2 * Routines for ethernet packet disassembly
4 * $Id: packet-eth.c,v 1.50 2000/11/29 05:16:15 gram Exp $
6 * Ethereal - Network traffic analyzer
7 * By Gerald Combs <gerald@zing.org>
8 * Copyright 1998 Gerald Combs
11 * This program is free software; you can redistribute it and/or
12 * modify it under the terms of the GNU General Public License
13 * as published by the Free Software Foundation; either version 2
14 * of the License, or (at your option) any later version.
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
21 * You should have received a copy of the GNU General Public License
22 * along with this program; if not, write to the Free Software
23 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
30 #ifdef HAVE_SYS_TYPES_H
31 # include <sys/types.h>
38 #include "packet-eth.h"
39 #include "packet-ipx.h"
40 #include "packet-isl.h"
41 #include "packet-llc.h"
43 extern const value_string etype_vals[];
45 /* protocols and header fields */
46 static int proto_eth = -1;
47 static int hf_eth_dst = -1;
48 static int hf_eth_src = -1;
49 static int hf_eth_len = -1;
50 static int hf_eth_type = -1;
51 static int hf_eth_addr = -1;
52 static int hf_eth_trailer = -1;
54 static gint ett_ieee8023 = -1;
55 static gint ett_ether2 = -1;
57 #define ETH_HEADER_SIZE 14
59 /* These are the Netware-ish names for the different Ethernet frame types.
60 EthernetII: The ethernet with a Type field instead of a length field
61 Ethernet802.2: An 802.3 header followed by an 802.2 header
62 Ethernet802.3: A raw 802.3 packet. IPX/SPX can be the only payload.
63 There's not 802.2 hdr in this.
64 EthernetSNAP: Basically 802.2, just with 802.2SNAP. For our purposes,
65 there's no difference between 802.2 and 802.2SNAP, since we just
66 pass it down to dissect_llc(). -- Gilbert
69 #define ETHERNET_802_2 1
70 #define ETHERNET_802_3 2
71 #define ETHERNET_SNAP 3
74 capture_eth(const u_char *pd, int offset, packet_counts *ld)
76 guint16 etype, length;
77 int ethhdr_type; /* the type of ethernet frame */
79 if (!BYTES_ARE_IN_FRAME(offset, ETH_HEADER_SIZE)) {
84 etype = pntohs(&pd[offset+12]);
86 /* either ethernet802.3 or ethernet802.2 */
87 if (etype <= IEEE_802_3_MAX_LEN) {
90 /* Is there an 802.2 layer? I can tell by looking at the first 2
91 bytes after the 802.3 header. If they are 0xffff, then what
92 follows the 802.3 header is an IPX payload, meaning no 802.2.
93 (IPX/SPX is they only thing that can be contained inside a
94 straight 802.3 packet). A non-0xffff value means that there's an
95 802.2 layer inside the 802.3 layer */
96 if (pd[offset+14] == 0xff && pd[offset+15] == 0xff) {
97 ethhdr_type = ETHERNET_802_3;
100 ethhdr_type = ETHERNET_802_2;
103 /* Oh, yuck. Cisco ISL frames require special interpretation of the
104 destination address field; fortunately, they can be recognized by
105 checking the first 5 octets of the destination address, which are
106 01-00-0C-00-00 for ISL frames. */
107 if (pd[offset] == 0x01 && pd[offset+1] == 0x00 && pd[offset+2] == 0x0C
108 && pd[offset+3] == 0x00 && pd[offset+4] == 0x00) {
109 capture_isl(pd, offset, ld);
113 /* Convert the LLC length from the 802.3 header to a total
114 frame length, by adding in the size of any data that preceded
115 the Ethernet header, and adding in the Ethernet header size,
116 and set the payload and captured-payload lengths to the minima
117 of the total length and the frame lengths. */
118 length += offset + ETH_HEADER_SIZE;
121 if (pi.captured_len > length)
122 pi.captured_len = length;
124 ethhdr_type = ETHERNET_II;
126 offset += ETH_HEADER_SIZE;
128 switch (ethhdr_type) {
130 capture_ipx(pd, offset, ld);
133 capture_llc(pd, offset, ld);
136 capture_ethertype(etype, offset, pd, ld);
142 dissect_eth(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
144 int orig_captured_len;
149 volatile guint16 etype;
150 volatile int ethhdr_type; /* the type of Ethernet frame */
151 volatile int eth_offset;
152 volatile guint16 length;
153 tvbuff_t *volatile next_tvb;
154 tvbuff_t *volatile trailer_tvb;
155 proto_tree *volatile fh_tree;
158 CHECK_DISPLAY_AS_DATA(proto_eth, tvb, pinfo, tree);
160 tvb_compat(tvb, &pd, (int*)ð_offset);
162 pinfo->current_proto = "Ethernet";
163 orig_captured_len = pinfo->captured_len;
165 if (check_col(pinfo->fd, COL_PROTOCOL))
166 col_set_str(pinfo->fd, COL_PROTOCOL, "Ethernet");
168 src = tvb_get_ptr(tvb, 6, 6);
169 dst = tvb_get_ptr(tvb, 0, 6);
170 SET_ADDRESS(&pinfo->dl_src, AT_ETHER, 6, src);
171 SET_ADDRESS(&pinfo->src, AT_ETHER, 6, src);
172 SET_ADDRESS(&pinfo->dl_dst, AT_ETHER, 6, dst);
173 SET_ADDRESS(&pinfo->dst, AT_ETHER, 6, dst);
175 etype = tvb_get_ntohs(tvb, 12);
177 /* either ethernet802.3 or ethernet802.2 */
178 if (etype <= IEEE_802_3_MAX_LEN) {
181 /* Is there an 802.2 layer? I can tell by looking at the first 2
182 bytes after the 802.3 header. If they are 0xffff, then what
183 follows the 802.3 header is an IPX payload, meaning no 802.2.
184 (IPX/SPX is they only thing that can be contained inside a
185 straight 802.3 packet). A non-0xffff value means that there's an
186 802.2 layer inside the 802.3 layer */
187 ethhdr_type = ETHERNET_802_2;
189 if (tvb_get_ntohs(tvb, 14) == 0xffff) {
190 ethhdr_type = ETHERNET_802_3;
193 CATCH2(BoundsError, ReportedBoundsError) {
199 /* Oh, yuck. Cisco ISL frames require special interpretation of the
200 destination address field; fortunately, they can be recognized by
201 checking the first 5 octets of the destination address, which are
202 01-00-0C-00-00 for ISL frames. */
203 if ( tvb_get_guint8(tvb, 0) == 0x01 &&
204 tvb_get_guint8(tvb, 1) == 0x00 &&
205 tvb_get_guint8(tvb, 2) == 0x0C &&
206 tvb_get_guint8(tvb, 3) == 0x00 &&
207 tvb_get_guint8(tvb, 4) == 0x00 ) {
208 dissect_isl(pd, eth_offset, pinfo->fd, tree);
212 if (check_col(pinfo->fd, COL_INFO)) {
213 col_add_fstr(pinfo->fd, COL_INFO, "IEEE 802.3 %s",
214 (ethhdr_type == ETHERNET_802_3 ? "Raw " : ""));
218 ti = proto_tree_add_protocol_format(tree, proto_eth, tvb, 0, ETH_HEADER_SIZE,
219 "IEEE 802.3 %s", (ethhdr_type == ETHERNET_802_3 ? "Raw " : ""));
221 fh_tree = proto_item_add_subtree(ti, ett_ieee8023);
223 proto_tree_add_ether(fh_tree, hf_eth_dst, tvb, 0, 6, dst);
224 proto_tree_add_ether(fh_tree, hf_eth_src, tvb, 6, 6, src);
226 /* add items for eth.addr filter */
227 proto_tree_add_ether_hidden(fh_tree, hf_eth_addr, tvb, 0, 6, dst);
228 proto_tree_add_ether_hidden(fh_tree, hf_eth_addr, tvb, 6, 6, src);
230 proto_tree_add_uint(fh_tree, hf_eth_len, tvb, 12, 2, length);
233 /* Convert the LLC length from the 802.3 header to a total
234 frame length, by adding in the size of any data that preceded
235 the Ethernet header, and adding in the Ethernet header size,
236 and set the payload and captured-payload lengths to the minima
237 of the total length and the frame lengths. */
238 length += eth_offset + ETH_HEADER_SIZE;
239 if (pinfo->len > length)
241 if (pinfo->captured_len > length)
242 pinfo->captured_len = length;
244 ethhdr_type = ETHERNET_II;
245 if (check_col(pinfo->fd, COL_INFO))
246 col_set_str(pinfo->fd, COL_INFO, "Ethernet II");
249 ti = proto_tree_add_protocol_format(tree, proto_eth, tvb, 0, ETH_HEADER_SIZE,
252 fh_tree = proto_item_add_subtree(ti, ett_ether2);
254 proto_tree_add_ether(fh_tree, hf_eth_dst, tvb, 0, 6, dst);
255 proto_tree_add_ether(fh_tree, hf_eth_src, tvb, 6, 6, src);
256 /* add items for eth.addr filter */
257 proto_tree_add_ether_hidden(fh_tree, hf_eth_addr, tvb, 0, 6, dst);
258 proto_tree_add_ether_hidden(fh_tree, hf_eth_addr, tvb, 6, 6, src);
261 eth_offset += ETH_HEADER_SIZE;
263 if (etype <= IEEE_802_3_MAX_LEN) {
264 /* Give the next dissector only 'length' number of bytes */
266 next_tvb = tvb_new_subset(tvb, ETH_HEADER_SIZE, etype, etype);
267 trailer_tvb = tvb_new_subset(tvb, ETH_HEADER_SIZE + etype, -1, -1);
269 CATCH2(BoundsError, ReportedBoundsError) {
272 the packet doesn't have "etype" bytes worth of
273 captured data left in it - or it may not even have
274 "etype" bytes worth of data in it, period -
275 so the "tvb_new_subset()" creating "next_tvb"
280 the packet has exactly "etype" bytes worth of
281 captured data left in it, so the "tvb_new_subset()"
282 creating "trailer_tvb" threw an exception.
284 In either case, this means that all the data in the frame
285 is within the length value, so we give all the data to the
286 next protocol and have no trailer. */
287 next_tvb = tvb_new_subset(tvb, ETH_HEADER_SIZE, -1, etype);
293 next_tvb = NULL; /* "ethertype()" will create the next tvb for us */
294 trailer_tvb = NULL; /* we don't know how big the trailer is */
297 switch (ethhdr_type) {
299 dissect_ipx(next_tvb, pinfo, tree);
302 dissect_llc(next_tvb, pinfo, tree);
305 length_before = tvb_reported_length(tvb);
306 length = ethertype(etype, tvb, ETH_HEADER_SIZE, pinfo, tree, fh_tree,
307 hf_eth_type) + ETH_HEADER_SIZE;
308 if (length < length_before) {
310 * Create a tvbuff for the padding.
313 trailer_tvb = tvb_new_subset(tvb, length, -1, -1);
315 CATCH2(BoundsError, ReportedBoundsError) {
316 /* The packet doesn't have "length" bytes worth of captured
317 data left in it. No trailer to display. */
325 /* If there's some bytes left over, mark them. */
326 if (trailer_tvb && tree) {
327 guint trailer_length;
329 trailer_length = tvb_length(trailer_tvb);
330 if (trailer_length != 0) {
331 proto_tree_add_item(fh_tree, hf_eth_trailer, trailer_tvb, 0,
332 trailer_length, FALSE);
339 proto_register_eth(void)
341 static hf_register_info hf[] = {
344 { "Destination", "eth.dst", FT_ETHER, BASE_NONE, NULL, 0x0,
345 "Destination Hardware Address" }},
348 { "Source", "eth.src", FT_ETHER, BASE_NONE, NULL, 0x0,
349 "Source Hardware Address" }},
352 { "Length", "eth.len", FT_UINT16, BASE_DEC, NULL, 0x0,
355 /* registered here but handled in ethertype.c */
357 { "Type", "eth.type", FT_UINT16, BASE_HEX, VALS(etype_vals), 0x0,
360 { "Source or Destination Address", "eth.addr", FT_ETHER, BASE_NONE, NULL, 0x0,
361 "Source or Destination Hardware Address" }},
364 { "Trailer", "eth.trailer", FT_BYTES, BASE_NONE, NULL, 0x0,
365 "Ethernet Trailer or Checksum" }},
368 static gint *ett[] = {
373 proto_eth = proto_register_protocol ("Ethernet", "eth" );
374 proto_register_field_array(proto_eth, hf, array_length(hf));
375 proto_register_subtree_array(ett, array_length(ett));
377 register_dissector("eth", dissect_eth);
381 proto_reg_handoff_eth(void)
383 dissector_add("wtap_encap", WTAP_ENCAP_ETHERNET, dissect_eth);