2 * Routines for disassembly of packets from Linux "cooked mode" captures
4 * $Id: packet-sll.c,v 1.1 2000/12/23 08:06:14 guy Exp $
6 * Ethereal - Network traffic analyzer
7 * By Gerald Combs <gerald@zing.org>
8 * Copyright 1998 Gerald Combs
11 * This program is free software; you can redistribute it and/or
12 * modify it under the terms of the GNU General Public License
13 * as published by the Free Software Foundation; either version 2
14 * of the License, or (at your option) any later version.
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
21 * You should have received a copy of the GNU General Public License
22 * along with this program; if not, write to the Free Software
23 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
30 #ifdef HAVE_SYS_TYPES_H
31 # include <sys/types.h>
38 #include "packet-ipx.h"
39 #include "packet-llc.h"
42 static int proto_sll = -1;
43 static int hf_sll_pkttype = -1;
44 static int hf_sll_hatype = -1;
45 static int hf_sll_halen = -1;
46 static int hf_sll_src_eth = -1;
47 static int hf_sll_src_other = -1;
48 static int hf_sll_ltype = -1;
49 static int hf_sll_etype = -1;
50 static int hf_sll_trailer = -1;
52 static gint ett_sll = -1;
55 * A DLT_LINUX_SLL fake link-layer header.
57 #define SLL_HEADER_SIZE 16 /* total header length */
58 #define SLL_ADDRLEN 8 /* length of address field */
61 * The LINUX_SLL_ values for "sll_pkttype".
63 #define LINUX_SLL_HOST 0
64 #define LINUX_SLL_BROADCAST 1
65 #define LINUX_SLL_MULTICAST 2
66 #define LINUX_SLL_OTHERHOST 3
67 #define LINUX_SLL_OUTGOING 4
69 static const value_string packet_type_vals[] = {
70 { LINUX_SLL_HOST, "Unicast to us" },
71 { LINUX_SLL_BROADCAST, "Broadcast" },
72 { LINUX_SLL_MULTICAST, "Multicast" },
73 { LINUX_SLL_OTHERHOST, "Unicast to another host" },
74 { LINUX_SLL_OUTGOING, "Sent by us" },
79 * The LINUX_SLL_ values for "sll_protocol".
81 #define LINUX_SLL_P_802_3 0x0001 /* Novell 802.3 frames without 802.2 LLC header */
82 #define LINUX_SLL_P_802_2 0x0004 /* 802.2 frames (not D/I/X Ethernet) */
84 static const value_string ltype_vals[] = {
85 { LINUX_SLL_P_802_3, "Raw 802.3" },
86 { LINUX_SLL_P_802_2, "802.2 LLC" },
91 capture_sll(const u_char *pd, packet_counts *ld)
95 if (!BYTES_ARE_IN_FRAME(0, SLL_HEADER_SIZE)) {
99 protocol = pntohs(&pd[14]);
100 if (protocol <= 1536) { /* yes, 1536 - that's how Linux does it */
102 * "proto" is *not* a length field, it's a Linux internal
107 case LINUX_SLL_P_802_2:
111 capture_llc(pd, SLL_HEADER_SIZE, ld);
114 case LINUX_SLL_P_802_3:
116 * Novell IPX inside 802.3 with no 802.2 LLC
119 capture_ipx(pd, SLL_HEADER_SIZE, ld);
127 capture_ethertype(protocol, SLL_HEADER_SIZE, pd, ld);
131 dissect_sll(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
135 guint16 hatype, halen;
138 volatile guint16 length;
139 tvbuff_t *volatile next_tvb;
140 tvbuff_t *volatile trailer_tvb;
141 proto_tree *volatile fh_tree = NULL;
144 CHECK_DISPLAY_AS_DATA(proto_sll, tvb, pinfo, tree);
146 pinfo->current_proto = "SLL";
147 if (check_col(pinfo->fd, COL_PROTOCOL))
148 col_set_str(pinfo->fd, COL_PROTOCOL, "SLL");
150 pkttype = tvb_get_ntohs(tvb, 0);
152 if (check_col(pinfo->fd, COL_INFO))
153 col_add_str(pinfo->fd, COL_INFO,
154 val_to_str(pkttype, packet_type_vals, "Unknown (%u)"));
157 ti = proto_tree_add_protocol_format(tree, proto_sll, tvb, 0,
158 SLL_HEADER_SIZE, "Linux cooked capture");
159 fh_tree = proto_item_add_subtree(ti, ett_sll);
160 proto_tree_add_item(fh_tree, hf_sll_pkttype, tvb, 0, 2, FALSE);
164 * XXX - check the link-layer address type value?
165 * For now, we just assume 6 means Ethernet.
167 hatype = tvb_get_ntohs(tvb, 2);
168 halen = tvb_get_ntohs(tvb, 4);
170 proto_tree_add_uint(fh_tree, hf_sll_hatype, tvb, 2, 2, hatype);
171 proto_tree_add_uint(fh_tree, hf_sll_halen, tvb, 4, 2, halen);
174 src = tvb_get_ptr(tvb, 6, 6);
175 SET_ADDRESS(&pinfo->dl_src, AT_ETHER, 6, src);
176 SET_ADDRESS(&pinfo->src, AT_ETHER, 6, src);
178 proto_tree_add_ether(fh_tree, hf_sll_src_eth, tvb,
183 proto_tree_add_bytes(fh_tree, hf_sll_src_other, tvb,
184 6, halen, tvb_get_ptr(tvb, 6, halen));
188 protocol = tvb_get_ntohs(tvb, 14);
189 if (protocol <= 1536) { /* yes, 1536 - that's how Linux does it */
191 * "proto" is *not* a length field, it's a Linux internal
193 * We therefore cannot say how much of the packet will
195 * XXX - do the same thing we do for packets with Ethertypes?
197 proto_tree_add_uint(fh_tree, hf_sll_ltype, tvb, 14, 2,
200 next_tvb = tvb_new_subset(tvb, SLL_HEADER_SIZE, -1, -1);
204 case LINUX_SLL_P_802_2:
208 dissect_llc(next_tvb, pinfo, tree);
211 case LINUX_SLL_P_802_3:
213 * Novell IPX inside 802.3 with no 802.2 LLC
216 dissect_ipx(next_tvb, pinfo, tree);
220 dissect_data(next_tvb, 0, pinfo, tree);
224 length_before = tvb_reported_length(tvb);
225 length = ethertype(protocol, tvb, SLL_HEADER_SIZE, pinfo, tree,
226 fh_tree, hf_sll_etype) + SLL_HEADER_SIZE;
227 if (length < length_before) {
229 * Create a tvbuff for the padding.
232 trailer_tvb = tvb_new_subset(tvb, length, -1,
235 CATCH2(BoundsError, ReportedBoundsError) {
236 /* The packet doesn't have "length" bytes
237 worth of captured data left in it. No
238 trailer to display. */
244 * There is no padding.
250 /* If there's some bytes left over, mark them. */
251 if (trailer_tvb && tree) {
252 guint trailer_length;
254 trailer_length = tvb_length(trailer_tvb);
255 if (trailer_length != 0) {
256 proto_tree_add_item(fh_tree, hf_sll_trailer,
257 trailer_tvb, 0, trailer_length, FALSE);
263 proto_register_sll(void)
265 static hf_register_info hf[] = {
267 { "Packet type", "sll.pkttype", FT_UINT16, BASE_DEC,
268 VALS(packet_type_vals), 0x0, "Packet type" }},
270 /* ARP hardware type? With Linux extensions? */
272 { "Link-layer address type", "sll.hatype", FT_UINT16, BASE_DEC,
273 NULL, 0x0, "Link-layer address type" }},
276 { "Link-layer address length", "sll.halen", FT_UINT16, BASE_DEC,
277 NULL, 0x0, "Link-layer address length" }},
279 /* Source address if it's an Ethernet-type address */
281 { "Source", "sll.src.eth", FT_ETHER, BASE_NONE, NULL, 0x0,
282 "Source link-layer address" }},
284 /* Source address if it's not an Ethernet-type address */
286 { "Source", "sll.src.other", FT_BYTES, BASE_HEX, NULL, 0x0,
287 "Source link-layer address" }},
289 /* if the protocol field is an internal Linux protocol type */
291 { "Protocol", "sll.ltype", FT_UINT16, BASE_HEX,
292 VALS(ltype_vals), 0x0, "Linux protocol type" }},
294 /* registered here but handled in ethertype.c */
296 { "Protocol", "sll.etype", FT_UINT16, BASE_HEX,
297 VALS(etype_vals), 0x0, "Ethernet protocol type" }},
300 { "Trailer", "sll.trailer", FT_BYTES, BASE_NONE, NULL, 0x0,
303 static gint *ett[] = {
307 proto_sll = proto_register_protocol("Linux cooked-mode capture", "sll" );
308 proto_register_field_array(proto_sll, hf, array_length(hf));
309 proto_register_subtree_array(ett, array_length(ett));
313 proto_reg_handoff_sll(void)
315 dissector_add("wtap_encap", WTAP_ENCAP_SLL, dissect_sll);