2 * Routines for null packet disassembly
4 * $Id: packet-null.c,v 1.9 1999/07/13 02:52:53 gram Exp $
6 * Ethereal - Network traffic analyzer
7 * By Gerald Combs <gerald@zing.org>
9 * This file created and by Mike Hall <mlh@io.com>
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version 2
15 * of the License, or (at your option) any later version.
17 * This program is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU General Public License for more details.
22 * You should have received a copy of the GNU General Public License
23 * along with this program; if not, write to the Free Software
24 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
31 #ifdef HAVE_SYS_TYPES_H
32 #include <sys/types.h>
37 #ifdef HAVE_SYS_SOCKET_H
38 #include <sys/socket.h>
44 int hf_null_next = -1;
46 int hf_null_family = -1;
48 /* Null/loopback structs and definitions */
50 typedef struct _e_nullhdr {
57 capture_null( const u_char *pd, guint32 cap_len, packet_counts *ld ) {
60 memcpy((char *)&nh.null_family, (char *)&pd[2], sizeof(nh.null_family));
63 From what I've read in various sources, this is supposed to be an
64 address family, e.g. AF_INET. However, a FreeBSD ISDN PPP dump that
65 Andreas Klemm sent to ethereal-dev has a packet type of DLT_NULL, and
66 the family bits look like PPP's protocol field. A dump of the loopback
67 interface on my Linux box also has a link type of DLT_NULL (as it should
68 be), but the family bits look like ethernet's protocol type. To
69 further confuse matters, nobody seems to be paying attention to byte
74 switch (nh.null_family) {
79 capture_ip(pd, 4, cap_len, ld);
88 dissect_null( const u_char *pd, frame_data *fd, proto_tree *tree ) {
95 memcpy((char *)&nh.null_family, (char *)&pd[2], sizeof(nh.null_family));
97 /* load the top pane info. This should be overwritten by
98 the next protocol in the stack */
99 if(check_col(fd, COL_RES_DL_SRC))
100 col_add_str(fd, COL_RES_DL_SRC, "N/A" );
101 if(check_col(fd, COL_RES_DL_DST))
102 col_add_str(fd, COL_RES_DL_DST, "N/A" );
103 if(check_col(fd, COL_PROTOCOL))
104 col_add_str(fd, COL_PROTOCOL, "N/A" );
105 if(check_col(fd, COL_INFO))
106 col_add_str(fd, COL_INFO, "Null/Loopback" );
108 /* populate a tree in the second pane with the status of the link
111 ti = proto_tree_add_item(tree, proto_null, 0, 4, NULL);
112 fh_tree = proto_item_add_subtree(ti, ETT_NULL);
113 proto_tree_add_item(fh_tree, hf_null_next, 0, 1, nh.null_next);
114 proto_tree_add_item(fh_tree, hf_null_len, 1, 1, nh.null_len);
115 proto_tree_add_item(fh_tree, hf_null_family, 2, 2, nh.null_family);
119 From what I've read in various sources, this is supposed to be an
120 address family, e.g. AF_INET. However, a FreeBSD ISDN PPP dump that
121 Andreas Klemm sent to ethereal-dev has a packet type of DLT_NULL, and
122 the family bits look like PPP's protocol field. A dump of the loopback
123 interface on my Linux box also has a link type of DLT_NULL (as it should
124 be), but the family bits look like ethernet's protocol type. To
125 further confuse matters, nobody seems to be paying attention to byte
130 switch (nh.null_family) {
135 dissect_ip(pd, 4, fd, tree);
138 dissect_data(pd, 4, fd, tree);
144 proto_register_null(void)
146 proto_null = proto_register_protocol (
147 /* name */ "Null/Loopback",
148 /* abbrev */ "null" );
150 hf_null_next = proto_register_field (
152 /* abbrev */ "null.next",
153 /* ftype */ FT_UINT8,
154 /* parent */ proto_null,
157 hf_null_len = proto_register_field (
159 /* abbrev */ "null.len",
160 /* ftype */ FT_UINT8,
161 /* parent */ proto_null,
164 hf_null_family = proto_register_field (
166 /* abbrev */ "null.family",
167 /* ftype */ FT_UINT16,
168 /* parent */ proto_null,