2 * Routines for IP and miscellaneous IP protocol packet disassembly
4 * Wireshark - Network traffic analyzer
5 * By Gerald Combs <gerald@wireshark.org>
6 * Copyright 1998 Gerald Combs
8 * Wednesday, January 17, 2006
9 * Support for the CIPSO IPv4 option
10 * (http://sourceforge.net/docman/display_doc.php?docid=34650&group_id=174379)
11 * by Paul Moore <paul.moore@hp.com>
13 * This program is free software; you can redistribute it and/or
14 * modify it under the terms of the GNU General Public License
15 * as published by the Free Software Foundation; either version 2
16 * of the License, or (at your option) any later version.
18 * This program is distributed in the hope that it will be useful,
19 * but WITHOUT ANY WARRANTY; without even the implied warranty of
20 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21 * GNU General Public License for more details.
23 * You should have received a copy of the GNU General Public License
24 * along with this program; if not, write to the Free Software
25 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
30 #include <epan/packet.h>
31 #include <epan/addr_resolv.h>
32 #include <epan/ipproto.h>
33 #include <epan/expert.h>
34 #include <epan/ip_opts.h>
35 #include <epan/prefs.h>
36 #include <epan/conversation_table.h>
37 #include <epan/color_dissector_filters.h>
38 #include <epan/reassemble.h>
39 #include <epan/etypes.h>
40 #include <epan/ppptypes.h>
41 #include <epan/llcsaps.h>
42 #include <epan/aftypes.h>
43 #include <epan/arcnet_pids.h>
44 #include <epan/in_cksum.h>
45 #include <epan/nlpid.h>
46 #include <epan/ax25_pids.h>
47 #include <epan/decode_as.h>
48 #include <wiretap/erf.h>
50 #include "packet-ip.h"
51 #include "packet-juniper.h"
52 #include "packet-sflow.h"
53 #include "packet-gre.h"
54 #include "packet-l2tp.h"
58 #include <epan/geoip_db.h>
59 #endif /* HAVE_GEOIP */
61 void proto_register_ip(void);
62 void proto_reg_handoff_ip(void);
64 static int ip_tap = -1;
66 /* Decode the old IPv4 TOS field as the DiffServ DS Field (RFC2474/2475) */
67 static gboolean g_ip_dscp_actif = TRUE;
69 /* Defragment fragmented IP datagrams */
70 static gboolean ip_defragment = TRUE;
72 /* Place IP summary in proto tree */
73 static gboolean ip_summary_in_tree = TRUE;
75 /* Perform IP checksum */
76 static gboolean ip_check_checksum = FALSE;
78 /* Assume TSO and correct zero-length IP packets */
79 static gboolean ip_tso_supported = TRUE;
81 /* Use heuristics to determine subdissector */
82 static gboolean try_heuristic_first = FALSE;
85 /* Look up addresses in GeoIP */
86 static gboolean ip_use_geoip = TRUE;
87 #endif /* HAVE_GEOIP */
89 /* Interpret the reserved flag as security flag (RFC 3514) */
90 static gboolean ip_security_flag = FALSE;
93 static int hf_ip_version = -1;
94 static int hf_ip_hdr_len = -1;
95 static int hf_ip_dsfield = -1;
96 static int hf_ip_dsfield_dscp = -1;
97 static int hf_ip_dsfield_ecn = -1;
98 static int hf_ip_tos = -1;
99 static int hf_ip_tos_precedence = -1;
100 static int hf_ip_tos_delay = -1;
101 static int hf_ip_tos_throughput = -1;
102 static int hf_ip_tos_reliability = -1;
103 static int hf_ip_tos_cost = -1;
104 static int hf_ip_len = -1;
105 static int hf_ip_id = -1;
106 static int hf_ip_dst = -1;
107 static int hf_ip_dst_host = -1;
108 static int hf_ip_src = -1;
109 static int hf_ip_src_host = -1;
110 static int hf_ip_addr = -1;
111 static int hf_ip_host = -1;
112 static int hf_ip_flags = -1;
113 static int hf_ip_flags_sf = -1;
114 static int hf_ip_flags_rf = -1;
115 static int hf_ip_flags_df = -1;
116 static int hf_ip_flags_mf = -1;
117 static int hf_ip_frag_offset = -1;
118 static int hf_ip_ttl = -1;
119 static int hf_ip_proto = -1;
120 static int hf_ip_checksum = -1;
121 static int hf_ip_checksum_calculated = -1;
122 static int hf_ip_checksum_good = -1;
123 static int hf_ip_checksum_bad = -1;
125 /* IP option fields */
126 static int hf_ip_opt_type = -1;
127 static int hf_ip_opt_type_copy = -1;
128 static int hf_ip_opt_type_class = -1;
129 static int hf_ip_opt_type_number = -1;
130 static int hf_ip_opt_len = -1;
131 static int hf_ip_opt_ptr = -1;
132 static int hf_ip_opt_sid = -1;
133 static int hf_ip_opt_mtu = -1;
134 static int hf_ip_opt_id_number = -1;
135 static int hf_ip_opt_ohc = -1;
136 static int hf_ip_opt_rhc = -1;
137 static int hf_ip_opt_originator = -1;
138 static int hf_ip_opt_ra = -1;
139 static int hf_ip_opt_addr = -1;
140 static int hf_ip_opt_padding = -1;
141 static int hf_ip_opt_qs_func = -1;
142 static int hf_ip_opt_qs_rate = -1;
143 static int hf_ip_opt_qs_ttl = -1;
144 static int hf_ip_opt_qs_ttl_diff = -1;
145 static int hf_ip_opt_qs_unused = -1;
146 static int hf_ip_opt_qs_nonce = -1;
147 static int hf_ip_opt_qs_reserved = -1;
148 static int hf_ip_opt_sec_rfc791_sec = -1;
149 static int hf_ip_opt_sec_rfc791_comp = -1;
150 static int hf_ip_opt_sec_rfc791_hr = -1;
151 static int hf_ip_opt_sec_rfc791_tcc = -1;
152 static int hf_ip_opt_sec_cl = -1;
153 static int hf_ip_opt_sec_prot_auth_flags = -1;
154 static int hf_ip_opt_sec_prot_auth_genser = -1;
155 static int hf_ip_opt_sec_prot_auth_siop_esi = -1;
156 static int hf_ip_opt_sec_prot_auth_sci = -1;
157 static int hf_ip_opt_sec_prot_auth_nsa = -1;
158 static int hf_ip_opt_sec_prot_auth_doe = -1;
159 static int hf_ip_opt_sec_prot_auth_unassigned = -1;
160 static int hf_ip_opt_sec_prot_auth_unassigned2 = -1;
161 static int hf_ip_opt_sec_prot_auth_fti = -1;
162 static int hf_ip_opt_ext_sec_add_sec_info_format_code = -1;
163 static int hf_ip_opt_ext_sec_add_sec_info = -1;
164 static int hf_ip_rec_rt = -1;
165 static int hf_ip_rec_rt_host = -1;
166 static int hf_ip_cur_rt = -1;
167 static int hf_ip_cur_rt_host = -1;
168 static int hf_ip_src_rt = -1;
169 static int hf_ip_src_rt_host = -1;
170 static int hf_ip_empty_rt = -1;
171 static int hf_ip_empty_rt_host = -1;
172 static int hf_ip_cipso_tag_type = -1;
174 static int hf_ip_fragments = -1;
175 static int hf_ip_fragment = -1;
176 static int hf_ip_fragment_overlap = -1;
177 static int hf_ip_fragment_overlap_conflict = -1;
178 static int hf_ip_fragment_multiple_tails = -1;
179 static int hf_ip_fragment_too_long_fragment = -1;
180 static int hf_ip_fragment_error = -1;
181 static int hf_ip_fragment_count = -1;
182 static int hf_ip_reassembled_in = -1;
183 static int hf_ip_reassembled_length = -1;
184 static int hf_ip_reassembled_data = -1;
186 /* Generated from convert_proto_tree_add_text.pl */
187 static int hf_ip_opt_flag = -1;
188 static int hf_ip_opt_overflow = -1;
189 static int hf_ip_cipso_tag_data = -1;
190 static int hf_ip_cipso_sensitivity_level = -1;
191 static int hf_ip_cipso_categories = -1;
192 static int hf_ip_cipso_doi = -1;
193 static int hf_ip_opt_time_stamp = -1;
194 static int hf_ip_opt_time_stamp_addr = -1;
197 static int hf_geoip_country = -1;
198 static int hf_geoip_city = -1;
199 static int hf_geoip_org = -1;
200 static int hf_geoip_isp = -1;
201 static int hf_geoip_asnum = -1;
202 static int hf_geoip_lat = -1;
203 static int hf_geoip_lon = -1;
204 static int hf_geoip_src_country = -1;
205 static int hf_geoip_src_city = -1;
206 static int hf_geoip_src_org = -1;
207 static int hf_geoip_src_isp = -1;
208 static int hf_geoip_src_asnum = -1;
209 static int hf_geoip_src_lat = -1;
210 static int hf_geoip_src_lon = -1;
211 static int hf_geoip_dst_country = -1;
212 static int hf_geoip_dst_city = -1;
213 static int hf_geoip_dst_org = -1;
214 static int hf_geoip_dst_isp = -1;
215 static int hf_geoip_dst_asnum = -1;
216 static int hf_geoip_dst_lat = -1;
217 static int hf_geoip_dst_lon = -1;
218 #endif /* HAVE_GEOIP */
220 static gint ett_ip = -1;
221 static gint ett_ip_dsfield = -1;
222 static gint ett_ip_tos = -1;
223 static gint ett_ip_off = -1;
224 static gint ett_ip_options = -1;
225 static gint ett_ip_option_eool = -1;
226 static gint ett_ip_option_nop = -1;
227 static gint ett_ip_option_sec = -1;
228 static gint ett_ip_option_route = -1;
229 static gint ett_ip_option_timestamp = -1;
230 static gint ett_ip_option_ext_security = -1;
231 static gint ett_ip_option_cipso = -1;
232 static gint ett_ip_option_sid = -1;
233 static gint ett_ip_option_mtu = -1;
234 static gint ett_ip_option_tr = -1;
235 static gint ett_ip_option_ra = -1;
236 static gint ett_ip_option_sdb = -1;
237 static gint ett_ip_option_qs = -1;
238 static gint ett_ip_option_other = -1;
239 static gint ett_ip_fragments = -1;
240 static gint ett_ip_fragment = -1;
241 static gint ett_ip_checksum = -1;
242 static gint ett_ip_opt_type = -1;
243 static gint ett_ip_opt_sec_prot_auth_flags = -1;
244 static gint ett_unknown_ip_tcp_opt = -1;
246 static expert_field ei_ip_opt_len_invalid = EI_INIT;
247 static expert_field ei_ip_opt_sec_prot_auth_fti = EI_INIT;
248 static expert_field ei_ip_extraneous_data = EI_INIT;
249 static expert_field ei_ip_opt_ptr_before_address = EI_INIT;
250 static expert_field ei_ip_opt_ptr_middle_address = EI_INIT;
251 static expert_field ei_ip_subopt_too_long = EI_INIT;
252 static expert_field ei_ip_nop = EI_INIT;
253 static expert_field ei_ip_bogus_ip_length = EI_INIT;
254 static expert_field ei_ip_evil_packet = EI_INIT;
255 static expert_field ei_ip_checksum_bad = EI_INIT;
256 static expert_field ei_ip_ttl_lncb = EI_INIT;
257 static expert_field ei_ip_ttl_too_small = EI_INIT;
258 static expert_field ei_ip_cipso_tag = EI_INIT;
262 static gint ett_geoip_info = -1;
263 #endif /* HAVE_GEOIP */
265 static const fragment_items ip_frag_items = {
270 &hf_ip_fragment_overlap,
271 &hf_ip_fragment_overlap_conflict,
272 &hf_ip_fragment_multiple_tails,
273 &hf_ip_fragment_too_long_fragment,
274 &hf_ip_fragment_error,
275 &hf_ip_fragment_count,
276 &hf_ip_reassembled_in,
277 &hf_ip_reassembled_length,
278 &hf_ip_reassembled_data,
282 static heur_dissector_list_t heur_subdissector_list;
284 static dissector_table_t ip_dissector_table;
286 static dissector_handle_t ipv6_handle;
287 static dissector_handle_t data_handle;
290 /* IP structs and definitions */
292 /* Offsets of fields within an IP header. */
304 /* Minimum IP header length. */
305 #define IPH_MIN_LEN 20
307 /* Width (in bits) of the fragment offset IP header field */
308 #define IP_OFFSET_WIDTH 13
310 /* Width (in bits) of the flags IP header field */
311 #define IP_FLAGS_WIDTH 3
314 #define IP_RF 0x8000 /* Flag: "Reserved bit" */
315 #define IP_DF 0x4000 /* Flag: "Don't Fragment" */
316 #define IP_MF 0x2000 /* Flag: "More Fragments" */
317 #define IP_OFFSET 0x1FFF /* "Fragment Offset" part */
319 /* Differentiated Services Field. See RFCs 2474, 2597 and 2598. */
320 #define IPDSFIELD_DSCP_MASK 0xFC
321 #define IPDSFIELD_ECN_MASK 0x03
322 #define IPDSFIELD_DSCP_SHIFT 2
324 #define IPDSFIELD_DSCP(dsfield) (((dsfield)&IPDSFIELD_DSCP_MASK)>>IPDSFIELD_DSCP_SHIFT)
325 #define IPDSFIELD_ECN(dsfield) ((dsfield)&IPDSFIELD_ECN_MASK)
327 #define IPDSFIELD_DSCP_DEFAULT 0x00
328 #define IPDSFIELD_DSCP_CS1 0x08
329 #define IPDSFIELD_DSCP_AF11 0x0A
330 #define IPDSFIELD_DSCP_AF12 0x0C
331 #define IPDSFIELD_DSCP_AF13 0x0E
332 #define IPDSFIELD_DSCP_CS2 0x10
333 #define IPDSFIELD_DSCP_AF21 0x12
334 #define IPDSFIELD_DSCP_AF22 0x14
335 #define IPDSFIELD_DSCP_AF23 0x16
336 #define IPDSFIELD_DSCP_CS3 0x18
337 #define IPDSFIELD_DSCP_AF31 0x1A
338 #define IPDSFIELD_DSCP_AF32 0x1C
339 #define IPDSFIELD_DSCP_AF33 0x1E
340 #define IPDSFIELD_DSCP_CS4 0x20
341 #define IPDSFIELD_DSCP_AF41 0x22
342 #define IPDSFIELD_DSCP_AF42 0x24
343 #define IPDSFIELD_DSCP_AF43 0x26
344 #define IPDSFIELD_DSCP_CS5 0x28
345 #define IPDSFIELD_DSCP_EF 0x2E
346 #define IPDSFIELD_DSCP_CS6 0x30
347 #define IPDSFIELD_DSCP_CS7 0x38
349 #define IPDSFIELD_ECT_NOT 0x00
350 #define IPDSFIELD_ECT_1 0x01
351 #define IPDSFIELD_ECT_0 0x02
352 #define IPDSFIELD_CE 0x03
354 /* IP TOS, superseded by the DS Field, RFC 2474. */
355 #define IPTOS_TOS_MASK 0x1E
356 #define IPTOS_TOS(tos) ((tos) & IPTOS_TOS_MASK)
357 #define IPTOS_NONE 0x00
358 #define IPTOS_LOWCOST 0x02
359 #define IPTOS_RELIABILITY 0x04
360 #define IPTOS_THROUGHPUT 0x08
361 #define IPTOS_LOWDELAY 0x10
362 #define IPTOS_SECURITY 0x1E
364 #define IPTOS_PREC_MASK 0xE0
365 #define IPTOS_PREC_SHIFT 5
366 #define IPTOS_PREC(tos) (((tos)&IPTOS_PREC_MASK)>>IPTOS_PREC_SHIFT)
367 #define IPTOS_PREC_NETCONTROL 7
368 #define IPTOS_PREC_INTERNETCONTROL 6
369 #define IPTOS_PREC_CRITIC_ECP 5
370 #define IPTOS_PREC_FLASHOVERRIDE 4
371 #define IPTOS_PREC_FLASH 3
372 #define IPTOS_PREC_IMMEDIATE 2
373 #define IPTOS_PREC_PRIORITY 1
374 #define IPTOS_PREC_ROUTINE 0
377 #define IPOPT_COPY 0x80
379 #define IPOPT_CONTROL 0x00
380 #define IPOPT_RESERVED1 0x20
381 #define IPOPT_MEASUREMENT 0x40
382 #define IPOPT_RESERVED2 0x60
384 /* REF: http://www.iana.org/assignments/ip-parameters */
385 /* TODO: Not all of these are implemented. */
386 #define IPOPT_EOOL (0 |IPOPT_CONTROL)
387 #define IPOPT_NOP (1 |IPOPT_CONTROL)
388 #define IPOPT_SEC (2 |IPOPT_COPY|IPOPT_CONTROL) /* RFC 791/1108 */
389 #define IPOPT_LSR (3 |IPOPT_COPY|IPOPT_CONTROL)
390 #define IPOPT_TS (4 |IPOPT_MEASUREMENT)
391 #define IPOPT_ESEC (5 |IPOPT_COPY|IPOPT_CONTROL) /* RFC 1108 */
392 #define IPOPT_CIPSO (6 |IPOPT_COPY|IPOPT_CONTROL) /* draft-ietf-cipso-ipsecurity-01 */
393 #define IPOPT_RR (7 |IPOPT_CONTROL)
394 #define IPOPT_SID (8 |IPOPT_COPY|IPOPT_CONTROL)
395 #define IPOPT_SSR (9 |IPOPT_COPY|IPOPT_CONTROL)
396 #define IPOPT_ZSU (10|IPOPT_CONTROL) /* Zsu */
397 #define IPOPT_MTUP (11|IPOPT_CONTROL) /* RFC 1063 */
398 #define IPOPT_MTUR (12|IPOPT_CONTROL) /* RFC 1063 */
399 #define IPOPT_FINN (13|IPOPT_COPY|IPOPT_MEASUREMENT) /* Finn */
400 #define IPOPT_VISA (14|IPOPT_COPY|IPOPT_CONTROL) /* Estrin */
401 #define IPOPT_ENCODE (15|IPOPT_CONTROL) /* VerSteeg */
402 #define IPOPT_IMITD (16|IPOPT_COPY|IPOPT_CONTROL) /* Lee */
403 #define IPOPT_EIP (17|IPOPT_COPY|IPOPT_CONTROL) /* RFC 1385 */
404 #define IPOPT_TR (18|IPOPT_MEASUREMENT) /* RFC 1393 */
405 #define IPOPT_ADDEXT (19|IPOPT_COPY|IPOPT_CONTROL) /* Ullmann IPv7 */
406 #define IPOPT_RTRALT (20|IPOPT_COPY|IPOPT_CONTROL) /* RFC 2113 */
407 #define IPOPT_SDB (21|IPOPT_COPY|IPOPT_CONTROL) /* RFC 1770 Graff */
408 #define IPOPT_UN (22|IPOPT_COPY|IPOPT_CONTROL) /* Released 18-Oct-2005 */
409 #define IPOPT_DPS (23|IPOPT_COPY|IPOPT_CONTROL) /* Malis */
410 #define IPOPT_UMP (24|IPOPT_COPY|IPOPT_CONTROL) /* Farinacci */
411 #define IPOPT_QS (25|IPOPT_CONTROL) /* RFC 4782 */
412 #define IPOPT_EXP (30|IPOPT_CONTROL) /* RFC 4727 */
415 /* IP option lengths */
416 #define IPOLEN_SEC_MIN 3
417 #define IPOLEN_LSR_MIN 3
418 #define IPOLEN_TS_MIN 4
419 #define IPOLEN_ESEC_MIN 3
420 #define IPOLEN_CIPSO_MIN 10
421 #define IPOLEN_RR_MIN 3
423 #define IPOLEN_SSR_MIN 3
427 #define IPOLEN_SDB_MIN 6
429 #define IPOLEN_MAX 40
431 #define IPSEC_RFC791_UNCLASSIFIED 0x0000
432 #define IPSEC_RFC791_CONFIDENTIAL 0xF135
433 #define IPSEC_RFC791_EFTO 0x789A
434 #define IPSEC_RFC791_MMMM 0xBC4D
435 #define IPSEC_RFC791_PROG 0x5E26
436 #define IPSEC_RFC791_RESTRICTED 0xAF13
437 #define IPSEC_RFC791_SECRET 0xD788
438 #define IPSEC_RFC791_TOPSECRET 0x6BC5
439 #define IPSEC_RFC791_RESERVED1 0x35E2
440 #define IPSEC_RFC791_RESERVED2 0x9AF1
441 #define IPSEC_RFC791_RESERVED3 0x4D78
442 #define IPSEC_RFC791_RESERVED4 0x24BD
443 #define IPSEC_RFC791_RESERVED5 0x135E
444 #define IPSEC_RFC791_RESERVED6 0x89AF
445 #define IPSEC_RFC791_RESERVED7 0xC4D6
446 #define IPSEC_RFC791_RESERVED8 0xE26B
448 #define IPSEC_RESERVED4 0x01
449 #define IPSEC_TOPSECRET 0x3D
450 #define IPSEC_SECRET 0x5A
451 #define IPSEC_CONFIDENTIAL 0x96
452 #define IPSEC_RESERVED3 0x66
453 #define IPSEC_RESERVED2 0xCC
454 #define IPSEC_UNCLASSIFIED 0xAB
455 #define IPSEC_RESERVED1 0xF1
457 #define IPOPT_TS_TSONLY 0 /* timestamps only */
458 #define IPOPT_TS_TSANDADDR 1 /* timestamps and addresses */
459 #define IPOPT_TS_PRESPEC 3 /* specified modules only */
461 #define IPLOCAL_NETWRK_CTRL_BLK_VRRP_ADDR 0xE0000012
462 #define IPLOCAL_NETWRK_CTRL_BLK_VRRP_TTL 0xFF
463 #define IPLOCAL_NETWRK_CTRL_BLK_GLPB_ADDR 0xE0000066
464 #define IPLOCAL_NETWRK_CTRL_BLK_GLPB_TTL 0XFF
465 #define IPLOCAL_NETWRK_CTRL_BLK_MDNS_ADDR 0xE00000FB
466 #define IPLOCAL_NETWRK_CTRL_BLK_MDNS_TTL 0XFF
467 #define IPLOCAL_NETWRK_CTRL_BLK_LLMNR_ADDR 0xE00000FC
469 #define IPLOCAL_NETWRK_CTRL_BLK_ANY_TTL 0x1000 /* larger than max ttl */
470 #define IPLOCAL_NETWRK_CTRL_BLK_DEFAULT_TTL 0X01
472 /* Return true if the address is in the 224.0.0.0/24 network block */
473 #define is_a_local_network_control_block_addr(addr) \
474 ((addr & 0xffffff00) == 0xe0000000)
476 /* Return true if the address is in the 224.0.0.0/4 network block */
477 #define is_a_multicast_addr(addr) \
478 ((addr & 0xf0000000) == 0xe0000000)
480 static void ip_prompt(packet_info *pinfo, gchar* result)
482 g_snprintf(result, MAX_DECODE_AS_PROMPT_LEN, "IP protocol %u as",
483 GPOINTER_TO_UINT(p_get_proto_data(pinfo->pool, pinfo, proto_ip, 0)));
486 static gpointer ip_value(packet_info *pinfo)
488 return p_get_proto_data(pinfo->pool, pinfo, proto_ip, 0);
491 static const char* ip_conv_get_filter_type(conv_item_t* conv, conv_filter_type_e filter)
493 if ((filter == CONV_FT_SRC_ADDRESS) && (conv->src_address.type == AT_IPv4))
496 if ((filter == CONV_FT_DST_ADDRESS) && (conv->dst_address.type == AT_IPv4))
499 if ((filter == CONV_FT_ANY_ADDRESS) && (conv->src_address.type == AT_IPv4))
502 return CONV_FILTER_INVALID;
505 static ct_dissector_info_t ip_ct_dissector_info = {&ip_conv_get_filter_type};
508 ip_conversation_packet(void *pct, packet_info *pinfo, epan_dissect_t *edt _U_, const void *vip)
510 conv_hash_t *hash = (conv_hash_t*) pct;
511 const ws_ip *iph=(const ws_ip *)vip;
513 add_conversation_table_data(hash, &iph->ip_src, &iph->ip_dst, 0, 0, 1, pinfo->fd->pkt_len, &pinfo->rel_ts, &pinfo->fd->abs_ts, &ip_ct_dissector_info, PT_NONE);
518 static const char* ip_host_get_filter_type(hostlist_talker_t* host, conv_filter_type_e filter)
520 if ((filter == CONV_FT_ANY_ADDRESS) && (host->myaddress.type == AT_IPv4))
523 return CONV_FILTER_INVALID;
526 static hostlist_dissector_info_t ip_host_dissector_info = {&ip_host_get_filter_type};
529 ip_hostlist_packet(void *pit, packet_info *pinfo, epan_dissect_t *edt _U_, const void *vip)
531 conv_hash_t *hash = (conv_hash_t*) pit;
532 const ws_ip *iph=(const ws_ip *)vip;
534 /* Take two "add" passes per packet, adding for each direction, ensures that all
535 packets are counted properly (even if address is sending to itself)
536 XXX - this could probably be done more efficiently inside hostlist_table */
537 add_hostlist_table_data(hash, &iph->ip_src, 0, TRUE, 1, pinfo->fd->pkt_len, &ip_host_dissector_info, PT_NONE);
538 add_hostlist_table_data(hash, &iph->ip_dst, 0, FALSE, 1, pinfo->fd->pkt_len, &ip_host_dissector_info, PT_NONE);
543 ip_color_filter_valid(packet_info *pinfo)
545 return proto_is_frame_protocol(pinfo->layers, "ip");
549 ip_build_color_filter(packet_info *pinfo)
551 return g_strdup_printf("ip.addr eq %s and ip.addr eq %s",
552 address_to_str(pinfo->pool, &pinfo->net_src),
553 address_to_str(pinfo->pool, &pinfo->net_dst));
557 * defragmentation of IPv4
559 static reassembly_table ip_reassembly_table;
562 ip_defragment_init(void)
564 reassembly_table_init(&ip_reassembly_table,
565 &addresses_reassembly_table_functions);
569 ip_defragment_cleanup(void)
571 reassembly_table_destroy(&ip_reassembly_table);
575 capture_ip(const guchar *pd, int offset, int len, packet_counts *ld) {
576 if (!BYTES_ARE_IN_FRAME(offset, len, IPH_MIN_LEN)) {
580 switch (pd[offset + 9]) {
585 case IP_PROTO_UDPLITE:
589 case IP_PROTO_ICMPV6: /* XXX - separate counters? */
611 add_geoip_info_entry(proto_tree *geoip_info_tree, proto_item *geoip_info_item, tvbuff_t *tvb, gint offset, guint32 ip, int isdst)
613 guint num_dbs = geoip_db_num_dbs();
617 for (dbnum = 0; dbnum < num_dbs; dbnum++) {
618 char *geoip_str = geoip_db_lookup_ipv4(dbnum, ip, NULL);
619 int db_type = geoip_db_type(dbnum);
621 int geoip_hf, geoip_local_hf;
624 case GEOIP_COUNTRY_EDITION:
625 geoip_hf = hf_geoip_country;
626 geoip_local_hf = (isdst) ? hf_geoip_dst_country : hf_geoip_src_country;
628 case GEOIP_CITY_EDITION_REV0:
629 geoip_hf = hf_geoip_city;
630 geoip_local_hf = (isdst) ? hf_geoip_dst_city : hf_geoip_src_city;
632 case GEOIP_CITY_EDITION_REV1:
633 geoip_hf = hf_geoip_city;
634 geoip_local_hf = (isdst) ? hf_geoip_dst_city : hf_geoip_src_city;
636 case GEOIP_ORG_EDITION:
637 geoip_hf = hf_geoip_org;
638 geoip_local_hf = (isdst) ? hf_geoip_dst_org : hf_geoip_src_org;
640 case GEOIP_ISP_EDITION:
641 geoip_hf = hf_geoip_isp;
642 geoip_local_hf = (isdst) ? hf_geoip_dst_isp : hf_geoip_src_isp;
644 case GEOIP_ASNUM_EDITION:
645 geoip_hf = hf_geoip_asnum;
646 geoip_local_hf = (isdst) ? hf_geoip_dst_asnum : hf_geoip_src_asnum;
648 case WS_LAT_FAKE_EDITION:
649 geoip_hf = hf_geoip_lat;
650 geoip_local_hf = (isdst) ? hf_geoip_dst_lat : hf_geoip_src_lat;
652 case WS_LON_FAKE_EDITION:
653 geoip_hf = hf_geoip_lon;
654 geoip_local_hf = (isdst) ? hf_geoip_dst_lon : hf_geoip_src_lon;
662 if (db_type == WS_LAT_FAKE_EDITION || db_type == WS_LON_FAKE_EDITION) {
663 /* Convert latitude, longitude to double. Fix bug #5077 */
664 item = proto_tree_add_double_format_value(geoip_info_tree, geoip_local_hf,
665 tvb, offset, 4, g_ascii_strtod(geoip_str, NULL), "%s", geoip_str);
666 PROTO_ITEM_SET_GENERATED(item);
667 item = proto_tree_add_double_format_value(geoip_info_tree, geoip_hf,
668 tvb, offset, 4, g_ascii_strtod(geoip_str, NULL), "%s", geoip_str);
669 PROTO_ITEM_SET_GENERATED(item);
670 PROTO_ITEM_SET_HIDDEN(item);
672 item = proto_tree_add_string(geoip_info_tree, geoip_local_hf,
673 tvb, offset, 4, geoip_str);
674 PROTO_ITEM_SET_GENERATED(item);
675 item = proto_tree_add_string(geoip_info_tree, geoip_hf,
676 tvb, offset, 4, geoip_str);
677 PROTO_ITEM_SET_GENERATED(item);
678 PROTO_ITEM_SET_HIDDEN(item);
682 proto_item_append_text(geoip_info_item, "%s%s",
683 plurality(item_cnt, "", ", "), geoip_str);
684 wmem_free(NULL, geoip_str);
689 proto_item_append_text(geoip_info_item, "Unknown");
693 add_geoip_info(proto_tree *tree, tvbuff_t *tvb, gint offset, guint32 src32,
697 proto_item *geoip_info_item;
698 proto_tree *geoip_info_tree;
700 num_dbs = geoip_db_num_dbs();
704 geoip_info_tree = proto_tree_add_subtree(tree, tvb, offset + IPH_SRC, 4, ett_geoip_info, &geoip_info_item, "Source GeoIP: ");
705 PROTO_ITEM_SET_GENERATED(geoip_info_item);
706 add_geoip_info_entry(geoip_info_tree, geoip_info_item, tvb, offset + IPH_SRC, src32, 0);
708 geoip_info_tree = proto_tree_add_subtree(tree, tvb, offset + IPH_DST, 4, ett_geoip_info, &geoip_info_item, "Destination GeoIP: ");
709 PROTO_ITEM_SET_GENERATED(geoip_info_item);
710 add_geoip_info_entry(geoip_info_tree, geoip_info_item, tvb, offset + IPH_DST, dst32, 1);
712 #endif /* HAVE_GEOIP */
714 const value_string ipopt_type_class_vals[] = {
715 {(IPOPT_CONTROL & IPOPT_CLASS_MASK) >> 5, "Control"},
716 {(IPOPT_RESERVED1 & IPOPT_CLASS_MASK) >> 5, "Reserved for future use"},
717 {(IPOPT_MEASUREMENT & IPOPT_CLASS_MASK) >> 5, "Debugging and measurement"},
718 {(IPOPT_RESERVED2 & IPOPT_CLASS_MASK) >> 5, "Reserved for future use"},
722 const value_string ipopt_type_number_vals[] = {
723 {IPOPT_EOOL & IPOPT_NUMBER_MASK, "End of Option List (EOL)"},
724 {IPOPT_NOP & IPOPT_NUMBER_MASK, "No-Operation (NOP)"},
725 {IPOPT_SEC & IPOPT_NUMBER_MASK, "Security"},
726 {IPOPT_LSR & IPOPT_NUMBER_MASK, "Loose source route"},
727 {IPOPT_TS & IPOPT_NUMBER_MASK, "Time stamp"},
728 {IPOPT_ESEC & IPOPT_NUMBER_MASK, "Extended security"},
729 {IPOPT_CIPSO & IPOPT_NUMBER_MASK, "Commercial IP security option"},
730 {IPOPT_RR & IPOPT_NUMBER_MASK, "Record route"},
731 {IPOPT_SID & IPOPT_NUMBER_MASK, "Stream identifier"},
732 {IPOPT_SSR & IPOPT_NUMBER_MASK, "Strict source route"},
733 {IPOPT_ZSU & IPOPT_NUMBER_MASK, "Experimental Measurement"},
734 {IPOPT_MTUP & IPOPT_NUMBER_MASK, "MTU probe"},
735 {IPOPT_MTUR & IPOPT_NUMBER_MASK, "MTU Reply"},
736 {IPOPT_FINN & IPOPT_NUMBER_MASK, "Experimental Flow Control"},
737 {IPOPT_VISA & IPOPT_NUMBER_MASK, "Experimental Access Control"},
738 {IPOPT_ENCODE & IPOPT_NUMBER_MASK, "Ask Estrin"},
739 {IPOPT_IMITD & IPOPT_NUMBER_MASK, "IMI Traffic Descriptor"},
740 {IPOPT_EIP & IPOPT_NUMBER_MASK, "Extended Internet Protocol"},
741 {IPOPT_TR & IPOPT_NUMBER_MASK, "Traceroute"},
742 {IPOPT_ADDEXT & IPOPT_NUMBER_MASK, "Address Extension"},
743 {IPOPT_RTRALT & IPOPT_NUMBER_MASK, "Router Alert"},
744 {IPOPT_SDB & IPOPT_NUMBER_MASK, "Selective Directed Broadcast"},
745 {IPOPT_UN & IPOPT_NUMBER_MASK, "Unassigned"},
746 {IPOPT_DPS & IPOPT_NUMBER_MASK, "Dynamic Packet State"},
747 {IPOPT_UMP & IPOPT_NUMBER_MASK, "Upstream Multicast Packet"},
748 {IPOPT_QS & IPOPT_NUMBER_MASK, "Quick-Start"},
749 {IPOPT_EXP & IPOPT_NUMBER_MASK, "RFC 3692-style experiment"},
753 static ip_tcp_opt_type IP_OPT_TYPES = {&hf_ip_opt_type, &ett_ip_opt_type,
754 &hf_ip_opt_type_copy, &hf_ip_opt_type_class, &hf_ip_opt_type_number};
757 dissect_ipopt_type(tvbuff_t *tvb, int offset, proto_tree *tree, ip_tcp_opt_type* opttypes)
759 proto_tree *type_tree;
762 ti = proto_tree_add_item(tree, *opttypes->phf_opt_type, tvb, offset, 1, ENC_NA);
763 type_tree = proto_item_add_subtree(ti, *opttypes->pett_opt_type);
764 proto_tree_add_item(type_tree, *opttypes->phf_opt_type_copy, tvb, offset, 1, ENC_NA);
765 proto_tree_add_item(type_tree, *opttypes->phf_opt_type_class, tvb, offset, 1, ENC_NA);
766 proto_tree_add_item(type_tree, *opttypes->phf_opt_type_number, tvb, offset, 1, ENC_NA);
770 dissect_ipopt_eool(const ip_tcp_opt *optp, tvbuff_t *tvb, int offset,
771 guint optlen _U_, packet_info *pinfo _U_,
772 proto_tree *opt_tree, void * data _U_)
774 proto_tree *field_tree;
776 field_tree = proto_tree_add_subtree(opt_tree, tvb, offset, 1, *optp->subtree_index, NULL, optp->name);
777 dissect_ipopt_type(tvb, offset, field_tree, &IP_OPT_TYPES);
780 #define dissect_ipopt_nop dissect_ipopt_eool
782 static const value_string secl_rfc791_vals[] = {
783 {IPSEC_RFC791_UNCLASSIFIED, "Unclassified"},
784 {IPSEC_RFC791_CONFIDENTIAL, "Confidential"},
785 {IPSEC_RFC791_EFTO, "EFTO" },
786 {IPSEC_RFC791_MMMM, "MMMM" },
787 {IPSEC_RFC791_PROG, "PROG" },
788 {IPSEC_RFC791_RESTRICTED, "Restricted" },
789 {IPSEC_RFC791_SECRET, "Secret" },
790 {IPSEC_RFC791_TOPSECRET, "Top secret" },
791 {IPSEC_RFC791_RESERVED1, "Reserved" },
792 {IPSEC_RFC791_RESERVED2, "Reserved" },
793 {IPSEC_RFC791_RESERVED3, "Reserved" },
794 {IPSEC_RFC791_RESERVED4, "Reserved" },
795 {IPSEC_RFC791_RESERVED5, "Reserved" },
796 {IPSEC_RFC791_RESERVED6, "Reserved" },
797 {IPSEC_RFC791_RESERVED7, "Reserved" },
798 {IPSEC_RFC791_RESERVED8, "Reserved" },
802 static const value_string sec_cl_vals[] = {
803 {IPSEC_RESERVED4, "Reserved 4" },
804 {IPSEC_TOPSECRET, "Top secret" },
805 {IPSEC_SECRET, "Secret" },
806 {IPSEC_CONFIDENTIAL, "Confidential"},
807 {IPSEC_RESERVED3, "Reserved 3" },
808 {IPSEC_RESERVED2, "Reserved 2" },
809 {IPSEC_UNCLASSIFIED, "Unclassified"},
810 {IPSEC_RESERVED1, "Reserved 1" },
814 static const true_false_string ip_opt_sec_prot_auth_flag_tfs = {
815 "Datagram protected in accordance with its rules",
816 "Datagram not protected in accordance with its rules"
819 static const true_false_string ip_opt_sec_prot_auth_fti_tfs = {
820 "Additional octet present",
824 static const int *ip_opt_sec_prot_auth_fields_byte_1[] = {
825 &hf_ip_opt_sec_prot_auth_genser,
826 &hf_ip_opt_sec_prot_auth_siop_esi,
827 &hf_ip_opt_sec_prot_auth_sci,
828 &hf_ip_opt_sec_prot_auth_nsa,
829 &hf_ip_opt_sec_prot_auth_doe,
830 &hf_ip_opt_sec_prot_auth_unassigned,
831 &hf_ip_opt_sec_prot_auth_fti,
835 static const int *ip_opt_sec_prot_auth_fields_byte_n[] = {
836 &hf_ip_opt_sec_prot_auth_unassigned2,
837 &hf_ip_opt_sec_prot_auth_fti,
841 dissect_ipopt_security(const ip_tcp_opt *optp, tvbuff_t *tvb, int offset,
842 guint optlen, packet_info *pinfo, proto_tree *opt_tree,
845 proto_tree *field_tree;
849 guint curr_offset = offset;
851 field_tree = proto_tree_add_subtree_format(opt_tree, tvb, curr_offset, optlen, *optp->subtree_index, &tf,
852 "%s (%u bytes)", optp->name, optlen);
853 dissect_ipopt_type(tvb, curr_offset, field_tree, &IP_OPT_TYPES);
855 tf_sub = proto_tree_add_item(field_tree, hf_ip_opt_len, tvb, curr_offset, 1, ENC_NA);
856 if (optlen > IPOLEN_MAX)
857 expert_add_info(pinfo, tf_sub, &ei_ip_opt_len_invalid);
861 /* Analyze payload start to decide whether it should be dissected
862 according to RFC 791 or RFC 1108 */
863 val = tvb_get_ntohs(tvb, curr_offset);
864 if (try_val_to_str(val, secl_rfc791_vals)) {
865 /* Dissect as RFC 791 */
866 proto_tree_add_item(field_tree, hf_ip_opt_sec_rfc791_sec,
867 tvb, curr_offset, 2, ENC_BIG_ENDIAN);
869 proto_tree_add_item(field_tree, hf_ip_opt_sec_rfc791_comp,
870 tvb, curr_offset, 2, ENC_BIG_ENDIAN);
872 proto_tree_add_item(field_tree, hf_ip_opt_sec_rfc791_hr,
873 tvb, curr_offset, 2, ENC_ASCII|ENC_NA);
875 proto_tree_add_item(field_tree, hf_ip_opt_sec_rfc791_tcc,
876 tvb, curr_offset, 3, ENC_ASCII|ENC_NA);
881 /* Dissect as RFC 108 */
882 proto_tree_add_item(field_tree, hf_ip_opt_sec_cl, tvb, curr_offset, 1, ENC_BIG_ENDIAN);
884 if ((curr_offset - offset) >= optlen) {
887 val = tvb_get_guint8(tvb, curr_offset);
888 proto_tree_add_bitmask(field_tree, tvb, curr_offset, hf_ip_opt_sec_prot_auth_flags,
889 ett_ip_opt_sec_prot_auth_flags, ip_opt_sec_prot_auth_fields_byte_1,
893 if ((val & 0x01) && ((curr_offset - offset) == optlen)) {
894 expert_add_info(pinfo, tf_sub, &ei_ip_opt_sec_prot_auth_fti);
897 val = tvb_get_guint8(tvb, curr_offset);
898 proto_tree_add_bitmask(field_tree, tvb, curr_offset, hf_ip_opt_sec_prot_auth_flags,
899 ett_ip_opt_sec_prot_auth_flags, ip_opt_sec_prot_auth_fields_byte_n,
903 if ((curr_offset - offset) < optlen) {
904 expert_add_info(pinfo, tf, &ei_ip_extraneous_data);
909 dissect_ipopt_ext_security(const ip_tcp_opt *optp, tvbuff_t *tvb, int offset,
910 guint optlen, packet_info *pinfo, proto_tree *opt_tree,
913 proto_tree *field_tree;
915 guint curr_offset = offset;
918 field_tree = proto_tree_add_subtree_format(opt_tree, tvb, curr_offset, optlen,
919 *optp->subtree_index, NULL, "%s (%u bytes)", optp->name, optlen);
920 dissect_ipopt_type(tvb, curr_offset, field_tree, &IP_OPT_TYPES);
922 tf_sub = proto_tree_add_item(field_tree, hf_ip_opt_len, tvb, curr_offset, 1, ENC_NA);
923 if (optlen > IPOLEN_MAX)
924 expert_add_info(pinfo, tf_sub, &ei_ip_opt_len_invalid);
926 proto_tree_add_item(field_tree, hf_ip_opt_ext_sec_add_sec_info_format_code, tvb, curr_offset, 1, ENC_BIG_ENDIAN);
928 remaining = optlen - (curr_offset - offset);
930 proto_tree_add_item(field_tree, hf_ip_opt_ext_sec_add_sec_info, tvb, curr_offset, remaining, ENC_NA);
934 /* USHRT_MAX can hold at most 5 (base 10) digits (6 for the NULL byte) */
935 #define USHRT_MAX_STRLEN 6
937 /* Maximum CIPSO tag length:
938 * (IP hdr max)60 - (IPv4 hdr std)20 - (CIPSO base)6 = 34 */
939 #define CIPSO_TAG_LEN_MAX 34
941 /* The Commercial IP Security Option (CIPSO) is defined in IETF draft
942 * draft-ietf-cipso-ipsecurity-01.txt and FIPS 188, a copy of both documents
943 * can be found at the NetLabel project page, http://netlabel.sf.net or at
944 * http://tools.ietf.org/html/draft-ietf-cipso-ipsecurity-01 */
945 static const value_string cipso_tag_type_vals[] = {
947 {1, "Restrictive Category Bitmap"},
948 {2, "Enumerated Categories"},
949 {5, "Ranged Categories"},
950 {6, "Permissive Categories"},
957 dissect_ipopt_cipso(const ip_tcp_opt *optp, tvbuff_t *tvb, int offset,
958 guint optlen, packet_info *pinfo, proto_tree *opt_tree,
961 proto_tree *field_tree;
962 proto_item *tf, *tag_item;
963 guint tagtype, taglen;
964 int offset_max = offset + optlen;
966 field_tree = proto_tree_add_subtree_format(opt_tree, tvb, offset, optlen, *optp->subtree_index, &tf,
967 "%s (%u bytes)", optp->name, optlen);
968 dissect_ipopt_type(tvb, offset, field_tree, &IP_OPT_TYPES);
969 tf = proto_tree_add_item(field_tree, hf_ip_opt_len, tvb, offset + 1, 1, ENC_NA);
970 if (optlen > IPOLEN_MAX)
971 expert_add_info(pinfo, tf, &ei_ip_opt_len_invalid);
975 proto_tree_add_item(field_tree, hf_ip_cipso_doi, tvb, offset, 4, ENC_BIG_ENDIAN);
978 /* loop through all of the tags in the CIPSO option */
979 while (offset < offset_max) {
980 tagtype = tvb_get_guint8(tvb, offset);
981 tag_item = proto_tree_add_item(field_tree, hf_ip_cipso_tag_type, tvb, offset, 1, ENC_NA);
983 if ((offset + 1) < offset_max)
984 taglen = tvb_get_guint8(tvb, offset + 1);
990 /* padding - skip this tag */
994 /* restrictive bitmap, see CIPSO draft section 3.4.2 for tag format */
995 if ((taglen < 4) || (taglen > CIPSO_TAG_LEN_MAX) ||
996 ((offset + (int)taglen - 1) > offset_max)) {
997 expert_add_info(pinfo, tag_item, &ei_ip_cipso_tag);
1001 /* skip past alignment octet */
1004 proto_tree_add_item(field_tree, hf_ip_cipso_sensitivity_level, tvb, offset, 1, ENC_NA);
1009 guint byte_spot = 0;
1010 unsigned char bitmask;
1012 char *cat_str_tmp = (char *)wmem_alloc(wmem_packet_scope(), USHRT_MAX_STRLEN);
1014 const guint8 *val_ptr = tvb_get_ptr(tvb, offset, taglen - 4);
1016 /* this is just a guess regarding string size, but we grow it below
1019 cat_str = (char *)wmem_alloc0(wmem_packet_scope(), cat_str_len);
1021 /* we checked the length above so the highest category value
1022 * possible here is 240 */
1023 while (byte_spot < (taglen - 4)) {
1026 while (bit_spot < 8) {
1027 if (val_ptr[byte_spot] & bitmask) {
1028 g_snprintf(cat_str_tmp, USHRT_MAX_STRLEN, "%u",
1029 byte_spot * 8 + bit_spot);
1030 if (cat_str_len < (strlen(cat_str) + 2 + USHRT_MAX_STRLEN)) {
1033 while (cat_str_len < (strlen(cat_str) + 2 + USHRT_MAX_STRLEN))
1034 cat_str_len += cat_str_len;
1035 cat_str_new = (char *)wmem_alloc(wmem_packet_scope(), cat_str_len);
1036 g_strlcpy(cat_str_new, cat_str, cat_str_len);
1037 cat_str_new[cat_str_len - 1] = '\0';
1038 cat_str = cat_str_new;
1040 if (cat_str[0] != '\0')
1041 g_strlcat(cat_str, ",", cat_str_len);
1042 g_strlcat(cat_str, cat_str_tmp, cat_str_len);
1051 proto_tree_add_string(field_tree, hf_ip_cipso_categories, tvb, offset, taglen - 4, cat_str);
1053 proto_tree_add_string(field_tree, hf_ip_cipso_categories, tvb, offset, taglen - 4, "ERROR PARSING CATEGORIES");
1054 offset += taglen - 4;
1058 /* enumerated categories, see CIPSO draft section 3.4.3 for tag format */
1059 if ((taglen < 4) || (taglen > CIPSO_TAG_LEN_MAX) ||
1060 ((offset + (int)taglen - 1) > offset_max)) {
1061 expert_add_info(pinfo, tag_item, &ei_ip_cipso_tag);
1065 /* skip past alignment octet */
1068 /* sensitivity level */
1069 proto_tree_add_item(field_tree, hf_ip_cipso_sensitivity_level, tvb, offset, 1, ENC_NA);
1073 int offset_max_cat = offset + taglen - 4;
1074 char *cat_str = (char *)wmem_alloc0(wmem_packet_scope(), USHRT_MAX_STRLEN * 15);
1075 char *cat_str_tmp = (char *)wmem_alloc(wmem_packet_scope(), USHRT_MAX_STRLEN);
1077 while ((offset + 2) <= offset_max_cat) {
1078 g_snprintf(cat_str_tmp, USHRT_MAX_STRLEN, "%u",
1079 tvb_get_ntohs(tvb, offset));
1081 if (cat_str[0] != '\0')
1082 g_strlcat(cat_str, ",", USHRT_MAX_STRLEN * 15);
1083 g_strlcat(cat_str, cat_str_tmp, USHRT_MAX_STRLEN * 15);
1086 proto_tree_add_string(field_tree, hf_ip_cipso_categories, tvb, offset - taglen + 4, taglen - 4, cat_str);
1090 /* ranged categories, see CIPSO draft section 3.4.4 for tag format */
1091 if ((taglen < 4) || (taglen > CIPSO_TAG_LEN_MAX) ||
1092 ((offset + (int)taglen - 1) > offset_max)) {
1093 expert_add_info(pinfo, tag_item, &ei_ip_cipso_tag);
1097 /* skip past alignment octet */
1100 /* sensitivity level */
1101 proto_tree_add_item(field_tree, hf_ip_cipso_sensitivity_level, tvb, offset, 1, ENC_NA);
1105 guint16 cat_low, cat_high;
1106 int offset_max_cat = offset + taglen - 4;
1107 char *cat_str = (char *)wmem_alloc0(wmem_packet_scope(), USHRT_MAX_STRLEN * 16);
1108 char *cat_str_tmp = (char *)wmem_alloc(wmem_packet_scope(), USHRT_MAX_STRLEN * 2);
1110 while ((offset + 2) <= offset_max_cat) {
1111 cat_high = tvb_get_ntohs(tvb, offset);
1112 if ((offset + 4) <= offset_max_cat) {
1113 cat_low = tvb_get_ntohs(tvb, offset + 2);
1119 if (cat_low != cat_high)
1120 g_snprintf(cat_str_tmp, USHRT_MAX_STRLEN * 2, "%u-%u",
1123 g_snprintf(cat_str_tmp, USHRT_MAX_STRLEN * 2, "%u", cat_high);
1125 if (cat_str[0] != '\0')
1126 g_strlcat(cat_str, ",", USHRT_MAX_STRLEN * 16);
1127 g_strlcat(cat_str, cat_str_tmp, USHRT_MAX_STRLEN * 16);
1130 proto_tree_add_string(field_tree, hf_ip_cipso_categories, tvb, offset - taglen + 4, taglen - 4, cat_str);
1134 /* permissive categories, see FIPS 188 section 6.9 for tag format */
1135 if ((taglen < 4) || (taglen > CIPSO_TAG_LEN_MAX) ||
1136 ((offset + (int)taglen - 1) > offset_max)) {
1137 expert_add_info(pinfo, tag_item, &ei_ip_cipso_tag);
1141 proto_tree_add_item(field_tree, hf_ip_cipso_tag_data, tvb, offset + 2, taglen - 2, ENC_NA);
1145 /* free form, see FIPS 188 section 6.10 for tag format */
1146 if ((taglen < 2) || (taglen > CIPSO_TAG_LEN_MAX) ||
1147 ((offset + (int)taglen - 1) > offset_max)) {
1148 expert_add_info(pinfo, tag_item, &ei_ip_cipso_tag);
1152 proto_tree_add_item(field_tree, hf_ip_cipso_tag_data, tvb, offset + 2, taglen - 2, ENC_NA);
1156 /* unknown tag - stop parsing this IPv4 option */
1157 if ((offset + 1) <= offset_max) {
1158 taglen = tvb_get_guint8(tvb, offset + 1);
1159 proto_item_append_text(tag_item, " (%u bytes)", taglen);
1168 dissect_option_route(proto_tree *tree, tvbuff_t *tvb, int offset, int hf,
1169 int hf_host, gboolean next)
1174 route = tvb_get_ipv4(tvb, offset);
1176 proto_tree_add_ipv4_format_value(tree, hf, tvb, offset, 4, route,
1178 tvb_ip_to_str(tvb, offset));
1180 proto_tree_add_ipv4(tree, hf, tvb, offset, 4, route);
1181 ti = proto_tree_add_string(tree, hf_host, tvb, offset, 4, get_hostname(route));
1182 PROTO_ITEM_SET_GENERATED(ti);
1183 PROTO_ITEM_SET_HIDDEN(ti);
1187 dissect_ipopt_route(const ip_tcp_opt *optp, tvbuff_t *tvb, int offset,
1188 guint optlen, packet_info *pinfo, proto_tree *opt_tree,
1191 proto_tree *field_tree;
1196 field_tree = proto_tree_add_subtree_format(opt_tree, tvb, offset, optlen, *optp->subtree_index, NULL,
1197 "%s (%u bytes)", optp->name, optlen);
1198 dissect_ipopt_type(tvb, offset, field_tree, &IP_OPT_TYPES);
1199 tf = proto_tree_add_item(field_tree, hf_ip_opt_len, tvb, offset + 1, 1, ENC_NA);
1200 if (optlen > IPOLEN_MAX)
1201 expert_add_info(pinfo, tf, &ei_ip_opt_len_invalid);
1202 ptr = tvb_get_guint8(tvb, offset + 2);
1203 tf = proto_tree_add_item(field_tree, hf_ip_opt_ptr, tvb, offset + 2, 1, ENC_NA);
1204 if ((ptr < (optp->optlen + 1)) || (ptr & 3)) {
1205 if (ptr < (optp->optlen + 1)) {
1206 expert_add_info(pinfo, tf, &ei_ip_opt_ptr_before_address);
1209 expert_add_info(pinfo, tf, &ei_ip_opt_ptr_middle_address);
1215 optoffset = 3; /* skip past type, length and pointer */
1216 for (optlen -= 3; optlen > 0; optlen -= 4, optoffset += 4) {
1218 expert_add_info(pinfo, tf, &ei_ip_subopt_too_long);
1223 /* This is a recorded route */
1224 dissect_option_route(field_tree, tvb, offset + optoffset, hf_ip_rec_rt,
1225 hf_ip_rec_rt_host, FALSE);
1226 } else if (optoffset == (len - 4)) {
1227 /* This is the the destination */
1230 const char *dst_host;
1232 addr = tvb_get_ipv4(tvb, offset + optoffset);
1233 dst_host = get_hostname(addr);
1234 proto_tree_add_ipv4(field_tree, hf_ip_dst, tvb,
1235 offset + optoffset, 4, addr);
1236 item = proto_tree_add_ipv4(field_tree, hf_ip_addr, tvb,
1237 offset + optoffset, 4, addr);
1238 PROTO_ITEM_SET_HIDDEN(item);
1239 item = proto_tree_add_string(field_tree, hf_ip_dst_host, tvb,
1240 offset + optoffset, 4, dst_host);
1241 PROTO_ITEM_SET_GENERATED(item);
1242 PROTO_ITEM_SET_HIDDEN(item);
1243 item = proto_tree_add_string(field_tree, hf_ip_host, tvb,
1244 offset + optoffset, 4, dst_host);
1245 PROTO_ITEM_SET_GENERATED(item);
1246 PROTO_ITEM_SET_HIDDEN(item);
1247 } else if ((optoffset + 1) < ptr) {
1248 /* This is also a recorded route */
1249 dissect_option_route(field_tree, tvb, offset + optoffset, hf_ip_rec_rt,
1250 hf_ip_rec_rt_host, FALSE);
1251 } else if ((optoffset + 1) == ptr) {
1252 /* This is the next source route. TODO: Should we use separate hf's
1253 * for this, such as hf_ip_next_rt and hf_ip_next_rt_host and avoid
1254 * having to pass TRUE/FALSE to dissect_option_route()? */
1255 dissect_option_route(field_tree, tvb, offset + optoffset, hf_ip_src_rt,
1256 hf_ip_src_rt_host, TRUE);
1258 /* This must be a source route */
1259 dissect_option_route(field_tree, tvb, offset + optoffset, hf_ip_src_rt,
1260 hf_ip_src_rt_host, FALSE);
1266 dissect_ipopt_record_route(const ip_tcp_opt *optp, tvbuff_t *tvb, int offset,
1267 guint optlen, packet_info *pinfo,
1268 proto_tree *opt_tree, void * data _U_)
1270 proto_tree *field_tree;
1275 field_tree = proto_tree_add_subtree_format(opt_tree, tvb, offset, optlen, *optp->subtree_index, NULL,
1276 "%s (%u bytes)", optp->name, optlen);
1277 dissect_ipopt_type(tvb, offset, field_tree, &IP_OPT_TYPES);
1278 tf = proto_tree_add_item(field_tree, hf_ip_opt_len, tvb, offset + 1, 1, ENC_NA);
1279 if (optlen > IPOLEN_MAX)
1280 expert_add_info(pinfo, tf, &ei_ip_opt_len_invalid);
1281 ptr = tvb_get_guint8(tvb, offset + 2);
1282 tf = proto_tree_add_item(field_tree, hf_ip_opt_ptr, tvb, offset + 2, 1, ENC_NA);
1284 if ((ptr < (optp->optlen + 1)) || (ptr & 3)) {
1285 if (ptr < (optp->optlen + 1)) {
1286 expert_add_info(pinfo, tf, &ei_ip_opt_ptr_before_address);
1289 expert_add_info(pinfo, tf, &ei_ip_opt_ptr_middle_address);
1295 optoffset = 3; /* skip past type, length and pointer */
1296 for (optlen -= 3; optlen > 0; optlen -= 4, optoffset += 4) {
1298 expert_add_info(pinfo, tf, &ei_ip_subopt_too_long);
1303 /* The recorded route data area is full. */
1304 dissect_option_route(field_tree, tvb, offset + optoffset, hf_ip_rec_rt,
1305 hf_ip_rec_rt_host, FALSE);
1306 } else if ((optoffset + 1) < ptr) {
1307 /* This is a recorded route */
1308 dissect_option_route(field_tree, tvb, offset + optoffset, hf_ip_rec_rt,
1309 hf_ip_rec_rt_host, FALSE);
1310 } else if ((optoffset + 1) == ptr) {
1311 /* This is the next available slot. TODO: Should we use separate hf's
1312 * for this, such as hf_ip_next_rt and hf_ip_next_rt_host and avoid
1313 * having to pass TRUE/FALSE to dissect_option_route()? */
1314 dissect_option_route(field_tree, tvb, offset + optoffset, hf_ip_empty_rt,
1315 hf_ip_empty_rt_host, TRUE);
1317 /* This must be an available slot too. */
1318 dissect_option_route(field_tree, tvb, offset + optoffset, hf_ip_empty_rt,
1319 hf_ip_empty_rt_host, FALSE);
1324 /* Stream Identifier */
1326 dissect_ipopt_sid(const ip_tcp_opt *optp, tvbuff_t *tvb, int offset,
1327 guint optlen, packet_info *pinfo, proto_tree *opt_tree,
1330 proto_tree *field_tree;
1333 field_tree = proto_tree_add_subtree_format(opt_tree, tvb, offset, optlen, *optp->subtree_index, NULL,
1334 "%s (%u bytes): %u", optp->name, optlen, tvb_get_ntohs(tvb, offset + 2));
1335 dissect_ipopt_type(tvb, offset, field_tree, &IP_OPT_TYPES);
1336 tf = proto_tree_add_item(field_tree, hf_ip_opt_len, tvb, offset + 1, 1, ENC_NA);
1337 if (optlen != (guint)optp->optlen)
1338 expert_add_info(pinfo, tf, &ei_ip_opt_len_invalid);
1339 proto_tree_add_item(field_tree, hf_ip_opt_sid, tvb, offset + 2, 2, ENC_BIG_ENDIAN);
1342 /* RFC 1063: MTU Probe and MTU Reply */
1344 dissect_ipopt_mtu(const ip_tcp_opt *optp, tvbuff_t *tvb, int offset,
1345 guint optlen, packet_info *pinfo, proto_tree *opt_tree,
1348 proto_tree *field_tree;
1351 field_tree = proto_tree_add_subtree_format(opt_tree, tvb, offset, optlen, *optp->subtree_index, NULL,
1352 "%s (%u bytes): %u", optp->name, optlen, tvb_get_ntohs(tvb, offset + 2));
1353 dissect_ipopt_type(tvb, offset, field_tree, &IP_OPT_TYPES);
1354 tf = proto_tree_add_item(field_tree, hf_ip_opt_len, tvb, offset + 1, 1, ENC_NA);
1355 if (optlen != (guint)optp->optlen)
1356 expert_add_info(pinfo, tf, &ei_ip_opt_len_invalid);
1357 proto_tree_add_item(field_tree, hf_ip_opt_mtu, tvb, offset + 2, 2, ENC_BIG_ENDIAN);
1360 /* RFC 1393: Traceroute */
1362 dissect_ipopt_tr(const ip_tcp_opt *optp, tvbuff_t *tvb, int offset,
1363 guint optlen, packet_info *pinfo, proto_tree *opt_tree,
1366 proto_tree *field_tree;
1369 field_tree = proto_tree_add_subtree_format(opt_tree, tvb, offset, optlen, *optp->subtree_index, NULL,
1370 "%s (%u bytes)", optp->name, optlen);
1371 dissect_ipopt_type(tvb, offset, field_tree, &IP_OPT_TYPES);
1372 tf = proto_tree_add_item(field_tree, hf_ip_opt_len, tvb, offset + 1, 1, ENC_NA);
1373 if (optlen != (guint)optp->optlen)
1374 expert_add_info(pinfo, tf, &ei_ip_opt_len_invalid);
1376 proto_tree_add_item(field_tree, hf_ip_opt_id_number, tvb, offset + 2, 2, ENC_BIG_ENDIAN);
1377 proto_tree_add_item(field_tree, hf_ip_opt_ohc, tvb, offset + 4, 2, ENC_BIG_ENDIAN);
1378 proto_tree_add_item(field_tree, hf_ip_opt_rhc, tvb, offset + 6, 2, ENC_BIG_ENDIAN);
1379 proto_tree_add_item(field_tree, hf_ip_opt_originator, tvb, offset + 8, 4, ENC_BIG_ENDIAN);
1382 static const value_string ipopt_timestamp_flag_vals[] = {
1383 {IPOPT_TS_TSONLY, "Time stamps only" },
1384 {IPOPT_TS_TSANDADDR, "Time stamp and address" },
1385 {IPOPT_TS_PRESPEC, "Time stamps for prespecified addresses"},
1389 dissect_ipopt_timestamp(const ip_tcp_opt *optp, tvbuff_t *tvb,
1390 int offset, guint optlen, packet_info *pinfo,
1391 proto_tree *opt_tree, void * data _U_)
1393 proto_tree *field_tree;
1400 field_tree = proto_tree_add_subtree_format(opt_tree, tvb, offset, optlen, *optp->subtree_index, NULL,
1401 "%s (%u bytes)", optp->name, optlen);
1402 dissect_ipopt_type(tvb, offset, field_tree, &IP_OPT_TYPES);
1403 tf = proto_tree_add_item(field_tree, hf_ip_opt_len, tvb, offset + 1, 1, ENC_NA);
1404 if (optlen > IPOLEN_MAX)
1405 expert_add_info(pinfo, tf, &ei_ip_opt_len_invalid);
1406 optoffset += 2; /* skip past type and length */
1407 optlen -= 2; /* subtract size of type and length */
1409 ptr = tvb_get_guint8(tvb, offset + optoffset);
1410 proto_tree_add_uint_format_value(field_tree, hf_ip_opt_ptr, tvb, offset + optoffset, 1, ptr, "%d%s",
1411 ptr, ((ptr == 1) ? " (header is full)" :
1412 (ptr < 5) ? " (points before first address)" :
1413 (((ptr - 1) & 3) ? " (points to middle of field)" : "")));
1416 ptr--; /* ptr is 1-origin */
1418 flg = tvb_get_guint8(tvb, offset + optoffset);
1419 proto_tree_add_item(field_tree, hf_ip_opt_overflow, tvb, offset + optoffset, 1, ENC_NA);
1421 proto_tree_add_item(field_tree, hf_ip_opt_flag, tvb, offset + optoffset, 1, ENC_NA);
1425 while (optlen > 0) {
1426 if (flg == IPOPT_TS_TSANDADDR || flg == IPOPT_TS_PRESPEC) {
1428 proto_tree_add_expert(field_tree, pinfo, &ei_ip_subopt_too_long, tvb, offset + optoffset, optlen);
1431 addr = tvb_get_ipv4(tvb, offset + optoffset);
1432 proto_tree_add_ipv4_format_value(field_tree, hf_ip_opt_time_stamp_addr, tvb, offset + optoffset, 4, addr,
1433 "%s", ((addr == 0) ? "-" : get_hostname(addr)));
1437 proto_tree_add_item(field_tree, hf_ip_opt_time_stamp, tvb, offset + optoffset, 4, ENC_BIG_ENDIAN);
1442 proto_tree_add_expert(field_tree, pinfo, &ei_ip_subopt_too_long, tvb, offset + optoffset, optlen);
1445 proto_tree_add_item(field_tree, hf_ip_opt_time_stamp, tvb, offset + optoffset, 4, ENC_BIG_ENDIAN);
1453 static const range_string ra_rvals[] = {
1454 {0, 0, "Router shall examine packet"},
1455 {1, 65535, "Reserved"},
1460 dissect_ipopt_ra(const ip_tcp_opt *optp, tvbuff_t *tvb, int offset,
1461 guint optlen, packet_info *pinfo, proto_tree *opt_tree,
1464 /* Router-Alert, as defined by RFC2113 */
1465 proto_tree *field_tree;
1467 guint16 value = tvb_get_ntohs(tvb, offset + 2);
1469 field_tree = proto_tree_add_subtree_format(opt_tree, tvb, offset, optlen,
1470 *optp->subtree_index, NULL, "%s (%u bytes): %s (%u)", optp->name, optlen,
1471 rval_to_str(value, ra_rvals, "Unknown (%u)"),
1473 dissect_ipopt_type(tvb, offset, field_tree, &IP_OPT_TYPES);
1474 tf = proto_tree_add_item(field_tree, hf_ip_opt_len, tvb, offset + 1, 1, ENC_NA);
1475 if (optlen != (guint)optp->optlen)
1476 expert_add_info(pinfo, tf, &ei_ip_opt_len_invalid);
1477 proto_tree_add_item(field_tree, hf_ip_opt_ra, tvb, offset + 2, 2, ENC_BIG_ENDIAN);
1480 /* RFC 1770: Selective Directed Broadcast */
1482 dissect_ipopt_sdb(const ip_tcp_opt *optp, tvbuff_t *tvb, int offset,
1483 guint optlen, packet_info *pinfo, proto_tree *opt_tree,
1486 proto_tree *field_tree;
1489 field_tree = proto_tree_add_subtree_format(opt_tree, tvb, offset, optlen, *optp->subtree_index, NULL,
1490 "%s (%u bytes)", optp->name, optlen);
1491 dissect_ipopt_type(tvb, offset, field_tree, &IP_OPT_TYPES);
1492 tf = proto_tree_add_item(field_tree, hf_ip_opt_len, tvb, offset + 1, 1, ENC_NA);
1493 if (optlen > IPOLEN_MAX)
1494 expert_add_info(pinfo, tf, &ei_ip_opt_len_invalid);
1495 for (offset += 2, optlen -= 2; optlen >= 4; offset += 4, optlen -= 4)
1496 proto_tree_add_item(field_tree, hf_ip_opt_addr, tvb, offset, 4, ENC_BIG_ENDIAN);
1499 proto_tree_add_item(field_tree, hf_ip_opt_padding, tvb, offset, optlen, ENC_NA);
1502 const value_string qs_func_vals[] = {
1503 {QS_RATE_REQUEST, "Rate request"},
1504 {QS_RATE_REPORT, "Rate report"},
1508 static const value_string qs_rate_vals[] = {
1514 { 5, "1.28 Mbit/s"},
1515 { 6, "2.56 Mbit/s"},
1516 { 7, "5.12 Mbit/s"},
1517 { 8, "10.24 Mbit/s"},
1518 { 9, "20.48 Mbit/s"},
1519 {10, "40.96 Mbit/s"},
1520 {11, "81.92 Mbit/s"},
1521 {12, "163.84 Mbit/s"},
1522 {13, "327.68 Mbit/s"},
1523 {14, "655.36 Mbit/s"},
1524 {15, "1.31072 Gbit/s"},
1527 value_string_ext qs_rate_vals_ext = VALUE_STRING_EXT_INIT(qs_rate_vals);
1530 dissect_ipopt_qs(const ip_tcp_opt *optp, tvbuff_t *tvb, int offset,
1531 guint optlen, packet_info *pinfo, proto_tree *opt_tree,
1534 proto_tree *field_tree;
1537 ws_ip *iph = (ws_ip*)data;
1539 guint8 command = tvb_get_guint8(tvb, offset + 2);
1540 guint8 function = command >> 4;
1541 guint8 rate = command & QS_RATE_MASK;
1544 field_tree = proto_tree_add_subtree_format(opt_tree, tvb, offset, optlen,
1545 *optp->subtree_index, NULL, "%s (%u bytes): %s (%u)", optp->name, optlen,
1546 val_to_str(function, qs_func_vals, "Unknown (%u)"),
1549 dissect_ipopt_type(tvb, offset, field_tree, &IP_OPT_TYPES);
1550 tf = proto_tree_add_item(field_tree, hf_ip_opt_len, tvb, offset + 1, 1, ENC_NA);
1551 if (optlen != (guint)optp->optlen)
1552 expert_add_info(pinfo, tf, &ei_ip_opt_len_invalid);
1553 proto_tree_add_item(field_tree, hf_ip_opt_qs_func, tvb, offset + 2, 1, ENC_NA);
1555 if (function == QS_RATE_REQUEST) {
1556 proto_tree_add_item(field_tree, hf_ip_opt_qs_rate, tvb, offset + 2, 1, ENC_NA);
1557 proto_tree_add_item(field_tree, hf_ip_opt_qs_ttl, tvb, offset + 3, 1, ENC_NA);
1558 ttl_diff = (iph->ip_ttl - tvb_get_guint8(tvb, offset + 3) % 256);
1559 ti = proto_tree_add_uint_format_value(field_tree, hf_ip_opt_qs_ttl_diff,
1560 tvb, offset + 3, 1, ttl_diff,
1562 PROTO_ITEM_SET_GENERATED(ti);
1563 proto_item_append_text(tf, ", %s, QS TTL %u, QS TTL diff %u",
1564 val_to_str_ext(rate, &qs_rate_vals_ext, "Unknown (%u)"),
1565 tvb_get_guint8(tvb, offset + 3), ttl_diff);
1566 proto_tree_add_item(field_tree, hf_ip_opt_qs_nonce, tvb, offset + 4, 4, ENC_BIG_ENDIAN);
1567 proto_tree_add_item(field_tree, hf_ip_opt_qs_reserved, tvb, offset + 4, 4, ENC_BIG_ENDIAN);
1568 } else if (function == QS_RATE_REPORT) {
1569 proto_tree_add_item(field_tree, hf_ip_opt_qs_rate, tvb, offset + 2, 1, ENC_NA);
1570 proto_item_append_text(tf, ", %s",
1571 val_to_str_ext(rate, &qs_rate_vals_ext, "Unknown (%u)"));
1572 proto_tree_add_item(field_tree, hf_ip_opt_qs_unused, tvb, offset + 3, 1, ENC_NA);
1573 proto_tree_add_item(field_tree, hf_ip_opt_qs_nonce, tvb, offset + 4, 4, ENC_BIG_ENDIAN);
1574 proto_tree_add_item(field_tree, hf_ip_opt_qs_reserved, tvb, offset + 4, 4, ENC_BIG_ENDIAN);
1578 static const ip_tcp_opt ipopts[] = {
1579 {IPOPT_EOOL, "End of Options List (EOL)", &ett_ip_option_eool,
1580 OPT_LEN_NO_LENGTH, 0, dissect_ipopt_eool},
1581 {IPOPT_NOP, "No Operation (NOP)", &ett_ip_option_nop,
1582 OPT_LEN_NO_LENGTH, 0, dissect_ipopt_nop},
1583 {IPOPT_SEC, "Security", &ett_ip_option_sec,
1584 OPT_LEN_VARIABLE_LENGTH, IPOLEN_SEC_MIN, dissect_ipopt_security},
1585 {IPOPT_LSR, "Loose Source Route", &ett_ip_option_route,
1586 OPT_LEN_VARIABLE_LENGTH, IPOLEN_LSR_MIN, dissect_ipopt_route},
1587 {IPOPT_TS, "Time Stamp", &ett_ip_option_timestamp,
1588 OPT_LEN_VARIABLE_LENGTH, IPOLEN_TS_MIN, dissect_ipopt_timestamp},
1589 {IPOPT_ESEC, "Extended Security", &ett_ip_option_ext_security,
1590 OPT_LEN_VARIABLE_LENGTH, IPOLEN_ESEC_MIN, dissect_ipopt_ext_security},
1591 {IPOPT_CIPSO, "Commercial Security", &ett_ip_option_cipso,
1592 OPT_LEN_VARIABLE_LENGTH, IPOLEN_CIPSO_MIN, dissect_ipopt_cipso},
1593 {IPOPT_RR, "Record Route", &ett_ip_option_route,
1594 OPT_LEN_VARIABLE_LENGTH, IPOLEN_RR_MIN, dissect_ipopt_record_route},
1595 {IPOPT_SID, "Stream ID", &ett_ip_option_sid,
1596 OPT_LEN_FIXED_LENGTH, IPOLEN_SID, dissect_ipopt_sid},
1597 {IPOPT_SSR, "Strict Source Route", &ett_ip_option_route,
1598 OPT_LEN_VARIABLE_LENGTH, IPOLEN_SSR_MIN, dissect_ipopt_route},
1600 {IPOPT_ZSU, "Experimental Measurement", &ett_ip_option_zsu,
1601 OPT_LEN_VARIABLE_LENGTH /* ? */, IPOLEN_ZSU_MIN, dissect_ipopt_zsu},
1603 {IPOPT_MTUP, "MTU Probe", &ett_ip_option_mtu,
1604 OPT_LEN_FIXED_LENGTH, IPOLEN_MTU, dissect_ipopt_mtu},
1605 {IPOPT_MTUR, "MTU Reply", &ett_ip_option_mtu,
1606 OPT_LEN_FIXED_LENGTH, IPOLEN_MTU, dissect_ipopt_mtu},
1608 {IPOPT_FINN, "Experimental Flow Control", &ett_ip_option_finn,
1609 OPT_LEN_VARIABLE_LENGTH /* ? */, IPOLEN_FINN_MIN, dissect_ipopt_finn},
1610 {IPOPT_VISA, "Experimental Access Control", &ett_ip_option_visa,
1611 OPT_LEN_VARIABLE_LENGTH /* ? */, IPOLEN_VISA_MIN, dissect_ipopt_visa},
1612 {IPOPT_ENCODE, "???", &ett_ip_option_encode,
1613 OPT_LEN_VARIABLE_LENGTH /* ? */, IPOLEN_ENCODE_MIN, dissect_ipopt_encode},
1614 {IPOPT_IMITD, "IMI Traffic Descriptor", &ett_ip_option_imitd,
1615 OPT_LEN_VARIABLE_LENGTH /* ? */, IPOLEN_IMITD_MIN, dissect_ipopt_imitd},
1616 {IPOPT_EIP, "Extended Internet Protocol", &ett_ip_option_eip,
1617 OPT_LEN_VARIABLE_LENGTH /* ? */, IPOLEN_EIP_MIN, dissect_ipopt_eip},
1619 {IPOPT_TR, "Traceroute", &ett_ip_option_tr,
1620 OPT_LEN_FIXED_LENGTH, IPOLEN_TR, dissect_ipopt_tr},
1622 {IPOPT_ADDEXT, "Address Extension", &ett_ip_option_addext,
1623 OPT_LEN_VARIABLE_LENGTH /* ? */, IPOLEN_ADDEXT_MIN, dissect_ipopt_addext},
1625 {IPOPT_RTRALT, "Router Alert", &ett_ip_option_ra,
1626 OPT_LEN_FIXED_LENGTH, IPOLEN_RA, dissect_ipopt_ra},
1627 {IPOPT_SDB, "Selective Directed Broadcast", &ett_ip_option_sdb,
1628 OPT_LEN_VARIABLE_LENGTH, IPOLEN_SDB_MIN, dissect_ipopt_sdb},
1630 {IPOPT_UN, "Unassigned", &ett_ip_option_un,
1631 OPT_LEN_VARIABLE_LENGTH /* ? */, IPOLEN_UN_MIN, dissect_ipopt_un},
1632 {IPOPT_DPS, "Dynamic Packet State", &ett_ip_option_dps,
1633 OPT_LEN_VARIABLE_LENGTH /* ? */, IPOLEN_DPS_MIN, dissect_ipopt_dps},
1634 {IPOPT_UMP, "Upstream Multicast Pkt.", &ett_ip_option_ump,
1635 OPT_LEN_VARIABLE_LENGTH /* ? */, IPOLEN_UMP_MIN, dissect_ipopt_ump},
1637 {IPOPT_QS, "Quick-Start", &ett_ip_option_qs,
1638 OPT_LEN_FIXED_LENGTH, IPOLEN_QS, dissect_ipopt_qs}
1640 {IPOPT_EXP, "RFC3692-style Experiment", &ett_ip_option_exp,
1641 OPT_LEN_VARIABLE_LENGTH /* ? */, IPOLEN_EXP_MIN, dissect_ipopt_exp}
1645 #define N_IP_OPTS array_length(ipopts)
1647 /* Dissect the IP, TCP or various PPP protocols (IPCP, CP, LCP, VSNCP, BAP)
1648 * options in a packet. */
1650 dissect_ip_tcp_options(tvbuff_t *tvb, int offset, guint length,
1651 const ip_tcp_opt *opttab, int nopts, int eol,
1652 ip_tcp_opt_type* opttypes, expert_field* ei_bad,
1653 packet_info *pinfo, proto_tree *opt_tree,
1654 proto_item *opt_item, void * data)
1657 const ip_tcp_opt *optp;
1658 opt_len_type len_type;
1659 unsigned int optlen;
1661 void (*dissect)(const struct ip_tcp_opt *, tvbuff_t *,
1662 int, guint, packet_info *, proto_tree *,
1664 guint len, nop_count = 0;
1666 while (length > 0) {
1667 opt = tvb_get_guint8(tvb, offset);
1668 for (optp = &opttab[0]; optp < &opttab[nopts]; optp++) {
1669 if (optp->optcode == opt)
1672 if (optp == &opttab[nopts]) {
1673 /* We assume that the only OPT_LEN_NO_LENGTH options are EOL and NOP options,
1674 so that we can treat unknown options as OPT_LEN_VARIABLE_LENGTH with a
1675 minimum of 2, and at least be able to move on to the next option
1676 by using the length in the option. */
1677 optp = NULL; /* indicate that we don't know this option */
1678 len_type = OPT_LEN_VARIABLE_LENGTH;
1680 name = wmem_strdup_printf(wmem_packet_scope(), "Unknown (0x%02x)", opt);
1684 len_type = optp->len_type;
1685 optlen = optp->optlen;
1687 dissect = optp->dissect;
1688 if (opt_item && len_type == OPT_LEN_NO_LENGTH && optlen == 0 && opt == 1 &&
1689 (nop_count == 0 || offset % 4)) { /* opt 1 = NOP in both IP and TCP */
1690 /* Count number of NOP in a row within a uint32 */
1696 --length; /* account for type byte */
1697 if (len_type != OPT_LEN_NO_LENGTH) {
1698 /* Option has a length. Is it in the packet? */
1700 /* Bogus - packet must at least include option code byte and
1702 proto_tree_add_expert_format(opt_tree, pinfo, ei_bad, tvb, offset, 1,
1703 "%s (length byte past end of options)", name);
1706 len = tvb_get_guint8(tvb, offset + 1); /* total including type, len */
1707 --length; /* account for length byte */
1709 /* Bogus - option length is too short to include option code and
1711 proto_tree_add_expert_format(opt_tree, pinfo, ei_bad, tvb, offset, 2,
1712 "%s (with too-short option length = %u byte%s)",
1713 name, len, plurality(len, "", "s"));
1715 } else if (len - 2 > length) {
1716 /* Bogus - option goes past the end of the header. */
1717 proto_tree_add_expert_format(opt_tree, pinfo, ei_bad, tvb, offset, length,
1718 "%s (option length = %u byte%s says option goes past end of options)",
1719 name, len, plurality(len, "", "s"));
1721 } else if (len_type == OPT_LEN_FIXED_LENGTH && len != optlen) {
1722 /* Bogus - option length isn't what it's supposed to be for this
1724 proto_tree_add_expert_format(opt_tree, pinfo, ei_bad, tvb, offset, len,
1725 "%s (with option length = %u byte%s; should be %u)",
1726 name, len, plurality(len, "", "s"), optlen);
1728 } else if (len_type == OPT_LEN_VARIABLE_LENGTH && len < optlen) {
1729 /* Bogus - option length is less than what it's supposed to be for
1731 proto_tree_add_expert_format(opt_tree, pinfo, ei_bad, tvb, offset, len,
1732 "%s (with option length = %u byte%s; should be >= %u)",
1733 name, len, plurality(len, "", "s"), optlen);
1737 proto_tree_add_subtree_format(opt_tree, tvb, offset, len, ett_unknown_ip_tcp_opt, NULL, "%s (%u byte%s)",
1738 name, len, plurality(len, "", "s"));
1740 if (dissect != NULL) {
1741 /* Option has a dissector. */
1742 proto_item_append_text(proto_tree_get_parent(opt_tree), ", %s",
1744 (*dissect)(optp, tvb, offset, len, pinfo, opt_tree, data);
1746 proto_tree *field_tree;
1748 /* Option has no data, hence no dissector. */
1749 proto_item_append_text(proto_tree_get_parent(opt_tree), ", %s",
1751 field_tree = proto_tree_add_subtree(opt_tree, tvb, offset, len, ett_ip_option_other, NULL, name);
1752 dissect_ipopt_type(tvb, offset, field_tree, opttypes);
1755 len -= 2; /* subtract size of type and length */
1760 if (dissect != NULL) {
1761 proto_item_append_text(proto_tree_get_parent(opt_tree), ", %s",
1763 (*dissect)(optp, tvb, offset, 1, pinfo, opt_tree, data);
1765 proto_tree *field_tree;
1767 /* Option has no data, hence no dissector. */
1768 proto_item_append_text(proto_tree_get_parent(opt_tree), ", %s", name);
1769 field_tree = proto_tree_add_subtree(opt_tree, tvb, offset, 1, ett_ip_option_other, NULL, name);
1770 dissect_ipopt_type(tvb, offset, field_tree, opttypes);
1774 if (nop_count == 4 && strcmp (name, "No-Operation (NOP)") == 0) {
1775 expert_add_info(pinfo, opt_item, &ei_ip_nop);
1783 /* This function searches the IP options for either a loose or strict source
1784 * route option, then returns the offset to the destination address if the
1785 * pointer is still valid or zero if the pointer is greater than the length.
1787 * The guts of this function was taken from dissect_ip_tcp_options().
1790 get_dst_offset(tvbuff_t *tvb, int offset, guint length,
1791 const ip_tcp_opt *opttab, int nopts, int eol)
1794 const ip_tcp_opt *optp;
1795 opt_len_type len_type;
1796 unsigned int optlen;
1798 int orig_offset = offset;
1800 while (length > 0) {
1801 opt = tvb_get_guint8(tvb, offset);
1802 for (optp = &opttab[0]; optp < &opttab[nopts]; optp++) {
1803 if (optp->optcode == opt)
1806 if (optp == &opttab[nopts]) {
1807 /* We assume that the only NO_LENGTH options are EOL and NOP options,
1808 so that we can treat unknown options as VARIABLE_LENGTH with a
1809 minimum of 2, and at least be able to move on to the next option
1810 by using the length in the option. */
1811 optp = NULL; /* indicate that we don't know this option */
1812 len_type = OPT_LEN_VARIABLE_LENGTH;
1815 len_type = optp->len_type;
1816 optlen = optp->optlen;
1818 --length; /* account for type byte */
1819 if (len_type != OPT_LEN_NO_LENGTH) {
1820 /* Option has a length. Is it in the packet? */
1822 /* Bogus - packet must at least include option code byte and
1826 len = tvb_get_guint8(tvb, offset + 1); /* total including type, len */
1827 --length; /* account for length byte */
1829 /* Bogus - option length is too short to include option code and
1832 } else if (len - 2 > length) {
1833 /* Bogus - option goes past the end of the header. */
1835 } else if (len_type == OPT_LEN_FIXED_LENGTH && len != optlen) {
1836 /* Bogus - option length isn't what it's supposed to be for this
1839 } else if (len_type == OPT_LEN_VARIABLE_LENGTH && len < optlen) {
1840 /* Bogus - option length is less than what it's supposed to be for
1845 if (opt == IPOPT_SSR || opt == IPOPT_LSR) {
1846 /* Hmm, what if you have both options? */
1849 ptr = tvb_get_guint8(tvb, offset + 2);
1850 if (ptr < 4 || (ptr & 3) || (ptr > len)) {
1853 return (offset - orig_offset) + 4 + (len - 4);
1856 len -= 2; /* subtract size of type and length */
1869 /* Returns the valid ttl for the group address */
1871 local_network_control_block_addr_valid_ttl(guint32 addr)
1873 /* An exception list, as some protocols seem to insist on
1874 * doing differently:
1877 /* IETF's VRRP (rfc3768) */
1878 if (IPLOCAL_NETWRK_CTRL_BLK_VRRP_ADDR == addr)
1879 return IPLOCAL_NETWRK_CTRL_BLK_VRRP_TTL;
1881 if (IPLOCAL_NETWRK_CTRL_BLK_GLPB_ADDR == addr)
1882 return IPLOCAL_NETWRK_CTRL_BLK_GLPB_TTL;
1883 /* mDNS (draft-cheshire-dnsext-multicastdns-07) */
1884 if (IPLOCAL_NETWRK_CTRL_BLK_MDNS_ADDR == addr)
1885 return IPLOCAL_NETWRK_CTRL_BLK_MDNS_TTL;
1886 /* LLMNR (rfc4795) */
1887 if (IPLOCAL_NETWRK_CTRL_BLK_LLMNR_ADDR == addr)
1888 return IPLOCAL_NETWRK_CTRL_BLK_ANY_TTL;
1889 return IPLOCAL_NETWRK_CTRL_BLK_DEFAULT_TTL;
1892 static const value_string dscp_vals[] = {
1893 { IPDSFIELD_DSCP_DEFAULT, "Default" },
1894 { IPDSFIELD_DSCP_CS1, "Class Selector 1" },
1895 { IPDSFIELD_DSCP_AF11, "Assured Forwarding 11" },
1896 { IPDSFIELD_DSCP_AF12, "Assured Forwarding 12" },
1897 { IPDSFIELD_DSCP_AF13, "Assured Forwarding 13" },
1898 { IPDSFIELD_DSCP_CS2, "Class Selector 2" },
1899 { IPDSFIELD_DSCP_AF21, "Assured Forwarding 21" },
1900 { IPDSFIELD_DSCP_AF22, "Assured Forwarding 22" },
1901 { IPDSFIELD_DSCP_AF23, "Assured Forwarding 23" },
1902 { IPDSFIELD_DSCP_CS3, "Class Selector 3" },
1903 { IPDSFIELD_DSCP_AF31, "Assured Forwarding 31" },
1904 { IPDSFIELD_DSCP_AF32, "Assured Forwarding 32" },
1905 { IPDSFIELD_DSCP_AF33, "Assured Forwarding 33" },
1906 { IPDSFIELD_DSCP_CS4, "Class Selector 4" },
1907 { IPDSFIELD_DSCP_AF41, "Assured Forwarding 41" },
1908 { IPDSFIELD_DSCP_AF42, "Assured Forwarding 42" },
1909 { IPDSFIELD_DSCP_AF43, "Assured Forwarding 43" },
1910 { IPDSFIELD_DSCP_CS5, "Class Selector 5" },
1911 { IPDSFIELD_DSCP_EF, "Expedited Forwarding" },
1912 { IPDSFIELD_DSCP_CS6, "Class Selector 6" },
1913 { IPDSFIELD_DSCP_CS7, "Class Selector 7" },
1915 value_string_ext dscp_vals_ext = VALUE_STRING_EXT_INIT(dscp_vals);
1917 const value_string ecn_vals[] = {
1918 { IPDSFIELD_ECT_NOT, "Not-ECT (Not ECN-Capable Transport)" },
1919 { IPDSFIELD_ECT_1, "ECT(1) (ECN-Capable Transport)" },
1920 { IPDSFIELD_ECT_0, "ECT(0) (ECN-Capable Transport)" },
1921 { IPDSFIELD_CE, "CE (Congestion Experienced)" },
1924 static const value_string precedence_vals[] = {
1925 { IPTOS_PREC_ROUTINE, "routine" },
1926 { IPTOS_PREC_PRIORITY, "priority" },
1927 { IPTOS_PREC_IMMEDIATE, "immediate" },
1928 { IPTOS_PREC_FLASH, "flash" },
1929 { IPTOS_PREC_FLASHOVERRIDE, "flash override" },
1930 { IPTOS_PREC_CRITIC_ECP, "CRITIC/ECP" },
1931 { IPTOS_PREC_INTERNETCONTROL, "internetwork control" },
1932 { IPTOS_PREC_NETCONTROL, "network control" },
1935 static const value_string iptos_vals[] = {
1936 { IPTOS_NONE, "None" },
1937 { IPTOS_LOWCOST, "Minimize cost" },
1938 { IPTOS_RELIABILITY, "Maximize reliability" },
1939 { IPTOS_THROUGHPUT, "Maximize throughput" },
1940 { IPTOS_LOWDELAY, "Minimize delay" },
1941 { IPTOS_SECURITY, "Maximize security" },
1945 static const true_false_string tos_set_low = {
1950 static const true_false_string tos_set_high = {
1955 static const true_false_string flags_sf_set_evil = {
1961 ip_try_dissect(gboolean heur_first, tvbuff_t *tvb, packet_info *pinfo,
1962 proto_tree *tree, ws_ip *iph)
1964 heur_dtbl_entry_t *hdtbl_entry;
1966 if ((heur_first) && (dissector_try_heuristic(heur_subdissector_list, tvb,
1967 pinfo, tree, &hdtbl_entry, iph))) {
1971 if (dissector_try_uint_new(ip_dissector_table, iph->ip_p, tvb, pinfo,
1976 if ((!heur_first) && (!dissector_try_heuristic(heur_subdissector_list, tvb,
1977 pinfo, tree, &hdtbl_entry,
1986 dissect_ip(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree)
1988 proto_tree *ip_tree, *field_tree = NULL;
1989 proto_item *ti, *tf;
1991 int offset = 0, dst_off;
1995 guint16 expected_cksum;
1996 fragment_head *ipfd_head = NULL;
1998 gboolean update_col_info = TRUE;
1999 gboolean save_fragmented;
2001 guint32 src32, dst32;
2003 proto_item *item = NULL, *ttl_item;
2004 proto_tree *checksum_tree;
2008 iph = (ws_ip *)wmem_alloc(wmem_packet_scope(), sizeof(ws_ip));
2010 col_set_str(pinfo->cinfo, COL_PROTOCOL, "IPv4");
2011 col_clear(pinfo->cinfo, COL_INFO);
2013 iph->ip_v_hl = tvb_get_guint8(tvb, offset);
2014 if ( hi_nibble(iph->ip_v_hl) == 6) {
2015 call_dissector(ipv6_handle, tvb, pinfo, parent_tree);
2019 hlen = lo_nibble(iph->ip_v_hl) * 4; /* IP header length, in bytes */
2021 ti = proto_tree_add_item(tree, proto_ip, tvb, offset, hlen, ENC_NA);
2022 ip_tree = proto_item_add_subtree(ti, ett_ip);
2024 proto_tree_add_item(ip_tree, hf_ip_version, tvb, offset, 1, ENC_NA);
2026 /* if IP is not referenced from any filters we don't need to worry about
2027 generating any tree items. We must do this after we created the actual
2028 protocol above so that proto hier stat still works though.
2029 XXX: Note that because of the following optimization expert items must
2030 not be generated inside of an 'if (tree) ...'
2031 so that Analyze ! Expert ... will work.
2033 if (!proto_field_is_referenced(parent_tree, proto_ip)) {
2037 if (hlen < IPH_MIN_LEN) {
2038 col_add_fstr(pinfo->cinfo, COL_INFO,
2039 "Bogus IP header length (%u, must be at least %u)",
2042 proto_tree_add_uint_format_value(ip_tree, hf_ip_hdr_len, tvb, offset, 1, hlen,
2043 "%u bytes (bogus, must be at least %u)", hlen, IPH_MIN_LEN);
2047 proto_tree_add_uint_format_value(ip_tree, hf_ip_hdr_len, tvb, offset, 1, hlen/4,
2050 iph->ip_tos = tvb_get_guint8(tvb, offset + 1);
2051 if (g_ip_dscp_actif) {
2052 col_add_fstr(pinfo->cinfo, COL_DSCP_VALUE, "%u",
2053 IPDSFIELD_DSCP(iph->ip_tos));
2057 if (g_ip_dscp_actif) {
2058 tf = proto_tree_add_uint_format_value(ip_tree, hf_ip_dsfield, tvb, offset + 1,
2059 1, iph->ip_tos, "0x%02x (DSCP 0x%02x: %s; ECN: 0x%02x: %s)", iph->ip_tos,
2060 IPDSFIELD_DSCP(iph->ip_tos), val_to_str_ext_const(IPDSFIELD_DSCP(iph->ip_tos),
2061 &dscp_vals_ext, "Unknown DSCP"),
2062 IPDSFIELD_ECN(iph->ip_tos), val_to_str_const(IPDSFIELD_ECN(iph->ip_tos),
2063 ecn_vals, "Unknown ECN"));
2065 field_tree = proto_item_add_subtree(tf, ett_ip_dsfield);
2066 proto_tree_add_item(field_tree, hf_ip_dsfield_dscp, tvb, offset + 1, 1, ENC_NA);
2067 proto_tree_add_item(field_tree, hf_ip_dsfield_ecn, tvb, offset + 1, 1, ENC_NA);
2069 tf = proto_tree_add_uint_format_value(ip_tree, hf_ip_tos, tvb, offset + 1, 1,
2073 val_to_str_const(IPTOS_TOS(iph->ip_tos),
2074 iptos_vals, "Unknown"));
2076 field_tree = proto_item_add_subtree(tf, ett_ip_tos);
2077 proto_tree_add_item(field_tree, hf_ip_tos_precedence, tvb, offset + 1, 1, ENC_NA);
2078 proto_tree_add_item(field_tree, hf_ip_tos_delay, tvb, offset + 1, 1, ENC_NA);
2079 proto_tree_add_item(field_tree, hf_ip_tos_throughput, tvb, offset + 1, 1, ENC_NA);
2080 proto_tree_add_item(field_tree, hf_ip_tos_reliability, tvb, offset + 1, 1, ENC_NA);
2081 proto_tree_add_item(field_tree, hf_ip_tos_cost, tvb, offset + 1, 1, ENC_NA);
2085 /* Length of IP datagram.
2086 XXX - what if this is greater than the reported length of the
2087 tvbuff? This could happen, for example, in an IP datagram
2088 inside an ICMP datagram; we need to somehow let the
2089 dissector we call know that, as it might want to avoid
2090 doing its checksumming. */
2091 iph->ip_len = tvb_get_ntohs(tvb, offset + 2);
2093 if (iph->ip_len < hlen) {
2094 if (ip_tso_supported && !iph->ip_len) {
2095 /* TSO support enabled, and zero length. Assume the zero length is
2096 * the result of TSO, and use the reported length instead. Note that
2097 * we need to use the frame/reported length instead of the actually-
2098 * available length, just in case a snaplen was used on capture. */
2099 iph->ip_len = tvb_reported_length(tvb);
2101 tf = proto_tree_add_uint_format_value(ip_tree, hf_ip_len, tvb, offset + 2, 2,
2103 "%u bytes (reported as 0, presumed to be because of \"TCP segmentation offload\" (TSO))",
2105 PROTO_ITEM_SET_GENERATED(tf);
2108 /* TSO support not enabled, or non-zero length, so treat it as an error. */
2109 col_add_fstr(pinfo->cinfo, COL_INFO,
2110 "Bogus IP length (%u, less than header length %u)",
2112 tf = proto_tree_add_uint_format_value(ip_tree, hf_ip_len, tvb, offset + 2, 2,
2114 "%u bytes (bogus, less than header length %u)",
2116 expert_add_info(pinfo, tf, &ei_ip_bogus_ip_length);
2117 /* Can't dissect any further */
2122 * Now that we know that the total length of this IP datagram isn't
2123 * obviously bogus, adjust the length of this tvbuff to include only
2126 set_actual_length(tvb, iph->ip_len);
2129 proto_tree_add_uint(ip_tree, hf_ip_len, tvb, offset + 2, 2, iph->ip_len);
2132 iph->ip_id = tvb_get_ntohs(tvb, offset + 4);
2134 proto_tree_add_uint(ip_tree, hf_ip_id, tvb, offset + 4, 2, iph->ip_id);
2136 iph->ip_off = tvb_get_ntohs(tvb, offset + 6);
2138 int bit_offset = (offset + 6) * 8;
2140 flags = (iph->ip_off & (IP_RF | IP_DF | IP_MF)) >> IP_OFFSET_WIDTH;
2141 tf = proto_tree_add_uint(ip_tree, hf_ip_flags, tvb, offset + 6, 1, flags);
2142 field_tree = proto_item_add_subtree(tf, ett_ip_off);
2143 if (ip_security_flag) {
2146 sf = proto_tree_add_bits_item(field_tree, hf_ip_flags_sf, tvb,
2147 bit_offset + 0, 1, ENC_BIG_ENDIAN);
2148 if (iph->ip_off & IP_RF) {
2149 proto_item_append_text(tf, " (Evil packet!)");
2150 expert_add_info(pinfo, sf, &ei_ip_evil_packet);
2153 proto_tree_add_bits_item(field_tree, hf_ip_flags_rf, tvb, bit_offset + 0,
2154 1, ENC_LITTLE_ENDIAN);
2156 if (iph->ip_off & IP_DF)
2157 proto_item_append_text(tf, " (Don't Fragment)");
2158 proto_tree_add_bits_item(field_tree, hf_ip_flags_df, tvb, bit_offset + 1,
2160 if (iph->ip_off & IP_MF)
2161 proto_item_append_text(tf, " (More Fragments)");
2162 proto_tree_add_bits_item(field_tree, hf_ip_flags_mf, tvb, bit_offset + 2,
2164 proto_tree_add_uint(ip_tree, hf_ip_frag_offset, tvb, offset + 6, 2,
2165 (iph->ip_off & IP_OFFSET)*8);
2168 iph->ip_ttl = tvb_get_guint8(tvb, offset + 8);
2170 ttl_item = proto_tree_add_item(ip_tree, hf_ip_ttl, tvb, offset + 8, 1, ENC_BIG_ENDIAN);
2175 iph->ip_p = tvb_get_guint8(tvb, offset + 9);
2177 proto_tree_add_item(ip_tree, hf_ip_proto, tvb, offset + 9, 1, ENC_BIG_ENDIAN);
2180 iph->ip_sum = tvb_get_ntohs(tvb, offset + 10);
2183 * If checksum checking is enabled, and we have the entire IP header
2184 * available, and this isn't inside an ICMP error packet, check the
2187 if (ip_check_checksum && tvb_bytes_exist(tvb, offset, hlen)&&(!pinfo->flags.in_error_pkt)) {
2188 ipsum = ip_checksum_tvb(tvb, offset, hlen);
2191 item = proto_tree_add_uint_format_value(ip_tree, hf_ip_checksum, tvb,
2192 offset + 10, 2, iph->ip_sum,
2195 checksum_tree = proto_item_add_subtree(item, ett_ip_checksum);
2196 item = proto_tree_add_uint(checksum_tree, hf_ip_checksum_calculated, tvb,
2197 offset + 10, 2, iph->ip_sum);
2198 PROTO_ITEM_SET_GENERATED(item);
2199 item = proto_tree_add_boolean(checksum_tree, hf_ip_checksum_good, tvb,
2200 offset + 10, 2, TRUE);
2201 PROTO_ITEM_SET_GENERATED(item);
2202 item = proto_tree_add_boolean(checksum_tree, hf_ip_checksum_bad, tvb,
2203 offset + 10, 2, FALSE);
2204 PROTO_ITEM_SET_GENERATED(item);
2206 expected_cksum = in_cksum_shouldbe(iph->ip_sum, ipsum);
2208 item = proto_tree_add_uint_format_value(ip_tree, hf_ip_checksum, tvb,
2209 offset + 10, 2, iph->ip_sum,
2211 "[incorrect, should be 0x%04x "
2212 "(may be caused by \"IP checksum "
2213 "offload\"?)]", iph->ip_sum,
2215 checksum_tree = proto_item_add_subtree(item, ett_ip_checksum);
2216 item = proto_tree_add_uint(checksum_tree, hf_ip_checksum_calculated, tvb,
2217 offset + 10, 2, expected_cksum);
2218 PROTO_ITEM_SET_GENERATED(item);
2219 item = proto_tree_add_boolean(checksum_tree, hf_ip_checksum_good, tvb,
2220 offset + 10, 2, FALSE);
2221 PROTO_ITEM_SET_GENERATED(item);
2222 item = proto_tree_add_boolean(checksum_tree, hf_ip_checksum_bad, tvb,
2223 offset + 10, 2, TRUE);
2224 PROTO_ITEM_SET_GENERATED(item);
2228 /* Add expert item always (so tap gets called if present);
2229 if (tree == NULL) then item will be NULL
2230 else item should be from the
2231 add_boolean(..., hf_ip_checksum_bad, ...) above */
2232 expert_add_info(pinfo, item, &ei_ip_checksum_bad);
2237 item = proto_tree_add_uint_format_value(ip_tree, hf_ip_checksum, tvb,
2238 offset + 10, 2, iph->ip_sum,
2242 (pinfo->flags.in_error_pkt ?
2243 "in ICMP error packet" :
2244 "not all data available") :
2245 "validation disabled");
2246 checksum_tree = proto_item_add_subtree(item, ett_ip_checksum);
2247 item = proto_tree_add_boolean(checksum_tree, hf_ip_checksum_good, tvb,
2248 offset + 10, 2, FALSE);
2249 PROTO_ITEM_SET_GENERATED(item);
2250 item = proto_tree_add_boolean(checksum_tree, hf_ip_checksum_bad, tvb,
2251 offset + 10, 2, FALSE);
2252 PROTO_ITEM_SET_GENERATED(item);
2255 src32 = tvb_get_ntohl(tvb, offset + IPH_SRC);
2256 TVB_SET_ADDRESS(&pinfo->net_src, AT_IPv4, tvb, offset + IPH_SRC, 4);
2257 COPY_ADDRESS_SHALLOW(&pinfo->src, &pinfo->net_src);
2258 COPY_ADDRESS_SHALLOW(&iph->ip_src, &pinfo->src);
2260 const char *src_host;
2262 memcpy(&addr, iph->ip_src.data, 4);
2263 src_host = get_hostname(addr);
2264 if (ip_summary_in_tree) {
2265 proto_item_append_text(ti, ", Src: %s", address_with_resolution_to_str(wmem_packet_scope(), &iph->ip_src));
2267 proto_tree_add_ipv4(ip_tree, hf_ip_src, tvb, offset + 12, 4, addr);
2268 item = proto_tree_add_ipv4(ip_tree, hf_ip_addr, tvb, offset + 12, 4, addr);
2269 PROTO_ITEM_SET_HIDDEN(item);
2270 item = proto_tree_add_string(ip_tree, hf_ip_src_host, tvb, offset + 12, 4,
2272 PROTO_ITEM_SET_GENERATED(item);
2273 PROTO_ITEM_SET_HIDDEN(item);
2274 item = proto_tree_add_string(ip_tree, hf_ip_host, tvb, offset + 12, 4,
2276 PROTO_ITEM_SET_GENERATED(item);
2277 PROTO_ITEM_SET_HIDDEN(item);
2280 /* If there's an IP strict or loose source routing option, then the final
2281 * L3 IP destination address will be the last entry in the routing header
2282 * EXCEPT when the table is exhausted (pointer is greater than the length).
2283 * In this case, the final L3 IP destination address is the one in the L3
2284 * header. (REF: http://tools.ietf.org/html/rfc791#section-3.1)
2286 if (hlen > IPH_MIN_LEN) {
2287 /* There's more than just the fixed-length header. See if we've got
2288 * either a strict or loose source route option and if so, return the
2289 * offset into the tvb to where the real destination IP address is located.
2291 dst_off = get_dst_offset(tvb, offset + 20, hlen - IPH_MIN_LEN, ipopts,
2292 N_IP_OPTS, IPOPT_EOOL);
2297 dst32 = tvb_get_ntohl(tvb, offset + IPH_DST + dst_off);
2298 TVB_SET_ADDRESS(&pinfo->net_dst, AT_IPv4, tvb, offset + IPH_DST + dst_off, 4);
2299 COPY_ADDRESS_SHALLOW(&pinfo->dst, &pinfo->net_dst);
2300 COPY_ADDRESS_SHALLOW(&iph->ip_dst, &pinfo->net_dst);
2302 /* If an IP is destined for an IP address in the Local Network Control Block
2303 * (e.g. 224.0.0.0/24), the packet should never be routed and the TTL would
2304 * be expected to be 1. (see RFC 3171) Flag a TTL greater than 1.
2306 * Flag a low TTL if the packet is not destined for a multicast address
2307 * (e.g. 224.0.0.0/4) ... and the payload isn't protocol 103 (PIM).
2308 * (see http://tools.ietf.org/html/rfc3973#section-4.7).
2310 if (is_a_local_network_control_block_addr(dst32)) {
2311 ttl = local_network_control_block_addr_valid_ttl(dst32);
2312 if (ttl != iph->ip_ttl && ttl != IPLOCAL_NETWRK_CTRL_BLK_ANY_TTL) {
2313 expert_add_info_format(pinfo, ttl_item, &ei_ip_ttl_lncb, "\"Time To Live\" != %d for a packet sent to the "
2314 "Local Network Control Block (see RFC 3171)",
2317 } else if (!is_a_multicast_addr(dst32) && iph->ip_ttl < 5 &&
2318 (iph->ip_p != IP_PROTO_PIM)) {
2319 expert_add_info_format(pinfo, ttl_item, &ei_ip_ttl_too_small, "\"Time To Live\" only %u", iph->ip_ttl);
2323 const char *dst_host;
2325 memcpy(&addr, iph->ip_dst.data, 4);
2326 dst_host = get_hostname(addr);
2327 if (ip_summary_in_tree) {
2328 proto_item_append_text(ti, ", Dst: %s", address_with_resolution_to_str(wmem_packet_scope(), &iph->ip_dst));
2334 cur_rt = tvb_get_ipv4(tvb, offset + 16);
2335 if (ip_summary_in_tree) {
2336 proto_item_append_text(ti, ", Via: %s",
2337 tvb_address_with_resolution_to_str(wmem_packet_scope(), tvb, AT_IPv4, offset + 16));
2339 proto_tree_add_ipv4(ip_tree, hf_ip_cur_rt, tvb, offset + 16, 4, cur_rt);
2340 item = proto_tree_add_string(ip_tree, hf_ip_cur_rt_host, tvb,
2341 offset + 16, 4, get_hostname(cur_rt));
2342 PROTO_ITEM_SET_GENERATED(item);
2343 PROTO_ITEM_SET_HIDDEN(item);
2346 proto_tree_add_ipv4(ip_tree, hf_ip_dst, tvb, offset + 16, 4, addr);
2347 item = proto_tree_add_ipv4(ip_tree, hf_ip_addr, tvb, offset + 16, 4,
2349 PROTO_ITEM_SET_HIDDEN(item);
2350 item = proto_tree_add_string(ip_tree, hf_ip_dst_host, tvb, offset + 16,
2352 PROTO_ITEM_SET_GENERATED(item);
2353 PROTO_ITEM_SET_HIDDEN(item);
2354 item = proto_tree_add_string(ip_tree, hf_ip_host, tvb,
2355 offset + 16 + dst_off, 4, dst_host);
2356 PROTO_ITEM_SET_GENERATED(item);
2357 PROTO_ITEM_SET_HIDDEN(item);
2362 if (tree && ip_use_geoip) {
2363 add_geoip_info(ip_tree, tvb, offset, src32, dst32);
2367 /* Decode IP options, if any. */
2368 if (hlen > IPH_MIN_LEN) {
2369 /* There's more than just the fixed-length header. Decode the options. */
2370 optlen = hlen - IPH_MIN_LEN; /* length of options, in bytes */
2371 field_tree = proto_tree_add_subtree_format(ip_tree, tvb, offset + 20, optlen,
2372 ett_ip_options, &tf, "Options: (%u bytes)", optlen);
2373 dissect_ip_tcp_options(tvb, offset + 20, optlen, ipopts, N_IP_OPTS,
2374 IPOPT_EOOL, &IP_OPT_TYPES, &ei_ip_opt_len_invalid, pinfo, field_tree, tf, iph);
2377 p_add_proto_data(pinfo->pool, pinfo, proto_ip, 0, GUINT_TO_POINTER((guint)iph->ip_p));
2378 tap_queue_packet(ip_tap, pinfo, iph);
2380 /* Skip over header + options */
2383 /* If ip_defragment is on, this is a fragment, we have all the data
2384 * in the fragment, and the header checksum is valid, then just add
2385 * the fragment to the hashtable.
2387 save_fragmented = pinfo->fragmented;
2388 if (ip_defragment && (iph->ip_off & (IP_MF|IP_OFFSET)) &&
2389 tvb_bytes_exist(tvb, offset, iph->ip_len - hlen) &&
2391 ipfd_head = fragment_add_check(&ip_reassembly_table, tvb, offset,
2393 iph->ip_p ^ iph->ip_id ^ src32 ^ dst32,
2395 (iph->ip_off & IP_OFFSET) * 8,
2397 iph->ip_off & IP_MF);
2399 next_tvb = process_reassembled_data(tvb, offset, pinfo, "Reassembled IPv4",
2400 ipfd_head, &ip_frag_items,
2401 &update_col_info, ip_tree);
2403 /* If this is the first fragment, dissect its contents, otherwise
2404 just show it as a fragment.
2406 XXX - if we eventually don't save the reassembled contents of all
2407 fragmented datagrams, we may want to always reassemble. */
2408 if (iph->ip_off & IP_OFFSET) {
2409 /* Not the first fragment - don't dissect it. */
2412 /* First fragment, or not fragmented. Dissect what we have here. */
2414 /* Get a tvbuff for the payload. */
2415 next_tvb = tvb_new_subset_remaining(tvb, offset);
2418 * If this is the first fragment, but not the only fragment,
2419 * tell the next protocol that.
2421 if (iph->ip_off & IP_MF)
2422 pinfo->fragmented = TRUE;
2424 pinfo->fragmented = FALSE;
2428 if (next_tvb == NULL) {
2429 /* Just show this as a fragment. */
2430 col_add_fstr(pinfo->cinfo, COL_INFO,
2431 "Fragmented IP protocol (proto=%s %u, off=%u, ID=%04x)",
2432 ipprotostr(iph->ip_p), iph->ip_p,
2433 (iph->ip_off & IP_OFFSET) * 8, iph->ip_id);
2434 if ( ipfd_head && ipfd_head->reassembled_in != pinfo->fd->num ) {
2435 col_append_fstr(pinfo->cinfo, COL_INFO, " [Reassembled in #%u]",
2436 ipfd_head->reassembled_in);
2439 call_dissector(data_handle, tvb_new_subset_remaining(tvb, offset), pinfo,
2441 pinfo->fragmented = save_fragmented;
2445 if (tvb_reported_length(next_tvb) > 0) {
2446 /* Hand off to the next protocol.
2448 XXX - setting the columns only after trying various dissectors means
2449 that if one of those dissectors throws an exception, the frame won't
2450 even be labeled as an IP frame; ideally, if a frame being dissected
2451 throws an exception, it'll be labeled as a mangled frame of the
2452 type in question. */
2453 if (!ip_try_dissect(try_heuristic_first, next_tvb, pinfo, parent_tree, iph)) {
2454 /* Unknown protocol */
2455 if (update_col_info) {
2456 col_add_fstr(pinfo->cinfo, COL_INFO, "%s (%u)",
2457 ipprotostr(iph->ip_p), iph->ip_p);
2459 call_dissector(data_handle,next_tvb, pinfo, parent_tree);
2462 pinfo->fragmented = save_fragmented;
2466 dissect_ip_heur(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_)
2468 int length, tot_length;
2469 guint8 oct, version, ihl;
2473 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
2474 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2475 |Version| IHL |Type of Service| Total Length |
2476 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2479 length = tvb_captured_length(tvb);
2481 /* Need at least 4 bytes to make some sort of decision */
2484 oct = tvb_get_guint8(tvb,0);
2488 /* TODO: Add IPv6 checks here */
2490 3. IPv6 Header Format
2493 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
2494 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2495 |Version| Traffic Class | Flow Label |
2496 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2497 | Payload Length | Next Header | Hop Limit |
2498 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2506 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2510 + Destination Address +
2514 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2516 Version 4-bit Internet Protocol version number = 6.
2518 Traffic Class 8-bit traffic class field. See section 7.
2520 Flow Label 20-bit flow label. See section 6.
2522 Payload Length 16-bit unsigned integer. Length of the IPv6
2523 payload, i.e., the rest of the packet following
2524 this IPv6 header, in octets. (Note that any
2525 extension headers [section 4] present are
2526 considered part of the payload, i.e., included
2527 in the length count.)
2532 /* Need at least 8 bytes to make a decision */
2535 tot_length = tvb_get_ntohs(tvb,4);
2536 if((tot_length + 40) != (int)tvb_reported_length(tvb)){
2539 call_dissector(ipv6_handle, tvb, pinfo, tree);
2542 /* version == IPv4 , the minimum value for a correct header is 5 */
2543 if((version != 4)|| (ihl < 5)){
2546 /* Total Length is the length of the datagram, measured in octets,
2547 * including internet header and data.
2549 tot_length = tvb_get_ntohs(tvb,2);
2551 if(tot_length != (int)tvb_reported_length(tvb)){
2555 dissect_ip(tvb, pinfo, tree);
2560 proto_register_ip(void)
2562 #define ARG_TO_STR(ARG) #ARG
2563 #define FLAGS_OFFSET_WIDTH_MSG(WIDTH) \
2564 "Flags (" ARG_TO_STR(WIDTH) " bits)"
2565 #define FRAG_OFFSET_WIDTH_MSG(WIDTH) \
2566 "Fragment offset (" ARG_TO_STR(WIDTH) " bits)"
2568 static hf_register_info hf[] = {
2570 { "Version", "ip.version", FT_UINT8, BASE_DEC,
2571 NULL, 0xF0, NULL, HFILL }},
2574 { "Header Length", "ip.hdr_len", FT_UINT8, BASE_DEC,
2575 NULL, 0x0F, NULL, HFILL }},
2578 { "Differentiated Services Field", "ip.dsfield", FT_UINT8, BASE_DEC,
2579 NULL, 0x0, NULL, HFILL }},
2581 { &hf_ip_dsfield_dscp,
2582 { "Differentiated Services Codepoint", "ip.dsfield.dscp", FT_UINT8, BASE_HEX | BASE_EXT_STRING,
2583 &dscp_vals_ext, IPDSFIELD_DSCP_MASK, NULL, HFILL }},
2585 { &hf_ip_dsfield_ecn,
2586 { "Explicit Congestion Notification", "ip.dsfield.ecn", FT_UINT8, BASE_HEX,
2587 VALS(ecn_vals), IPDSFIELD_ECN_MASK, NULL, HFILL }},
2590 { "Type of Service", "ip.tos", FT_UINT8, BASE_DEC,
2591 NULL, 0x0, NULL, HFILL }},
2593 { &hf_ip_tos_precedence,
2594 { "Precedence", "ip.tos.precedence", FT_UINT8, BASE_DEC,
2595 VALS(precedence_vals), IPTOS_PREC_MASK, NULL, HFILL }},
2598 { "Delay", "ip.tos.delay", FT_BOOLEAN, 8,
2599 TFS(&tos_set_low), IPTOS_LOWDELAY, NULL, HFILL }},
2601 { &hf_ip_tos_throughput,
2602 { "Throughput", "ip.tos.throughput", FT_BOOLEAN, 8,
2603 TFS(&tos_set_high), IPTOS_THROUGHPUT, NULL, HFILL }},
2605 { &hf_ip_tos_reliability,
2606 { "Reliability", "ip.tos.reliability", FT_BOOLEAN, 8,
2607 TFS(&tos_set_high), IPTOS_RELIABILITY, NULL, HFILL }},
2610 { "Cost", "ip.tos.cost", FT_BOOLEAN, 8,
2611 TFS(&tos_set_low), IPTOS_LOWCOST, NULL, HFILL }},
2614 { "Total Length", "ip.len", FT_UINT16, BASE_DEC,
2615 NULL, 0x0, NULL, HFILL }},
2618 { "Identification", "ip.id", FT_UINT16, BASE_HEX_DEC,
2619 NULL, 0x0, NULL, HFILL }},
2622 { "Destination", "ip.dst", FT_IPv4, BASE_NONE,
2623 NULL, 0x0, NULL, HFILL }},
2626 { "Destination Host", "ip.dst_host", FT_STRING, BASE_NONE,
2627 NULL, 0x0, NULL, HFILL }},
2630 { "Source", "ip.src", FT_IPv4, BASE_NONE,
2631 NULL, 0x0, NULL, HFILL }},
2634 { "Source Host", "ip.src_host", FT_STRING, BASE_NONE,
2635 NULL, 0x0, NULL, HFILL }},
2638 { "Source or Destination Address", "ip.addr", FT_IPv4, BASE_NONE,
2639 NULL, 0x0, NULL, HFILL }},
2642 { "Source or Destination Host", "ip.host", FT_STRING, BASE_NONE,
2643 NULL, 0x0, NULL, HFILL }},
2646 { &hf_geoip_country,
2647 { "Source or Destination GeoIP Country", "ip.geoip.country",
2648 FT_STRING, STR_UNICODE, NULL, 0x0, NULL, HFILL }},
2650 { "Source or Destination GeoIP City", "ip.geoip.city",
2651 FT_STRING, STR_UNICODE, NULL, 0x0, NULL, HFILL }},
2653 { "Source or Destination GeoIP Organization", "ip.geoip.org",
2654 FT_STRING, STR_UNICODE, NULL, 0x0, NULL, HFILL }},
2656 { "Source or Destination GeoIP ISP", "ip.geoip.isp",
2657 FT_STRING, STR_UNICODE, NULL, 0x0, NULL, HFILL }},
2659 { "Source or Destination GeoIP AS Number", "ip.geoip.asnum",
2660 FT_STRING, STR_UNICODE, NULL, 0x0, NULL, HFILL }},
2662 { "Source or Destination GeoIP Latitude", "ip.geoip.lat",
2663 FT_DOUBLE, BASE_NONE, NULL, 0x0, NULL, HFILL }},
2665 { "Source or Destination GeoIP Longitude", "ip.geoip.lon",
2666 FT_DOUBLE, BASE_NONE, NULL, 0x0, NULL, HFILL }},
2667 { &hf_geoip_src_country,
2668 { "Source GeoIP Country", "ip.geoip.src_country",
2669 FT_STRING, STR_UNICODE, NULL, 0x0, NULL, HFILL }},
2670 { &hf_geoip_src_city,
2671 { "Source GeoIP City", "ip.geoip.src_city",
2672 FT_STRING, STR_UNICODE, NULL, 0x0, NULL, HFILL }},
2673 { &hf_geoip_src_org,
2674 { "Source GeoIP Organization", "ip.geoip.src_org",
2675 FT_STRING, STR_UNICODE, NULL, 0x0, NULL, HFILL }},
2676 { &hf_geoip_src_isp,
2677 { "Source GeoIP ISP", "ip.geoip.src_isp",
2678 FT_STRING, STR_UNICODE, NULL, 0x0, NULL, HFILL }},
2679 { &hf_geoip_src_asnum,
2680 { "Source GeoIP AS Number", "ip.geoip.src_asnum",
2681 FT_STRING, STR_UNICODE, NULL, 0x0, NULL, HFILL }},
2682 { &hf_geoip_src_lat,
2683 { "Source GeoIP Latitude", "ip.geoip.src_lat",
2684 FT_DOUBLE, BASE_NONE, NULL, 0x0, NULL, HFILL }},
2685 { &hf_geoip_src_lon,
2686 { "Source GeoIP Longitude", "ip.geoip.src_lon",
2687 FT_DOUBLE, BASE_NONE, NULL, 0x0, NULL, HFILL }},
2688 { &hf_geoip_dst_country,
2689 { "Destination GeoIP Country", "ip.geoip.dst_country",
2690 FT_STRING, STR_UNICODE, NULL, 0x0, NULL, HFILL }},
2691 { &hf_geoip_dst_city,
2692 { "Destination GeoIP City", "ip.geoip.dst_city",
2693 FT_STRING, STR_UNICODE, NULL, 0x0, NULL, HFILL }},
2694 { &hf_geoip_dst_org,
2695 { "Destination GeoIP Organization", "ip.geoip.dst_org",
2696 FT_STRING, STR_UNICODE, NULL, 0x0, NULL, HFILL }},
2697 { &hf_geoip_dst_isp,
2698 { "Destination GeoIP ISP", "ip.geoip.dst_isp",
2699 FT_STRING, STR_UNICODE, NULL, 0x0, NULL, HFILL }},
2700 { &hf_geoip_dst_asnum,
2701 { "Destination GeoIP AS Number", "ip.geoip.dst_asnum",
2702 FT_STRING, STR_UNICODE, NULL, 0x0, NULL, HFILL }},
2703 { &hf_geoip_dst_lat,
2704 { "Destination GeoIP Latitude", "ip.geoip.dst_lat",
2705 FT_DOUBLE, BASE_NONE, NULL, 0x0, NULL, HFILL }},
2706 { &hf_geoip_dst_lon,
2707 { "Destination GeoIP Longitude", "ip.geoip.dst_lon",
2708 FT_DOUBLE, BASE_NONE, NULL, 0x0, NULL, HFILL }},
2709 #endif /* HAVE_GEOIP */
2712 { "Flags", "ip.flags", FT_UINT8, BASE_HEX,
2713 NULL, 0x0, FLAGS_OFFSET_WIDTH_MSG(IP_FLAGS_WIDTH), HFILL }},
2716 { "Security flag", "ip.flags.sf", FT_BOOLEAN, BASE_NONE,
2717 TFS(&flags_sf_set_evil), 0x0, "Security flag (RFC 3514)", HFILL }},
2720 { "Reserved bit", "ip.flags.rb", FT_BOOLEAN, BASE_NONE,
2721 TFS(&tfs_set_notset), 0x0, NULL, HFILL }},
2724 { "Don't fragment", "ip.flags.df", FT_BOOLEAN, BASE_NONE,
2725 TFS(&tfs_set_notset), 0x0, NULL, HFILL }},
2728 { "More fragments", "ip.flags.mf", FT_BOOLEAN, BASE_NONE,
2729 TFS(&tfs_set_notset), 0x0, NULL, HFILL }},
2731 { &hf_ip_frag_offset,
2732 { "Fragment offset", "ip.frag_offset", FT_UINT16, BASE_DEC,
2733 NULL, 0x0, FRAG_OFFSET_WIDTH_MSG(IP_OFFSET_WIDTH), HFILL }},
2736 { "Time to live", "ip.ttl", FT_UINT8, BASE_DEC,
2737 NULL, 0x0, NULL, HFILL }},
2740 { "Protocol", "ip.proto", FT_UINT8, BASE_DEC | BASE_EXT_STRING,
2741 &ipproto_val_ext, 0x0, NULL, HFILL }},
2744 { "Header checksum", "ip.checksum", FT_UINT16, BASE_HEX,
2745 NULL, 0x0, NULL, HFILL }},
2747 { &hf_ip_checksum_calculated,
2748 { "Calculated Checksum", "ip.checksum_calculated", FT_UINT16, BASE_HEX, NULL, 0x0,
2749 "The expected IP checksum field as calculated from the IP datagram", HFILL }},
2751 { &hf_ip_checksum_good,
2752 { "Good", "ip.checksum_good", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
2753 "True: checksum matches packet content; False: doesn't match content or not checked", HFILL }},
2755 { &hf_ip_checksum_bad,
2756 { "Bad", "ip.checksum_bad", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
2757 "True: checksum doesn't match packet content; False: matches content or not checked", HFILL }},
2759 /* IP options related fields */
2761 { "Type", "ip.opt.type", FT_UINT8, BASE_DEC,
2762 NULL, 0x0, NULL, HFILL }},
2764 { &hf_ip_opt_type_copy,
2765 { "Copy on fragmentation", "ip.opt.type.copy", FT_BOOLEAN, 8,
2766 TFS(&tfs_yes_no), IPOPT_COPY_MASK, NULL, HFILL }},
2768 { &hf_ip_opt_type_class,
2769 { "Class", "ip.opt.type.class", FT_UINT8, BASE_DEC,
2770 VALS(ipopt_type_class_vals), IPOPT_CLASS_MASK, NULL, HFILL }},
2772 { &hf_ip_opt_type_number,
2773 { "Number", "ip.opt.type.number", FT_UINT8, BASE_DEC,
2774 VALS(ipopt_type_number_vals), IPOPT_NUMBER_MASK, NULL, HFILL }},
2777 { "Length", "ip.opt.len", FT_UINT8, BASE_DEC,
2778 NULL, 0x0, NULL, HFILL }},
2781 { "Pointer", "ip.opt.ptr", FT_UINT8, BASE_DEC,
2782 NULL, 0x0, NULL, HFILL }},
2785 { "Stream Identifier", "ip.opt.sid", FT_UINT16, BASE_DEC,
2786 NULL, 0x0, "SATNET stream identifier", HFILL }},
2789 { "MTU", "ip.opt.mtu", FT_UINT16, BASE_DEC,
2790 NULL, 0x0, NULL, HFILL }},
2792 { &hf_ip_opt_id_number,
2793 { "ID Number", "ip.opt.id_number", FT_UINT16, BASE_DEC,
2794 NULL, 0x0, NULL, HFILL }},
2797 { "Outbound Hop Count", "ip.opt.ohc", FT_UINT16, BASE_DEC,
2798 NULL, 0x0, NULL, HFILL }},
2801 { "Return Hop Count", "ip.opt.rhc", FT_UINT16, BASE_DEC,
2802 NULL, 0x0, NULL, HFILL }},
2804 { &hf_ip_opt_originator,
2805 { "Originator IP Address", "ip.opt.originator", FT_IPv4, BASE_NONE,
2806 NULL, 0x0, NULL, HFILL }},
2809 { "Router Alert", "ip.opt.ra", FT_UINT16, BASE_DEC | BASE_RANGE_STRING,
2810 RVALS(ra_rvals), 0x0, NULL, HFILL }},
2813 { "IP Address", "ip.opt.addr", FT_IPv4, BASE_NONE,
2814 NULL, 0x0, NULL, HFILL }},
2816 { &hf_ip_opt_padding,
2817 { "Padding", "ip.opt.padding", FT_BYTES, BASE_NONE,
2818 NULL, 0x0, NULL, HFILL }},
2820 { &hf_ip_opt_qs_func,
2821 { "Function", "ip.opt.qs_func", FT_UINT8, BASE_DEC,
2822 VALS(qs_func_vals), QS_FUNC_MASK, NULL, HFILL }},
2824 { &hf_ip_opt_qs_rate,
2825 { "Rate", "ip.opt.qs_rate", FT_UINT8, BASE_DEC | BASE_EXT_STRING,
2826 &qs_rate_vals_ext, QS_RATE_MASK, NULL, HFILL }},
2828 { &hf_ip_opt_qs_ttl,
2829 { "QS TTL", "ip.opt.qs_ttl", FT_UINT8, BASE_DEC,
2830 NULL, 0x0, NULL, HFILL }},
2832 { &hf_ip_opt_qs_ttl_diff,
2833 { "TTL Diff", "ip.opt.qs_ttl_diff", FT_UINT8, BASE_DEC,
2834 NULL, 0x0, NULL, HFILL }},
2836 { &hf_ip_opt_qs_unused,
2837 { "Not Used", "ip.opt.qs_unused", FT_UINT8, BASE_DEC,
2838 NULL, 0x0, NULL, HFILL }},
2840 { &hf_ip_opt_qs_nonce,
2841 { "QS Nonce", "ip.opt.qs_nonce", FT_UINT32, BASE_HEX,
2842 NULL, 0xFFFFFFFC, NULL, HFILL }},
2844 { &hf_ip_opt_qs_reserved,
2845 { "Reserved", "ip.opt.qs_reserved", FT_UINT32, BASE_HEX,
2846 NULL, 0x00000003, NULL, HFILL }},
2848 { &hf_ip_opt_sec_rfc791_sec,
2849 { "Security", "ip.opt.sec_rfc791_sec", FT_UINT8, BASE_HEX,
2850 VALS(secl_rfc791_vals), 0x0, NULL, HFILL }},
2852 { &hf_ip_opt_sec_rfc791_comp,
2853 { "Compartments", "ip.opt.sec_rfc791_comp", FT_UINT16, BASE_DEC,
2854 NULL, 0x0, NULL, HFILL }},
2856 { &hf_ip_opt_sec_rfc791_hr,
2857 { "Handling Restrictions", "ip.opt.sec_rfc791_hr", FT_STRING, BASE_NONE,
2858 NULL, 0x0, NULL, HFILL }},
2860 { &hf_ip_opt_sec_rfc791_tcc,
2861 { "Transmission Control Code", "ip.opt.sec_rfc791_tcc", FT_STRING, BASE_NONE,
2862 NULL, 0x0, NULL, HFILL }},
2864 { &hf_ip_opt_sec_cl,
2865 { "Classification Level", "ip.opt.sec_cl", FT_UINT8, BASE_HEX,
2866 VALS(sec_cl_vals), 0x0, NULL, HFILL }},
2868 { &hf_ip_opt_sec_prot_auth_flags,
2869 { "Protection Authority Flags", "ip.opt.sec_prot_auth_flags", FT_UINT8, BASE_HEX,
2870 NULL, 0x0, NULL, HFILL }},
2872 { &hf_ip_opt_sec_prot_auth_genser,
2873 { "GENSER", "ip.opt.sec_prot_auth_genser", FT_BOOLEAN, 8,
2874 TFS(&ip_opt_sec_prot_auth_flag_tfs), 0x80, NULL, HFILL }},
2876 { &hf_ip_opt_sec_prot_auth_siop_esi,
2877 { "SIOP-ESI", "ip.opt.sec_prot_auth_siop_esi", FT_BOOLEAN, 8,
2878 TFS(&ip_opt_sec_prot_auth_flag_tfs), 0x40, NULL, HFILL }},
2880 { &hf_ip_opt_sec_prot_auth_sci,
2881 { "SCI", "ip.opt.sec_prot_auth_sci", FT_BOOLEAN, 8,
2882 TFS(&ip_opt_sec_prot_auth_flag_tfs), 0x20, NULL, HFILL }},
2884 { &hf_ip_opt_sec_prot_auth_nsa,
2885 { "NSA", "ip.opt.sec_prot_auth_nsa", FT_BOOLEAN, 8,
2886 TFS(&ip_opt_sec_prot_auth_flag_tfs), 0x10, NULL, HFILL }},
2888 { &hf_ip_opt_sec_prot_auth_doe,
2889 { "DOE", "ip.opt.sec_prot_auth_doe", FT_BOOLEAN, 8,
2890 TFS(&ip_opt_sec_prot_auth_flag_tfs), 0x08, NULL, HFILL }},
2892 { &hf_ip_opt_sec_prot_auth_unassigned,
2893 { "Unassigned", "ip.opt.sec_prot_auth_unassigned", FT_UINT8, BASE_HEX,
2894 NULL, 0x06, NULL, HFILL }},
2896 { &hf_ip_opt_sec_prot_auth_unassigned2,
2897 { "Unassigned", "ip.opt.sec_prot_auth_unassigned", FT_UINT8, BASE_HEX,
2898 NULL, 0xFE, NULL, HFILL }},
2900 { &hf_ip_opt_sec_prot_auth_fti,
2901 { "Field Termination Indicator", "ip.opt.sec_prot_auth_fti", FT_BOOLEAN, 8,
2902 TFS(&ip_opt_sec_prot_auth_fti_tfs), 0x01, NULL, HFILL }},
2904 { &hf_ip_opt_ext_sec_add_sec_info_format_code,
2905 { "Additional Security Info Format Code", "ip.opt.ext_sec_add_sec_info_format_code", FT_UINT8, BASE_HEX,
2906 NULL, 0x0, NULL, HFILL }},
2908 { &hf_ip_opt_ext_sec_add_sec_info,
2909 { "Additional Security Info", "ip.opt.ext_sec_add_sec_info", FT_BYTES, BASE_NONE,
2910 NULL, 0x0, NULL, HFILL }},
2913 { "Recorded Route", "ip.rec_rt", FT_IPv4, BASE_NONE, NULL, 0x0,
2916 { &hf_ip_rec_rt_host,
2917 { "Recorded Route Host", "ip.rec_rt_host", FT_STRING, BASE_NONE,
2918 NULL, 0x0, NULL, HFILL }},
2921 { "Current Route", "ip.cur_rt", FT_IPv4, BASE_NONE, NULL, 0x0,
2924 { &hf_ip_cur_rt_host,
2925 { "Current Route Host", "ip.cur_rt_host", FT_STRING, BASE_NONE,
2926 NULL, 0x0, NULL, HFILL }},
2929 { "Source Route", "ip.src_rt", FT_IPv4, BASE_NONE, NULL, 0x0,
2932 { &hf_ip_src_rt_host,
2933 { "Source Route Host", "ip.src_rt_host", FT_STRING, BASE_NONE,
2934 NULL, 0x0, NULL, HFILL }},
2937 { "Empty Route", "ip.empty_rt", FT_IPv4, BASE_NONE, NULL, 0x0,
2940 { &hf_ip_empty_rt_host,
2941 { "Empty Route Host", "ip.empty_rt_host", FT_STRING, BASE_NONE,
2942 NULL, 0x0, NULL, HFILL }},
2944 { &hf_ip_cipso_tag_type,
2945 { "Tag Type", "ip.cipso.tag_type", FT_UINT8, BASE_DEC,
2946 VALS(cipso_tag_type_vals), 0x0, NULL, HFILL }},
2949 { &hf_ip_fragment_overlap,
2950 { "Fragment overlap", "ip.fragment.overlap", FT_BOOLEAN, BASE_NONE,
2951 NULL, 0x0, "Fragment overlaps with other fragments", HFILL }},
2953 { &hf_ip_fragment_overlap_conflict,
2954 { "Conflicting data in fragment overlap", "ip.fragment.overlap.conflict",
2955 FT_BOOLEAN, BASE_NONE, NULL, 0x0,
2956 "Overlapping fragments contained conflicting data", HFILL }},
2958 { &hf_ip_fragment_multiple_tails,
2959 { "Multiple tail fragments found", "ip.fragment.multipletails",
2960 FT_BOOLEAN, BASE_NONE, NULL, 0x0,
2961 "Several tails were found when defragmenting the packet", HFILL }},
2963 { &hf_ip_fragment_too_long_fragment,
2964 { "Fragment too long", "ip.fragment.toolongfragment",
2965 FT_BOOLEAN, BASE_NONE, NULL, 0x0,
2966 "Fragment contained data past end of packet", HFILL }},
2968 { &hf_ip_fragment_error,
2969 { "Defragmentation error", "ip.fragment.error", FT_FRAMENUM, BASE_NONE,
2970 NULL, 0x0, "Defragmentation error due to illegal fragments", HFILL }},
2972 { &hf_ip_fragment_count,
2973 { "Fragment count", "ip.fragment.count", FT_UINT32, BASE_DEC,
2974 NULL, 0x0, NULL, HFILL }},
2977 { "IPv4 Fragment", "ip.fragment", FT_FRAMENUM, BASE_NONE,
2978 NULL, 0x0, NULL, HFILL }},
2981 { "IPv4 Fragments", "ip.fragments", FT_BYTES, BASE_NONE,
2982 NULL, 0x0, NULL, HFILL }},
2984 { &hf_ip_reassembled_in,
2985 { "Reassembled IPv4 in frame", "ip.reassembled_in", FT_FRAMENUM, BASE_NONE,
2986 NULL, 0x0, "This IPv4 packet is reassembled in this frame", HFILL }},
2988 { &hf_ip_reassembled_length,
2989 { "Reassembled IPv4 length", "ip.reassembled.length", FT_UINT32, BASE_DEC,
2990 NULL, 0x0, "The total length of the reassembled payload", HFILL }},
2992 { &hf_ip_reassembled_data,
2993 { "Reassembled IPv4 data", "ip.reassembled.data", FT_BYTES, BASE_NONE,
2994 NULL, 0x0, "The reassembled payload", HFILL }},
2996 /* Generated from convert_proto_tree_add_text.pl */
2997 { &hf_ip_cipso_doi, { "DOI", "ip.cipso.doi", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }},
2998 { &hf_ip_cipso_sensitivity_level, { "Sensitivity Level", "ip.cipso.sensitivity_level", FT_UINT8, BASE_DEC, NULL, 0x0, NULL, HFILL }},
2999 { &hf_ip_cipso_categories, { "Categories", "ip.cipso.categories", FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }},
3000 { &hf_ip_cipso_tag_data, { "Tag data", "ip.cipso.tag_data", FT_BYTES, BASE_NONE, NULL, 0x0, NULL, HFILL }},
3001 { &hf_ip_opt_overflow, { "Overflow", "ip.opt.overflow", FT_UINT8, BASE_DEC, NULL, 0xF0, NULL, HFILL }},
3002 { &hf_ip_opt_flag, { "Flag", "ip.opt.flag", FT_UINT8, BASE_HEX, VALS(ipopt_timestamp_flag_vals), 0x0F, NULL, HFILL }},
3003 { &hf_ip_opt_time_stamp, { "Time stamp", "ip.opt.time_stamp", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }},
3004 { &hf_ip_opt_time_stamp_addr, { "Address", "ip.opt.time_stamp_addr", FT_IPv4, BASE_NONE, NULL, 0x0, NULL, HFILL }},
3008 static gint *ett[] = {
3014 &ett_ip_option_eool,
3017 &ett_ip_option_route,
3018 &ett_ip_option_timestamp,
3019 &ett_ip_option_ext_security,
3020 &ett_ip_option_cipso,
3027 &ett_ip_option_other,
3032 &ett_ip_opt_sec_prot_auth_flags,
3033 &ett_unknown_ip_tcp_opt,
3038 static ei_register_info ei[] = {
3039 { &ei_ip_opt_len_invalid, { "ip.opt.len.invalid", PI_PROTOCOL, PI_WARN, "Invalid length for option", EXPFILL }},
3040 { &ei_ip_opt_sec_prot_auth_fti, { "ip.opt.len.invalid", PI_PROTOCOL, PI_WARN, "Field Termination Indicator set to 1 for last byte of option", EXPFILL }},
3041 { &ei_ip_extraneous_data, { "ip.opt.len.invalid", PI_PROTOCOL, PI_WARN, "Extraneous data in option", EXPFILL }},
3042 { &ei_ip_opt_ptr_before_address, { "ip.opt.ptr.before_address", PI_PROTOCOL, PI_WARN, "Pointer points before first address", EXPFILL }},
3043 { &ei_ip_opt_ptr_middle_address, { "ip.opt.ptr.middle_address", PI_PROTOCOL, PI_WARN, "Pointer points to middle of address", EXPFILL }},
3044 { &ei_ip_subopt_too_long, { "ip.subopt_too_long", PI_PROTOCOL, PI_WARN, "Suboption would go past end of option", EXPFILL }},
3045 { &ei_ip_nop, { "ip.nop", PI_PROTOCOL, PI_WARN, "4 NOP in a row - a router may have removed some options", EXPFILL }},
3046 { &ei_ip_bogus_ip_length, { "ip.bogus_ip_length", PI_PROTOCOL, PI_ERROR, "Bogus IP length", EXPFILL }},
3047 { &ei_ip_evil_packet, { "ip.evil_packet", PI_PROTOCOL, PI_WARN, "Suboption would go past end of option", EXPFILL }},
3048 { &ei_ip_checksum_bad, { "ip.checksum_bad.expert", PI_CHECKSUM, PI_ERROR, "Bad checksum", EXPFILL }},
3049 { &ei_ip_ttl_lncb, { "ip.ttl.lncb", PI_SEQUENCE, PI_NOTE, "Time To Live", EXPFILL }},
3050 { &ei_ip_ttl_too_small, { "ip.ttl.too_small", PI_SEQUENCE, PI_NOTE, "Time To Live", EXPFILL }},
3051 { &ei_ip_cipso_tag, { "ip.cipso.malformed", PI_SEQUENCE, PI_ERROR, "Malformed CIPSO tag", EXPFILL }},
3054 /* Decode As handling */
3055 static build_valid_func ip_da_build_value[1] = {ip_value};
3056 static decode_as_value_t ip_da_values = {ip_prompt, 1, ip_da_build_value};
3057 static decode_as_t ip_da = {"ip", "Network", "ip.proto", 1, 0, &ip_da_values, NULL, NULL,
3058 decode_as_default_populate_list, decode_as_default_reset, decode_as_default_change, NULL};
3060 module_t *ip_module;
3061 expert_module_t* expert_ip;
3063 proto_ip = proto_register_protocol("Internet Protocol Version 4", "IPv4", "ip");
3064 proto_register_field_array(proto_ip, hf, array_length(hf));
3065 proto_register_subtree_array(ett, array_length(ett));
3066 expert_ip = expert_register_protocol(proto_ip);
3067 expert_register_field_array(expert_ip, ei, array_length(ei));
3069 /* subdissector code */
3070 ip_dissector_table = register_dissector_table("ip.proto", "IP protocol",
3071 FT_UINT8, BASE_DEC);
3072 heur_subdissector_list = register_heur_dissector_list("ip");
3074 /* Register configuration options */
3075 ip_module = prefs_register_protocol(proto_ip, NULL);
3076 prefs_register_bool_preference(ip_module, "decode_tos_as_diffserv",
3077 "Decode IPv4 TOS field as DiffServ field",
3078 "Whether the IPv4 type-of-service field should be decoded as a "
3079 "Differentiated Services field (see RFC2474/RFC2475)", &g_ip_dscp_actif);
3080 prefs_register_bool_preference(ip_module, "defragment",
3081 "Reassemble fragmented IPv4 datagrams",
3082 "Whether fragmented IPv4 datagrams should be reassembled", &ip_defragment);
3083 prefs_register_bool_preference(ip_module, "summary_in_tree",
3084 "Show IPv4 summary in protocol tree",
3085 "Whether the IPv4 summary line should be shown in the protocol tree",
3086 &ip_summary_in_tree);
3087 prefs_register_bool_preference(ip_module, "check_checksum",
3088 "Validate the IPv4 checksum if possible",
3089 "Whether to validate the IPv4 checksum", &ip_check_checksum);
3090 prefs_register_bool_preference(ip_module, "tso_support",
3091 "Support packet-capture from IP TSO-enabled hardware",
3092 "Whether to correct for TSO-enabled (TCP segmentation offload) hardware "
3093 "captures, such as spoofing the IP packet length", &ip_tso_supported);
3095 prefs_register_bool_preference(ip_module, "use_geoip",
3096 "Enable GeoIP lookups",
3097 "Whether to look up IP addresses in each GeoIP database we have loaded",
3099 #endif /* HAVE_GEOIP */
3100 prefs_register_bool_preference(ip_module, "security_flag" ,
3101 "Interpret Reserved flag as Security flag (RFC 3514)",
3102 "Whether to interpret the originally reserved flag as security flag",
3104 prefs_register_bool_preference(ip_module, "try_heuristic_first",
3105 "Try heuristic sub-dissectors first",
3106 "Try to decode a packet using an heuristic sub-dissector before using a sub-dissector registered to a specific port",
3107 &try_heuristic_first);
3109 register_dissector("ip", dissect_ip, proto_ip);
3110 register_init_routine(ip_defragment_init);
3111 register_cleanup_routine(ip_defragment_cleanup);
3112 ip_tap = register_tap("ip");
3114 register_decode_as(&ip_da);
3115 register_conversation_table(proto_ip, TRUE, ip_conversation_packet, ip_hostlist_packet);
3116 register_color_conversation_filter("ip", "IPv4", ip_color_filter_valid, ip_build_color_filter);
3120 proto_reg_handoff_ip(void)
3122 dissector_handle_t ip_handle;
3124 ip_handle = find_dissector("ip");
3125 ipv6_handle = find_dissector("ipv6");
3126 data_handle = find_dissector("data");
3128 dissector_add_uint("ethertype", ETHERTYPE_IP, ip_handle);
3129 dissector_add_uint("erf.types.type", ERF_TYPE_IPV4, ip_handle);
3130 dissector_add_uint("ppp.protocol", PPP_IP, ip_handle);
3131 dissector_add_uint("ppp.protocol", ETHERTYPE_IP, ip_handle);
3132 dissector_add_uint("gre.proto", ETHERTYPE_IP, ip_handle);
3133 dissector_add_uint("gre.proto", GRE_WCCP, ip_handle);
3134 dissector_add_uint("llc.dsap", SAP_IP, ip_handle);
3135 dissector_add_uint("ip.proto", IP_PROTO_IPIP, ip_handle);
3136 dissector_add_uint("null.type", BSD_AF_INET, ip_handle);
3137 dissector_add_uint("chdlc.protocol", ETHERTYPE_IP, ip_handle);
3138 dissector_add_uint("osinl.excl", NLPID_IP, ip_handle);
3139 dissector_add_uint("fr.nlpid", NLPID_IP, ip_handle);
3140 dissector_add_uint("x.25.spi", NLPID_IP, ip_handle);
3141 dissector_add_uint("arcnet.protocol_id", ARCNET_PROTO_IP_1051, ip_handle);
3142 dissector_add_uint("arcnet.protocol_id", ARCNET_PROTO_IP_1201, ip_handle);
3143 dissector_add_uint("ax25.pid", AX25_P_IP, ip_handle);
3144 dissector_add_uint("juniper.proto", JUNIPER_PROTO_IP, ip_handle);
3145 dissector_add_uint("juniper.proto", JUNIPER_PROTO_MPLS_IP, ip_handle);
3146 dissector_add_uint("pwach.channel_type", 0x21, ip_handle); /* IPv4, RFC4385 clause 6. */
3147 dissector_add_uint("sflow_245.header_protocol", SFLOW_245_HEADER_IPv4, ip_handle);
3148 dissector_add_uint("l2tp.pw_type", L2TPv3_PROTOCOL_IP, ip_handle);
3149 dissector_add_for_decode_as("udp.port", ip_handle);
3150 dissector_add_uint("wtap_encap", WTAP_ENCAP_RAW_IP4, ip_handle);
3152 heur_dissector_add("tipc", dissect_ip_heur, "IP over TIPC", "ip_tipc", proto_ip, HEURISTIC_ENABLE);
3156 * Editor modelines - http://www.wireshark.org/tools/modelines.html
3161 * indent-tabs-mode: nil
3164 * vi: set shiftwidth=2 tabstop=8 expandtab:
3165 * :indentSize=2:tabSize=8:noTabs=true: