2 * Routines for ethernet packet disassembly
4 * $Id: packet-eth.c,v 1.89 2004/02/03 23:19:54 guy Exp $
6 * Ethereal - Network traffic analyzer
7 * By Gerald Combs <gerald@ethereal.com>
8 * Copyright 1998 Gerald Combs
10 * This program is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU General Public License
12 * as published by the Free Software Foundation; either version 2
13 * of the License, or (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
30 #include <epan/packet.h>
33 #include <epan/resolv.h>
34 #include "packet-eth.h"
35 #include "packet-ieee8023.h"
36 #include "packet-ipx.h"
37 #include "packet-isl.h"
38 #include "packet-llc.h"
42 /* Interpret capture file as FW1 monitor file */
43 static gboolean eth_interpret_as_fw1_monitor = FALSE;
45 /* protocols and header fields */
46 static int proto_eth = -1;
47 static int hf_eth_dst = -1;
48 static int hf_eth_src = -1;
49 static int hf_eth_len = -1;
50 static int hf_eth_type = -1;
51 static int hf_eth_addr = -1;
52 static int hf_eth_trailer = -1;
54 static gint ett_ieee8023 = -1;
55 static gint ett_ether2 = -1;
57 static dissector_handle_t isl_handle;
58 static dissector_handle_t fw1_handle;
59 static heur_dissector_list_t heur_subdissector_list;
61 static int eth_tap = -1;
63 #define ETH_HEADER_SIZE 14
65 /* These are the Netware-ish names for the different Ethernet frame types.
66 EthernetII: The ethernet with a Type field instead of a length field
67 Ethernet802.2: An 802.3 header followed by an 802.2 header
68 Ethernet802.3: A raw 802.3 packet. IPX/SPX can be the only payload.
69 There's no 802.2 hdr in this.
70 EthernetSNAP: Basically 802.2, just with 802.2SNAP. For our purposes,
71 there's no difference between 802.2 and 802.2SNAP, since we just
72 pass it down to the LLC dissector. -- Gilbert
75 #define ETHERNET_802_2 1
76 #define ETHERNET_802_3 2
77 #define ETHERNET_SNAP 3
80 capture_eth(const guchar *pd, int offset, int len, packet_counts *ld)
82 guint16 etype, length;
83 int ethhdr_type; /* the type of ethernet frame */
85 if (!BYTES_ARE_IN_FRAME(offset, len, ETH_HEADER_SIZE)) {
90 etype = pntohs(&pd[offset+12]);
93 * If the type/length field is <= the maximum 802.3 length,
94 * and is not zero, this is an 802.3 frame, and it's a length
95 * field; it might be an Novell "raw 802.3" frame, with no
96 * 802.2 LLC header, or it might be a frame with an 802.2 LLC
99 * If the type/length field is > the maximum 802.3 length,
100 * this is an Ethernet II frame, and it's a type field.
102 * If the type/length field is zero (ETHERTYPE_UNK), this is
103 * a frame used internally by the Cisco MDS switch to contain
104 * Fibre Channel ("Vegas"). We treat that as an Ethernet II
105 * frame; the dissector for those frames registers itself with
106 * an ethernet type of ETHERTYPE_UNK.
108 if (etype <= IEEE_802_3_MAX_LEN && etype != ETHERTYPE_UNK) {
111 /* Is there an 802.2 layer? I can tell by looking at the first 2
112 bytes after the 802.3 header. If they are 0xffff, then what
113 follows the 802.3 header is an IPX payload, meaning no 802.2.
114 (IPX/SPX is they only thing that can be contained inside a
115 straight 802.3 packet). A non-0xffff value means that there's an
116 802.2 layer inside the 802.3 layer */
117 if (pd[offset+14] == 0xff && pd[offset+15] == 0xff) {
118 ethhdr_type = ETHERNET_802_3;
121 ethhdr_type = ETHERNET_802_2;
124 /* Oh, yuck. Cisco ISL frames require special interpretation of the
125 destination address field; fortunately, they can be recognized by
126 checking the first 5 octets of the destination address, which are
127 01-00-0C-00-00 for ISL frames. */
128 if (pd[offset] == 0x01 && pd[offset+1] == 0x00 && pd[offset+2] == 0x0C
129 && pd[offset+3] == 0x00 && pd[offset+4] == 0x00) {
130 capture_isl(pd, offset, len, ld);
134 /* Convert the LLC length from the 802.3 header to a total
135 frame length, by adding in the size of any data that preceded
136 the Ethernet header, and adding in the Ethernet header size,
137 and set the payload and captured-payload lengths to the minima
138 of the total length and the frame lengths. */
139 length += offset + ETH_HEADER_SIZE;
143 ethhdr_type = ETHERNET_II;
145 offset += ETH_HEADER_SIZE;
147 switch (ethhdr_type) {
152 capture_llc(pd, offset, len, ld);
155 capture_ethertype(etype, pd, offset, len, ld);
161 dissect_eth_common(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
166 volatile gboolean is_802_2;
167 proto_tree *volatile fh_tree = NULL;
168 const char *src_addr, *dst_addr;
169 static eth_hdr ehdrs[4];
170 static int ehdr_num=0;
176 ehdr=&ehdrs[ehdr_num];
179 if (check_col(pinfo->cinfo, COL_PROTOCOL))
180 col_set_str(pinfo->cinfo, COL_PROTOCOL, "Ethernet");
182 src_addr=tvb_get_ptr(tvb, 6, 6);
183 SET_ADDRESS(&pinfo->dl_src, AT_ETHER, 6, src_addr);
184 SET_ADDRESS(&pinfo->src, AT_ETHER, 6, src_addr);
185 SET_ADDRESS(&ehdr->src, AT_ETHER, 6, src_addr);
186 dst_addr=tvb_get_ptr(tvb, 0, 6);
187 SET_ADDRESS(&pinfo->dl_dst, AT_ETHER, 6, dst_addr);
188 SET_ADDRESS(&pinfo->dst, AT_ETHER, 6, dst_addr);
189 SET_ADDRESS(&ehdr->dst, AT_ETHER, 6, dst_addr);
191 ehdr->type = tvb_get_ntohs(tvb, 12);
194 * In case the packet is a non-Ethernet packet inside
195 * Ethernet framing, allow heuristic dissectors to take
196 * a first look before we assume that it's actually an
199 if (dissector_try_heuristic(heur_subdissector_list, tvb, pinfo, tree))
203 * If the type/length field is <= the maximum 802.3 length,
204 * and is not zero, this is an 802.3 frame, and it's a length
205 * field; it might be an Novell "raw 802.3" frame, with no
206 * 802.2 LLC header, or it might be a frame with an 802.2 LLC
209 * If the type/length field is > the maximum 802.3 length,
210 * this is an Ethernet II frame, and it's a type field.
212 * If the type/length field is zero (ETHERTYPE_UNK), this is
213 * a frame used internally by the Cisco MDS switch to contain
214 * Fibre Channel ("Vegas"). We treat that as an Ethernet II
215 * frame; the dissector for those frames registers itself with
216 * an ethernet type of ETHERTYPE_UNK.
218 if (ehdr->type <= IEEE_802_3_MAX_LEN && ehdr->type != ETHERTYPE_UNK) {
219 /* Oh, yuck. Cisco ISL frames require special interpretation of the
220 destination address field; fortunately, they can be recognized by
221 checking the first 5 octets of the destination address, which are
222 01-00-0C-00-00 for ISL frames. */
223 if ( tvb_get_guint8(tvb, 0) == 0x01 &&
224 tvb_get_guint8(tvb, 1) == 0x00 &&
225 tvb_get_guint8(tvb, 2) == 0x0C &&
226 tvb_get_guint8(tvb, 3) == 0x00 &&
227 tvb_get_guint8(tvb, 4) == 0x00 ) {
228 call_dissector(isl_handle, tvb, pinfo, tree);
232 /* Is there an 802.2 layer? I can tell by looking at the first 2
233 bytes after the 802.3 header. If they are 0xffff, then what
234 follows the 802.3 header is an IPX payload, meaning no 802.2.
235 (IPX/SPX is they only thing that can be contained inside a
236 straight 802.3 packet). A non-0xffff value means that there's an
237 802.2 layer inside the 802.3 layer */
240 if (tvb_get_ntohs(tvb, 14) == 0xffff) {
244 CATCH2(BoundsError, ReportedBoundsError) {
250 if (check_col(pinfo->cinfo, COL_INFO)) {
251 col_add_fstr(pinfo->cinfo, COL_INFO, "IEEE 802.3 Ethernet %s",
252 (is_802_2 ? "" : "Raw "));
255 ti = proto_tree_add_protocol_format(tree, proto_eth, tvb, 0, ETH_HEADER_SIZE,
256 "IEEE 802.3 Ethernet %s", (is_802_2 ? "" : "Raw "));
258 fh_tree = proto_item_add_subtree(ti, ett_ieee8023);
261 proto_tree_add_ether(fh_tree, hf_eth_dst, tvb, 0, 6, dst_addr);
262 proto_tree_add_ether(fh_tree, hf_eth_src, tvb, 6, 6, src_addr);
264 /* add items for eth.addr filter */
265 proto_tree_add_ether_hidden(fh_tree, hf_eth_addr, tvb, 0, 6, dst_addr);
266 proto_tree_add_ether_hidden(fh_tree, hf_eth_addr, tvb, 6, 6, src_addr);
268 dissect_802_3(ehdr->type, is_802_2, tvb, ETH_HEADER_SIZE, pinfo, tree, fh_tree,
269 hf_eth_len, hf_eth_trailer, fcs_len);
271 if (eth_interpret_as_fw1_monitor) {
272 call_dissector(fw1_handle, tvb, pinfo, tree);
276 if (check_col(pinfo->cinfo, COL_INFO))
277 col_set_str(pinfo->cinfo, COL_INFO, "Ethernet II");
279 ti = proto_tree_add_protocol_format(tree, proto_eth, tvb, 0, ETH_HEADER_SIZE,
280 "Ethernet II, Src: %s, Dst: %s",
281 ether_to_str(src_addr), ether_to_str(dst_addr));
283 fh_tree = proto_item_add_subtree(ti, ett_ether2);
286 proto_tree_add_ether(fh_tree, hf_eth_dst, tvb, 0, 6, dst_addr);
287 proto_tree_add_ether(fh_tree, hf_eth_src, tvb, 6, 6, src_addr);
288 /* add items for eth.addr filter */
289 proto_tree_add_ether_hidden(fh_tree, hf_eth_addr, tvb, 0, 6, dst_addr);
290 proto_tree_add_ether_hidden(fh_tree, hf_eth_addr, tvb, 6, 6, src_addr);
292 ethertype(ehdr->type, tvb, ETH_HEADER_SIZE, pinfo, tree, fh_tree, hf_eth_type,
293 hf_eth_trailer, fcs_len);
297 tap_queue_packet(eth_tap, pinfo, ehdr);
302 * Add an Ethernet trailer - which, for some captures, might be the FCS
303 * rather than a pad-to-60-bytes trailer.
305 * If fcs_len is 0, we assume the frame has no FCS; if it's 4, we assume
306 * it has an FCS; if it's anything else (such as -1, which means "maybe
307 * it does, maybe it doesn't"), we try to infer whether it has an FCS.
310 add_ethernet_trailer(proto_tree *fh_tree, int trailer_id, tvbuff_t *tvb,
311 tvbuff_t *trailer_tvb, int fcs_len)
313 /* If there're some bytes left over, show those bytes as a trailer.
315 However, if the Ethernet frame was claimed to have had 64 or more
316 bytes - i.e., it was at least an FCS worth of data longer than
317 the minimum payload size - assume the last 4 bytes of the trailer
319 if (trailer_tvb && fh_tree) {
320 guint trailer_length, trailer_reported_length;
321 gboolean has_fcs = FALSE;
323 trailer_length = tvb_length(trailer_tvb);
324 trailer_reported_length = tvb_reported_length(trailer_tvb);
326 /* If fcs_len is 4, we assume we definitely have an FCS.
327 Otherwise, then, if the frame is big enough that, if we
328 have a trailer, it probably inclues an FCS, and we have
329 enough space in the trailer for the FCS, we assume we
332 "Big enough" means 64 bytes or more; any frame that big
333 needs no trailer, as there's no need to pad an Ethernet
334 packet past 60 bytes.
336 The trailer must be at least 4 bytes long to have enough
339 if (fcs_len == 4 || (tvb_reported_length(tvb) >= 64 &&
340 trailer_reported_length >= 4)) {
341 /* Either we know we have an FCS, or we believe we have an FCS. */
342 if (trailer_length < trailer_reported_length) {
343 /* The packet is claimed to have enough data for a 4-byte FCS,
344 but we didn't capture all of the packet.
345 Slice off the 4-byte FCS from the reported length, and
346 trim the captured length so it's no more than the reported
347 length; that will slice off what of the FCS, if any, is
348 in the captured packet. */
349 trailer_reported_length -= 4;
350 if (trailer_length > trailer_reported_length)
351 trailer_length = trailer_reported_length;
354 /* We captured all of the packet, including what appears to
355 be a 4-byte FCS. Slice it off. */
357 trailer_reported_length -= 4;
362 if (trailer_length != 0) {
363 proto_tree_add_item(fh_tree, trailer_id, trailer_tvb, 0,
364 trailer_length, FALSE);
367 guint32 sent_fcs = tvb_get_ntohl(trailer_tvb, trailer_length);
368 guint32 fcs = crc32_tvb_802(tvb, tvb_length(tvb) - 4);
369 if (fcs == sent_fcs) {
370 proto_tree_add_text(fh_tree, trailer_tvb, trailer_length, 4,
371 "Frame check sequence: 0x%08x (correct)",
374 proto_tree_add_text(fh_tree, trailer_tvb, trailer_length, 4,
375 "Frame check sequence: 0x%08x (incorrect, should be 0x%08x)",
382 /* Called for the Ethernet Wiretap encapsulation type; pass the FCS length
385 dissect_eth_maybefcs(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
387 dissect_eth_common(tvb, pinfo, tree, pinfo->pseudo_header->eth.fcs_len);
390 /* Called by other dissectors - for now, we assume Ethernet encapsulated
391 inside other protocols doesn't include the FCS. */
393 dissect_eth(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
395 dissect_eth_common(tvb, pinfo, tree, 0);
399 proto_register_eth(void)
401 static hf_register_info hf[] = {
404 { "Destination", "eth.dst", FT_ETHER, BASE_NONE, NULL, 0x0,
405 "Destination Hardware Address", HFILL }},
408 { "Source", "eth.src", FT_ETHER, BASE_NONE, NULL, 0x0,
409 "Source Hardware Address", HFILL }},
412 { "Length", "eth.len", FT_UINT16, BASE_DEC, NULL, 0x0,
415 /* registered here but handled in ethertype.c */
417 { "Type", "eth.type", FT_UINT16, BASE_HEX, VALS(etype_vals), 0x0,
420 { "Source or Destination Address", "eth.addr", FT_ETHER, BASE_NONE, NULL, 0x0,
421 "Source or Destination Hardware Address", HFILL }},
424 { "Trailer", "eth.trailer", FT_BYTES, BASE_NONE, NULL, 0x0,
425 "Ethernet Trailer or Checksum", HFILL }},
428 static gint *ett[] = {
432 module_t *eth_module;
434 proto_eth = proto_register_protocol("Ethernet", "Ethernet", "eth");
435 proto_register_field_array(proto_eth, hf, array_length(hf));
436 proto_register_subtree_array(ett, array_length(ett));
438 /* subdissector code */
439 register_heur_dissector_list("eth", &heur_subdissector_list);
441 /* Register configuration preferences */
442 eth_module = prefs_register_protocol(proto_eth, NULL);
443 prefs_register_bool_preference(eth_module, "interpret_as_fw1_monitor",
444 "Interpret as FireWall-1 monitor file",
445 "Whether the capture file should be interpreted as a CheckPoint FireWall-1 monitor file",
446 ð_interpret_as_fw1_monitor);
448 register_dissector("eth", dissect_eth, proto_eth);
449 eth_tap = register_tap("eth");
453 proto_reg_handoff_eth(void)
455 dissector_handle_t eth_handle, eth_maybefcs_handle;
458 * Get a handle for the ISL dissector.
460 isl_handle = find_dissector("isl");
461 fw1_handle = find_dissector("fw1");
463 eth_maybefcs_handle = create_dissector_handle(dissect_eth_maybefcs,
465 dissector_add("wtap_encap", WTAP_ENCAP_ETHERNET, eth_maybefcs_handle);
467 eth_handle = find_dissector("eth");
468 dissector_add("ethertype", ETHERTYPE_ETHBRIDGE, eth_handle);
469 dissector_add("chdlctype", ETHERTYPE_ETHBRIDGE, eth_handle);
470 dissector_add("gre.proto", ETHERTYPE_ETHBRIDGE, eth_handle);