2 * Routines for IP and miscellaneous IP protocol packet disassembly
6 * Wireshark - Network traffic analyzer
7 * By Gerald Combs <gerald@wireshark.org>
8 * Copyright 1998 Gerald Combs
10 * Wednesday, January 17, 2006
11 * Support for the CIPSO IPv4 option
12 * (http://sourceforge.net/docman/display_doc.php?docid=34650&group_id=174379)
13 * by Paul Moore <paul.moore@hp.com>
15 * This program is free software; you can redistribute it and/or
16 * modify it under the terms of the GNU General Public License
17 * as published by the Free Software Foundation; either version 2
18 * of the License, or (at your option) any later version.
20 * This program is distributed in the hope that it will be useful,
21 * but WITHOUT ANY WARRANTY; without even the implied warranty of
22 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
23 * GNU General Public License for more details.
25 * You should have received a copy of the GNU General Public License
26 * along with this program; if not, write to the Free Software
27 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
38 #include <epan/packet.h>
39 #include <epan/addr_resolv.h>
40 #include <epan/ipproto.h>
41 #include <epan/ip_opts.h>
42 #include <epan/prefs.h>
43 #include <epan/reassemble.h>
44 #include <epan/etypes.h>
45 #include <epan/greproto.h>
46 #include <epan/ppptypes.h>
47 #include <epan/llcsaps.h>
48 #include <epan/aftypes.h>
49 #include <epan/arcnet_pids.h>
50 #include <epan/in_cksum.h>
51 #include <epan/nlpid.h>
53 #include <epan/emem.h>
54 #include <epan/expert.h>
56 #include "packet-ip.h"
57 #include "packet-ipsec.h"
61 #include <epan/geoip_db.h>
62 #endif /* HAVE_GEOIP */
65 static int ip_tap = -1;
67 /* Decode the old IPv4 TOS field as the DiffServ DS Field (RFC2474/2475) */
68 static gboolean g_ip_dscp_actif = TRUE;
70 /* Defragment fragmented IP datagrams */
71 static gboolean ip_defragment = TRUE;
73 /* Place IP summary in proto tree */
74 static gboolean ip_summary_in_tree = TRUE;
76 /* Perform IP checksum */
77 static gboolean ip_check_checksum = TRUE;
79 /* Assume TSO and correct zero-length IP packets */
80 static gboolean ip_tso_supported = FALSE;
83 /* Look up addresses in GeoIP */
84 static gboolean ip_use_geoip = FALSE;
85 #endif /* HAVE_GEOIP */
87 static int proto_ip = -1;
88 static int hf_ip_version = -1;
89 static int hf_ip_hdr_len = -1;
90 static int hf_ip_dsfield = -1;
91 static int hf_ip_dsfield_dscp = -1;
92 static int hf_ip_dsfield_ect = -1;
93 static int hf_ip_dsfield_ce = -1;
94 static int hf_ip_tos = -1;
95 static int hf_ip_tos_precedence = -1;
96 static int hf_ip_tos_delay = -1;
97 static int hf_ip_tos_throughput = -1;
98 static int hf_ip_tos_reliability = -1;
99 static int hf_ip_tos_cost = -1;
100 static int hf_ip_len = -1;
101 static int hf_ip_id = -1;
102 static int hf_ip_dst = -1;
103 static int hf_ip_dst_host = -1;
104 static int hf_ip_src = -1;
105 static int hf_ip_src_host = -1;
106 static int hf_ip_addr = -1;
107 static int hf_ip_host = -1;
108 static int hf_ip_flags = -1;
109 static int hf_ip_flags_rf = -1;
110 static int hf_ip_flags_df = -1;
111 static int hf_ip_flags_mf = -1;
112 static int hf_ip_frag_offset = -1;
113 static int hf_ip_ttl = -1;
114 static int hf_ip_proto = -1;
115 static int hf_ip_checksum = -1;
116 static int hf_ip_checksum_good = -1;
117 static int hf_ip_checksum_bad = -1;
118 static int hf_ip_fragments = -1;
119 static int hf_ip_fragment = -1;
120 static int hf_ip_fragment_overlap = -1;
121 static int hf_ip_fragment_overlap_conflict = -1;
122 static int hf_ip_fragment_multiple_tails = -1;
123 static int hf_ip_fragment_too_long_fragment = -1;
124 static int hf_ip_fragment_error = -1;
125 static int hf_ip_reassembled_in = -1;
128 static int hf_geoip_country = -1;
129 static int hf_geoip_city = -1;
130 static int hf_geoip_org = -1;
131 static int hf_geoip_isp = -1;
132 static int hf_geoip_asnum = -1;
133 static int hf_geoip_lat = -1;
134 static int hf_geoip_lon = -1;
135 static int hf_geoip_src_country = -1;
136 static int hf_geoip_src_city = -1;
137 static int hf_geoip_src_org = -1;
138 static int hf_geoip_src_isp = -1;
139 static int hf_geoip_src_asnum = -1;
140 static int hf_geoip_src_lat = -1;
141 static int hf_geoip_src_lon = -1;
142 static int hf_geoip_dst_country = -1;
143 static int hf_geoip_dst_city = -1;
144 static int hf_geoip_dst_org = -1;
145 static int hf_geoip_dst_isp = -1;
146 static int hf_geoip_dst_asnum = -1;
147 static int hf_geoip_dst_lat = -1;
148 static int hf_geoip_dst_lon = -1;
149 #endif /* HAVE_GEOIP */
151 static gint ett_ip = -1;
152 static gint ett_ip_dsfield = -1;
153 static gint ett_ip_tos = -1;
154 static gint ett_ip_off = -1;
155 static gint ett_ip_options = -1;
156 static gint ett_ip_option_sec = -1;
157 static gint ett_ip_option_route = -1;
158 static gint ett_ip_option_timestamp = -1;
159 static gint ett_ip_option_cipso = -1;
160 static gint ett_ip_fragments = -1;
161 static gint ett_ip_fragment = -1;
162 static gint ett_ip_checksum = -1;
165 static gint ett_geoip_info = -1;
166 #endif /* HAVE_GEOIP */
168 static const fragment_items ip_frag_items = {
173 &hf_ip_fragment_overlap,
174 &hf_ip_fragment_overlap_conflict,
175 &hf_ip_fragment_multiple_tails,
176 &hf_ip_fragment_too_long_fragment,
177 &hf_ip_fragment_error,
178 &hf_ip_reassembled_in,
182 static dissector_table_t ip_dissector_table;
184 static dissector_handle_t ipv6_handle;
185 static dissector_handle_t data_handle;
186 static dissector_handle_t tapa_handle;
189 /* IP structs and definitions */
191 /* Offsets of fields within an IP header. */
203 /* Minimum IP header length. */
204 #define IPH_MIN_LEN 20
207 #define IP_RF 0x8000 /* Flag: "Reserved bit" */
208 #define IP_DF 0x4000 /* Flag: "Don't Fragment" */
209 #define IP_MF 0x2000 /* Flag: "More Fragments" */
210 #define IP_OFFSET 0x1FFF /* "Fragment Offset" part */
212 /* Differentiated Services Field. See RFCs 2474, 2597 and 2598. */
213 #define IPDSFIELD_DSCP_MASK 0xFC
214 #define IPDSFIELD_ECN_MASK 0x03
215 #define IPDSFIELD_DSCP_SHIFT 2
216 #define IPDSFIELD_DSCP(dsfield) (((dsfield)&IPDSFIELD_DSCP_MASK)>>IPDSFIELD_DSCP_SHIFT)
217 #define IPDSFIELD_ECN(dsfield) ((dsfield)&IPDSFIELD_ECN_MASK)
218 #define IPDSFIELD_DSCP_DEFAULT 0x00
219 #define IPDSFIELD_DSCP_CS1 0x08
220 #define IPDSFIELD_DSCP_CS2 0x10
221 #define IPDSFIELD_DSCP_CS3 0x18
222 #define IPDSFIELD_DSCP_CS4 0x20
223 #define IPDSFIELD_DSCP_CS5 0x28
224 #define IPDSFIELD_DSCP_CS6 0x30
225 #define IPDSFIELD_DSCP_CS7 0x38
226 #define IPDSFIELD_DSCP_AF11 0x0A
227 #define IPDSFIELD_DSCP_AF12 0x0C
228 #define IPDSFIELD_DSCP_AF13 0x0E
229 #define IPDSFIELD_DSCP_AF21 0x12
230 #define IPDSFIELD_DSCP_AF22 0x14
231 #define IPDSFIELD_DSCP_AF23 0x16
232 #define IPDSFIELD_DSCP_AF31 0x1A
233 #define IPDSFIELD_DSCP_AF32 0x1C
234 #define IPDSFIELD_DSCP_AF33 0x1E
235 #define IPDSFIELD_DSCP_AF41 0x22
236 #define IPDSFIELD_DSCP_AF42 0x24
237 #define IPDSFIELD_DSCP_AF43 0x26
238 #define IPDSFIELD_DSCP_EF 0x2E
239 #define IPDSFIELD_ECT_MASK 0x02
240 #define IPDSFIELD_CE_MASK 0x01
242 /* IP TOS, superseded by the DS Field, RFC 2474. */
243 #define IPTOS_TOS_MASK 0x1E
244 #define IPTOS_TOS(tos) ((tos) & IPTOS_TOS_MASK)
245 #define IPTOS_NONE 0x00
246 #define IPTOS_LOWCOST 0x02
247 #define IPTOS_RELIABILITY 0x04
248 #define IPTOS_THROUGHPUT 0x08
249 #define IPTOS_LOWDELAY 0x10
250 #define IPTOS_SECURITY 0x1E
252 #define IPTOS_PREC_MASK 0xE0
253 #define IPTOS_PREC_SHIFT 5
254 #define IPTOS_PREC(tos) (((tos)&IPTOS_PREC_MASK)>>IPTOS_PREC_SHIFT)
255 #define IPTOS_PREC_NETCONTROL 7
256 #define IPTOS_PREC_INTERNETCONTROL 6
257 #define IPTOS_PREC_CRITIC_ECP 5
258 #define IPTOS_PREC_FLASHOVERRIDE 4
259 #define IPTOS_PREC_FLASH 3
260 #define IPTOS_PREC_IMMEDIATE 2
261 #define IPTOS_PREC_PRIORITY 1
262 #define IPTOS_PREC_ROUTINE 0
265 #define IPOPT_COPY 0x80
267 #define IPOPT_CONTROL 0x00
268 #define IPOPT_RESERVED1 0x20
269 #define IPOPT_MEASUREMENT 0x40
270 #define IPOPT_RESERVED2 0x60
272 #define IPOPT_END (0 |IPOPT_CONTROL)
273 #define IPOPT_NOOP (1 |IPOPT_CONTROL)
274 #define IPOPT_SEC (2 |IPOPT_CONTROL|IPOPT_COPY)
275 #define IPOPT_LSRR (3 |IPOPT_CONTROL|IPOPT_COPY)
276 #define IPOPT_TIMESTAMP (4 |IPOPT_MEASUREMENT)
277 #define IPOPT_CIPSO (6 |IPOPT_CONTROL|IPOPT_COPY)
278 #define IPOPT_RR (7 |IPOPT_CONTROL)
279 #define IPOPT_SID (8 |IPOPT_CONTROL|IPOPT_COPY)
280 #define IPOPT_SSRR (9 |IPOPT_CONTROL|IPOPT_COPY)
281 #define IPOPT_RA (20|IPOPT_CONTROL|IPOPT_COPY)
282 #define IPOPT_QS (25|IPOPT_CONTROL)
284 /* IP option lengths */
285 #define IPOLEN_SEC 11
286 #define IPOLEN_LSRR_MIN 3
287 #define IPOLEN_TIMESTAMP_MIN 5
288 #define IPOLEN_RR_MIN 3
290 #define IPOLEN_SSRR_MIN 3
293 #define IPOLEN_CIPSO_MIN 10
295 #define IPSEC_UNCLASSIFIED 0x0000
296 #define IPSEC_CONFIDENTIAL 0xF135
297 #define IPSEC_EFTO 0x789A
298 #define IPSEC_MMMM 0xBC4D
299 #define IPSEC_RESTRICTED 0xAF13
300 #define IPSEC_SECRET 0xD788
301 #define IPSEC_TOPSECRET 0x6BC5
302 #define IPSEC_RESERVED1 0x35E2
303 #define IPSEC_RESERVED2 0x9AF1
304 #define IPSEC_RESERVED3 0x4D78
305 #define IPSEC_RESERVED4 0x24BD
306 #define IPSEC_RESERVED5 0x135E
307 #define IPSEC_RESERVED6 0x89AF
308 #define IPSEC_RESERVED7 0xC4D6
309 #define IPSEC_RESERVED8 0xE26B
311 #define IPOPT_TS_TSONLY 0 /* timestamps only */
312 #define IPOPT_TS_TSANDADDR 1 /* timestamps and addresses */
313 #define IPOPT_TS_PRESPEC 3 /* specified modules only */
315 #define IPLOCAL_NETWRK_CTRL_BLK_VRRP_ADDR 0xE0000012
316 #define IPLOCAL_NETWRK_CTRL_BLK_VRRP_TTL 0xFF
317 #define IPLOCAL_NETWRK_CTRL_BLK_GLPB_ADDR 0xE0000066
318 #define IPLOCAL_NETWRK_CTRL_BLK_GLPB_TTL 0XFF
319 #define IPLOCAL_NETWRK_CTRL_BLK_MDNS_ADDR 0xE00000FB
320 #define IPLOCAL_NETWRK_CTRL_BLK_MDNS_TTL 0XFF
321 #define IPLOCAL_NETWRK_CTRL_BLK_LLMNR_ADDR 0xE00000FC
323 #define IPLOCAL_NETWRK_CTRL_BLK_ANY_TTL 0x1000 /* larger than max ttl */
324 #define IPLOCAL_NETWRK_CTRL_BLK_DEFAULT_TTL 0X01
326 /* Return true if the address is in the 224.0.0.0/24 network block */
327 #define is_a_local_network_control_block_addr(addr) \
328 ((addr & 0xffffff00) == 0xe0000000)
330 /* Return true if the address is in the 224.0.0.0/4 network block */
331 #define is_a_multicast_addr(addr) \
332 ((addr & 0xf0000000) == 0xe0000000)
335 * defragmentation of IPv4
337 static GHashTable *ip_fragment_table = NULL;
338 static GHashTable *ip_reassembled_table = NULL;
341 ip_defragment_init(void)
343 fragment_table_init(&ip_fragment_table);
344 reassembled_table_init(&ip_reassembled_table);
348 capture_ip(const guchar *pd, int offset, int len, packet_counts *ld) {
349 if (!BYTES_ARE_IN_FRAME(offset, len, IPH_MIN_LEN)) {
353 switch (pd[offset + 9]) {
358 case IP_PROTO_UDPLITE:
362 case IP_PROTO_ICMPV6: /* XXX - separate counters? */
384 add_geoip_info(proto_tree *tree, tvbuff_t *tvb, gint offset, guint32 src32, guint32 dst32)
386 guint dbnum, num_dbs;
387 int geoip_hf, geoip_src_hf, geoip_dst_hf;
388 const char *geoip_src_str, *geoip_dst_str;
389 proto_item *geoip_info_item;
390 proto_tree *geoip_info_tree;
394 num_dbs = geoip_db_num_dbs();
396 geoip_info_item = proto_tree_add_text(tree, tvb, offset + IPH_SRC, 4, "Source GeoIP: ");
397 geoip_info_tree = proto_item_add_subtree(geoip_info_item, ett_geoip_info);
398 PROTO_ITEM_SET_GENERATED(geoip_info_item);
401 for (dbnum = 0; dbnum < num_dbs; dbnum++) {
402 geoip_src_str = geoip_db_lookup_ipv4(dbnum, src32, NULL);
404 switch (geoip_db_type(dbnum)) {
405 case GEOIP_COUNTRY_EDITION:
406 geoip_hf = hf_geoip_country;
407 geoip_src_hf = hf_geoip_src_country;
409 case GEOIP_CITY_EDITION_REV0:
410 geoip_hf = hf_geoip_city;
411 geoip_src_hf = hf_geoip_src_city;
413 case GEOIP_CITY_EDITION_REV1:
414 geoip_hf = hf_geoip_city;
415 geoip_src_hf = hf_geoip_src_city;
417 case GEOIP_ORG_EDITION:
418 geoip_hf = hf_geoip_org;
419 geoip_src_hf = hf_geoip_src_org;
421 case GEOIP_ISP_EDITION:
422 geoip_hf = hf_geoip_isp;
423 geoip_src_hf = hf_geoip_src_isp;
425 case GEOIP_ASNUM_EDITION:
426 geoip_hf = hf_geoip_asnum;
427 geoip_src_hf = hf_geoip_src_asnum;
429 case WS_LAT_FAKE_EDITION:
430 geoip_hf = hf_geoip_lat;
431 geoip_src_hf = hf_geoip_src_lat;
433 case WS_LON_FAKE_EDITION:
434 geoip_hf = hf_geoip_lon;
435 geoip_src_hf = hf_geoip_src_lon;
443 item = proto_tree_add_string_format_value(geoip_info_tree, geoip_src_hf, tvb,
444 offset + IPH_SRC, 4, geoip_src_str, "%s", geoip_src_str);
445 PROTO_ITEM_SET_GENERATED(item);
446 item = proto_tree_add_string_format_value(geoip_info_tree, geoip_hf, tvb,
447 offset + IPH_SRC, 4, geoip_src_str, "%s", geoip_src_str);
448 PROTO_ITEM_SET_GENERATED(item);
449 PROTO_ITEM_SET_HIDDEN(item);
452 proto_item_append_text(geoip_info_item, "%s%s", plurality(item_cnt, "", ", "), geoip_src_str);
457 proto_item_append_text(geoip_info_item, "Unknown");
459 geoip_info_item = proto_tree_add_text(tree, tvb, offset + IPH_DST, 4, "Destination GeoIP: ");
460 geoip_info_tree = proto_item_add_subtree(geoip_info_item, ett_geoip_info);
461 PROTO_ITEM_SET_GENERATED(geoip_info_item);
464 for (dbnum = 0; dbnum < num_dbs; dbnum++) {
465 geoip_dst_str = geoip_db_lookup_ipv4(dbnum, dst32, NULL);
467 switch (geoip_db_type(dbnum)) {
468 case GEOIP_COUNTRY_EDITION:
469 geoip_hf = hf_geoip_country;
470 geoip_dst_hf = hf_geoip_dst_country;
472 case GEOIP_CITY_EDITION_REV0:
473 geoip_hf = hf_geoip_city;
474 geoip_dst_hf = hf_geoip_dst_city;
476 case GEOIP_CITY_EDITION_REV1:
477 geoip_hf = hf_geoip_city;
478 geoip_dst_hf = hf_geoip_dst_city;
480 case GEOIP_ORG_EDITION:
481 geoip_hf = hf_geoip_org;
482 geoip_dst_hf = hf_geoip_dst_org;
484 case GEOIP_ISP_EDITION:
485 geoip_hf = hf_geoip_isp;
486 geoip_dst_hf = hf_geoip_dst_isp;
488 case GEOIP_ASNUM_EDITION:
489 geoip_hf = hf_geoip_asnum;
490 geoip_dst_hf = hf_geoip_dst_asnum;
492 case WS_LAT_FAKE_EDITION:
493 geoip_hf = hf_geoip_lat;
494 geoip_dst_hf = hf_geoip_dst_lat;
496 case WS_LON_FAKE_EDITION:
497 geoip_hf = hf_geoip_lon;
498 geoip_dst_hf = hf_geoip_dst_lon;
506 item = proto_tree_add_string_format_value(geoip_info_tree, geoip_dst_hf, tvb,
507 offset + IPH_DST, 4, geoip_dst_str, "%s", geoip_dst_str);
508 PROTO_ITEM_SET_GENERATED(item);
509 item = proto_tree_add_string_format_value(geoip_info_tree, geoip_hf, tvb,
510 offset + IPH_DST, 4, geoip_dst_str, "%s", geoip_dst_str);
511 PROTO_ITEM_SET_GENERATED(item);
512 PROTO_ITEM_SET_HIDDEN(item);
515 proto_item_append_text(geoip_info_item, "%s%s", plurality(item_cnt, "", ", "), geoip_dst_str);
520 proto_item_append_text(geoip_info_item, "Unknown");
522 #endif /* HAVE_GEOIP */
525 dissect_ipopt_security(const ip_tcp_opt *optp, tvbuff_t *tvb, int offset,
526 guint optlen, packet_info *pinfo _U_,
527 proto_tree *opt_tree)
529 proto_tree *field_tree = NULL;
532 static const value_string secl_vals[] = {
533 {IPSEC_UNCLASSIFIED, "Unclassified"},
534 {IPSEC_CONFIDENTIAL, "Confidential"},
535 {IPSEC_EFTO, "EFTO" },
536 {IPSEC_MMMM, "MMMM" },
537 {IPSEC_RESTRICTED, "Restricted" },
538 {IPSEC_SECRET, "Secret" },
539 {IPSEC_TOPSECRET, "Top secret" },
540 {IPSEC_RESERVED1, "Reserved" },
541 {IPSEC_RESERVED2, "Reserved" },
542 {IPSEC_RESERVED3, "Reserved" },
543 {IPSEC_RESERVED4, "Reserved" },
544 {IPSEC_RESERVED5, "Reserved" },
545 {IPSEC_RESERVED6, "Reserved" },
546 {IPSEC_RESERVED7, "Reserved" },
547 {IPSEC_RESERVED8, "Reserved" },
550 tf = proto_tree_add_text(opt_tree, tvb, offset, optlen, "%s:", optp->name);
551 field_tree = proto_item_add_subtree(tf, *optp->subtree_index);
554 val = tvb_get_ntohs(tvb, offset);
555 proto_tree_add_text(field_tree, tvb, offset, 2,
556 "Security: %s", val_to_str(val, secl_vals, "Unknown (0x%x)"));
559 val = tvb_get_ntohs(tvb, offset);
560 proto_tree_add_text(field_tree, tvb, offset, 2,
561 "Compartments: %u", val);
564 proto_tree_add_text(field_tree, tvb, offset, 2,
565 "Handling restrictions: %c%c",
566 tvb_get_guint8(tvb, offset),
567 tvb_get_guint8(tvb, offset + 1));
570 proto_tree_add_text(field_tree, tvb, offset, 3,
571 "Transmission control code: %c%c%c",
572 tvb_get_guint8(tvb, offset),
573 tvb_get_guint8(tvb, offset + 1),
574 tvb_get_guint8(tvb, offset + 2));
577 /* USHRT_MAX can hold at most 5 (base 10) digits (6 for the NULL byte) */
578 #define USHRT_MAX_STRLEN 6
580 /* Maximum CIPSO tag length:
581 * (IP hdr max)60 - (IPv4 hdr std)20 - (CIPSO base)6 = 34 */
582 #define CIPSO_TAG_LEN_MAX 34
584 /* The Commercial IP Security Option (CIPSO) is defined in IETF draft
585 * draft-ietf-cipso-ipsecurity-01.txt and FIPS 188, a copy of both documents
586 * can be found at the NetLabel project page, http://netlabel.sf.net. */
588 dissect_ipopt_cipso(const ip_tcp_opt *optp, tvbuff_t *tvb, int offset,
589 guint optlen, packet_info *pinfo _U_, proto_tree *opt_tree)
591 proto_tree *field_tree = NULL;
593 guint tagtype, taglen;
594 int offset_max = offset + optlen;
596 tf = proto_tree_add_text(opt_tree, tvb, offset, optlen, "%s", optp->name);
597 field_tree = proto_item_add_subtree(tf, *optp->subtree_index);
600 proto_tree_add_text(field_tree, tvb, offset, 4, "DOI: %u",
601 tvb_get_ntohl(tvb, offset));
604 /* loop through all of the tags in the CIPSO option */
605 while (offset < offset_max) {
606 tagtype = tvb_get_guint8(tvb, offset);
608 if ((offset + 1) < offset_max)
609 taglen = tvb_get_guint8(tvb, offset + 1);
615 /* padding - skip this tag */
619 /* restrictive bitmap, see CIPSO draft section 3.4.2 for tag format */
620 if ((taglen < 4) || (taglen > CIPSO_TAG_LEN_MAX) ||
621 ((offset + (int)taglen - 1) > offset_max)) {
622 proto_tree_add_text(field_tree, tvb, offset, offset_max - offset,
623 "Malformed CIPSO tag");
627 proto_tree_add_text(field_tree, tvb, offset, 1,
628 "Tag Type: Restrictive Category Bitmap (%u)",
631 /* skip past alignment octet */
634 proto_tree_add_text(field_tree, tvb, offset, 1, "Sensitivity Level: %u",
635 tvb_get_guint8(tvb, offset));
641 unsigned char bitmask;
643 char *cat_str_tmp = ep_alloc(USHRT_MAX_STRLEN);
645 const guint8 *val_ptr = tvb_get_ptr(tvb, offset, taglen - 4);
647 /* this is just a guess regarding string size, but we grow it below
650 cat_str = ep_alloc0(cat_str_len);
652 /* we checked the length above so the highest category value
653 * possibile here is 240 */
654 while (byte_spot < (taglen - 4)) {
657 while (bit_spot < 8) {
658 if (val_ptr[byte_spot] & bitmask) {
659 g_snprintf(cat_str_tmp, USHRT_MAX_STRLEN, "%u",
660 byte_spot * 8 + bit_spot);
661 cat_str_tmp[USHRT_MAX_STRLEN - 1] = '\0';
662 if (cat_str_len < (strlen(cat_str) + 2 + USHRT_MAX_STRLEN)) {
664 while (cat_str_len < (strlen(cat_str) + 2 + USHRT_MAX_STRLEN))
665 cat_str_len += cat_str_len;
666 cat_str_new = ep_alloc(cat_str_len);
667 g_strlcpy(cat_str_new, cat_str, cat_str_len);
668 cat_str_new[cat_str_len - 1] = '\0';
669 cat_str = cat_str_new;
671 if (cat_str[0] != '\0')
672 g_strlcat(cat_str, ",", cat_str_len);
673 g_strlcat(cat_str, cat_str_tmp, cat_str_len);
682 proto_tree_add_text(field_tree, tvb, offset, taglen - 4,
683 "Categories: %s", cat_str);
685 proto_tree_add_text(field_tree, tvb, offset, taglen - 4,
686 "Categories: ERROR PARSING CATEGORIES");
688 offset += taglen - 4;
692 /* enumerated categories, see CIPSO draft section 3.4.3 for tag format */
693 if ((taglen < 4) || (taglen > CIPSO_TAG_LEN_MAX) ||
694 ((offset + (int)taglen - 1) > offset_max)) {
695 proto_tree_add_text(field_tree, tvb, offset, offset_max - offset,
696 "Malformed CIPSO tag");
700 proto_tree_add_text(field_tree, tvb, offset, 1,
701 "Tag Type: Enumerated Categories (%u)", tagtype);
703 /* skip past alignment octet */
706 /* sensitvity level */
707 proto_tree_add_text(field_tree, tvb, offset, 1, "Sensitivity Level: %u",
708 tvb_get_guint8(tvb, offset));
712 int offset_max_cat = offset + taglen - 4;
713 char *cat_str = ep_alloc0(USHRT_MAX_STRLEN * 15);
714 char *cat_str_tmp = ep_alloc(USHRT_MAX_STRLEN);
716 while ((offset + 2) <= offset_max_cat) {
717 g_snprintf(cat_str_tmp, USHRT_MAX_STRLEN, "%u",
718 tvb_get_ntohs(tvb, offset));
720 cat_str_tmp[USHRT_MAX_STRLEN - 1] = '\0';
721 if (cat_str[0] != '\0')
722 g_strlcat(cat_str, ",", USHRT_MAX_STRLEN * 15);
723 g_strlcat(cat_str, cat_str_tmp, USHRT_MAX_STRLEN * 15);
726 proto_tree_add_text(field_tree, tvb, offset - taglen + 4, taglen - 4,
727 "Categories: %s", cat_str);
731 /* ranged categories, see CIPSO draft section 3.4.4 for tag format */
732 if ((taglen < 4) || (taglen > CIPSO_TAG_LEN_MAX) ||
733 ((offset + (int)taglen - 1) > offset_max)) {
734 proto_tree_add_text(field_tree, tvb, offset, offset_max - offset,
735 "Malformed CIPSO tag");
739 proto_tree_add_text(field_tree, tvb, offset, 1,
740 "Tag Type: Ranged Categories (%u)", tagtype);
742 /* skip past alignment octet */
745 /* sensitvity level */
746 proto_tree_add_text(field_tree, tvb, offset, 1, "Sensitivity Level: %u",
747 tvb_get_guint8(tvb, offset));
751 guint16 cat_low, cat_high;
752 int offset_max_cat = offset + taglen - 4;
753 char *cat_str = ep_alloc0(USHRT_MAX_STRLEN * 16);
754 char *cat_str_tmp = ep_alloc(USHRT_MAX_STRLEN * 2);
756 while ((offset + 2) <= offset_max_cat) {
757 cat_high = tvb_get_ntohs(tvb, offset);
758 if ((offset + 4) <= offset_max_cat) {
759 cat_low = tvb_get_ntohs(tvb, offset + 2);
765 if (cat_low != cat_high)
766 g_snprintf(cat_str_tmp, USHRT_MAX_STRLEN * 2, "%u-%u",
769 g_snprintf(cat_str_tmp, USHRT_MAX_STRLEN * 2, "%u", cat_high);
770 if (cat_str[0] != '\0')
771 g_strlcat(cat_str, ",", USHRT_MAX_STRLEN * 16);
772 g_strlcat(cat_str, cat_str_tmp, USHRT_MAX_STRLEN * 16);
775 proto_tree_add_text(field_tree, tvb, offset - taglen + 4, taglen - 4,
776 "Categories: %s", cat_str);
780 /* permissive categories, see FIPS 188 section 6.9 for tag format */
781 if ((taglen < 4) || (taglen > CIPSO_TAG_LEN_MAX) ||
782 ((offset + (int)taglen - 1) > offset_max)) {
783 proto_tree_add_text(field_tree, tvb, offset, offset_max - offset,
784 "Malformed CIPSO tag");
788 proto_tree_add_text(field_tree, tvb, offset, 1,
789 "Tag Type: Permissive Categories (%u)", tagtype);
790 proto_tree_add_text(field_tree, tvb, offset + 2, taglen - 2, "Tag data");
794 /* free form, see FIPS 188 section 6.10 for tag format */
795 if ((taglen < 2) || (taglen > CIPSO_TAG_LEN_MAX) ||
796 ((offset + (int)taglen - 1) > offset_max)) {
797 proto_tree_add_text(field_tree, tvb, offset, offset_max - offset,
798 "Malformed CIPSO tag");
802 proto_tree_add_text(field_tree, tvb, offset, 1,
803 "Tag Type: Free Form (%u)", tagtype);
804 proto_tree_add_text(field_tree, tvb, offset + 2, taglen - 2, "Tag data");
808 /* unknown tag - stop parsing this IPv4 option */
809 if ((offset + 1) <= offset_max) {
810 taglen = tvb_get_guint8(tvb, offset + 1);
811 proto_tree_add_text(field_tree, tvb, offset, 1,
812 "Tag Type: Unknown (%u) (%u bytes)",
816 proto_tree_add_text(field_tree, tvb, offset, 1,
817 "Tag Type: Unknown (%u) (invalid format)",
825 dissect_ipopt_route(const ip_tcp_opt *optp, tvbuff_t *tvb, int offset,
826 guint optlen, packet_info *pinfo _U_,
827 proto_tree *opt_tree)
829 proto_tree *field_tree = NULL;
835 tf = proto_tree_add_text(opt_tree, tvb, offset, optlen, "%s (%u bytes)",
837 field_tree = proto_item_add_subtree(tf, *optp->subtree_index);
839 optoffset += 2; /* skip past type and length */
840 optlen -= 2; /* subtract size of type and length */
842 ptr = tvb_get_guint8(tvb, offset + optoffset);
843 proto_tree_add_text(field_tree, tvb, offset + optoffset, 1,
844 "Pointer: %d%s", ptr,
845 ((ptr < 4) ? " (points before first address)" :
846 ((ptr & 3) ? " (points to middle of address)" : "")));
849 ptr--; /* ptr is 1-origin */
853 proto_tree_add_text(field_tree, tvb, offset, optlen,
854 "(suboption would go past end of option)");
858 addr = tvb_get_ipv4(tvb, offset + optoffset);
859 proto_tree_add_text(field_tree, tvb, offset + optoffset, 4,
861 ((addr == 0) ? "-" : (const char *)get_hostname(addr)),
862 ((optoffset == ptr) ? " <- (current)" : ""));
869 dissect_ipopt_sid(const ip_tcp_opt *optp, tvbuff_t *tvb, int offset,
870 guint optlen, packet_info *pinfo _U_,
871 proto_tree *opt_tree)
873 proto_tree_add_text(opt_tree, tvb, offset, optlen,
874 "%s: %u", optp->name, tvb_get_ntohs(tvb, offset + 2));
879 dissect_ipopt_timestamp(const ip_tcp_opt *optp, tvbuff_t *tvb,
880 int offset, guint optlen, packet_info *pinfo _U_, proto_tree *opt_tree)
882 proto_tree *field_tree = NULL;
887 static const value_string flag_vals[] = {
888 {IPOPT_TS_TSONLY, "Time stamps only" },
889 {IPOPT_TS_TSANDADDR, "Time stamp and address" },
890 {IPOPT_TS_PRESPEC, "Time stamps for prespecified addresses"},
895 tf = proto_tree_add_text(opt_tree, tvb, offset, optlen, "%s:", optp->name);
896 field_tree = proto_item_add_subtree(tf, *optp->subtree_index);
898 optoffset += 2; /* skip past type and length */
899 optlen -= 2; /* subtract size of type and length */
901 ptr = tvb_get_guint8(tvb, offset + optoffset);
902 proto_tree_add_text(field_tree, tvb, offset + optoffset, 1,
903 "Pointer: %d%s", ptr,
904 ((ptr < 5) ? " (points before first address)" :
905 (((ptr - 1) & 3) ? " (points to middle of address)" : "")));
908 ptr--; /* ptr is 1-origin */
910 flg = tvb_get_guint8(tvb, offset + optoffset);
911 proto_tree_add_text(field_tree, tvb, offset + optoffset, 1,
912 "Overflow: %u", flg >> 4);
914 proto_tree_add_text(field_tree, tvb, offset + optoffset, 1,
915 "Flag: %s", val_to_str(flg, flag_vals, "Unknown (0x%x)"));
920 if (flg == IPOPT_TS_TSANDADDR) {
922 proto_tree_add_text(field_tree, tvb, offset + optoffset, optlen,
923 "(suboption would go past end of option)");
926 addr = tvb_get_ipv4(tvb, offset + optoffset);
927 ts = tvb_get_ntohl(tvb, offset + optoffset + 4);
929 proto_tree_add_text(field_tree, tvb, offset + optoffset, 8,
930 "Address = %s, time stamp = %u",
931 ((addr == 0) ? "-" : (const char *)get_hostname(addr)),
936 proto_tree_add_text(field_tree, tvb, offset + optoffset, optlen,
937 "(suboption would go past end of option)");
940 ts = tvb_get_ntohl(tvb, offset + optoffset);
942 proto_tree_add_text(field_tree, tvb, offset + optoffset, 4,
943 "Time stamp = %u", ts);
950 dissect_ipopt_ra(const ip_tcp_opt *optp, tvbuff_t *tvb, int offset,
951 guint optlen, packet_info *pinfo _U_, proto_tree *opt_tree)
953 /* Router-Alert, as defined by RFC2113 */
954 int opt = tvb_get_ntohs(tvb, offset + 2);
955 static const value_string ra_opts[] = {
956 {0, "Every router examines packet"},
960 proto_tree_add_text(opt_tree, tvb, offset, optlen,
961 "%s: %s", optp->name, val_to_str(opt, ra_opts, "Unknown (%d)"));
966 dissect_ipopt_qs(const ip_tcp_opt *optp, tvbuff_t *tvb, int offset,
967 guint optlen, packet_info *pinfo _U_, proto_tree *opt_tree)
969 /* Quick-Start TCP option, as defined by RFC4782 */
970 static const value_string qs_rates[] = {
979 { 8, "10.24 Mbit/s"},
980 { 9, "20.48 Mbit/s"},
981 {10, "40.96 Mbit/s"},
982 {11, "81.92 Mbit/s"},
983 {12, "163.84 Mbit/s"},
984 {13, "327.68 Mbit/s"},
985 {14, "655.36 Mbit/s"},
986 {15, "1.31072 Gbit/s"},
990 guint8 command = tvb_get_guint8(tvb, offset + 2);
991 guint8 function = command >> 4;
992 guint8 rate = command & 0x0f;
995 case 0x00: /* rate request */
996 proto_tree_add_text(opt_tree, tvb, offset, optlen,
997 "%s: Rate request, %s, QS TTL %u", optp->name,
998 val_to_str(rate, qs_rates, "Unknown"),
999 tvb_get_guint8(tvb, offset + 3));
1001 case 0x08: /* rate report */
1002 proto_tree_add_text(opt_tree, tvb, offset, optlen,
1003 "%s: Rate report, %s", optp->name,
1004 val_to_str(rate, qs_rates, "Unknown"));
1007 proto_tree_add_text(opt_tree, tvb, offset, optlen,
1008 "%s: Unknown function", optp->name);
1012 static const ip_tcp_opt ipopts[] = {
1035 dissect_ipopt_security
1039 "Strict source route",
1040 &ett_ip_option_route,
1047 "Loose source route",
1048 &ett_ip_option_route,
1055 "Commercial IP security option",
1056 &ett_ip_option_cipso,
1064 &ett_ip_option_route,
1071 "Stream identifier",
1080 &ett_ip_option_timestamp,
1082 IPOLEN_TIMESTAMP_MIN,
1083 dissect_ipopt_timestamp
1103 #define N_IP_OPTS (sizeof ipopts / sizeof ipopts[0])
1105 /* Dissect the IP or TCP options in a packet. */
1107 dissect_ip_tcp_options(tvbuff_t *tvb, int offset, guint length,
1108 const ip_tcp_opt *opttab, int nopts, int eol,
1109 packet_info *pinfo, proto_tree *opt_tree)
1112 const ip_tcp_opt *optp;
1113 opt_len_type len_type;
1114 unsigned int optlen;
1116 void (*dissect)(const struct ip_tcp_opt *, tvbuff_t *,
1117 int, guint, packet_info *, proto_tree *);
1120 while (length > 0) {
1121 opt = tvb_get_guint8(tvb, offset);
1122 for (optp = &opttab[0]; optp < &opttab[nopts]; optp++) {
1123 if (optp->optcode == opt)
1126 if (optp == &opttab[nopts]) {
1127 /* We assume that the only NO_LENGTH options are EOL and NOP options,
1128 so that we can treat unknown options as VARIABLE_LENGTH with a
1129 minimum of 2, and at least be able to move on to the next option
1130 by using the length in the option. */
1131 optp = NULL; /* indicate that we don't know this option */
1132 len_type = VARIABLE_LENGTH;
1134 name = ep_strdup_printf("Unknown (0x%02x)", opt);
1137 len_type = optp->len_type;
1138 optlen = optp->optlen;
1140 dissect = optp->dissect;
1142 --length; /* account for type byte */
1143 if (len_type != NO_LENGTH) {
1144 /* Option has a length. Is it in the packet? */
1146 /* Bogus - packet must at least include option code byte and
1148 proto_tree_add_text(opt_tree, tvb, offset, 1,
1149 "%s (length byte past end of options)", name);
1152 len = tvb_get_guint8(tvb, offset + 1); /* total including type, len */
1153 --length; /* account for length byte */
1155 /* Bogus - option length is too short to include option code and
1157 proto_tree_add_text(opt_tree, tvb, offset, 2,
1158 "%s (with too-short option length = %u byte%s)", name,
1159 len, plurality(len, "", "s"));
1161 } else if (len - 2 > length) {
1162 /* Bogus - option goes past the end of the header. */
1163 proto_tree_add_text(opt_tree, tvb, offset, length,
1164 "%s (option length = %u byte%s says option goes past end of options)",
1165 name, len, plurality(len, "", "s"));
1167 } else if (len_type == FIXED_LENGTH && len != optlen) {
1168 /* Bogus - option length isn't what it's supposed to be for this
1170 proto_tree_add_text(opt_tree, tvb, offset, len,
1171 "%s (with option length = %u byte%s; should be %u)", name,
1172 len, plurality(len, "", "s"), optlen);
1174 } else if (len_type == VARIABLE_LENGTH && len < optlen) {
1175 /* Bogus - option length is less than what it's supposed to be for
1177 proto_tree_add_text(opt_tree, tvb, offset, len,
1178 "%s (with option length = %u byte%s; should be >= %u)", name,
1179 len, plurality(len, "", "s"), optlen);
1183 proto_tree_add_text(opt_tree, tvb, offset, len, "%s (%u byte%s)",
1184 name, len, plurality(len, "", "s"));
1186 if (dissect != NULL) {
1187 /* Option has a dissector. */
1188 (*dissect)(optp, tvb, offset, len, pinfo, opt_tree);
1190 /* Option has no data, hence no dissector. */
1191 proto_tree_add_text(opt_tree, tvb, offset, len, "%s", name);
1194 len -= 2; /* subtract size of type and length */
1199 proto_tree_add_text(opt_tree, tvb, offset, 1, "%s", name);
1207 /* Returns the valid ttl for the group address */
1209 local_network_control_block_addr_valid_ttl(guint32 addr)
1211 /* An exception list, as some protocols seem to insist on
1212 * doing differently:
1215 /* IETF's VRRP (rfc3768) */
1216 if (IPLOCAL_NETWRK_CTRL_BLK_VRRP_ADDR == addr)
1217 return IPLOCAL_NETWRK_CTRL_BLK_VRRP_TTL;
1219 if (IPLOCAL_NETWRK_CTRL_BLK_GLPB_ADDR == addr)
1220 return IPLOCAL_NETWRK_CTRL_BLK_GLPB_TTL;
1221 /* mDNS (draft-cheshire-dnsext-multicastdns-07) */
1222 if (IPLOCAL_NETWRK_CTRL_BLK_MDNS_ADDR == addr)
1223 return IPLOCAL_NETWRK_CTRL_BLK_MDNS_TTL;
1224 /* LLMNR (rfc4795) */
1225 if (IPLOCAL_NETWRK_CTRL_BLK_LLMNR_ADDR == addr)
1226 return IPLOCAL_NETWRK_CTRL_BLK_ANY_TTL;
1227 return IPLOCAL_NETWRK_CTRL_BLK_DEFAULT_TTL;
1230 const value_string dscp_vals[] = {
1231 { IPDSFIELD_DSCP_DEFAULT, "Default" },
1232 { IPDSFIELD_DSCP_CS1, "Class Selector 1" },
1233 { IPDSFIELD_DSCP_CS2, "Class Selector 2" },
1234 { IPDSFIELD_DSCP_CS3, "Class Selector 3" },
1235 { IPDSFIELD_DSCP_CS4, "Class Selector 4" },
1236 { IPDSFIELD_DSCP_CS5, "Class Selector 5" },
1237 { IPDSFIELD_DSCP_CS6, "Class Selector 6" },
1238 { IPDSFIELD_DSCP_CS7, "Class Selector 7" },
1239 { IPDSFIELD_DSCP_AF11, "Assured Forwarding 11" },
1240 { IPDSFIELD_DSCP_AF12, "Assured Forwarding 12" },
1241 { IPDSFIELD_DSCP_AF13, "Assured Forwarding 13" },
1242 { IPDSFIELD_DSCP_AF21, "Assured Forwarding 21" },
1243 { IPDSFIELD_DSCP_AF22, "Assured Forwarding 22" },
1244 { IPDSFIELD_DSCP_AF23, "Assured Forwarding 23" },
1245 { IPDSFIELD_DSCP_AF31, "Assured Forwarding 31" },
1246 { IPDSFIELD_DSCP_AF32, "Assured Forwarding 32" },
1247 { IPDSFIELD_DSCP_AF33, "Assured Forwarding 33" },
1248 { IPDSFIELD_DSCP_AF41, "Assured Forwarding 41" },
1249 { IPDSFIELD_DSCP_AF42, "Assured Forwarding 42" },
1250 { IPDSFIELD_DSCP_AF43, "Assured Forwarding 43" },
1251 { IPDSFIELD_DSCP_EF, "Expedited Forwarding" },
1254 static const value_string precedence_vals[] = {
1255 { IPTOS_PREC_ROUTINE, "routine" },
1256 { IPTOS_PREC_PRIORITY, "priority" },
1257 { IPTOS_PREC_IMMEDIATE, "immediate" },
1258 { IPTOS_PREC_FLASH, "flash" },
1259 { IPTOS_PREC_FLASHOVERRIDE, "flash override" },
1260 { IPTOS_PREC_CRITIC_ECP, "CRITIC/ECP" },
1261 { IPTOS_PREC_INTERNETCONTROL, "internetwork control" },
1262 { IPTOS_PREC_NETCONTROL, "network control" },
1265 static const value_string iptos_vals[] = {
1266 { IPTOS_NONE, "None" },
1267 { IPTOS_LOWCOST, "Minimize cost" },
1268 { IPTOS_RELIABILITY, "Maximize reliability" },
1269 { IPTOS_THROUGHPUT, "Maximize throughput" },
1270 { IPTOS_LOWDELAY, "Minimize delay" },
1271 { IPTOS_SECURITY, "Maximize security" },
1275 static const true_false_string tos_set_low = {
1280 static const true_false_string tos_set_high = {
1285 guint16 ip_checksum(const guint8 *ptr, int len)
1289 cksum_vec[0].ptr = ptr;
1290 cksum_vec[0].len = len;
1291 return in_cksum(&cksum_vec[0], 1);
1295 dissect_ip(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree)
1297 proto_tree *ip_tree = NULL, *field_tree;
1298 proto_item *ti = NULL, *tf;
1305 fragment_data *ipfd_head=NULL;
1307 gboolean update_col_info = TRUE;
1308 gboolean save_fragmented;
1310 const guchar *src_addr, *dst_addr;
1311 guint32 src32, dst32;
1313 proto_item *item, *ttl_item;
1314 proto_tree *checksum_tree;
1319 iph=ep_alloc(sizeof(ws_ip));
1321 col_set_str(pinfo->cinfo, COL_PROTOCOL, "IP");
1322 col_clear(pinfo->cinfo, COL_INFO);
1324 iph->ip_v_hl = tvb_get_guint8(tvb, offset);
1325 if ( hi_nibble(iph->ip_v_hl) == 6){
1326 call_dissector(ipv6_handle, tvb, pinfo, parent_tree);
1330 hlen = lo_nibble(iph->ip_v_hl) * 4; /* IP header length, in bytes */
1333 ti = proto_tree_add_item(tree, proto_ip, tvb, offset, hlen, FALSE);
1334 ip_tree = proto_item_add_subtree(ti, ett_ip);
1336 proto_tree_add_uint(ip_tree, hf_ip_version, tvb, offset, 1,
1337 hi_nibble(iph->ip_v_hl));
1340 /* if IP is not referenced from any filters we dont need to worry about
1341 generating any tree items. We must do this after we created the actual
1342 protocol above so that proto hier stat still works though.
1344 if(!proto_field_is_referenced(parent_tree, proto_ip)){
1348 if (hlen < IPH_MIN_LEN) {
1349 col_add_fstr(pinfo->cinfo, COL_INFO, "Bogus IP header length (%u, must be at least %u)",
1352 proto_tree_add_uint_format(ip_tree, hf_ip_hdr_len, tvb, offset, 1, hlen,
1353 "Header length: %u bytes (bogus, must be at least %u)", hlen,
1360 proto_tree_add_uint_format(ip_tree, hf_ip_hdr_len, tvb, offset, 1, hlen,
1361 "Header length: %u bytes", hlen);
1364 iph->ip_tos = tvb_get_guint8(tvb, offset + 1);
1367 if (g_ip_dscp_actif) {
1368 tf = proto_tree_add_uint_format(ip_tree, hf_ip_dsfield, tvb, offset + 1, 1, iph->ip_tos,
1369 "Differentiated Services Field: 0x%02x (DSCP 0x%02x: %s; ECN: 0x%02x)", iph->ip_tos,
1370 IPDSFIELD_DSCP(iph->ip_tos), val_to_str(IPDSFIELD_DSCP(iph->ip_tos), dscp_vals,
1371 "Unknown DSCP"),IPDSFIELD_ECN(iph->ip_tos));
1373 field_tree = proto_item_add_subtree(tf, ett_ip_dsfield);
1374 proto_tree_add_uint(field_tree, hf_ip_dsfield_dscp, tvb, offset + 1, 1, iph->ip_tos);
1375 proto_tree_add_uint(field_tree, hf_ip_dsfield_ect, tvb, offset + 1, 1, iph->ip_tos);
1376 proto_tree_add_uint(field_tree, hf_ip_dsfield_ce, tvb, offset + 1, 1, iph->ip_tos);
1378 tf = proto_tree_add_uint_format(ip_tree, hf_ip_tos, tvb, offset + 1, 1, iph->ip_tos,
1379 "Type of service: 0x%02x (%s)", iph->ip_tos,
1380 val_to_str( IPTOS_TOS(iph->ip_tos), iptos_vals, "Unknown") );
1382 field_tree = proto_item_add_subtree(tf, ett_ip_tos);
1383 proto_tree_add_uint(field_tree, hf_ip_tos_precedence, tvb, offset + 1, 1, iph->ip_tos);
1384 proto_tree_add_boolean(field_tree, hf_ip_tos_delay, tvb, offset + 1, 1, iph->ip_tos);
1385 proto_tree_add_boolean(field_tree, hf_ip_tos_throughput, tvb, offset + 1, 1, iph->ip_tos);
1386 proto_tree_add_boolean(field_tree, hf_ip_tos_reliability, tvb, offset + 1, 1, iph->ip_tos);
1387 proto_tree_add_boolean(field_tree, hf_ip_tos_cost, tvb, offset + 1, 1, iph->ip_tos);
1391 /* Length of IP datagram.
1392 XXX - what if this is greater than the reported length of the
1393 tvbuff? This could happen, for example, in an IP datagram
1394 inside an ICMP datagram; we need to somehow let the
1395 dissector we call know that, as it might want to avoid
1396 doing its checksumming. */
1397 iph->ip_len = tvb_get_ntohs(tvb, offset + 2);
1399 /* Correct for zero-length TSO packets
1400 * If ip_len is zero, assume TSO and use the reported length instead. Note
1401 * that we need to use the frame/reported length instead of the
1402 * actually-available length, just in case a snaplen was used on capture. */
1403 if (ip_tso_supported && !iph->ip_len)
1404 iph->ip_len = tvb_reported_length(tvb);
1406 if (iph->ip_len < hlen) {
1407 col_add_fstr(pinfo->cinfo, COL_INFO, "Bogus IP length (%u, less than header length %u)",
1410 proto_tree_add_uint_format(ip_tree, hf_ip_len, tvb, offset + 2, 2, iph->ip_len,
1411 "Total length: %u bytes (bogus, less than header length %u)", iph->ip_len,
1418 * Now that we know that the total length of this IP datagram isn't
1419 * obviously bogus, adjust the length of this tvbuff to include only
1422 set_actual_length(tvb, iph->ip_len);
1425 proto_tree_add_uint(ip_tree, hf_ip_len, tvb, offset + 2, 2, iph->ip_len);
1427 iph->ip_id = tvb_get_ntohs(tvb, offset + 4);
1429 proto_tree_add_uint(ip_tree, hf_ip_id, tvb, offset + 4, 2, iph->ip_id);
1431 iph->ip_off = tvb_get_ntohs(tvb, offset + 6);
1433 flags = (iph->ip_off & (IP_RF | IP_DF | IP_MF)) >> 12;
1434 tf = proto_tree_add_uint(ip_tree, hf_ip_flags, tvb, offset + 6, 1, flags);
1435 field_tree = proto_item_add_subtree(tf, ett_ip_off);
1436 proto_tree_add_boolean(field_tree, hf_ip_flags_rf, tvb, offset + 6, 1, flags);
1437 if (flags & (IP_DF>>12)) proto_item_append_text(tf, " (Don't Fragment)");
1438 proto_tree_add_boolean(field_tree, hf_ip_flags_df, tvb, offset + 6, 1, flags);
1439 if (flags & (IP_MF>>12)) proto_item_append_text(tf, " (More Fragments)");
1440 proto_tree_add_boolean(field_tree, hf_ip_flags_mf, tvb, offset + 6, 1, flags);
1442 proto_tree_add_uint(ip_tree, hf_ip_frag_offset, tvb, offset + 6, 2,
1443 (iph->ip_off & IP_OFFSET)*8);
1446 iph->ip_ttl = tvb_get_guint8(tvb, offset + 8);
1448 ttl_item = proto_tree_add_item(ip_tree, hf_ip_ttl, tvb, offset + 8, 1, FALSE);
1453 iph->ip_p = tvb_get_guint8(tvb, offset + 9);
1455 proto_tree_add_uint_format(ip_tree, hf_ip_proto, tvb, offset + 9, 1, iph->ip_p,
1456 "Protocol: %s (0x%02x)", ipprotostr(iph->ip_p), iph->ip_p);
1459 iph->ip_sum = tvb_get_ntohs(tvb, offset + 10);
1462 * If we have the entire IP header available, check the checksum.
1464 if (ip_check_checksum && tvb_bytes_exist(tvb, offset, hlen)) {
1465 ipsum = ip_checksum(tvb_get_ptr(tvb, offset, hlen), hlen);
1468 item = proto_tree_add_uint_format(ip_tree, hf_ip_checksum, tvb, offset + 10, 2, iph->ip_sum,
1469 "Header checksum: 0x%04x [correct]", iph->ip_sum);
1470 checksum_tree = proto_item_add_subtree(item, ett_ip_checksum);
1471 item = proto_tree_add_boolean(checksum_tree, hf_ip_checksum_good, tvb, offset + 10, 2, TRUE);
1472 PROTO_ITEM_SET_GENERATED(item);
1473 item = proto_tree_add_boolean(checksum_tree, hf_ip_checksum_bad, tvb, offset + 10, 2, FALSE);
1474 PROTO_ITEM_SET_GENERATED(item);
1476 item = proto_tree_add_uint_format(ip_tree, hf_ip_checksum, tvb, offset + 10, 2, iph->ip_sum,
1477 "Header checksum: 0x%04x [incorrect, should be 0x%04x]", iph->ip_sum,
1478 in_cksum_shouldbe(iph->ip_sum, ipsum));
1479 checksum_tree = proto_item_add_subtree(item, ett_ip_checksum);
1480 item = proto_tree_add_boolean(checksum_tree, hf_ip_checksum_good, tvb, offset + 10, 2, FALSE);
1481 PROTO_ITEM_SET_GENERATED(item);
1482 item = proto_tree_add_boolean(checksum_tree, hf_ip_checksum_bad, tvb, offset + 10, 2, TRUE);
1483 PROTO_ITEM_SET_GENERATED(item);
1484 expert_add_info_format(pinfo, item, PI_CHECKSUM, PI_ERROR, "Bad checksum");
1490 item = proto_tree_add_uint_format(ip_tree, hf_ip_checksum, tvb, offset + 10, 2, iph->ip_sum,
1491 "Header checksum: 0x%04x [%s]", iph->ip_sum,
1492 ip_check_checksum ? "not all data available" : "validation disabled");
1493 checksum_tree = proto_item_add_subtree(item, ett_ip_checksum);
1494 item = proto_tree_add_boolean(checksum_tree, hf_ip_checksum_good, tvb, offset + 10, 2, FALSE);
1495 PROTO_ITEM_SET_GENERATED(item);
1496 item = proto_tree_add_boolean(checksum_tree, hf_ip_checksum_bad, tvb, offset + 10, 2, FALSE);
1497 PROTO_ITEM_SET_GENERATED(item);
1500 src_addr = tvb_get_ptr(tvb, offset + IPH_SRC, 4);
1501 src32 = tvb_get_ntohl(tvb, offset + IPH_SRC);
1502 SET_ADDRESS(&pinfo->net_src, AT_IPv4, 4, src_addr);
1503 SET_ADDRESS(&pinfo->src, AT_IPv4, 4, src_addr);
1504 SET_ADDRESS(&iph->ip_src, AT_IPv4, 4, src_addr);
1506 const char *src_host;
1508 memcpy(&addr, iph->ip_src.data, 4);
1509 src_host = get_hostname(addr);
1510 if (ip_summary_in_tree) {
1511 proto_item_append_text(ti, ", Src: %s (%s)", src_host, ip_to_str(iph->ip_src.data));
1513 proto_tree_add_ipv4(ip_tree, hf_ip_src, tvb, offset + 12, 4, addr);
1514 item = proto_tree_add_ipv4(ip_tree, hf_ip_addr, tvb, offset + 12, 4, addr);
1515 PROTO_ITEM_SET_HIDDEN(item);
1516 item = proto_tree_add_string(ip_tree, hf_ip_src_host, tvb, offset + 12, 4, src_host);
1517 PROTO_ITEM_SET_GENERATED(item);
1518 PROTO_ITEM_SET_HIDDEN(item);
1519 item = proto_tree_add_string(ip_tree, hf_ip_host, tvb, offset + 12, 4, src_host);
1520 PROTO_ITEM_SET_GENERATED(item);
1521 PROTO_ITEM_SET_HIDDEN(item);
1523 dst_addr = tvb_get_ptr(tvb, offset + IPH_DST, 4);
1524 dst32 = tvb_get_ntohl(tvb, offset + IPH_DST);
1525 SET_ADDRESS(&pinfo->net_dst, AT_IPv4, 4, dst_addr);
1526 SET_ADDRESS(&pinfo->dst, AT_IPv4, 4, dst_addr);
1527 SET_ADDRESS(&iph->ip_dst, AT_IPv4, 4, dst_addr);
1529 tap_queue_packet(ip_tap, pinfo, iph);
1532 /* If an IP is destined for an IP address in the Local Network Control Block
1533 * (e.g. 224.0.0.0/24), the packet should never be routed and the TTL would
1534 * be expected to be 1. (see RFC 3171) Flag a TTL greater than 1.
1536 * Flag a low TTL if the packet is not destined for a multicast address
1537 * (e.g. 224.0.0.0/4).
1539 if (is_a_local_network_control_block_addr(dst32)) {
1540 ttl = local_network_control_block_addr_valid_ttl(dst32);
1541 if (ttl != iph->ip_ttl && ttl != IPLOCAL_NETWRK_CTRL_BLK_ANY_TTL) {
1542 expert_add_info_format(pinfo, ttl_item, PI_SEQUENCE, PI_NOTE,
1543 "\"Time To Live\" != %d for a packet sent to the Local Network Control Block (see RFC 3171)", ttl);
1545 } else if (!is_a_multicast_addr(dst32) && iph->ip_ttl < 5) {
1546 expert_add_info_format(pinfo, ttl_item, PI_SEQUENCE, PI_NOTE, "\"Time To Live\" only %u", iph->ip_ttl);
1550 const char *dst_host;
1552 memcpy(&addr, iph->ip_dst.data, 4);
1553 dst_host = get_hostname(addr);
1554 if (ip_summary_in_tree) {
1555 proto_item_append_text(ti, ", Dst: %s (%s)", dst_host, ip_to_str(iph->ip_dst.data));
1557 proto_tree_add_ipv4(ip_tree, hf_ip_dst, tvb, offset + 16, 4, addr);
1558 item = proto_tree_add_ipv4(ip_tree, hf_ip_addr, tvb, offset + 16, 4, addr);
1559 PROTO_ITEM_SET_HIDDEN(item);
1560 item = proto_tree_add_string(ip_tree, hf_ip_dst_host, tvb, offset + 16, 4, dst_host);
1561 PROTO_ITEM_SET_GENERATED(item);
1562 PROTO_ITEM_SET_HIDDEN(item);
1563 item = proto_tree_add_string(ip_tree, hf_ip_host, tvb, offset + 16, 4, dst_host);
1564 PROTO_ITEM_SET_GENERATED(item);
1565 PROTO_ITEM_SET_HIDDEN(item);
1569 if (tree && ip_use_geoip) {
1570 add_geoip_info(ip_tree, tvb, offset, src32, dst32);
1575 /* Decode IP options, if any. */
1576 if (hlen > IPH_MIN_LEN) {
1577 /* There's more than just the fixed-length header. Decode the
1579 optlen = hlen - IPH_MIN_LEN; /* length of options, in bytes */
1580 tf = proto_tree_add_text(ip_tree, tvb, offset + 20, optlen,
1581 "Options: (%u bytes)", optlen);
1582 field_tree = proto_item_add_subtree(tf, ett_ip_options);
1583 dissect_ip_tcp_options(tvb, offset + 20, optlen,
1584 ipopts, N_IP_OPTS, IPOPT_END, pinfo, field_tree);
1588 pinfo->ipproto = iph->ip_p;
1590 pinfo->iplen = iph->ip_len;
1592 pinfo->iphdrlen = hlen;
1594 /* Skip over header + options */
1596 nxt = iph->ip_p; /* XXX - what if this isn't the same for all fragments? */
1598 /* If ip_defragment is on, this is a fragment, we have all the data
1599 * in the fragment, and the header checksum is valid, then just add
1600 * the fragment to the hashtable.
1602 save_fragmented = pinfo->fragmented;
1603 if (ip_defragment && (iph->ip_off & (IP_MF|IP_OFFSET)) &&
1604 tvb_bytes_exist(tvb, offset, pinfo->iplen - pinfo->iphdrlen) &&
1606 ipfd_head = fragment_add_check(tvb, offset, pinfo,
1607 iph->ip_p ^ iph->ip_id ^ src32 ^ dst32,
1609 ip_reassembled_table,
1610 (iph->ip_off & IP_OFFSET)*8,
1611 pinfo->iplen - pinfo->iphdrlen,
1612 iph->ip_off & IP_MF);
1614 next_tvb = process_reassembled_data(tvb, offset, pinfo, "Reassembled IPv4",
1615 ipfd_head, &ip_frag_items, &update_col_info, ip_tree);
1617 /* If this is the first fragment, dissect its contents, otherwise
1618 just show it as a fragment.
1620 XXX - if we eventually don't save the reassembled contents of all
1621 fragmented datagrams, we may want to always reassemble. */
1622 if (iph->ip_off & IP_OFFSET) {
1623 /* Not the first fragment - don't dissect it. */
1626 /* First fragment, or not fragmented. Dissect what we have here. */
1628 /* Get a tvbuff for the payload. */
1629 next_tvb = tvb_new_subset_remaining(tvb, offset);
1632 * If this is the first fragment, but not the only fragment,
1633 * tell the next protocol that.
1635 if (iph->ip_off & IP_MF)
1636 pinfo->fragmented = TRUE;
1638 pinfo->fragmented = FALSE;
1642 if (next_tvb == NULL) {
1643 /* Just show this as a fragment. */
1644 col_add_fstr(pinfo->cinfo, COL_INFO, "Fragmented IP protocol (proto=%s 0x%02x, off=%u, ID=%04x)",
1645 ipprotostr(iph->ip_p), iph->ip_p, (iph->ip_off & IP_OFFSET) * 8,
1647 if( ipfd_head && ipfd_head->reassembled_in != pinfo->fd->num ){
1648 col_append_fstr(pinfo->cinfo, COL_INFO, " [Reassembled in #%u]",
1649 ipfd_head->reassembled_in);
1652 call_dissector(data_handle, tvb_new_subset_remaining(tvb, offset), pinfo,
1654 pinfo->fragmented = save_fragmented;
1658 /* XXX This is an ugly hack because I didn't manage to make the IPIP
1659 * dissector a heuristic one [JMayer]
1660 * The TAPA protocol also uses IP protocol number 4 but it isn't really
1661 * IPIP, so try to detect it first and call it explicitly before calling
1662 * the generic ip.proto dispatcher
1664 if (nxt == IP_PROTO_IPIP &&
1665 (tvb_get_guint8(next_tvb, 0) & 0xF0) != 40 &&
1666 tvb_get_ntohs(next_tvb, 2) < 20) {
1667 call_dissector(tapa_handle,next_tvb, pinfo, parent_tree);
1669 /* Hand off to the next protocol.
1671 XXX - setting the columns only after trying various dissectors means
1672 that if one of those dissectors throws an exception, the frame won't
1673 even be labelled as an IP frame; ideally, if a frame being dissected
1674 throws an exception, it'll be labelled as a mangled frame of the
1675 type in question. */
1676 } else if (!dissector_try_port(ip_dissector_table, nxt, next_tvb, pinfo, parent_tree)) {
1677 /* Unknown protocol */
1678 if (update_col_info) {
1679 col_add_fstr(pinfo->cinfo, COL_INFO, "%s (0x%02x)", ipprotostr(iph->ip_p), iph->ip_p);
1681 call_dissector(data_handle,next_tvb, pinfo, parent_tree);
1683 pinfo->fragmented = save_fragmented;
1687 proto_register_ip(void)
1689 static hf_register_info hf[] = {
1692 { "Version", "ip.version", FT_UINT8, BASE_DEC, NULL, 0x0,
1696 { "Header Length", "ip.hdr_len", FT_UINT8, BASE_DEC, NULL, 0x0,
1700 { "Differentiated Services field", "ip.dsfield", FT_UINT8, BASE_DEC, NULL, 0x0,
1703 { &hf_ip_dsfield_dscp,
1704 { "Differentiated Services Codepoint", "ip.dsfield.dscp", FT_UINT8, BASE_HEX,
1705 VALS(dscp_vals), IPDSFIELD_DSCP_MASK,
1708 { &hf_ip_dsfield_ect,
1709 { "ECN-Capable Transport (ECT)", "ip.dsfield.ect", FT_UINT8, BASE_DEC, NULL,
1713 { &hf_ip_dsfield_ce,
1714 { "ECN-CE", "ip.dsfield.ce", FT_UINT8, BASE_DEC, NULL,
1719 { "Type of Service", "ip.tos", FT_UINT8, BASE_DEC, NULL, 0x0,
1722 { &hf_ip_tos_precedence,
1723 { "Precedence", "ip.tos.precedence", FT_UINT8, BASE_DEC, VALS(precedence_vals),
1728 { "Delay", "ip.tos.delay", FT_BOOLEAN, 8, TFS(&tos_set_low),
1732 { &hf_ip_tos_throughput,
1733 { "Throughput", "ip.tos.throughput", FT_BOOLEAN, 8, TFS(&tos_set_high),
1737 { &hf_ip_tos_reliability,
1738 { "Reliability", "ip.tos.reliability", FT_BOOLEAN, 8, TFS(&tos_set_high),
1743 { "Cost", "ip.tos.cost", FT_BOOLEAN, 8, TFS(&tos_set_low),
1748 { "Total Length", "ip.len", FT_UINT16, BASE_DEC, NULL, 0x0,
1752 { "Identification", "ip.id", FT_UINT16, BASE_HEX_DEC, NULL, 0x0,
1756 { "Destination", "ip.dst", FT_IPv4, BASE_NONE, NULL, 0x0,
1760 { "Destination Host", "ip.dst_host", FT_STRING, BASE_NONE, NULL, 0x0,
1764 { "Source", "ip.src", FT_IPv4, BASE_NONE, NULL, 0x0,
1768 { "Source Host", "ip.src_host", FT_STRING, BASE_NONE, NULL, 0x0,
1772 { "Source or Destination Address", "ip.addr", FT_IPv4, BASE_NONE, NULL, 0x0,
1776 { "Source or Destination Host", "ip.host", FT_STRING, BASE_NONE, NULL, 0x0,
1779 { &hf_geoip_country,
1780 { "Source or Destination GeoIP Country", "ip.geoip.country", FT_STRING, BASE_NONE, NULL, 0x0,
1783 { "Source or Destination GeoIP City", "ip.geoip.city", FT_STRING, BASE_NONE, NULL, 0x0,
1786 { "Source or Destination GeoIP Organization", "ip.geoip.org", FT_STRING, BASE_NONE, NULL, 0x0,
1789 { "Source or Destination GeoIP ISP", "ip.geoip.isp", FT_STRING, BASE_NONE, NULL, 0x0,
1792 { "Source or Destination GeoIP AS Number", "ip.geoip.asnum", FT_STRING, BASE_NONE, NULL, 0x0,
1795 { "Source or Destination GeoIP Latitude", "ip.geoip.lat", FT_STRING, BASE_NONE, NULL, 0x0,
1798 { "Source or Destination GeoIP Longitude", "ip.geoip.lon", FT_STRING, BASE_NONE, NULL, 0x0,
1800 { &hf_geoip_src_country,
1801 { "Source GeoIP Country", "ip.geoip.src_country", FT_STRING, BASE_NONE, NULL, 0x0,
1803 { &hf_geoip_src_city,
1804 { "Source GeoIP City", "ip.geoip.src_city", FT_STRING, BASE_NONE, NULL, 0x0,
1806 { &hf_geoip_src_org,
1807 { "Source GeoIP Organization", "ip.geoip.src_org", FT_STRING, BASE_NONE, NULL, 0x0,
1809 { &hf_geoip_src_isp,
1810 { "Source GeoIP ISP", "ip.geoip.src_isp", FT_STRING, BASE_NONE, NULL, 0x0,
1812 { &hf_geoip_src_asnum,
1813 { "Source GeoIP AS Number", "ip.geoip.src_asnum", FT_STRING, BASE_NONE, NULL, 0x0,
1815 { &hf_geoip_src_lat,
1816 { "Source GeoIP Latitude", "ip.geoip.src_lat", FT_STRING, BASE_NONE, NULL, 0x0,
1818 { &hf_geoip_src_lon,
1819 { "Source GeoIP Longitude", "ip.geoip.src_lon", FT_STRING, BASE_NONE, NULL, 0x0,
1821 { &hf_geoip_dst_country,
1822 { "Destination GeoIP Country", "ip.geoip.dst_country", FT_STRING, BASE_NONE, NULL, 0x0,
1824 { &hf_geoip_dst_city,
1825 { "Destination GeoIP City", "ip.geoip.dst_city", FT_STRING, BASE_NONE, NULL, 0x0,
1827 { &hf_geoip_dst_org,
1828 { "Destination GeoIP Organization", "ip.geoip.dst_org", FT_STRING, BASE_NONE, NULL, 0x0,
1830 { &hf_geoip_dst_isp,
1831 { "Destination GeoIP ISP", "ip.geoip.dst_isp", FT_STRING, BASE_NONE, NULL, 0x0,
1833 { &hf_geoip_dst_asnum,
1834 { "Destination GeoIP AS Number", "ip.geoip.dst_asnum", FT_STRING, BASE_NONE, NULL, 0x0,
1836 { &hf_geoip_dst_lat,
1837 { "Destination GeoIP Latitude", "ip.geoip.dst_lat", FT_STRING, BASE_NONE, NULL, 0x0,
1839 { &hf_geoip_dst_lon,
1840 { "Destination GeoIP Longitude", "ip.geoip.dst_lon", FT_STRING, BASE_NONE, NULL, 0x0,
1842 #endif /* HAVE_GEOIP */
1844 { "Flags", "ip.flags", FT_UINT8, BASE_HEX, NULL, 0x0,
1848 { "Reserved bit", "ip.flags.rb", FT_BOOLEAN, 4, TFS(&tfs_set_notset), IP_RF >> 12,
1852 { "Don't fragment", "ip.flags.df", FT_BOOLEAN, 4, TFS(&tfs_set_notset), IP_DF >> 12,
1856 { "More fragments", "ip.flags.mf", FT_BOOLEAN, 4, TFS(&tfs_set_notset), IP_MF >> 12,
1859 { &hf_ip_frag_offset,
1860 { "Fragment offset", "ip.frag_offset", FT_UINT16, BASE_DEC, NULL, 0x0,
1861 "Fragment offset (13 bits)", HFILL }},
1864 { "Time to live", "ip.ttl", FT_UINT8, BASE_DEC, NULL, 0x0,
1868 { "Protocol", "ip.proto", FT_UINT8, BASE_HEX, NULL, 0x0,
1872 { "Header checksum", "ip.checksum", FT_UINT16, BASE_HEX, NULL, 0x0,
1875 { &hf_ip_checksum_good,
1876 { "Good", "ip.checksum_good", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
1877 "True: checksum matches packet content; False: doesn't match content or not checked", HFILL }},
1879 { &hf_ip_checksum_bad,
1880 { "Bad", "ip.checksum_bad", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
1881 "True: checksum doesn't match packet content; False: matches content or not checked", HFILL }},
1883 { &hf_ip_fragment_overlap,
1884 { "Fragment overlap", "ip.fragment.overlap", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
1885 "Fragment overlaps with other fragments", HFILL }},
1887 { &hf_ip_fragment_overlap_conflict,
1888 { "Conflicting data in fragment overlap", "ip.fragment.overlap.conflict", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
1889 "Overlapping fragments contained conflicting data", HFILL }},
1891 { &hf_ip_fragment_multiple_tails,
1892 { "Multiple tail fragments found", "ip.fragment.multipletails", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
1893 "Several tails were found when defragmenting the packet", HFILL }},
1895 { &hf_ip_fragment_too_long_fragment,
1896 { "Fragment too long", "ip.fragment.toolongfragment", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
1897 "Fragment contained data past end of packet", HFILL }},
1899 { &hf_ip_fragment_error,
1900 { "Defragmentation error", "ip.fragment.error", FT_FRAMENUM, BASE_NONE, NULL, 0x0,
1901 "Defragmentation error due to illegal fragments", HFILL }},
1904 { "IP Fragment", "ip.fragment", FT_FRAMENUM, BASE_NONE, NULL, 0x0,
1908 { "IP Fragments", "ip.fragments", FT_NONE, BASE_NONE, NULL, 0x0,
1911 { &hf_ip_reassembled_in,
1912 { "Reassembled IP in frame", "ip.reassembled_in", FT_FRAMENUM, BASE_NONE, NULL, 0x0,
1913 "This IP packet is reassembled in this frame", HFILL }}
1915 static gint *ett[] = {
1922 &ett_ip_option_route,
1923 &ett_ip_option_timestamp,
1924 &ett_ip_option_cipso,
1932 module_t *ip_module;
1934 proto_ip = proto_register_protocol("Internet Protocol", "IP", "ip");
1935 proto_register_field_array(proto_ip, hf, array_length(hf));
1936 proto_register_subtree_array(ett, array_length(ett));
1938 /* subdissector code */
1939 ip_dissector_table = register_dissector_table("ip.proto",
1940 "IP protocol", FT_UINT8, BASE_DEC);
1942 /* Register configuration options */
1943 ip_module = prefs_register_protocol(proto_ip, NULL);
1944 prefs_register_bool_preference(ip_module, "decode_tos_as_diffserv",
1945 "Decode IPv4 TOS field as DiffServ field",
1946 "Whether the IPv4 type-of-service field should be decoded as a Differentiated Services field (see RFC2474/RFC2475)",
1948 prefs_register_bool_preference(ip_module, "defragment",
1949 "Reassemble fragmented IP datagrams",
1950 "Whether fragmented IP datagrams should be reassembled",
1952 prefs_register_bool_preference(ip_module, "summary_in_tree",
1953 "Show IP summary in protocol tree",
1954 "Whether the IP summary line should be shown in the protocol tree",
1955 &ip_summary_in_tree);
1956 prefs_register_bool_preference(ip_module, "check_checksum" ,
1957 "Validate the IP checksum if possible",
1958 "Whether to validate the IP checksum",
1959 &ip_check_checksum);
1960 prefs_register_bool_preference(ip_module, "tso_support" ,
1961 "Support packet-capture from IP TSO-enabled hardware",
1962 "Whether to correct for TSO-enabled hardware captures, such as spoofing the IP packet length",
1965 prefs_register_bool_preference(ip_module, "use_geoip" ,
1966 "Enable GeoIP lookups",
1967 "Whether to look up IP addresses in each GeoIP database we have loaded",
1969 #endif /* HAVE_GEOIP */
1971 register_dissector("ip", dissect_ip, proto_ip);
1972 register_init_routine(ip_defragment_init);
1973 ip_tap=register_tap("ip");
1977 proto_reg_handoff_ip(void)
1979 dissector_handle_t ip_handle;
1981 ip_handle = find_dissector("ip");
1982 ipv6_handle = find_dissector("ipv6");
1983 tapa_handle = find_dissector("tapa");
1984 data_handle = find_dissector("data");
1986 dissector_add("ethertype", ETHERTYPE_IP, ip_handle);
1987 dissector_add("ppp.protocol", PPP_IP, ip_handle);
1988 dissector_add("ppp.protocol", ETHERTYPE_IP, ip_handle);
1989 dissector_add("gre.proto", ETHERTYPE_IP, ip_handle);
1990 dissector_add("gre.proto", GRE_WCCP, ip_handle);
1991 dissector_add("llc.dsap", SAP_IP, ip_handle);
1992 dissector_add("ip.proto", IP_PROTO_IPIP, ip_handle);
1993 dissector_add("null.type", BSD_AF_INET, ip_handle);
1994 dissector_add("chdlctype", ETHERTYPE_IP, ip_handle);
1995 dissector_add("osinl.excl", NLPID_IP, ip_handle);
1996 dissector_add("fr.ietf", NLPID_IP, ip_handle);
1997 dissector_add("x.25.spi", NLPID_IP, ip_handle);
1998 dissector_add("arcnet.protocol_id", ARCNET_PROTO_IP_1051, ip_handle);
1999 dissector_add("arcnet.protocol_id", ARCNET_PROTO_IP_1201, ip_handle);
2000 dissector_add_handle("udp.port", ip_handle);