2 * Routines for ethernet packet disassembly
4 * $Id: packet-eth.c,v 1.28 2000/01/24 18:46:44 guy Exp $
6 * Ethereal - Network traffic analyzer
7 * By Gerald Combs <gerald@zing.org>
8 * Copyright 1998 Gerald Combs
11 * This program is free software; you can redistribute it and/or
12 * modify it under the terms of the GNU General Public License
13 * as published by the Free Software Foundation; either version 2
14 * of the License, or (at your option) any later version.
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
21 * You should have received a copy of the GNU General Public License
22 * along with this program; if not, write to the Free Software
23 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
30 #ifdef HAVE_SYS_TYPES_H
31 # include <sys/types.h>
/* Value/string table defined in another file; used below as
   VALS(etype_vals) for the "eth.type" field. */
39 extern const value_string etype_vals[];
41 /* protocols and header fields */
/* Every handle starts at -1. proto_eth is assigned in proto_register_eth()
   from the return value of proto_register_protocol(). */
42 static int proto_eth = -1;
43 static int hf_eth_dst = -1;
44 static int hf_eth_src = -1;
45 static int hf_eth_len = -1;
46 static int hf_eth_type = -1;
/* Subtree handles, one per header layout that dissect_eth() displays
   (IEEE 802.3 and Ethernet II). */
48 static gint ett_ieee8023 = -1;
49 static gint ett_ether2 = -1;
/* Size of the Ethernet header in bytes: 6-byte destination, 6-byte source
   and the 2-byte type/length field that the code reads at offset+12. */
51 #define ETH_HEADER_SIZE 14
53 /* These are the Netware-ish names for the different Ethernet frame types.
54 EthernetII: The ethernet with a Type field instead of a length field
55 Ethernet802.2: An 802.3 header followed by an 802.2 header
56 Ethernet802.3: A raw 802.3 packet. IPX/SPX can be the only payload.
57 There's no 802.2 hdr in this.
58 EthernetSNAP: Basically 802.2, just with 802.2SNAP. For our purposes,
59 there's no difference between 802.2 and 802.2SNAP, since we just
60 pass it down to dissect_llc(). -- Gilbert
/* Frame-type codes stored in ethhdr_type. ETHERNET_II is also assigned by
   the functions below, but its definition is not visible in this listing. */
63 #define ETHERNET_802_2 1
64 #define ETHERNET_802_3 2
65 #define ETHERNET_SNAP 3
/* Capture-time handling of one Ethernet frame: reads the 16-bit field at
   pd[offset+12], decides which frame variant it is, and passes the bytes
   after the 14-byte header to capture_ipx(), capture_llc() or
   capture_ethertype(). Frames whose destination address starts with
   01-00-0C-00-00 are passed to capture_isl() instead.
   NOTE(review): this listing omits some source lines (the embedded line
   numbers skip), so the comments here describe only the visible statements. */
68 capture_eth(const u_char *pd, int offset, packet_counts *ld)
70 guint16 etype, length;
71 int ethhdr_type; /* the type of ethernet frame */
/* Presumably true when fewer than ETH_HEADER_SIZE (14) bytes are available
   at offset; the body of this branch is not visible in this listing. */
73 if (!BYTES_ARE_IN_FRAME(offset, ETH_HEADER_SIZE)) {
/* The type/length field follows the two 6-byte addresses. */
78 etype = pntohs(&pd[offset+12]);
80 /* either ethernet802.3 or ethernet802.2 */
81 if (etype <= IEEE_802_3_MAX_LEN) {
84 /* Is there an 802.2 layer? I can tell by looking at the first 2
85 bytes after the 802.3 header. If they are 0xffff, then what
86 follows the 802.3 header is an IPX payload, meaning no 802.2.
87 (IPX/SPX is the only thing that can be contained inside a
88 straight 802.3 packet). A non-0xffff value means that there's an
89 802.2 layer inside the 802.3 layer */
/* NOTE(review): the only visible bounds check covers ETH_HEADER_SIZE (14)
   bytes at offset, while this test reads pd[offset+14] and pd[offset+15].
   No check covering those two bytes is visible in this listing; confirm
   one exists, otherwise a frame captured with exactly the 14-byte header
   is read past its captured data. */
90 if (pd[offset+14] == 0xff && pd[offset+15] == 0xff) {
91 ethhdr_type = ETHERNET_802_3;
94 ethhdr_type = ETHERNET_802_2;
97 /* Oh, yuck. Cisco ISL frames require special interpretation of the
98 destination address field; fortunately, they can be recognized by
99 checking the first 5 octets of the destination address, which are
100 01-00-0C-00-00 for ISL frames. */
101 if (pd[offset] == 0x01 && pd[offset+1] == 0x00 && pd[offset+2] == 0x0C
102 && pd[offset+3] == 0x00 && pd[offset+4] == 0x00) {
103 capture_isl(pd, offset, ld);
107 /* Convert the LLC length from the 802.3 header to a total
108 frame length, by adding in the size of any data that preceded
109 the Ethernet header, and adding in the Ethernet header size,
110 and set the payload and captured-payload lengths to the minima
111 of the total length and the frame lengths. */
/* NOTE(review): the line that first assigns length is not visible here;
   presumably it holds the 802.3 length field. length is a guint16, so the
   sum below is truncated to 16 bits. */
112 length += offset + ETH_HEADER_SIZE;
/* Never lets the captured length exceed the length the header declares. */
115 if (pi.captured_len > length)
116 pi.captured_len = length;
118 ethhdr_type = ETHERNET_II;
/* From here on, offset points at the first byte after the Ethernet header. */
120 offset += ETH_HEADER_SIZE;
/* Hand the payload to the next layer; the case labels are not visible in
   this listing, presumably one per ethhdr_type value. */
122 switch (ethhdr_type) {
124 capture_ipx(pd, offset, ld);
127 capture_llc(pd, offset, ld);
130 capture_ethertype(etype, offset, pd, ld);
/* Dissects one Ethernet frame for display: records the source and
   destination addresses in pi, sets the protocol and info columns, adds
   the header fields to the protocol tree, and passes the bytes after the
   14-byte header to dissect_ipx(), dissect_llc() or ethertype(). Frames
   whose destination address starts with 01-00-0C-00-00 are passed to
   dissect_isl() instead.
   NOTE(review): this listing omits some source lines (the embedded line
   numbers skip; the declaration of ti, for one, is not shown), so the
   comments here describe only the visible statements. */
136 dissect_eth(const u_char *pd, int offset, frame_data *fd, proto_tree *tree)
138 guint16 etype, length;
139 proto_tree *fh_tree = NULL;
141 int ethhdr_type; /* the type of ethernet frame */
/* Frames without a full 14-byte header at offset are handed to
   dissect_data(); the rest of this branch is not visible in this listing. */
143 if (!BYTES_ARE_IN_FRAME(offset, ETH_HEADER_SIZE)) {
144 dissect_data(pd, offset, fd, tree);
/* Source address is bytes 6..11 and destination is bytes 0..5; each is
   stored twice, in the data-link slot and in the generic slot of pi. */
148 SET_ADDRESS(&pi.dl_src, AT_ETHER, 6, &pd[offset+6]);
149 SET_ADDRESS(&pi.src, AT_ETHER, 6, &pd[offset+6]);
150 SET_ADDRESS(&pi.dl_dst, AT_ETHER, 6, &pd[offset+0]);
151 SET_ADDRESS(&pi.dst, AT_ETHER, 6, &pd[offset+0]);
153 if (check_col(fd, COL_PROTOCOL))
154 col_add_str(fd, COL_PROTOCOL, "Ethernet");
/* The type/length field follows the two 6-byte addresses. */
156 etype = pntohs(&pd[offset+12]);
158 /* either ethernet802.3 or ethernet802.2 */
159 if (etype <= IEEE_802_3_MAX_LEN) {
162 /* Is there an 802.2 layer? I can tell by looking at the first 2
163 bytes after the 802.3 header. If they are 0xffff, then what
164 follows the 802.3 header is an IPX payload, meaning no 802.2.
165 (IPX/SPX is the only thing that can be contained inside a
166 straight 802.3 packet). A non-0xffff value means that there's an
167 802.2 layer inside the 802.3 layer */
/* NOTE(review): the only visible bounds check covers ETH_HEADER_SIZE (14)
   bytes at offset, while this test reads pd[offset+14] and pd[offset+15].
   No check covering those two bytes is visible in this listing; confirm
   one exists, otherwise a frame captured with exactly the 14-byte header
   is read past its captured data. */
168 if (pd[offset+14] == 0xff && pd[offset+15] == 0xff) {
169 ethhdr_type = ETHERNET_802_3;
172 ethhdr_type = ETHERNET_802_2;
175 /* Oh, yuck. Cisco ISL frames require special interpretation of the
176 destination address field; fortunately, they can be recognized by
177 checking the first 5 octets of the destination address, which are
178 01-00-0C-00-00 for ISL frames. */
179 if (pd[offset] == 0x01 && pd[offset+1] == 0x00 && pd[offset+2] == 0x0C
180 && pd[offset+3] == 0x00 && pd[offset+4] == 0x00) {
181 dissect_isl(pd, offset, fd, tree);
/* The info column and the tree item both read "IEEE 802.3 Raw " when no
   802.2 layer was detected and "IEEE 802.3 " otherwise. */
185 if (check_col(fd, COL_INFO)) {
186 col_add_fstr(fd, COL_INFO, "IEEE 802.3 %s",
187 (ethhdr_type == ETHERNET_802_3 ? "Raw " : ""));
191 ti = proto_tree_add_item_format(tree, proto_eth, offset, ETH_HEADER_SIZE,
192 NULL, "IEEE 802.3 %s", (ethhdr_type == ETHERNET_802_3 ? "Raw " : ""));
194 fh_tree = proto_item_add_subtree(ti, ett_ieee8023);
/* The length field is added to the tree here, before length is converted
   to a total frame length below. */
196 proto_tree_add_item(fh_tree, hf_eth_dst, offset+0, 6, &pd[offset+0]);
197 proto_tree_add_item(fh_tree, hf_eth_src, offset+6, 6, &pd[offset+6]);
198 proto_tree_add_item(fh_tree, hf_eth_len, offset+12, 2, length);
201 /* Convert the LLC length from the 802.3 header to a total
202 frame length, by adding in the size of any data that preceded
203 the Ethernet header, and adding in the Ethernet header size,
204 and set the payload and captured-payload lengths to the minima
205 of the total length and the frame lengths. */
/* NOTE(review): the line that first assigns length is not visible here;
   presumably it holds the 802.3 length field. length is a guint16, so the
   sum below is truncated to 16 bits. */
206 length += offset + ETH_HEADER_SIZE;
/* Never lets the captured length exceed the length the header declares. */
209 if (pi.captured_len > length)
210 pi.captured_len = length;
212 ethhdr_type = ETHERNET_II;
213 if (check_col(fd, COL_INFO))
214 col_add_str(fd, COL_INFO, "Ethernet II");
217 ti = proto_tree_add_item_format(tree, proto_eth, offset, ETH_HEADER_SIZE,
218 NULL, "Ethernet II");
220 fh_tree = proto_item_add_subtree(ti, ett_ether2);
222 proto_tree_add_item(fh_tree, hf_eth_dst, offset+0, 6, &pd[offset+0]);
223 proto_tree_add_item(fh_tree, hf_eth_src, offset+6, 6, &pd[offset+6]);
/* From here on, offset points at the first byte after the Ethernet header. */
226 offset += ETH_HEADER_SIZE;
/* Hand the payload to the next dissector; the case labels are not visible
   in this listing, presumably one per ethhdr_type value. ethertype() also
   receives fh_tree and hf_eth_type. */
228 switch (ethhdr_type) {
230 dissect_ipx(pd, offset, fd, tree);
233 dissect_llc(pd, offset, fd, tree);
236 ethertype(etype, offset, pd, fd, tree, fh_tree, hf_eth_type);
/* Registers the "Ethernet" protocol under the short name "eth", then
   registers its field array hf and its subtree array ett.
   NOTE(review): this listing omits some source lines, including the one
   that ties each hf entry to its hf_eth_* variable and the contents of
   ett, so only the visible entries are described. */
242 proto_register_eth(void)
/* Field table; the visible entries carry a label, a name such as
   "eth.dst", a field type and a display base. */
244 static hf_register_info hf[] = {
247 { "Destination", "eth.dst", FT_ETHER, BASE_NONE, NULL, 0x0,
248 "Destination Hardware Address" }},
251 { "Source", "eth.src", FT_ETHER, BASE_NONE, NULL, 0x0,
252 "Source Hardware Address" }},
255 { "Length", "eth.len", FT_UINT16, BASE_DEC, NULL, 0x0,
258 /* registered here but handled in ethertype.c */
/* The type field is shown in hex and uses etype_vals for its value names. */
260 { "Type", "eth.type", FT_UINT16, BASE_HEX, VALS(etype_vals), 0x0,
263 static gint *ett[] = {
/* proto_eth receives the handle that the tree-building calls in
   dissect_eth() pass to proto_tree_add_item_format(). */
268 proto_eth = proto_register_protocol ("Ethernet", "eth" );
269 proto_register_field_array(proto_eth, hf, array_length(hf));
270 proto_register_subtree_array(ett, array_length(ett));