2 * Routines for Token-Ring packet disassembly
3 * Gilbert Ramirez <gram@xiexie.org>
5 * $Id: packet-tr.c,v 1.38 2000/05/11 08:15:53 gram Exp $
7 * Ethereal - Network traffic analyzer
8 * By Gerald Combs <gerald@zing.org>
9 * Copyright 1998 Gerald Combs
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version 2
15 * of the License, or (at your option) any later version.
17 * This program is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU General Public License for more details.
22 * You should have received a copy of the GNU General Public License
23 * along with this program; if not, write to the Free Software
24 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
31 #ifdef HAVE_SYS_TYPES_H
32 # include <sys/types.h>
38 #include "packet-llc.h"
39 #include "packet-trmac.h"
41 static int proto_tr = -1;
42 static int hf_tr_dst = -1;
43 static int hf_tr_src = -1;
44 static int hf_tr_addr = -1;
45 static int hf_tr_sr = -1;
46 static int hf_tr_ac = -1;
47 static int hf_tr_priority = -1;
48 static int hf_tr_frame = -1;
49 static int hf_tr_monitor_cnt = -1;
50 static int hf_tr_priority_reservation = -1;
51 static int hf_tr_fc = -1;
52 static int hf_tr_fc_type = -1;
53 static int hf_tr_fc_pcf = -1;
54 static int hf_tr_rif_bytes = -1;
55 static int hf_tr_broadcast = -1;
56 static int hf_tr_max_frame_size = -1;
57 static int hf_tr_direction = -1;
58 static int hf_tr_rif = -1;
59 static int hf_tr_rif_ring = -1;
60 static int hf_tr_rif_bridge = -1;
62 static gint ett_token_ring = -1;
63 static gint ett_token_ring_ac = -1;
64 static gint ett_token_ring_fc = -1;
66 #define TR_MIN_HEADER_LEN 14
67 #define TR_MAX_HEADER_LEN 32
69 static const true_false_string ac_truth = { "Frame", "Token" };
71 static const value_string pcf_vals[] = {
72 { 0, "Normal buffer" },
73 { 1, "Express buffer" },
77 { 5, "Active Monitor Present" },
78 { 6, "Standby Monitor Present" },
82 static const value_string frame_vals[] = {
89 static const value_string broadcast_vals[] = {
90 { 0 << 5, "Non-broadcast" },
91 { 1 << 5, "Non-broadcast" },
92 { 2 << 5, "Non-broadcast" },
93 { 3 << 5, "Non-broadcast" },
94 { 4 << 5, "All-routes broadcast" },
95 { 5 << 5, "All-routes broadcast" },
96 { 6 << 5, "Single-route broadcast" },
97 { 7 << 5, "Single-route broadcast" },
101 static const value_string max_frame_size_vals[] = {
112 static const value_string direction_vals[] = {
113 { 0, "From originating station (-->)" },
114 { 128, "To originating station (<--)" },
119 * DODGY LINUX HACK DODGY LINUX HACK
120 * Linux 2.0.x always passes frames to the Token Ring driver for transmission with
121 * 18 bytes padding for source routing information. Some drivers copy the first
122 * (18 - srlen) bytes up the frame (18 - srlen) bytes thus removing the padding.
123 * Other drivers just make a copy of the entire frame and then hack about with it
124 * so the frame the sniffer gets is fine (just has extra sr routing).
125 * In the first instance (driver hacking frame in situ) the sniffer gets a garbled
127 * This function trys to detect this and returns the offset of where
128 * the frame really starts.
129 * This only detects frames that we have sent ourselves so if we are packet sniffing
130 * on the machine we are watching this is useful.
131 * Compare offset 0 with offset x+1 for a length of x bytes for all value of x = 1 to 18
132 * if match then Linux driver has done in situ source route compression of the crappy
133 * Linux 2.0.x frame so the beginning of the real frame is x bytes in.
134 * (And this real frame x bytes in looks like a proper TR frame that goes on the wire
135 * with none of the Linux idiosyncrasies).
137 int check_for_old_linux(const u_char * pd)
142 if (memcmp(&pd[0],&pd[x],x) == 0)
151 add_ring_bridge_pairs(int rcf_len, const u_char *pd, int offset, proto_tree *tree);
154 capture_tr(const u_char *pd, int offset, packet_counts *ld) {
156 int source_routed = 0;
159 guint8 trn_rif_bytes;
160 guint8 actual_rif_bytes;
162 /* The trn_hdr struct, as separate variables */
163 guint8 trn_fc; /* field control field */
164 const guint8 *trn_shost; /* source host */
166 if (!BYTES_ARE_IN_FRAME(offset, TR_MIN_HEADER_LEN)) {
171 if ((x = check_for_old_linux(pd)))
173 /* Actually packet starts x bytes into what we have got but with all
174 source routing compressed
176 /* pd = &pd[x]; */ offset+=x;
180 trn_fc = pd[offset + 1];
181 trn_shost = &pd[offset + 8];
183 frame_type = (trn_fc & 192) >> 6;
185 /* if the high bit on the first byte of src hwaddr is 1, then
186 this packet is source-routed */
187 source_routed = trn_shost[0] & 128;
189 trn_rif_bytes = pd[offset + 14] & 31;
191 /* sometimes we have a RCF but no RIF... half source-routed? */
192 if (!source_routed && trn_rif_bytes > 0) {
193 /* I'll check for 2 bytes of RIF and mark the packet as source
194 * routed even though I'm not sure _what_ that kind of packet is */
195 if (trn_rif_bytes == 2) {
198 /* the Linux 2.0 TR code strips source-route bits in
199 * order to test for SR. This can be removed from most
200 * packets with oltr, but not all. So, I try to figure out
201 * which packets should have been SR here. I'll check to
202 * see if there's a SNAP or IPX field right after
206 pd[offset + 0x0e + trn_rif_bytes] == 0xaa &&
207 pd[offset + 0x0f + trn_rif_bytes] == 0xaa &&
208 pd[offset + 0x10 + trn_rif_bytes] == 0x03) ||
210 pd[offset + 0x0e + trn_rif_bytes] == 0xe0 &&
211 pd[offset + 0x0f + trn_rif_bytes] == 0xe0) ) {
219 actual_rif_bytes = trn_rif_bytes;
223 actual_rif_bytes = 0;
226 /* this is a silly hack for Linux 2.0.x. Read the comment below,
227 in front of the other #ifdef linux. If we're sniffing our own NIC,
228 we get a full RIF, sometimes with garbage */
229 if ((source_routed && trn_rif_bytes == 2 && frame_type == 1) ||
230 (!source_routed && frame_type == 1)) {
231 /* look for SNAP or IPX only */
232 if ( (pd[offset + 0x20] == 0xaa && pd[offset + 0x21] == 0xaa && pd[offset + 0x22] == 03) ||
233 (pd[offset + 0x20] == 0xe0 && pd[offset + 0x21] == 0xe0) ) {
234 actual_rif_bytes = 18;
236 pd[offset + 0x23] == 0 &&
237 pd[offset + 0x24] == 0 &&
238 pd[offset + 0x25] == 0 &&
239 pd[offset + 0x26] == 0x00 &&
240 pd[offset + 0x27] == 0x11) {
242 actual_rif_bytes = 18;
244 /* Linux 2.0.x also requires drivers pass up a fake SNAP and LLC header before th
245 real LLC hdr for all Token Ring frames that arrive with DSAP and SSAP != 0xAA
246 (i.e. for non SNAP frames e.g. for Netware frames)
247 the fake SNAP header has the ETH_P_TR_802_2 ether type (0x0011) and the protocol id
248 bytes as zero frame looks like :-
249 TR Header | Fake LLC | Fake SNAP | Wire LLC | Rest of data */
250 offset += 8; /* Skip fake LLC and SNAP */
254 offset += actual_rif_bytes + 14;
256 /* The package is either MAC or LLC */
257 switch (frame_type) {
263 capture_llc(pd, offset, ld);
266 /* non-MAC, non-LLC, i.e., "Reserved" */
274 dissect_tr(const u_char *pd, int offset, frame_data *fd, proto_tree *tree) {
276 proto_tree *tr_tree, *bf_tree;
279 int source_routed = 0;
281 guint8 trn_rif_bytes;
282 guint8 actual_rif_bytes;
284 /* The trn_hdr struct, as separate variables */
285 guint8 trn_ac; /* access control field */
286 guint8 trn_fc; /* field control field */
287 const guint8 *trn_dhost; /* destination host */
288 const guint8 *trn_shost; /* source host */
290 /* non-source-routed version of source addr */
291 static guint8 trn_shost_nonsr[6];
294 /* Token-Ring Strings */
295 char *fc[] = { "MAC", "LLC", "Reserved", "Unknown" };
297 if (!BYTES_ARE_IN_FRAME(offset, TR_MIN_HEADER_LEN)) {
298 dissect_data(pd, offset, fd, tree);
302 if ((x = check_for_old_linux(pd)))
304 /* Actually packet starts x bytes into what we have got but with all
305 source routing compressed. See comment above */
311 trn_fc = pd[offset+1];
312 trn_dhost = &pd[offset+2];
313 trn_shost = &pd[offset+8];
315 memcpy(trn_shost_nonsr, trn_shost, 6 * sizeof(guint8));
316 trn_shost_nonsr[0] &= 127;
317 frame_type = (trn_fc & 192) >> 6;
319 /* if the high bit on the first byte of src hwaddr is 1, then
320 this packet is source-routed */
321 source_routed = trn_shost[0] & 128;
323 trn_rif_bytes = pd[offset+14] & 31;
325 /* sometimes we have a RCF but no RIF... half source-routed? */
326 /* I'll check for 2 bytes of RIF and the 0x70 byte */
327 if (!source_routed && trn_rif_bytes > 0) {
328 if (trn_rif_bytes == 2) {
331 /* the Linux 2.0 TR code strips source-route bits in
332 * order to test for SR. This can be removed from most
333 * packets with oltr, but not all. So, I try to figure out
334 * which packets should have been SR here. I'll check to
335 * see if there's a SNAP or IPX field right after
339 pd[offset + 0x0e + trn_rif_bytes] == 0xaa &&
340 pd[offset + 0x0f + trn_rif_bytes] == 0xaa &&
341 pd[offset + 0x10 + trn_rif_bytes] == 0x03) ||
343 pd[offset + 0x0e + trn_rif_bytes] == 0xe0 &&
344 pd[offset + 0x0f + trn_rif_bytes] == 0xe0) ) {
349 printf("0e+%d = %02X 0f+%d = %02X\n", trn_rif_bytes,
350 pd[offset + 0x0e + trn_rif_bytes],
352 pd[offset + 0x0f + trn_rif_bytes]);
358 actual_rif_bytes = trn_rif_bytes;
362 actual_rif_bytes = 0;
365 /* this is a silly hack for Linux 2.0.x. Read the comment below,
366 in front of the other #ifdef linux. If we're sniffing our own NIC,
367 we get a full RIF, sometimes with garbage */
368 if ((source_routed && trn_rif_bytes == 2 && frame_type == 1) ||
369 (!source_routed && frame_type == 1)) {
370 /* look for SNAP or IPX only */
371 if ( (pd[offset + 0x20] == 0xaa &&
372 pd[offset + 0x21] == 0xaa &&
373 pd[offset + 0x22] == 03)
375 (pd[offset + 0x20] == 0xe0 &&
376 pd[offset + 0x21] == 0xe0) ) {
378 actual_rif_bytes = 18;
387 actual_rif_bytes = 18;
389 /* Linux 2.0.x also requires drivers pass up a fake SNAP and LLC header before th
390 real LLC hdr for all Token Ring frames that arrive with DSAP and SSAP != 0xAA
391 (i.e. for non SNAP frames e.g. for Netware frames)
392 the fake SNAP header has the ETH_P_TR_802_2 ether type (0x0011) and the protocol id
393 bytes as zero frame looks like :-
394 TR Header | Fake LLC | Fake SNAP | Wire LLC | Rest of data */
395 fixoffset += 8; /* Skip fake LLC and SNAP */
399 /* XXX - copy it to some buffer associated with "pi", rather than
400 just making "trn_shost_nonsr" static? */
401 SET_ADDRESS(&pi.dl_src, AT_ETHER, 6, trn_shost_nonsr);
402 SET_ADDRESS(&pi.src, AT_ETHER, 6, trn_shost_nonsr);
403 SET_ADDRESS(&pi.dl_dst, AT_ETHER, 6, trn_dhost);
404 SET_ADDRESS(&pi.dst, AT_ETHER, 6, trn_dhost);
406 /* information window */
407 if (check_col(fd, COL_PROTOCOL))
408 col_add_str(fd, COL_PROTOCOL, "TR");
409 if (check_col(fd, COL_INFO))
410 col_add_fstr(fd, COL_INFO, "Token-Ring %s", fc[frame_type]);
412 /* protocol analysis tree */
414 /* Create Token-Ring Tree */
415 ti = proto_tree_add_item(tree, proto_tr, NullTVB, offset, 14 + actual_rif_bytes, NULL);
416 tr_tree = proto_item_add_subtree(ti, ett_token_ring);
418 /* Create the Access Control bitfield tree */
419 trn_ac = pd[offset+0];
420 ti = proto_tree_add_item(tr_tree, hf_tr_ac, NullTVB, offset, 1, trn_ac);
421 bf_tree = proto_item_add_subtree(ti, ett_token_ring_ac);
423 proto_tree_add_item(bf_tree, hf_tr_priority, NullTVB, offset, 1, trn_ac);
424 proto_tree_add_item(bf_tree, hf_tr_frame, NullTVB, offset, 1, trn_ac);
425 proto_tree_add_item(bf_tree, hf_tr_monitor_cnt, NullTVB, offset, 1, trn_ac);
426 proto_tree_add_item(bf_tree, hf_tr_priority_reservation, NullTVB, offset, 1, trn_ac);
428 /* Create the Frame Control bitfield tree */
429 ti = proto_tree_add_item(tr_tree, hf_tr_fc, NullTVB, offset + 1, 1, trn_fc);
430 bf_tree = proto_item_add_subtree(ti, ett_token_ring_fc);
432 proto_tree_add_item(bf_tree, hf_tr_fc_type, NullTVB, offset + 1, 1, trn_fc);
433 proto_tree_add_item(bf_tree, hf_tr_fc_pcf, NullTVB, offset + 1, 1, trn_fc);
434 proto_tree_add_item(tr_tree, hf_tr_dst, NullTVB, offset + 2, 6, trn_dhost);
435 proto_tree_add_item(tr_tree, hf_tr_src, NullTVB, offset + 8, 6, trn_shost);
436 proto_tree_add_item_hidden(tr_tree, hf_tr_addr, NullTVB, offset + 2, 6, trn_dhost);
437 proto_tree_add_item_hidden(tr_tree, hf_tr_addr, NullTVB, offset + 8, 6, trn_shost);
439 proto_tree_add_item(tr_tree, hf_tr_sr, NullTVB, offset + 8, 1, source_routed);
441 /* non-source-routed version of src addr */
442 proto_tree_add_item_hidden(tr_tree, hf_tr_src, NullTVB, offset + 8, 6, trn_shost_nonsr);
446 proto_tree_add_item(tr_tree, hf_tr_rif_bytes, NullTVB, offset + 14, 1, trn_rif_bytes);
447 proto_tree_add_item(tr_tree, hf_tr_broadcast, NullTVB, offset + 14, 1, pd[offset + 14] & 224);
450 proto_tree_add_item(tr_tree, hf_tr_max_frame_size, NullTVB, offset + 15, 1, pd[offset + 15] & 112);
451 proto_tree_add_item(tr_tree, hf_tr_direction, NullTVB, offset + 15, 1, pd[offset + 15] & 128);
453 /* if we have more than 2 bytes of RIF, then we have
455 if ((trn_rif_bytes > 2) && BYTES_ARE_IN_FRAME(offset + 14, trn_rif_bytes)) {
456 add_ring_bridge_pairs(trn_rif_bytes,
457 pd, offset, tr_tree);
461 /* Linux 2.0.x has a problem in that the 802.5 code creates
462 an emtpy full (18-byte) RIF area. It's up to the tr driver to
463 either fill it in or remove it before sending the bytes out
464 to the wire. If you run tcpdump on a Linux 2.0.x machine running
465 token-ring, tcpdump will capture these 18 filler bytes. They
466 are filled with garbage. The best way to detect this problem is
467 to know the src hwaddr of the machine from which you were running
468 tcpdump. W/o that, however, I'm guessing that DSAP == SSAP if the
469 frame type is LLC. It's very much a hack. -- Gilbert Ramirez */
470 if (actual_rif_bytes > trn_rif_bytes) {
471 proto_tree_add_text(tr_tree, NullTVB, 14 + trn_rif_bytes, actual_rif_bytes - trn_rif_bytes,
472 "Empty RIF from Linux 2.0.x driver. The sniffing NIC "
473 "is also running a protocol stack.");
476 proto_tree_add_text(tr_tree, NullTVB, 14 + 18,8,"Linux 2.0.x fake LLC and SNAP header");
479 offset += 14 + actual_rif_bytes + fixoffset;
481 if (IS_DATA_IN_FRAME(offset)) {
482 /* The package is either MAC or LLC */
483 switch (frame_type) {
486 dissect_trmac(pd, offset, fd, tree);
489 dissect_llc(pd, offset, fd, tree);
492 /* non-MAC, non-LLC, i.e., "Reserved" */
493 dissect_data(pd, offset, fd, tree);
499 /* this routine is taken from the Linux net/802/tr.c code, which shows
500 ring-bridge pairs in the /proc/net/tr_rif virtual file. */
502 add_ring_bridge_pairs(int rcf_len, const u_char *pd, int offset, proto_tree *tree)
505 int segment, brdgnmb, unprocessed_rif;
508 #define RIF_BYTES_TO_PROCESS 30
510 char buffer[3 + (RIF_BYTES_TO_PROCESS / 2) * 6 + 1];
512 /* Only process so many bytes of RIF, as per TR spec, and not overflow
513 * static buffer above */
514 unprocessed_rif = rcf_len - RIF_BYTES_TO_PROCESS;
515 rcf_len = MIN(rcf_len, RIF_BYTES_TO_PROCESS);
517 /* Ignore the 2 RCF bytes, since they don't make up the ring/bride pairs */
520 for(j = 1; j < rcf_len - 1; j += 2) {
522 segment=pntohs(&pd[offset + 16]) >> 4;
523 size = sprintf(buffer, "%03X",segment);
524 proto_tree_add_item_hidden(tree, hf_tr_rif_ring, NullTVB, offset + 16, 2, segment);
527 segment=pntohs(&pd[offset+17+j]) >> 4;
528 brdgnmb=pd[offset+16+j] & 0x0f;
529 size = sprintf(buffer+buff_offset, "-%01X-%03X",brdgnmb,segment);
530 proto_tree_add_item_hidden(tree, hf_tr_rif_ring, NullTVB, offset+17+j, 2, segment);
531 proto_tree_add_item_hidden(tree, hf_tr_rif_bridge, NullTVB, offset+16+j, 1, brdgnmb);
534 proto_tree_add_item(tree, hf_tr_rif, NullTVB, offset+16, rcf_len, buffer);
536 if (unprocessed_rif > 0) {
537 proto_tree_add_text(tree, NullTVB, offset+14+RIF_BYTES_TO_PROCESS, unprocessed_rif,
538 "Extra RIF bytes beyond spec: %d", unprocessed_rif);
543 proto_register_tr(void)
545 static hf_register_info hf[] = {
547 { "Access Control", "tr.ac", FT_UINT8, BASE_HEX, NULL, 0x0,
551 { "Priority", "tr.priority", FT_UINT8, BASE_DEC, NULL, 0xe0,
555 { "Frame", "tr.frame", FT_BOOLEAN, 8, TFS(&ac_truth), 0x10,
558 { &hf_tr_monitor_cnt,
559 { "Monitor Count", "tr.monitor_cnt", FT_UINT8, BASE_DEC, NULL, 0x08,
562 { &hf_tr_priority_reservation,
563 { "Priority Reservation","tr.priority_reservation", FT_UINT8, BASE_DEC, NULL, 0x07,
567 { "Frame Control", "tr.fc", FT_UINT8, BASE_HEX, NULL, 0x0,
571 { "Frame Type", "tr.frame_type", FT_UINT8, BASE_DEC, VALS(frame_vals), 0xc0,
575 { "Frame PCF", "tr.frame_pcf", FT_UINT8, BASE_DEC, VALS(pcf_vals), 0x0f,
579 { "Destination", "tr.dst", FT_ETHER, BASE_NONE, NULL, 0x0,
580 "Destination Hardware Address" }},
583 { "Source", "tr.src", FT_ETHER, BASE_NONE, NULL, 0x0,
584 "Source Hardware Address" }},
587 { "Source or Destination Address", "tr.addr", FT_ETHER, BASE_NONE, NULL, 0x0,
588 "Source or Destination Hardware Address" }},
591 { "Source Routed", "tr.sr", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
595 { "RIF Bytes", "tr.rif_bytes", FT_UINT8, BASE_DEC, NULL, 0x0,
596 "Number of bytes in Routing Information Fields, including "
597 "the two bytes of Routing Control Field" }},
600 { "Broadcast Type", "tr.broadcast", FT_UINT8, BASE_DEC, VALS(broadcast_vals), 0x0,
601 "Type of Token-Ring Broadcast" }},
603 { &hf_tr_max_frame_size,
604 { "Maximum Frame Size", "tr.max_frame_size", FT_UINT8, BASE_DEC, VALS(max_frame_size_vals),
609 { "Direction", "tr.direction", FT_UINT8, BASE_DEC, VALS(direction_vals), 0x0,
610 "Direction of RIF" }},
613 { "Ring-Bridge Pairs", "tr.rif", FT_STRING, BASE_NONE, NULL, 0x0,
614 "String representing Ring-Bridge Pairs" }},
617 { "RIF Ring", "tr.rif.ring", FT_UINT16, BASE_HEX, NULL, 0x0,
621 { "RIF Bridge", "tr.rif.bridge", FT_UINT8, BASE_HEX, NULL, 0x0,
624 static gint *ett[] = {
630 proto_tr = proto_register_protocol("Token-Ring", "tr");
631 proto_register_field_array(proto_tr, hf, array_length(hf));
632 proto_register_subtree_array(ett, array_length(ett));