2 * Routines for dissection of packets from the Axent Raptor firewall/
3 * Symantec Enterprise Firewall/Symantec Gateway Security appliance
4 * v2/Symantec Gateway Security appliance v3.
8 * Wireshark - Network traffic analyzer
9 * By Gerald Combs <gerald@wireshark.org>
11 * This program is free software; you can redistribute it and/or
12 * modify it under the terms of the GNU General Public License
13 * as published by the Free Software Foundation; either version 2
14 * of the License, or (at your option) any later version.
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
21 * You should have received a copy of the GNU General Public License
22 * along with this program; if not, write to the Free Software
23 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
32 #include <epan/packet.h>
34 #include <epan/etypes.h>
/*
 * Table of Ethernet-type sub-dissectors; looked up by name in
 * proto_reg_handoff_symantec() and used to hand off the payload that
 * follows the Symantec header.
 */
36 static dissector_table_t ethertype_dissector_table;
38 /* protocols and header fields */
/*
 * -1 marks "not registered yet": proto_symantec is assigned by
 * proto_register_protocol() in proto_register_symantec(); the hf_* and
 * ett_* ids are presumably filled in by proto_register_field_array() /
 * proto_register_subtree_array() via the addresses stored in hf[] and
 * ett[] (standard Wireshark registration flow -- confirm against those
 * arrays, which are only partly visible in this listing).
 */
39 static int proto_symantec = -1;
40 static int hf_symantec_if = -1;      /* capturing interface, FT_IPv4 */
41 static int hf_symantec_etype = -1;   /* encapsulated Ethernet type, FT_UINT16 */
43 static gint ett_symantec = -1;       /* subtree id for the Symantec header */
/*
 * Dissect one Symantec firewall capture record and hand the encapsulated
 * frame to the ethertype dissector table.
 *
 * NOTE: this listing is incomplete -- the return type line, the opening
 * brace, the declarations of `ti` and `next_tvb`, the body of the
 * validity check below and several closing braces are not visible here.
 *
 * tvb   - the record; the 44- or 56-byte Symantec header starts at offset 0
 * pinfo - per-packet info; only COL_PROTOCOL and COL_INFO are written
 * tree  - protocol tree that receives the "Symantec" subtree
 */
46 dissect_symantec(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
49 proto_tree *symantec_tree = NULL;
/* Ethernet type as read at the v2 (offset 6) and v3 (offset 10) positions. */
50 guint16 etypev2, etypev3;
54 * Symantec records come in two variants:
56 * The older variant, dating from Axent days and continuing until
57 * the SGS v2.0.1 code level, is 44 bytes long.
58 * The first 4 bytes are the IPv4 address of the interface that
59 * captured the data, followed by 2 bytes of 0, then an Ethernet
60 * type, followed by 36 bytes of 0.
62 * The newer variant, introduced either in SGS v3.0 or v3.0.1
63 * (possibly in concert with VLAN support), is 56 bytes long.
64 * The first 4 bytes are the IPv4 address of the interface that
65 * captured the data, followed by 6 bytes of 0, then an Ethernet
66 * type, followed by 44 bytes of 0.
68 * Unfortunately, there is no flag to distinguish between the two
69 * flavours. The only indication of which flavour you have is the
70 * offset of the ETHERTYPE field. Fortunately, Symantec didn't
71 * use ETHERTYPE_UNK as a valid value.
/*
 * No explicit length check here: this relies on tvb_get_ntohs() raising
 * the usual tvb bounds exception for a record shorter than 12 bytes, which
 * the framework reports as a malformed packet (framework behaviour, not
 * visible in this file -- confirm).
 */
74 etypev2 = tvb_get_ntohs(tvb, 6);
75 etypev3 = tvb_get_ntohs(tvb, 10);
77 /* a valid packet can't be both v2 and v3 or neither v2 nor v3, */
/*
 * Exactly one of the two candidate fields must be zero (ETHERTYPE_UNK).
 * The statement executed when this test fails is not in this listing
 * (presumably an early return).
 *
 * NOTE(review): the variant is chosen purely from padding bytes supplied by
 * the capturing device. A malformed record that passes this test can at
 * worst be attributed to the wrong variant and dispatched to a different
 * ethertype sub-dissector; any resulting over-read is contained by the
 * tvb bounds checks rather than by this function.
 */
78 if ((etypev2 == 0) == (etypev3 == 0))
81 if (check_col(pinfo->cinfo, COL_PROTOCOL))
82 col_add_str(pinfo->cinfo, COL_PROTOCOL, "Symantec");
/*
 * v2 layout. 44 is the fixed header length: it sizes the protocol item and
 * is reused as the payload offset below, so the two must stay in sync.
 */
84 if (etypev3 == 0) { /* SEF and SGS v2 processing */
85 if (check_col(pinfo->cinfo, COL_INFO))
86 col_add_str(pinfo->cinfo, COL_INFO, "Symantec Enterprise Firewall");
88 ti = proto_tree_add_protocol_format(tree, proto_symantec, tvb,
89 0, 44, "Symantec firewall");
90 symantec_tree = proto_item_add_subtree(ti, ett_symantec);
/* Interface address and type fields; the offset/length arguments are cut off here. */
93 proto_tree_add_item(symantec_tree, hf_symantec_if, tvb,
95 proto_tree_add_uint(symantec_tree, hf_symantec_etype, tvb,
/*
 * Everything after the 44-byte header is the encapsulated frame, keyed by
 * the type read at offset 6. The trailing argument(s) of the
 * dissector_try_port() call, and whether its result is checked, are not
 * visible in this listing.
 */
98 next_tvb = tvb_new_subset(tvb, 44, -1, -1);
99 dissector_try_port(ethertype_dissector_table, etypev2, next_tvb, pinfo,
/* v3 layout; 56 is the fixed header length, used the same way as 44 above. */
103 if (etypev2 == 0) { /* SGS v3 processing */
104 if (check_col(pinfo->cinfo, COL_INFO))
105 col_add_str(pinfo->cinfo, COL_INFO, "Symantec SGS v3");
107 ti = proto_tree_add_protocol_format(tree, proto_symantec, tvb,
108 0, 56, "Symantec SGSv3");
109 symantec_tree = proto_item_add_subtree(ti, ett_symantec);
/* Interface address and type fields; the offset/length arguments are cut off here. */
112 proto_tree_add_item(symantec_tree, hf_symantec_if, tvb,
114 proto_tree_add_uint(symantec_tree, hf_symantec_etype, tvb,
118 * Dissection of VLAN information will have to wait until
119 * availability of a capture file from an SGSv3 box using VLAN
/*
 * Payload follows the 56-byte header, keyed by the type read at offset 10.
 * As above, the end of the dissector_try_port() call is not visible here.
 */
122 next_tvb = tvb_new_subset(tvb, 56, -1, -1);
123 dissector_try_port(ethertype_dissector_table, etypev3, next_tvb, pinfo,
/*
 * Register the Symantec protocol, its two header fields and its subtree.
 * Called once at startup by the dissector registration machinery.
 *
 * NOTE: the listing is incomplete -- the return type, the opening brace,
 * the `{ &hf_symantec_if,` entry line, the closing lines of hf[] and ett[]
 * and the function's closing brace are not visible here.
 */
129 proto_register_symantec(void)
131 static hf_register_info hf[] = {
/* Capturing interface: the IPv4 address in the first 4 bytes of the record. */
133 { "Interface", "symantec.if", FT_IPv4, BASE_NONE, NULL, 0x0,
134 "Interface", HFILL }},
/* Encapsulated Ethernet type, displayed in hex using the shared etype_vals table. */
135 { &hf_symantec_etype,
136 { "Type", "symantec.type", FT_UINT16, BASE_HEX, VALS(etype_vals), 0x0,
139 static gint *ett[] = {
/* Short name "Symantec" is what appears in the Protocol column; "symantec" is the filter prefix. */
143 proto_symantec = proto_register_protocol("Symantec Enterprise Firewall",
144 "Symantec", "symantec");
145 proto_register_field_array(proto_symantec, hf, array_length(hf));
146 proto_register_subtree_array(ett, array_length(ett));
/*
 * Hand-off registration: bind dissect_symantec to the WTAP_ENCAP_SYMANTEC
 * link-layer type and cache the ethertype table used for payload dispatch.
 *
 * NOTE: the listing is incomplete -- the return type, the braces and the
 * second argument of create_dissector_handle() are not visible here.
 */
150 proto_reg_handoff_symantec(void)
152 dissector_handle_t symantec_handle;
/*
 * Not NULL-checked: this relies on the "ethertype" table having been
 * registered before this handoff runs (standard Wireshark ordering --
 * confirm). A NULL here would surface later in dissector_try_port().
 */
154 ethertype_dissector_table = find_dissector_table("ethertype");
156 symantec_handle = create_dissector_handle(dissect_symantec,
/* Every frame whose capture encapsulation is WTAP_ENCAP_SYMANTEC goes through dissect_symantec(). */
158 dissector_add("wtap_encap", WTAP_ENCAP_SYMANTEC, symantec_handle);