3 * Top-most dissector. Decides dissector based on Wiretap Encapsulation Type.
7 * Wireshark - Network traffic analyzer
8 * By Gerald Combs <gerald@wireshark.org>
9 * Copyright 2000 Gerald Combs
11 * This program is free software; you can redistribute it and/or
12 * modify it under the terms of the GNU General Public License
13 * as published by the Free Software Foundation; either version 2
14 * of the License, or (at your option) any later version.
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
21 * You should have received a copy of the GNU General Public License
22 * along with this program; if not, write to the Free Software
23 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
36 #include <epan/packet.h>
37 #include <epan/timestamp.h>
38 #include <epan/tvbuff.h>
39 #include "packet-frame.h"
40 #include <epan/prefs.h>
42 #include <epan/expert.h>
43 #include <epan/crypt/crypt-md5.h>
46 #include "color_filters.h"
49 int hf_frame_arrival_time = -1;
50 static int hf_frame_time_invalid = -1;
51 static int hf_frame_time_delta = -1;
52 static int hf_frame_time_delta_displayed = -1;
53 static int hf_frame_time_relative = -1;
54 static int hf_frame_time_reference = -1;
55 int hf_frame_number = -1;
56 int hf_frame_len = -1;
57 int hf_frame_capture_len = -1;
58 static int hf_frame_p2p_dir = -1;
59 static int hf_frame_file_off = -1;
60 static int hf_frame_md5_hash = -1;
61 static int hf_frame_marked = -1;
62 static int hf_link_number = -1;
63 static int hf_frame_protocols = -1;
64 static int hf_frame_color_filter_name = -1;
65 static int hf_frame_color_filter_text = -1;
67 static int proto_short = -1;
68 int proto_malformed = -1;
69 static int proto_unreassembled = -1;
71 static gint ett_frame = -1;
73 static int frame_tap = -1;
75 static dissector_handle_t data_handle;
76 static dissector_handle_t docsis_handle;
79 static gboolean show_file_off = FALSE;
80 static gboolean force_docsis_encap = FALSE;
81 static gboolean generate_md5_hash = FALSE;
83 static const value_string p2p_dirs[] = {
84 { P2P_DIR_UNKNOWN, "Unknown" },
85 { P2P_DIR_SENT, "Sent" },
86 { P2P_DIR_RECV, "Received" },
90 dissector_table_t wtap_encap_dissector_table;
92 static GSList *frame_end_routines = NULL;
95 * Routine used to register frame end routine. The routine should only
96 * be registered when the dissector is used in the frame, not in the
97 * proto_register_XXX function.
100 register_frame_end_routine(void (*func)(void))
102 frame_end_routines = g_slist_append(frame_end_routines, (gpointer)func);
105 typedef void (*void_func_t)(void);
108 call_frame_end_routine(gpointer routine, gpointer dummy _U_)
110 void_func_t func = (void_func_t)routine;
115 dissect_frame(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree)
117 proto_item *volatile ti = NULL;
119 int cap_len = 0, frame_len = 0;
120 proto_tree *volatile tree;
122 guint32 frame_number;
124 frame_number=pinfo->fd->num; /* dummy so that the buildbot crashdumps
125 will show the packetnumber where the
130 pinfo->current_proto = "Frame";
132 if (pinfo->pseudo_header != NULL) {
133 switch (pinfo->fd->lnk_t) {
135 case WTAP_ENCAP_WFLEET_HDLC:
136 case WTAP_ENCAP_CHDLC_WITH_PHDR:
137 case WTAP_ENCAP_PPP_WITH_PHDR:
138 case WTAP_ENCAP_SDLC:
139 case WTAP_ENCAP_BLUETOOTH_H4:
140 case WTAP_ENCAP_BLUETOOTH_H4_WITH_PHDR:
141 pinfo->p2p_dir = pinfo->pseudo_header->p2p.sent ?
142 P2P_DIR_SENT : P2P_DIR_RECV;
145 case WTAP_ENCAP_BLUETOOTH_HCI:
146 pinfo->p2p_dir = pinfo->pseudo_header->bthci.sent;
149 case WTAP_ENCAP_LAPB:
150 case WTAP_ENCAP_FRELAY_WITH_PHDR:
152 (pinfo->pseudo_header->x25.flags & FROM_DCE) ?
153 P2P_DIR_RECV : P2P_DIR_SENT;
156 case WTAP_ENCAP_ISDN:
157 pinfo->p2p_dir = pinfo->pseudo_header->isdn.uton ?
158 P2P_DIR_SENT : P2P_DIR_RECV;
161 case WTAP_ENCAP_LINUX_LAPD:
162 pinfo->p2p_dir = (pinfo->pseudo_header->lapd.pkttype == 3 ||
163 pinfo->pseudo_header->lapd.pkttype == 4) ?
164 P2P_DIR_SENT : P2P_DIR_RECV;
167 case WTAP_ENCAP_MTP2_WITH_PHDR:
168 pinfo->p2p_dir = pinfo->pseudo_header->mtp2.sent ?
169 P2P_DIR_SENT : P2P_DIR_RECV;
170 pinfo->link_number = pinfo->pseudo_header->mtp2.link_number;
171 pinfo->annex_a_used = pinfo->pseudo_header->mtp2.annex_a_used;
174 case WTAP_ENCAP_GSM_UM:
175 pinfo->p2p_dir = pinfo->pseudo_header->gsm_um.uplink ?
176 P2P_DIR_SENT : P2P_DIR_RECV;
182 /* if FRAME is not referenced from any filters we dont need to worry about
183 generating any tree items. */
184 if(!proto_field_is_referenced(tree, proto_frame)) {
186 if(pinfo->fd->abs_ts.nsecs < 0 || pinfo->fd->abs_ts.nsecs >= 1000000000)
187 expert_add_info_format(pinfo, NULL, PI_MALFORMED, PI_WARN,
188 "Arrival Time: Fractional second out of range (0-1000000000)");
191 gboolean old_visible;
193 /* Put in frame header information. */
194 cap_len = tvb_length(tvb);
195 frame_len = tvb_reported_length(tvb);
197 ti = proto_tree_add_protocol_format(tree, proto_frame, tvb, 0, -1,
198 "Frame %u (%u bytes on wire, %u bytes captured)", pinfo->fd->num, frame_len, cap_len);
200 fh_tree = proto_item_add_subtree(ti, ett_frame);
202 ts = pinfo->fd->abs_ts;
204 proto_tree_add_time(fh_tree, hf_frame_arrival_time, tvb,
206 if(ts.nsecs < 0 || ts.nsecs >= 1000000000) {
207 item = proto_tree_add_none_format(fh_tree, hf_frame_time_invalid, tvb,
208 0, 0, "Arrival Time: Fractional second %09ld is invalid, the valid range is 0-1000000000", (long) ts.nsecs);
209 PROTO_ITEM_SET_GENERATED(item);
210 expert_add_info_format(pinfo, item, PI_MALFORMED, PI_WARN, "Arrival Time: Fractional second out of range (0-1000000000)");
213 ts = pinfo->fd->del_cap_ts;
215 item = proto_tree_add_time(fh_tree, hf_frame_time_delta, tvb,
217 PROTO_ITEM_SET_GENERATED(item);
219 ts = pinfo->fd->del_dis_ts;
221 item = proto_tree_add_time(fh_tree, hf_frame_time_delta_displayed, tvb,
223 PROTO_ITEM_SET_GENERATED(item);
225 ts = pinfo->fd->rel_ts;
227 item = proto_tree_add_time(fh_tree, hf_frame_time_relative, tvb,
229 PROTO_ITEM_SET_GENERATED(item);
231 if(pinfo->fd->flags.ref_time){
232 ti = proto_tree_add_item(fh_tree, hf_frame_time_reference, tvb, 0, 0, FALSE);
233 PROTO_ITEM_SET_GENERATED(ti);
236 proto_tree_add_uint(fh_tree, hf_frame_number, tvb,
237 0, 0, pinfo->fd->num);
239 proto_tree_add_uint_format(fh_tree, hf_frame_len, tvb,
240 0, 0, frame_len, "Frame Length: %d byte%s", frame_len,
241 plurality(frame_len, "", "s"));
243 proto_tree_add_uint_format(fh_tree, hf_frame_capture_len, tvb,
244 0, 0, cap_len, "Capture Length: %d byte%s", cap_len,
245 plurality(cap_len, "", "s"));
247 if (generate_md5_hash) {
250 md5_byte_t digest[16];
251 gchar *digest_string;
253 cp = tvb_get_ptr(tvb, 0, cap_len);
256 md5_append(&md_ctx, cp, cap_len);
257 md5_finish(&md_ctx, digest);
259 digest_string = bytestring_to_str(digest, 16, '\0');
260 ti = proto_tree_add_string(fh_tree, hf_frame_md5_hash, tvb, 0, 0, digest_string);
261 PROTO_ITEM_SET_GENERATED(ti);
264 ti = proto_tree_add_boolean(fh_tree, hf_frame_marked, tvb, 0, 0,pinfo->fd->flags.marked);
265 PROTO_ITEM_SET_GENERATED(ti);
267 if(proto_field_is_referenced(tree, hf_frame_protocols)) {
268 /* we are going to be using proto_item_append_string() on
269 * hf_frame_protocols, and we must therefore disable the
270 * TRY_TO_FAKE_THIS_ITEM() optimisation for the tree by
271 * setting it as visible.
273 * See proto.h for details.
275 old_visible = proto_tree_set_visible(fh_tree, TRUE);
276 ti = proto_tree_add_string(fh_tree, hf_frame_protocols, tvb, 0, 0, "");
277 PROTO_ITEM_SET_GENERATED(ti);
278 proto_tree_set_visible(fh_tree, old_visible);
280 pinfo->layer_names = g_string_new("");
283 pinfo->layer_names = NULL;
285 /* Check for existences of P2P pseudo header */
286 if (pinfo->p2p_dir != P2P_DIR_UNKNOWN) {
287 proto_tree_add_int(fh_tree, hf_frame_p2p_dir, tvb,
288 0, 0, pinfo->p2p_dir);
291 /* Check for existences of MTP2 link number */
292 if ((pinfo->pseudo_header != NULL ) && (pinfo->fd->lnk_t == WTAP_ENCAP_MTP2_WITH_PHDR)) {
293 proto_tree_add_uint(fh_tree, hf_link_number, tvb,
294 0, 0, pinfo->link_number);
298 proto_tree_add_int64_format(fh_tree, hf_frame_file_off, tvb,
299 0, 0, pinfo->fd->file_off,
300 "File Offset: %" G_GINT64_MODIFIER "d (0x%" G_GINT64_MODIFIER "x)",
301 pinfo->fd->file_off, pinfo->fd->file_off);
304 if(pinfo->fd->color_filter != NULL) {
305 const color_filter_t *color_filter = pinfo->fd->color_filter;
306 item = proto_tree_add_string(fh_tree, hf_frame_color_filter_name, tvb,
307 0, 0, color_filter->filter_name);
308 PROTO_ITEM_SET_GENERATED(item);
309 item = proto_tree_add_string(fh_tree, hf_frame_color_filter_text, tvb,
310 0, 0, color_filter->filter_text);
311 PROTO_ITEM_SET_GENERATED(item);
315 /* Portable Exception Handling to trap Wireshark specific exceptions like BoundsError exceptions */
318 /* Win32: Visual-C Structured Exception Handling (SEH) to trap hardware exceptions like memory access violations */
319 /* (a running debugger will be called before the except part below) */
322 if ((force_docsis_encap) && (docsis_handle)) {
323 call_dissector(docsis_handle, tvb, pinfo, parent_tree);
325 if (!dissector_try_port(wtap_encap_dissector_table, pinfo->fd->lnk_t,
326 tvb, pinfo, parent_tree)) {
328 col_set_str(pinfo->cinfo, COL_PROTOCOL, "UNKNOWN");
329 col_add_fstr(pinfo->cinfo, COL_INFO, "WTAP_ENCAP = %d",
331 call_dissector(data_handle,tvb, pinfo, parent_tree);
335 } __except(TRUE /* handle all exceptions */) {
336 switch(GetExceptionCode()) {
337 case(STATUS_ACCESS_VIOLATION):
338 show_exception(tvb, pinfo, parent_tree, DissectorError,
339 "STATUS_ACCESS_VIOLATION: dissector accessed an invalid memory address");
341 case(STATUS_INTEGER_DIVIDE_BY_ZERO):
342 show_exception(tvb, pinfo, parent_tree, DissectorError,
343 "STATUS_INTEGER_DIVIDE_BY_ZERO: dissector tried an integer division by zero");
345 case(STATUS_STACK_OVERFLOW):
346 show_exception(tvb, pinfo, parent_tree, DissectorError,
347 "STATUS_STACK_OVERFLOW: dissector overflowed the stack (e.g. endless loop)");
348 /* XXX - this will have probably corrupted the stack, which makes problems later in the exception code */
350 /* XXX - add other hardware exception codes as required */
352 show_exception(tvb, pinfo, parent_tree, DissectorError,
353 g_strdup_printf("dissector caused an unknown exception: 0x%x", GetExceptionCode()));
358 CATCH(OutOfMemoryError) {
362 show_exception(tvb, pinfo, parent_tree, EXCEPT_CODE, GET_MESSAGE);
366 if (tree && pinfo->layer_names) {
367 proto_item_append_string(ti, pinfo->layer_names->str);
368 g_string_free(pinfo->layer_names, TRUE);
369 pinfo->layer_names = NULL;
372 /* Call postdissectors if we have any (while trying to avoid another
375 if (have_postdissector()) {
378 /* Win32: Visual-C Structured Exception Handling (SEH) to trap hardware exceptions like memory access violations */
379 /* (a running debugger will be called before the except part below) */
382 call_all_postdissectors(tvb, pinfo, parent_tree);
384 } __except(TRUE /* handle all exceptions */) {
385 switch(GetExceptionCode()) {
386 case(STATUS_ACCESS_VIOLATION):
387 show_exception(tvb, pinfo, parent_tree, DissectorError,
388 "STATUS_ACCESS_VIOLATION: dissector accessed an invalid memory address");
390 case(STATUS_INTEGER_DIVIDE_BY_ZERO):
391 show_exception(tvb, pinfo, parent_tree, DissectorError,
392 "STATUS_INTEGER_DIVIDE_BY_ZERO: dissector tried an integer division by zero");
394 case(STATUS_STACK_OVERFLOW):
395 show_exception(tvb, pinfo, parent_tree, DissectorError,
396 "STATUS_STACK_OVERFLOW: dissector overflowed the stack (e.g. endless loop)");
397 /* XXX - this will have probably corrupted the stack, which makes problems later in the exception code */
399 /* XXX - add other hardware exception codes as required */
401 show_exception(tvb, pinfo, parent_tree, DissectorError,
402 g_strdup_printf("dissector caused an unknown exception: 0x%x", GetExceptionCode()));
407 CATCH(OutOfMemoryError) {
411 show_exception(tvb, pinfo, parent_tree, EXCEPT_CODE, GET_MESSAGE);
416 tap_queue_packet(frame_tap, pinfo, NULL);
419 if (frame_end_routines) {
420 g_slist_foreach(frame_end_routines, &call_frame_end_routine, NULL);
421 g_slist_free(frame_end_routines);
422 frame_end_routines = NULL;
427 show_exception(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
428 unsigned long exception, const char *exception_message)
430 static const char dissector_error_nomsg[] =
431 "Dissector writer didn't bother saying what the error was";
437 case ScsiBoundsError:
438 col_append_str(pinfo->cinfo, COL_INFO, "[SCSI transfer limited due to allocation_length too small]");
439 /*item =*/ proto_tree_add_protocol_format(tree, proto_short, tvb, 0, 0,
440 "SCSI transfer limited due to allocation_length too small: %s truncated]", pinfo->current_proto);
441 /* Don't record ScsiBoundsError exceptions as expert events - they merely
442 * reflect a normal SCSI condition.
443 * (any case where it's caused by something else is a bug). */
444 /* expert_add_info_format(pinfo, item, PI_MALFORMED, PI_ERROR, "Packet size limited");*/
448 col_append_str(pinfo->cinfo, COL_INFO, "[Packet size limited during capture]");
449 /*item =*/ proto_tree_add_protocol_format(tree, proto_short, tvb, 0, 0,
450 "[Packet size limited during capture: %s truncated]", pinfo->current_proto);
451 /* Don't record BoundsError exceptions as expert events - they merely
452 * reflect a capture done with a snapshot length too short to capture
454 * (any case where it's caused by something else is a bug). */
455 /* expert_add_info_format(pinfo, item, PI_MALFORMED, PI_ERROR, "Packet size limited");*/
458 case ReportedBoundsError:
459 show_reported_bounds_error(tvb, pinfo, tree);
463 col_append_fstr(pinfo->cinfo, COL_INFO,
464 "[Dissector bug, protocol %s: %s]",
465 pinfo->current_proto,
466 exception_message == NULL ?
467 dissector_error_nomsg : exception_message);
468 item = proto_tree_add_protocol_format(tree, proto_malformed, tvb, 0, 0,
469 "[Dissector bug, protocol %s: %s]",
470 pinfo->current_proto,
471 exception_message == NULL ?
472 dissector_error_nomsg : exception_message);
473 g_warning("Dissector bug, protocol %s, in packet %u: %s",
474 pinfo->current_proto, pinfo->fd->num,
475 exception_message == NULL ?
476 dissector_error_nomsg : exception_message);
477 expert_add_info_format(pinfo, item, PI_MALFORMED, PI_ERROR,
479 exception_message == NULL ?
480 dissector_error_nomsg : exception_message);
484 /* XXX - we want to know, if an unknown exception passed until here, don't we? */
485 g_assert_not_reached();
490 show_reported_bounds_error(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
494 if (pinfo->fragmented) {
496 * We were dissecting an unreassembled fragmented
497 * packet when the exception was thrown, so the
498 * problem isn't that the dissector expected
499 * something but it wasn't in the packet, the
500 * problem is that the dissector expected something
501 * but it wasn't in the fragment we dissected.
503 col_append_fstr(pinfo->cinfo, COL_INFO,
504 "[Unreassembled Packet%s] ",
505 pinfo->noreassembly_reason);
506 item = proto_tree_add_protocol_format(tree, proto_unreassembled,
507 tvb, 0, 0, "[Unreassembled Packet%s: %s]",
508 pinfo->noreassembly_reason, pinfo->current_proto);
509 expert_add_info_format(pinfo, item, PI_REASSEMBLE, PI_WARN, "Unreassembled Packet (Exception occurred)");
511 col_append_str(pinfo->cinfo, COL_INFO,
512 "[Malformed Packet]");
513 item = proto_tree_add_protocol_format(tree, proto_malformed,
514 tvb, 0, 0, "[Malformed Packet: %s]", pinfo->current_proto);
515 expert_add_info_format(pinfo, item, PI_MALFORMED, PI_ERROR, "Malformed Packet (Exception occurred)");
520 proto_register_frame(void)
522 static hf_register_info hf[] = {
523 { &hf_frame_arrival_time,
524 { "Arrival Time", "frame.time", FT_ABSOLUTE_TIME, BASE_NONE, NULL, 0x0,
525 "Absolute time when this frame was captured", HFILL }},
527 { &hf_frame_time_invalid,
528 { "Arrival Timestamp invalid", "frame.time_invalid", FT_NONE, BASE_NONE, NULL, 0x0,
529 "The timestamp from the capture is out of the valid range", HFILL }},
531 { &hf_frame_time_delta,
532 { "Time delta from previous captured frame", "frame.time_delta", FT_RELATIVE_TIME, BASE_NONE, NULL,
536 { &hf_frame_time_delta_displayed,
537 { "Time delta from previous displayed frame", "frame.time_delta_displayed", FT_RELATIVE_TIME, BASE_NONE, NULL,
541 { &hf_frame_time_relative,
542 { "Time since reference or first frame", "frame.time_relative", FT_RELATIVE_TIME, BASE_NONE, NULL,
544 "Time relative to time reference or first frame", HFILL }},
546 { &hf_frame_time_reference,
547 { "This is a Time Reference frame", "frame.ref_time", FT_NONE, BASE_NONE, NULL, 0x0,
548 "This frame is a Time Reference frame", HFILL }},
551 { "Frame Number", "frame.number", FT_UINT32, BASE_DEC, NULL, 0x0,
555 { "Frame length on the wire", "frame.len", FT_UINT32, BASE_DEC, NULL, 0x0,
558 { &hf_frame_capture_len,
559 { "Frame length stored into the capture file", "frame.cap_len", FT_UINT32, BASE_DEC, NULL, 0x0,
562 { &hf_frame_md5_hash,
563 { "Frame MD5 Hash", "frame.md5_hash", FT_STRING, BASE_NONE, NULL, 0x0,
567 { "Point-to-Point Direction", "frame.p2p_dir", FT_INT8, BASE_DEC, VALS(p2p_dirs), 0x0,
571 { "Link Number", "frame.link_nr", FT_UINT16, BASE_DEC, NULL, 0x0,
574 { &hf_frame_file_off,
575 { "File Offset", "frame.file_off", FT_INT64, BASE_DEC, NULL, 0x0,
579 { "Frame is marked", "frame.marked", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
580 "Frame is marked in the GUI", HFILL }},
582 { &hf_frame_protocols,
583 { "Protocols in frame", "frame.protocols", FT_STRING, BASE_NONE, NULL, 0x0,
584 "Protocols carried by this frame", HFILL }},
586 { &hf_frame_color_filter_name,
587 { "Coloring Rule Name", "frame.coloring_rule.name", FT_STRING, BASE_NONE, NULL, 0x0,
588 "The frame matched the coloring rule with this name", HFILL }},
590 { &hf_frame_color_filter_text,
591 { "Coloring Rule String", "frame.coloring_rule.string", FT_STRING, BASE_NONE, NULL, 0x0,
592 "The frame matched this coloring rule string", HFILL }}
594 static gint *ett[] = {
597 module_t *frame_module;
599 wtap_encap_dissector_table = register_dissector_table("wtap_encap",
600 "Wiretap encapsulation type", FT_UINT32, BASE_DEC);
602 proto_frame = proto_register_protocol("Frame", "Frame", "frame");
603 proto_register_field_array(proto_frame, hf, array_length(hf));
604 proto_register_subtree_array(ett, array_length(ett));
605 register_dissector("frame",dissect_frame,proto_frame);
607 /* You can't disable dissection of "Frame", as that would be
608 tantamount to not doing any dissection whatsoever. */
609 proto_set_cant_toggle(proto_frame);
611 proto_short = proto_register_protocol("Short Frame", "Short frame", "short");
612 proto_malformed = proto_register_protocol("Malformed Packet",
613 "Malformed packet", "malformed");
614 proto_unreassembled = proto_register_protocol(
615 "Unreassembled Fragmented Packet",
616 "Unreassembled fragmented packet", "unreassembled");
618 /* "Short Frame", "Malformed Packet", and "Unreassembled Fragmented
619 Packet" aren't really protocols, they're error indications;
620 disabling them makes no sense. */
621 proto_set_cant_toggle(proto_short);
622 proto_set_cant_toggle(proto_malformed);
623 proto_set_cant_toggle(proto_unreassembled);
625 /* Our preferences */
626 frame_module = prefs_register_protocol(proto_frame, NULL);
627 prefs_register_bool_preference(frame_module, "show_file_off",
628 "Show File Offset", "Show offset of frame in capture file", &show_file_off);
629 prefs_register_bool_preference(frame_module, "force_docsis_encap",
630 "Treat all frames as DOCSIS frames", "Treat all frames as DOCSIS Frames", &force_docsis_encap);
631 prefs_register_bool_preference(frame_module, "generate_md5_hash",
632 "Generate an MD5 hash of each frame",
633 "Whether or not MD5 hashes should be generated for each frame, useful for finding duplicate frames.",
636 frame_tap=register_tap("frame");
640 proto_reg_handoff_frame(void)
642 data_handle = find_dissector("data");
643 docsis_handle = find_dissector("docsis");