2 * Routines for Token-Ring packet disassembly
3 * Gilbert Ramirez <gram@alumni.rice.edu>
5 * $Id: packet-tr.c,v 1.73 2002/08/28 21:00:36 jmayer Exp $
7 * Ethereal - Network traffic analyzer
8 * By Gerald Combs <gerald@ethereal.com>
9 * Copyright 1998 Gerald Combs
11 * This program is free software; you can redistribute it and/or
12 * modify it under the terms of the GNU General Public License
13 * as published by the Free Software Foundation; either version 2
14 * of the License, or (at your option) any later version.
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
21 * You should have received a copy of the GNU General Public License
22 * along with this program; if not, write to the Free Software
23 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
33 #include <epan/packet.h>
34 #include "packet-tr.h"
35 #include "packet-llc.h"
37 static int proto_tr = -1;
38 static int hf_tr_dst = -1;
39 static int hf_tr_src = -1;
40 static int hf_tr_addr = -1;
41 static int hf_tr_sr = -1;
42 static int hf_tr_ac = -1;
43 static int hf_tr_priority = -1;
44 static int hf_tr_frame = -1;
45 static int hf_tr_monitor_cnt = -1;
46 static int hf_tr_priority_reservation = -1;
47 static int hf_tr_fc = -1;
48 static int hf_tr_fc_type = -1;
49 static int hf_tr_fc_pcf = -1;
50 static int hf_tr_rif_bytes = -1;
51 static int hf_tr_broadcast = -1;
52 static int hf_tr_max_frame_size = -1;
53 static int hf_tr_direction = -1;
54 static int hf_tr_rif = -1;
55 static int hf_tr_rif_ring = -1;
56 static int hf_tr_rif_bridge = -1;
58 static gint ett_token_ring = -1;
59 static gint ett_token_ring_ac = -1;
60 static gint ett_token_ring_fc = -1;
62 #define TR_MIN_HEADER_LEN 14
63 #define TR_MAX_HEADER_LEN 32
65 static const true_false_string ac_truth = { "Frame", "Token" };
67 static const value_string pcf_vals[] = {
68 { 0, "Normal buffer" },
69 { 1, "Express buffer" },
73 { 5, "Active Monitor Present" },
74 { 6, "Standby Monitor Present" },
78 static const value_string frame_vals[] = {
85 static const value_string broadcast_vals[] = {
86 { 0 << 5, "Non-broadcast" },
87 { 1 << 5, "Non-broadcast" },
88 { 2 << 5, "Non-broadcast" },
89 { 3 << 5, "Non-broadcast" },
90 { 4 << 5, "All-routes broadcast" },
91 { 5 << 5, "All-routes broadcast" },
92 { 6 << 5, "Single-route broadcast" },
93 { 7 << 5, "Single-route broadcast" },
97 static const value_string max_frame_size_vals[] = {
109 static const value_string direction_vals[] = {
110 { 0, "From originating station (-->)" },
111 { 128, "To originating station (<--)" },
115 static dissector_handle_t trmac_handle;
116 static dissector_handle_t llc_handle;
117 static dissector_handle_t data_handle;
120 * DODGY LINUX HACK DODGY LINUX HACK
121 * Linux 2.0.x always passes frames to the Token Ring driver for transmission with
122 * 18 bytes padding for source routing information. Some drivers copy the first
123 * (18 - srlen) bytes up the frame (18 - srlen) bytes thus removing the padding.
124 * Other drivers just make a copy of the entire frame and then hack about with it
125 * so the frame the sniffer gets is fine (just has extra sr routing).
126 * In the first instance (driver hacking frame in situ) the sniffer gets a garbled
128 * This function trys to detect this and returns the offset of where
129 * the frame really starts.
130 * This only detects frames that we have sent ourselves so if we are packet sniffing
131 * on the machine we are watching this is useful.
132 * Compare offset 0 with offset x+1 for a length of x bytes for all value of x = 1 to 18
133 * if match then Linux driver has done in situ source route compression of the crappy
134 * Linux 2.0.x frame so the beginning of the real frame is x bytes in.
135 * (And this real frame x bytes in looks like a proper TR frame that goes on the wire
136 * with none of the Linux idiosyncrasies).
139 int check_for_old_linux_tvb(tvbuff_t *tvb)
144 /* Restrict our looping to the boundaries of the frame */
145 bytes = tvb_length(tvb);
150 data = tvb_get_ptr(tvb, 0, bytes);
152 for(x = 1; x <= bytes-1 ;x++)
154 if (memcmp(&data[0], &data[x], x) == 0)
163 int check_for_old_linux(const guchar * pd)
168 if (memcmp(&pd[0],&pd[x],x) == 0)
178 add_ring_bridge_pairs(int rcf_len, tvbuff_t*, proto_tree *tree);
181 capture_tr(const guchar *pd, int offset, int len, packet_counts *ld) {
183 int source_routed = 0;
186 guint8 trn_rif_bytes;
187 guint8 actual_rif_bytes;
190 /* The trn_hdr struct, as separate variables */
191 guint8 trn_fc; /* field control field */
192 const guint8 *trn_shost; /* source host */
194 if (!BYTES_ARE_IN_FRAME(offset, len, TR_MIN_HEADER_LEN)) {
199 if ((x = check_for_old_linux(pd)))
201 /* Actually packet starts x bytes into what we have got but with all
202 source routing compressed
204 /* pd = &pd[x]; */ offset+=x;
208 trn_fc = pd[offset + 1];
209 trn_shost = &pd[offset + 8];
211 frame_type = (trn_fc & 192) >> 6;
213 /* if the high bit on the first byte of src hwaddr is 1, then
214 this packet is source-routed */
215 source_routed = trn_shost[0] & 128;
217 trn_rif_bytes = pd[offset + 14] & 31;
219 /* the Linux 2.0 TR code strips source-route bits in
220 * order to test for SR. This can be removed from most
221 * packets with oltr, but not all. So, I try to figure out
222 * which packets should have been SR here. I'll check to
223 * see if there's a SNAP or IPX field right after
226 * The Linux 2.4.18 code, at least appears to do the
227 * same thing, from a capture I got from somebody running
228 * 2.4.18 (RH 7.1, so perhaps this is a Red Hat
231 if (!source_routed && trn_rif_bytes > 0) {
232 if (pd[offset + 0x0e] != pd[offset + 0x0f]) {
233 first2_sr = pntohs(&pd[offset + 0xe0 + trn_rif_bytes]);
235 (first2_sr == 0xaaaa &&
236 pd[offset + 0x10 + trn_rif_bytes] == 0x03) ||
238 first2_sr == 0xe0e0 ||
239 first2_sr == 0xe0aa ) {
247 actual_rif_bytes = trn_rif_bytes;
251 actual_rif_bytes = 0;
254 /* this is a silly hack for Linux 2.0.x. Read the comment below,
255 in front of the other #ifdef linux. If we're sniffing our own NIC,
256 we get a full RIF, sometimes with garbage */
257 if ((source_routed && trn_rif_bytes == 2 && frame_type == 1) ||
258 (!source_routed && frame_type == 1)) {
259 /* look for SNAP or IPX only */
260 if ( (pd[offset + 0x20] == 0xaa && pd[offset + 0x21] == 0xaa && pd[offset + 0x22] == 03) ||
261 (pd[offset + 0x20] == 0xe0 && pd[offset + 0x21] == 0xe0) ) {
262 actual_rif_bytes = 18;
264 pd[offset + 0x23] == 0 &&
265 pd[offset + 0x24] == 0 &&
266 pd[offset + 0x25] == 0 &&
267 pd[offset + 0x26] == 0x00 &&
268 pd[offset + 0x27] == 0x11) {
270 actual_rif_bytes = 18;
272 /* Linux 2.0.x also requires drivers pass up a fake SNAP and LLC header before th
273 real LLC hdr for all Token Ring frames that arrive with DSAP and SSAP != 0xAA
274 (i.e. for non SNAP frames e.g. for Netware frames)
275 the fake SNAP header has the ETH_P_TR_802_2 ether type (0x0011) and the protocol id
276 bytes as zero frame looks like :-
277 TR Header | Fake LLC | Fake SNAP | Wire LLC | Rest of data */
278 offset += 8; /* Skip fake LLC and SNAP */
282 offset += actual_rif_bytes + TR_MIN_HEADER_LEN;
284 /* The package is either MAC or LLC */
285 switch (frame_type) {
291 capture_llc(pd, offset, len, ld);
294 /* non-MAC, non-LLC, i.e., "Reserved" */
302 dissect_tr(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
304 proto_tree *tr_tree, *bf_tree;
310 volatile int fixoffset = 0;
311 volatile int source_routed = 0;
312 volatile guint8 trn_rif_bytes;
313 volatile guint8 actual_rif_bytes;
314 volatile guint8 c1_nonsr;
315 volatile guint8 c2_nonsr;
316 volatile guint16 first2_sr;
317 tvbuff_t *volatile tr_tvb;
319 /* The trn_hdr struct, as separate variables */
320 guint8 trn_ac; /* access control field */
321 guint8 trn_fc; /* field control field */
322 const guint8 *trn_dhost; /* destination host */
323 const guint8 *trn_shost; /* source host */
325 /* non-source-routed version of source addr */
326 static guint8 trn_shost_nonsr[6];
329 /* Token-Ring Strings */
330 char *fc[] = { "MAC", "LLC", "Reserved", "Unknown" };
332 if (check_col(pinfo->cinfo, COL_PROTOCOL))
333 col_set_str(pinfo->cinfo, COL_PROTOCOL, "TR");
335 if ((x = check_for_old_linux_tvb((tvbuff_t*) tvb))) {
336 /* Actually packet starts x bytes into what we have got but with all
337 source routing compressed. See comment above */
338 tr_tvb = tvb_new_subset((tvbuff_t*) tvb, x, -1, -1);
345 trn_fc = tvb_get_guint8(tr_tvb, 1);
346 trn_dhost = tvb_get_ptr(tr_tvb, 2, 6);
347 trn_shost = tvb_get_ptr(tr_tvb, 8, 6);
350 memcpy(trn_shost_nonsr, trn_shost, 6);
351 trn_shost_nonsr[0] &= 127;
352 frame_type = (trn_fc & 192) >> 6;
354 if (check_col(pinfo->cinfo, COL_INFO))
355 col_add_fstr(pinfo->cinfo, COL_INFO, "Token-Ring %s", fc[frame_type]);
357 /* if the high bit on the first byte of src hwaddr is 1, then
358 this packet is source-routed */
359 source_routed = trn_shost[0] & 128;
361 trn_rif_bytes = tvb_get_guint8(tr_tvb, 14) & 31;
363 /* the Linux 2.0 TR code strips source-route bits in
364 * order to test for SR. This can be removed from most
365 * packets with oltr, but not all. So, I try to figure out
366 * which packets should have been SR here. I'll check to
367 * see if there's a SNAP or IPX field right after
370 * The Linux 2.4.18 code, at least appears to do the
371 * same thing, from a capture I got from somebody running
372 * 2.4.18 (RH 7.1, so perhaps this is a Red Hat
375 if (frame_type == 1 && !source_routed && trn_rif_bytes > 0) {
378 c1_nonsr = tvb_get_guint8(tr_tvb, 14);
379 c2_nonsr = tvb_get_guint8(tr_tvb, 15);
381 if (c1_nonsr != c2_nonsr) {
383 first2_sr = tvb_get_ntohs(tr_tvb, trn_rif_bytes + 0x0e);
385 if ( ( first2_sr == 0xaaaa &&
386 tvb_get_guint8(tr_tvb, trn_rif_bytes + 0x10) == 0x03) ||
388 first2_sr == 0xe0e0 ||
389 first2_sr == 0xe0aa ) {
396 /* We had no information beyond the TR header. Just assume
397 * this is a normal (non-Linux) TR header. */
404 actual_rif_bytes = trn_rif_bytes;
408 actual_rif_bytes = 0;
411 /* this is a silly hack for Linux 2.0.x. Read the comment below,
412 in front of the other #ifdef linux. If we're sniffing our own NIC,
413 we get a full RIF, sometimes with garbage */
415 if (frame_type == 1 && ( (source_routed && trn_rif_bytes == 2) ||
417 /* look for SNAP or IPX only */
419 (tvb_get_ntohs(tr_tvb, 0x20) == 0xaaaa &&
420 tvb_get_guint8(tr_tvb, 0x22) == 0x03)
422 tvb_get_ntohs(tr_tvb, 0x20) == 0xe0e0 ) {
424 actual_rif_bytes = 18;
427 tvb_get_ntohl(tr_tvb, 0x23) == 0 &&
428 tvb_get_guint8(tr_tvb, 0x27) == 0x11) {
430 actual_rif_bytes = 18;
432 /* Linux 2.0.x also requires drivers pass up a fake SNAP and LLC header before th
433 real LLC hdr for all Token Ring frames that arrive with DSAP and SSAP != 0xAA
434 (i.e. for non SNAP frames e.g. for Netware frames)
435 the fake SNAP header has the ETH_P_TR_802_2 ether type (0x0011) and the protocol id
436 bytes as zero frame looks like :-
437 TR Header | Fake LLC | Fake SNAP | Wire LLC | Rest of data */
438 fixoffset += 8; /* Skip fake LLC and SNAP */
443 /* We had no information beyond the TR header. Just assume
444 * this is a normal (non-Linux) TR header. */
450 /* XXX - copy it to some buffer associated with "*pinfo", rather than
451 just making "trn_shost_nonsr" static? */
452 SET_ADDRESS(&pinfo->dl_src, AT_ETHER, 6, trn_shost_nonsr);
453 SET_ADDRESS(&pinfo->src, AT_ETHER, 6, trn_shost_nonsr);
454 SET_ADDRESS(&pinfo->dl_dst, AT_ETHER, 6, trn_dhost);
455 SET_ADDRESS(&pinfo->dst, AT_ETHER, 6, trn_dhost);
457 /* protocol analysis tree */
459 /* Create Token-Ring Tree */
460 ti = proto_tree_add_item(tree, proto_tr, tr_tvb, 0, TR_MIN_HEADER_LEN + actual_rif_bytes, FALSE);
461 tr_tree = proto_item_add_subtree(ti, ett_token_ring);
463 /* Create the Access Control bitfield tree */
464 trn_ac = tvb_get_guint8(tr_tvb, 0);
465 ti = proto_tree_add_uint(tr_tree, hf_tr_ac, tr_tvb, 0, 1, trn_ac);
466 bf_tree = proto_item_add_subtree(ti, ett_token_ring_ac);
468 proto_tree_add_uint(bf_tree, hf_tr_priority, tr_tvb, 0, 1, trn_ac);
469 proto_tree_add_boolean(bf_tree, hf_tr_frame, tr_tvb, 0, 1, trn_ac);
470 proto_tree_add_uint(bf_tree, hf_tr_monitor_cnt, tr_tvb, 0, 1, trn_ac);
471 proto_tree_add_uint(bf_tree, hf_tr_priority_reservation, tr_tvb, 0, 1, trn_ac);
473 /* Create the Frame Control bitfield tree */
474 ti = proto_tree_add_uint(tr_tree, hf_tr_fc, tr_tvb, 1, 1, trn_fc);
475 bf_tree = proto_item_add_subtree(ti, ett_token_ring_fc);
477 proto_tree_add_uint(bf_tree, hf_tr_fc_type, tr_tvb, 1, 1, trn_fc);
478 proto_tree_add_uint(bf_tree, hf_tr_fc_pcf, tr_tvb, 1, 1, trn_fc);
479 proto_tree_add_ether(tr_tree, hf_tr_dst, tr_tvb, 2, 6, trn_dhost);
480 proto_tree_add_ether(tr_tree, hf_tr_src, tr_tvb, 8, 6, trn_shost);
481 proto_tree_add_ether_hidden(tr_tree, hf_tr_addr, tr_tvb, 2, 6, trn_dhost);
482 proto_tree_add_ether_hidden(tr_tree, hf_tr_addr, tr_tvb, 8, 6, trn_shost);
484 proto_tree_add_boolean(tr_tree, hf_tr_sr, tr_tvb, 8, 1, source_routed);
486 /* non-source-routed version of src addr */
487 proto_tree_add_ether_hidden(tr_tree, hf_tr_src, tr_tvb, 8, 6, trn_shost_nonsr);
491 rcf1 = tvb_get_guint8(tr_tvb, 14);
492 proto_tree_add_uint(tr_tree, hf_tr_rif_bytes, tr_tvb, 14, 1, trn_rif_bytes);
493 proto_tree_add_uint(tr_tree, hf_tr_broadcast, tr_tvb, 14, 1, rcf1 & 224);
496 rcf2 = tvb_get_guint8(tr_tvb, 15);
497 proto_tree_add_uint(tr_tree, hf_tr_max_frame_size, tr_tvb, 15, 1, rcf2 & 112);
498 proto_tree_add_uint(tr_tree, hf_tr_direction, tr_tvb, 15, 1, rcf2 & 128);
500 /* if we have more than 2 bytes of RIF, then we have
502 if (trn_rif_bytes > 2) {
503 add_ring_bridge_pairs(trn_rif_bytes, tr_tvb, tr_tree);
507 /* Linux 2.0.x has a problem in that the 802.5 code creates
508 an emtpy full (18-byte) RIF area. It's up to the tr driver to
509 either fill it in or remove it before sending the bytes out
510 to the wire. If you run tcpdump on a Linux 2.0.x machine running
511 token-ring, tcpdump will capture these 18 filler bytes. They
512 are filled with garbage. The best way to detect this problem is
513 to know the src hwaddr of the machine from which you were running
514 tcpdump. W/o that, however, I'm guessing that DSAP == SSAP if the
515 frame type is LLC. It's very much a hack. */
516 if (actual_rif_bytes > trn_rif_bytes) {
517 proto_tree_add_text(tr_tree, tr_tvb, TR_MIN_HEADER_LEN + trn_rif_bytes, actual_rif_bytes - trn_rif_bytes,
518 "Empty RIF from Linux 2.0.x driver. The sniffing NIC "
519 "is also running a protocol stack.");
522 proto_tree_add_text(tr_tree, tr_tvb, TR_MIN_HEADER_LEN + 18,8,"Linux 2.0.x fake LLC and SNAP header");
526 next_tvb = tvb_new_subset(tr_tvb, TR_MIN_HEADER_LEN + actual_rif_bytes + fixoffset, -1, -1);
528 /* The package is either MAC or LLC */
529 switch (frame_type) {
532 call_dissector(trmac_handle, next_tvb, pinfo, tree);
535 call_dissector(llc_handle, next_tvb, pinfo, tree);
538 /* non-MAC, non-LLC, i.e., "Reserved" */
539 call_dissector(data_handle,next_tvb, pinfo, tree);
544 /* this routine is taken from the Linux net/802/tr.c code, which shows
545 ring-bridge pairs in the /proc/net/tr_rif virtual file. */
547 add_ring_bridge_pairs(int rcf_len, tvbuff_t *tvb, proto_tree *tree)
550 int segment, brdgnmb, unprocessed_rif;
553 #define RIF_OFFSET 16
554 #define RIF_BYTES_TO_PROCESS 30
556 char buffer[3 + (RIF_BYTES_TO_PROCESS / 2) * 6 + 1];
558 /* Only process so many bytes of RIF, as per TR spec, and not overflow
559 * static buffer above */
560 unprocessed_rif = rcf_len - RIF_BYTES_TO_PROCESS;
561 rcf_len = MIN(rcf_len, RIF_BYTES_TO_PROCESS);
563 /* Ignore the 2 RCF bytes, since they don't make up the ring/bride pairs */
566 for(j = 1; j < rcf_len - 1; j += 2) {
568 segment = tvb_get_ntohs(tvb, RIF_OFFSET) >> 4;
569 size = sprintf(buffer, "%03X",segment);
570 proto_tree_add_uint_hidden(tree, hf_tr_rif_ring, tvb, TR_MIN_HEADER_LEN + 2, 2, segment);
573 segment = tvb_get_ntohs(tvb, RIF_OFFSET + 1 + j) >> 4;
574 brdgnmb = tvb_get_guint8(tvb, RIF_OFFSET + j) & 0x0f;
575 size = sprintf(buffer+buff_offset, "-%01X-%03X",brdgnmb,segment);
576 proto_tree_add_uint_hidden(tree, hf_tr_rif_ring, tvb, TR_MIN_HEADER_LEN + 3 + j, 2, segment);
577 proto_tree_add_uint_hidden(tree, hf_tr_rif_bridge, tvb, TR_MIN_HEADER_LEN + 2 + j, 1, brdgnmb);
580 proto_tree_add_string(tree, hf_tr_rif, tvb, TR_MIN_HEADER_LEN + 2, rcf_len, buffer);
582 if (unprocessed_rif > 0) {
583 proto_tree_add_text(tree, tvb, TR_MIN_HEADER_LEN + RIF_BYTES_TO_PROCESS, unprocessed_rif,
584 "Extra RIF bytes beyond spec: %d", unprocessed_rif);
589 proto_register_tr(void)
591 static hf_register_info hf[] = {
593 { "Access Control", "tr.ac", FT_UINT8, BASE_HEX, NULL, 0x0,
597 { "Priority", "tr.priority", FT_UINT8, BASE_DEC, NULL, 0xe0,
601 { "Frame", "tr.frame", FT_BOOLEAN, 8, TFS(&ac_truth), 0x10,
604 { &hf_tr_monitor_cnt,
605 { "Monitor Count", "tr.monitor_cnt", FT_UINT8, BASE_DEC, NULL, 0x08,
608 { &hf_tr_priority_reservation,
609 { "Priority Reservation","tr.priority_reservation", FT_UINT8, BASE_DEC, NULL, 0x07,
613 { "Frame Control", "tr.fc", FT_UINT8, BASE_HEX, NULL, 0x0,
617 { "Frame Type", "tr.frame_type", FT_UINT8, BASE_DEC, VALS(frame_vals), 0xc0,
621 { "Frame PCF", "tr.frame_pcf", FT_UINT8, BASE_DEC, VALS(pcf_vals), 0x0f,
625 { "Destination", "tr.dst", FT_ETHER, BASE_NONE, NULL, 0x0,
626 "Destination Hardware Address", HFILL }},
629 { "Source", "tr.src", FT_ETHER, BASE_NONE, NULL, 0x0,
630 "Source Hardware Address", HFILL }},
633 { "Source or Destination Address", "tr.addr", FT_ETHER, BASE_NONE, NULL, 0x0,
634 "Source or Destination Hardware Address", HFILL }},
637 { "Source Routed", "tr.sr", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
638 "Source Routed", HFILL }},
641 { "RIF Bytes", "tr.rif_bytes", FT_UINT8, BASE_DEC, NULL, 0x0,
642 "Number of bytes in Routing Information Fields, including "
643 "the two bytes of Routing Control Field", HFILL }},
646 { "Broadcast Type", "tr.broadcast", FT_UINT8, BASE_DEC, VALS(broadcast_vals), 0x0,
647 "Type of Token-Ring Broadcast", HFILL }},
649 { &hf_tr_max_frame_size,
650 { "Maximum Frame Size", "tr.max_frame_size", FT_UINT8, BASE_DEC, VALS(max_frame_size_vals),
655 { "Direction", "tr.direction", FT_UINT8, BASE_DEC, VALS(direction_vals), 0x0,
656 "Direction of RIF", HFILL }},
659 { "Ring-Bridge Pairs", "tr.rif", FT_STRING, BASE_NONE, NULL, 0x0,
660 "String representing Ring-Bridge Pairs", HFILL }},
663 { "RIF Ring", "tr.rif.ring", FT_UINT16, BASE_HEX, NULL, 0x0,
667 { "RIF Bridge", "tr.rif.bridge", FT_UINT8, BASE_HEX, NULL, 0x0,
670 static gint *ett[] = {
676 proto_tr = proto_register_protocol("Token-Ring", "Token-Ring", "tr");
677 proto_register_field_array(proto_tr, hf, array_length(hf));
678 proto_register_subtree_array(ett, array_length(ett));
679 register_dissector("tr", dissect_tr, proto_tr);
683 proto_reg_handoff_tr(void)
685 dissector_handle_t tr_handle;
688 * Get handles for the TR MAC and LLC dissectors.
690 trmac_handle = find_dissector("trmac");
691 llc_handle = find_dissector("llc");
692 data_handle = find_dissector("data");
694 tr_handle = find_dissector("tr");
695 dissector_add("wtap_encap", WTAP_ENCAP_TOKEN_RING, tr_handle);
git.samba.org / obnox / wireshark / wip.git / blob