2 * Routines for IP and miscellaneous IP protocol packet disassembly
4 * Wireshark - Network traffic analyzer
5 * By Gerald Combs <gerald@wireshark.org>
6 * Copyright 1998 Gerald Combs
8 * Wednesday, January 17, 2006
9 * Support for the CIPSO IPv4 option
10 * (http://sourceforge.net/docman/display_doc.php?docid=34650&group_id=174379)
11 * by Paul Moore <paul.moore@hp.com>
13 * This program is free software; you can redistribute it and/or
14 * modify it under the terms of the GNU General Public License
15 * as published by the Free Software Foundation; either version 2
16 * of the License, or (at your option) any later version.
18 * This program is distributed in the hope that it will be useful,
19 * but WITHOUT ANY WARRANTY; without even the implied warranty of
20 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21 * GNU General Public License for more details.
23 * You should have received a copy of the GNU General Public License
24 * along with this program; if not, write to the Free Software
25 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
30 #include <epan/packet.h>
31 #include <epan/addr_resolv.h>
32 #include <epan/ipproto.h>
33 #include <epan/expert.h>
34 #include <epan/ip_opts.h>
35 #include <epan/prefs.h>
36 #include <epan/conversation_table.h>
37 #include <epan/color_dissector_filters.h>
38 #include <epan/reassemble.h>
39 #include <epan/etypes.h>
40 #include <epan/ppptypes.h>
41 #include <epan/llcsaps.h>
42 #include <epan/aftypes.h>
43 #include <epan/arcnet_pids.h>
44 #include <epan/in_cksum.h>
45 #include <epan/nlpid.h>
46 #include <epan/ax25_pids.h>
47 #include <epan/decode_as.h>
48 #include <wiretap/erf.h>
50 #include "packet-ip.h"
51 #include "packet-juniper.h"
52 #include "packet-sflow.h"
53 #include "packet-gre.h"
54 #include "packet-l2tp.h"
58 #include <epan/geoip_db.h>
59 #endif /* HAVE_GEOIP */
61 void proto_register_ip(void);
62 void proto_reg_handoff_ip(void);
64 static int ip_tap = -1;
66 /* Decode the old IPv4 TOS field as the DiffServ DS Field (RFC2474/2475) */
67 static gboolean g_ip_dscp_actif = TRUE;
69 /* Defragment fragmented IP datagrams */
70 static gboolean ip_defragment = TRUE;
72 /* Place IP summary in proto tree */
73 static gboolean ip_summary_in_tree = TRUE;
75 /* Perform IP checksum */
76 static gboolean ip_check_checksum = FALSE;
78 /* Assume TSO and correct zero-length IP packets */
79 static gboolean ip_tso_supported = TRUE;
81 /* Use heuristics to determine subdissector */
82 static gboolean try_heuristic_first = FALSE;
85 /* Look up addresses in GeoIP */
86 static gboolean ip_use_geoip = TRUE;
87 #endif /* HAVE_GEOIP */
89 /* Interpret the reserved flag as security flag (RFC 3514) */
90 static gboolean ip_security_flag = FALSE;
93 static int hf_ip_version = -1;
94 static int hf_ip_hdr_len = -1;
95 static int hf_ip_dsfield = -1;
96 static int hf_ip_dsfield_dscp = -1;
97 static int hf_ip_dsfield_ecn = -1;
98 static int hf_ip_tos = -1;
99 static int hf_ip_tos_precedence = -1;
100 static int hf_ip_tos_delay = -1;
101 static int hf_ip_tos_throughput = -1;
102 static int hf_ip_tos_reliability = -1;
103 static int hf_ip_tos_cost = -1;
104 static int hf_ip_len = -1;
105 static int hf_ip_id = -1;
106 static int hf_ip_dst = -1;
107 static int hf_ip_dst_host = -1;
108 static int hf_ip_src = -1;
109 static int hf_ip_src_host = -1;
110 static int hf_ip_addr = -1;
111 static int hf_ip_host = -1;
112 static int hf_ip_flags = -1;
113 static int hf_ip_flags_sf = -1;
114 static int hf_ip_flags_rf = -1;
115 static int hf_ip_flags_df = -1;
116 static int hf_ip_flags_mf = -1;
117 static int hf_ip_frag_offset = -1;
118 static int hf_ip_ttl = -1;
119 static int hf_ip_proto = -1;
120 static int hf_ip_checksum = -1;
121 static int hf_ip_checksum_calculated = -1;
122 static int hf_ip_checksum_good = -1;
123 static int hf_ip_checksum_bad = -1;
125 /* IP option fields */
126 static int hf_ip_opt_type = -1;
127 static int hf_ip_opt_type_copy = -1;
128 static int hf_ip_opt_type_class = -1;
129 static int hf_ip_opt_type_number = -1;
130 static int hf_ip_opt_len = -1;
131 static int hf_ip_opt_ptr = -1;
132 static int hf_ip_opt_sid = -1;
133 static int hf_ip_opt_mtu = -1;
134 static int hf_ip_opt_id_number = -1;
135 static int hf_ip_opt_ohc = -1;
136 static int hf_ip_opt_rhc = -1;
137 static int hf_ip_opt_originator = -1;
138 static int hf_ip_opt_ra = -1;
139 static int hf_ip_opt_addr = -1;
140 static int hf_ip_opt_padding = -1;
141 static int hf_ip_opt_qs_func = -1;
142 static int hf_ip_opt_qs_rate = -1;
143 static int hf_ip_opt_qs_ttl = -1;
144 static int hf_ip_opt_qs_ttl_diff = -1;
145 static int hf_ip_opt_qs_unused = -1;
146 static int hf_ip_opt_qs_nonce = -1;
147 static int hf_ip_opt_qs_reserved = -1;
148 static int hf_ip_opt_sec_rfc791_sec = -1;
149 static int hf_ip_opt_sec_rfc791_comp = -1;
150 static int hf_ip_opt_sec_rfc791_hr = -1;
151 static int hf_ip_opt_sec_rfc791_tcc = -1;
152 static int hf_ip_opt_sec_cl = -1;
153 static int hf_ip_opt_sec_prot_auth_flags = -1;
154 static int hf_ip_opt_sec_prot_auth_genser = -1;
155 static int hf_ip_opt_sec_prot_auth_siop_esi = -1;
156 static int hf_ip_opt_sec_prot_auth_sci = -1;
157 static int hf_ip_opt_sec_prot_auth_nsa = -1;
158 static int hf_ip_opt_sec_prot_auth_doe = -1;
159 static int hf_ip_opt_sec_prot_auth_unassigned = -1;
160 static int hf_ip_opt_sec_prot_auth_unassigned2 = -1;
161 static int hf_ip_opt_sec_prot_auth_fti = -1;
162 static int hf_ip_opt_ext_sec_add_sec_info_format_code = -1;
163 static int hf_ip_opt_ext_sec_add_sec_info = -1;
164 static int hf_ip_rec_rt = -1;
165 static int hf_ip_rec_rt_host = -1;
166 static int hf_ip_cur_rt = -1;
167 static int hf_ip_cur_rt_host = -1;
168 static int hf_ip_src_rt = -1;
169 static int hf_ip_src_rt_host = -1;
170 static int hf_ip_empty_rt = -1;
171 static int hf_ip_empty_rt_host = -1;
172 static int hf_ip_cipso_tag_type = -1;
174 static int hf_ip_fragments = -1;
175 static int hf_ip_fragment = -1;
176 static int hf_ip_fragment_overlap = -1;
177 static int hf_ip_fragment_overlap_conflict = -1;
178 static int hf_ip_fragment_multiple_tails = -1;
179 static int hf_ip_fragment_too_long_fragment = -1;
180 static int hf_ip_fragment_error = -1;
181 static int hf_ip_fragment_count = -1;
182 static int hf_ip_reassembled_in = -1;
183 static int hf_ip_reassembled_length = -1;
184 static int hf_ip_reassembled_data = -1;
186 /* Generated from convert_proto_tree_add_text.pl */
187 static int hf_ip_opt_flag = -1;
188 static int hf_ip_opt_overflow = -1;
189 static int hf_ip_cipso_tag_data = -1;
190 static int hf_ip_cipso_sensitivity_level = -1;
191 static int hf_ip_cipso_categories = -1;
192 static int hf_ip_cipso_doi = -1;
193 static int hf_ip_opt_time_stamp = -1;
194 static int hf_ip_opt_time_stamp_addr = -1;
197 static int hf_geoip_country = -1;
198 static int hf_geoip_city = -1;
199 static int hf_geoip_org = -1;
200 static int hf_geoip_isp = -1;
201 static int hf_geoip_asnum = -1;
202 static int hf_geoip_lat = -1;
203 static int hf_geoip_lon = -1;
204 static int hf_geoip_src_country = -1;
205 static int hf_geoip_src_city = -1;
206 static int hf_geoip_src_org = -1;
207 static int hf_geoip_src_isp = -1;
208 static int hf_geoip_src_asnum = -1;
209 static int hf_geoip_src_lat = -1;
210 static int hf_geoip_src_lon = -1;
211 static int hf_geoip_dst_country = -1;
212 static int hf_geoip_dst_city = -1;
213 static int hf_geoip_dst_org = -1;
214 static int hf_geoip_dst_isp = -1;
215 static int hf_geoip_dst_asnum = -1;
216 static int hf_geoip_dst_lat = -1;
217 static int hf_geoip_dst_lon = -1;
218 #endif /* HAVE_GEOIP */
220 static gint ett_ip = -1;
221 static gint ett_ip_dsfield = -1;
222 static gint ett_ip_tos = -1;
223 static gint ett_ip_off = -1;
224 static gint ett_ip_options = -1;
225 static gint ett_ip_option_eool = -1;
226 static gint ett_ip_option_nop = -1;
227 static gint ett_ip_option_sec = -1;
228 static gint ett_ip_option_route = -1;
229 static gint ett_ip_option_timestamp = -1;
230 static gint ett_ip_option_ext_security = -1;
231 static gint ett_ip_option_cipso = -1;
232 static gint ett_ip_option_sid = -1;
233 static gint ett_ip_option_mtu = -1;
234 static gint ett_ip_option_tr = -1;
235 static gint ett_ip_option_ra = -1;
236 static gint ett_ip_option_sdb = -1;
237 static gint ett_ip_option_qs = -1;
238 static gint ett_ip_option_other = -1;
239 static gint ett_ip_fragments = -1;
240 static gint ett_ip_fragment = -1;
241 static gint ett_ip_checksum = -1;
242 static gint ett_ip_opt_type = -1;
243 static gint ett_ip_opt_sec_prot_auth_flags = -1;
244 static gint ett_unknown_ip_tcp_opt = -1;
246 static expert_field ei_ip_opt_len_invalid = EI_INIT;
247 static expert_field ei_ip_opt_sec_prot_auth_fti = EI_INIT;
248 static expert_field ei_ip_extraneous_data = EI_INIT;
249 static expert_field ei_ip_opt_ptr_before_address = EI_INIT;
250 static expert_field ei_ip_opt_ptr_middle_address = EI_INIT;
251 static expert_field ei_ip_subopt_too_long = EI_INIT;
252 static expert_field ei_ip_nop = EI_INIT;
253 static expert_field ei_ip_bogus_ip_length = EI_INIT;
254 static expert_field ei_ip_evil_packet = EI_INIT;
255 static expert_field ei_ip_checksum_bad = EI_INIT;
256 static expert_field ei_ip_ttl_lncb = EI_INIT;
257 static expert_field ei_ip_ttl_too_small = EI_INIT;
258 static expert_field ei_ip_cipso_tag = EI_INIT;
262 static gint ett_geoip_info = -1;
263 #endif /* HAVE_GEOIP */
265 static const fragment_items ip_frag_items = {
270 &hf_ip_fragment_overlap,
271 &hf_ip_fragment_overlap_conflict,
272 &hf_ip_fragment_multiple_tails,
273 &hf_ip_fragment_too_long_fragment,
274 &hf_ip_fragment_error,
275 &hf_ip_fragment_count,
276 &hf_ip_reassembled_in,
277 &hf_ip_reassembled_length,
278 &hf_ip_reassembled_data,
282 static heur_dissector_list_t heur_subdissector_list;
284 static dissector_table_t ip_dissector_table;
286 static dissector_handle_t ipv6_handle;
287 static dissector_handle_t data_handle;
290 /* IP structs and definitions */
292 /* Offsets of fields within an IP header. */
304 /* Minimum IP header length. */
305 #define IPH_MIN_LEN 20
307 /* Width (in bits) of the fragment offset IP header field */
308 #define IP_OFFSET_WIDTH 13
310 /* Width (in bits) of the flags IP header field */
311 #define IP_FLAGS_WIDTH 3
314 #define IP_RF 0x8000 /* Flag: "Reserved bit" */
315 #define IP_DF 0x4000 /* Flag: "Don't Fragment" */
316 #define IP_MF 0x2000 /* Flag: "More Fragments" */
317 #define IP_OFFSET 0x1FFF /* "Fragment Offset" part */
319 /* Differentiated Services Field. See RFCs 2474, 2597 and 2598. */
320 #define IPDSFIELD_DSCP_MASK 0xFC
321 #define IPDSFIELD_ECN_MASK 0x03
322 #define IPDSFIELD_DSCP_SHIFT 2
324 #define IPDSFIELD_DSCP(dsfield) (((dsfield)&IPDSFIELD_DSCP_MASK)>>IPDSFIELD_DSCP_SHIFT)
325 #define IPDSFIELD_ECN(dsfield) ((dsfield)&IPDSFIELD_ECN_MASK)
327 #define IPDSFIELD_DSCP_DEFAULT 0x00
328 #define IPDSFIELD_DSCP_CS1 0x08
329 #define IPDSFIELD_DSCP_AF11 0x0A
330 #define IPDSFIELD_DSCP_AF12 0x0C
331 #define IPDSFIELD_DSCP_AF13 0x0E
332 #define IPDSFIELD_DSCP_CS2 0x10
333 #define IPDSFIELD_DSCP_AF21 0x12
334 #define IPDSFIELD_DSCP_AF22 0x14
335 #define IPDSFIELD_DSCP_AF23 0x16
336 #define IPDSFIELD_DSCP_CS3 0x18
337 #define IPDSFIELD_DSCP_AF31 0x1A
338 #define IPDSFIELD_DSCP_AF32 0x1C
339 #define IPDSFIELD_DSCP_AF33 0x1E
340 #define IPDSFIELD_DSCP_CS4 0x20
341 #define IPDSFIELD_DSCP_AF41 0x22
342 #define IPDSFIELD_DSCP_AF42 0x24
343 #define IPDSFIELD_DSCP_AF43 0x26
344 #define IPDSFIELD_DSCP_CS5 0x28
345 #define IPDSFIELD_DSCP_EF 0x2E
346 #define IPDSFIELD_DSCP_CS6 0x30
347 #define IPDSFIELD_DSCP_CS7 0x38
349 #define IPDSFIELD_ECT_NOT 0x00
350 #define IPDSFIELD_ECT_1 0x01
351 #define IPDSFIELD_ECT_0 0x02
352 #define IPDSFIELD_CE 0x03
354 /* IP TOS, superseded by the DS Field, RFC 2474. */
355 #define IPTOS_TOS_MASK 0x1E
356 #define IPTOS_TOS(tos) ((tos) & IPTOS_TOS_MASK)
357 #define IPTOS_NONE 0x00
358 #define IPTOS_LOWCOST 0x02
359 #define IPTOS_RELIABILITY 0x04
360 #define IPTOS_THROUGHPUT 0x08
361 #define IPTOS_LOWDELAY 0x10
362 #define IPTOS_SECURITY 0x1E
364 #define IPTOS_PREC_MASK 0xE0
365 #define IPTOS_PREC_SHIFT 5
366 #define IPTOS_PREC(tos) (((tos)&IPTOS_PREC_MASK)>>IPTOS_PREC_SHIFT)
367 #define IPTOS_PREC_NETCONTROL 7
368 #define IPTOS_PREC_INTERNETCONTROL 6
369 #define IPTOS_PREC_CRITIC_ECP 5
370 #define IPTOS_PREC_FLASHOVERRIDE 4
371 #define IPTOS_PREC_FLASH 3
372 #define IPTOS_PREC_IMMEDIATE 2
373 #define IPTOS_PREC_PRIORITY 1
374 #define IPTOS_PREC_ROUTINE 0
377 #define IPOPT_COPY 0x80
379 #define IPOPT_CONTROL 0x00
380 #define IPOPT_RESERVED1 0x20
381 #define IPOPT_MEASUREMENT 0x40
382 #define IPOPT_RESERVED2 0x60
384 /* REF: http://www.iana.org/assignments/ip-parameters */
385 /* TODO: Not all of these are implemented. */
386 #define IPOPT_EOOL (0 |IPOPT_CONTROL)
387 #define IPOPT_NOP (1 |IPOPT_CONTROL)
388 #define IPOPT_SEC (2 |IPOPT_COPY|IPOPT_CONTROL) /* RFC 791/1108 */
389 #define IPOPT_LSR (3 |IPOPT_COPY|IPOPT_CONTROL)
390 #define IPOPT_TS (4 |IPOPT_MEASUREMENT)
391 #define IPOPT_ESEC (5 |IPOPT_COPY|IPOPT_CONTROL) /* RFC 1108 */
392 #define IPOPT_CIPSO (6 |IPOPT_COPY|IPOPT_CONTROL) /* draft-ietf-cipso-ipsecurity-01 */
393 #define IPOPT_RR (7 |IPOPT_CONTROL)
394 #define IPOPT_SID (8 |IPOPT_COPY|IPOPT_CONTROL)
395 #define IPOPT_SSR (9 |IPOPT_COPY|IPOPT_CONTROL)
396 #define IPOPT_ZSU (10|IPOPT_CONTROL) /* Zsu */
397 #define IPOPT_MTUP (11|IPOPT_CONTROL) /* RFC 1063 */
398 #define IPOPT_MTUR (12|IPOPT_CONTROL) /* RFC 1063 */
399 #define IPOPT_FINN (13|IPOPT_COPY|IPOPT_MEASUREMENT) /* Finn */
400 #define IPOPT_VISA (14|IPOPT_COPY|IPOPT_CONTROL) /* Estrin */
401 #define IPOPT_ENCODE (15|IPOPT_CONTROL) /* VerSteeg */
402 #define IPOPT_IMITD (16|IPOPT_COPY|IPOPT_CONTROL) /* Lee */
403 #define IPOPT_EIP (17|IPOPT_COPY|IPOPT_CONTROL) /* RFC 1385 */
404 #define IPOPT_TR (18|IPOPT_MEASUREMENT) /* RFC 1393 */
405 #define IPOPT_ADDEXT (19|IPOPT_COPY|IPOPT_CONTROL) /* Ullmann IPv7 */
406 #define IPOPT_RTRALT (20|IPOPT_COPY|IPOPT_CONTROL) /* RFC 2113 */
407 #define IPOPT_SDB (21|IPOPT_COPY|IPOPT_CONTROL) /* RFC 1770 Graff */
408 #define IPOPT_UN (22|IPOPT_COPY|IPOPT_CONTROL) /* Released 18-Oct-2005 */
409 #define IPOPT_DPS (23|IPOPT_COPY|IPOPT_CONTROL) /* Malis */
410 #define IPOPT_UMP (24|IPOPT_COPY|IPOPT_CONTROL) /* Farinacci */
411 #define IPOPT_QS (25|IPOPT_CONTROL) /* RFC 4782 */
412 #define IPOPT_EXP (30|IPOPT_CONTROL) /* RFC 4727 */
415 /* IP option lengths */
416 #define IPOLEN_SEC_MIN 3
417 #define IPOLEN_LSR_MIN 3
418 #define IPOLEN_TS_MIN 4
419 #define IPOLEN_ESEC_MIN 3
420 #define IPOLEN_CIPSO_MIN 10
421 #define IPOLEN_RR_MIN 3
423 #define IPOLEN_SSR_MIN 3
427 #define IPOLEN_SDB_MIN 6
429 #define IPOLEN_MAX 40
431 #define IPSEC_RFC791_UNCLASSIFIED 0x0000
432 #define IPSEC_RFC791_CONFIDENTIAL 0xF135
433 #define IPSEC_RFC791_EFTO 0x789A
434 #define IPSEC_RFC791_MMMM 0xBC4D
435 #define IPSEC_RFC791_PROG 0x5E26
436 #define IPSEC_RFC791_RESTRICTED 0xAF13
437 #define IPSEC_RFC791_SECRET 0xD788
438 #define IPSEC_RFC791_TOPSECRET 0x6BC5
439 #define IPSEC_RFC791_RESERVED1 0x35E2
440 #define IPSEC_RFC791_RESERVED2 0x9AF1
441 #define IPSEC_RFC791_RESERVED3 0x4D78
442 #define IPSEC_RFC791_RESERVED4 0x24BD
443 #define IPSEC_RFC791_RESERVED5 0x135E
444 #define IPSEC_RFC791_RESERVED6 0x89AF
445 #define IPSEC_RFC791_RESERVED7 0xC4D6
446 #define IPSEC_RFC791_RESERVED8 0xE26B
448 #define IPSEC_RESERVED4 0x01
449 #define IPSEC_TOPSECRET 0x3D
450 #define IPSEC_SECRET 0x5A
451 #define IPSEC_CONFIDENTIAL 0x96
452 #define IPSEC_RESERVED3 0x66
453 #define IPSEC_RESERVED2 0xCC
454 #define IPSEC_UNCLASSIFIED 0xAB
455 #define IPSEC_RESERVED1 0xF1
457 #define IPOPT_TS_TSONLY 0 /* timestamps only */
458 #define IPOPT_TS_TSANDADDR 1 /* timestamps and addresses */
459 #define IPOPT_TS_PRESPEC 3 /* specified modules only */
461 #define IPLOCAL_NETWRK_CTRL_BLK_VRRP_ADDR 0xE0000012
462 #define IPLOCAL_NETWRK_CTRL_BLK_VRRP_TTL 0xFF
463 #define IPLOCAL_NETWRK_CTRL_BLK_GLPB_ADDR 0xE0000066
464 #define IPLOCAL_NETWRK_CTRL_BLK_GLPB_TTL 0XFF
465 #define IPLOCAL_NETWRK_CTRL_BLK_MDNS_ADDR 0xE00000FB
466 #define IPLOCAL_NETWRK_CTRL_BLK_MDNS_TTL 0XFF
467 #define IPLOCAL_NETWRK_CTRL_BLK_LLMNR_ADDR 0xE00000FC
469 #define IPLOCAL_NETWRK_CTRL_BLK_ANY_TTL 0x1000 /* larger than max ttl */
470 #define IPLOCAL_NETWRK_CTRL_BLK_DEFAULT_TTL 0X01
472 /* Return true if the address is in the 224.0.0.0/24 network block */
473 #define is_a_local_network_control_block_addr(addr) \
474 ((addr & 0xffffff00) == 0xe0000000)
476 /* Return true if the address is in the 224.0.0.0/4 network block */
477 #define is_a_multicast_addr(addr) \
478 ((addr & 0xf0000000) == 0xe0000000)
480 static void ip_prompt(packet_info *pinfo, gchar* result)
482 g_snprintf(result, MAX_DECODE_AS_PROMPT_LEN, "IP protocol %u as",
483 GPOINTER_TO_UINT(p_get_proto_data(pinfo->pool, pinfo, proto_ip, 0)));
486 static gpointer ip_value(packet_info *pinfo)
488 return p_get_proto_data(pinfo->pool, pinfo, proto_ip, 0);
491 static const char* ip_conv_get_filter_type(conv_item_t* conv, conv_filter_type_e filter)
493 if ((filter == CONV_FT_SRC_ADDRESS) && (conv->src_address.type == AT_IPv4))
496 if ((filter == CONV_FT_DST_ADDRESS) && (conv->dst_address.type == AT_IPv4))
499 if ((filter == CONV_FT_ANY_ADDRESS) && (conv->src_address.type == AT_IPv4))
502 return CONV_FILTER_INVALID;
505 static ct_dissector_info_t ip_ct_dissector_info = {&ip_conv_get_filter_type};
508 ip_conversation_packet(void *pct, packet_info *pinfo, epan_dissect_t *edt _U_, const void *vip)
510 conv_hash_t *hash = (conv_hash_t*) pct;
511 const ws_ip *iph=(const ws_ip *)vip;
513 add_conversation_table_data(hash, &iph->ip_src, &iph->ip_dst, 0, 0, 1, pinfo->fd->pkt_len, &pinfo->rel_ts, &pinfo->fd->abs_ts, &ip_ct_dissector_info, PT_NONE);
518 static const char* ip_host_get_filter_type(hostlist_talker_t* host, conv_filter_type_e filter)
520 if ((filter == CONV_FT_ANY_ADDRESS) && (host->myaddress.type == AT_IPv4))
523 return CONV_FILTER_INVALID;
526 static hostlist_dissector_info_t ip_host_dissector_info = {&ip_host_get_filter_type};
529 ip_hostlist_packet(void *pit, packet_info *pinfo, epan_dissect_t *edt _U_, const void *vip)
531 conv_hash_t *hash = (conv_hash_t*) pit;
532 const ws_ip *iph=(const ws_ip *)vip;
534 /* Take two "add" passes per packet, adding for each direction, ensures that all
535 packets are counted properly (even if address is sending to itself)
536 XXX - this could probably be done more efficiently inside hostlist_table */
537 add_hostlist_table_data(hash, &iph->ip_src, 0, TRUE, 1, pinfo->fd->pkt_len, &ip_host_dissector_info, PT_NONE);
538 add_hostlist_table_data(hash, &iph->ip_dst, 0, FALSE, 1, pinfo->fd->pkt_len, &ip_host_dissector_info, PT_NONE);
543 ip_color_filter_valid(packet_info *pinfo)
545 return proto_is_frame_protocol(pinfo->layers, "ip");
549 ip_build_color_filter(packet_info *pinfo)
551 return g_strdup_printf("ip.addr eq %s and ip.addr eq %s",
552 address_to_str(pinfo->pool, &pinfo->net_src),
553 address_to_str(pinfo->pool, &pinfo->net_dst));
557 * defragmentation of IPv4
559 static reassembly_table ip_reassembly_table;
562 ip_defragment_init(void)
564 reassembly_table_init(&ip_reassembly_table,
565 &addresses_reassembly_table_functions);
569 capture_ip(const guchar *pd, int offset, int len, packet_counts *ld) {
570 if (!BYTES_ARE_IN_FRAME(offset, len, IPH_MIN_LEN)) {
574 switch (pd[offset + 9]) {
579 case IP_PROTO_UDPLITE:
583 case IP_PROTO_ICMPV6: /* XXX - separate counters? */
605 add_geoip_info_entry(proto_tree *geoip_info_tree, proto_item *geoip_info_item, tvbuff_t *tvb, gint offset, guint32 ip, int isdst)
607 guint num_dbs = geoip_db_num_dbs();
611 for (dbnum = 0; dbnum < num_dbs; dbnum++) {
612 char *geoip_str = geoip_db_lookup_ipv4(dbnum, ip, NULL);
613 int db_type = geoip_db_type(dbnum);
615 int geoip_hf, geoip_local_hf;
618 case GEOIP_COUNTRY_EDITION:
619 geoip_hf = hf_geoip_country;
620 geoip_local_hf = (isdst) ? hf_geoip_dst_country : hf_geoip_src_country;
622 case GEOIP_CITY_EDITION_REV0:
623 geoip_hf = hf_geoip_city;
624 geoip_local_hf = (isdst) ? hf_geoip_dst_city : hf_geoip_src_city;
626 case GEOIP_CITY_EDITION_REV1:
627 geoip_hf = hf_geoip_city;
628 geoip_local_hf = (isdst) ? hf_geoip_dst_city : hf_geoip_src_city;
630 case GEOIP_ORG_EDITION:
631 geoip_hf = hf_geoip_org;
632 geoip_local_hf = (isdst) ? hf_geoip_dst_org : hf_geoip_src_org;
634 case GEOIP_ISP_EDITION:
635 geoip_hf = hf_geoip_isp;
636 geoip_local_hf = (isdst) ? hf_geoip_dst_isp : hf_geoip_src_isp;
638 case GEOIP_ASNUM_EDITION:
639 geoip_hf = hf_geoip_asnum;
640 geoip_local_hf = (isdst) ? hf_geoip_dst_asnum : hf_geoip_src_asnum;
642 case WS_LAT_FAKE_EDITION:
643 geoip_hf = hf_geoip_lat;
644 geoip_local_hf = (isdst) ? hf_geoip_dst_lat : hf_geoip_src_lat;
646 case WS_LON_FAKE_EDITION:
647 geoip_hf = hf_geoip_lon;
648 geoip_local_hf = (isdst) ? hf_geoip_dst_lon : hf_geoip_src_lon;
656 if (db_type == WS_LAT_FAKE_EDITION || db_type == WS_LON_FAKE_EDITION) {
657 /* Convert latitude, longitude to double. Fix bug #5077 */
658 item = proto_tree_add_double_format_value(geoip_info_tree, geoip_local_hf,
659 tvb, offset, 4, g_ascii_strtod(geoip_str, NULL), "%s", geoip_str);
660 PROTO_ITEM_SET_GENERATED(item);
661 item = proto_tree_add_double_format_value(geoip_info_tree, geoip_hf,
662 tvb, offset, 4, g_ascii_strtod(geoip_str, NULL), "%s", geoip_str);
663 PROTO_ITEM_SET_GENERATED(item);
664 PROTO_ITEM_SET_HIDDEN(item);
666 item = proto_tree_add_string(geoip_info_tree, geoip_local_hf,
667 tvb, offset, 4, geoip_str);
668 PROTO_ITEM_SET_GENERATED(item);
669 item = proto_tree_add_string(geoip_info_tree, geoip_hf,
670 tvb, offset, 4, geoip_str);
671 PROTO_ITEM_SET_GENERATED(item);
672 PROTO_ITEM_SET_HIDDEN(item);
676 proto_item_append_text(geoip_info_item, "%s%s",
677 plurality(item_cnt, "", ", "), geoip_str);
678 wmem_free(NULL, geoip_str);
683 proto_item_append_text(geoip_info_item, "Unknown");
687 add_geoip_info(proto_tree *tree, tvbuff_t *tvb, gint offset, guint32 src32,
691 proto_item *geoip_info_item;
692 proto_tree *geoip_info_tree;
694 num_dbs = geoip_db_num_dbs();
698 geoip_info_tree = proto_tree_add_subtree(tree, tvb, offset + IPH_SRC, 4, ett_geoip_info, &geoip_info_item, "Source GeoIP: ");
699 PROTO_ITEM_SET_GENERATED(geoip_info_item);
700 add_geoip_info_entry(geoip_info_tree, geoip_info_item, tvb, offset + IPH_SRC, src32, 0);
702 geoip_info_tree = proto_tree_add_subtree(tree, tvb, offset + IPH_DST, 4, ett_geoip_info, &geoip_info_item, "Destination GeoIP: ");
703 PROTO_ITEM_SET_GENERATED(geoip_info_item);
704 add_geoip_info_entry(geoip_info_tree, geoip_info_item, tvb, offset + IPH_DST, dst32, 1);
706 #endif /* HAVE_GEOIP */
708 const value_string ipopt_type_class_vals[] = {
709 {(IPOPT_CONTROL & IPOPT_CLASS_MASK) >> 5, "Control"},
710 {(IPOPT_RESERVED1 & IPOPT_CLASS_MASK) >> 5, "Reserved for future use"},
711 {(IPOPT_MEASUREMENT & IPOPT_CLASS_MASK) >> 5, "Debugging and measurement"},
712 {(IPOPT_RESERVED2 & IPOPT_CLASS_MASK) >> 5, "Reserved for future use"},
716 const value_string ipopt_type_number_vals[] = {
717 {IPOPT_EOOL & IPOPT_NUMBER_MASK, "End of Option List (EOL)"},
718 {IPOPT_NOP & IPOPT_NUMBER_MASK, "No-Operation (NOP)"},
719 {IPOPT_SEC & IPOPT_NUMBER_MASK, "Security"},
720 {IPOPT_LSR & IPOPT_NUMBER_MASK, "Loose source route"},
721 {IPOPT_TS & IPOPT_NUMBER_MASK, "Time stamp"},
722 {IPOPT_ESEC & IPOPT_NUMBER_MASK, "Extended security"},
723 {IPOPT_CIPSO & IPOPT_NUMBER_MASK, "Commercial IP security option"},
724 {IPOPT_RR & IPOPT_NUMBER_MASK, "Record route"},
725 {IPOPT_SID & IPOPT_NUMBER_MASK, "Stream identifier"},
726 {IPOPT_SSR & IPOPT_NUMBER_MASK, "Strict source route"},
727 {IPOPT_ZSU & IPOPT_NUMBER_MASK, "Experimental Measurement"},
728 {IPOPT_MTUP & IPOPT_NUMBER_MASK, "MTU probe"},
729 {IPOPT_MTUR & IPOPT_NUMBER_MASK, "MTU Reply"},
730 {IPOPT_FINN & IPOPT_NUMBER_MASK, "Experimental Flow Control"},
731 {IPOPT_VISA & IPOPT_NUMBER_MASK, "Experimental Access Control"},
732 {IPOPT_ENCODE & IPOPT_NUMBER_MASK, "Ask Estrin"},
733 {IPOPT_IMITD & IPOPT_NUMBER_MASK, "IMI Traffic Descriptor"},
734 {IPOPT_EIP & IPOPT_NUMBER_MASK, "Extended Internet Protocol"},
735 {IPOPT_TR & IPOPT_NUMBER_MASK, "Traceroute"},
736 {IPOPT_ADDEXT & IPOPT_NUMBER_MASK, "Address Extension"},
737 {IPOPT_RTRALT & IPOPT_NUMBER_MASK, "Router Alert"},
738 {IPOPT_SDB & IPOPT_NUMBER_MASK, "Selective Directed Broadcast"},
739 {IPOPT_UN & IPOPT_NUMBER_MASK, "Unassigned"},
740 {IPOPT_DPS & IPOPT_NUMBER_MASK, "Dynamic Packet State"},
741 {IPOPT_UMP & IPOPT_NUMBER_MASK, "Upstream Multicast Packet"},
742 {IPOPT_QS & IPOPT_NUMBER_MASK, "Quick-Start"},
743 {IPOPT_EXP & IPOPT_NUMBER_MASK, "RFC 3692-style experiment"},
747 static ip_tcp_opt_type IP_OPT_TYPES = {&hf_ip_opt_type, &ett_ip_opt_type,
748 &hf_ip_opt_type_copy, &hf_ip_opt_type_class, &hf_ip_opt_type_number};
751 dissect_ipopt_type(tvbuff_t *tvb, int offset, proto_tree *tree, ip_tcp_opt_type* opttypes)
753 proto_tree *type_tree;
756 ti = proto_tree_add_item(tree, *opttypes->phf_opt_type, tvb, offset, 1, ENC_NA);
757 type_tree = proto_item_add_subtree(ti, *opttypes->pett_opt_type);
758 proto_tree_add_item(type_tree, *opttypes->phf_opt_type_copy, tvb, offset, 1, ENC_NA);
759 proto_tree_add_item(type_tree, *opttypes->phf_opt_type_class, tvb, offset, 1, ENC_NA);
760 proto_tree_add_item(type_tree, *opttypes->phf_opt_type_number, tvb, offset, 1, ENC_NA);
764 dissect_ipopt_eool(const ip_tcp_opt *optp, tvbuff_t *tvb, int offset,
765 guint optlen _U_, packet_info *pinfo _U_,
766 proto_tree *opt_tree, void * data _U_)
768 proto_tree *field_tree;
770 field_tree = proto_tree_add_subtree(opt_tree, tvb, offset, 1, *optp->subtree_index, NULL, optp->name);
771 dissect_ipopt_type(tvb, offset, field_tree, &IP_OPT_TYPES);
774 #define dissect_ipopt_nop dissect_ipopt_eool
776 static const value_string secl_rfc791_vals[] = {
777 {IPSEC_RFC791_UNCLASSIFIED, "Unclassified"},
778 {IPSEC_RFC791_CONFIDENTIAL, "Confidential"},
779 {IPSEC_RFC791_EFTO, "EFTO" },
780 {IPSEC_RFC791_MMMM, "MMMM" },
781 {IPSEC_RFC791_PROG, "PROG" },
782 {IPSEC_RFC791_RESTRICTED, "Restricted" },
783 {IPSEC_RFC791_SECRET, "Secret" },
784 {IPSEC_RFC791_TOPSECRET, "Top secret" },
785 {IPSEC_RFC791_RESERVED1, "Reserved" },
786 {IPSEC_RFC791_RESERVED2, "Reserved" },
787 {IPSEC_RFC791_RESERVED3, "Reserved" },
788 {IPSEC_RFC791_RESERVED4, "Reserved" },
789 {IPSEC_RFC791_RESERVED5, "Reserved" },
790 {IPSEC_RFC791_RESERVED6, "Reserved" },
791 {IPSEC_RFC791_RESERVED7, "Reserved" },
792 {IPSEC_RFC791_RESERVED8, "Reserved" },
796 static const value_string sec_cl_vals[] = {
797 {IPSEC_RESERVED4, "Reserved 4" },
798 {IPSEC_TOPSECRET, "Top secret" },
799 {IPSEC_SECRET, "Secret" },
800 {IPSEC_CONFIDENTIAL, "Confidential"},
801 {IPSEC_RESERVED3, "Reserved 3" },
802 {IPSEC_RESERVED2, "Reserved 2" },
803 {IPSEC_UNCLASSIFIED, "Unclassified"},
804 {IPSEC_RESERVED1, "Reserved 1" },
808 static const true_false_string ip_opt_sec_prot_auth_flag_tfs = {
809 "Datagram protected in accordance with its rules",
810 "Datagram not protected in accordance with its rules"
813 static const true_false_string ip_opt_sec_prot_auth_fti_tfs = {
814 "Additional octet present",
818 static const int *ip_opt_sec_prot_auth_fields_byte_1[] = {
819 &hf_ip_opt_sec_prot_auth_genser,
820 &hf_ip_opt_sec_prot_auth_siop_esi,
821 &hf_ip_opt_sec_prot_auth_sci,
822 &hf_ip_opt_sec_prot_auth_nsa,
823 &hf_ip_opt_sec_prot_auth_doe,
824 &hf_ip_opt_sec_prot_auth_unassigned,
825 &hf_ip_opt_sec_prot_auth_fti,
829 static const int *ip_opt_sec_prot_auth_fields_byte_n[] = {
830 &hf_ip_opt_sec_prot_auth_unassigned2,
831 &hf_ip_opt_sec_prot_auth_fti,
835 dissect_ipopt_security(const ip_tcp_opt *optp, tvbuff_t *tvb, int offset,
836 guint optlen, packet_info *pinfo, proto_tree *opt_tree,
839 proto_tree *field_tree;
843 guint curr_offset = offset;
845 field_tree = proto_tree_add_subtree_format(opt_tree, tvb, curr_offset, optlen, *optp->subtree_index, &tf,
846 "%s (%u bytes)", optp->name, optlen);
847 dissect_ipopt_type(tvb, curr_offset, field_tree, &IP_OPT_TYPES);
849 tf_sub = proto_tree_add_item(field_tree, hf_ip_opt_len, tvb, curr_offset, 1, ENC_NA);
850 if (optlen > IPOLEN_MAX)
851 expert_add_info(pinfo, tf_sub, &ei_ip_opt_len_invalid);
855 /* Analyze payload start to decide whether it should be dissected
856 according to RFC 791 or RFC 1108 */
857 val = tvb_get_ntohs(tvb, curr_offset);
858 if (try_val_to_str(val, secl_rfc791_vals)) {
859 /* Dissect as RFC 791 */
860 proto_tree_add_item(field_tree, hf_ip_opt_sec_rfc791_sec,
861 tvb, curr_offset, 2, ENC_BIG_ENDIAN);
863 proto_tree_add_item(field_tree, hf_ip_opt_sec_rfc791_comp,
864 tvb, curr_offset, 2, ENC_BIG_ENDIAN);
866 proto_tree_add_item(field_tree, hf_ip_opt_sec_rfc791_hr,
867 tvb, curr_offset, 2, ENC_ASCII|ENC_NA);
869 proto_tree_add_item(field_tree, hf_ip_opt_sec_rfc791_tcc,
870 tvb, curr_offset, 3, ENC_ASCII|ENC_NA);
875 /* Dissect as RFC 108 */
876 proto_tree_add_item(field_tree, hf_ip_opt_sec_cl, tvb, curr_offset, 1, ENC_BIG_ENDIAN);
878 if ((curr_offset - offset) >= optlen) {
881 val = tvb_get_guint8(tvb, curr_offset);
882 proto_tree_add_bitmask(field_tree, tvb, curr_offset, hf_ip_opt_sec_prot_auth_flags,
883 ett_ip_opt_sec_prot_auth_flags, ip_opt_sec_prot_auth_fields_byte_1,
887 if ((val & 0x01) && ((curr_offset - offset) == optlen)) {
888 expert_add_info(pinfo, tf_sub, &ei_ip_opt_sec_prot_auth_fti);
891 val = tvb_get_guint8(tvb, curr_offset);
892 proto_tree_add_bitmask(field_tree, tvb, curr_offset, hf_ip_opt_sec_prot_auth_flags,
893 ett_ip_opt_sec_prot_auth_flags, ip_opt_sec_prot_auth_fields_byte_n,
897 if ((curr_offset - offset) < optlen) {
898 expert_add_info(pinfo, tf, &ei_ip_extraneous_data);
903 dissect_ipopt_ext_security(const ip_tcp_opt *optp, tvbuff_t *tvb, int offset,
904 guint optlen, packet_info *pinfo, proto_tree *opt_tree,
907 proto_tree *field_tree;
909 guint curr_offset = offset;
912 field_tree = proto_tree_add_subtree_format(opt_tree, tvb, curr_offset, optlen,
913 *optp->subtree_index, NULL, "%s (%u bytes)", optp->name, optlen);
914 dissect_ipopt_type(tvb, curr_offset, field_tree, &IP_OPT_TYPES);
916 tf_sub = proto_tree_add_item(field_tree, hf_ip_opt_len, tvb, curr_offset, 1, ENC_NA);
917 if (optlen > IPOLEN_MAX)
918 expert_add_info(pinfo, tf_sub, &ei_ip_opt_len_invalid);
920 proto_tree_add_item(field_tree, hf_ip_opt_ext_sec_add_sec_info_format_code, tvb, curr_offset, 1, ENC_BIG_ENDIAN);
922 remaining = optlen - (curr_offset - offset);
924 proto_tree_add_item(field_tree, hf_ip_opt_ext_sec_add_sec_info, tvb, curr_offset, remaining, ENC_NA);
928 /* USHRT_MAX can hold at most 5 (base 10) digits (6 for the NULL byte) */
929 #define USHRT_MAX_STRLEN 6
931 /* Maximum CIPSO tag length:
932 * (IP hdr max)60 - (IPv4 hdr std)20 - (CIPSO base)6 = 34 */
933 #define CIPSO_TAG_LEN_MAX 34
935 /* The Commercial IP Security Option (CIPSO) is defined in IETF draft
936 * draft-ietf-cipso-ipsecurity-01.txt and FIPS 188, a copy of both documents
937 * can be found at the NetLabel project page, http://netlabel.sf.net or at
938 * http://tools.ietf.org/html/draft-ietf-cipso-ipsecurity-01 */
939 static const value_string cipso_tag_type_vals[] = {
941 {1, "Restrictive Category Bitmap"},
942 {2, "Enumerated Categories"},
943 {5, "Ranged Categories"},
944 {6, "Permissive Categories"},
951 dissect_ipopt_cipso(const ip_tcp_opt *optp, tvbuff_t *tvb, int offset,
952 guint optlen, packet_info *pinfo, proto_tree *opt_tree,
955 proto_tree *field_tree;
956 proto_item *tf, *tag_item;
957 guint tagtype, taglen;
958 int offset_max = offset + optlen;
960 field_tree = proto_tree_add_subtree_format(opt_tree, tvb, offset, optlen, *optp->subtree_index, &tf,
961 "%s (%u bytes)", optp->name, optlen);
962 dissect_ipopt_type(tvb, offset, field_tree, &IP_OPT_TYPES);
963 tf = proto_tree_add_item(field_tree, hf_ip_opt_len, tvb, offset + 1, 1, ENC_NA);
964 if (optlen > IPOLEN_MAX)
965 expert_add_info(pinfo, tf, &ei_ip_opt_len_invalid);
969 proto_tree_add_item(field_tree, hf_ip_cipso_doi, tvb, offset, 4, ENC_BIG_ENDIAN);
972 /* loop through all of the tags in the CIPSO option */
973 while (offset < offset_max) {
974 tagtype = tvb_get_guint8(tvb, offset);
975 tag_item = proto_tree_add_item(field_tree, hf_ip_cipso_tag_type, tvb, offset, 1, ENC_NA);
977 if ((offset + 1) < offset_max)
978 taglen = tvb_get_guint8(tvb, offset + 1);
984 /* padding - skip this tag */
988 /* restrictive bitmap, see CIPSO draft section 3.4.2 for tag format */
989 if ((taglen < 4) || (taglen > CIPSO_TAG_LEN_MAX) ||
990 ((offset + (int)taglen - 1) > offset_max)) {
991 expert_add_info(pinfo, tag_item, &ei_ip_cipso_tag);
995 /* skip past alignment octet */
998 proto_tree_add_item(field_tree, hf_ip_cipso_sensitivity_level, tvb, offset, 1, ENC_NA);
1003 guint byte_spot = 0;
1004 unsigned char bitmask;
1006 char *cat_str_tmp = (char *)wmem_alloc(wmem_packet_scope(), USHRT_MAX_STRLEN);
1008 const guint8 *val_ptr = tvb_get_ptr(tvb, offset, taglen - 4);
1010 /* this is just a guess regarding string size, but we grow it below
1013 cat_str = (char *)wmem_alloc0(wmem_packet_scope(), cat_str_len);
1015 /* we checked the length above so the highest category value
1016 * possible here is 240 */
1017 while (byte_spot < (taglen - 4)) {
1020 while (bit_spot < 8) {
1021 if (val_ptr[byte_spot] & bitmask) {
1022 g_snprintf(cat_str_tmp, USHRT_MAX_STRLEN, "%u",
1023 byte_spot * 8 + bit_spot);
1024 if (cat_str_len < (strlen(cat_str) + 2 + USHRT_MAX_STRLEN)) {
1027 while (cat_str_len < (strlen(cat_str) + 2 + USHRT_MAX_STRLEN))
1028 cat_str_len += cat_str_len;
1029 cat_str_new = (char *)wmem_alloc(wmem_packet_scope(), cat_str_len);
1030 g_strlcpy(cat_str_new, cat_str, cat_str_len);
1031 cat_str_new[cat_str_len - 1] = '\0';
1032 cat_str = cat_str_new;
1034 if (cat_str[0] != '\0')
1035 g_strlcat(cat_str, ",", cat_str_len);
1036 g_strlcat(cat_str, cat_str_tmp, cat_str_len);
1045 proto_tree_add_string(field_tree, hf_ip_cipso_categories, tvb, offset, taglen - 4, cat_str);
1047 proto_tree_add_string(field_tree, hf_ip_cipso_categories, tvb, offset, taglen - 4, "ERROR PARSING CATEGORIES");
1048 offset += taglen - 4;
1052 /* enumerated categories, see CIPSO draft section 3.4.3 for tag format */
1053 if ((taglen < 4) || (taglen > CIPSO_TAG_LEN_MAX) ||
1054 ((offset + (int)taglen - 1) > offset_max)) {
1055 expert_add_info(pinfo, tag_item, &ei_ip_cipso_tag);
1059 /* skip past alignment octet */
1062 /* sensitivity level */
1063 proto_tree_add_item(field_tree, hf_ip_cipso_sensitivity_level, tvb, offset, 1, ENC_NA);
1067 int offset_max_cat = offset + taglen - 4;
1068 char *cat_str = (char *)wmem_alloc0(wmem_packet_scope(), USHRT_MAX_STRLEN * 15);
1069 char *cat_str_tmp = (char *)wmem_alloc(wmem_packet_scope(), USHRT_MAX_STRLEN);
1071 while ((offset + 2) <= offset_max_cat) {
1072 g_snprintf(cat_str_tmp, USHRT_MAX_STRLEN, "%u",
1073 tvb_get_ntohs(tvb, offset));
1075 if (cat_str[0] != '\0')
1076 g_strlcat(cat_str, ",", USHRT_MAX_STRLEN * 15);
1077 g_strlcat(cat_str, cat_str_tmp, USHRT_MAX_STRLEN * 15);
1080 proto_tree_add_string(field_tree, hf_ip_cipso_categories, tvb, offset - taglen + 4, taglen - 4, cat_str);
1084 /* ranged categories, see CIPSO draft section 3.4.4 for tag format */
1085 if ((taglen < 4) || (taglen > CIPSO_TAG_LEN_MAX) ||
1086 ((offset + (int)taglen - 1) > offset_max)) {
1087 expert_add_info(pinfo, tag_item, &ei_ip_cipso_tag);
1091 /* skip past alignment octet */
1094 /* sensitivity level */
1095 proto_tree_add_item(field_tree, hf_ip_cipso_sensitivity_level, tvb, offset, 1, ENC_NA);
1099 guint16 cat_low, cat_high;
1100 int offset_max_cat = offset + taglen - 4;
1101 char *cat_str = (char *)wmem_alloc0(wmem_packet_scope(), USHRT_MAX_STRLEN * 16);
1102 char *cat_str_tmp = (char *)wmem_alloc(wmem_packet_scope(), USHRT_MAX_STRLEN * 2);
1104 while ((offset + 2) <= offset_max_cat) {
1105 cat_high = tvb_get_ntohs(tvb, offset);
1106 if ((offset + 4) <= offset_max_cat) {
1107 cat_low = tvb_get_ntohs(tvb, offset + 2);
1113 if (cat_low != cat_high)
1114 g_snprintf(cat_str_tmp, USHRT_MAX_STRLEN * 2, "%u-%u",
1117 g_snprintf(cat_str_tmp, USHRT_MAX_STRLEN * 2, "%u", cat_high);
1119 if (cat_str[0] != '\0')
1120 g_strlcat(cat_str, ",", USHRT_MAX_STRLEN * 16);
1121 g_strlcat(cat_str, cat_str_tmp, USHRT_MAX_STRLEN * 16);
1124 proto_tree_add_string(field_tree, hf_ip_cipso_categories, tvb, offset - taglen + 4, taglen - 4, cat_str);
1128 /* permissive categories, see FIPS 188 section 6.9 for tag format */
1129 if ((taglen < 4) || (taglen > CIPSO_TAG_LEN_MAX) ||
1130 ((offset + (int)taglen - 1) > offset_max)) {
1131 expert_add_info(pinfo, tag_item, &ei_ip_cipso_tag);
1135 proto_tree_add_item(field_tree, hf_ip_cipso_tag_data, tvb, offset + 2, taglen - 2, ENC_NA);
1139 /* free form, see FIPS 188 section 6.10 for tag format */
1140 if ((taglen < 2) || (taglen > CIPSO_TAG_LEN_MAX) ||
1141 ((offset + (int)taglen - 1) > offset_max)) {
1142 expert_add_info(pinfo, tag_item, &ei_ip_cipso_tag);
1146 proto_tree_add_item(field_tree, hf_ip_cipso_tag_data, tvb, offset + 2, taglen - 2, ENC_NA);
1150 /* unknown tag - stop parsing this IPv4 option */
1151 if ((offset + 1) <= offset_max) {
1152 taglen = tvb_get_guint8(tvb, offset + 1);
1153 proto_item_append_text(tag_item, " (%u bytes)", taglen);
1162 dissect_option_route(proto_tree *tree, tvbuff_t *tvb, int offset, int hf,
1163 int hf_host, gboolean next)
1168 route = tvb_get_ipv4(tvb, offset);
1170 proto_tree_add_ipv4_format_value(tree, hf, tvb, offset, 4, route,
1172 tvb_ip_to_str(tvb, offset));
1174 proto_tree_add_ipv4(tree, hf, tvb, offset, 4, route);
1175 ti = proto_tree_add_string(tree, hf_host, tvb, offset, 4, get_hostname(route));
1176 PROTO_ITEM_SET_GENERATED(ti);
1177 PROTO_ITEM_SET_HIDDEN(ti);
1181 dissect_ipopt_route(const ip_tcp_opt *optp, tvbuff_t *tvb, int offset,
1182 guint optlen, packet_info *pinfo, proto_tree *opt_tree,
1185 proto_tree *field_tree;
1190 field_tree = proto_tree_add_subtree_format(opt_tree, tvb, offset, optlen, *optp->subtree_index, NULL,
1191 "%s (%u bytes)", optp->name, optlen);
1192 dissect_ipopt_type(tvb, offset, field_tree, &IP_OPT_TYPES);
1193 tf = proto_tree_add_item(field_tree, hf_ip_opt_len, tvb, offset + 1, 1, ENC_NA);
1194 if (optlen > IPOLEN_MAX)
1195 expert_add_info(pinfo, tf, &ei_ip_opt_len_invalid);
1196 ptr = tvb_get_guint8(tvb, offset + 2);
1197 tf = proto_tree_add_item(field_tree, hf_ip_opt_ptr, tvb, offset + 2, 1, ENC_NA);
1198 if ((ptr < (optp->optlen + 1)) || (ptr & 3)) {
1199 if (ptr < (optp->optlen + 1)) {
1200 expert_add_info(pinfo, tf, &ei_ip_opt_ptr_before_address);
1203 expert_add_info(pinfo, tf, &ei_ip_opt_ptr_middle_address);
1209 optoffset = 3; /* skip past type, length and pointer */
1210 for (optlen -= 3; optlen > 0; optlen -= 4, optoffset += 4) {
1212 expert_add_info(pinfo, tf, &ei_ip_subopt_too_long);
1217 /* This is a recorded route */
1218 dissect_option_route(field_tree, tvb, offset + optoffset, hf_ip_rec_rt,
1219 hf_ip_rec_rt_host, FALSE);
1220 } else if (optoffset == (len - 4)) {
1221 /* This is the the destination */
1224 const char *dst_host;
1226 addr = tvb_get_ipv4(tvb, offset + optoffset);
1227 dst_host = get_hostname(addr);
1228 proto_tree_add_ipv4(field_tree, hf_ip_dst, tvb,
1229 offset + optoffset, 4, addr);
1230 item = proto_tree_add_ipv4(field_tree, hf_ip_addr, tvb,
1231 offset + optoffset, 4, addr);
1232 PROTO_ITEM_SET_HIDDEN(item);
1233 item = proto_tree_add_string(field_tree, hf_ip_dst_host, tvb,
1234 offset + optoffset, 4, dst_host);
1235 PROTO_ITEM_SET_GENERATED(item);
1236 PROTO_ITEM_SET_HIDDEN(item);
1237 item = proto_tree_add_string(field_tree, hf_ip_host, tvb,
1238 offset + optoffset, 4, dst_host);
1239 PROTO_ITEM_SET_GENERATED(item);
1240 PROTO_ITEM_SET_HIDDEN(item);
1241 } else if ((optoffset + 1) < ptr) {
1242 /* This is also a recorded route */
1243 dissect_option_route(field_tree, tvb, offset + optoffset, hf_ip_rec_rt,
1244 hf_ip_rec_rt_host, FALSE);
1245 } else if ((optoffset + 1) == ptr) {
1246 /* This is the next source route. TODO: Should we use separate hf's
1247 * for this, such as hf_ip_next_rt and hf_ip_next_rt_host and avoid
1248 * having to pass TRUE/FALSE to dissect_option_route()? */
1249 dissect_option_route(field_tree, tvb, offset + optoffset, hf_ip_src_rt,
1250 hf_ip_src_rt_host, TRUE);
1252 /* This must be a source route */
1253 dissect_option_route(field_tree, tvb, offset + optoffset, hf_ip_src_rt,
1254 hf_ip_src_rt_host, FALSE);
1260 dissect_ipopt_record_route(const ip_tcp_opt *optp, tvbuff_t *tvb, int offset,
1261 guint optlen, packet_info *pinfo,
1262 proto_tree *opt_tree, void * data _U_)
1264 proto_tree *field_tree;
1269 field_tree = proto_tree_add_subtree_format(opt_tree, tvb, offset, optlen, *optp->subtree_index, NULL,
1270 "%s (%u bytes)", optp->name, optlen);
1271 dissect_ipopt_type(tvb, offset, field_tree, &IP_OPT_TYPES);
1272 tf = proto_tree_add_item(field_tree, hf_ip_opt_len, tvb, offset + 1, 1, ENC_NA);
1273 if (optlen > IPOLEN_MAX)
1274 expert_add_info(pinfo, tf, &ei_ip_opt_len_invalid);
1275 ptr = tvb_get_guint8(tvb, offset + 2);
1276 tf = proto_tree_add_item(field_tree, hf_ip_opt_ptr, tvb, offset + 2, 1, ENC_NA);
1278 if ((ptr < (optp->optlen + 1)) || (ptr & 3)) {
1279 if (ptr < (optp->optlen + 1)) {
1280 expert_add_info(pinfo, tf, &ei_ip_opt_ptr_before_address);
1283 expert_add_info(pinfo, tf, &ei_ip_opt_ptr_middle_address);
1289 optoffset = 3; /* skip past type, length and pointer */
1290 for (optlen -= 3; optlen > 0; optlen -= 4, optoffset += 4) {
1292 expert_add_info(pinfo, tf, &ei_ip_subopt_too_long);
1297 /* The recorded route data area is full. */
1298 dissect_option_route(field_tree, tvb, offset + optoffset, hf_ip_rec_rt,
1299 hf_ip_rec_rt_host, FALSE);
1300 } else if ((optoffset + 1) < ptr) {
1301 /* This is a recorded route */
1302 dissect_option_route(field_tree, tvb, offset + optoffset, hf_ip_rec_rt,
1303 hf_ip_rec_rt_host, FALSE);
1304 } else if ((optoffset + 1) == ptr) {
1305 /* This is the next available slot. TODO: Should we use separate hf's
1306 * for this, such as hf_ip_next_rt and hf_ip_next_rt_host and avoid
1307 * having to pass TRUE/FALSE to dissect_option_route()? */
1308 dissect_option_route(field_tree, tvb, offset + optoffset, hf_ip_empty_rt,
1309 hf_ip_empty_rt_host, TRUE);
1311 /* This must be an available slot too. */
1312 dissect_option_route(field_tree, tvb, offset + optoffset, hf_ip_empty_rt,
1313 hf_ip_empty_rt_host, FALSE);
1318 /* Stream Identifier */
1320 dissect_ipopt_sid(const ip_tcp_opt *optp, tvbuff_t *tvb, int offset,
1321 guint optlen, packet_info *pinfo, proto_tree *opt_tree,
1324 proto_tree *field_tree;
1327 field_tree = proto_tree_add_subtree_format(opt_tree, tvb, offset, optlen, *optp->subtree_index, NULL,
1328 "%s (%u bytes): %u", optp->name, optlen, tvb_get_ntohs(tvb, offset + 2));
1329 dissect_ipopt_type(tvb, offset, field_tree, &IP_OPT_TYPES);
1330 tf = proto_tree_add_item(field_tree, hf_ip_opt_len, tvb, offset + 1, 1, ENC_NA);
1331 if (optlen != (guint)optp->optlen)
1332 expert_add_info(pinfo, tf, &ei_ip_opt_len_invalid);
1333 proto_tree_add_item(field_tree, hf_ip_opt_sid, tvb, offset + 2, 2, ENC_BIG_ENDIAN);
1336 /* RFC 1063: MTU Probe and MTU Reply */
1338 dissect_ipopt_mtu(const ip_tcp_opt *optp, tvbuff_t *tvb, int offset,
1339 guint optlen, packet_info *pinfo, proto_tree *opt_tree,
1342 proto_tree *field_tree;
1345 field_tree = proto_tree_add_subtree_format(opt_tree, tvb, offset, optlen, *optp->subtree_index, NULL,
1346 "%s (%u bytes): %u", optp->name, optlen, tvb_get_ntohs(tvb, offset + 2));
1347 dissect_ipopt_type(tvb, offset, field_tree, &IP_OPT_TYPES);
1348 tf = proto_tree_add_item(field_tree, hf_ip_opt_len, tvb, offset + 1, 1, ENC_NA);
1349 if (optlen != (guint)optp->optlen)
1350 expert_add_info(pinfo, tf, &ei_ip_opt_len_invalid);
1351 proto_tree_add_item(field_tree, hf_ip_opt_mtu, tvb, offset + 2, 2, ENC_BIG_ENDIAN);
1354 /* RFC 1393: Traceroute */
1356 dissect_ipopt_tr(const ip_tcp_opt *optp, tvbuff_t *tvb, int offset,
1357 guint optlen, packet_info *pinfo, proto_tree *opt_tree,
1360 proto_tree *field_tree;
1363 field_tree = proto_tree_add_subtree_format(opt_tree, tvb, offset, optlen, *optp->subtree_index, NULL,
1364 "%s (%u bytes)", optp->name, optlen);
1365 dissect_ipopt_type(tvb, offset, field_tree, &IP_OPT_TYPES);
1366 tf = proto_tree_add_item(field_tree, hf_ip_opt_len, tvb, offset + 1, 1, ENC_NA);
1367 if (optlen != (guint)optp->optlen)
1368 expert_add_info(pinfo, tf, &ei_ip_opt_len_invalid);
1370 proto_tree_add_item(field_tree, hf_ip_opt_id_number, tvb, offset + 2, 2, ENC_BIG_ENDIAN);
1371 proto_tree_add_item(field_tree, hf_ip_opt_ohc, tvb, offset + 4, 2, ENC_BIG_ENDIAN);
1372 proto_tree_add_item(field_tree, hf_ip_opt_rhc, tvb, offset + 6, 2, ENC_BIG_ENDIAN);
1373 proto_tree_add_item(field_tree, hf_ip_opt_originator, tvb, offset + 8, 4, ENC_BIG_ENDIAN);
1376 static const value_string ipopt_timestamp_flag_vals[] = {
1377 {IPOPT_TS_TSONLY, "Time stamps only" },
1378 {IPOPT_TS_TSANDADDR, "Time stamp and address" },
1379 {IPOPT_TS_PRESPEC, "Time stamps for prespecified addresses"},
1383 dissect_ipopt_timestamp(const ip_tcp_opt *optp, tvbuff_t *tvb,
1384 int offset, guint optlen, packet_info *pinfo,
1385 proto_tree *opt_tree, void * data _U_)
1387 proto_tree *field_tree;
1394 field_tree = proto_tree_add_subtree_format(opt_tree, tvb, offset, optlen, *optp->subtree_index, NULL,
1395 "%s (%u bytes)", optp->name, optlen);
1396 dissect_ipopt_type(tvb, offset, field_tree, &IP_OPT_TYPES);
1397 tf = proto_tree_add_item(field_tree, hf_ip_opt_len, tvb, offset + 1, 1, ENC_NA);
1398 if (optlen > IPOLEN_MAX)
1399 expert_add_info(pinfo, tf, &ei_ip_opt_len_invalid);
1400 optoffset += 2; /* skip past type and length */
1401 optlen -= 2; /* subtract size of type and length */
1403 ptr = tvb_get_guint8(tvb, offset + optoffset);
1404 proto_tree_add_uint_format_value(field_tree, hf_ip_opt_ptr, tvb, offset + optoffset, 1, ptr, "%d%s",
1405 ptr, ((ptr == 1) ? " (header is full)" :
1406 (ptr < 5) ? " (points before first address)" :
1407 (((ptr - 1) & 3) ? " (points to middle of field)" : "")));
1410 ptr--; /* ptr is 1-origin */
1412 flg = tvb_get_guint8(tvb, offset + optoffset);
1413 proto_tree_add_item(field_tree, hf_ip_opt_overflow, tvb, offset + optoffset, 1, ENC_NA);
1415 proto_tree_add_item(field_tree, hf_ip_opt_flag, tvb, offset + optoffset, 1, ENC_NA);
1419 while (optlen > 0) {
1420 if (flg == IPOPT_TS_TSANDADDR || flg == IPOPT_TS_PRESPEC) {
1422 proto_tree_add_expert(field_tree, pinfo, &ei_ip_subopt_too_long, tvb, offset + optoffset, optlen);
1425 addr = tvb_get_ipv4(tvb, offset + optoffset);
1426 proto_tree_add_ipv4_format_value(field_tree, hf_ip_opt_time_stamp_addr, tvb, offset + optoffset, 4, addr,
1427 "%s", ((addr == 0) ? "-" : get_hostname(addr)));
1431 proto_tree_add_item(field_tree, hf_ip_opt_time_stamp, tvb, offset + optoffset, 4, ENC_BIG_ENDIAN);
1436 proto_tree_add_expert(field_tree, pinfo, &ei_ip_subopt_too_long, tvb, offset + optoffset, optlen);
1439 proto_tree_add_item(field_tree, hf_ip_opt_time_stamp, tvb, offset + optoffset, 4, ENC_BIG_ENDIAN);
1447 static const range_string ra_rvals[] = {
1448 {0, 0, "Router shall examine packet"},
1449 {1, 65535, "Reserved"},
1454 dissect_ipopt_ra(const ip_tcp_opt *optp, tvbuff_t *tvb, int offset,
1455 guint optlen, packet_info *pinfo, proto_tree *opt_tree,
1458 /* Router-Alert, as defined by RFC2113 */
1459 proto_tree *field_tree;
1461 guint16 value = tvb_get_ntohs(tvb, offset + 2);
1463 field_tree = proto_tree_add_subtree_format(opt_tree, tvb, offset, optlen,
1464 *optp->subtree_index, NULL, "%s (%u bytes): %s (%u)", optp->name, optlen,
1465 rval_to_str(value, ra_rvals, "Unknown (%u)"),
1467 dissect_ipopt_type(tvb, offset, field_tree, &IP_OPT_TYPES);
1468 tf = proto_tree_add_item(field_tree, hf_ip_opt_len, tvb, offset + 1, 1, ENC_NA);
1469 if (optlen != (guint)optp->optlen)
1470 expert_add_info(pinfo, tf, &ei_ip_opt_len_invalid);
1471 proto_tree_add_item(field_tree, hf_ip_opt_ra, tvb, offset + 2, 2, ENC_BIG_ENDIAN);
1474 /* RFC 1770: Selective Directed Broadcast */
1476 dissect_ipopt_sdb(const ip_tcp_opt *optp, tvbuff_t *tvb, int offset,
1477 guint optlen, packet_info *pinfo, proto_tree *opt_tree,
1480 proto_tree *field_tree;
1483 field_tree = proto_tree_add_subtree_format(opt_tree, tvb, offset, optlen, *optp->subtree_index, NULL,
1484 "%s (%u bytes)", optp->name, optlen);
1485 dissect_ipopt_type(tvb, offset, field_tree, &IP_OPT_TYPES);
1486 tf = proto_tree_add_item(field_tree, hf_ip_opt_len, tvb, offset + 1, 1, ENC_NA);
1487 if (optlen > IPOLEN_MAX)
1488 expert_add_info(pinfo, tf, &ei_ip_opt_len_invalid);
1489 for (offset += 2, optlen -= 2; optlen >= 4; offset += 4, optlen -= 4)
1490 proto_tree_add_item(field_tree, hf_ip_opt_addr, tvb, offset, 4, ENC_BIG_ENDIAN);
1493 proto_tree_add_item(field_tree, hf_ip_opt_padding, tvb, offset, optlen, ENC_NA);
1496 const value_string qs_func_vals[] = {
1497 {QS_RATE_REQUEST, "Rate request"},
1498 {QS_RATE_REPORT, "Rate report"},
1502 static const value_string qs_rate_vals[] = {
1508 { 5, "1.28 Mbit/s"},
1509 { 6, "2.56 Mbit/s"},
1510 { 7, "5.12 Mbit/s"},
1511 { 8, "10.24 Mbit/s"},
1512 { 9, "20.48 Mbit/s"},
1513 {10, "40.96 Mbit/s"},
1514 {11, "81.92 Mbit/s"},
1515 {12, "163.84 Mbit/s"},
1516 {13, "327.68 Mbit/s"},
1517 {14, "655.36 Mbit/s"},
1518 {15, "1.31072 Gbit/s"},
1521 value_string_ext qs_rate_vals_ext = VALUE_STRING_EXT_INIT(qs_rate_vals);
1524 dissect_ipopt_qs(const ip_tcp_opt *optp, tvbuff_t *tvb, int offset,
1525 guint optlen, packet_info *pinfo, proto_tree *opt_tree,
1528 proto_tree *field_tree;
1531 ws_ip *iph = (ws_ip*)data;
1533 guint8 command = tvb_get_guint8(tvb, offset + 2);
1534 guint8 function = command >> 4;
1535 guint8 rate = command & QS_RATE_MASK;
1538 field_tree = proto_tree_add_subtree_format(opt_tree, tvb, offset, optlen,
1539 *optp->subtree_index, NULL, "%s (%u bytes): %s (%u)", optp->name, optlen,
1540 val_to_str(function, qs_func_vals, "Unknown (%u)"),
1543 dissect_ipopt_type(tvb, offset, field_tree, &IP_OPT_TYPES);
1544 tf = proto_tree_add_item(field_tree, hf_ip_opt_len, tvb, offset + 1, 1, ENC_NA);
1545 if (optlen != (guint)optp->optlen)
1546 expert_add_info(pinfo, tf, &ei_ip_opt_len_invalid);
1547 proto_tree_add_item(field_tree, hf_ip_opt_qs_func, tvb, offset + 2, 1, ENC_NA);
1549 if (function == QS_RATE_REQUEST) {
1550 proto_tree_add_item(field_tree, hf_ip_opt_qs_rate, tvb, offset + 2, 1, ENC_NA);
1551 proto_tree_add_item(field_tree, hf_ip_opt_qs_ttl, tvb, offset + 3, 1, ENC_NA);
1552 ttl_diff = (iph->ip_ttl - tvb_get_guint8(tvb, offset + 3) % 256);
1553 ti = proto_tree_add_uint_format_value(field_tree, hf_ip_opt_qs_ttl_diff,
1554 tvb, offset + 3, 1, ttl_diff,
1556 PROTO_ITEM_SET_GENERATED(ti);
1557 proto_item_append_text(tf, ", %s, QS TTL %u, QS TTL diff %u",
1558 val_to_str_ext(rate, &qs_rate_vals_ext, "Unknown (%u)"),
1559 tvb_get_guint8(tvb, offset + 3), ttl_diff);
1560 proto_tree_add_item(field_tree, hf_ip_opt_qs_nonce, tvb, offset + 4, 4, ENC_BIG_ENDIAN);
1561 proto_tree_add_item(field_tree, hf_ip_opt_qs_reserved, tvb, offset + 4, 4, ENC_BIG_ENDIAN);
1562 } else if (function == QS_RATE_REPORT) {
1563 proto_tree_add_item(field_tree, hf_ip_opt_qs_rate, tvb, offset + 2, 1, ENC_NA);
1564 proto_item_append_text(tf, ", %s",
1565 val_to_str_ext(rate, &qs_rate_vals_ext, "Unknown (%u)"));
1566 proto_tree_add_item(field_tree, hf_ip_opt_qs_unused, tvb, offset + 3, 1, ENC_NA);
1567 proto_tree_add_item(field_tree, hf_ip_opt_qs_nonce, tvb, offset + 4, 4, ENC_BIG_ENDIAN);
1568 proto_tree_add_item(field_tree, hf_ip_opt_qs_reserved, tvb, offset + 4, 4, ENC_BIG_ENDIAN);
1572 static const ip_tcp_opt ipopts[] = {
1573 {IPOPT_EOOL, "End of Options List (EOL)", &ett_ip_option_eool,
1574 OPT_LEN_NO_LENGTH, 0, dissect_ipopt_eool},
1575 {IPOPT_NOP, "No Operation (NOP)", &ett_ip_option_nop,
1576 OPT_LEN_NO_LENGTH, 0, dissect_ipopt_nop},
1577 {IPOPT_SEC, "Security", &ett_ip_option_sec,
1578 OPT_LEN_VARIABLE_LENGTH, IPOLEN_SEC_MIN, dissect_ipopt_security},
1579 {IPOPT_LSR, "Loose Source Route", &ett_ip_option_route,
1580 OPT_LEN_VARIABLE_LENGTH, IPOLEN_LSR_MIN, dissect_ipopt_route},
1581 {IPOPT_TS, "Time Stamp", &ett_ip_option_timestamp,
1582 OPT_LEN_VARIABLE_LENGTH, IPOLEN_TS_MIN, dissect_ipopt_timestamp},
1583 {IPOPT_ESEC, "Extended Security", &ett_ip_option_ext_security,
1584 OPT_LEN_VARIABLE_LENGTH, IPOLEN_ESEC_MIN, dissect_ipopt_ext_security},
1585 {IPOPT_CIPSO, "Commercial Security", &ett_ip_option_cipso,
1586 OPT_LEN_VARIABLE_LENGTH, IPOLEN_CIPSO_MIN, dissect_ipopt_cipso},
1587 {IPOPT_RR, "Record Route", &ett_ip_option_route,
1588 OPT_LEN_VARIABLE_LENGTH, IPOLEN_RR_MIN, dissect_ipopt_record_route},
1589 {IPOPT_SID, "Stream ID", &ett_ip_option_sid,
1590 OPT_LEN_FIXED_LENGTH, IPOLEN_SID, dissect_ipopt_sid},
1591 {IPOPT_SSR, "Strict Source Route", &ett_ip_option_route,
1592 OPT_LEN_VARIABLE_LENGTH, IPOLEN_SSR_MIN, dissect_ipopt_route},
1594 {IPOPT_ZSU, "Experimental Measurement", &ett_ip_option_zsu,
1595 OPT_LEN_VARIABLE_LENGTH /* ? */, IPOLEN_ZSU_MIN, dissect_ipopt_zsu},
1597 {IPOPT_MTUP, "MTU Probe", &ett_ip_option_mtu,
1598 OPT_LEN_FIXED_LENGTH, IPOLEN_MTU, dissect_ipopt_mtu},
1599 {IPOPT_MTUR, "MTU Reply", &ett_ip_option_mtu,
1600 OPT_LEN_FIXED_LENGTH, IPOLEN_MTU, dissect_ipopt_mtu},
1602 {IPOPT_FINN, "Experimental Flow Control", &ett_ip_option_finn,
1603 OPT_LEN_VARIABLE_LENGTH /* ? */, IPOLEN_FINN_MIN, dissect_ipopt_finn},
1604 {IPOPT_VISA, "Experimental Access Control", &ett_ip_option_visa,
1605 OPT_LEN_VARIABLE_LENGTH /* ? */, IPOLEN_VISA_MIN, dissect_ipopt_visa},
1606 {IPOPT_ENCODE, "???", &ett_ip_option_encode,
1607 OPT_LEN_VARIABLE_LENGTH /* ? */, IPOLEN_ENCODE_MIN, dissect_ipopt_encode},
1608 {IPOPT_IMITD, "IMI Traffic Descriptor", &ett_ip_option_imitd,
1609 OPT_LEN_VARIABLE_LENGTH /* ? */, IPOLEN_IMITD_MIN, dissect_ipopt_imitd},
1610 {IPOPT_EIP, "Extended Internet Protocol", &ett_ip_option_eip,
1611 OPT_LEN_VARIABLE_LENGTH /* ? */, IPOLEN_EIP_MIN, dissect_ipopt_eip},
1613 {IPOPT_TR, "Traceroute", &ett_ip_option_tr,
1614 OPT_LEN_FIXED_LENGTH, IPOLEN_TR, dissect_ipopt_tr},
1616 {IPOPT_ADDEXT, "Address Extension", &ett_ip_option_addext,
1617 OPT_LEN_VARIABLE_LENGTH /* ? */, IPOLEN_ADDEXT_MIN, dissect_ipopt_addext},
1619 {IPOPT_RTRALT, "Router Alert", &ett_ip_option_ra,
1620 OPT_LEN_FIXED_LENGTH, IPOLEN_RA, dissect_ipopt_ra},
1621 {IPOPT_SDB, "Selective Directed Broadcast", &ett_ip_option_sdb,
1622 OPT_LEN_VARIABLE_LENGTH, IPOLEN_SDB_MIN, dissect_ipopt_sdb},
1624 {IPOPT_UN, "Unassigned", &ett_ip_option_un,
1625 OPT_LEN_VARIABLE_LENGTH /* ? */, IPOLEN_UN_MIN, dissect_ipopt_un},
1626 {IPOPT_DPS, "Dynamic Packet State", &ett_ip_option_dps,
1627 OPT_LEN_VARIABLE_LENGTH /* ? */, IPOLEN_DPS_MIN, dissect_ipopt_dps},
1628 {IPOPT_UMP, "Upstream Multicast Pkt.", &ett_ip_option_ump,
1629 OPT_LEN_VARIABLE_LENGTH /* ? */, IPOLEN_UMP_MIN, dissect_ipopt_ump},
1631 {IPOPT_QS, "Quick-Start", &ett_ip_option_qs,
1632 OPT_LEN_FIXED_LENGTH, IPOLEN_QS, dissect_ipopt_qs}
1634 {IPOPT_EXP, "RFC3692-style Experiment", &ett_ip_option_exp,
1635 OPT_LEN_VARIABLE_LENGTH /* ? */, IPOLEN_EXP_MIN, dissect_ipopt_exp}
1639 #define N_IP_OPTS array_length(ipopts)
1641 /* Dissect the IP, TCP or various PPP protocols (IPCP, CP, LCP, VSNCP, BAP)
1642 * options in a packet. */
1644 dissect_ip_tcp_options(tvbuff_t *tvb, int offset, guint length,
1645 const ip_tcp_opt *opttab, int nopts, int eol,
1646 ip_tcp_opt_type* opttypes, expert_field* ei_bad,
1647 packet_info *pinfo, proto_tree *opt_tree,
1648 proto_item *opt_item, void * data)
1651 const ip_tcp_opt *optp;
1652 opt_len_type len_type;
1653 unsigned int optlen;
1655 void (*dissect)(const struct ip_tcp_opt *, tvbuff_t *,
1656 int, guint, packet_info *, proto_tree *,
1658 guint len, nop_count = 0;
1660 while (length > 0) {
1661 opt = tvb_get_guint8(tvb, offset);
1662 for (optp = &opttab[0]; optp < &opttab[nopts]; optp++) {
1663 if (optp->optcode == opt)
1666 if (optp == &opttab[nopts]) {
1667 /* We assume that the only OPT_LEN_NO_LENGTH options are EOL and NOP options,
1668 so that we can treat unknown options as OPT_LEN_VARIABLE_LENGTH with a
1669 minimum of 2, and at least be able to move on to the next option
1670 by using the length in the option. */
1671 optp = NULL; /* indicate that we don't know this option */
1672 len_type = OPT_LEN_VARIABLE_LENGTH;
1674 name = wmem_strdup_printf(wmem_packet_scope(), "Unknown (0x%02x)", opt);
1678 len_type = optp->len_type;
1679 optlen = optp->optlen;
1681 dissect = optp->dissect;
1682 if (opt_item && len_type == OPT_LEN_NO_LENGTH && optlen == 0 && opt == 1 &&
1683 (nop_count == 0 || offset % 4)) { /* opt 1 = NOP in both IP and TCP */
1684 /* Count number of NOP in a row within a uint32 */
1690 --length; /* account for type byte */
1691 if (len_type != OPT_LEN_NO_LENGTH) {
1692 /* Option has a length. Is it in the packet? */
1694 /* Bogus - packet must at least include option code byte and
1696 proto_tree_add_expert_format(opt_tree, pinfo, ei_bad, tvb, offset, 1,
1697 "%s (length byte past end of options)", name);
1700 len = tvb_get_guint8(tvb, offset + 1); /* total including type, len */
1701 --length; /* account for length byte */
1703 /* Bogus - option length is too short to include option code and
1705 proto_tree_add_expert_format(opt_tree, pinfo, ei_bad, tvb, offset, 2,
1706 "%s (with too-short option length = %u byte%s)",
1707 name, len, plurality(len, "", "s"));
1709 } else if (len - 2 > length) {
1710 /* Bogus - option goes past the end of the header. */
1711 proto_tree_add_expert_format(opt_tree, pinfo, ei_bad, tvb, offset, length,
1712 "%s (option length = %u byte%s says option goes past end of options)",
1713 name, len, plurality(len, "", "s"));
1715 } else if (len_type == OPT_LEN_FIXED_LENGTH && len != optlen) {
1716 /* Bogus - option length isn't what it's supposed to be for this
1718 proto_tree_add_expert_format(opt_tree, pinfo, ei_bad, tvb, offset, len,
1719 "%s (with option length = %u byte%s; should be %u)",
1720 name, len, plurality(len, "", "s"), optlen);
1722 } else if (len_type == OPT_LEN_VARIABLE_LENGTH && len < optlen) {
1723 /* Bogus - option length is less than what it's supposed to be for
1725 proto_tree_add_expert_format(opt_tree, pinfo, ei_bad, tvb, offset, len,
1726 "%s (with option length = %u byte%s; should be >= %u)",
1727 name, len, plurality(len, "", "s"), optlen);
1731 proto_tree_add_subtree_format(opt_tree, tvb, offset, len, ett_unknown_ip_tcp_opt, NULL, "%s (%u byte%s)",
1732 name, len, plurality(len, "", "s"));
1734 if (dissect != NULL) {
1735 /* Option has a dissector. */
1736 proto_item_append_text(proto_tree_get_parent(opt_tree), ", %s",
1738 (*dissect)(optp, tvb, offset, len, pinfo, opt_tree, data);
1740 proto_tree *field_tree;
1742 /* Option has no data, hence no dissector. */
1743 proto_item_append_text(proto_tree_get_parent(opt_tree), ", %s",
1745 field_tree = proto_tree_add_subtree(opt_tree, tvb, offset, len, ett_ip_option_other, NULL, name);
1746 dissect_ipopt_type(tvb, offset, field_tree, opttypes);
1749 len -= 2; /* subtract size of type and length */
1754 if (dissect != NULL) {
1755 proto_item_append_text(proto_tree_get_parent(opt_tree), ", %s",
1757 (*dissect)(optp, tvb, offset, 1, pinfo, opt_tree, data);
1759 proto_tree *field_tree;
1761 /* Option has no data, hence no dissector. */
1762 proto_item_append_text(proto_tree_get_parent(opt_tree), ", %s", name);
1763 field_tree = proto_tree_add_subtree(opt_tree, tvb, offset, 1, ett_ip_option_other, NULL, name);
1764 dissect_ipopt_type(tvb, offset, field_tree, opttypes);
1768 if (nop_count == 4 && strcmp (name, "No-Operation (NOP)") == 0) {
1769 expert_add_info(pinfo, opt_item, &ei_ip_nop);
1777 /* This function searches the IP options for either a loose or strict source
1778 * route option, then returns the offset to the destination address if the
1779 * pointer is still valid or zero if the pointer is greater than the length.
1781 * The guts of this function was taken from dissect_ip_tcp_options().
1784 get_dst_offset(tvbuff_t *tvb, int offset, guint length,
1785 const ip_tcp_opt *opttab, int nopts, int eol)
1788 const ip_tcp_opt *optp;
1789 opt_len_type len_type;
1790 unsigned int optlen;
1792 int orig_offset = offset;
1794 while (length > 0) {
1795 opt = tvb_get_guint8(tvb, offset);
1796 for (optp = &opttab[0]; optp < &opttab[nopts]; optp++) {
1797 if (optp->optcode == opt)
1800 if (optp == &opttab[nopts]) {
1801 /* We assume that the only NO_LENGTH options are EOL and NOP options,
1802 so that we can treat unknown options as VARIABLE_LENGTH with a
1803 minimum of 2, and at least be able to move on to the next option
1804 by using the length in the option. */
1805 optp = NULL; /* indicate that we don't know this option */
1806 len_type = OPT_LEN_VARIABLE_LENGTH;
1809 len_type = optp->len_type;
1810 optlen = optp->optlen;
1812 --length; /* account for type byte */
1813 if (len_type != OPT_LEN_NO_LENGTH) {
1814 /* Option has a length. Is it in the packet? */
1816 /* Bogus - packet must at least include option code byte and
1820 len = tvb_get_guint8(tvb, offset + 1); /* total including type, len */
1821 --length; /* account for length byte */
1823 /* Bogus - option length is too short to include option code and
1826 } else if (len - 2 > length) {
1827 /* Bogus - option goes past the end of the header. */
1829 } else if (len_type == OPT_LEN_FIXED_LENGTH && len != optlen) {
1830 /* Bogus - option length isn't what it's supposed to be for this
1833 } else if (len_type == OPT_LEN_VARIABLE_LENGTH && len < optlen) {
1834 /* Bogus - option length is less than what it's supposed to be for
1839 if (opt == IPOPT_SSR || opt == IPOPT_LSR) {
1840 /* Hmm, what if you have both options? */
1843 ptr = tvb_get_guint8(tvb, offset + 2);
1844 if (ptr < 4 || (ptr & 3) || (ptr > len)) {
1847 return (offset - orig_offset) + 4 + (len - 4);
1850 len -= 2; /* subtract size of type and length */
1863 /* Returns the valid ttl for the group address */
1865 local_network_control_block_addr_valid_ttl(guint32 addr)
1867 /* An exception list, as some protocols seem to insist on
1868 * doing differently:
1871 /* IETF's VRRP (rfc3768) */
1872 if (IPLOCAL_NETWRK_CTRL_BLK_VRRP_ADDR == addr)
1873 return IPLOCAL_NETWRK_CTRL_BLK_VRRP_TTL;
1875 if (IPLOCAL_NETWRK_CTRL_BLK_GLPB_ADDR == addr)
1876 return IPLOCAL_NETWRK_CTRL_BLK_GLPB_TTL;
1877 /* mDNS (draft-cheshire-dnsext-multicastdns-07) */
1878 if (IPLOCAL_NETWRK_CTRL_BLK_MDNS_ADDR == addr)
1879 return IPLOCAL_NETWRK_CTRL_BLK_MDNS_TTL;
1880 /* LLMNR (rfc4795) */
1881 if (IPLOCAL_NETWRK_CTRL_BLK_LLMNR_ADDR == addr)
1882 return IPLOCAL_NETWRK_CTRL_BLK_ANY_TTL;
1883 return IPLOCAL_NETWRK_CTRL_BLK_DEFAULT_TTL;
1886 static const value_string dscp_vals[] = {
1887 { IPDSFIELD_DSCP_DEFAULT, "Default" },
1888 { IPDSFIELD_DSCP_CS1, "Class Selector 1" },
1889 { IPDSFIELD_DSCP_AF11, "Assured Forwarding 11" },
1890 { IPDSFIELD_DSCP_AF12, "Assured Forwarding 12" },
1891 { IPDSFIELD_DSCP_AF13, "Assured Forwarding 13" },
1892 { IPDSFIELD_DSCP_CS2, "Class Selector 2" },
1893 { IPDSFIELD_DSCP_AF21, "Assured Forwarding 21" },
1894 { IPDSFIELD_DSCP_AF22, "Assured Forwarding 22" },
1895 { IPDSFIELD_DSCP_AF23, "Assured Forwarding 23" },
1896 { IPDSFIELD_DSCP_CS3, "Class Selector 3" },
1897 { IPDSFIELD_DSCP_AF31, "Assured Forwarding 31" },
1898 { IPDSFIELD_DSCP_AF32, "Assured Forwarding 32" },
1899 { IPDSFIELD_DSCP_AF33, "Assured Forwarding 33" },
1900 { IPDSFIELD_DSCP_CS4, "Class Selector 4" },
1901 { IPDSFIELD_DSCP_AF41, "Assured Forwarding 41" },
1902 { IPDSFIELD_DSCP_AF42, "Assured Forwarding 42" },
1903 { IPDSFIELD_DSCP_AF43, "Assured Forwarding 43" },
1904 { IPDSFIELD_DSCP_CS5, "Class Selector 5" },
1905 { IPDSFIELD_DSCP_EF, "Expedited Forwarding" },
1906 { IPDSFIELD_DSCP_CS6, "Class Selector 6" },
1907 { IPDSFIELD_DSCP_CS7, "Class Selector 7" },
1909 value_string_ext dscp_vals_ext = VALUE_STRING_EXT_INIT(dscp_vals);
1911 const value_string ecn_vals[] = {
1912 { IPDSFIELD_ECT_NOT, "Not-ECT (Not ECN-Capable Transport)" },
1913 { IPDSFIELD_ECT_1, "ECT(1) (ECN-Capable Transport)" },
1914 { IPDSFIELD_ECT_0, "ECT(0) (ECN-Capable Transport)" },
1915 { IPDSFIELD_CE, "CE (Congestion Experienced)" },
1918 static const value_string precedence_vals[] = {
1919 { IPTOS_PREC_ROUTINE, "routine" },
1920 { IPTOS_PREC_PRIORITY, "priority" },
1921 { IPTOS_PREC_IMMEDIATE, "immediate" },
1922 { IPTOS_PREC_FLASH, "flash" },
1923 { IPTOS_PREC_FLASHOVERRIDE, "flash override" },
1924 { IPTOS_PREC_CRITIC_ECP, "CRITIC/ECP" },
1925 { IPTOS_PREC_INTERNETCONTROL, "internetwork control" },
1926 { IPTOS_PREC_NETCONTROL, "network control" },
1929 static const value_string iptos_vals[] = {
1930 { IPTOS_NONE, "None" },
1931 { IPTOS_LOWCOST, "Minimize cost" },
1932 { IPTOS_RELIABILITY, "Maximize reliability" },
1933 { IPTOS_THROUGHPUT, "Maximize throughput" },
1934 { IPTOS_LOWDELAY, "Minimize delay" },
1935 { IPTOS_SECURITY, "Maximize security" },
1939 static const true_false_string tos_set_low = {
1944 static const true_false_string tos_set_high = {
1949 static const true_false_string flags_sf_set_evil = {
1955 ip_try_dissect(gboolean heur_first, tvbuff_t *tvb, packet_info *pinfo,
1956 proto_tree *tree, ws_ip *iph)
1958 heur_dtbl_entry_t *hdtbl_entry;
1960 if ((heur_first) && (dissector_try_heuristic(heur_subdissector_list, tvb,
1961 pinfo, tree, &hdtbl_entry, iph))) {
1965 if (dissector_try_uint_new(ip_dissector_table, iph->ip_p, tvb, pinfo,
1970 if ((!heur_first) && (!dissector_try_heuristic(heur_subdissector_list, tvb,
1971 pinfo, tree, &hdtbl_entry,
1980 dissect_ip(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree)
1982 proto_tree *ip_tree, *field_tree = NULL;
1983 proto_item *ti, *tf;
1985 int offset = 0, dst_off;
1989 guint16 expected_cksum;
1990 fragment_head *ipfd_head = NULL;
1992 gboolean update_col_info = TRUE;
1993 gboolean save_fragmented;
1995 guint32 src32, dst32;
1997 proto_item *item = NULL, *ttl_item;
1998 proto_tree *checksum_tree;
2002 iph = (ws_ip *)wmem_alloc(wmem_packet_scope(), sizeof(ws_ip));
2004 col_set_str(pinfo->cinfo, COL_PROTOCOL, "IPv4");
2005 col_clear(pinfo->cinfo, COL_INFO);
2007 iph->ip_v_hl = tvb_get_guint8(tvb, offset);
2008 if ( hi_nibble(iph->ip_v_hl) == 6) {
2009 call_dissector(ipv6_handle, tvb, pinfo, parent_tree);
2013 hlen = lo_nibble(iph->ip_v_hl) * 4; /* IP header length, in bytes */
2015 ti = proto_tree_add_item(tree, proto_ip, tvb, offset, hlen, ENC_NA);
2016 ip_tree = proto_item_add_subtree(ti, ett_ip);
2018 proto_tree_add_item(ip_tree, hf_ip_version, tvb, offset, 1, ENC_NA);
2020 /* if IP is not referenced from any filters we don't need to worry about
2021 generating any tree items. We must do this after we created the actual
2022 protocol above so that proto hier stat still works though.
2023 XXX: Note that because of the following optimization expert items must
2024 not be generated inside of an 'if (tree) ...'
2025 so that Analyze ! Expert ... will work.
2027 if (!proto_field_is_referenced(parent_tree, proto_ip)) {
2031 if (hlen < IPH_MIN_LEN) {
2032 col_add_fstr(pinfo->cinfo, COL_INFO,
2033 "Bogus IP header length (%u, must be at least %u)",
2036 proto_tree_add_uint_format_value(ip_tree, hf_ip_hdr_len, tvb, offset, 1, hlen,
2037 "%u bytes (bogus, must be at least %u)", hlen, IPH_MIN_LEN);
2041 proto_tree_add_uint_format_value(ip_tree, hf_ip_hdr_len, tvb, offset, 1, hlen/4,
2044 iph->ip_tos = tvb_get_guint8(tvb, offset + 1);
2045 if (g_ip_dscp_actif) {
2046 col_add_fstr(pinfo->cinfo, COL_DSCP_VALUE, "%u",
2047 IPDSFIELD_DSCP(iph->ip_tos));
2051 if (g_ip_dscp_actif) {
2052 tf = proto_tree_add_uint_format_value(ip_tree, hf_ip_dsfield, tvb, offset + 1,
2053 1, iph->ip_tos, "0x%02x (DSCP 0x%02x: %s; ECN: 0x%02x: %s)", iph->ip_tos,
2054 IPDSFIELD_DSCP(iph->ip_tos), val_to_str_ext_const(IPDSFIELD_DSCP(iph->ip_tos),
2055 &dscp_vals_ext, "Unknown DSCP"),
2056 IPDSFIELD_ECN(iph->ip_tos), val_to_str_const(IPDSFIELD_ECN(iph->ip_tos),
2057 ecn_vals, "Unknown ECN"));
2059 field_tree = proto_item_add_subtree(tf, ett_ip_dsfield);
2060 proto_tree_add_item(field_tree, hf_ip_dsfield_dscp, tvb, offset + 1, 1, ENC_NA);
2061 proto_tree_add_item(field_tree, hf_ip_dsfield_ecn, tvb, offset + 1, 1, ENC_NA);
2063 tf = proto_tree_add_uint_format_value(ip_tree, hf_ip_tos, tvb, offset + 1, 1,
2067 val_to_str_const(IPTOS_TOS(iph->ip_tos),
2068 iptos_vals, "Unknown"));
2070 field_tree = proto_item_add_subtree(tf, ett_ip_tos);
2071 proto_tree_add_item(field_tree, hf_ip_tos_precedence, tvb, offset + 1, 1, ENC_NA);
2072 proto_tree_add_item(field_tree, hf_ip_tos_delay, tvb, offset + 1, 1, ENC_NA);
2073 proto_tree_add_item(field_tree, hf_ip_tos_throughput, tvb, offset + 1, 1, ENC_NA);
2074 proto_tree_add_item(field_tree, hf_ip_tos_reliability, tvb, offset + 1, 1, ENC_NA);
2075 proto_tree_add_item(field_tree, hf_ip_tos_cost, tvb, offset + 1, 1, ENC_NA);
2079 /* Length of IP datagram.
2080 XXX - what if this is greater than the reported length of the
2081 tvbuff? This could happen, for example, in an IP datagram
2082 inside an ICMP datagram; we need to somehow let the
2083 dissector we call know that, as it might want to avoid
2084 doing its checksumming. */
2085 iph->ip_len = tvb_get_ntohs(tvb, offset + 2);
2087 if (iph->ip_len < hlen) {
2088 if (ip_tso_supported && !iph->ip_len) {
2089 /* TSO support enabled, and zero length. Assume the zero length is
2090 * the result of TSO, and use the reported length instead. Note that
2091 * we need to use the frame/reported length instead of the actually-
2092 * available length, just in case a snaplen was used on capture. */
2093 iph->ip_len = tvb_reported_length(tvb);
2095 tf = proto_tree_add_uint_format_value(ip_tree, hf_ip_len, tvb, offset + 2, 2,
2097 "%u bytes (reported as 0, presumed to be because of \"TCP segmentation offload\" (TSO))",
2099 PROTO_ITEM_SET_GENERATED(tf);
2102 /* TSO support not enabled, or non-zero length, so treat it as an error. */
2103 col_add_fstr(pinfo->cinfo, COL_INFO,
2104 "Bogus IP length (%u, less than header length %u)",
2106 tf = proto_tree_add_uint_format_value(ip_tree, hf_ip_len, tvb, offset + 2, 2,
2108 "%u bytes (bogus, less than header length %u)",
2110 expert_add_info(pinfo, tf, &ei_ip_bogus_ip_length);
2111 /* Can't dissect any further */
2116 * Now that we know that the total length of this IP datagram isn't
2117 * obviously bogus, adjust the length of this tvbuff to include only
2120 set_actual_length(tvb, iph->ip_len);
2123 proto_tree_add_uint(ip_tree, hf_ip_len, tvb, offset + 2, 2, iph->ip_len);
2126 iph->ip_id = tvb_get_ntohs(tvb, offset + 4);
2128 proto_tree_add_uint(ip_tree, hf_ip_id, tvb, offset + 4, 2, iph->ip_id);
2130 iph->ip_off = tvb_get_ntohs(tvb, offset + 6);
2132 int bit_offset = (offset + 6) * 8;
2134 flags = (iph->ip_off & (IP_RF | IP_DF | IP_MF)) >> IP_OFFSET_WIDTH;
2135 tf = proto_tree_add_uint(ip_tree, hf_ip_flags, tvb, offset + 6, 1, flags);
2136 field_tree = proto_item_add_subtree(tf, ett_ip_off);
2137 if (ip_security_flag) {
2140 sf = proto_tree_add_bits_item(field_tree, hf_ip_flags_sf, tvb,
2141 bit_offset + 0, 1, ENC_BIG_ENDIAN);
2142 if (iph->ip_off & IP_RF) {
2143 proto_item_append_text(tf, " (Evil packet!)");
2144 expert_add_info(pinfo, sf, &ei_ip_evil_packet);
2147 proto_tree_add_bits_item(field_tree, hf_ip_flags_rf, tvb, bit_offset + 0,
2148 1, ENC_LITTLE_ENDIAN);
2150 if (iph->ip_off & IP_DF)
2151 proto_item_append_text(tf, " (Don't Fragment)");
2152 proto_tree_add_bits_item(field_tree, hf_ip_flags_df, tvb, bit_offset + 1,
2154 if (iph->ip_off & IP_MF)
2155 proto_item_append_text(tf, " (More Fragments)");
2156 proto_tree_add_bits_item(field_tree, hf_ip_flags_mf, tvb, bit_offset + 2,
2158 proto_tree_add_uint(ip_tree, hf_ip_frag_offset, tvb, offset + 6, 2,
2159 (iph->ip_off & IP_OFFSET)*8);
2162 iph->ip_ttl = tvb_get_guint8(tvb, offset + 8);
2164 ttl_item = proto_tree_add_item(ip_tree, hf_ip_ttl, tvb, offset + 8, 1, ENC_BIG_ENDIAN);
2169 iph->ip_p = tvb_get_guint8(tvb, offset + 9);
2171 proto_tree_add_item(ip_tree, hf_ip_proto, tvb, offset + 9, 1, ENC_BIG_ENDIAN);
2174 iph->ip_sum = tvb_get_ntohs(tvb, offset + 10);
2177 * If checksum checking is enabled, and we have the entire IP header
2178 * available, and this isn't inside an ICMP error packet, check the
2181 if (ip_check_checksum && tvb_bytes_exist(tvb, offset, hlen)&&(!pinfo->flags.in_error_pkt)) {
2182 ipsum = ip_checksum_tvb(tvb, offset, hlen);
2185 item = proto_tree_add_uint_format_value(ip_tree, hf_ip_checksum, tvb,
2186 offset + 10, 2, iph->ip_sum,
2189 checksum_tree = proto_item_add_subtree(item, ett_ip_checksum);
2190 item = proto_tree_add_uint(checksum_tree, hf_ip_checksum_calculated, tvb,
2191 offset + 10, 2, iph->ip_sum);
2192 PROTO_ITEM_SET_GENERATED(item);
2193 item = proto_tree_add_boolean(checksum_tree, hf_ip_checksum_good, tvb,
2194 offset + 10, 2, TRUE);
2195 PROTO_ITEM_SET_GENERATED(item);
2196 item = proto_tree_add_boolean(checksum_tree, hf_ip_checksum_bad, tvb,
2197 offset + 10, 2, FALSE);
2198 PROTO_ITEM_SET_GENERATED(item);
2200 expected_cksum = in_cksum_shouldbe(iph->ip_sum, ipsum);
2202 item = proto_tree_add_uint_format_value(ip_tree, hf_ip_checksum, tvb,
2203 offset + 10, 2, iph->ip_sum,
2205 "[incorrect, should be 0x%04x "
2206 "(may be caused by \"IP checksum "
2207 "offload\"?)]", iph->ip_sum,
2209 checksum_tree = proto_item_add_subtree(item, ett_ip_checksum);
2210 item = proto_tree_add_uint(checksum_tree, hf_ip_checksum_calculated, tvb,
2211 offset + 10, 2, expected_cksum);
2212 PROTO_ITEM_SET_GENERATED(item);
2213 item = proto_tree_add_boolean(checksum_tree, hf_ip_checksum_good, tvb,
2214 offset + 10, 2, FALSE);
2215 PROTO_ITEM_SET_GENERATED(item);
2216 item = proto_tree_add_boolean(checksum_tree, hf_ip_checksum_bad, tvb,
2217 offset + 10, 2, TRUE);
2218 PROTO_ITEM_SET_GENERATED(item);
2222 /* Add expert item always (so tap gets called if present);
2223 if (tree == NULL) then item will be NULL
2224 else item should be from the
2225 add_boolean(..., hf_ip_checksum_bad, ...) above */
2226 expert_add_info(pinfo, item, &ei_ip_checksum_bad);
2231 item = proto_tree_add_uint_format_value(ip_tree, hf_ip_checksum, tvb,
2232 offset + 10, 2, iph->ip_sum,
2236 (pinfo->flags.in_error_pkt ?
2237 "in ICMP error packet" :
2238 "not all data available") :
2239 "validation disabled");
2240 checksum_tree = proto_item_add_subtree(item, ett_ip_checksum);
2241 item = proto_tree_add_boolean(checksum_tree, hf_ip_checksum_good, tvb,
2242 offset + 10, 2, FALSE);
2243 PROTO_ITEM_SET_GENERATED(item);
2244 item = proto_tree_add_boolean(checksum_tree, hf_ip_checksum_bad, tvb,
2245 offset + 10, 2, FALSE);
2246 PROTO_ITEM_SET_GENERATED(item);
2249 src32 = tvb_get_ntohl(tvb, offset + IPH_SRC);
2250 TVB_SET_ADDRESS(&pinfo->net_src, AT_IPv4, tvb, offset + IPH_SRC, 4);
2251 COPY_ADDRESS_SHALLOW(&pinfo->src, &pinfo->net_src);
2252 COPY_ADDRESS_SHALLOW(&iph->ip_src, &pinfo->src);
2254 const char *src_host;
2256 memcpy(&addr, iph->ip_src.data, 4);
2257 src_host = get_hostname(addr);
2258 if (ip_summary_in_tree) {
2259 proto_item_append_text(ti, ", Src: %s", address_with_resolution_to_str(wmem_packet_scope(), &iph->ip_src));
2261 proto_tree_add_ipv4(ip_tree, hf_ip_src, tvb, offset + 12, 4, addr);
2262 item = proto_tree_add_ipv4(ip_tree, hf_ip_addr, tvb, offset + 12, 4, addr);
2263 PROTO_ITEM_SET_HIDDEN(item);
2264 item = proto_tree_add_string(ip_tree, hf_ip_src_host, tvb, offset + 12, 4,
2266 PROTO_ITEM_SET_GENERATED(item);
2267 PROTO_ITEM_SET_HIDDEN(item);
2268 item = proto_tree_add_string(ip_tree, hf_ip_host, tvb, offset + 12, 4,
2270 PROTO_ITEM_SET_GENERATED(item);
2271 PROTO_ITEM_SET_HIDDEN(item);
2274 /* If there's an IP strict or loose source routing option, then the final
2275 * L3 IP destination address will be the last entry in the routing header
2276 * EXCEPT when the table is exhausted (pointer is greater than the length).
2277 * In this case, the final L3 IP destination address is the one in the L3
2278 * header. (REF: http://tools.ietf.org/html/rfc791#section-3.1)
2280 if (hlen > IPH_MIN_LEN) {
2281 /* There's more than just the fixed-length header. See if we've got
2282 * either a strict or loose source route option and if so, return the
2283 * offset into the tvb to where the real destination IP address is located.
2285 dst_off = get_dst_offset(tvb, offset + 20, hlen - IPH_MIN_LEN, ipopts,
2286 N_IP_OPTS, IPOPT_EOOL);
2291 dst32 = tvb_get_ntohl(tvb, offset + IPH_DST + dst_off);
2292 TVB_SET_ADDRESS(&pinfo->net_dst, AT_IPv4, tvb, offset + IPH_DST + dst_off, 4);
2293 COPY_ADDRESS_SHALLOW(&pinfo->dst, &pinfo->net_dst);
2294 COPY_ADDRESS_SHALLOW(&iph->ip_dst, &pinfo->net_dst);
2296 /* If an IP is destined for an IP address in the Local Network Control Block
2297 * (e.g. 224.0.0.0/24), the packet should never be routed and the TTL would
2298 * be expected to be 1. (see RFC 3171) Flag a TTL greater than 1.
2300 * Flag a low TTL if the packet is not destined for a multicast address
2301 * (e.g. 224.0.0.0/4) ... and the payload isn't protocol 103 (PIM).
2302 * (see http://tools.ietf.org/html/rfc3973#section-4.7).
2304 if (is_a_local_network_control_block_addr(dst32)) {
2305 ttl = local_network_control_block_addr_valid_ttl(dst32);
2306 if (ttl != iph->ip_ttl && ttl != IPLOCAL_NETWRK_CTRL_BLK_ANY_TTL) {
2307 expert_add_info_format(pinfo, ttl_item, &ei_ip_ttl_lncb, "\"Time To Live\" != %d for a packet sent to the "
2308 "Local Network Control Block (see RFC 3171)",
2311 } else if (!is_a_multicast_addr(dst32) && iph->ip_ttl < 5 &&
2312 (iph->ip_p != IP_PROTO_PIM)) {
2313 expert_add_info_format(pinfo, ttl_item, &ei_ip_ttl_too_small, "\"Time To Live\" only %u", iph->ip_ttl);
2317 const char *dst_host;
2319 memcpy(&addr, iph->ip_dst.data, 4);
2320 dst_host = get_hostname(addr);
2321 if (ip_summary_in_tree) {
2322 proto_item_append_text(ti, ", Dst: %s", address_with_resolution_to_str(wmem_packet_scope(), &iph->ip_dst));
2328 cur_rt = tvb_get_ipv4(tvb, offset + 16);
2329 if (ip_summary_in_tree) {
2330 proto_item_append_text(ti, ", Via: %s",
2331 tvb_address_with_resolution_to_str(wmem_packet_scope(), tvb, AT_IPv4, offset + 16));
2333 proto_tree_add_ipv4(ip_tree, hf_ip_cur_rt, tvb, offset + 16, 4, cur_rt);
2334 item = proto_tree_add_string(ip_tree, hf_ip_cur_rt_host, tvb,
2335 offset + 16, 4, get_hostname(cur_rt));
2336 PROTO_ITEM_SET_GENERATED(item);
2337 PROTO_ITEM_SET_HIDDEN(item);
2340 proto_tree_add_ipv4(ip_tree, hf_ip_dst, tvb, offset + 16, 4, addr);
2341 item = proto_tree_add_ipv4(ip_tree, hf_ip_addr, tvb, offset + 16, 4,
2343 PROTO_ITEM_SET_HIDDEN(item);
2344 item = proto_tree_add_string(ip_tree, hf_ip_dst_host, tvb, offset + 16,
2346 PROTO_ITEM_SET_GENERATED(item);
2347 PROTO_ITEM_SET_HIDDEN(item);
2348 item = proto_tree_add_string(ip_tree, hf_ip_host, tvb,
2349 offset + 16 + dst_off, 4, dst_host);
2350 PROTO_ITEM_SET_GENERATED(item);
2351 PROTO_ITEM_SET_HIDDEN(item);
2356 if (tree && ip_use_geoip) {
2357 add_geoip_info(ip_tree, tvb, offset, src32, dst32);
2361 /* Decode IP options, if any. */
2362 if (hlen > IPH_MIN_LEN) {
2363 /* There's more than just the fixed-length header. Decode the options. */
2364 optlen = hlen - IPH_MIN_LEN; /* length of options, in bytes */
2365 field_tree = proto_tree_add_subtree_format(ip_tree, tvb, offset + 20, optlen,
2366 ett_ip_options, &tf, "Options: (%u bytes)", optlen);
2367 dissect_ip_tcp_options(tvb, offset + 20, optlen, ipopts, N_IP_OPTS,
2368 IPOPT_EOOL, &IP_OPT_TYPES, &ei_ip_opt_len_invalid, pinfo, field_tree, tf, iph);
2371 p_add_proto_data(pinfo->pool, pinfo, proto_ip, 0, GUINT_TO_POINTER((guint)iph->ip_p));
2372 tap_queue_packet(ip_tap, pinfo, iph);
2374 /* Skip over header + options */
2377 /* If ip_defragment is on, this is a fragment, we have all the data
2378 * in the fragment, and the header checksum is valid, then just add
2379 * the fragment to the hashtable.
2381 save_fragmented = pinfo->fragmented;
2382 if (ip_defragment && (iph->ip_off & (IP_MF|IP_OFFSET)) &&
2383 tvb_bytes_exist(tvb, offset, iph->ip_len - hlen) &&
2385 ipfd_head = fragment_add_check(&ip_reassembly_table, tvb, offset,
2387 iph->ip_p ^ iph->ip_id ^ src32 ^ dst32,
2389 (iph->ip_off & IP_OFFSET) * 8,
2391 iph->ip_off & IP_MF);
2393 next_tvb = process_reassembled_data(tvb, offset, pinfo, "Reassembled IPv4",
2394 ipfd_head, &ip_frag_items,
2395 &update_col_info, ip_tree);
2397 /* If this is the first fragment, dissect its contents, otherwise
2398 just show it as a fragment.
2400 XXX - if we eventually don't save the reassembled contents of all
2401 fragmented datagrams, we may want to always reassemble. */
2402 if (iph->ip_off & IP_OFFSET) {
2403 /* Not the first fragment - don't dissect it. */
2406 /* First fragment, or not fragmented. Dissect what we have here. */
2408 /* Get a tvbuff for the payload. */
2409 next_tvb = tvb_new_subset_remaining(tvb, offset);
2412 * If this is the first fragment, but not the only fragment,
2413 * tell the next protocol that.
2415 if (iph->ip_off & IP_MF)
2416 pinfo->fragmented = TRUE;
2418 pinfo->fragmented = FALSE;
2422 if (next_tvb == NULL) {
2423 /* Just show this as a fragment. */
2424 col_add_fstr(pinfo->cinfo, COL_INFO,
2425 "Fragmented IP protocol (proto=%s %u, off=%u, ID=%04x)",
2426 ipprotostr(iph->ip_p), iph->ip_p,
2427 (iph->ip_off & IP_OFFSET) * 8, iph->ip_id);
2428 if ( ipfd_head && ipfd_head->reassembled_in != pinfo->fd->num ) {
2429 col_append_fstr(pinfo->cinfo, COL_INFO, " [Reassembled in #%u]",
2430 ipfd_head->reassembled_in);
2433 call_dissector(data_handle, tvb_new_subset_remaining(tvb, offset), pinfo,
2435 pinfo->fragmented = save_fragmented;
2439 /* Hand off to the next protocol.
2441 XXX - setting the columns only after trying various dissectors means
2442 that if one of those dissectors throws an exception, the frame won't
2443 even be labeled as an IP frame; ideally, if a frame being dissected
2444 throws an exception, it'll be labeled as a mangled frame of the
2445 type in question. */
2446 if (!ip_try_dissect(try_heuristic_first, next_tvb, pinfo, parent_tree, iph)) {
2447 /* Unknown protocol */
2448 if (update_col_info) {
2449 col_add_fstr(pinfo->cinfo, COL_INFO, "%s (%u)",
2450 ipprotostr(iph->ip_p), iph->ip_p);
2452 call_dissector(data_handle,next_tvb, pinfo, parent_tree);
2454 pinfo->fragmented = save_fragmented;
2458 dissect_ip_heur(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_)
2460 int length, tot_length;
2461 guint8 oct, version, ihl;
2465 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
2466 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2467 |Version| IHL |Type of Service| Total Length |
2468 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2471 length = tvb_captured_length(tvb);
2473 /* Need at least 4 bytes to make some sort of decision */
2476 oct = tvb_get_guint8(tvb,0);
2480 /* TODO: Add IPv6 checks here */
2482 3. IPv6 Header Format
2485 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
2486 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2487 |Version| Traffic Class | Flow Label |
2488 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2489 | Payload Length | Next Header | Hop Limit |
2490 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2498 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2502 + Destination Address +
2506 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2508 Version 4-bit Internet Protocol version number = 6.
2510 Traffic Class 8-bit traffic class field. See section 7.
2512 Flow Label 20-bit flow label. See section 6.
2514 Payload Length 16-bit unsigned integer. Length of the IPv6
2515 payload, i.e., the rest of the packet following
2516 this IPv6 header, in octets. (Note that any
2517 extension headers [section 4] present are
2518 considered part of the payload, i.e., included
2519 in the length count.)
2524 /* Need at least 8 bytes to make a decision */
2527 tot_length = tvb_get_ntohs(tvb,4);
2528 if((tot_length + 40) != (int)tvb_reported_length(tvb)){
2531 call_dissector(ipv6_handle, tvb, pinfo, tree);
2534 /* version == IPv4 , the minimum value for a correct header is 5 */
2535 if((version != 4)|| (ihl < 5)){
2538 /* Total Length is the length of the datagram, measured in octets,
2539 * including internet header and data.
2541 tot_length = tvb_get_ntohs(tvb,2);
2543 if(tot_length != (int)tvb_reported_length(tvb)){
2547 dissect_ip(tvb, pinfo, tree);
2552 proto_register_ip(void)
2554 #define ARG_TO_STR(ARG) #ARG
2555 #define FLAGS_OFFSET_WIDTH_MSG(WIDTH) \
2556 "Flags (" ARG_TO_STR(WIDTH) " bits)"
2557 #define FRAG_OFFSET_WIDTH_MSG(WIDTH) \
2558 "Fragment offset (" ARG_TO_STR(WIDTH) " bits)"
2560 static hf_register_info hf[] = {
2562 { "Version", "ip.version", FT_UINT8, BASE_DEC,
2563 NULL, 0xF0, NULL, HFILL }},
2566 { "Header Length", "ip.hdr_len", FT_UINT8, BASE_DEC,
2567 NULL, 0x0F, NULL, HFILL }},
2570 { "Differentiated Services Field", "ip.dsfield", FT_UINT8, BASE_DEC,
2571 NULL, 0x0, NULL, HFILL }},
2573 { &hf_ip_dsfield_dscp,
2574 { "Differentiated Services Codepoint", "ip.dsfield.dscp", FT_UINT8, BASE_HEX | BASE_EXT_STRING,
2575 &dscp_vals_ext, IPDSFIELD_DSCP_MASK, NULL, HFILL }},
2577 { &hf_ip_dsfield_ecn,
2578 { "Explicit Congestion Notification", "ip.dsfield.ecn", FT_UINT8, BASE_HEX,
2579 VALS(ecn_vals), IPDSFIELD_ECN_MASK, NULL, HFILL }},
2582 { "Type of Service", "ip.tos", FT_UINT8, BASE_DEC,
2583 NULL, 0x0, NULL, HFILL }},
2585 { &hf_ip_tos_precedence,
2586 { "Precedence", "ip.tos.precedence", FT_UINT8, BASE_DEC,
2587 VALS(precedence_vals), IPTOS_PREC_MASK, NULL, HFILL }},
2590 { "Delay", "ip.tos.delay", FT_BOOLEAN, 8,
2591 TFS(&tos_set_low), IPTOS_LOWDELAY, NULL, HFILL }},
2593 { &hf_ip_tos_throughput,
2594 { "Throughput", "ip.tos.throughput", FT_BOOLEAN, 8,
2595 TFS(&tos_set_high), IPTOS_THROUGHPUT, NULL, HFILL }},
2597 { &hf_ip_tos_reliability,
2598 { "Reliability", "ip.tos.reliability", FT_BOOLEAN, 8,
2599 TFS(&tos_set_high), IPTOS_RELIABILITY, NULL, HFILL }},
2602 { "Cost", "ip.tos.cost", FT_BOOLEAN, 8,
2603 TFS(&tos_set_low), IPTOS_LOWCOST, NULL, HFILL }},
2606 { "Total Length", "ip.len", FT_UINT16, BASE_DEC,
2607 NULL, 0x0, NULL, HFILL }},
2610 { "Identification", "ip.id", FT_UINT16, BASE_HEX_DEC,
2611 NULL, 0x0, NULL, HFILL }},
2614 { "Destination", "ip.dst", FT_IPv4, BASE_NONE,
2615 NULL, 0x0, NULL, HFILL }},
2618 { "Destination Host", "ip.dst_host", FT_STRING, BASE_NONE,
2619 NULL, 0x0, NULL, HFILL }},
2622 { "Source", "ip.src", FT_IPv4, BASE_NONE,
2623 NULL, 0x0, NULL, HFILL }},
2626 { "Source Host", "ip.src_host", FT_STRING, BASE_NONE,
2627 NULL, 0x0, NULL, HFILL }},
2630 { "Source or Destination Address", "ip.addr", FT_IPv4, BASE_NONE,
2631 NULL, 0x0, NULL, HFILL }},
2634 { "Source or Destination Host", "ip.host", FT_STRING, BASE_NONE,
2635 NULL, 0x0, NULL, HFILL }},
2638 { &hf_geoip_country,
2639 { "Source or Destination GeoIP Country", "ip.geoip.country",
2640 FT_STRING, STR_UNICODE, NULL, 0x0, NULL, HFILL }},
2642 { "Source or Destination GeoIP City", "ip.geoip.city",
2643 FT_STRING, STR_UNICODE, NULL, 0x0, NULL, HFILL }},
2645 { "Source or Destination GeoIP Organization", "ip.geoip.org",
2646 FT_STRING, STR_UNICODE, NULL, 0x0, NULL, HFILL }},
2648 { "Source or Destination GeoIP ISP", "ip.geoip.isp",
2649 FT_STRING, STR_UNICODE, NULL, 0x0, NULL, HFILL }},
2651 { "Source or Destination GeoIP AS Number", "ip.geoip.asnum",
2652 FT_STRING, STR_UNICODE, NULL, 0x0, NULL, HFILL }},
2654 { "Source or Destination GeoIP Latitude", "ip.geoip.lat",
2655 FT_DOUBLE, BASE_NONE, NULL, 0x0, NULL, HFILL }},
2657 { "Source or Destination GeoIP Longitude", "ip.geoip.lon",
2658 FT_DOUBLE, BASE_NONE, NULL, 0x0, NULL, HFILL }},
2659 { &hf_geoip_src_country,
2660 { "Source GeoIP Country", "ip.geoip.src_country",
2661 FT_STRING, STR_UNICODE, NULL, 0x0, NULL, HFILL }},
2662 { &hf_geoip_src_city,
2663 { "Source GeoIP City", "ip.geoip.src_city",
2664 FT_STRING, STR_UNICODE, NULL, 0x0, NULL, HFILL }},
2665 { &hf_geoip_src_org,
2666 { "Source GeoIP Organization", "ip.geoip.src_org",
2667 FT_STRING, STR_UNICODE, NULL, 0x0, NULL, HFILL }},
2668 { &hf_geoip_src_isp,
2669 { "Source GeoIP ISP", "ip.geoip.src_isp",
2670 FT_STRING, STR_UNICODE, NULL, 0x0, NULL, HFILL }},
2671 { &hf_geoip_src_asnum,
2672 { "Source GeoIP AS Number", "ip.geoip.src_asnum",
2673 FT_STRING, STR_UNICODE, NULL, 0x0, NULL, HFILL }},
2674 { &hf_geoip_src_lat,
2675 { "Source GeoIP Latitude", "ip.geoip.src_lat",
2676 FT_DOUBLE, BASE_NONE, NULL, 0x0, NULL, HFILL }},
2677 { &hf_geoip_src_lon,
2678 { "Source GeoIP Longitude", "ip.geoip.src_lon",
2679 FT_DOUBLE, BASE_NONE, NULL, 0x0, NULL, HFILL }},
2680 { &hf_geoip_dst_country,
2681 { "Destination GeoIP Country", "ip.geoip.dst_country",
2682 FT_STRING, STR_UNICODE, NULL, 0x0, NULL, HFILL }},
2683 { &hf_geoip_dst_city,
2684 { "Destination GeoIP City", "ip.geoip.dst_city",
2685 FT_STRING, STR_UNICODE, NULL, 0x0, NULL, HFILL }},
2686 { &hf_geoip_dst_org,
2687 { "Destination GeoIP Organization", "ip.geoip.dst_org",
2688 FT_STRING, STR_UNICODE, NULL, 0x0, NULL, HFILL }},
2689 { &hf_geoip_dst_isp,
2690 { "Destination GeoIP ISP", "ip.geoip.dst_isp",
2691 FT_STRING, STR_UNICODE, NULL, 0x0, NULL, HFILL }},
2692 { &hf_geoip_dst_asnum,
2693 { "Destination GeoIP AS Number", "ip.geoip.dst_asnum",
2694 FT_STRING, STR_UNICODE, NULL, 0x0, NULL, HFILL }},
2695 { &hf_geoip_dst_lat,
2696 { "Destination GeoIP Latitude", "ip.geoip.dst_lat",
2697 FT_DOUBLE, BASE_NONE, NULL, 0x0, NULL, HFILL }},
2698 { &hf_geoip_dst_lon,
2699 { "Destination GeoIP Longitude", "ip.geoip.dst_lon",
2700 FT_DOUBLE, BASE_NONE, NULL, 0x0, NULL, HFILL }},
2701 #endif /* HAVE_GEOIP */
2704 { "Flags", "ip.flags", FT_UINT8, BASE_HEX,
2705 NULL, 0x0, FLAGS_OFFSET_WIDTH_MSG(IP_FLAGS_WIDTH), HFILL }},
2708 { "Security flag", "ip.flags.sf", FT_BOOLEAN, BASE_NONE,
2709 TFS(&flags_sf_set_evil), 0x0, "Security flag (RFC 3514)", HFILL }},
2712 { "Reserved bit", "ip.flags.rb", FT_BOOLEAN, BASE_NONE,
2713 TFS(&tfs_set_notset), 0x0, NULL, HFILL }},
2716 { "Don't fragment", "ip.flags.df", FT_BOOLEAN, BASE_NONE,
2717 TFS(&tfs_set_notset), 0x0, NULL, HFILL }},
2720 { "More fragments", "ip.flags.mf", FT_BOOLEAN, BASE_NONE,
2721 TFS(&tfs_set_notset), 0x0, NULL, HFILL }},
2723 { &hf_ip_frag_offset,
2724 { "Fragment offset", "ip.frag_offset", FT_UINT16, BASE_DEC,
2725 NULL, 0x0, FRAG_OFFSET_WIDTH_MSG(IP_OFFSET_WIDTH), HFILL }},
2728 { "Time to live", "ip.ttl", FT_UINT8, BASE_DEC,
2729 NULL, 0x0, NULL, HFILL }},
2732 { "Protocol", "ip.proto", FT_UINT8, BASE_DEC | BASE_EXT_STRING,
2733 &ipproto_val_ext, 0x0, NULL, HFILL }},
2736 { "Header checksum", "ip.checksum", FT_UINT16, BASE_HEX,
2737 NULL, 0x0, NULL, HFILL }},
2739 { &hf_ip_checksum_calculated,
2740 { "Calculated Checksum", "ip.checksum_calculated", FT_UINT16, BASE_HEX, NULL, 0x0,
2741 "The expected IP checksum field as calculated from the IP datagram", HFILL }},
2743 { &hf_ip_checksum_good,
2744 { "Good", "ip.checksum_good", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
2745 "True: checksum matches packet content; False: doesn't match content or not checked", HFILL }},
2747 { &hf_ip_checksum_bad,
2748 { "Bad", "ip.checksum_bad", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
2749 "True: checksum doesn't match packet content; False: matches content or not checked", HFILL }},
2751 /* IP options related fields */
2753 { "Type", "ip.opt.type", FT_UINT8, BASE_DEC,
2754 NULL, 0x0, NULL, HFILL }},
2756 { &hf_ip_opt_type_copy,
2757 { "Copy on fragmentation", "ip.opt.type.copy", FT_BOOLEAN, 8,
2758 TFS(&tfs_yes_no), IPOPT_COPY_MASK, NULL, HFILL }},
2760 { &hf_ip_opt_type_class,
2761 { "Class", "ip.opt.type.class", FT_UINT8, BASE_DEC,
2762 VALS(ipopt_type_class_vals), IPOPT_CLASS_MASK, NULL, HFILL }},
2764 { &hf_ip_opt_type_number,
2765 { "Number", "ip.opt.type.number", FT_UINT8, BASE_DEC,
2766 VALS(ipopt_type_number_vals), IPOPT_NUMBER_MASK, NULL, HFILL }},
2769 { "Length", "ip.opt.len", FT_UINT8, BASE_DEC,
2770 NULL, 0x0, NULL, HFILL }},
2773 { "Pointer", "ip.opt.ptr", FT_UINT8, BASE_DEC,
2774 NULL, 0x0, NULL, HFILL }},
2777 { "Stream Identifier", "ip.opt.sid", FT_UINT16, BASE_DEC,
2778 NULL, 0x0, "SATNET stream identifier", HFILL }},
2781 { "MTU", "ip.opt.mtu", FT_UINT16, BASE_DEC,
2782 NULL, 0x0, NULL, HFILL }},
2784 { &hf_ip_opt_id_number,
2785 { "ID Number", "ip.opt.id_number", FT_UINT16, BASE_DEC,
2786 NULL, 0x0, NULL, HFILL }},
2789 { "Outbound Hop Count", "ip.opt.ohc", FT_UINT16, BASE_DEC,
2790 NULL, 0x0, NULL, HFILL }},
2793 { "Return Hop Count", "ip.opt.rhc", FT_UINT16, BASE_DEC,
2794 NULL, 0x0, NULL, HFILL }},
2796 { &hf_ip_opt_originator,
2797 { "Originator IP Address", "ip.opt.originator", FT_IPv4, BASE_NONE,
2798 NULL, 0x0, NULL, HFILL }},
2801 { "Router Alert", "ip.opt.ra", FT_UINT16, BASE_DEC | BASE_RANGE_STRING,
2802 RVALS(ra_rvals), 0x0, NULL, HFILL }},
2805 { "IP Address", "ip.opt.addr", FT_IPv4, BASE_NONE,
2806 NULL, 0x0, NULL, HFILL }},
2808 { &hf_ip_opt_padding,
2809 { "Padding", "ip.opt.padding", FT_BYTES, BASE_NONE,
2810 NULL, 0x0, NULL, HFILL }},
2812 { &hf_ip_opt_qs_func,
2813 { "Function", "ip.opt.qs_func", FT_UINT8, BASE_DEC,
2814 VALS(qs_func_vals), QS_FUNC_MASK, NULL, HFILL }},
2816 { &hf_ip_opt_qs_rate,
2817 { "Rate", "ip.opt.qs_rate", FT_UINT8, BASE_DEC | BASE_EXT_STRING,
2818 &qs_rate_vals_ext, QS_RATE_MASK, NULL, HFILL }},
2820 { &hf_ip_opt_qs_ttl,
2821 { "QS TTL", "ip.opt.qs_ttl", FT_UINT8, BASE_DEC,
2822 NULL, 0x0, NULL, HFILL }},
2824 { &hf_ip_opt_qs_ttl_diff,
2825 { "TTL Diff", "ip.opt.qs_ttl_diff", FT_UINT8, BASE_DEC,
2826 NULL, 0x0, NULL, HFILL }},
2828 { &hf_ip_opt_qs_unused,
2829 { "Not Used", "ip.opt.qs_unused", FT_UINT8, BASE_DEC,
2830 NULL, 0x0, NULL, HFILL }},
2832 { &hf_ip_opt_qs_nonce,
2833 { "QS Nonce", "ip.opt.qs_nonce", FT_UINT32, BASE_HEX,
2834 NULL, 0xFFFFFFFC, NULL, HFILL }},
2836 { &hf_ip_opt_qs_reserved,
2837 { "Reserved", "ip.opt.qs_reserved", FT_UINT32, BASE_HEX,
2838 NULL, 0x00000003, NULL, HFILL }},
2840 { &hf_ip_opt_sec_rfc791_sec,
2841 { "Security", "ip.opt.sec_rfc791_sec", FT_UINT8, BASE_HEX,
2842 VALS(secl_rfc791_vals), 0x0, NULL, HFILL }},
2844 { &hf_ip_opt_sec_rfc791_comp,
2845 { "Compartments", "ip.opt.sec_rfc791_comp", FT_UINT16, BASE_DEC,
2846 NULL, 0x0, NULL, HFILL }},
2848 { &hf_ip_opt_sec_rfc791_hr,
2849 { "Handling Restrictions", "ip.opt.sec_rfc791_hr", FT_STRING, BASE_NONE,
2850 NULL, 0x0, NULL, HFILL }},
2852 { &hf_ip_opt_sec_rfc791_tcc,
2853 { "Transmission Control Code", "ip.opt.sec_rfc791_tcc", FT_STRING, BASE_NONE,
2854 NULL, 0x0, NULL, HFILL }},
2856 { &hf_ip_opt_sec_cl,
2857 { "Classification Level", "ip.opt.sec_cl", FT_UINT8, BASE_HEX,
2858 VALS(sec_cl_vals), 0x0, NULL, HFILL }},
2860 { &hf_ip_opt_sec_prot_auth_flags,
2861 { "Protection Authority Flags", "ip.opt.sec_prot_auth_flags", FT_UINT8, BASE_HEX,
2862 NULL, 0x0, NULL, HFILL }},
2864 { &hf_ip_opt_sec_prot_auth_genser,
2865 { "GENSER", "ip.opt.sec_prot_auth_genser", FT_BOOLEAN, 8,
2866 TFS(&ip_opt_sec_prot_auth_flag_tfs), 0x80, NULL, HFILL }},
2868 { &hf_ip_opt_sec_prot_auth_siop_esi,
2869 { "SIOP-ESI", "ip.opt.sec_prot_auth_siop_esi", FT_BOOLEAN, 8,
2870 TFS(&ip_opt_sec_prot_auth_flag_tfs), 0x40, NULL, HFILL }},
2872 { &hf_ip_opt_sec_prot_auth_sci,
2873 { "SCI", "ip.opt.sec_prot_auth_sci", FT_BOOLEAN, 8,
2874 TFS(&ip_opt_sec_prot_auth_flag_tfs), 0x20, NULL, HFILL }},
2876 { &hf_ip_opt_sec_prot_auth_nsa,
2877 { "NSA", "ip.opt.sec_prot_auth_nsa", FT_BOOLEAN, 8,
2878 TFS(&ip_opt_sec_prot_auth_flag_tfs), 0x10, NULL, HFILL }},
2880 { &hf_ip_opt_sec_prot_auth_doe,
2881 { "DOE", "ip.opt.sec_prot_auth_doe", FT_BOOLEAN, 8,
2882 TFS(&ip_opt_sec_prot_auth_flag_tfs), 0x08, NULL, HFILL }},
2884 { &hf_ip_opt_sec_prot_auth_unassigned,
2885 { "Unassigned", "ip.opt.sec_prot_auth_unassigned", FT_UINT8, BASE_HEX,
2886 NULL, 0x06, NULL, HFILL }},
2888 { &hf_ip_opt_sec_prot_auth_unassigned2,
2889 { "Unassigned", "ip.opt.sec_prot_auth_unassigned", FT_UINT8, BASE_HEX,
2890 NULL, 0xFE, NULL, HFILL }},
2892 { &hf_ip_opt_sec_prot_auth_fti,
2893 { "Field Termination Indicator", "ip.opt.sec_prot_auth_fti", FT_BOOLEAN, 8,
2894 TFS(&ip_opt_sec_prot_auth_fti_tfs), 0x01, NULL, HFILL }},
2896 { &hf_ip_opt_ext_sec_add_sec_info_format_code,
2897 { "Additional Security Info Format Code", "ip.opt.ext_sec_add_sec_info_format_code", FT_UINT8, BASE_HEX,
2898 NULL, 0x0, NULL, HFILL }},
2900 { &hf_ip_opt_ext_sec_add_sec_info,
2901 { "Additional Security Info", "ip.opt.ext_sec_add_sec_info", FT_BYTES, BASE_NONE,
2902 NULL, 0x0, NULL, HFILL }},
2905 { "Recorded Route", "ip.rec_rt", FT_IPv4, BASE_NONE, NULL, 0x0,
2908 { &hf_ip_rec_rt_host,
2909 { "Recorded Route Host", "ip.rec_rt_host", FT_STRING, BASE_NONE,
2910 NULL, 0x0, NULL, HFILL }},
2913 { "Current Route", "ip.cur_rt", FT_IPv4, BASE_NONE, NULL, 0x0,
2916 { &hf_ip_cur_rt_host,
2917 { "Current Route Host", "ip.cur_rt_host", FT_STRING, BASE_NONE,
2918 NULL, 0x0, NULL, HFILL }},
2921 { "Source Route", "ip.src_rt", FT_IPv4, BASE_NONE, NULL, 0x0,
2924 { &hf_ip_src_rt_host,
2925 { "Source Route Host", "ip.src_rt_host", FT_STRING, BASE_NONE,
2926 NULL, 0x0, NULL, HFILL }},
2929 { "Empty Route", "ip.empty_rt", FT_IPv4, BASE_NONE, NULL, 0x0,
2932 { &hf_ip_empty_rt_host,
2933 { "Empty Route Host", "ip.empty_rt_host", FT_STRING, BASE_NONE,
2934 NULL, 0x0, NULL, HFILL }},
2936 { &hf_ip_cipso_tag_type,
2937 { "Tag Type", "ip.cipso.tag_type", FT_UINT8, BASE_DEC,
2938 VALS(cipso_tag_type_vals), 0x0, NULL, HFILL }},
2941 { &hf_ip_fragment_overlap,
2942 { "Fragment overlap", "ip.fragment.overlap", FT_BOOLEAN, BASE_NONE,
2943 NULL, 0x0, "Fragment overlaps with other fragments", HFILL }},
2945 { &hf_ip_fragment_overlap_conflict,
2946 { "Conflicting data in fragment overlap", "ip.fragment.overlap.conflict",
2947 FT_BOOLEAN, BASE_NONE, NULL, 0x0,
2948 "Overlapping fragments contained conflicting data", HFILL }},
2950 { &hf_ip_fragment_multiple_tails,
2951 { "Multiple tail fragments found", "ip.fragment.multipletails",
2952 FT_BOOLEAN, BASE_NONE, NULL, 0x0,
2953 "Several tails were found when defragmenting the packet", HFILL }},
2955 { &hf_ip_fragment_too_long_fragment,
2956 { "Fragment too long", "ip.fragment.toolongfragment",
2957 FT_BOOLEAN, BASE_NONE, NULL, 0x0,
2958 "Fragment contained data past end of packet", HFILL }},
2960 { &hf_ip_fragment_error,
2961 { "Defragmentation error", "ip.fragment.error", FT_FRAMENUM, BASE_NONE,
2962 NULL, 0x0, "Defragmentation error due to illegal fragments", HFILL }},
2964 { &hf_ip_fragment_count,
2965 { "Fragment count", "ip.fragment.count", FT_UINT32, BASE_DEC,
2966 NULL, 0x0, NULL, HFILL }},
2969 { "IPv4 Fragment", "ip.fragment", FT_FRAMENUM, BASE_NONE,
2970 NULL, 0x0, NULL, HFILL }},
2973 { "IPv4 Fragments", "ip.fragments", FT_BYTES, BASE_NONE,
2974 NULL, 0x0, NULL, HFILL }},
2976 { &hf_ip_reassembled_in,
2977 { "Reassembled IPv4 in frame", "ip.reassembled_in", FT_FRAMENUM, BASE_NONE,
2978 NULL, 0x0, "This IPv4 packet is reassembled in this frame", HFILL }},
2980 { &hf_ip_reassembled_length,
2981 { "Reassembled IPv4 length", "ip.reassembled.length", FT_UINT32, BASE_DEC,
2982 NULL, 0x0, "The total length of the reassembled payload", HFILL }},
2984 { &hf_ip_reassembled_data,
2985 { "Reassembled IPv4 data", "ip.reassembled.data", FT_BYTES, BASE_NONE,
2986 NULL, 0x0, "The reassembled payload", HFILL }},
2988 /* Generated from convert_proto_tree_add_text.pl */
2989 { &hf_ip_cipso_doi, { "DOI", "ip.cipso.doi", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }},
2990 { &hf_ip_cipso_sensitivity_level, { "Sensitivity Level", "ip.cipso.sensitivity_level", FT_UINT8, BASE_DEC, NULL, 0x0, NULL, HFILL }},
2991 { &hf_ip_cipso_categories, { "Categories", "ip.cipso.categories", FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }},
2992 { &hf_ip_cipso_tag_data, { "Tag data", "ip.cipso.tag_data", FT_BYTES, BASE_NONE, NULL, 0x0, NULL, HFILL }},
2993 { &hf_ip_opt_overflow, { "Overflow", "ip.opt.overflow", FT_UINT8, BASE_DEC, NULL, 0xF0, NULL, HFILL }},
2994 { &hf_ip_opt_flag, { "Flag", "ip.opt.flag", FT_UINT8, BASE_HEX, VALS(ipopt_timestamp_flag_vals), 0x0F, NULL, HFILL }},
2995 { &hf_ip_opt_time_stamp, { "Time stamp", "ip.opt.time_stamp", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }},
2996 { &hf_ip_opt_time_stamp_addr, { "Address", "ip.opt.time_stamp_addr", FT_IPv4, BASE_NONE, NULL, 0x0, NULL, HFILL }},
3000 static gint *ett[] = {
3006 &ett_ip_option_eool,
3009 &ett_ip_option_route,
3010 &ett_ip_option_timestamp,
3011 &ett_ip_option_ext_security,
3012 &ett_ip_option_cipso,
3019 &ett_ip_option_other,
3024 &ett_ip_opt_sec_prot_auth_flags,
3025 &ett_unknown_ip_tcp_opt,
3030 static ei_register_info ei[] = {
3031 { &ei_ip_opt_len_invalid, { "ip.opt.len.invalid", PI_PROTOCOL, PI_WARN, "Invalid length for option", EXPFILL }},
3032 { &ei_ip_opt_sec_prot_auth_fti, { "ip.opt.len.invalid", PI_PROTOCOL, PI_WARN, "Field Termination Indicator set to 1 for last byte of option", EXPFILL }},
3033 { &ei_ip_extraneous_data, { "ip.opt.len.invalid", PI_PROTOCOL, PI_WARN, "Extraneous data in option", EXPFILL }},
3034 { &ei_ip_opt_ptr_before_address, { "ip.opt.ptr.before_address", PI_PROTOCOL, PI_WARN, "Pointer points before first address", EXPFILL }},
3035 { &ei_ip_opt_ptr_middle_address, { "ip.opt.ptr.middle_address", PI_PROTOCOL, PI_WARN, "Pointer points to middle of address", EXPFILL }},
3036 { &ei_ip_subopt_too_long, { "ip.subopt_too_long", PI_PROTOCOL, PI_WARN, "Suboption would go past end of option", EXPFILL }},
3037 { &ei_ip_nop, { "ip.nop", PI_PROTOCOL, PI_WARN, "4 NOP in a row - a router may have removed some options", EXPFILL }},
3038 { &ei_ip_bogus_ip_length, { "ip.bogus_ip_length", PI_PROTOCOL, PI_ERROR, "Bogus IP length", EXPFILL }},
3039 { &ei_ip_evil_packet, { "ip.evil_packet", PI_PROTOCOL, PI_WARN, "Suboption would go past end of option", EXPFILL }},
3040 { &ei_ip_checksum_bad, { "ip.checksum_bad.expert", PI_CHECKSUM, PI_ERROR, "Bad checksum", EXPFILL }},
3041 { &ei_ip_ttl_lncb, { "ip.ttl.lncb", PI_SEQUENCE, PI_NOTE, "Time To Live", EXPFILL }},
3042 { &ei_ip_ttl_too_small, { "ip.ttl.too_small", PI_SEQUENCE, PI_NOTE, "Time To Live", EXPFILL }},
3043 { &ei_ip_cipso_tag, { "ip.cipso.malformed", PI_SEQUENCE, PI_ERROR, "Malformed CIPSO tag", EXPFILL }},
3046 /* Decode As handling */
3047 static build_valid_func ip_da_build_value[1] = {ip_value};
3048 static decode_as_value_t ip_da_values = {ip_prompt, 1, ip_da_build_value};
3049 static decode_as_t ip_da = {"ip", "Network", "ip.proto", 1, 0, &ip_da_values, NULL, NULL,
3050 decode_as_default_populate_list, decode_as_default_reset, decode_as_default_change, NULL};
3052 module_t *ip_module;
3053 expert_module_t* expert_ip;
3055 proto_ip = proto_register_protocol("Internet Protocol Version 4", "IPv4", "ip");
3056 proto_register_field_array(proto_ip, hf, array_length(hf));
3057 proto_register_subtree_array(ett, array_length(ett));
3058 expert_ip = expert_register_protocol(proto_ip);
3059 expert_register_field_array(expert_ip, ei, array_length(ei));
3061 /* subdissector code */
3062 ip_dissector_table = register_dissector_table("ip.proto", "IP protocol",
3063 FT_UINT8, BASE_DEC);
3064 heur_subdissector_list = register_heur_dissector_list("ip");
3066 /* Register configuration options */
3067 ip_module = prefs_register_protocol(proto_ip, NULL);
3068 prefs_register_bool_preference(ip_module, "decode_tos_as_diffserv",
3069 "Decode IPv4 TOS field as DiffServ field",
3070 "Whether the IPv4 type-of-service field should be decoded as a "
3071 "Differentiated Services field (see RFC2474/RFC2475)", &g_ip_dscp_actif);
3072 prefs_register_bool_preference(ip_module, "defragment",
3073 "Reassemble fragmented IPv4 datagrams",
3074 "Whether fragmented IPv4 datagrams should be reassembled", &ip_defragment);
3075 prefs_register_bool_preference(ip_module, "summary_in_tree",
3076 "Show IPv4 summary in protocol tree",
3077 "Whether the IPv4 summary line should be shown in the protocol tree",
3078 &ip_summary_in_tree);
3079 prefs_register_bool_preference(ip_module, "check_checksum",
3080 "Validate the IPv4 checksum if possible",
3081 "Whether to validate the IPv4 checksum", &ip_check_checksum);
3082 prefs_register_bool_preference(ip_module, "tso_support",
3083 "Support packet-capture from IP TSO-enabled hardware",
3084 "Whether to correct for TSO-enabled (TCP segmentation offload) hardware "
3085 "captures, such as spoofing the IP packet length", &ip_tso_supported);
3087 prefs_register_bool_preference(ip_module, "use_geoip",
3088 "Enable GeoIP lookups",
3089 "Whether to look up IP addresses in each GeoIP database we have loaded",
3091 #endif /* HAVE_GEOIP */
3092 prefs_register_bool_preference(ip_module, "security_flag" ,
3093 "Interpret Reserved flag as Security flag (RFC 3514)",
3094 "Whether to interpret the originally reserved flag as security flag",
3096 prefs_register_bool_preference(ip_module, "try_heuristic_first",
3097 "Try heuristic sub-dissectors first",
3098 "Try to decode a packet using an heuristic sub-dissector before using a sub-dissector registered to a specific port",
3099 &try_heuristic_first);
3101 register_dissector("ip", dissect_ip, proto_ip);
3102 register_init_routine(ip_defragment_init);
3103 ip_tap = register_tap("ip");
3105 register_decode_as(&ip_da);
3106 register_conversation_table(proto_ip, TRUE, ip_conversation_packet, ip_hostlist_packet);
3107 register_color_conversation_filter("ip", "IPv4", ip_color_filter_valid, ip_build_color_filter);
3111 proto_reg_handoff_ip(void)
3113 dissector_handle_t ip_handle;
3115 ip_handle = find_dissector("ip");
3116 ipv6_handle = find_dissector("ipv6");
3117 data_handle = find_dissector("data");
3119 dissector_add_uint("ethertype", ETHERTYPE_IP, ip_handle);
3120 dissector_add_uint("erf.types.type", ERF_TYPE_IPV4, ip_handle);
3121 dissector_add_uint("ppp.protocol", PPP_IP, ip_handle);
3122 dissector_add_uint("ppp.protocol", ETHERTYPE_IP, ip_handle);
3123 dissector_add_uint("gre.proto", ETHERTYPE_IP, ip_handle);
3124 dissector_add_uint("gre.proto", GRE_WCCP, ip_handle);
3125 dissector_add_uint("llc.dsap", SAP_IP, ip_handle);
3126 dissector_add_uint("ip.proto", IP_PROTO_IPIP, ip_handle);
3127 dissector_add_uint("null.type", BSD_AF_INET, ip_handle);
3128 dissector_add_uint("chdlc.protocol", ETHERTYPE_IP, ip_handle);
3129 dissector_add_uint("osinl.excl", NLPID_IP, ip_handle);
3130 dissector_add_uint("fr.nlpid", NLPID_IP, ip_handle);
3131 dissector_add_uint("x.25.spi", NLPID_IP, ip_handle);
3132 dissector_add_uint("arcnet.protocol_id", ARCNET_PROTO_IP_1051, ip_handle);
3133 dissector_add_uint("arcnet.protocol_id", ARCNET_PROTO_IP_1201, ip_handle);
3134 dissector_add_uint("ax25.pid", AX25_P_IP, ip_handle);
3135 dissector_add_uint("juniper.proto", JUNIPER_PROTO_IP, ip_handle);
3136 dissector_add_uint("juniper.proto", JUNIPER_PROTO_MPLS_IP, ip_handle);
3137 dissector_add_uint("pwach.channel_type", 0x21, ip_handle); /* IPv4, RFC4385 clause 6. */
3138 dissector_add_uint("sflow_245.header_protocol", SFLOW_245_HEADER_IPv4, ip_handle);
3139 dissector_add_uint("l2tp.pw_type", L2TPv3_PROTOCOL_IP, ip_handle);
3140 dissector_add_for_decode_as("udp.port", ip_handle);
3141 dissector_add_uint("wtap_encap", WTAP_ENCAP_RAW_IP4, ip_handle);
3143 heur_dissector_add("tipc", dissect_ip_heur, proto_ip);
3147 * Editor modelines - http://www.wireshark.org/tools/modelines.html
3152 * indent-tabs-mode: nil
3155 * vi: set shiftwidth=2 tabstop=8 expandtab:
3156 * :indentSize=2:tabSize=8:noTabs=true: