2 * Routines for packet disassembly
4 * $Id: packet.c,v 1.42 1999/09/12 06:11:36 guy Exp $
6 * Ethereal - Network traffic analyzer
7 * By Gerald Combs <gerald@zing.org>
8 * Copyright 1998 Gerald Combs
11 * This program is free software; you can redistribute it and/or
12 * modify it under the terms of the GNU General Public License
13 * as published by the Free Software Foundation; either version 2
14 * of the License, or (at your option) any later version.
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
21 * You should have received a copy of the GNU General Public License
22 * along with this program; if not, write to the Free Software
23 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
30 #ifdef HAVE_SYS_TYPES_H
31 # include <sys/types.h>
34 #ifdef HAVE_SYS_SOCKET_H
35 #include <sys/socket.h>
50 #ifdef NEED_SNPRINTF_H
51 # include "snprintf.h"
54 #ifdef HAVE_NETINET_IN_H
55 # include <netinet/in.h>
61 extern capture_file cf;
64 int hf_frame_arrival_time = -1;
65 int hf_frame_time_delta = -1;
66 int hf_frame_number = -1;
67 int hf_frame_packet_len = -1;
68 int hf_frame_capture_len = -1;
71 ether_to_str(const guint8 *ad) {
72 static gchar str[3][18];
77 static const gchar hex_digits[16] = "0123456789abcdef";
79 if (cur == &str[0][0]) {
81 } else if (cur == &str[1][0]) {
91 *--p = hex_digits[octet&0xF];
93 *--p = hex_digits[octet&0xF];
103 ip_to_str(const guint8 *ad) {
104 static gchar str[3][16];
111 if (cur == &str[0][0]) {
113 } else if (cur == &str[1][0]) {
123 *--p = (octet%10) + '0';
127 if (digit != 0 || octet != 0)
139 #define PLURALIZE(n) (((n) > 1) ? "s" : "")
140 #define COMMA(do_it) ((do_it) ? ", " : "")
143 time_secs_to_str(guint32 time)
145 static gchar str[3][8+1+4+2+2+5+2+2+7+2+2+7+1];
146 static gchar *cur, *p;
147 int hours, mins, secs;
150 if (cur == &str[0][0]) {
152 } else if (cur == &str[1][0]) {
167 sprintf(p, "%u day%s", time, PLURALIZE(time));
173 sprintf(p, "%s%u hour%s", COMMA(do_comma), hours, PLURALIZE(hours));
179 sprintf(p, "%s%u minute%s", COMMA(do_comma), mins, PLURALIZE(mins));
185 sprintf(p, "%s%u second%s", COMMA(do_comma), secs, PLURALIZE(secs));
189 /* Max string length for displaying byte string. */
190 #define MAX_BYTE_STR_LEN 16
192 /* Turn an array of bytes into a string showing the bytes in hex. */
194 bytes_to_str(const guint8 *bd, int bd_len) {
195 static gchar str[3][MAX_BYTE_STR_LEN+3+1];
199 static const char hex[16] = { '0', '1', '2', '3', '4', '5', '6', '7',
200 '8', '9', 'A', 'B', 'C', 'D', 'E', 'F' };
202 if (cur == &str[0][0]) {
204 } else if (cur == &str[1][0]) {
210 len = MAX_BYTE_STR_LEN;
211 while (bd_len > 0 && len > 0) {
212 *p++ = hex[(*bd) >> 4];
213 *p++ = hex[(*bd) & 0xF];
219 /* Note that we're not showing the full string. */
228 static const char *mon_names[12] = {
244 abs_time_to_str(struct timeval *abs_time)
248 static char str[3][3+1+2+2+4+1+2+1+2+1+2+1+4+1 + 5 /* extra */];
250 if (cur == &str[0][0]) {
252 } else if (cur == &str[1][0]) {
258 tmp = localtime(&abs_time->tv_sec);
259 sprintf(cur, "%s %2d, %d %02d:%02d:%02d.%04ld",
260 mon_names[tmp->tm_mon],
266 (long)abs_time->tv_usec/100);
272 rel_time_to_str(struct timeval *rel_time)
275 static char str[3][10+1+6+1];
277 if (cur == &str[0][0]) {
279 } else if (cur == &str[1][0]) {
285 sprintf(cur, "%ld.%06ld", (long)rel_time->tv_sec,
286 (long)rel_time->tv_usec);
292 * Given a pointer into a data buffer, and to the end of the buffer,
293 * find the end of the (putative) line at that position in the data
295 * Return a pointer to the EOL character(s) in "*eol".
298 find_line_end(const u_char *data, const u_char *dataend, const u_char **eol)
300 const u_char *lineend;
302 lineend = memchr(data, '\n', dataend - data);
303 if (lineend == NULL) {
305 * No LF - line is probably continued in next TCP segment.
311 * Is the LF at the beginning of the line?
313 if (lineend > data) {
315 * No - is it preceded by a carriage return?
316 * (Perhaps it's supposed to be, but that's not guaranteed....)
318 if (*(lineend - 1) == '\r') {
320 * Yes. The EOL starts with the CR.
325 * No. The EOL starts with the LF.
330 * I seem to remember that we once saw lines ending with LF-CR
331 * in an HTTP request or response, so check if it's *followed*
332 * by a carriage return.
334 if (lineend < (dataend - 1) && *(lineend + 1) == '\r') {
336 * It's <non-LF><LF><CR>; say it ends with the CR.
344 * Point to the character after the last character.
351 #define MAX_COLUMNS_LINE_DETAIL 62
354 * Get the length of the next token in a line, and the beginning of the
355 * next token after that (if any).
356 * Return 0 if there is no next token.
359 get_token_len(const u_char *linep, const u_char *lineend,
360 const u_char **next_token)
362 const u_char *tokenp;
368 * Search for a blank, a CR or an LF, or the end of the buffer.
370 while (linep < lineend && *linep != ' ' && *linep != '\r' && *linep != '\n')
372 token_len = linep - tokenp;
375 * Skip trailing blanks.
377 while (linep < lineend && *linep == ' ')
386 * Given a string, generate a string from it that shows non-printable
387 * characters as C-style escapes, and return a pointer to it.
390 format_text(const u_char *string, int len)
392 static gchar fmtbuf[MAX_COLUMNS_LINE_DETAIL + 3 + 4 + 1];
395 const u_char *stringend = string + len;
400 fmtbufp = &fmtbuf[0];
401 while (string < stringend) {
402 if (column >= MAX_COLUMNS_LINE_DETAIL) {
404 * Put "..." and quit.
406 strcpy(fmtbufp, " ...");
460 *fmtbufp++ = i + '0';
463 *fmtbufp++ = i + '0';
466 *fmtbufp++ = i + '0';
477 /* Tries to match val against each element in the value_string array vs.
478 Returns the associated string ptr on a match.
479 Formats val with fmt, and returns the resulting string, on failure. */
481 val_to_str(guint32 val, const value_string *vs, const char *fmt) {
483 static gchar str[3][64];
486 ret = match_strval(val, vs);
489 if (cur == &str[0][0]) {
491 } else if (cur == &str[1][0]) {
496 snprintf(cur, 64, fmt, val);
500 /* Tries to match val against each element in the value_string array vs.
501 Returns the associated string ptr on a match, or NULL on failure. */
503 match_strval(guint32 val, const value_string *vs) {
506 while (vs[i].strptr) {
507 if (vs[i].value == val)
508 return(vs[i].strptr);
515 /* Generate, into "buf", a string showing the bits of a bitfield.
516 Return a pointer to the character after that string. */
518 decode_bitfield_value(char *buf, guint32 val, guint32 mask, int width)
526 bit = 1 << (width - 1);
529 /* This bit is part of the field. Show its value. */
535 /* This bit is not part of the field. */
550 /* Generate a string describing a Boolean bitfield (a one-bit field that
551 says something is either true of false). */
553 decode_boolean_bitfield(guint32 val, guint32 mask, int width,
554 const char *truedesc, const char *falsedesc)
556 static char buf[1025];
559 p = decode_bitfield_value(buf, val, mask, width);
563 strcpy(p, falsedesc);
567 /* Generate a string describing an enumerated bitfield (an N-bit field
568 with various specific values having particular names). */
570 decode_enumerated_bitfield(guint32 val, guint32 mask, int width,
571 const value_string *tab, const char *fmt)
573 static char buf[1025];
576 p = decode_bitfield_value(buf, val, mask, width);
577 sprintf(p, fmt, val_to_str(val & mask, tab, "Unknown"));
581 /* Generate a string describing a numeric bitfield (an N-bit field whose
582 value is just a number). */
584 decode_numeric_bitfield(guint32 val, guint32 mask, int width,
587 static char buf[1025];
591 /* Compute the number of bits we have to shift the bitfield right
592 to extract its value. */
593 while ((mask & (1<<shift)) == 0)
596 p = decode_bitfield_value(buf, val, mask, width);
597 sprintf(p, fmt, (val & mask) >> shift);
601 /* Checks to see if a particular packet information element is needed for
604 check_col(frame_data *fd, gint el) {
608 for (i = 0; i < fd->cinfo->num_cols; i++) {
609 if (fd->cinfo->fmt_matx[i][el])
616 /* Adds a vararg list to a packet info string. */
618 col_add_fstr(frame_data *fd, gint el, gchar *format, ...) {
622 va_start(ap, format);
623 for (i = 0; i < fd->cinfo->num_cols; i++) {
624 if (fd->cinfo->fmt_matx[i][el])
625 vsnprintf(fd->cinfo->col_data[i], COL_MAX_LEN, format, ap);
630 col_add_str(frame_data *fd, gint el, const gchar* str) {
633 for (i = 0; i < fd->cinfo->num_cols; i++) {
634 if (fd->cinfo->fmt_matx[i][el]) {
635 strncpy(fd->cinfo->col_data[i], str, COL_MAX_LEN);
636 fd->cinfo->col_data[i][COL_MAX_LEN - 1] = 0;
641 /* this routine checks the frame type from the cf structure */
643 dissect_packet(const u_char *pd, frame_data *fd, proto_tree *tree)
649 /* Put in frame header information. */
651 ti = proto_tree_add_item_format(tree, proto_frame, 0, fd->cap_len,
652 NULL, "Frame (%d on wire, %d captured)", fd->pkt_len, fd->cap_len);
654 fh_tree = proto_item_add_subtree(ti, ETT_FRAME);
656 tv.tv_sec = fd->abs_secs;
657 tv.tv_usec = fd->abs_usecs;
659 proto_tree_add_item(fh_tree, hf_frame_arrival_time,
662 tv.tv_sec = fd->del_secs;
663 tv.tv_usec = fd->del_usecs;
665 proto_tree_add_item(fh_tree, hf_frame_time_delta,
668 proto_tree_add_item(fh_tree, hf_frame_number,
671 proto_tree_add_item_format(fh_tree, hf_frame_packet_len,
672 0, 0, fd->pkt_len, "Packet Length: %d byte%s", fd->pkt_len,
673 plurality(fd->pkt_len, "", "s"));
675 proto_tree_add_item_format(fh_tree, hf_frame_capture_len,
676 0, 0, fd->cap_len, "Capture Length: %d byte%s", fd->cap_len,
677 plurality(fd->cap_len, "", "s"));
680 /* Set the initial payload to the packet length, and the initial
681 captured payload to the capture length (other protocols may
682 reduce them if their headers say they're less). */
683 pi.len = fd->pkt_len;
684 pi.captured_len = fd->cap_len;
687 case WTAP_ENCAP_ETHERNET :
688 dissect_eth(pd, 0, fd, tree);
690 case WTAP_ENCAP_FDDI :
691 dissect_fddi(pd, fd, tree, FALSE);
693 case WTAP_ENCAP_FDDI_BITSWAPPED :
694 dissect_fddi(pd, fd, tree, TRUE);
697 dissect_tr(pd, 0, fd, tree);
699 case WTAP_ENCAP_NULL :
700 dissect_null(pd, fd, tree);
702 case WTAP_ENCAP_PPP :
703 dissect_ppp(pd, fd, tree);
705 case WTAP_ENCAP_LAPB :
706 dissect_lapb(pd, fd, tree);
708 case WTAP_ENCAP_RAW_IP :
709 dissect_raw(pd, fd, tree);
711 case WTAP_ENCAP_LINUX_ATM_CLIP :
712 dissect_clip(pd, fd, tree);
714 case WTAP_ENCAP_ATM_SNIFFER :
715 dissect_atm(pd, fd, tree);
717 case WTAP_ENCAP_ASCEND :
718 dissect_ascend(pd, fd, tree);
724 proto_register_frame(void)
726 static hf_register_info hf[] = {
727 { &hf_frame_arrival_time,
728 { "Arrival Time", "frame.time", FT_ABSOLUTE_TIME, NULL }},
730 { &hf_frame_time_delta,
731 { "Time delta from previous packet", "frame.time_delta", FT_RELATIVE_TIME, NULL }},
734 { "Frame Number", "frame.number", FT_UINT32, NULL }},
736 { &hf_frame_packet_len,
737 { "Total Frame Length", "frame.pkt_len", FT_UINT32, NULL }},
739 { &hf_frame_capture_len,
740 { "Capture Frame Length", "frame.cap_len", FT_UINT32, NULL }}
743 proto_frame = proto_register_protocol("Frame", "frame");
744 proto_register_field_array(proto_frame, hf, array_length(hf));