2 * Routines for ethernet packet disassembly
6 * Wireshark - Network traffic analyzer
7 * By Gerald Combs <gerald@wireshark.org>
8 * Copyright 1998 Gerald Combs
10 * This program is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU General Public License
12 * as published by the Free Software Foundation; either version 2
13 * of the License, or (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
28 #include <epan/packet.h>
29 #include <epan/prefs.h>
30 #include <epan/etypes.h>
31 #include <epan/addr_resolv.h>
32 #include "packet-eth.h"
33 #include "packet-ieee8023.h"
34 #include "packet-ipx.h"
35 #include "packet-isl.h"
36 #include "packet-llc.h"
37 #include "packet-sll.h"
38 #include "packet-usb.h"
39 #include <epan/crc32-tvb.h>
41 #include <epan/expert.h>
43 void proto_register_eth(void);
44 void proto_reg_handoff_eth(void);
46 /* Assume all packets have an FCS */
47 static gboolean eth_assume_padding = TRUE;
48 static gboolean eth_assume_fcs = FALSE;
49 static gboolean eth_check_fcs = TRUE;
50 /* Interpret packets as FW1 monitor file packets if they look as if they are */
51 static gboolean eth_interpret_as_fw1_monitor = FALSE;
52 /* Preference settings defining conditions for which the CCSDS dissector is called */
53 static gboolean ccsds_heuristic_length = FALSE;
54 static gboolean ccsds_heuristic_version = FALSE;
55 static gboolean ccsds_heuristic_header = FALSE;
56 static gboolean ccsds_heuristic_bit = FALSE;
58 /* protocols and header fields */
59 static int proto_eth = -1;
60 static int hf_eth_dst = -1;
61 static int hf_eth_src = -1;
62 static int hf_eth_len = -1;
63 static int hf_eth_type = -1;
64 static int hf_eth_invalid_lentype = -1;
65 static int hf_eth_addr = -1;
66 static int hf_eth_lg = -1;
67 static int hf_eth_ig = -1;
68 static int hf_eth_padding = -1;
69 static int hf_eth_trailer = -1;
70 static int hf_eth_fcs = -1;
71 static int hf_eth_fcs_good = -1;
72 static int hf_eth_fcs_bad = -1;
74 static gint ett_ieee8023 = -1;
75 static gint ett_ether2 = -1;
76 static gint ett_ether = -1;
77 static gint ett_addr = -1;
78 static gint ett_eth_fcs = -1;
80 static expert_field ei_eth_invalid_lentype = EI_INIT;
81 static expert_field ei_eth_src_not_group = EI_INIT;
82 static expert_field ei_eth_fcs_bad = EI_INIT;
84 static dissector_handle_t fw1_handle;
85 static dissector_handle_t data_handle;
86 static heur_dissector_list_t heur_subdissector_list;
87 static heur_dissector_list_t eth_trailer_subdissector_list;
89 static int eth_tap = -1;
91 #define ETH_HEADER_SIZE 14
93 static const true_false_string ig_tfs = {
94 "Group address (multicast/broadcast)",
95 "Individual address (unicast)"
97 static const true_false_string lg_tfs = {
98 "Locally administered address (this is NOT the factory default)",
99 "Globally unique address (factory default)"
102 /* These are the Netware-ish names for the different Ethernet frame types.
103 EthernetII: The ethernet with a Type field instead of a length field
104 Ethernet802.2: An 802.3 header followed by an 802.2 header
105 Ethernet802.3: A raw 802.3 packet. IPX/SPX can be the only payload.
106 There's no 802.2 hdr in this.
107 EthernetSNAP: Basically 802.2, just with 802.2SNAP. For our purposes,
108 there's no difference between 802.2 and 802.2SNAP, since we just
109 pass it down to the LLC dissector. -- Gilbert
111 #define ETHERNET_II 0
112 #define ETHERNET_802_2 1
113 #define ETHERNET_802_3 2
114 #define ETHERNET_SNAP 3
117 capture_eth(const guchar *pd, int offset, int len, packet_counts *ld)
119 guint16 etype, length;
120 int ethhdr_type; /* the type of ethernet frame */
122 if (!BYTES_ARE_IN_FRAME(offset, len, ETH_HEADER_SIZE)) {
127 etype = pntohs(&pd[offset+12]);
129 if (etype <= IEEE_802_3_MAX_LEN) {
130 /* Oh, yuck. Cisco ISL frames require special interpretation of the
131 destination address field; fortunately, they can be recognized by
132 checking the first 5 octets of the destination address, which are
133 01-00-0C-00-00 or 0C-00-0C-00-00 for ISL frames. */
134 if ((pd[offset] == 0x01 || pd[offset] == 0x0C) && pd[offset+1] == 0x00
135 && pd[offset+2] == 0x0C && pd[offset+3] == 0x00
136 && pd[offset+4] == 0x00) {
137 capture_isl(pd, offset, len, ld);
143 * If the type/length field is <= the maximum 802.3 length,
144 * and is not zero, this is an 802.3 frame, and it's a length
145 * field; it might be an Novell "raw 802.3" frame, with no
146 * 802.2 LLC header, or it might be a frame with an 802.2 LLC
149 * If the type/length field is >= the minimum Ethernet II length,
150 * this is an Ethernet II frame, and it's a type field.
152 * If the type/length field is > maximum 802.3 length and < minimum
153 * Ethernet II length, then this is an invalid packet.
155 * If the type/length field is zero (ETHERTYPE_UNK), this is
156 * a frame used internally by the Cisco MDS switch to contain
157 * Fibre Channel ("Vegas"). We treat that as an Ethernet II
158 * frame; the dissector for those frames registers itself with
159 * an ethernet type of ETHERTYPE_UNK.
161 if (etype > IEEE_802_3_MAX_LEN && etype < ETHERNET_II_MIN_LEN) {
166 if (etype <= IEEE_802_3_MAX_LEN && etype != ETHERTYPE_UNK) {
169 /* Is there an 802.2 layer? I can tell by looking at the first 2
170 bytes after the 802.3 header. If they are 0xffff, then what
171 follows the 802.3 header is an IPX payload, meaning no 802.2.
172 (IPX/SPX is they only thing that can be contained inside a
173 straight 802.3 packet). A non-0xffff value means that there's an
174 802.2 layer inside the 802.3 layer */
175 if (pd[offset+14] == 0xff && pd[offset+15] == 0xff) {
176 ethhdr_type = ETHERNET_802_3;
179 ethhdr_type = ETHERNET_802_2;
182 /* Convert the LLC length from the 802.3 header to a total
183 frame length, by adding in the size of any data that preceded
184 the Ethernet header, and adding in the Ethernet header size,
185 and set the payload and captured-payload lengths to the minima
186 of the total length and the frame lengths. */
187 length += offset + ETH_HEADER_SIZE;
191 ethhdr_type = ETHERNET_II;
193 offset += ETH_HEADER_SIZE;
195 switch (ethhdr_type) {
200 capture_llc(pd, offset, len, ld);
203 capture_ethertype(etype, pd, offset, len, ld);
208 static gboolean check_is_802_2(tvbuff_t *tvb, int fcs_len);
211 dissect_eth_common(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
214 proto_item *ti = NULL;
217 proto_tree *fh_tree = NULL;
218 const guint8 *src_addr, *dst_addr;
219 static eth_hdr ehdrs[4];
220 static int ehdr_num=0;
222 proto_item *addr_item;
223 proto_tree *addr_tree=NULL;
229 ehdr=&ehdrs[ehdr_num];
233 col_set_str(pinfo->cinfo, COL_PROTOCOL, "Ethernet");
235 src_addr=tvb_get_ptr(tvb, 6, 6);
236 SET_ADDRESS(&pinfo->dl_src, AT_ETHER, 6, src_addr);
237 SET_ADDRESS(&pinfo->src, AT_ETHER, 6, src_addr);
238 SET_ADDRESS(&ehdr->src, AT_ETHER, 6, src_addr);
239 dst_addr=tvb_get_ptr(tvb, 0, 6);
240 SET_ADDRESS(&pinfo->dl_dst, AT_ETHER, 6, dst_addr);
241 SET_ADDRESS(&pinfo->dst, AT_ETHER, 6, dst_addr);
242 SET_ADDRESS(&ehdr->dst, AT_ETHER, 6, dst_addr);
244 ehdr->type = tvb_get_ntohs(tvb, 12);
246 tap_queue_packet(eth_tap, pinfo, ehdr);
249 * In case the packet is a non-Ethernet packet inside
250 * Ethernet framing, allow heuristic dissectors to take
251 * a first look before we assume that it's actually an
254 if (dissector_try_heuristic(heur_subdissector_list, tvb, pinfo, parent_tree, NULL))
257 if (ehdr->type <= IEEE_802_3_MAX_LEN) {
258 /* Oh, yuck. Cisco ISL frames require special interpretation of the
259 destination address field; fortunately, they can be recognized by
260 checking the first 5 octets of the destination address, which are
261 01-00-0C-00-00 for ISL frames. */
262 if ((tvb_get_guint8(tvb, 0) == 0x01 ||
263 tvb_get_guint8(tvb, 0) == 0x0C) &&
264 tvb_get_guint8(tvb, 1) == 0x00 &&
265 tvb_get_guint8(tvb, 2) == 0x0C &&
266 tvb_get_guint8(tvb, 3) == 0x00 &&
267 tvb_get_guint8(tvb, 4) == 0x00) {
268 dissect_isl(tvb, pinfo, parent_tree, fcs_len);
274 * If the type/length field is <= the maximum 802.3 length,
275 * and is not zero, this is an 802.3 frame, and it's a length
276 * field; it might be an Novell "raw 802.3" frame, with no
277 * 802.2 LLC header, or it might be a frame with an 802.2 LLC
280 * If the type/length field is >= the minimum Ethernet II length,
281 * this is an Ethernet II frame, and it's a type field.
283 * If the type/length field is > maximum 802.3 length and < minimum
284 * Ethernet II length, then this is an invalid packet.
286 * If the type/length field is zero (ETHERTYPE_UNK), this is
287 * a frame used internally by the Cisco MDS switch to contain
288 * Fibre Channel ("Vegas"). We treat that as an Ethernet II
289 * frame; the dissector for those frames registers itself with
290 * an ethernet type of ETHERTYPE_UNK.
292 if (ehdr->type > IEEE_802_3_MAX_LEN && ehdr->type < ETHERNET_II_MIN_LEN) {
295 col_add_fstr(pinfo->cinfo, COL_INFO,
296 "Ethernet Unknown: Invalid length/type: 0x%04x (%d)",
297 ehdr->type, ehdr->type);
298 ti = proto_tree_add_protocol_format(tree, proto_eth, tvb, 0, ETH_HEADER_SIZE,
299 "Ethernet Unknown, Src: %s (%s), Dst: %s (%s)",
300 get_ether_name(src_addr), ether_to_str(src_addr),
301 get_ether_name(dst_addr), ether_to_str(dst_addr));
302 fh_tree = proto_item_add_subtree(ti, ett_ether);
303 addr_item = proto_tree_add_ether(fh_tree, hf_eth_dst, tvb, 0, 6, dst_addr);
305 addr_tree = proto_item_add_subtree(addr_item, ett_addr);
306 proto_tree_add_ether(addr_tree, hf_eth_addr, tvb, 0, 6, dst_addr);
307 proto_tree_add_item(addr_tree, hf_eth_lg, tvb, 0, 3, ENC_BIG_ENDIAN);
308 proto_tree_add_item(addr_tree, hf_eth_ig, tvb, 0, 3, ENC_BIG_ENDIAN);
310 addr_item = proto_tree_add_ether(fh_tree, hf_eth_src, tvb, 6, 6, src_addr);
312 addr_tree = proto_item_add_subtree(addr_item, ett_addr);
313 proto_tree_add_ether(addr_tree, hf_eth_addr, tvb, 6, 6, src_addr);
314 proto_tree_add_item(addr_tree, hf_eth_lg, tvb, 6, 3, ENC_BIG_ENDIAN);
315 proto_tree_add_item(addr_tree, hf_eth_ig, tvb, 6, 3, ENC_BIG_ENDIAN);
317 ti = proto_tree_add_item(fh_tree, hf_eth_invalid_lentype, tvb, 12, 2, ENC_BIG_ENDIAN);
318 expert_add_info_format_text(pinfo, ti, &ei_eth_invalid_lentype,
319 "Invalid length/type: 0x%04x (%d)", ehdr->type, ehdr->type);
320 next_tvb = tvb_new_subset_remaining(tvb, 14);
321 call_dissector(data_handle, next_tvb, pinfo, parent_tree);
325 if (ehdr->type <= IEEE_802_3_MAX_LEN && ehdr->type != ETHERTYPE_UNK) {
327 is_802_2 = check_is_802_2(tvb, fcs_len);
329 col_add_fstr(pinfo->cinfo, COL_INFO, "IEEE 802.3 Ethernet %s",
330 (is_802_2 ? "" : "Raw "));
332 ti = proto_tree_add_protocol_format(tree, proto_eth, tvb, 0, ETH_HEADER_SIZE,
333 "IEEE 802.3 Ethernet %s", (is_802_2 ? "" : "Raw "));
335 fh_tree = proto_item_add_subtree(ti, ett_ieee8023);
338 /* if IP is not referenced from any filters we dont need to worry about
339 generating any tree items. We must do this after we created the actual
340 protocol above so that proto hier stat still works though.
342 if(!proto_field_is_referenced(parent_tree, proto_eth)){
347 addr_item=proto_tree_add_ether(fh_tree, hf_eth_dst, tvb, 0, 6, dst_addr);
349 addr_tree = proto_item_add_subtree(addr_item, ett_addr);
351 proto_tree_add_ether(addr_tree, hf_eth_addr, tvb, 0, 6, dst_addr);
352 proto_tree_add_item(addr_tree, hf_eth_lg, tvb, 0, 3, ENC_BIG_ENDIAN);
353 proto_tree_add_item(addr_tree, hf_eth_ig, tvb, 0, 3, ENC_BIG_ENDIAN);
355 addr_item=proto_tree_add_ether(fh_tree, hf_eth_src, tvb, 6, 6, src_addr);
357 addr_tree = proto_item_add_subtree(addr_item, ett_addr);
359 proto_tree_add_ether(addr_tree, hf_eth_addr, tvb, 6, 6, src_addr);
360 proto_tree_add_item(addr_tree, hf_eth_lg, tvb, 6, 3, ENC_BIG_ENDIAN);
361 proto_tree_add_item(addr_tree, hf_eth_ig, tvb, 6, 3, ENC_BIG_ENDIAN);
363 dissect_802_3(ehdr->type, is_802_2, tvb, ETH_HEADER_SIZE, pinfo,
364 parent_tree, fh_tree, hf_eth_len, hf_eth_trailer, fcs_len);
366 if (eth_interpret_as_fw1_monitor) {
367 if ((dst_addr[0] == 'i') || (dst_addr[0] == 'I') ||
368 (dst_addr[0] == 'o') || (dst_addr[0] == 'O')) {
369 call_dissector(fw1_handle, tvb, pinfo, parent_tree);
374 col_set_str(pinfo->cinfo, COL_INFO, "Ethernet II");
376 if (PTREE_DATA(parent_tree)->visible) {
377 ti = proto_tree_add_protocol_format(parent_tree, proto_eth, tvb, 0, ETH_HEADER_SIZE,
378 "Ethernet II, Src: %s (%s), Dst: %s (%s)",
379 get_ether_name(src_addr), ether_to_str(src_addr),
380 get_ether_name(dst_addr), ether_to_str(dst_addr));
383 ti = proto_tree_add_item(parent_tree, proto_eth, tvb, 0, ETH_HEADER_SIZE, ENC_NA);
385 fh_tree = proto_item_add_subtree(ti, ett_ether2);
388 addr_item=proto_tree_add_ether(fh_tree, hf_eth_dst, tvb, 0, 6, dst_addr);
390 addr_tree = proto_item_add_subtree(addr_item, ett_addr);
392 proto_tree_add_ether(addr_tree, hf_eth_addr, tvb, 0, 6, dst_addr);
393 proto_tree_add_item(addr_tree, hf_eth_lg, tvb, 0, 3, ENC_BIG_ENDIAN);
394 proto_tree_add_item(addr_tree, hf_eth_ig, tvb, 0, 3, ENC_BIG_ENDIAN);
396 addr_item=proto_tree_add_ether(fh_tree, hf_eth_src, tvb, 6, 6, src_addr);
398 addr_tree = proto_item_add_subtree(addr_item, ett_addr);
399 if (tvb_get_guint8(tvb, 6) & 0x01) {
400 expert_add_info(pinfo, addr_item, &ei_eth_src_not_group);
403 proto_tree_add_ether(addr_tree, hf_eth_addr, tvb, 6, 6, src_addr);
404 proto_tree_add_item(addr_tree, hf_eth_lg, tvb, 6, 3, ENC_BIG_ENDIAN);
405 proto_tree_add_item(addr_tree, hf_eth_ig, tvb, 6, 3, ENC_BIG_ENDIAN);
407 ethertype(ehdr->type, tvb, ETH_HEADER_SIZE, pinfo, parent_tree, fh_tree, hf_eth_type,
408 hf_eth_trailer, fcs_len);
413 static gboolean check_is_802_2(tvbuff_t *tvb, int fcs_len)
415 volatile gboolean is_802_2;
417 gint captured_length, reported_length;
421 /* Is there an 802.2 layer? I can tell by looking at the first 2
422 bytes after the 802.3 header. If they are 0xffff, then what
423 follows the 802.3 header is an IPX payload, meaning no 802.2.
424 A non-0xffff value means that there's an 802.2 layer or CCSDS
425 layer inside the 802.3 layer */
428 if (tvb_get_ntohs(tvb, 14) == 0xffff) {
431 /* Is this a CCSDS payload instead of an 802.2 (LLC)?
432 Check the conditions enabled by the user for CCSDS presence */
433 else if (ccsds_heuristic_length || ccsds_heuristic_version ||
434 ccsds_heuristic_header || ccsds_heuristic_bit) {
435 gboolean CCSDS_len = TRUE;
436 gboolean CCSDS_ver = TRUE;
437 gboolean CCSDS_head = TRUE;
438 gboolean CCSDS_bit = TRUE;
439 /* See if the reported payload size matches the
440 size contained in the CCSDS header. */
441 if (ccsds_heuristic_length) {
442 /* The following technique to account for FCS
443 is copied from packet-ieee8023.c dissect_802_3() */
444 length = tvb_get_ntohs(tvb, 12);
445 reported_length = tvb_reported_length_remaining(tvb, ETH_HEADER_SIZE);
447 if (reported_length >= fcs_len)
448 reported_length -= fcs_len;
450 /* Make sure the length in the 802.3 header doesn't go past the end of
452 if (length > reported_length) {
453 length = reported_length;
455 /* Only allow inspection of 'length' number of bytes. */
456 captured_length = tvb_length_remaining(tvb, ETH_HEADER_SIZE);
457 if (captured_length > length)
458 captured_length = length;
460 /* Check if payload is large enough to contain a CCSDS header */
461 if (captured_length >= 6) {
462 /* Compare length to packet length contained in CCSDS header. */
463 if (length != 7 + tvb_get_ntohs(tvb, ETH_HEADER_SIZE + 4))
467 /* Check if CCSDS Version number (first 3 bits of payload) is zero */
468 if ((ccsds_heuristic_version) && (tvb_get_bits8(tvb, 8*ETH_HEADER_SIZE, 3)!=0))
470 /* Check if Secondary Header Flag (4th bit of payload) is set to one. */
471 if ((ccsds_heuristic_header) && (tvb_get_bits8(tvb, 8*ETH_HEADER_SIZE + 4, 1)!=1))
473 /* Check if spare bit (1st bit of 7th word of payload) is zero. */
474 if ((ccsds_heuristic_bit) && (tvb_get_bits8(tvb, 8*ETH_HEADER_SIZE + 16*6, 1)!=0))
476 /* If all the conditions are true, don't interpret payload as an 802.2 (LLC).
477 * Additional check in packet-802.3.c will distinguish between
478 * IPX and CCSDS packets*/
479 if (CCSDS_len && CCSDS_ver && CCSDS_head && CCSDS_bit)
483 CATCH_BOUNDS_ERRORS {
493 * Add an Ethernet trailer - which, for some captures, might be the FCS
494 * rather than a pad-to-60-bytes trailer.
496 * If fcs_len is 0, we assume the frame has no FCS; if it's 4, we assume
497 * it has an FCS; if it's anything else (such as -1, which means "maybe
498 * it does, maybe it doesn't"), we try to infer whether it has an FCS.
501 add_ethernet_trailer(packet_info *pinfo, proto_tree *tree, proto_tree *fh_tree,
502 int trailer_id, tvbuff_t *tvb, tvbuff_t *trailer_tvb, int fcs_len)
504 /* If there're some bytes left over, it could be a combination of:
505 - padding to meet the minimum 64 byte frame length
506 - an FCS, if present (if fcs_len is 0, we know it's not present;
507 if fcs_len is 4, we know it's present; if fcs_len is -1, we
508 need some heuristics to determine whether it's present)
509 - information inserted by TAPs or other network monitoring equipment.
511 If we don't know whether the FCS is present, then, if we don't have a
512 network monitoring trailer, and if the Ethernet frame was claimed to
513 have had 64 or more bytes - i.e., it was at least an FCS worth of data
514 longer than the minimum payload size - we could assume the last 4 bytes
515 of the trailer are an FCS. */
517 proto_tree *checksum_tree;
519 if (trailer_tvb && fh_tree) {
520 guint trailer_length, trailer_reported_length;
521 guint padding_length = 0;
522 gboolean has_fcs = FALSE;
523 tvbuff_t *real_trailer_tvb;
525 trailer_length = tvb_length(trailer_tvb);
526 trailer_reported_length = tvb_reported_length(trailer_tvb);
528 /* There can not have been padding when the length of the frame (including the
529 trailer) is less than 60 bytes. */
530 if (eth_assume_padding && pinfo->fd->pkt_len>=60) {
531 /* Calculate the amount of padding needed for a minimum sized frame */
532 if ( (pinfo->fd->pkt_len - trailer_reported_length) < 60 )
533 padding_length = 60 - (pinfo->fd->pkt_len - trailer_reported_length);
535 /* Add the padding to the tree, unless it should be treated as
536 part of the trailer and therefor be handed over to (one of)
537 the ethernet-trailer dissectors */
538 if (padding_length > 0) {
539 tvb_ensure_bytes_exist(tvb, 0, padding_length);
540 proto_tree_add_item(fh_tree, hf_eth_padding, trailer_tvb, 0,
541 padding_length, ENC_NA);
542 trailer_length -= padding_length;
543 trailer_reported_length -= padding_length;
548 /* If fcs_len is 4, we assume we definitely have an FCS.
549 Otherwise, then, if the frame is big enough that, if we
550 have a trailer, it probably inclues an FCS, and we have
551 enough space in the trailer for the FCS, we assume we
554 "Big enough" means 64 bytes or more; any frame that big
555 needs no trailer, as there's no need to pad an Ethernet
556 packet past 60 bytes.
558 The trailer must be at least 4 bytes long to have enough
561 if (fcs_len == 4 || (tvb_reported_length(tvb) >= 64 &&
562 trailer_reported_length >= 4)) {
563 /* Either we know we have an FCS, or we believe we have an FCS. */
564 if (trailer_length < trailer_reported_length) {
565 /* The packet is claimed to have enough data for a 4-byte FCS,
566 but we didn't capture all of the packet.
567 Slice off the 4-byte FCS from the reported length, and
568 trim the captured length so it's no more than the reported
569 length; that will slice off what of the FCS, if any, is
570 in the captured packet. */
571 trailer_reported_length -= 4;
572 if (trailer_length > trailer_reported_length)
573 trailer_length = trailer_reported_length;
576 /* We captured all of the packet, including what appears to
577 be a 4-byte FCS. Slice it off. */
579 trailer_reported_length -= 4;
585 /* Create a new tvb without the padding and/or the (assumed) fcs */
587 real_trailer_tvb = tvb_new_subset(trailer_tvb, padding_length,
588 trailer_length, trailer_reported_length);
590 real_trailer_tvb = tvb_new_subset_remaining(trailer_tvb, padding_length);
592 /* Call all ethernet trailer dissectors to dissect the trailer if
593 we actually have a trailer. */
594 if (tvb_reported_length(real_trailer_tvb) != 0) {
595 if (dissector_try_heuristic(eth_trailer_subdissector_list,
596 real_trailer_tvb, pinfo, tree, NULL) ) {
597 /* If we're not sure that there is a FCS, all trailer data
598 has been given to the ethernet-trailer dissector, so
599 stop dissecting here */
603 /* No luck with the trailer dissectors, so just display the
604 extra bytes as general trailer */
605 if (trailer_length != 0) {
606 tvb_ensure_bytes_exist(tvb, 0, trailer_length);
607 proto_tree_add_item(fh_tree, trailer_id, real_trailer_tvb, 0,
608 trailer_length, ENC_NA);
614 guint32 sent_fcs = tvb_get_ntohl(trailer_tvb, padding_length+trailer_length);
616 guint32 fcs = crc32_802_tvb(tvb, tvb_length(tvb) - 4);
617 if (fcs == sent_fcs) {
618 item = proto_tree_add_uint_format(fh_tree, hf_eth_fcs, trailer_tvb,
619 padding_length+trailer_length, 4, sent_fcs,
620 "Frame check sequence: 0x%08x [correct]", sent_fcs);
621 checksum_tree = proto_item_add_subtree(item, ett_eth_fcs);
622 item = proto_tree_add_boolean(checksum_tree, hf_eth_fcs_good, tvb,
623 trailer_length, 2, TRUE);
624 PROTO_ITEM_SET_GENERATED(item);
625 item = proto_tree_add_boolean(checksum_tree, hf_eth_fcs_bad, tvb,
626 trailer_length, 2, FALSE);
627 PROTO_ITEM_SET_GENERATED(item);
629 item = proto_tree_add_uint_format(fh_tree, hf_eth_fcs, trailer_tvb,
630 padding_length+trailer_length, 4, sent_fcs,
631 "Frame check sequence: 0x%08x [incorrect, should be 0x%08x]",
633 checksum_tree = proto_item_add_subtree(item, ett_eth_fcs);
634 item = proto_tree_add_boolean(checksum_tree, hf_eth_fcs_good, tvb,
635 trailer_length, 2, FALSE);
636 PROTO_ITEM_SET_GENERATED(item);
637 item = proto_tree_add_boolean(checksum_tree, hf_eth_fcs_bad, tvb,
638 trailer_length, 2, TRUE);
639 PROTO_ITEM_SET_GENERATED(item);
640 expert_add_info(pinfo, item, &ei_eth_fcs_bad);
641 col_append_str(pinfo->cinfo, COL_INFO, " [ETHERNET FRAME CHECK SEQUENCE INCORRECT]");
644 item = proto_tree_add_uint_format(fh_tree, hf_eth_fcs, trailer_tvb,
645 padding_length+trailer_length, 4, sent_fcs,
646 "Frame check sequence: 0x%08x [validiation disabled]", sent_fcs);
647 checksum_tree = proto_item_add_subtree(item, ett_eth_fcs);
648 item = proto_tree_add_boolean(checksum_tree, hf_eth_fcs_good, tvb,
649 trailer_length, 2, FALSE);
650 PROTO_ITEM_SET_GENERATED(item);
651 item = proto_tree_add_boolean(checksum_tree, hf_eth_fcs_bad, tvb,
652 trailer_length, 2, FALSE);
653 PROTO_ITEM_SET_GENERATED(item);
657 proto_tree_set_appendix(fh_tree, tvb, tvb_length(tvb) - padding_length - trailer_length, padding_length + trailer_length);
661 /* Called for the Ethernet Wiretap encapsulation type; pass the FCS length
662 reported to us, or, if the "assume_fcs" preference is set, pass 4. */
664 dissect_eth_maybefcs(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
666 dissect_eth_common(tvb, pinfo, tree,
668 pinfo->pseudo_header->eth.fcs_len);
671 /* Called by other dissectors This one's for encapsulated Ethernet
672 packets that don't include an FCS. */
674 dissect_eth_withoutfcs(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
676 dissect_eth_common(tvb, pinfo, tree, 0);
679 /* ...and this one's for encapsulated packets that do. */
681 dissect_eth_withfcs(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
683 dissect_eth_common(tvb, pinfo, tree, 4);
687 proto_register_eth(void)
689 static hf_register_info hf[] = {
692 { "Destination", "eth.dst", FT_ETHER, BASE_NONE, NULL, 0x0,
693 "Destination Hardware Address", HFILL }},
696 { "Source", "eth.src", FT_ETHER, BASE_NONE, NULL, 0x0,
697 "Source Hardware Address", HFILL }},
700 { "Length", "eth.len", FT_UINT16, BASE_DEC, NULL, 0x0,
703 /* registered here but handled in packet-ethertype.c */
705 { "Type", "eth.type", FT_UINT16, BASE_HEX, VALS(etype_vals), 0x0,
708 { &hf_eth_invalid_lentype,
709 { "Invalid length/type", "eth.invalid_lentype", FT_UINT16, BASE_HEX_DEC,
710 NULL, 0x0, NULL, HFILL }},
713 { "Address", "eth.addr", FT_ETHER, BASE_NONE, NULL, 0x0,
714 "Source or Destination Hardware Address", HFILL }},
717 { "Padding", "eth.padding", FT_BYTES, BASE_NONE, NULL, 0x0,
718 "Ethernet Padding", HFILL }},
721 { "Trailer", "eth.trailer", FT_BYTES, BASE_NONE, NULL, 0x0,
722 "Ethernet Trailer or Checksum", HFILL }},
725 { "Frame check sequence", "eth.fcs", FT_UINT16, BASE_HEX, NULL, 0x0,
726 "Ethernet checksum", HFILL }},
729 { "FCS Good", "eth.fcs_good", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
730 "True: checksum matches packet content; False: doesn't match content or not checked", HFILL }},
733 { "FCS Bad", "eth.fcs_bad", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
734 "True: checksum doesn't matche packet content; False: does match content or not checked", HFILL }},
737 { "LG bit", "eth.lg", FT_BOOLEAN, 24,
738 TFS(&lg_tfs), 0x020000,
739 "Specifies if this is a locally administered or globally unique (IEEE assigned) address", HFILL }},
742 { "IG bit", "eth.ig", FT_BOOLEAN, 24,
743 TFS(&ig_tfs), 0x010000,
744 "Specifies if this is an individual (unicast) or group (broadcast/multicast) address", HFILL }}
746 static gint *ett[] = {
754 static ei_register_info ei[] = {
755 { &ei_eth_invalid_lentype, { "arp.duplicate-address-detected", PI_PROTOCOL, PI_WARN, "Invalid length/type", EXPFILL }},
756 { &ei_eth_src_not_group, { "arp.packet-storm-detected", PI_PROTOCOL, PI_WARN, "Source MAC must not be a group address: IEEE 802.3-2002, Section 3.2.3(b)", EXPFILL }},
757 { &ei_eth_fcs_bad, { "arp.packet-storm-detected", PI_CHECKSUM, PI_ERROR, "Bad checksum", EXPFILL }},
760 module_t *eth_module;
761 expert_module_t* expert_eth;
763 proto_eth = proto_register_protocol("Ethernet", "Ethernet", "eth");
764 proto_register_field_array(proto_eth, hf, array_length(hf));
765 proto_register_subtree_array(ett, array_length(ett));
766 expert_eth = expert_register_protocol(proto_eth);
767 expert_register_field_array(expert_eth, ei, array_length(ei));
769 /* subdissector code */
770 register_heur_dissector_list("eth", &heur_subdissector_list);
771 register_heur_dissector_list("eth.trailer", ð_trailer_subdissector_list);
773 /* Register configuration preferences */
774 eth_module = prefs_register_protocol(proto_eth, NULL);
776 prefs_register_bool_preference(eth_module, "assume_padding",
777 "Assume short frames which include a trailer contain padding",
778 "Some devices add trailing data to frames. When this setting is checked "
779 "the Ethernet dissector will assume there has been added padding to the "
780 "frame before the trailer was added. Uncheck if a device added a trailer "
781 "before the frame was padded.",
782 ð_assume_padding);
784 prefs_register_bool_preference(eth_module, "assume_fcs",
785 "Assume packets have FCS",
786 "Some Ethernet adapters and drivers include the FCS at the end of a packet, others do not. "
787 "The Ethernet dissector attempts to guess whether a captured packet has an FCS, "
788 "but it cannot always guess correctly.",
791 prefs_register_bool_preference(eth_module, "check_fcs",
792 "Validate the Ethernet checksum if possible",
793 "Whether to validate the Frame Check Sequence",
796 prefs_register_bool_preference(eth_module, "interpret_as_fw1_monitor",
797 "Attempt to interpret as FireWall-1 monitor file",
798 "Whether packets should be interpreted as coming from CheckPoint FireWall-1 monitor file if they look as if they do",
799 ð_interpret_as_fw1_monitor);
801 prefs_register_static_text_preference(eth_module, "ccsds_heuristic",
802 "These are the conditions to match a payload against in order to determine if this\n"
803 "is a CCSDS (Consultative Committee for Space Data Systems) packet within\n"
804 "an 802.3 packet. A packet is considered as a possible CCSDS packet only if\n"
805 "one or more of the conditions are checked.",
806 "Describe the conditions that must be true for the CCSDS dissector to be called");
808 prefs_register_bool_preference(eth_module, "ccsds_heuristic_length",
809 "CCSDS Length in header matches payload size",
810 "Set the condition that must be true for the CCSDS dissector to be called",
811 &ccsds_heuristic_length);
813 prefs_register_bool_preference(eth_module, "ccsds_heuristic_version",
814 "CCSDS Version # is zero",
815 "Set the condition that must be true for the CCSDS dissector to be called",
816 &ccsds_heuristic_version);
818 prefs_register_bool_preference(eth_module, "ccsds_heuristic_header",
819 "CCSDS Secondary Header Flag is set",
820 "Set the condition that must be true for the CCSDS dissector to be called",
821 &ccsds_heuristic_header);
823 prefs_register_bool_preference(eth_module, "ccsds_heuristic_bit",
824 "CCSDS Spare bit is cleared",
825 "Set the condition that must be true for the CCSDS dissector to be called",
826 &ccsds_heuristic_bit);
828 register_dissector("eth_withoutfcs", dissect_eth_withoutfcs, proto_eth);
829 register_dissector("eth_withfcs", dissect_eth_withfcs, proto_eth);
830 register_dissector("eth", dissect_eth_maybefcs, proto_eth);
831 eth_tap = register_tap("eth");
835 proto_reg_handoff_eth(void)
837 dissector_handle_t eth_maybefcs_handle, eth_withoutfcs_handle;
839 /* Get a handle for the Firewall-1 dissector. */
840 fw1_handle = find_dissector("fw1");
842 /* Get a handle for the generic data dissector. */
843 data_handle = find_dissector("data");
845 eth_maybefcs_handle = find_dissector("eth");
846 dissector_add_uint("wtap_encap", WTAP_ENCAP_ETHERNET, eth_maybefcs_handle);
848 eth_withoutfcs_handle = find_dissector("eth_withoutfcs");
849 dissector_add_uint("ethertype", ETHERTYPE_ETHBRIDGE, eth_withoutfcs_handle);
850 dissector_add_uint("chdlctype", ETHERTYPE_ETHBRIDGE, eth_withoutfcs_handle);
851 dissector_add_uint("gre.proto", ETHERTYPE_ETHBRIDGE, eth_withoutfcs_handle);
853 dissector_add_uint("sll.ltype", LINUX_SLL_P_ETHERNET, eth_withoutfcs_handle);
854 dissector_add_uint("usb.bulk", IF_CLASS_CDC_DATA, eth_withoutfcs_handle);
857 * This is to handle the output for the Cisco CMTS "cable intercept"
858 * command - it encapsulates Ethernet frames in UDP packets, but
859 * the UDP port is user-defined.
861 dissector_add_handle("udp.port", eth_withoutfcs_handle);