2 * Routines for IEEE 802.2 LLC layer
3 * Gilbert Ramirez <gram@alumni.rice.edu>
5 * $Id: packet-llc.c,v 1.96 2002/03/31 21:09:00 guy Exp $
7 * Ethereal - Network traffic analyzer
8 * By Gerald Combs <gerald@ethereal.com>
9 * Copyright 1998 Gerald Combs
11 * This program is free software; you can redistribute it and/or
12 * modify it under the terms of the GNU General Public License
13 * as published by the Free Software Foundation; either version 2
14 * of the License, or (at your option) any later version.
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
21 * You should have received a copy of the GNU General Public License
22 * along with this program; if not, write to the Free Software
23 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
30 #ifdef HAVE_SYS_TYPES_H
31 # include <sys/types.h>
35 #include <epan/packet.h>
40 #include "bridged_pids.h"
41 #include "packet-ip.h"
42 #include "packet-ipx.h"
43 #include "packet-netbios.h"
44 #include <epan/sna-utils.h>
46 #include "packet-llc.h"
48 static int proto_llc = -1;
49 static int hf_llc_dsap = -1;
50 static int hf_llc_ssap = -1;
51 static int hf_llc_dsap_ig = -1;
52 static int hf_llc_ssap_cr = -1;
53 static int hf_llc_ctrl = -1;
54 static int hf_llc_type = -1;
55 static int hf_llc_oui = -1;
56 static int hf_llc_pid = -1;
58 static gint ett_llc = -1;
59 static gint ett_llc_ctrl = -1;
61 static dissector_table_t subdissector_table;
62 static dissector_table_t cisco_subdissector_table;
64 static dissector_handle_t bpdu_handle;
65 static dissector_handle_t eth_handle;
66 static dissector_handle_t fddi_handle;
67 static dissector_handle_t tr_handle;
68 static dissector_handle_t data_handle;
70 typedef void (capture_func_t)(const u_char *, int, int, packet_counts *);
72 /* The SAP info is split into two tables, one value_string table and one
73 * table of sap_info. This is so that the value_string can be used in the
74 * header field registration.
78 capture_func_t *capture_func;
82 * Group/Individual bit, in the DSAP.
84 #define DSAP_GI_BIT 0x01
87 * Command/Response bit, in the SSAP.
89 * The low-order bit of the SSAP apparently determines whether this
90 * is a request or a response. (RFC 1390, "Transmission of IP and
91 * ARP over FDDI Networks", says
93 * Command frames are identified by having the low order
94 * bit of the SSAP address reset to zero. Response frames
95 * have the low order bit of the SSAP address set to one.
97 * and a page I've seen seems to imply that's part of 802.2.)
99 #define SSAP_CR_BIT 0x01
102 * Mask to extrace the SAP number from the DSAP or the SSAP.
104 #define SAP_MASK 0xFE
107 * These are for SSAP and DSAP, wth last bit always zero.
108 * XXX - some DSAPs come in separate "individual" and "group" versions,
109 * with the last bit 0 and 1, respectively (e.g., LLC Sub-layer Management,
110 * IBM SNA Path Control, IBM Net Management), but, whilst 0xFE is
111 * the ISO Network Layer Protocol, 0xFF is the Global LSAP.
113 static const value_string sap_vals[] = {
114 { SAP_NULL, "NULL LSAP" },
115 { SAP_LLC_SLMGMT, "LLC Sub-Layer Management" },
116 { SAP_SNA_PATHCTRL, "SNA Path Control" },
117 { SAP_IP, "TCP/IP" },
120 { SAP_PROWAY_NM_INIT, "PROWAY (IEC955) Network Management and Initialization" },
121 { SAP_TI, "Texas Instruments" },
122 { SAP_BPDU, "Spanning Tree BPDU" },
123 { SAP_RS511, "EIA RS-511 Manufacturing Message Service" },
124 { SAP_X25, "ISO 8208 (X.25 over 802.2)" },
126 * XXX - setting the group bit of SAP_X25 make 0x7F; is this just
127 * a group version of that?
129 { 0x7F, "ISO 802.2" },
131 { SAP_NESTAR, "Nestar" },
132 { SAP_PROWAY_ASLM, "PROWAY (IEC955) Active Station List Maintenance" },
133 { SAP_ARP, "ARP" }, /* XXX - hand to "dissect_arp()"? */
134 { SAP_SNAP, "SNAP" },
135 { SAP_VINES1, "Banyan Vines" },
136 { SAP_VINES2, "Banyan Vines" },
137 { SAP_NETWARE, "NetWare" },
138 { SAP_NETBIOS, "NetBIOS" },
139 { SAP_IBMNM, "IBM Net Management" },
140 { SAP_RPL1, "Remote Program Load" },
141 { SAP_UB, "Ungermann-Bass" },
142 { SAP_RPL2, "Remote Program Load" },
143 { SAP_OSINL, "ISO Network Layer" },
144 { SAP_GLOBAL, "Global LSAP" },
148 static struct sap_info saps[] = {
149 { SAP_IP, capture_ip },
150 { SAP_NETWARE, capture_ipx },
151 { SAP_NETBIOS, capture_netbios },
158 * http://www.cisco.com/univercd/cc/td/doc/product/lan/trsrb/vlan.htm
160 * for the PIDs for VTP and DRiP that go with an OUI of OUI_CISCO.
162 const value_string oui_vals[] = {
163 { OUI_ENCAP_ETHER, "Encapsulated Ethernet" },
165 http://www.cisco.com/univercd/cc/td/doc/product/software/ios113ed/113ed_cr/ibm_r/brprt1/brsrb.htm
167 { OUI_CISCO, "Cisco" },
168 { OUI_CISCO_90, "Cisco IOS 9.0 Compatible" },
169 { OUI_BRIDGED, "Frame Relay or ATM bridged frames" },
170 /* RFC 2427, RFC 2684 */
171 { OUI_ATM_FORUM, "ATM Forum" },
172 { OUI_CABLE_BPDU, "DOCSIS Spanning Tree" }, /* DOCSIS spanning tree BPDU */
173 { OUI_APPLE_ATALK, "Apple (AppleTalk)" },
177 static capture_func_t *
178 sap_capture_func(u_char sap) {
181 /* look for the second record where sap == 0, which should
184 while (saps[i].sap > 0 || i == 0) {
185 if (saps[i].sap == sap) {
186 return saps[i].capture_func;
194 capture_llc(const u_char *pd, int offset, int len, packet_counts *ld) {
201 capture_func_t *capture;
203 if (!BYTES_ARE_IN_FRAME(offset, len, 2)) {
207 is_snap = (pd[offset] == SAP_SNAP) && (pd[offset+1] == SAP_SNAP);
208 llc_header_len = 2; /* DSAP + SSAP */
211 * XXX - the page referred to in the comment above about the
212 * Command/Response bit also implies that LLC Type 2 always
213 * uses extended operation, so we don't need to determine
214 * whether it's basic or extended operation; is that the case?
216 control = get_xdlc_control(pd, offset+2, pd[offset+1] & SSAP_CR_BIT);
217 llc_header_len += XDLC_CONTROL_LEN(control, TRUE);
219 llc_header_len += 5; /* 3 bytes of OUI, 2 bytes of protocol ID */
220 if (!BYTES_ARE_IN_FRAME(offset, len, llc_header_len)) {
226 oui = pd[offset+3] << 16 | pd[offset+4] << 8 | pd[offset+5];
227 if (XDLC_IS_INFORMATION(control)) {
228 etype = pntohs(&pd[offset+6]);
231 case OUI_ENCAP_ETHER:
233 case OUI_APPLE_ATALK:
234 /* No, I have no idea why Apple used
235 one of their own OUIs, rather than
236 OUI_ENCAP_ETHER, and an Ethernet
237 packet type as protocol ID, for
238 AppleTalk data packets - but used
239 OUI_ENCAP_ETHER and an Ethernet
240 packet type for AARP packets. */
241 capture_ethertype(etype, pd, offset+8, len,
245 capture_ethertype(etype, pd, offset + 8, len,
255 if (XDLC_IS_INFORMATION(control)) {
256 capture = sap_capture_func(pd[offset]);
259 offset += llc_header_len;
262 capture(pd, offset, len, ld);
272 dissect_llc(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
274 proto_tree *llc_tree = NULL;
275 proto_item *ti = NULL;
282 if (check_col(pinfo->cinfo, COL_PROTOCOL)) {
283 col_set_str(pinfo->cinfo, COL_PROTOCOL, "LLC");
285 if (check_col(pinfo->cinfo, COL_INFO)) {
286 col_clear(pinfo->cinfo, COL_INFO);
289 dsap = tvb_get_guint8(tvb, 0);
291 ti = proto_tree_add_item(tree, proto_llc, tvb, 0, -1, FALSE);
292 llc_tree = proto_item_add_subtree(ti, ett_llc);
293 proto_tree_add_uint(llc_tree, hf_llc_dsap, tvb, 0,
295 proto_tree_add_boolean(llc_tree, hf_llc_dsap_ig, tvb, 0,
296 1, dsap & DSAP_GI_BIT);
300 ssap = tvb_get_guint8(tvb, 1);
302 proto_tree_add_uint(llc_tree, hf_llc_ssap, tvb, 1,
304 proto_tree_add_boolean(llc_tree, hf_llc_ssap_cr, tvb, 1,
305 1, ssap & SSAP_CR_BIT);
309 is_snap = (dsap == SAP_SNAP) && (ssap == SAP_SNAP);
310 llc_header_len = 2; /* DSAP + SSAP */
313 * XXX - the page referred to in the comment above about the
314 * Command/Response bit also implies that LLC Type 2 always
315 * uses extended operation, so we don't need to determine
316 * whether it's basic or extended operation; is that the case?
318 control = dissect_xdlc_control(tvb, 2, pinfo, llc_tree,
319 hf_llc_ctrl, ett_llc_ctrl,
320 ssap & SSAP_CR_BIT, TRUE);
321 llc_header_len += XDLC_CONTROL_LEN(control, TRUE);
323 llc_header_len += 5; /* 3 bytes of OUI, 2 bytes of protocol ID */
326 proto_item_set_len(ti, llc_header_len);
329 dissect_snap(tvb, 3, pinfo, tree, llc_tree, control,
330 hf_llc_oui, hf_llc_type, hf_llc_pid, 2);
333 if (check_col(pinfo->cinfo, COL_INFO)) {
334 col_append_fstr(pinfo->cinfo, COL_INFO,
335 "; DSAP %s %s, SSAP %s %s",
336 val_to_str(dsap & SAP_MASK, sap_vals, "%02x"),
338 "Group" : "Individual",
339 val_to_str(ssap & SAP_MASK, sap_vals, "%02x"),
341 "Response" : "Command"
345 next_tvb = tvb_new_subset(tvb, llc_header_len, -1, -1);
346 if (XDLC_IS_INFORMATION(control)) {
348 /* do lookup with the subdissector table */
349 if (!dissector_try_port(subdissector_table, dsap,
350 next_tvb, pinfo, tree)) {
351 call_dissector(data_handle,next_tvb, pinfo, tree);
354 call_dissector(data_handle,next_tvb, pinfo, tree);
360 * Dissect SNAP header; used elsewhere, e.g. in the Frame Relay dissector.
363 dissect_snap(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree,
364 proto_tree *snap_tree, int control, int hf_oui, int hf_type, int hf_pid,
371 oui = tvb_get_ntoh24(tvb, offset);
372 etype = tvb_get_ntohs(tvb, offset+3);
374 if (check_col(pinfo->cinfo, COL_INFO)) {
375 col_append_fstr(pinfo->cinfo, COL_INFO,
376 "; SNAP, OUI 0x%06X (%s), PID 0x%04X",
377 oui, val_to_str(oui, oui_vals, "Unknown"), etype);
380 proto_tree_add_uint(snap_tree, hf_oui, tvb, offset, 3, oui);
385 case OUI_ENCAP_ETHER:
387 case OUI_APPLE_ATALK:
388 /* No, I have no idea why Apple used
389 one of their own OUIs, rather than
390 OUI_ENCAP_ETHER, and an Ethernet
391 packet type as protocol ID, for
392 AppleTalk data packets - but used
393 OUI_ENCAP_ETHER and an Ethernet
394 packet type for AARP packets. */
395 if (XDLC_IS_INFORMATION(control)) {
396 ethertype(etype, tvb, offset+5,
397 pinfo, tree, snap_tree, hf_type, -1);
399 next_tvb = tvb_new_subset(tvb, offset+5, -1, -1);
400 call_dissector(data_handle,next_tvb, pinfo, tree);
406 * MAC frames bridged over ATM (RFC 2684) or Frame Relay
409 * We have to figure out how much padding to put
410 * into the frame. We were handed a "bridge_pad"
411 * argument which should be 0 for Frame Relay and
412 * 2 for ATM; we add to that the amount of padding
413 * common to both bridging types.
416 proto_tree_add_uint(snap_tree, hf_pid, tvb, offset+3, 2,
422 case BPID_ETH_WITH_FCS:
423 case BPID_ETH_WITHOUT_FCS:
424 next_tvb = tvb_new_subset(tvb, offset+5+bridge_pad,
426 call_dissector(eth_handle, next_tvb, pinfo, tree);
429 case BPID_802_5_WITH_FCS:
430 case BPID_802_5_WITHOUT_FCS:
432 * We treat the last padding byte as the Access
433 * Control byte, as that's what the Token
434 * Ring dissector expects the first byte to
437 next_tvb = tvb_new_subset(tvb, offset+5+bridge_pad,
439 call_dissector(tr_handle, next_tvb, pinfo, tree);
442 case BPID_FDDI_WITH_FCS:
443 case BPID_FDDI_WITHOUT_FCS:
444 next_tvb = tvb_new_subset(tvb, offset+5+1+bridge_pad,
446 call_dissector(fddi_handle, next_tvb, pinfo, tree);
450 next_tvb = tvb_new_subset(tvb, offset+5, -1, -1);
451 call_dissector(bpdu_handle, next_tvb, pinfo, tree);
455 next_tvb = tvb_new_subset(tvb, offset+5, -1, -1);
456 call_dissector(data_handle,next_tvb, pinfo, tree);
462 /* So are all CDP packets LLC packets
463 with an OUI of OUI_CISCO and a
464 protocol ID of 0x2000, or
465 are some of them raw or encapsulated
468 proto_tree_add_uint(snap_tree, hf_pid, tvb, offset+3, 2,
471 next_tvb = tvb_new_subset(tvb, offset+5, -1, -1);
472 if (XDLC_IS_INFORMATION(control)) {
473 /* do lookup with the subdissector table */
474 /* for future reference, 0x0102 is Cisco DRIP */
475 if (!dissector_try_port(cisco_subdissector_table,
476 etype, next_tvb, pinfo, tree))
477 call_dissector(data_handle,next_tvb, pinfo, tree);
479 call_dissector(data_handle,next_tvb, pinfo, tree);
482 case OUI_CABLE_BPDU: /* DOCSIS cable modem spanning tree BPDU */
484 proto_tree_add_uint(snap_tree, hf_pid, tvb, offset+3, 2,
487 next_tvb = tvb_new_subset(tvb, offset+5, -1, -1);
488 call_dissector(bpdu_handle, next_tvb, pinfo, tree);
493 proto_tree_add_uint(snap_tree, hf_pid, tvb, offset+3, 2,
496 next_tvb = tvb_new_subset(tvb, offset+5, -1, -1);
497 call_dissector(data_handle,next_tvb, pinfo, tree);
503 proto_register_llc(void)
505 static struct true_false_string ig_bit = { "Group", "Individual" };
506 static struct true_false_string cr_bit = { "Response", "Command" };
508 static hf_register_info hf[] = {
510 { "DSAP", "llc.dsap", FT_UINT8, BASE_HEX,
511 VALS(sap_vals), 0x0, "", HFILL }},
514 { "IG Bit", "llc.dsap.ig", FT_BOOLEAN, BASE_HEX,
515 &ig_bit, 0x0, "Individual/Group", HFILL }},
518 { "SSAP", "llc.ssap", FT_UINT8, BASE_HEX,
519 VALS(sap_vals), 0x0, "", HFILL }},
522 { "CR Bit", "llc.ssap.cr", FT_BOOLEAN, BASE_HEX,
523 &cr_bit, 0x0, "Command/Response", HFILL }},
526 { "Control", "llc.control", FT_UINT16, BASE_HEX,
527 NULL, 0x0, "", HFILL }},
529 /* registered here but handled in ethertype.c */
531 { "Type", "llc.type", FT_UINT16, BASE_HEX,
532 VALS(etype_vals), 0x0, "", HFILL }},
535 { "Organization Code", "llc.oui", FT_UINT24, BASE_HEX,
536 VALS(oui_vals), 0x0, "", HFILL }},
539 { "Protocol ID", "llc.pid", FT_UINT16, BASE_HEX,
540 NULL, 0x0, "", HFILL }}
542 static gint *ett[] = {
547 proto_llc = proto_register_protocol("Logical-Link Control", "LLC", "llc");
548 proto_register_field_array(proto_llc, hf, array_length(hf));
549 proto_register_subtree_array(ett, array_length(ett));
551 /* subdissector code */
552 subdissector_table = register_dissector_table("llc.dsap",
553 "LLC SAP", FT_UINT8, BASE_HEX);
554 cisco_subdissector_table = register_dissector_table("llc.cisco_pid",
555 "Cisco OUI PID", FT_UINT16, BASE_HEX);
557 register_dissector("llc", dissect_llc, proto_llc);
561 proto_reg_handoff_llc(void)
563 dissector_handle_t llc_handle;
566 * Get handles for the BPDU, Ethernet, FDDI, and Token Ring
569 bpdu_handle = find_dissector("bpdu");
570 eth_handle = find_dissector("eth");
571 fddi_handle = find_dissector("fddi");
572 tr_handle = find_dissector("tr");
573 data_handle = find_dissector("data");
575 llc_handle = find_dissector("llc");
576 dissector_add("wtap_encap", WTAP_ENCAP_ATM_RFC1483, llc_handle);