2 * Routines for IPsec/IPComp packet disassembly
4 * $Id: packet-ipsec.c,v 1.13 2000/04/16 22:46:20 guy Exp $
6 * Ethereal - Network traffic analyzer
7 * By Gerald Combs <gerald@zing.org>
8 * Copyright 1998 Gerald Combs
11 * This program is free software; you can redistribute it and/or
12 * modify it under the terms of the GNU General Public License
13 * as published by the Free Software Foundation; either version 2
14 * of the License, or (at your option) any later version.
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
21 * You should have received a copy of the GNU General Public License
22 * along with this program; if not, write to the Free Software
23 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
32 #ifdef HAVE_SYS_TYPES_H
33 # include <sys/types.h>
36 #ifdef HAVE_NETINET_IN_H
37 # include <netinet/in.h>
42 #include "packet-ipsec.h"
43 #include "packet-ip.h"
46 static int proto_ah = -1;
47 static int hf_ah_spi = -1;
48 static int hf_ah_sequence = -1;
49 static int proto_esp = -1;
50 static int hf_esp_spi = -1;
51 static int hf_esp_sequence = -1;
52 static int proto_ipcomp = -1;
53 static int hf_ipcomp_flags = -1;
54 static int hf_ipcomp_cpi = -1;
56 static gint ett_ah = -1;
57 static gint ett_esp = -1;
58 static gint ett_ipcomp = -1;
61 guint8 ah_nxt; /* Next Header */
62 guint8 ah_len; /* Length of data + 1, in 32bit */
63 guint16 ah_reserve; /* Reserved for future use */
64 guint32 ah_spi; /* Security parameter index */
65 guint32 ah_seq; /* Sequence number field */
66 /* variable size, 32bit bound*/ /* Authentication data */
70 guint32 esp_spi; /* ESP */
71 guint32 esp_seq; /* Sequence number */
72 /*variable size*/ /* (IV and) Payload data */
73 /*variable size*/ /* padding */
74 /*8bit*/ /* pad size */
75 /*8bit*/ /* next header */
76 /*8bit*/ /* next header */
77 /*variable size, 32bit bound*/ /* Authentication data */
81 guint8 comp_nxt; /* Next Header */
82 guint8 comp_flags; /* Must be zero */
83 guint16 comp_cpi; /* Compression parameter index */
86 /* well-known algorithm number (in CPI), from RFC2409 */
87 #define IPCOMP_OUI 1 /* vendor specific */
88 #define IPCOMP_DEFLATE 2 /* RFC2394 */
89 #define IPCOMP_LZS 3 /* RFC2395 */
92 static const value_string cpi2val[] = {
93 { IPCOMP_OUI, "OUI" },
94 { IPCOMP_DEFLATE, "DEFLATE" },
95 { IPCOMP_LZS, "LZS" },
100 #define offsetof(type, member) ((size_t)(&((type *)0)->member))
104 dissect_ah(const u_char *pd, int offset, frame_data *fd, proto_tree *tree)
111 memcpy(&ah, (void *) &pd[offset], sizeof(ah));
112 advance = sizeof(ah) + ((ah.ah_len - 1) << 2);
114 if (check_col(fd, COL_PROTOCOL))
115 col_add_str(fd, COL_PROTOCOL, "AH");
116 if (check_col(fd, COL_INFO)) {
117 col_add_fstr(fd, COL_INFO, "AH (SPI=0x%08x)",
118 (guint32)ntohl(ah.ah_spi));
122 /* !!! specify length */
123 ti = proto_tree_add_item(tree, proto_ah, offset, advance, NULL);
124 ah_tree = proto_item_add_subtree(ti, ett_ah);
126 proto_tree_add_text(ah_tree, offset + offsetof(struct newah, ah_nxt), 1,
127 "Next Header: %s (0x%02x)", ipprotostr(ah.ah_nxt), ah.ah_nxt);
128 proto_tree_add_text(ah_tree, offset + offsetof(struct newah, ah_len), 1,
129 "Length: %d", ah.ah_len << 2);
130 proto_tree_add_item(ah_tree, hf_ah_spi,
131 offset + offsetof(struct newah, ah_spi), 4,
132 (guint32)ntohl(ah.ah_spi));
133 proto_tree_add_item(ah_tree, hf_ah_sequence,
134 offset + offsetof(struct newah, ah_seq), 4,
135 (guint32)ntohl(ah.ah_seq));
136 proto_tree_add_text(ah_tree, offset + sizeof(ah), (ah.ah_len - 1) << 2,
140 /* start of the new header (could be a extension header) */
145 dissect_esp(const u_char *pd, int offset, frame_data *fd, proto_tree *tree)
147 proto_tree *esp_tree;
151 memcpy(&esp, (void *) &pd[offset], sizeof(esp));
154 * load the top pane info. This should be overwritten by
155 * the next protocol in the stack
157 if (check_col(fd, COL_PROTOCOL))
158 col_add_str(fd, COL_PROTOCOL, "ESP");
159 if (check_col(fd, COL_INFO)) {
160 col_add_fstr(fd, COL_INFO, "ESP (SPI=0x%08x)",
161 (guint32)ntohl(esp.esp_spi));
165 * populate a tree in the second pane with the status of the link layer
169 ti = proto_tree_add_item(tree, proto_esp, offset, END_OF_FRAME, NULL);
170 esp_tree = proto_item_add_subtree(ti, ett_esp);
171 proto_tree_add_item(esp_tree, hf_esp_spi,
172 offset + offsetof(struct newesp, esp_spi), 4,
173 (guint32)ntohl(esp.esp_spi));
174 proto_tree_add_item(esp_tree, hf_esp_sequence,
175 offset + offsetof(struct newesp, esp_seq), 4,
176 (guint32)ntohl(esp.esp_seq));
177 dissect_data(pd, offset + sizeof(struct newesp), fd, esp_tree);
182 dissect_ipcomp(const u_char *pd, int offset, frame_data *fd, proto_tree *tree)
184 proto_tree *ipcomp_tree;
186 struct ipcomp ipcomp;
189 memcpy(&ipcomp, (void *) &pd[offset], sizeof(ipcomp));
192 * load the top pane info. This should be overwritten by
193 * the next protocol in the stack
195 if (check_col(fd, COL_PROTOCOL))
196 col_add_str(fd, COL_PROTOCOL, "IPComp");
197 if (check_col(fd, COL_INFO)) {
198 p = val_to_str(ntohs(ipcomp.comp_cpi), cpi2val, "");
200 col_add_fstr(fd, COL_INFO, "IPComp (CPI=0x%04x)",
201 ntohs(ipcomp.comp_cpi));
203 col_add_fstr(fd, COL_INFO, "IPComp (CPI=%s)", p);
207 * populate a tree in the second pane with the status of the link layer
211 ti = proto_tree_add_item(tree, proto_ipcomp, offset, END_OF_FRAME,
213 ipcomp_tree = proto_item_add_subtree(ti, ett_ipcomp);
215 proto_tree_add_text(ipcomp_tree,
216 offset + offsetof(struct ipcomp, comp_nxt), 1,
217 "Next Header: %s (0x%02x)",
218 ipprotostr(ipcomp.comp_nxt), ipcomp.comp_nxt);
219 proto_tree_add_item(ipcomp_tree, hf_ipcomp_flags,
220 offset + offsetof(struct ipcomp, comp_flags), 1,
222 p = val_to_str(ntohs(ipcomp.comp_cpi), cpi2val, "");
224 proto_tree_add_item(ipcomp_tree, hf_ipcomp_cpi,
225 offset + offsetof(struct ipcomp, comp_cpi), 2,
226 ntohs(ipcomp.comp_cpi));
228 proto_tree_add_uint_format(ipcomp_tree, hf_ipcomp_cpi,
229 offset + offsetof(struct ipcomp, comp_cpi), 2,
230 ntohs(ipcomp.comp_cpi),
232 p, ntohs(ipcomp.comp_cpi));
234 dissect_data(pd, offset + sizeof(struct ipcomp), fd, ipcomp_tree);
239 proto_register_ipsec(void)
242 static hf_register_info hf_ah[] = {
244 { "SPI", "ah.spi", FT_UINT32, BASE_HEX, NULL, 0x0,
247 { "Sequence", "ah.sequence", FT_UINT32, BASE_HEX, NULL, 0x0,
251 static hf_register_info hf_esp[] = {
253 { "SPI", "esp.spi", FT_UINT32, BASE_HEX, NULL, 0x0,
256 { "Sequence", "esp.sequence", FT_UINT32, BASE_HEX, NULL, 0x0,
260 static hf_register_info hf_ipcomp[] = {
262 { "Flags", "ipcomp.flags", FT_UINT8, BASE_HEX, NULL, 0x0,
265 { "CPI", "ipcomp.cpi", FT_UINT16, BASE_HEX, NULL, 0x0,
268 static gint *ett[] = {
274 proto_ah = proto_register_protocol("Authentication Header", "ah");
275 proto_register_field_array(proto_ah, hf_ah, array_length(hf_ah));
277 proto_esp = proto_register_protocol("Encapsulated Security Payload", "esp");
278 proto_register_field_array(proto_esp, hf_esp, array_length(hf_esp));
280 proto_ipcomp = proto_register_protocol("IP Payload Compression", "ipcomp");
281 proto_register_field_array(proto_ipcomp, hf_ipcomp, array_length(hf_ipcomp));
283 proto_register_subtree_array(ett, array_length(ett));
287 proto_reg_handoff_ipsec(void)
289 dissector_add("ip.proto", IP_PROTO_ESP, dissect_esp);
290 dissector_add("ip.proto", IP_PROTO_IPCOMP, dissect_ipcomp);