2 * Routines for ethernet packet disassembly
4 * $Id: packet-eth.c,v 1.73 2002/04/24 06:03:33 guy Exp $
6 * Ethereal - Network traffic analyzer
7 * By Gerald Combs <gerald@ethereal.com>
8 * Copyright 1998 Gerald Combs
10 * This program is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU General Public License
12 * as published by the Free Software Foundation; either version 2
13 * of the License, or (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
29 #ifdef HAVE_SYS_TYPES_H
30 # include <sys/types.h>
34 #include <epan/packet.h>
36 #include <epan/resolv.h>
37 #include "packet-eth.h"
38 #include "packet-ieee8023.h"
39 #include "packet-ipx.h"
40 #include "packet-isl.h"
41 #include "packet-llc.h"
43 /* protocols and header fields */
44 static int proto_eth = -1;
45 static int hf_eth_dst = -1;
46 static int hf_eth_src = -1;
47 static int hf_eth_len = -1;
48 static int hf_eth_type = -1;
49 static int hf_eth_addr = -1;
50 static int hf_eth_trailer = -1;
52 static gint ett_ieee8023 = -1;
53 static gint ett_ether2 = -1;
55 static dissector_handle_t isl_handle;
57 #define ETH_HEADER_SIZE 14
59 /* These are the Netware-ish names for the different Ethernet frame types.
60 EthernetII: The ethernet with a Type field instead of a length field
61 Ethernet802.2: An 802.3 header followed by an 802.2 header
62 Ethernet802.3: A raw 802.3 packet. IPX/SPX can be the only payload.
63 There's no 802.2 hdr in this.
64 EthernetSNAP: Basically 802.2, just with 802.2SNAP. For our purposes,
65 there's no difference between 802.2 and 802.2SNAP, since we just
66 pass it down to the LLC dissector. -- Gilbert
69 #define ETHERNET_802_2 1
70 #define ETHERNET_802_3 2
71 #define ETHERNET_SNAP 3
74 capture_eth(const u_char *pd, int offset, int len, packet_counts *ld)
76 guint16 etype, length;
77 int ethhdr_type; /* the type of ethernet frame */
79 if (!BYTES_ARE_IN_FRAME(offset, len, ETH_HEADER_SIZE)) {
84 etype = pntohs(&pd[offset+12]);
86 /* either ethernet802.3 or ethernet802.2 */
87 if (etype <= IEEE_802_3_MAX_LEN) {
90 /* Is there an 802.2 layer? I can tell by looking at the first 2
91 bytes after the 802.3 header. If they are 0xffff, then what
92 follows the 802.3 header is an IPX payload, meaning no 802.2.
93 (IPX/SPX is they only thing that can be contained inside a
94 straight 802.3 packet). A non-0xffff value means that there's an
95 802.2 layer inside the 802.3 layer */
96 if (pd[offset+14] == 0xff && pd[offset+15] == 0xff) {
97 ethhdr_type = ETHERNET_802_3;
100 ethhdr_type = ETHERNET_802_2;
103 /* Oh, yuck. Cisco ISL frames require special interpretation of the
104 destination address field; fortunately, they can be recognized by
105 checking the first 5 octets of the destination address, which are
106 01-00-0C-00-00 for ISL frames. */
107 if (pd[offset] == 0x01 && pd[offset+1] == 0x00 && pd[offset+2] == 0x0C
108 && pd[offset+3] == 0x00 && pd[offset+4] == 0x00) {
109 capture_isl(pd, offset, len, ld);
113 /* Convert the LLC length from the 802.3 header to a total
114 frame length, by adding in the size of any data that preceded
115 the Ethernet header, and adding in the Ethernet header size,
116 and set the payload and captured-payload lengths to the minima
117 of the total length and the frame lengths. */
118 length += offset + ETH_HEADER_SIZE;
122 ethhdr_type = ETHERNET_II;
124 offset += ETH_HEADER_SIZE;
126 switch (ethhdr_type) {
131 capture_llc(pd, offset, len, ld);
134 capture_ethertype(etype, pd, offset, len, ld);
140 dissect_eth(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
143 const guint8 *dst, *src;
146 volatile gboolean is_802_2;
147 proto_tree *volatile fh_tree = NULL;
149 if (check_col(pinfo->cinfo, COL_PROTOCOL))
150 col_set_str(pinfo->cinfo, COL_PROTOCOL, "Ethernet");
152 src = tvb_get_ptr(tvb, 6, 6);
153 dst = tvb_get_ptr(tvb, 0, 6);
154 SET_ADDRESS(&pinfo->dl_src, AT_ETHER, 6, src);
155 SET_ADDRESS(&pinfo->src, AT_ETHER, 6, src);
156 SET_ADDRESS(&pinfo->dl_dst, AT_ETHER, 6, dst);
157 SET_ADDRESS(&pinfo->dst, AT_ETHER, 6, dst);
159 etype = tvb_get_ntohs(tvb, 12);
161 /* either ethernet802.3 or ethernet802.2 */
162 if (etype <= IEEE_802_3_MAX_LEN) {
163 /* Oh, yuck. Cisco ISL frames require special interpretation of the
164 destination address field; fortunately, they can be recognized by
165 checking the first 5 octets of the destination address, which are
166 01-00-0C-00-00 for ISL frames. */
167 if ( tvb_get_guint8(tvb, 0) == 0x01 &&
168 tvb_get_guint8(tvb, 1) == 0x00 &&
169 tvb_get_guint8(tvb, 2) == 0x0C &&
170 tvb_get_guint8(tvb, 3) == 0x00 &&
171 tvb_get_guint8(tvb, 4) == 0x00 ) {
172 call_dissector(isl_handle, tvb, pinfo, tree);
176 /* Is there an 802.2 layer? I can tell by looking at the first 2
177 bytes after the 802.3 header. If they are 0xffff, then what
178 follows the 802.3 header is an IPX payload, meaning no 802.2.
179 (IPX/SPX is they only thing that can be contained inside a
180 straight 802.3 packet). A non-0xffff value means that there's an
181 802.2 layer inside the 802.3 layer */
184 if (tvb_get_ntohs(tvb, 14) == 0xffff) {
188 CATCH2(BoundsError, ReportedBoundsError) {
194 if (check_col(pinfo->cinfo, COL_INFO)) {
195 col_add_fstr(pinfo->cinfo, COL_INFO, "IEEE 802.3 Ethernet %s",
196 (is_802_2 ? "" : "Raw "));
199 ti = proto_tree_add_protocol_format(tree, proto_eth, tvb, 0, ETH_HEADER_SIZE,
200 "IEEE 802.3 Ethernet %s", (is_802_2 ? "" : "Raw "));
202 fh_tree = proto_item_add_subtree(ti, ett_ieee8023);
204 proto_tree_add_ether(fh_tree, hf_eth_dst, tvb, 0, 6, dst);
205 proto_tree_add_ether(fh_tree, hf_eth_src, tvb, 6, 6, src);
207 /* add items for eth.addr filter */
208 proto_tree_add_ether_hidden(fh_tree, hf_eth_addr, tvb, 0, 6, dst);
209 proto_tree_add_ether_hidden(fh_tree, hf_eth_addr, tvb, 6, 6, src);
212 dissect_802_3(etype, is_802_2, tvb, ETH_HEADER_SIZE, pinfo, tree, fh_tree,
213 hf_eth_len, hf_eth_trailer);
215 if (check_col(pinfo->cinfo, COL_INFO))
216 col_set_str(pinfo->cinfo, COL_INFO, "Ethernet II");
218 ti = proto_tree_add_protocol_format(tree, proto_eth, tvb, 0, ETH_HEADER_SIZE,
221 fh_tree = proto_item_add_subtree(ti, ett_ether2);
223 proto_tree_add_ether(fh_tree, hf_eth_dst, tvb, 0, 6, dst);
224 proto_tree_add_ether(fh_tree, hf_eth_src, tvb, 6, 6, src);
225 /* add items for eth.addr filter */
226 proto_tree_add_ether_hidden(fh_tree, hf_eth_addr, tvb, 0, 6, dst);
227 proto_tree_add_ether_hidden(fh_tree, hf_eth_addr, tvb, 6, 6, src);
230 ethertype(etype, tvb, ETH_HEADER_SIZE, pinfo, tree, fh_tree, hf_eth_type,
236 proto_register_eth(void)
238 static hf_register_info hf[] = {
241 { "Destination", "eth.dst", FT_ETHER, BASE_NONE, NULL, 0x0,
242 "Destination Hardware Address", HFILL }},
245 { "Source", "eth.src", FT_ETHER, BASE_NONE, NULL, 0x0,
246 "Source Hardware Address", HFILL }},
249 { "Length", "eth.len", FT_UINT16, BASE_DEC, NULL, 0x0,
252 /* registered here but handled in ethertype.c */
254 { "Type", "eth.type", FT_UINT16, BASE_HEX, VALS(etype_vals), 0x0,
257 { "Source or Destination Address", "eth.addr", FT_ETHER, BASE_NONE, NULL, 0x0,
258 "Source or Destination Hardware Address", HFILL }},
261 { "Trailer", "eth.trailer", FT_BYTES, BASE_NONE, NULL, 0x0,
262 "Ethernet Trailer or Checksum", HFILL }},
265 static gint *ett[] = {
270 proto_eth = proto_register_protocol("Ethernet", "Ethernet", "eth");
271 proto_register_field_array(proto_eth, hf, array_length(hf));
272 proto_register_subtree_array(ett, array_length(ett));
274 register_dissector("eth", dissect_eth, proto_eth);
278 proto_reg_handoff_eth(void)
280 dissector_handle_t eth_handle;
283 * Get a handle for the ISL dissector.
285 isl_handle = find_dissector("isl");
287 eth_handle = find_dissector("eth");
288 dissector_add("wtap_encap", WTAP_ENCAP_ETHERNET, eth_handle);
289 dissector_add("ethertype", ETHERTYPE_ETHBRIDGE, eth_handle);
290 dissector_add("chdlctype", ETHERTYPE_ETHBRIDGE, eth_handle);
291 dissector_add("gre.proto", ETHERTYPE_ETHBRIDGE, eth_handle);