2 * Routines for disassembly of packets from Linux "cooked mode" captures
6 * Ethereal - Network traffic analyzer
7 * By Gerald Combs <gerald@ethereal.com>
8 * Copyright 1998 Gerald Combs
10 * This program is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU General Public License
12 * as published by the Free Software Foundation; either version 2
13 * of the License, or (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
32 #include <epan/packet.h>
33 #include "packet-sll.h"
34 #include "packet-ipx.h"
35 #include "packet-llc.h"
36 #include <epan/resolv.h>
39 static int proto_sll = -1;
40 static int hf_sll_pkttype = -1;
41 static int hf_sll_hatype = -1;
42 static int hf_sll_halen = -1;
43 static int hf_sll_src_eth = -1;
44 static int hf_sll_src_other = -1;
45 static int hf_sll_ltype = -1;
46 static int hf_sll_etype = -1;
47 static int hf_sll_trailer = -1;
49 static gint ett_sll = -1;
52 * A DLT_LINUX_SLL fake link-layer header.
54 #define SLL_HEADER_SIZE 16 /* total header length */
55 #define SLL_ADDRLEN 8 /* length of address field */
58 * The LINUX_SLL_ values for "sll_pkttype".
60 #define LINUX_SLL_HOST 0
61 #define LINUX_SLL_BROADCAST 1
62 #define LINUX_SLL_MULTICAST 2
63 #define LINUX_SLL_OTHERHOST 3
64 #define LINUX_SLL_OUTGOING 4
66 static const value_string packet_type_vals[] = {
67 { LINUX_SLL_HOST, "Unicast to us" },
68 { LINUX_SLL_BROADCAST, "Broadcast" },
69 { LINUX_SLL_MULTICAST, "Multicast" },
70 { LINUX_SLL_OTHERHOST, "Unicast to another host" },
71 { LINUX_SLL_OUTGOING, "Sent by us" },
76 * The LINUX_SLL_ values for "sll_protocol".
78 #define LINUX_SLL_P_802_3 0x0001 /* Novell 802.3 frames without 802.2 LLC header */
79 #define LINUX_SLL_P_802_2 0x0004 /* 802.2 frames (not D/I/X Ethernet) */
81 static const value_string ltype_vals[] = {
82 { LINUX_SLL_P_802_3, "Raw 802.3" },
83 { LINUX_SLL_P_802_2, "802.2 LLC" },
87 static dissector_handle_t ipx_handle;
88 static dissector_handle_t llc_handle;
89 static dissector_handle_t data_handle;
92 capture_sll(const guchar *pd, int len, packet_counts *ld)
96 if (!BYTES_ARE_IN_FRAME(0, len, SLL_HEADER_SIZE)) {
100 protocol = pntohs(&pd[14]);
101 if (protocol <= 1536) { /* yes, 1536 - that's how Linux does it */
103 * "proto" is *not* a length field, it's a Linux internal
108 case LINUX_SLL_P_802_2:
112 capture_llc(pd, len, SLL_HEADER_SIZE, ld);
115 case LINUX_SLL_P_802_3:
117 * Novell IPX inside 802.3 with no 802.2 LLC
128 capture_ethertype(protocol, pd, SLL_HEADER_SIZE, len, ld);
132 dissect_sll(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
136 guint16 hatype, halen;
140 proto_tree *fh_tree = NULL;
142 if (check_col(pinfo->cinfo, COL_PROTOCOL))
143 col_set_str(pinfo->cinfo, COL_PROTOCOL, "SLL");
144 if (check_col(pinfo->cinfo, COL_INFO))
145 col_clear(pinfo->cinfo, COL_INFO);
147 pkttype = tvb_get_ntohs(tvb, 0);
150 * Set "pinfo->p2p_dir" if the packet wasn't received
156 case LINUX_SLL_BROADCAST:
157 case LINUX_SLL_MULTICAST:
158 pinfo->p2p_dir = P2P_DIR_RECV;
161 case LINUX_SLL_OUTGOING:
162 pinfo->p2p_dir = P2P_DIR_SENT;
166 if (check_col(pinfo->cinfo, COL_INFO))
167 col_add_str(pinfo->cinfo, COL_INFO,
168 val_to_str(pkttype, packet_type_vals, "Unknown (%u)"));
171 ti = proto_tree_add_protocol_format(tree, proto_sll, tvb, 0,
172 SLL_HEADER_SIZE, "Linux cooked capture");
173 fh_tree = proto_item_add_subtree(ti, ett_sll);
174 proto_tree_add_item(fh_tree, hf_sll_pkttype, tvb, 0, 2, FALSE);
178 * XXX - check the link-layer address type value?
179 * For now, we just assume 6 means Ethernet.
181 hatype = tvb_get_ntohs(tvb, 2);
182 halen = tvb_get_ntohs(tvb, 4);
184 proto_tree_add_uint(fh_tree, hf_sll_hatype, tvb, 2, 2, hatype);
185 proto_tree_add_uint(fh_tree, hf_sll_halen, tvb, 4, 2, halen);
188 src = tvb_get_ptr(tvb, 6, 6);
189 SET_ADDRESS(&pinfo->dl_src, AT_ETHER, 6, src);
190 SET_ADDRESS(&pinfo->src, AT_ETHER, 6, src);
192 proto_tree_add_ether(fh_tree, hf_sll_src_eth, tvb,
197 proto_tree_add_item(fh_tree, hf_sll_src_other, tvb,
202 protocol = tvb_get_ntohs(tvb, 14);
203 if (protocol <= 1536) { /* yes, 1536 - that's how Linux does it */
205 * "proto" is *not* a length field, it's a Linux internal
207 * We therefore cannot say how much of the packet will
209 * XXX - do the same thing we do for packets with Ethertypes?
211 proto_tree_add_uint(fh_tree, hf_sll_ltype, tvb, 14, 2,
214 next_tvb = tvb_new_subset(tvb, SLL_HEADER_SIZE, -1, -1);
217 case LINUX_SLL_P_802_2:
221 call_dissector(llc_handle, next_tvb, pinfo, tree);
224 case LINUX_SLL_P_802_3:
226 * Novell IPX inside 802.3 with no 802.2 LLC
229 call_dissector(ipx_handle, next_tvb, pinfo, tree);
233 call_dissector(data_handle,next_tvb, pinfo, tree);
237 ethertype(protocol, tvb, SLL_HEADER_SIZE, pinfo, tree,
238 fh_tree, hf_sll_etype, hf_sll_trailer, 0);
243 proto_register_sll(void)
245 static hf_register_info hf[] = {
247 { "Packet type", "sll.pkttype", FT_UINT16, BASE_DEC,
248 VALS(packet_type_vals), 0x0, "Packet type", HFILL }},
250 /* ARP hardware type? With Linux extensions? */
252 { "Link-layer address type", "sll.hatype", FT_UINT16, BASE_DEC,
253 NULL, 0x0, "Link-layer address type", HFILL }},
256 { "Link-layer address length", "sll.halen", FT_UINT16, BASE_DEC,
257 NULL, 0x0, "Link-layer address length", HFILL }},
259 /* Source address if it's an Ethernet-type address */
261 { "Source", "sll.src.eth", FT_ETHER, BASE_NONE, NULL, 0x0,
262 "Source link-layer address", HFILL }},
264 /* Source address if it's not an Ethernet-type address */
266 { "Source", "sll.src.other", FT_BYTES, BASE_HEX, NULL, 0x0,
267 "Source link-layer address", HFILL }},
269 /* if the protocol field is an internal Linux protocol type */
271 { "Protocol", "sll.ltype", FT_UINT16, BASE_HEX,
272 VALS(ltype_vals), 0x0, "Linux protocol type", HFILL }},
274 /* registered here but handled in ethertype.c */
276 { "Protocol", "sll.etype", FT_UINT16, BASE_HEX,
277 VALS(etype_vals), 0x0, "Ethernet protocol type", HFILL }},
280 { "Trailer", "sll.trailer", FT_BYTES, BASE_NONE, NULL, 0x0,
283 static gint *ett[] = {
287 proto_sll = proto_register_protocol("Linux cooked-mode capture",
289 proto_register_field_array(proto_sll, hf, array_length(hf));
290 proto_register_subtree_array(ett, array_length(ett));
294 proto_reg_handoff_sll(void)
296 dissector_handle_t sll_handle;
299 * Get handles for the IPX and LLC dissectors.
301 llc_handle = find_dissector("llc");
302 ipx_handle = find_dissector("ipx");
303 data_handle = find_dissector("data");
305 sll_handle = create_dissector_handle(dissect_sll, proto_sll);
306 dissector_add("wtap_encap", WTAP_ENCAP_SLL, sll_handle);