2 * Routines for ethernet packet disassembly
4 * $Id: packet-eth.c,v 1.88 2003/10/01 07:11:44 guy Exp $
6 * Ethereal - Network traffic analyzer
7 * By Gerald Combs <gerald@ethereal.com>
8 * Copyright 1998 Gerald Combs
10 * This program is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU General Public License
12 * as published by the Free Software Foundation; either version 2
13 * of the License, or (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
30 #include <epan/packet.h>
33 #include <epan/resolv.h>
34 #include "packet-eth.h"
35 #include "packet-ieee8023.h"
36 #include "packet-ipx.h"
37 #include "packet-isl.h"
38 #include "packet-llc.h"
42 /* Interpret capture file as FW1 monitor file */
43 static gboolean eth_interpret_as_fw1_monitor = FALSE;
45 /* protocols and header fields */
46 static int proto_eth = -1;
47 static int hf_eth_dst = -1;
48 static int hf_eth_src = -1;
49 static int hf_eth_len = -1;
50 static int hf_eth_type = -1;
51 static int hf_eth_addr = -1;
52 static int hf_eth_trailer = -1;
54 static gint ett_ieee8023 = -1;
55 static gint ett_ether2 = -1;
57 static dissector_handle_t isl_handle;
58 static dissector_handle_t fw1_handle;
60 static int eth_tap = -1;
62 #define ETH_HEADER_SIZE 14
64 /* These are the Netware-ish names for the different Ethernet frame types.
65 EthernetII: The ethernet with a Type field instead of a length field
66 Ethernet802.2: An 802.3 header followed by an 802.2 header
67 Ethernet802.3: A raw 802.3 packet. IPX/SPX can be the only payload.
68 There's no 802.2 hdr in this.
69 EthernetSNAP: Basically 802.2, just with 802.2SNAP. For our purposes,
70 there's no difference between 802.2 and 802.2SNAP, since we just
71 pass it down to the LLC dissector. -- Gilbert
74 #define ETHERNET_802_2 1
75 #define ETHERNET_802_3 2
76 #define ETHERNET_SNAP 3
79 capture_eth(const guchar *pd, int offset, int len, packet_counts *ld)
81 guint16 etype, length;
82 int ethhdr_type; /* the type of ethernet frame */
84 if (!BYTES_ARE_IN_FRAME(offset, len, ETH_HEADER_SIZE)) {
89 etype = pntohs(&pd[offset+12]);
92 * If the type/length field is <= the maximum 802.3 length,
93 * and is not zero, this is an 802.3 frame, and it's a length
94 * field; it might be an Novell "raw 802.3" frame, with no
95 * 802.2 LLC header, or it might be a frame with an 802.2 LLC
98 * If the type/length field is > the maximum 802.3 length,
99 * this is an Ethernet II frame, and it's a type field.
101 * If the type/length field is zero (ETHERTYPE_UNK), this is
102 * a frame used internally by the Cisco MDS switch to contain
103 * Fibre Channel ("Vegas"). We treat that as an Ethernet II
104 * frame; the dissector for those frames registers itself with
105 * an ethernet type of ETHERTYPE_UNK.
107 if (etype <= IEEE_802_3_MAX_LEN && etype != ETHERTYPE_UNK) {
110 /* Is there an 802.2 layer? I can tell by looking at the first 2
111 bytes after the 802.3 header. If they are 0xffff, then what
112 follows the 802.3 header is an IPX payload, meaning no 802.2.
113 (IPX/SPX is they only thing that can be contained inside a
114 straight 802.3 packet). A non-0xffff value means that there's an
115 802.2 layer inside the 802.3 layer */
116 if (pd[offset+14] == 0xff && pd[offset+15] == 0xff) {
117 ethhdr_type = ETHERNET_802_3;
120 ethhdr_type = ETHERNET_802_2;
123 /* Oh, yuck. Cisco ISL frames require special interpretation of the
124 destination address field; fortunately, they can be recognized by
125 checking the first 5 octets of the destination address, which are
126 01-00-0C-00-00 for ISL frames. */
127 if (pd[offset] == 0x01 && pd[offset+1] == 0x00 && pd[offset+2] == 0x0C
128 && pd[offset+3] == 0x00 && pd[offset+4] == 0x00) {
129 capture_isl(pd, offset, len, ld);
133 /* Convert the LLC length from the 802.3 header to a total
134 frame length, by adding in the size of any data that preceded
135 the Ethernet header, and adding in the Ethernet header size,
136 and set the payload and captured-payload lengths to the minima
137 of the total length and the frame lengths. */
138 length += offset + ETH_HEADER_SIZE;
142 ethhdr_type = ETHERNET_II;
144 offset += ETH_HEADER_SIZE;
146 switch (ethhdr_type) {
151 capture_llc(pd, offset, len, ld);
154 capture_ethertype(etype, pd, offset, len, ld);
160 dissect_eth_common(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
165 volatile gboolean is_802_2;
166 proto_tree *volatile fh_tree = NULL;
167 const char *src_addr, *dst_addr;
168 static eth_hdr ehdrs[4];
169 static int ehdr_num=0;
175 ehdr=&ehdrs[ehdr_num];
178 if (check_col(pinfo->cinfo, COL_PROTOCOL))
179 col_set_str(pinfo->cinfo, COL_PROTOCOL, "Ethernet");
181 src_addr=tvb_get_ptr(tvb, 6, 6);
182 SET_ADDRESS(&pinfo->dl_src, AT_ETHER, 6, src_addr);
183 SET_ADDRESS(&pinfo->src, AT_ETHER, 6, src_addr);
184 SET_ADDRESS(&ehdr->src, AT_ETHER, 6, src_addr);
185 dst_addr=tvb_get_ptr(tvb, 0, 6);
186 SET_ADDRESS(&pinfo->dl_dst, AT_ETHER, 6, dst_addr);
187 SET_ADDRESS(&pinfo->dst, AT_ETHER, 6, dst_addr);
188 SET_ADDRESS(&ehdr->dst, AT_ETHER, 6, dst_addr);
190 ehdr->type = tvb_get_ntohs(tvb, 12);
193 * If the type/length field is <= the maximum 802.3 length,
194 * and is not zero, this is an 802.3 frame, and it's a length
195 * field; it might be an Novell "raw 802.3" frame, with no
196 * 802.2 LLC header, or it might be a frame with an 802.2 LLC
199 * If the type/length field is > the maximum 802.3 length,
200 * this is an Ethernet II frame, and it's a type field.
202 * If the type/length field is zero (ETHERTYPE_UNK), this is
203 * a frame used internally by the Cisco MDS switch to contain
204 * Fibre Channel ("Vegas"). We treat that as an Ethernet II
205 * frame; the dissector for those frames registers itself with
206 * an ethernet type of ETHERTYPE_UNK.
208 if (ehdr->type <= IEEE_802_3_MAX_LEN && ehdr->type != ETHERTYPE_UNK) {
209 /* Oh, yuck. Cisco ISL frames require special interpretation of the
210 destination address field; fortunately, they can be recognized by
211 checking the first 5 octets of the destination address, which are
212 01-00-0C-00-00 for ISL frames. */
213 if ( tvb_get_guint8(tvb, 0) == 0x01 &&
214 tvb_get_guint8(tvb, 1) == 0x00 &&
215 tvb_get_guint8(tvb, 2) == 0x0C &&
216 tvb_get_guint8(tvb, 3) == 0x00 &&
217 tvb_get_guint8(tvb, 4) == 0x00 ) {
218 call_dissector(isl_handle, tvb, pinfo, tree);
222 /* Is there an 802.2 layer? I can tell by looking at the first 2
223 bytes after the 802.3 header. If they are 0xffff, then what
224 follows the 802.3 header is an IPX payload, meaning no 802.2.
225 (IPX/SPX is they only thing that can be contained inside a
226 straight 802.3 packet). A non-0xffff value means that there's an
227 802.2 layer inside the 802.3 layer */
230 if (tvb_get_ntohs(tvb, 14) == 0xffff) {
234 CATCH2(BoundsError, ReportedBoundsError) {
240 if (check_col(pinfo->cinfo, COL_INFO)) {
241 col_add_fstr(pinfo->cinfo, COL_INFO, "IEEE 802.3 Ethernet %s",
242 (is_802_2 ? "" : "Raw "));
245 ti = proto_tree_add_protocol_format(tree, proto_eth, tvb, 0, ETH_HEADER_SIZE,
246 "IEEE 802.3 Ethernet %s", (is_802_2 ? "" : "Raw "));
248 fh_tree = proto_item_add_subtree(ti, ett_ieee8023);
251 proto_tree_add_ether(fh_tree, hf_eth_dst, tvb, 0, 6, dst_addr);
252 proto_tree_add_ether(fh_tree, hf_eth_src, tvb, 6, 6, src_addr);
254 /* add items for eth.addr filter */
255 proto_tree_add_ether_hidden(fh_tree, hf_eth_addr, tvb, 0, 6, dst_addr);
256 proto_tree_add_ether_hidden(fh_tree, hf_eth_addr, tvb, 6, 6, src_addr);
258 dissect_802_3(ehdr->type, is_802_2, tvb, ETH_HEADER_SIZE, pinfo, tree, fh_tree,
259 hf_eth_len, hf_eth_trailer, fcs_len);
261 if (eth_interpret_as_fw1_monitor) {
262 call_dissector(fw1_handle, tvb, pinfo, tree);
266 if (check_col(pinfo->cinfo, COL_INFO))
267 col_set_str(pinfo->cinfo, COL_INFO, "Ethernet II");
269 ti = proto_tree_add_protocol_format(tree, proto_eth, tvb, 0, ETH_HEADER_SIZE,
270 "Ethernet II, Src: %s, Dst: %s",
271 ether_to_str(src_addr), ether_to_str(dst_addr));
273 fh_tree = proto_item_add_subtree(ti, ett_ether2);
276 proto_tree_add_ether(fh_tree, hf_eth_dst, tvb, 0, 6, dst_addr);
277 proto_tree_add_ether(fh_tree, hf_eth_src, tvb, 6, 6, src_addr);
278 /* add items for eth.addr filter */
279 proto_tree_add_ether_hidden(fh_tree, hf_eth_addr, tvb, 0, 6, dst_addr);
280 proto_tree_add_ether_hidden(fh_tree, hf_eth_addr, tvb, 6, 6, src_addr);
282 ethertype(ehdr->type, tvb, ETH_HEADER_SIZE, pinfo, tree, fh_tree, hf_eth_type,
283 hf_eth_trailer, fcs_len);
287 tap_queue_packet(eth_tap, pinfo, ehdr);
292 * Add an Ethernet trailer - which, for some captures, might be the FCS
293 * rather than a pad-to-60-bytes trailer.
295 * If fcs_len is 0, we assume the frame has no FCS; if it's 4, we assume
296 * it has an FCS; if it's anything else (such as -1, which means "maybe
297 * it does, maybe it doesn't"), we try to infer whether it has an FCS.
300 add_ethernet_trailer(proto_tree *fh_tree, int trailer_id, tvbuff_t *tvb,
301 tvbuff_t *trailer_tvb, int fcs_len)
303 /* If there're some bytes left over, show those bytes as a trailer.
305 However, if the Ethernet frame was claimed to have had 64 or more
306 bytes - i.e., it was at least an FCS worth of data longer than
307 the minimum payload size - assume the last 4 bytes of the trailer
309 if (trailer_tvb && fh_tree) {
310 guint trailer_length, trailer_reported_length;
311 gboolean has_fcs = FALSE;
313 trailer_length = tvb_length(trailer_tvb);
314 trailer_reported_length = tvb_reported_length(trailer_tvb);
316 /* If fcs_len is 4, we assume we definitely have an FCS.
317 Otherwise, then, if the frame is big enough that, if we
318 have a trailer, it probably inclues an FCS, and we have
319 enough space in the trailer for the FCS, we assume we
322 "Big enough" means 64 bytes or more; any frame that big
323 needs no trailer, as there's no need to pad an Ethernet
324 packet past 60 bytes.
326 The trailer must be at least 4 bytes long to have enough
329 if (fcs_len == 4 || (tvb_reported_length(tvb) >= 64 &&
330 trailer_reported_length >= 4)) {
331 /* Either we know we have an FCS, or we believe we have an FCS. */
332 if (trailer_length < trailer_reported_length) {
333 /* The packet is claimed to have enough data for a 4-byte FCS,
334 but we didn't capture all of the packet.
335 Slice off the 4-byte FCS from the reported length, and
336 trim the captured length so it's no more than the reported
337 length; that will slice off what of the FCS, if any, is
338 in the captured packet. */
339 trailer_reported_length -= 4;
340 if (trailer_length > trailer_reported_length)
341 trailer_length = trailer_reported_length;
344 /* We captured all of the packet, including what appears to
345 be a 4-byte FCS. Slice it off. */
347 trailer_reported_length -= 4;
352 if (trailer_length != 0) {
353 proto_tree_add_item(fh_tree, trailer_id, trailer_tvb, 0,
354 trailer_length, FALSE);
357 guint32 sent_fcs = tvb_get_ntohl(trailer_tvb, trailer_length);
358 guint32 fcs = crc32_tvb_802(tvb, tvb_length(tvb) - 4);
359 if (fcs == sent_fcs) {
360 proto_tree_add_text(fh_tree, trailer_tvb, trailer_length, 4,
361 "Frame check sequence: 0x%08x (correct)",
364 proto_tree_add_text(fh_tree, trailer_tvb, trailer_length, 4,
365 "Frame check sequence: 0x%08x (incorrect, should be 0x%08x)",
372 /* Called for the Ethernet Wiretap encapsulation type; pass the FCS length
375 dissect_eth_maybefcs(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
377 dissect_eth_common(tvb, pinfo, tree, pinfo->pseudo_header->eth.fcs_len);
380 /* Called by other dissectors - for now, we assume Ethernet encapsulated
381 inside other protocols doesn't include the FCS. */
383 dissect_eth(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
385 dissect_eth_common(tvb, pinfo, tree, 0);
389 proto_register_eth(void)
391 static hf_register_info hf[] = {
394 { "Destination", "eth.dst", FT_ETHER, BASE_NONE, NULL, 0x0,
395 "Destination Hardware Address", HFILL }},
398 { "Source", "eth.src", FT_ETHER, BASE_NONE, NULL, 0x0,
399 "Source Hardware Address", HFILL }},
402 { "Length", "eth.len", FT_UINT16, BASE_DEC, NULL, 0x0,
405 /* registered here but handled in ethertype.c */
407 { "Type", "eth.type", FT_UINT16, BASE_HEX, VALS(etype_vals), 0x0,
410 { "Source or Destination Address", "eth.addr", FT_ETHER, BASE_NONE, NULL, 0x0,
411 "Source or Destination Hardware Address", HFILL }},
414 { "Trailer", "eth.trailer", FT_BYTES, BASE_NONE, NULL, 0x0,
415 "Ethernet Trailer or Checksum", HFILL }},
418 static gint *ett[] = {
422 module_t *eth_module;
424 proto_eth = proto_register_protocol("Ethernet", "Ethernet", "eth");
425 proto_register_field_array(proto_eth, hf, array_length(hf));
426 proto_register_subtree_array(ett, array_length(ett));
428 /* Register configuration preferences */
429 eth_module = prefs_register_protocol(proto_eth, NULL);
430 prefs_register_bool_preference(eth_module, "interpret_as_fw1_monitor",
431 "Interpret as FireWall-1 monitor file",
432 "Whether the capture file should be interpreted as a CheckPoint FireWall-1 monitor file",
433 ð_interpret_as_fw1_monitor);
435 register_dissector("eth", dissect_eth, proto_eth);
436 eth_tap = register_tap("eth");
440 proto_reg_handoff_eth(void)
442 dissector_handle_t eth_handle, eth_maybefcs_handle;
445 * Get a handle for the ISL dissector.
447 isl_handle = find_dissector("isl");
448 fw1_handle = find_dissector("fw1");
450 eth_maybefcs_handle = create_dissector_handle(dissect_eth_maybefcs,
452 dissector_add("wtap_encap", WTAP_ENCAP_ETHERNET, eth_maybefcs_handle);
454 eth_handle = find_dissector("eth");
455 dissector_add("ethertype", ETHERTYPE_ETHBRIDGE, eth_handle);
456 dissector_add("chdlctype", ETHERTYPE_ETHBRIDGE, eth_handle);
457 dissector_add("gre.proto", ETHERTYPE_ETHBRIDGE, eth_handle);