2 * Routines for IEEE 802.2 LLC layer
3 * Gilbert Ramirez <gram@xiexie.org>
5 * $Id: packet-llc.c,v 1.54 2000/04/13 02:36:35 guy Exp $
7 * Ethereal - Network traffic analyzer
8 * By Gerald Combs <gerald@zing.org>
9 * Copyright 1998 Gerald Combs
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version 2
15 * of the License, or (at your option) any later version.
17 * This program is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU General Public License for more details.
22 * You should have received a copy of the GNU General Public License
23 * along with this program; if not, write to the Free Software
24 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
31 #ifdef HAVE_SYS_TYPES_H
32 # include <sys/types.h>
40 #include "packet-bpdu.h"
41 #include "packet-cdp.h"
42 #include "packet-cgmp.h"
43 #include "packet-ip.h"
44 #include "packet-ipx.h"
45 #include "packet-netbios.h"
46 #include "packet-osi.h"
47 #include "packet-sna.h"
48 #include "packet-vtp.h"
50 static int proto_llc = -1;
51 static int hf_llc_dsap = -1;
52 static int hf_llc_ssap = -1;
53 static int hf_llc_dsap_ig = -1;
54 static int hf_llc_ssap_cr = -1;
55 static int hf_llc_ctrl = -1;
56 static int hf_llc_type = -1;
57 static int hf_llc_oui = -1;
58 static int hf_llc_pid = -1;
60 static gint ett_llc = -1;
61 static gint ett_llc_ctrl = -1;
63 typedef void (capture_func_t)(const u_char *, int, packet_counts *);
64 typedef void (dissect_func_t)(const u_char *, int, frame_data *, proto_tree *);
66 /* The SAP info is split into two tables, one value_string table and one table of sap_info. This is
67 * so that the value_string can be used in the header field registration.
71 capture_func_t *capture_func;
72 dissect_func_t *dissect_func;
76 * Group/Individual bit, in the DSAP.
78 #define DSAP_GI_BIT 0x01
81 * Command/Response bit, in the SSAP.
83 * The low-order bit of the SSAP apparently determines whether this
84 * is a request or a response. (RFC 1390, "Transmission of IP and
85 * ARP over FDDI Networks", says
87 * Command frames are identified by having the low order
88 * bit of the SSAP address reset to zero. Response frames
89 * have the low order bit of the SSAP address set to one.
91 * and a page I've seen seems to imply that's part of 802.2.)
93 #define SSAP_CR_BIT 0x01
96 * Mask to extrace the SAP number from the DSAP or the SSAP.
100 #define SAP_SNAP 0xAA
103 * These are for SSAP and DSAP, wth last bit always zero.
104 * XXX - some DSAPs come in separate "individual" and "group" versions,
105 * with the last bit 0 and 1, respectively (e.g., LLC Sub-layer Management,
106 * IBM SNA Path Control, IBM Net Management), but, whilst 0xFE is
107 * the ISO Network Layer Protocol, 0xFF is the Global LSAP.
109 static const value_string sap_vals[] = {
110 { 0x00, "NULL LSAP" },
111 { 0x02, "LLC Sub-Layer Management" },
112 { 0x04, "SNA Path Control" },
116 { 0x0E, "PROWAY (IEC955) Network Management and Initialization" },
117 { 0x18, "Texas Instruments" },
118 { 0x42, "Spanning Tree BPDU" },
119 { 0x4E, "EIA RS-511 Manufacturing Message Service" },
121 /* XXX - setting the group bit makes this 0x7F; is that just
122 a group version of this? */
123 { 0x7E, "ISO 8208 (X.25 over 802.2 Type 2)" },
125 { 0x7F, "ISO 802.2" },
128 { 0x8E, "PROWAY (IEC955) Active Station List Maintenance" },
129 { 0x98, "ARP" }, /* XXX - hand to "dissect_arp()"? */
130 { SAP_SNAP, "SNAP" },
131 { 0xBA, "Banyan Vines" },
132 { 0xBC, "Banyan Vines" },
135 { 0xF4, "IBM Net Management" },
136 { 0xF8, "Remote Program Load" },
137 { 0xFA, "Ungermann-Bass" },
138 { 0xFC, "Remote Program Load" },
139 { 0xFE, "ISO Network Layer" },
140 { 0xFF, "Global LSAP" },
144 static struct sap_info saps[] = {
145 { 0x00, NULL, NULL },
146 { 0x02, NULL, NULL },
147 { 0x03, NULL, NULL },
148 { 0x04, NULL, dissect_sna },
149 { 0x05, NULL, NULL },
150 { 0x06, capture_ip, dissect_ip },
151 { 0x08, NULL, NULL },
152 { 0x0C, NULL, NULL },
153 { 0x42, NULL, dissect_bpdu },
154 { 0x7F, NULL, NULL },
155 { 0x80, NULL, NULL },
156 { SAP_SNAP, NULL, NULL },
157 { 0xBA, NULL, NULL },
158 { 0xBC, NULL, NULL },
159 { 0xE0, capture_ipx, dissect_ipx },
160 { 0xF0, capture_netbios, dissect_netbios },
161 { 0xF4, NULL, NULL },
162 { 0xF5, NULL, NULL },
163 { 0xF8, NULL, NULL },
164 { 0xFC, NULL, NULL },
165 { 0xFE, NULL, dissect_osi },
166 { 0xFF, NULL, NULL },
173 * http://www.cisco.com/univercd/cc/td/doc/product/lan/trsrb/vlan.htm
175 * for the PIDs for VTP and DRiP that go with an OUI of OUI_CISCO.
177 const value_string oui_vals[] = {
178 { OUI_ENCAP_ETHER, "Encapsulated Ethernet" },
180 http://www.cisco.com/univercd/cc/td/doc/product/software/ios113ed/113ed_cr/ibm_r/brprt1/brsrb.htm
182 { OUI_CISCO, "Cisco" },
183 { OUI_CISCO_90, "Cisco IOS 9.0 Compatible" },
184 { OUI_BFR, "Bridged Frame-Relay" }, /* RFC 2427 */
185 { OUI_ATM_FORUM, "ATM Forum" },
186 { OUI_APPLE_ATALK, "Apple (AppleTalk)" },
187 { OUI_CABLE_BPDU, "DOCSIS Spanning Tree" }, /* DOCSIS spanning tree BPDU */
191 static capture_func_t *
192 sap_capture_func(u_char sap) {
195 /* look for the second record where sap == 0, which should
198 while (saps[i].sap > 0 || i == 0) {
199 if (saps[i].sap == sap) {
200 return saps[i].capture_func;
207 static dissect_func_t *
208 sap_dissect_func(u_char sap) {
211 /* look for the second record where sap == 0, which should
214 while (saps[i].sap > 0 || i == 0) {
215 if (saps[i].sap == sap) {
216 return saps[i].dissect_func;
220 return &dissect_data;
224 capture_llc(const u_char *pd, int offset, packet_counts *ld) {
231 capture_func_t *capture;
233 if (!BYTES_ARE_IN_FRAME(offset, 2)) {
237 is_snap = (pd[offset] == SAP_SNAP) && (pd[offset+1] == SAP_SNAP);
238 llc_header_len = 2; /* DSAP + SSAP */
241 * XXX - the page referred to in the comment above about the
242 * Command/Response bit also implies that LLC Type 2 always
243 * uses extended operation, so we don't need to determine
244 * whether it's basic or extended operation; is that the case?
246 control = get_xdlc_control(pd, offset+2, pd[offset+1] & SSAP_CR_BIT,
248 llc_header_len += XDLC_CONTROL_LEN(control, TRUE);
250 llc_header_len += 5; /* 3 bytes of OUI, 2 bytes of protocol ID */
251 if (!BYTES_ARE_IN_FRAME(offset, llc_header_len)) {
257 oui = pd[offset+3] << 16 | pd[offset+4] << 8 | pd[offset+5];
258 if (XDLC_IS_INFORMATION(control)) {
259 etype = pntohs(&pd[offset+6]);
262 case OUI_ENCAP_ETHER:
263 case OUI_APPLE_ATALK:
264 /* No, I have no idea why Apple used
265 one of their own OUIs, rather than
266 OUI_ENCAP_ETHER, and an Ethernet
267 packet type as protocol ID, for
268 AppleTalk data packets - but used
269 OUI_ENCAP_ETHER and an Ethernet
270 packet type for AARP packets. */
271 capture_ethertype(etype, offset+8, pd,
275 capture_ethertype(etype,
285 if (XDLC_IS_INFORMATION(control)) {
286 capture = sap_capture_func(pd[offset]);
289 offset += llc_header_len;
292 capture(pd, offset, ld);
302 dissect_llc(const u_char *pd, int offset, frame_data *fd, proto_tree *tree) {
304 proto_tree *llc_tree = NULL;
305 proto_item *ti = NULL;
311 dissect_func_t *dissect;
313 if (!BYTES_ARE_IN_FRAME(offset, 2)) {
314 dissect_data(pd, offset, fd, tree);
317 is_snap = (pd[offset] == SAP_SNAP) && (pd[offset+1] == SAP_SNAP);
318 llc_header_len = 2; /* DSAP + SSAP */
320 if (check_col(fd, COL_PROTOCOL)) {
321 col_add_str(fd, COL_PROTOCOL, "LLC");
325 ti = proto_tree_add_item(tree, proto_llc, offset, 0, NULL);
326 llc_tree = proto_item_add_subtree(ti, ett_llc);
327 proto_tree_add_item(llc_tree, hf_llc_dsap, offset,
328 1, pd[offset] & SAP_MASK);
329 proto_tree_add_item(llc_tree, hf_llc_dsap_ig, offset,
330 1, pd[offset] & DSAP_GI_BIT);
331 proto_tree_add_item(llc_tree, hf_llc_ssap, offset+1,
332 1, pd[offset+1] & SAP_MASK);
333 proto_tree_add_item(llc_tree, hf_llc_ssap_cr, offset+1,
334 1, pd[offset+1] & SSAP_CR_BIT);
339 * XXX - the page referred to in the comment above about the
340 * Command/Response bit also implies that LLC Type 2 always
341 * uses extended operation, so we don't need to determine
342 * whether it's basic or extended operation; is that the case?
344 control = dissect_xdlc_control(pd, offset+2, fd, llc_tree,
345 hf_llc_ctrl, ett_llc_ctrl,
346 pd[offset+1] & SSAP_CR_BIT, TRUE);
347 llc_header_len += XDLC_CONTROL_LEN(control, TRUE);
349 llc_header_len += 5; /* 3 bytes of OUI, 2 bytes of protocol ID */
350 if (!BYTES_ARE_IN_FRAME(offset, llc_header_len)) {
351 dissect_data(pd, offset, fd, tree);
355 proto_item_set_len(ti, llc_header_len);
358 * XXX - do we want to append the SAP information to the stuff
359 * "dissect_xdlc_control()" put in the COL_INFO column, rather
360 * than overwriting it?
363 oui = pd[offset+3] << 16 | pd[offset+4] << 8 | pd[offset+5];
364 etype = pntohs(&pd[offset+6]);
365 if (check_col(fd, COL_INFO)) {
366 col_add_fstr(fd, COL_INFO, "SNAP, OUI 0x%06X (%s), PID 0x%04X",
367 oui, val_to_str(oui, oui_vals, "Unknown"),
371 proto_tree_add_item(llc_tree, hf_llc_oui, offset+3, 3,
376 case OUI_ENCAP_ETHER:
377 case OUI_APPLE_ATALK:
378 /* No, I have no idea why Apple used
379 one of their own OUIs, rather than
380 OUI_ENCAP_ETHER, and an Ethernet
381 packet type as protocol ID, for
382 AppleTalk data packets - but used
383 OUI_ENCAP_ETHER and an Ethernet
384 packet type for AARP packets. */
385 if (XDLC_IS_INFORMATION(control)) {
386 ethertype(etype, offset+8, pd,
387 fd, tree, llc_tree, hf_llc_type);
389 dissect_data(pd, offset+8, fd, tree);
393 /* So are all CDP packets LLC packets
394 with an OUI of OUI_CISCO and a
395 protocol ID of 0x2000, or
396 are some of them raw or encapsulated
399 proto_tree_add_item(llc_tree,
400 hf_llc_pid, offset+6, 2, etype);
402 if (XDLC_IS_INFORMATION(control)) {
407 dissect_drip(pd, offset+8, fd, tree);
412 dissect_cdp(pd, offset+8, fd, tree);
416 dissect_cgmp(pd, offset+8, fd, tree);
420 dissect_vtp(pd, offset+8, fd, tree);
424 dissect_data(pd, offset+8, fd, tree);
428 dissect_data(pd, offset+8, fd, tree);
431 case OUI_CABLE_BPDU: /* DOCSIS cable modem spanning tree BPDU */
433 proto_tree_add_item(llc_tree,
434 hf_llc_pid, offset+6, 2, etype);
436 dissect_bpdu(pd, offset+8, fd, tree);
441 proto_tree_add_item(llc_tree,
442 hf_llc_pid, offset+6, 2, etype);
444 dissect_data(pd, offset+8, fd, tree);
449 if (check_col(fd, COL_INFO)) {
450 col_add_fstr(fd, COL_INFO,
451 "DSAP %s %s, SSAP %s %s",
452 val_to_str(pd[offset] & SAP_MASK, sap_vals, "%02x"),
453 pd[offset] & DSAP_GI_BIT ?
454 "Group" : "Individual",
455 val_to_str(pd[offset+1] & SAP_MASK, sap_vals, "%02x"),
456 pd[offset+1] & SSAP_CR_BIT ?
457 "Response" : "Command"
461 if (XDLC_IS_INFORMATION(control)) {
462 dissect = sap_dissect_func(pd[offset]);
465 offset += llc_header_len;
468 dissect(pd, offset, fd, tree);
471 dissect_data(pd, offset, fd, tree);
474 offset += llc_header_len;
475 dissect_data(pd, offset, fd, tree);
481 proto_register_llc(void)
483 static struct true_false_string ig_bit = { "Group", "Individual" };
484 static struct true_false_string cr_bit = { "Response", "Command" };
486 static hf_register_info hf[] = {
488 { "DSAP", "llc.dsap", FT_UINT8, BASE_HEX,
489 VALS(sap_vals), 0x0, "" }},
492 { "IG Bit", "llc.dsap.ig", FT_BOOLEAN, BASE_HEX,
493 &ig_bit, 0x0, "Individual/Group" }},
496 { "SSAP", "llc.ssap", FT_UINT8, BASE_HEX,
497 VALS(sap_vals), 0x0, "" }},
500 { "CR Bit", "llc.ssap.cr", FT_BOOLEAN, BASE_HEX,
501 &cr_bit, 0x0, "Command/Response" }},
504 { "Control", "llc.control", FT_UINT16, BASE_HEX,
507 /* registered here but handled in ethertype.c */
509 { "Type", "llc.type", FT_UINT16, BASE_HEX,
510 VALS(etype_vals), 0x0, "" }},
513 { "Organization Code", "llc.oui", FT_UINT24, BASE_HEX,
514 VALS(oui_vals), 0x0, ""}},
517 { "Protocol ID", "llc.pid", FT_UINT16, BASE_HEX,
520 static gint *ett[] = {
525 proto_llc = proto_register_protocol ("Logical-Link Control", "llc" );
526 proto_register_field_array(proto_llc, hf, array_length(hf));
527 proto_register_subtree_array(ett, array_length(ett));