2 * Routines for ethernet packet disassembly
4 * $Id: packet-eth.c,v 1.85 2003/08/26 05:52:44 guy Exp $
6 * Ethereal - Network traffic analyzer
7 * By Gerald Combs <gerald@ethereal.com>
8 * Copyright 1998 Gerald Combs
10 * This program is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU General Public License
12 * as published by the Free Software Foundation; either version 2
13 * of the License, or (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
30 #include <epan/packet.h>
33 #include <epan/resolv.h>
34 #include "packet-eth.h"
35 #include "packet-ieee8023.h"
36 #include "packet-ipx.h"
37 #include "packet-isl.h"
38 #include "packet-llc.h"
42 /* Interpret capture file as FW1 monitor file */
43 static gboolean eth_interpret_as_fw1_monitor = FALSE;
45 /* protocols and header fields */
46 static int proto_eth = -1;
47 static int hf_eth_dst = -1;
48 static int hf_eth_src = -1;
49 static int hf_eth_len = -1;
50 static int hf_eth_type = -1;
51 static int hf_eth_addr = -1;
52 static int hf_eth_trailer = -1;
54 static gint ett_ieee8023 = -1;
55 static gint ett_ether2 = -1;
57 static dissector_handle_t isl_handle;
58 static dissector_handle_t fw1_handle;
60 static int eth_tap = -1;
62 #define ETH_HEADER_SIZE 14
64 /* These are the Netware-ish names for the different Ethernet frame types.
65 EthernetII: The ethernet with a Type field instead of a length field
66 Ethernet802.2: An 802.3 header followed by an 802.2 header
67 Ethernet802.3: A raw 802.3 packet. IPX/SPX can be the only payload.
68 There's no 802.2 hdr in this.
69 EthernetSNAP: Basically 802.2, just with 802.2SNAP. For our purposes,
70 there's no difference between 802.2 and 802.2SNAP, since we just
71 pass it down to the LLC dissector. -- Gilbert
74 #define ETHERNET_802_2 1
75 #define ETHERNET_802_3 2
76 #define ETHERNET_SNAP 3
79 capture_eth(const guchar *pd, int offset, int len, packet_counts *ld)
81 guint16 etype, length;
82 int ethhdr_type; /* the type of ethernet frame */
84 if (!BYTES_ARE_IN_FRAME(offset, len, ETH_HEADER_SIZE)) {
89 etype = pntohs(&pd[offset+12]);
92 * If the type/length field is <= the maximum 802.3 length,
93 * and is not zero, this is an 802.3 frame, and it's a length
94 * field; it might be an Novell "raw 802.3" frame, with no
95 * 802.2 LLC header, or it might be a frame with an 802.2 LLC
98 * If the type/length field is > the maximum 802.3 length,
99 * this is an Ethernet II frame, and it's a type field.
101 * If the type/length field is zero (ETHERTYPE_UNK), this is
102 * a frame used internally by the Cisco MDS switch to contain
103 * Fibre Channel ("Vegas"). We treat that as an Ethernet II
104 * frame; the dissector for those frames registers itself with
105 * an ethernet type of ETHERTYPE_UNK.
107 if (etype <= IEEE_802_3_MAX_LEN && etype != ETHERTYPE_UNK) {
110 /* Is there an 802.2 layer? I can tell by looking at the first 2
111 bytes after the 802.3 header. If they are 0xffff, then what
112 follows the 802.3 header is an IPX payload, meaning no 802.2.
113 (IPX/SPX is they only thing that can be contained inside a
114 straight 802.3 packet). A non-0xffff value means that there's an
115 802.2 layer inside the 802.3 layer */
116 if (pd[offset+14] == 0xff && pd[offset+15] == 0xff) {
117 ethhdr_type = ETHERNET_802_3;
120 ethhdr_type = ETHERNET_802_2;
123 /* Oh, yuck. Cisco ISL frames require special interpretation of the
124 destination address field; fortunately, they can be recognized by
125 checking the first 5 octets of the destination address, which are
126 01-00-0C-00-00 for ISL frames. */
127 if (pd[offset] == 0x01 && pd[offset+1] == 0x00 && pd[offset+2] == 0x0C
128 && pd[offset+3] == 0x00 && pd[offset+4] == 0x00) {
129 capture_isl(pd, offset, len, ld);
133 /* Convert the LLC length from the 802.3 header to a total
134 frame length, by adding in the size of any data that preceded
135 the Ethernet header, and adding in the Ethernet header size,
136 and set the payload and captured-payload lengths to the minima
137 of the total length and the frame lengths. */
138 length += offset + ETH_HEADER_SIZE;
142 ethhdr_type = ETHERNET_II;
144 offset += ETH_HEADER_SIZE;
146 switch (ethhdr_type) {
151 capture_llc(pd, offset, len, ld);
154 capture_ethertype(etype, pd, offset, len, ld);
160 dissect_eth(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
164 volatile gboolean is_802_2;
165 proto_tree *volatile fh_tree = NULL;
166 const char *src_addr, *dst_addr;
167 static eth_hdr ehdrs[4];
168 static int ehdr_num=0;
174 ehdr=&ehdrs[ehdr_num];
177 if (check_col(pinfo->cinfo, COL_PROTOCOL))
178 col_set_str(pinfo->cinfo, COL_PROTOCOL, "Ethernet");
180 src_addr=tvb_get_ptr(tvb, 6, 6);
181 SET_ADDRESS(&pinfo->dl_src, AT_ETHER, 6, src_addr);
182 SET_ADDRESS(&pinfo->src, AT_ETHER, 6, src_addr);
183 SET_ADDRESS(&ehdr->src, AT_ETHER, 6, src_addr);
184 dst_addr=tvb_get_ptr(tvb, 0, 6);
185 SET_ADDRESS(&pinfo->dl_dst, AT_ETHER, 6, dst_addr);
186 SET_ADDRESS(&pinfo->dst, AT_ETHER, 6, dst_addr);
187 SET_ADDRESS(&ehdr->dst, AT_ETHER, 6, dst_addr);
189 ehdr->type = tvb_get_ntohs(tvb, 12);
192 * If the type/length field is <= the maximum 802.3 length,
193 * and is not zero, this is an 802.3 frame, and it's a length
194 * field; it might be an Novell "raw 802.3" frame, with no
195 * 802.2 LLC header, or it might be a frame with an 802.2 LLC
198 * If the type/length field is > the maximum 802.3 length,
199 * this is an Ethernet II frame, and it's a type field.
201 * If the type/length field is zero (ETHERTYPE_UNK), this is
202 * a frame used internally by the Cisco MDS switch to contain
203 * Fibre Channel ("Vegas"). We treat that as an Ethernet II
204 * frame; the dissector for those frames registers itself with
205 * an ethernet type of ETHERTYPE_UNK.
207 if (ehdr->type <= IEEE_802_3_MAX_LEN && ehdr->type != ETHERTYPE_UNK) {
208 /* Oh, yuck. Cisco ISL frames require special interpretation of the
209 destination address field; fortunately, they can be recognized by
210 checking the first 5 octets of the destination address, which are
211 01-00-0C-00-00 for ISL frames. */
212 if ( tvb_get_guint8(tvb, 0) == 0x01 &&
213 tvb_get_guint8(tvb, 1) == 0x00 &&
214 tvb_get_guint8(tvb, 2) == 0x0C &&
215 tvb_get_guint8(tvb, 3) == 0x00 &&
216 tvb_get_guint8(tvb, 4) == 0x00 ) {
217 call_dissector(isl_handle, tvb, pinfo, tree);
221 /* Is there an 802.2 layer? I can tell by looking at the first 2
222 bytes after the 802.3 header. If they are 0xffff, then what
223 follows the 802.3 header is an IPX payload, meaning no 802.2.
224 (IPX/SPX is they only thing that can be contained inside a
225 straight 802.3 packet). A non-0xffff value means that there's an
226 802.2 layer inside the 802.3 layer */
229 if (tvb_get_ntohs(tvb, 14) == 0xffff) {
233 CATCH2(BoundsError, ReportedBoundsError) {
239 if (check_col(pinfo->cinfo, COL_INFO)) {
240 col_add_fstr(pinfo->cinfo, COL_INFO, "IEEE 802.3 Ethernet %s",
241 (is_802_2 ? "" : "Raw "));
244 ti = proto_tree_add_protocol_format(tree, proto_eth, tvb, 0, ETH_HEADER_SIZE,
245 "IEEE 802.3 Ethernet %s", (is_802_2 ? "" : "Raw "));
247 fh_tree = proto_item_add_subtree(ti, ett_ieee8023);
250 proto_tree_add_ether(fh_tree, hf_eth_dst, tvb, 0, 6, dst_addr);
251 proto_tree_add_ether(fh_tree, hf_eth_src, tvb, 6, 6, src_addr);
253 /* add items for eth.addr filter */
254 proto_tree_add_ether_hidden(fh_tree, hf_eth_addr, tvb, 0, 6, dst_addr);
255 proto_tree_add_ether_hidden(fh_tree, hf_eth_addr, tvb, 6, 6, src_addr);
257 dissect_802_3(ehdr->type, is_802_2, tvb, ETH_HEADER_SIZE, pinfo, tree, fh_tree,
258 hf_eth_len, hf_eth_trailer);
260 if (eth_interpret_as_fw1_monitor) {
261 call_dissector(fw1_handle, tvb, pinfo, tree);
265 if (check_col(pinfo->cinfo, COL_INFO))
266 col_set_str(pinfo->cinfo, COL_INFO, "Ethernet II");
268 ti = proto_tree_add_protocol_format(tree, proto_eth, tvb, 0, ETH_HEADER_SIZE,
269 "Ethernet II, Src: %s, Dst: %s",
270 ether_to_str(src_addr), ether_to_str(dst_addr));
272 fh_tree = proto_item_add_subtree(ti, ett_ether2);
275 proto_tree_add_ether(fh_tree, hf_eth_dst, tvb, 0, 6, dst_addr);
276 proto_tree_add_ether(fh_tree, hf_eth_src, tvb, 6, 6, src_addr);
277 /* add items for eth.addr filter */
278 proto_tree_add_ether_hidden(fh_tree, hf_eth_addr, tvb, 0, 6, dst_addr);
279 proto_tree_add_ether_hidden(fh_tree, hf_eth_addr, tvb, 6, 6, src_addr);
281 ethertype(ehdr->type, tvb, ETH_HEADER_SIZE, pinfo, tree, fh_tree, hf_eth_type,
286 tap_queue_packet(eth_tap, pinfo, ehdr);
291 * Add an Ethernet trailer - which, for some captures, might be the FCS
292 * rather than a pad-to-60-bytes trailer.
295 add_ethernet_trailer(proto_tree *fh_tree, int trailer_id, tvbuff_t *tvb,
296 tvbuff_t *trailer_tvb)
298 /* If there're some bytes left over, show those bytes as a trailer.
300 However, if the Ethernet frame was claimed to have had 64 or more
301 bytes - i.e., it was at least an FCS worth of data longer than
302 the minimum payload size - assume the last 4 bytes of the trailer
304 if (trailer_tvb && fh_tree) {
305 guint trailer_length, trailer_reported_length;
306 gboolean has_fcs = FALSE;
308 trailer_length = tvb_length(trailer_tvb);
309 trailer_reported_length = tvb_reported_length(trailer_tvb);
310 if (tvb_reported_length(tvb) >= 64) {
311 /* OK, the frame is big enough that, if we have a trailer, it
312 probably includes an FCS; there's no need to pad an Ethernet
313 packet past 60 bytes.
315 Do we have enough space in the trailer for an FCS? */
316 if (trailer_reported_length >= 4) {
317 /* Yes, as the claimed trailer length is at least as big as
319 if (trailer_length < trailer_reported_length) {
320 /* The packet is claimed to have enough data for a 4-byte FCS,
321 but we didn't capture all of the packet.
322 Slice off the 4-byte FCS from the reported length, and
323 trim the captured length so it's no more than the reported
324 length; that will slice off what of the FCS, if any, is
325 in the captured packet. */
326 trailer_reported_length -= 4;
327 if (trailer_length > trailer_reported_length)
328 trailer_length = trailer_reported_length;
331 /* We captured all of the packet, including what appears to
332 be a 4-byte FCS. Slice it off. */
334 trailer_reported_length -= 4;
339 if (trailer_length != 0) {
340 proto_tree_add_item(fh_tree, trailer_id, trailer_tvb, 0,
341 trailer_length, FALSE);
344 guint32 sent_fcs = tvb_get_ntohl(trailer_tvb, trailer_length);
345 guint32 fcs = crc32_802(tvb_get_ptr(tvb, 0, tvb_length(tvb) - 4),
346 tvb_length(tvb) - 4);
347 if (fcs == sent_fcs) {
348 proto_tree_add_text(fh_tree, trailer_tvb, trailer_length, 4,
349 "Frane check sequence: 0x%08x (correct)",
352 proto_tree_add_text(fh_tree, trailer_tvb, trailer_length, 4,
353 "Frane check sequence: 0x%08x (incorrect, should be 0x%08x)",
361 proto_register_eth(void)
363 static hf_register_info hf[] = {
366 { "Destination", "eth.dst", FT_ETHER, BASE_NONE, NULL, 0x0,
367 "Destination Hardware Address", HFILL }},
370 { "Source", "eth.src", FT_ETHER, BASE_NONE, NULL, 0x0,
371 "Source Hardware Address", HFILL }},
374 { "Length", "eth.len", FT_UINT16, BASE_DEC, NULL, 0x0,
377 /* registered here but handled in ethertype.c */
379 { "Type", "eth.type", FT_UINT16, BASE_HEX, VALS(etype_vals), 0x0,
382 { "Source or Destination Address", "eth.addr", FT_ETHER, BASE_NONE, NULL, 0x0,
383 "Source or Destination Hardware Address", HFILL }},
386 { "Trailer", "eth.trailer", FT_BYTES, BASE_NONE, NULL, 0x0,
387 "Ethernet Trailer or Checksum", HFILL }},
390 static gint *ett[] = {
394 module_t *eth_module;
396 proto_eth = proto_register_protocol("Ethernet", "Ethernet", "eth");
397 proto_register_field_array(proto_eth, hf, array_length(hf));
398 proto_register_subtree_array(ett, array_length(ett));
400 /* Register configuration preferences */
401 eth_module = prefs_register_protocol(proto_eth, NULL);
402 prefs_register_bool_preference(eth_module, "interpret_as_fw1_monitor",
403 "Interpret as FireWall-1 monitor file",
404 "Whether the capture file should be interpreted as a CheckPoint FireWall-1 monitor file",
405 ð_interpret_as_fw1_monitor);
407 register_dissector("eth", dissect_eth, proto_eth);
408 eth_tap = register_tap("eth");
412 proto_reg_handoff_eth(void)
414 dissector_handle_t eth_handle;
417 * Get a handle for the ISL dissector.
419 isl_handle = find_dissector("isl");
420 fw1_handle = find_dissector("fw1");
422 eth_handle = find_dissector("eth");
423 dissector_add("wtap_encap", WTAP_ENCAP_ETHERNET, eth_handle);
424 dissector_add("ethertype", ETHERTYPE_ETHBRIDGE, eth_handle);
425 dissector_add("chdlctype", ETHERTYPE_ETHBRIDGE, eth_handle);
426 dissector_add("gre.proto", ETHERTYPE_ETHBRIDGE, eth_handle);