2 * Routines for IEEE 802.2 LLC layer
3 * Gilbert Ramirez <gram@alumni.rice.edu>
5 * $Id: packet-llc.c,v 1.117 2004/01/03 03:49:22 guy Exp $
7 * Ethereal - Network traffic analyzer
8 * By Gerald Combs <gerald@ethereal.com>
9 * Copyright 1998 Gerald Combs
11 * This program is free software; you can redistribute it and/or
12 * modify it under the terms of the GNU General Public License
13 * as published by the Free Software Foundation; either version 2
14 * of the License, or (at your option) any later version.
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
21 * You should have received a copy of the GNU General Public License
22 * along with this program; if not, write to the Free Software
23 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
31 #include <epan/packet.h>
36 #include "bridged_pids.h"
38 #include "arcnet_pids.h"
39 #include "packet-fc.h"
40 #include "packet-ip.h"
41 #include "packet-ipx.h"
42 #include "packet-netbios.h"
43 #include "packet-vines.h"
44 #include <epan/sna-utils.h>
46 #include "packet-llc.h"
48 #define UDP_PORT_LLC1 12000
49 #define UDP_PORT_LLC2 12001
50 #define UDP_PORT_LLC3 12002
51 #define UDP_PORT_LLC4 12003
52 #define UDP_PORT_LLC5 12004
54 static int proto_llc = -1;
55 static int hf_llc_dsap = -1;
56 static int hf_llc_ssap = -1;
57 static int hf_llc_dsap_ig = -1;
58 static int hf_llc_ssap_cr = -1;
59 static int hf_llc_ctrl = -1;
60 static int hf_llc_n_r = -1;
61 static int hf_llc_n_s = -1;
62 static int hf_llc_p = -1;
63 static int hf_llc_p_ext = -1;
64 static int hf_llc_f = -1;
65 static int hf_llc_f_ext = -1;
66 static int hf_llc_s_ftype = -1;
67 static int hf_llc_u_modifier_cmd = -1;
68 static int hf_llc_u_modifier_resp = -1;
69 static int hf_llc_ftype_i = -1;
70 static int hf_llc_ftype_s_u = -1;
71 static int hf_llc_ftype_s_u_ext = -1;
72 static int hf_llc_type = -1;
73 static int hf_llc_oui = -1;
74 static int hf_llc_pid = -1;
76 static gint ett_llc = -1;
77 static gint ett_llc_ctrl = -1;
79 static dissector_table_t subdissector_table;
80 static dissector_table_t xid_subdissector_table;
82 static dissector_handle_t bpdu_handle;
83 static dissector_handle_t eth_handle;
84 static dissector_handle_t fddi_handle;
85 static dissector_handle_t tr_handle;
86 static dissector_handle_t data_handle;
89 * Group/Individual bit, in the DSAP.
91 #define DSAP_GI_BIT 0x01
94 * Command/Response bit, in the SSAP.
96 * The low-order bit of the SSAP apparently determines whether this
97 * is a request or a response. (RFC 1390, "Transmission of IP and
98 * ARP over FDDI Networks", says
100 * Command frames are identified by having the low order
101 * bit of the SSAP address reset to zero. Response frames
102 * have the low order bit of the SSAP address set to one.
104 * and a page I've seen seems to imply that's part of 802.2.)
106 #define SSAP_CR_BIT 0x01
109 * Mask to extrace the SAP number from the DSAP or the SSAP.
111 #define SAP_MASK 0xFE
114 * These are for SSAP and DSAP, wth last bit always zero.
115 * XXX - some DSAPs come in separate "individual" and "group" versions,
116 * with the last bit 0 and 1, respectively (e.g., LLC Sub-layer Management,
117 * IBM SNA Path Control, IBM Net Management), but, whilst 0xFE is
118 * the ISO Network Layer Protocol, 0xFF is the Global LSAP.
120 const value_string sap_vals[] = {
121 { SAP_NULL, "NULL LSAP" },
122 { SAP_LLC_SLMGMT, "LLC Sub-Layer Management" },
123 { SAP_SNA_PATHCTRL, "SNA Path Control" },
124 { SAP_IP, "TCP/IP" },
127 { SAP_PROWAY_NM_INIT, "PROWAY (IEC955) Network Management and Initialization" },
128 { SAP_NETWARE1, "NetWare (unofficial?)" },
129 { SAP_OSINL1, "ISO Network Layer (OSLAN 1)" },
130 { SAP_TI, "Texas Instruments" },
131 { SAP_OSINL2, "ISO Network Layer (unofficial?)" },
132 { SAP_OSINL3, "ISO Network Layer (unofficial?)" },
133 { SAP_BPDU, "Spanning Tree BPDU" },
134 { SAP_RS511, "EIA RS-511 Manufacturing Message Service" },
135 { SAP_OSINL4, "ISO Network Layer (OSLAN 2)" },
136 { SAP_X25, "ISO 8208 (X.25 over 802.2)" },
138 * XXX - setting the group bit of SAP_X25 make 0x7F; is this just
139 * a group version of that?
141 { 0x7F, "ISO 802.2" },
143 { SAP_BACNET, "BACnet" },
144 { SAP_NESTAR, "Nestar" },
145 { SAP_PROWAY_ASLM, "PROWAY (IEC955) Active Station List Maintenance" },
146 { SAP_ARP, "ARP" }, /* XXX - hand to "dissect_arp()"? */
147 { SAP_SNAP, "SNAP" },
148 { SAP_VINES1, "Banyan Vines" },
149 { SAP_VINES2, "Banyan Vines" },
150 { SAP_NETWARE2, "NetWare" },
151 { SAP_NETBIOS, "NetBIOS" },
152 { SAP_IBMNM, "IBM Net Management" },
153 { SAP_HPEXT, "HP Extended LLC" },
154 { SAP_UB, "Ungermann-Bass" },
155 { SAP_RPL, "Remote Program Load" },
156 { SAP_OSINL5, "ISO Network Layer" },
157 { SAP_GLOBAL, "Global LSAP" },
164 * http://www.cisco.com/univercd/cc/td/doc/product/lan/trsrb/vlan.htm
166 * for the PIDs for VTP and DRiP that go with an OUI of OUI_CISCO.
168 const value_string oui_vals[] = {
169 { OUI_ENCAP_ETHER, "Encapsulated Ethernet" },
171 http://www.cisco.com/univercd/cc/td/doc/product/software/ios113ed/113ed_cr/ibm_r/brprt1/brsrb.htm
173 { OUI_CISCO, "Cisco" },
174 { OUI_CISCO_90, "Cisco IOS 9.0 Compatible" },
175 { OUI_BRIDGED, "Frame Relay or ATM bridged frames" },
176 /* RFC 2427, RFC 2684 */
177 { OUI_ATM_FORUM, "ATM Forum" },
178 { OUI_CABLE_BPDU, "DOCSIS Spanning Tree" }, /* DOCSIS spanning tree BPDU */
179 { OUI_APPLE_ATALK, "Apple (AppleTalk)" },
180 { OUI_NORTEL, "Nortel Networks SONMP" },
185 * Hash table for translating OUIs to a dissector table/field info pair;
186 * the dissector table maps PID values to dissectors, and the field
187 * corresponds to the PID for that OUI.
190 dissector_table_t table;
191 hf_register_info *field_info;
194 static GHashTable *oui_info_table = NULL;
197 * Add an entry for a new OUI.
200 llc_add_oui(guint32 oui, const char *table_name, char *table_ui_name,
201 hf_register_info *hf_item)
203 oui_info_t *new_info;
205 new_info = g_malloc(sizeof (oui_info_t));
206 new_info->table = register_dissector_table(table_name,
207 table_ui_name, FT_UINT16, BASE_HEX);
208 new_info->field_info = hf_item;
211 * Create the hash table for OUI information, if it doesn't
214 if (oui_info_table == NULL) {
215 oui_info_table = g_hash_table_new(g_direct_hash,
218 g_hash_table_insert(oui_info_table, (gpointer)oui, new_info);
222 capture_llc(const guchar *pd, int offset, int len, packet_counts *ld) {
230 if (!BYTES_ARE_IN_FRAME(offset, len, 2)) {
234 is_snap = (pd[offset] == SAP_SNAP) && (pd[offset+1] == SAP_SNAP);
235 llc_header_len = 2; /* DSAP + SSAP */
238 * XXX - the page referred to in the comment above about the
239 * Command/Response bit also implies that LLC Type 2 always
240 * uses extended operation, so we don't need to determine
241 * whether it's basic or extended operation; is that the case?
243 control = get_xdlc_control(pd, offset+2, pd[offset+1] & SSAP_CR_BIT);
244 llc_header_len += XDLC_CONTROL_LEN(control, TRUE);
246 llc_header_len += 5; /* 3 bytes of OUI, 2 bytes of protocol ID */
247 if (!BYTES_ARE_IN_FRAME(offset, len, llc_header_len)) {
253 oui = pd[offset+3] << 16 | pd[offset+4] << 8 | pd[offset+5];
254 if (XDLC_IS_INFORMATION(control)) {
255 etype = pntohs(&pd[offset+6]);
258 case OUI_ENCAP_ETHER:
260 case OUI_APPLE_ATALK:
261 /* No, I have no idea why Apple used
262 one of their own OUIs, rather than
263 OUI_ENCAP_ETHER, and an Ethernet
264 packet type as protocol ID, for
265 AppleTalk data packets - but used
266 OUI_ENCAP_ETHER and an Ethernet
267 packet type for AARP packets. */
268 capture_ethertype(etype, pd, offset+8, len,
272 capture_ethertype(etype, pd, offset + 8, len,
283 if (XDLC_IS_INFORMATION(control)) {
284 switch (pd[offset]) {
287 capture_ip(pd, offset + llc_header_len, len,
313 /* Used only for U frames */
314 static const xdlc_cf_items llc_cf_items = {
320 &hf_llc_u_modifier_cmd,
321 &hf_llc_u_modifier_resp,
326 /* Used only for I and S frames */
327 static const xdlc_cf_items llc_cf_items_ext = {
336 &hf_llc_ftype_s_u_ext
340 dissect_llc(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
342 proto_tree *llc_tree = NULL;
343 proto_item *ti = NULL;
350 if (check_col(pinfo->cinfo, COL_PROTOCOL)) {
351 col_set_str(pinfo->cinfo, COL_PROTOCOL, "LLC");
353 if (check_col(pinfo->cinfo, COL_INFO)) {
354 col_clear(pinfo->cinfo, COL_INFO);
357 dsap = tvb_get_guint8(tvb, 0);
359 ti = proto_tree_add_item(tree, proto_llc, tvb, 0, -1, FALSE);
360 llc_tree = proto_item_add_subtree(ti, ett_llc);
361 proto_tree_add_uint(llc_tree, hf_llc_dsap, tvb, 0,
363 proto_tree_add_boolean(llc_tree, hf_llc_dsap_ig, tvb, 0,
364 1, dsap & DSAP_GI_BIT);
368 ssap = tvb_get_guint8(tvb, 1);
370 proto_tree_add_uint(llc_tree, hf_llc_ssap, tvb, 1,
372 proto_tree_add_boolean(llc_tree, hf_llc_ssap_cr, tvb, 1,
373 1, ssap & SSAP_CR_BIT);
377 is_snap = (dsap == SAP_SNAP) && (ssap == SAP_SNAP);
378 llc_header_len = 2; /* DSAP + SSAP */
381 * XXX - the page referred to in the comment above about the
382 * Command/Response bit also implies that LLC Type 2 always
383 * uses extended operation, so we don't need to determine
384 * whether it's basic or extended operation; is that the case?
386 control = dissect_xdlc_control(tvb, 2, pinfo, llc_tree,
387 hf_llc_ctrl, ett_llc_ctrl,
388 &llc_cf_items, &llc_cf_items_ext,
389 ssap & SSAP_CR_BIT, TRUE, FALSE);
390 llc_header_len += XDLC_CONTROL_LEN(control, TRUE);
392 llc_header_len += 5; /* 3 bytes of OUI, 2 bytes of protocol ID */
395 proto_item_set_len(ti, llc_header_len);
398 dissect_snap(tvb, 3, pinfo, tree, llc_tree, control,
399 hf_llc_oui, hf_llc_type, hf_llc_pid, 2);
402 if (check_col(pinfo->cinfo, COL_INFO)) {
403 col_append_fstr(pinfo->cinfo, COL_INFO,
404 "; DSAP %s %s, SSAP %s %s",
405 val_to_str(dsap & SAP_MASK, sap_vals, "%02x"),
407 "Group" : "Individual",
408 val_to_str(ssap & SAP_MASK, sap_vals, "%02x"),
410 "Response" : "Command"
414 if (tvb_length_remaining(tvb, llc_header_len) > 0) {
415 next_tvb = tvb_new_subset(tvb, llc_header_len, -1, -1);
416 if (XDLC_IS_INFORMATION(control)) {
418 * Non-SNAP I or UI frame.
419 * Try the regular LLC subdissector table
422 if (!dissector_try_port(subdissector_table,
423 dsap, next_tvb, pinfo, tree)) {
424 call_dissector(data_handle, next_tvb,
427 } else if ((control & (XDLC_U_MODIFIER_MASK|XDLC_U))
428 == (XDLC_XID|XDLC_U)) {
430 * Non-SNAP XID frame.
431 * Try the XID LLC subdissector table
434 if (!dissector_try_port(xid_subdissector_table,
435 dsap, next_tvb, pinfo, tree)) {
436 call_dissector(data_handle, next_tvb,
440 call_dissector(data_handle, next_tvb, pinfo,
448 * Dissect SNAP header; used elsewhere, e.g. in the Frame Relay dissector.
451 dissect_snap(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree,
452 proto_tree *snap_tree, int control, int hf_oui, int hf_type, int hf_pid,
458 oui_info_t *oui_info;
459 dissector_table_t subdissector_table;
462 oui = tvb_get_ntoh24(tvb, offset);
463 etype = tvb_get_ntohs(tvb, offset+3);
465 if (check_col(pinfo->cinfo, COL_INFO)) {
466 col_append_fstr(pinfo->cinfo, COL_INFO,
467 "; SNAP, OUI 0x%06X (%s), PID 0x%04X",
468 oui, val_to_str(oui, oui_vals, "Unknown"), etype);
471 proto_tree_add_uint(snap_tree, hf_oui, tvb, offset, 3, oui);
476 case OUI_ENCAP_ETHER:
478 case OUI_APPLE_ATALK:
479 /* No, I have no idea why Apple used
480 one of their own OUIs, rather than
481 OUI_ENCAP_ETHER, and an Ethernet
482 packet type as protocol ID, for
483 AppleTalk data packets - but used
484 OUI_ENCAP_ETHER and an Ethernet
485 packet type for AARP packets. */
486 if (XDLC_IS_INFORMATION(control)) {
487 ethertype(etype, tvb, offset+5,
488 pinfo, tree, snap_tree, hf_type, -1, 0);
490 next_tvb = tvb_new_subset(tvb, offset+5, -1, -1);
491 call_dissector(data_handle,next_tvb, pinfo, tree);
497 * MAC frames bridged over ATM (RFC 2684) or Frame Relay
500 * We have to figure out how much padding to put
501 * into the frame. We were handed a "bridge_pad"
502 * argument which should be 0 for Frame Relay and
503 * 2 for ATM; we add to that the amount of padding
504 * common to both bridging types.
507 proto_tree_add_uint(snap_tree, hf_pid, tvb, offset+3, 2,
513 case BPID_ETH_WITH_FCS:
514 case BPID_ETH_WITHOUT_FCS:
515 next_tvb = tvb_new_subset(tvb, offset+5+bridge_pad,
517 call_dissector(eth_handle, next_tvb, pinfo, tree);
520 case BPID_802_5_WITH_FCS:
521 case BPID_802_5_WITHOUT_FCS:
523 * We treat the last padding byte as the Access
524 * Control byte, as that's what the Token
525 * Ring dissector expects the first byte to
528 next_tvb = tvb_new_subset(tvb, offset+5+bridge_pad,
530 call_dissector(tr_handle, next_tvb, pinfo, tree);
533 case BPID_FDDI_WITH_FCS:
534 case BPID_FDDI_WITHOUT_FCS:
535 next_tvb = tvb_new_subset(tvb, offset+5+1+bridge_pad,
537 call_dissector(fddi_handle, next_tvb, pinfo, tree);
541 next_tvb = tvb_new_subset(tvb, offset+5, -1, -1);
542 call_dissector(bpdu_handle, next_tvb, pinfo, tree);
546 next_tvb = tvb_new_subset(tvb, offset+5, -1, -1);
547 call_dissector(data_handle,next_tvb, pinfo, tree);
552 case OUI_CABLE_BPDU: /* DOCSIS cable modem spanning tree BPDU */
554 proto_tree_add_uint(snap_tree, hf_pid, tvb, offset+3, 2,
557 next_tvb = tvb_new_subset(tvb, offset+5, -1, -1);
558 call_dissector(bpdu_handle, next_tvb, pinfo, tree);
563 * Do we have information for this OUI?
565 oui_info = g_hash_table_lookup(oui_info_table, (gpointer)oui);
566 if (oui_info != NULL) {
570 hf = *oui_info->field_info->p_id;
571 subdissector_table = oui_info->table;
574 * No, use hf_pid for the PID and just dissect
575 * the payload as data.
578 subdissector_table = NULL;
581 proto_tree_add_uint(snap_tree, hf, tvb, offset+3, 2,
584 next_tvb = tvb_new_subset(tvb, offset+5, -1, -1);
585 if (XDLC_IS_INFORMATION(control)) {
586 if (subdissector_table != NULL) {
587 /* do lookup with the subdissector table */
588 if (dissector_try_port(subdissector_table,
589 etype, next_tvb, pinfo, tree))
593 call_dissector(data_handle, next_tvb, pinfo, tree);
599 proto_register_llc(void)
601 static struct true_false_string ig_bit = { "Group", "Individual" };
602 static struct true_false_string cr_bit = { "Response", "Command" };
604 static hf_register_info hf[] = {
606 { "DSAP", "llc.dsap", FT_UINT8, BASE_HEX,
607 VALS(sap_vals), 0x0, "", HFILL }},
610 { "IG Bit", "llc.dsap.ig", FT_BOOLEAN, BASE_HEX,
611 &ig_bit, 0x0, "Individual/Group", HFILL }},
614 { "SSAP", "llc.ssap", FT_UINT8, BASE_HEX,
615 VALS(sap_vals), 0x0, "", HFILL }},
618 { "CR Bit", "llc.ssap.cr", FT_BOOLEAN, BASE_HEX,
619 &cr_bit, 0x0, "Command/Response", HFILL }},
622 { "Control", "llc.control", FT_UINT16, BASE_HEX,
623 NULL, 0x0, "", HFILL }},
626 { "N(R)", "llc.control.n_r", FT_UINT16, BASE_DEC,
627 NULL, XDLC_N_R_EXT_MASK, "", HFILL }},
630 { "N(S)", "llc.control.n_s", FT_UINT16, BASE_DEC,
631 NULL, XDLC_N_S_EXT_MASK, "", HFILL }},
634 { "Poll", "llc.control.p", FT_BOOLEAN, 8,
635 TFS(&flags_set_truth), XDLC_P_F, "", HFILL }},
638 { "Poll", "llc.control.p", FT_BOOLEAN, 16,
639 TFS(&flags_set_truth), XDLC_P_F_EXT, "", HFILL }},
642 { "Final", "llc.control.f", FT_BOOLEAN, 8,
643 TFS(&flags_set_truth), XDLC_P_F, "", HFILL }},
646 { "Final", "llc.control.f", FT_BOOLEAN, 16,
647 TFS(&flags_set_truth), XDLC_P_F_EXT, "", HFILL }},
650 { "Supervisory frame type", "llc.control.s_ftype", FT_UINT16, BASE_HEX,
651 VALS(stype_vals), XDLC_S_FTYPE_MASK, "", HFILL }},
653 { &hf_llc_u_modifier_cmd,
654 { "Command", "llc.control.u_modifier_cmd", FT_UINT8, BASE_HEX,
655 VALS(modifier_vals_cmd), XDLC_U_MODIFIER_MASK, "", HFILL }},
657 { &hf_llc_u_modifier_resp,
658 { "Response", "llc.control.u_modifier_resp", FT_UINT8, BASE_HEX,
659 VALS(modifier_vals_resp), XDLC_U_MODIFIER_MASK, "", HFILL }},
662 { "Frame type", "llc.control.ftype", FT_UINT16, BASE_HEX,
663 VALS(ftype_vals), XDLC_I_MASK, "", HFILL }},
666 { "Frame type", "llc.control.ftype", FT_UINT8, BASE_HEX,
667 VALS(ftype_vals), XDLC_S_U_MASK, "", HFILL }},
669 { &hf_llc_ftype_s_u_ext,
670 { "Frame type", "llc.control.ftype", FT_UINT16, BASE_HEX,
671 VALS(ftype_vals), XDLC_S_U_MASK, "", HFILL }},
673 /* registered here but handled in ethertype.c */
675 { "Type", "llc.type", FT_UINT16, BASE_HEX,
676 VALS(etype_vals), 0x0, "", HFILL }},
679 { "Organization Code", "llc.oui", FT_UINT24, BASE_HEX,
680 VALS(oui_vals), 0x0, "", HFILL }},
683 { "Protocol ID", "llc.pid", FT_UINT16, BASE_HEX,
684 NULL, 0x0, "", HFILL }}
686 static gint *ett[] = {
691 proto_llc = proto_register_protocol("Logical-Link Control", "LLC", "llc");
692 proto_register_field_array(proto_llc, hf, array_length(hf));
693 proto_register_subtree_array(ett, array_length(ett));
695 /* subdissector code */
696 subdissector_table = register_dissector_table("llc.dsap",
697 "LLC SAP", FT_UINT8, BASE_HEX);
698 xid_subdissector_table = register_dissector_table("llc.xid_dsap",
699 "LLC XID SAP", FT_UINT8, BASE_HEX);
701 register_dissector("llc", dissect_llc, proto_llc);
705 register_hf(gpointer key _U_, gpointer value, gpointer user_data _U_)
707 oui_info_t *info = value;
709 proto_register_field_array(proto_llc, info->field_info, 1);
713 proto_reg_handoff_llc(void)
715 dissector_handle_t llc_handle;
718 * Get handles for the BPDU, Ethernet, FDDI, and Token Ring
721 bpdu_handle = find_dissector("bpdu");
722 eth_handle = find_dissector("eth");
723 fddi_handle = find_dissector("fddi");
724 tr_handle = find_dissector("tr");
725 data_handle = find_dissector("data");
727 llc_handle = find_dissector("llc");
728 dissector_add("wtap_encap", WTAP_ENCAP_ATM_RFC1483, llc_handle);
730 dissector_add("ppp.protocol", PPP_LLC, llc_handle);
732 dissector_add("udp.port", UDP_PORT_LLC1, llc_handle);
733 dissector_add("udp.port", UDP_PORT_LLC2, llc_handle);
734 dissector_add("udp.port", UDP_PORT_LLC3, llc_handle);
735 dissector_add("udp.port", UDP_PORT_LLC4, llc_handle);
736 dissector_add("udp.port", UDP_PORT_LLC5, llc_handle);
737 /* IP-over-FC when we have the full FC frame */
738 dissector_add("fc.ftype", FC_FTYPE_IP, llc_handle);
741 * BACNET-over-ARCNET is really BACNET-over-802.2 LLC-over-ARCNET,
744 dissector_add("arcnet.protocol_id", ARCNET_PROTO_BACNET, llc_handle);
747 * Register all the fields for PIDs for various OUIs.
749 g_hash_table_foreach(oui_info_table, register_hf, NULL);