSDS Version # is zero",
986 "Set the condition that must be true for the CCSDS dissector to be called",
987 &ccsds_heuristic_version);
989 prefs_register_bool_preference(eth_module, "ccsds_heuristic_header",
990 "CCSDS Secondary Header Flag is set",
991 "Set the condition that must be true for the CCSDS dissector to be called",
992 &ccsds_heuristic_header);
994 prefs_register_bool_preference(eth_module, "ccsds_heuristic_bit",
995 "CCSDS Spare bit is cleared",
996 "Set the condition that must be true for the CCSDS dissector to be called",
997 &ccsds_heuristic_bit);
999 register_dissector("eth_withoutfcs", dissect_eth_withoutfcs, proto_eth);
1000 register_dissector("eth_withfcs", dissect_eth_withfcs, proto_eth);
1001 register_dissector("eth", dissect_eth_maybefcs, proto_eth);
1002 eth_tap = register_tap("eth");
1004 register_conversation_table(proto_eth, TRUE, eth_conversation_packet, eth_hostlist_packet, NULL);
1008 proto_reg_handoff_eth(void)
1010 dissector_handle_t eth_maybefcs_handle, eth_withoutfcs_handle;
1012 /* Get a handle for the Firewall-1 dissector. */
1013 fw1_handle = find_dissector("fw1");
1015 /* Get a handle for the ethertype dissector. */
1016 ethertype_handle = find_dissector("ethertype");
1018 /* Get a handle for the generic data dissector. */
1019 data_handle = find_dissector("data");
1021 eth_maybefcs_handle = find_dissector("eth");
1022 dissector_add_uint("wtap_encap", WTAP_ENCAP_ETHERNET, eth_maybefcs_handle);
1024 eth_withoutfcs_handle = find_dissector("eth_withoutfcs");
1025 dissector_add_uint("ethertype", ETHERTYPE_ETHBRIDGE, eth_withoutfcs_handle);
1026 dissector_add_uint("erf.types.type", ERF_TYPE_ETH, eth_withoutfcs_handle);
1027 dissector_add_uint("chdlc.protocol", ETHERTYPE_ETHBRIDGE, eth_withoutfcs_handle);
1028 dissector_add_uint("gre.proto", ETHERTYPE_ETHBRIDGE, eth_withoutfcs_handle);
1029 dissector_add_uint("juniper.proto", JUNIPER_PROTO_ETHER, eth_withoutfcs_handle);
1031 dissector_add_uint("sll.ltype", LINUX_SLL_P_ETHERNET, eth_withoutfcs_handle);
1034 * This is to handle the output for the Cisco CMTS "cable intercept"
1035 * command - it encapsulates Ethernet frames in UDP packets, but
1036 * the UDP port is user-defined.
1038 dissector_add_for_decode_as("udp.port", eth_withoutfcs_handle);
1042 * Editor modelines - http://www.wireshark.org/tools/modelines.html
1047 * indent-tabs-mode: nil
1050 * ex: set shiftwidth=2 tabstop=8 expandtab:
1051 * :indentSize=2:tabSize=8:noTabs=true: