1 /* packet-symantec.c
2  * Routines for dissection of packets from the Axent Raptor firewall/
3  * Symantec Enterprise Firewall/Symantec Gateway Security appliance
4  * v2/Symantec Gateway Security appliance v3.
5  *
6  * $Id$
7  *
8  * Wireshark - Network traffic analyzer
9  * By Gerald Combs <gerald@wireshark.org>
10  *
11  * This program is free software; you can redistribute it and/or
12  * modify it under the terms of the GNU General Public License
13  * as published by the Free Software Foundation; either version 2
14  * of the License, or (at your option) any later version.
15  *
16  * This program is distributed in the hope that it will be useful,
17  * but WITHOUT ANY WARRANTY; without even the implied warranty of
18  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
19  * GNU General Public License for more details.
20  *
21  * You should have received a copy of the GNU General Public License
22  * along with this program; if not, write to the Free Software
23  * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
24  */
25
26 #ifdef HAVE_CONFIG_H
27 # include "config.h"
28 #endif
29
30 #include <glib.h>
31
32 #include <epan/packet.h>
33
34 #include <epan/etypes.h>
35
/* "ethertype" dissector table; looked up once in proto_reg_handoff_symantec
 * and used to dispatch the frame that follows the Symantec header. */
static dissector_table_t ethertype_dissector_table;

/* protocols and header fields */
static int proto_symantec = -1;         /* protocol handle, set by proto_register_protocol */
static int hf_symantec_if = -1;         /* IPv4 address of the capturing interface (FT_IPv4) */
static int hf_symantec_etype = -1;      /* Ethernet type of the encapsulated frame (FT_UINT16) */

static gint ett_symantec = -1;          /* subtree index for the Symantec header */
44
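/*
 * Fixed layout of the two Symantec record flavours (see the comment in
 * dissect_symantec below): v2 carries the Ethernet type at offset 6 of a
 * 44-byte header, v3 carries it at offset 10 of a 56-byte header.
 */
enum {
        SYMANTEC_V2_ETYPE_OFFSET = 6,
        SYMANTEC_V2_HDR_LEN = 44,
        SYMANTEC_V3_ETYPE_OFFSET = 10,
        SYMANTEC_V3_HDR_LEN = 56
};

/*
 * Common tail of the dissection once the record flavour is known: set the
 * Info column, build the Symantec subtree when a tree is requested, and
 * hand the encapsulated frame to the "ethertype" dissector table.
 *
 * hdr_len:      total length of the Symantec header; the payload starts there
 * etype_offset: offset of the 2-byte Ethernet type inside the header
 * etype:        Ethernet type already read from that offset (non-zero)
 * info:         constant text for the Info column
 * label:        constant text for the protocol item
 */
static void
dissect_symantec_variant(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
    gint hdr_len, gint etype_offset, guint16 etype,
    const char *info, const char *label)
{
        proto_item *ti;
        proto_tree *symantec_tree;
        tvbuff_t *next_tvb;

        if (check_col(pinfo->cinfo, COL_INFO))
                col_add_str(pinfo->cinfo, COL_INFO, info);

        if (tree) {
                /* label is a constant here, but it is passed through "%s"
                 * so that a format function never receives a non-literal
                 * format string. */
                ti = proto_tree_add_protocol_format(tree, proto_symantec, tvb,
                        0, hdr_len, "%s", label);
                symantec_tree = proto_item_add_subtree(ti, ett_symantec);
                proto_tree_add_item(symantec_tree, hf_symantec_if, tvb,
                        0, 4, FALSE);
                proto_tree_add_uint(symantec_tree, hf_symantec_etype, tvb,
                        etype_offset, 2, etype);
        }

        /*
         * Everything after the header is a frame of type etype.
         * NOTE(review): an Ethernet type with no registered dissector leaves
         * the payload undissected; a fallback to a "data" handle would have
         * to be looked up in the handoff routine.
         */
        next_tvb = tvb_new_subset(tvb, hdr_len, -1, -1);
        dissector_try_port(ethertype_dissector_table, etype, next_tvb, pinfo,
                tree);
}

/*
 * Dissect one Symantec capture record (WTAP_ENCAP_SYMANTEC).
 *
 * Symantec records come in two variants:
 *
 * The older variant, dating from Axent days and continuing until
 * the SGS v2.0.1 code level, is 44 bytes long.
 * The first 4 bytes are the IPv4 address of the interface that
 * captured the data, followed by 2 bytes of 0, then an Ethernet
 * type, followed by 36 bytes of 0.
 *
 * The newer variant, introduced either in SGS v3.0 or v3.0.1
 * (possibly in concert with VLAN support), is 56 bytes long.
 * The first 4 bytes are the IPv4 address of the interface that
 * captured the data, followed by 6 bytes of 0, then an Ethernet
 * type, followed by 44 bytes of 0.
 *
 * Unfortunately, there is no flag to distinguish between the two
 * flavours.  The only indication of which flavour you have is the
 * offset of the ETHERTYPE field.  Fortunately, Symantec didn't
 * use ETHERTYPE_UNK as a valid value.
 */
static void
dissect_symantec(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
        guint16 etypev2, etypev3;

        /*
         * Read both candidate Ethernet-type slots; exactly one of them is
         * non-zero in a well-formed record.  NOTE(review): a record shorter
         * than 12 bytes presumably makes these reads throw the usual tvb
         * bounds exception instead of returning from here.
         */
        etypev2 = tvb_get_ntohs(tvb, SYMANTEC_V2_ETYPE_OFFSET);
        etypev3 = tvb_get_ntohs(tvb, SYMANTEC_V3_ETYPE_OFFSET);

        /* a valid packet can't be both v2 and v3 or neither v2 nor v3 */
        if ((etypev2 == 0) == (etypev3 == 0))
                return;

        if (check_col(pinfo->cinfo, COL_PROTOCOL))
                col_add_str(pinfo->cinfo, COL_PROTOCOL, "Symantec");

        if (etypev3 == 0) {
                /* SEF and SGS v2 processing */
                dissect_symantec_variant(tvb, pinfo, tree,
                    SYMANTEC_V2_HDR_LEN, SYMANTEC_V2_ETYPE_OFFSET, etypev2,
                    "Symantec Enterprise Firewall", "Symantec firewall");
        } else {
                /*
                 * SGS v3 processing.
                 * Dissection of VLAN information will have to wait until
                 * availability of a capture file from an SGSv3 box using VLAN
                 * tagging.
                 */
                dissect_symantec_variant(tvb, pinfo, tree,
                    SYMANTEC_V3_HDR_LEN, SYMANTEC_V3_ETYPE_OFFSET, etypev3,
                    "Symantec SGS v3", "Symantec SGSv3");
        }
}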
127
/*
 * Register the Symantec protocol, its two header fields (capturing
 * interface address and encapsulated Ethernet type) and its subtree
 * with the protocol framework.
 */
void
proto_register_symantec(void)
{
        static hf_register_info fields[] = {
                /* IPv4 address of the interface that captured the record */
                { &hf_symantec_if,
                    { "Interface", "symantec.if", FT_IPv4,  BASE_NONE, NULL, 0x0,
                        "Interface", HFILL }},
                /* Ethernet type of the frame following the header */
                { &hf_symantec_etype,
                    { "Type",    "symantec.type", FT_UINT16, BASE_HEX, VALS(etype_vals), 0x0,
                        "", HFILL }},
        };
        static gint *subtrees[] = { &ett_symantec };

        proto_symantec = proto_register_protocol("Symantec Enterprise Firewall",
            "Symantec", "symantec");
        proto_register_field_array(proto_symantec, fields, array_length(fields));
        proto_register_subtree_array(subtrees, array_length(subtrees));
}
148
/*
 * Hook the dissector up: claim the WTAP_ENCAP_SYMANTEC link-layer
 * encapsulation and remember the "ethertype" table used to dispatch
 * the encapsulated frame.
 */
void
proto_reg_handoff_symantec(void)
{
        dissector_add("wtap_encap", WTAP_ENCAP_SYMANTEC,
            create_dissector_handle(dissect_symantec, proto_symantec));

        /* Looked up here rather than at registration time so that the
         * ethertype table is guaranteed to exist. */
        ethertype_dissector_table = find_dissector_table("ethertype");
}