2 * Routines for ethernet packet disassembly
4 * $Id: packet-eth.c,v 1.51 2000/12/28 09:49:09 guy Exp $
6 * Ethereal - Network traffic analyzer
7 * By Gerald Combs <gerald@zing.org>
8 * Copyright 1998 Gerald Combs
11 * This program is free software; you can redistribute it and/or
12 * modify it under the terms of the GNU General Public License
13 * as published by the Free Software Foundation; either version 2
14 * of the License, or (at your option) any later version.
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
21 * You should have received a copy of the GNU General Public License
22 * along with this program; if not, write to the Free Software
23 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
30 #ifdef HAVE_SYS_TYPES_H
31 # include <sys/types.h>
38 #include "packet-eth.h"
39 #include "packet-ipx.h"
40 #include "packet-isl.h"
41 #include "packet-llc.h"
43 extern const value_string etype_vals[];
45 /* protocols and header fields */
46 static int proto_eth = -1;
47 static int hf_eth_dst = -1;
48 static int hf_eth_src = -1;
49 static int hf_eth_len = -1;
50 static int hf_eth_type = -1;
51 static int hf_eth_addr = -1;
52 static int hf_eth_trailer = -1;
54 static gint ett_ieee8023 = -1;
55 static gint ett_ether2 = -1;
57 static dissector_handle_t isl_handle;
59 #define ETH_HEADER_SIZE 14
61 /* These are the Netware-ish names for the different Ethernet frame types.
62 EthernetII: The ethernet with a Type field instead of a length field
63 Ethernet802.2: An 802.3 header followed by an 802.2 header
64 Ethernet802.3: A raw 802.3 packet. IPX/SPX can be the only payload.
65 There's not 802.2 hdr in this.
66 EthernetSNAP: Basically 802.2, just with 802.2SNAP. For our purposes,
67 there's no difference between 802.2 and 802.2SNAP, since we just
68 pass it down to dissect_llc(). -- Gilbert
71 #define ETHERNET_802_2 1
72 #define ETHERNET_802_3 2
73 #define ETHERNET_SNAP 3
76 capture_eth(const u_char *pd, int offset, packet_counts *ld)
78 guint16 etype, length;
79 int ethhdr_type; /* the type of ethernet frame */
81 if (!BYTES_ARE_IN_FRAME(offset, ETH_HEADER_SIZE)) {
86 etype = pntohs(&pd[offset+12]);
88 /* either ethernet802.3 or ethernet802.2 */
89 if (etype <= IEEE_802_3_MAX_LEN) {
92 /* Is there an 802.2 layer? I can tell by looking at the first 2
93 bytes after the 802.3 header. If they are 0xffff, then what
94 follows the 802.3 header is an IPX payload, meaning no 802.2.
95 (IPX/SPX is they only thing that can be contained inside a
96 straight 802.3 packet). A non-0xffff value means that there's an
97 802.2 layer inside the 802.3 layer */
98 if (pd[offset+14] == 0xff && pd[offset+15] == 0xff) {
99 ethhdr_type = ETHERNET_802_3;
102 ethhdr_type = ETHERNET_802_2;
105 /* Oh, yuck. Cisco ISL frames require special interpretation of the
106 destination address field; fortunately, they can be recognized by
107 checking the first 5 octets of the destination address, which are
108 01-00-0C-00-00 for ISL frames. */
109 if (pd[offset] == 0x01 && pd[offset+1] == 0x00 && pd[offset+2] == 0x0C
110 && pd[offset+3] == 0x00 && pd[offset+4] == 0x00) {
111 capture_isl(pd, offset, ld);
115 /* Convert the LLC length from the 802.3 header to a total
116 frame length, by adding in the size of any data that preceded
117 the Ethernet header, and adding in the Ethernet header size,
118 and set the payload and captured-payload lengths to the minima
119 of the total length and the frame lengths. */
120 length += offset + ETH_HEADER_SIZE;
123 if (pi.captured_len > length)
124 pi.captured_len = length;
126 ethhdr_type = ETHERNET_II;
128 offset += ETH_HEADER_SIZE;
130 switch (ethhdr_type) {
132 capture_ipx(pd, offset, ld);
135 capture_llc(pd, offset, ld);
138 capture_ethertype(etype, offset, pd, ld);
144 dissect_eth(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
146 int orig_captured_len;
151 volatile guint16 etype;
152 volatile int ethhdr_type; /* the type of Ethernet frame */
153 volatile int eth_offset;
154 volatile guint16 length;
155 tvbuff_t *volatile next_tvb;
156 tvbuff_t *volatile trailer_tvb;
157 proto_tree *volatile fh_tree;
160 CHECK_DISPLAY_AS_DATA(proto_eth, tvb, pinfo, tree);
162 tvb_compat(tvb, &pd, (int*)ð_offset);
164 pinfo->current_proto = "Ethernet";
165 orig_captured_len = pinfo->captured_len;
167 if (check_col(pinfo->fd, COL_PROTOCOL))
168 col_set_str(pinfo->fd, COL_PROTOCOL, "Ethernet");
170 src = tvb_get_ptr(tvb, 6, 6);
171 dst = tvb_get_ptr(tvb, 0, 6);
172 SET_ADDRESS(&pinfo->dl_src, AT_ETHER, 6, src);
173 SET_ADDRESS(&pinfo->src, AT_ETHER, 6, src);
174 SET_ADDRESS(&pinfo->dl_dst, AT_ETHER, 6, dst);
175 SET_ADDRESS(&pinfo->dst, AT_ETHER, 6, dst);
177 etype = tvb_get_ntohs(tvb, 12);
179 /* either ethernet802.3 or ethernet802.2 */
180 if (etype <= IEEE_802_3_MAX_LEN) {
183 /* Is there an 802.2 layer? I can tell by looking at the first 2
184 bytes after the 802.3 header. If they are 0xffff, then what
185 follows the 802.3 header is an IPX payload, meaning no 802.2.
186 (IPX/SPX is they only thing that can be contained inside a
187 straight 802.3 packet). A non-0xffff value means that there's an
188 802.2 layer inside the 802.3 layer */
189 ethhdr_type = ETHERNET_802_2;
191 if (tvb_get_ntohs(tvb, 14) == 0xffff) {
192 ethhdr_type = ETHERNET_802_3;
195 CATCH2(BoundsError, ReportedBoundsError) {
201 /* Oh, yuck. Cisco ISL frames require special interpretation of the
202 destination address field; fortunately, they can be recognized by
203 checking the first 5 octets of the destination address, which are
204 01-00-0C-00-00 for ISL frames. */
205 if ( tvb_get_guint8(tvb, 0) == 0x01 &&
206 tvb_get_guint8(tvb, 1) == 0x00 &&
207 tvb_get_guint8(tvb, 2) == 0x0C &&
208 tvb_get_guint8(tvb, 3) == 0x00 &&
209 tvb_get_guint8(tvb, 4) == 0x00 ) {
210 call_dissector(isl_handle, tvb, pinfo, tree);
214 if (check_col(pinfo->fd, COL_INFO)) {
215 col_add_fstr(pinfo->fd, COL_INFO, "IEEE 802.3 %s",
216 (ethhdr_type == ETHERNET_802_3 ? "Raw " : ""));
220 ti = proto_tree_add_protocol_format(tree, proto_eth, tvb, 0, ETH_HEADER_SIZE,
221 "IEEE 802.3 %s", (ethhdr_type == ETHERNET_802_3 ? "Raw " : ""));
223 fh_tree = proto_item_add_subtree(ti, ett_ieee8023);
225 proto_tree_add_ether(fh_tree, hf_eth_dst, tvb, 0, 6, dst);
226 proto_tree_add_ether(fh_tree, hf_eth_src, tvb, 6, 6, src);
228 /* add items for eth.addr filter */
229 proto_tree_add_ether_hidden(fh_tree, hf_eth_addr, tvb, 0, 6, dst);
230 proto_tree_add_ether_hidden(fh_tree, hf_eth_addr, tvb, 6, 6, src);
232 proto_tree_add_uint(fh_tree, hf_eth_len, tvb, 12, 2, length);
235 /* Convert the LLC length from the 802.3 header to a total
236 frame length, by adding in the size of any data that preceded
237 the Ethernet header, and adding in the Ethernet header size,
238 and set the payload and captured-payload lengths to the minima
239 of the total length and the frame lengths.
241 XXX - when all dissectors are tvbuffified we shouldn't have to
243 length += eth_offset + ETH_HEADER_SIZE;
244 if (pinfo->len > length)
246 if (pinfo->captured_len > length)
247 pinfo->captured_len = length;
249 ethhdr_type = ETHERNET_II;
250 if (check_col(pinfo->fd, COL_INFO))
251 col_set_str(pinfo->fd, COL_INFO, "Ethernet II");
254 ti = proto_tree_add_protocol_format(tree, proto_eth, tvb, 0, ETH_HEADER_SIZE,
257 fh_tree = proto_item_add_subtree(ti, ett_ether2);
259 proto_tree_add_ether(fh_tree, hf_eth_dst, tvb, 0, 6, dst);
260 proto_tree_add_ether(fh_tree, hf_eth_src, tvb, 6, 6, src);
261 /* add items for eth.addr filter */
262 proto_tree_add_ether_hidden(fh_tree, hf_eth_addr, tvb, 0, 6, dst);
263 proto_tree_add_ether_hidden(fh_tree, hf_eth_addr, tvb, 6, 6, src);
266 eth_offset += ETH_HEADER_SIZE;
268 if (etype <= IEEE_802_3_MAX_LEN) {
269 /* Give the next dissector only 'length' number of bytes */
271 next_tvb = tvb_new_subset(tvb, ETH_HEADER_SIZE, etype, etype);
272 trailer_tvb = tvb_new_subset(tvb, ETH_HEADER_SIZE + etype, -1, -1);
274 CATCH2(BoundsError, ReportedBoundsError) {
277 the packet doesn't have "etype" bytes worth of
278 captured data left in it - or it may not even have
279 "etype" bytes worth of data in it, period -
280 so the "tvb_new_subset()" creating "next_tvb"
285 the packet has exactly "etype" bytes worth of
286 captured data left in it, so the "tvb_new_subset()"
287 creating "trailer_tvb" threw an exception.
289 In either case, this means that all the data in the frame
290 is within the length value, so we give all the data to the
291 next protocol and have no trailer. */
292 next_tvb = tvb_new_subset(tvb, ETH_HEADER_SIZE, -1, etype);
298 next_tvb = NULL; /* "ethertype()" will create the next tvb for us */
299 trailer_tvb = NULL; /* we don't know how big the trailer is */
302 switch (ethhdr_type) {
304 dissect_ipx(next_tvb, pinfo, tree);
307 dissect_llc(next_tvb, pinfo, tree);
310 length_before = tvb_reported_length(tvb);
311 length = ethertype(etype, tvb, ETH_HEADER_SIZE, pinfo, tree, fh_tree,
312 hf_eth_type) + ETH_HEADER_SIZE;
313 if (length < length_before) {
315 * Create a tvbuff for the padding.
318 trailer_tvb = tvb_new_subset(tvb, length, -1, -1);
320 CATCH2(BoundsError, ReportedBoundsError) {
321 /* The packet doesn't have "length" bytes worth of captured
322 data left in it. No trailer to display. */
330 /* If there's some bytes left over, mark them. */
331 if (trailer_tvb && tree) {
332 guint trailer_length;
334 trailer_length = tvb_length(trailer_tvb);
335 if (trailer_length != 0) {
336 proto_tree_add_item(fh_tree, hf_eth_trailer, trailer_tvb, 0,
337 trailer_length, FALSE);
344 proto_register_eth(void)
346 static hf_register_info hf[] = {
349 { "Destination", "eth.dst", FT_ETHER, BASE_NONE, NULL, 0x0,
350 "Destination Hardware Address" }},
353 { "Source", "eth.src", FT_ETHER, BASE_NONE, NULL, 0x0,
354 "Source Hardware Address" }},
357 { "Length", "eth.len", FT_UINT16, BASE_DEC, NULL, 0x0,
360 /* registered here but handled in ethertype.c */
362 { "Type", "eth.type", FT_UINT16, BASE_HEX, VALS(etype_vals), 0x0,
365 { "Source or Destination Address", "eth.addr", FT_ETHER, BASE_NONE, NULL, 0x0,
366 "Source or Destination Hardware Address" }},
369 { "Trailer", "eth.trailer", FT_BYTES, BASE_NONE, NULL, 0x0,
370 "Ethernet Trailer or Checksum" }},
373 static gint *ett[] = {
378 proto_eth = proto_register_protocol ("Ethernet", "eth" );
379 proto_register_field_array(proto_eth, hf, array_length(hf));
380 proto_register_subtree_array(ett, array_length(ett));
382 register_dissector("eth", dissect_eth);
386 proto_reg_handoff_eth(void)
389 * Get a handle for the ISL dissector.
391 isl_handle = find_dissector("isl");
393 dissector_add("wtap_encap", WTAP_ENCAP_ETHERNET, dissect_eth);