2 * Routines for Token-Ring packet disassembly
3 * Gilbert Ramirez <gram@verdict.uthscsa.edu>
5 * $Id: packet-tr.c,v 1.27 1999/09/17 04:20:22 gram Exp $
7 * Ethereal - Network traffic analyzer
8 * By Gerald Combs <gerald@unicom.net>
9 * Copyright 1998 Gerald Combs
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version 2
15 * of the License, or (at your option) any later version.
17 * This program is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU General Public License for more details.
22 * You should have received a copy of the GNU General Public License
23 * along with this program; if not, write to the Free Software
24 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
31 #ifdef HAVE_SYS_TYPES_H
32 # include <sys/types.h>
39 static int proto_tr = -1;
40 static int hf_tr_dst = -1;
41 static int hf_tr_src = -1;
42 static int hf_tr_sr = -1;
43 static int hf_tr_ac = -1;
44 static int hf_tr_priority = -1;
45 static int hf_tr_frame = -1;
46 static int hf_tr_monitor_cnt = -1;
47 static int hf_tr_priority_reservation = -1;
48 static int hf_tr_fc = -1;
49 static int hf_tr_fc_type = -1;
50 static int hf_tr_fc_pcf = -1;
51 static int hf_tr_rif_bytes = -1;
52 static int hf_tr_broadcast = -1;
53 static int hf_tr_max_frame_size = -1;
54 static int hf_tr_direction = -1;
55 static int hf_tr_rif = -1;
56 static int hf_tr_rif_ring = -1;
57 static int hf_tr_rif_bridge = -1;
59 #define TR_MIN_HEADER_LEN 14
60 #define TR_MAX_HEADER_LEN 32
62 static const value_string ac_vals[] = {
68 static const value_string pcf_vals[] = {
69 { 0, "Normal buffer" },
70 { 1, "Express buffer" },
74 { 5, "Active Monitor Present" },
75 { 6, "Standby Monitor Present" },
79 static const value_string frame_vals[] = {
86 static const value_string broadcast_vals[] = {
87 { 0 << 5, "Non-broadcast" },
88 { 1 << 5, "Non-broadcast" },
89 { 2 << 5, "Non-broadcast" },
90 { 3 << 5, "Non-broadcast" },
91 { 4 << 5, "All-routes broadcast" },
92 { 5 << 5, "All-routes broadcast" },
93 { 6 << 5, "Single-route broadcast" },
94 { 7 << 5, "Single-route broadcast" },
98 static const value_string max_frame_size_vals[] = {
109 static const value_string direction_vals[] = {
110 { 0, "From originating station (-->)" },
111 { 128, "To originating station (<--)" },
116 * DODGY LINUX HACK DODGY LINUX HACK
117 * Linux 2.0.x always passes frames to the Token Ring driver for transmission with
118 * 18 bytes padding for source routing information. Some drivers copy the first
119 * (18 - srlen) bytes up the frame (18 - srlen) bytes thus removing the padding.
120 * Other drivers just make a copy of the entire frame and then hack about with it
121 * so the frame the sniffer gets is fine (just has extra sr routing).
122 * In the first instance (driver hacking frame in situ) the sniffer gets a garbled
124 * This function trys to detect this and returns the offset of where
125 * the frame really starts.
126 * This only detects frames that we have sent ourselves so if we are packet sniffing
127 * on the machine we are watching this is useful.
128 * Compare offset 0 with offset x+1 for a length of x bytes for all value of x = 1 to 18
129 * if match then Linux driver has done in situ source route compression of the crappy
130 * Linux 2.0.x frame so the beginning of the real frame is x bytes in.
131 * (And this real frame x bytes in looks like a proper TR frame that goes on the wire
132 * with none of the Linux idiosyncrasies).
134 int check_for_old_linux(const u_char * pd)
139 if (memcmp(&pd[0],&pd[x],x) == 0)
148 add_ring_bridge_pairs(int rcf_len, const u_char *pd, int offset, proto_tree *tree);
151 capture_tr(const u_char *pd, guint32 cap_len, packet_counts *ld) {
155 int source_routed = 0;
158 guint8 trn_rif_bytes;
159 guint8 actual_rif_bytes;
161 /* The trn_hdr struct, as separate variables */
162 guint8 trn_fc; /* field control field */
163 guint8 trn_shost[6]; /* source host */
165 if (cap_len < TR_MAX_HEADER_LEN) {
170 if ((x = check_for_old_linux(pd)))
172 /* Actually packet starts x bytes into what we have got but with all
173 source routing compressed
175 /* pd = &pd[x]; */ offset+=x;
179 memcpy(&trn_fc, &pd[offset + 1], sizeof(guint8));
180 memcpy(trn_shost, &pd[offset + 8], 6 * sizeof(guint8));
182 frame_type = (trn_fc & 192) >> 6;
184 /* if the high bit on the first byte of src hwaddr is 1, then
185 this packet is source-routed */
186 source_routed = trn_shost[0] & 128;
188 trn_rif_bytes = pd[offset + 14] & 31;
190 /* sometimes we have a RCF but no RIF... half source-routed? */
191 if (!source_routed && trn_rif_bytes > 0) {
192 /* I'll check for 2 bytes of RIF and mark the packet as source
193 * routed even though I'm not sure _what_ that kind of packet is */
194 if (trn_rif_bytes == 2) {
197 /* the Linux 2.0 TR code strips source-route bits in
198 * order to test for SR. This can be removed from most
199 * packets with oltr, but not all. So, I try to figure out
200 * which packets should have been SR here. I'll check to
201 * see if there's a SNAP or IPX field right after
205 pd[offset + 0x0e + trn_rif_bytes] == 0xaa &&
206 pd[offset + 0x0f + trn_rif_bytes] == 0xaa &&
207 pd[offset + 0x10 + trn_rif_bytes] == 0x03) ||
209 pd[offset + 0x0e + trn_rif_bytes] == 0xe0 &&
210 pd[offset + 0x0f + trn_rif_bytes] == 0xe0) ) {
218 actual_rif_bytes = trn_rif_bytes;
222 actual_rif_bytes = 0;
225 /* this is a silly hack for Linux 2.0.x. Read the comment below,
226 in front of the other #ifdef linux. If we're sniffing our own NIC,
227 we get a full RIF, sometimes with garbage */
228 if ((source_routed && trn_rif_bytes == 2 && frame_type == 1) ||
229 (!source_routed && frame_type == 1)) {
230 /* look for SNAP or IPX only */
231 if ( (pd[offset + 0x20] == 0xaa && pd[offset + 0x21] == 0xaa && pd[offset + 0x22] == 03) ||
232 (pd[offset + 0x20] == 0xe0 && pd[offset + 0x21] == 0xe0) ) {
233 actual_rif_bytes = 18;
235 pd[offset + 0x23] == 0 &&
236 pd[offset + 0x24] == 0 &&
237 pd[offset + 0x25] == 0 &&
238 pd[offset + 0x26] == 0x00 &&
239 pd[offset + 0x27] == 0x11) {
241 actual_rif_bytes = 18;
243 /* Linux 2.0.x also requires drivers pass up a fake SNAP and LLC header before th
244 real LLC hdr for all Token Ring frames that arrive with DSAP and SSAP != 0xAA
245 (i.e. for non SNAP frames e.g. for Netware frames)
246 the fake SNAP header has the ETH_P_TR_802_2 ether type (0x0011) and the protocol id
247 bytes as zero frame looks like :-
248 TR Header | Fake LLC | Fake SNAP | Wire LLC | Rest of data */
249 offset += 8; /* Skip fake LLC and SNAP */
253 offset += actual_rif_bytes + 14;
255 /* The package is either MAC or LLC */
256 switch (frame_type) {
262 capture_llc(pd, offset, cap_len, ld);
265 /* non-MAC, non-LLC, i.e., "Reserved" */
273 dissect_tr(const u_char *pd, int offset, frame_data *fd, proto_tree *tree) {
275 proto_tree *tr_tree, *bf_tree;
278 int source_routed = 0;
280 guint8 trn_rif_bytes;
281 guint8 actual_rif_bytes;
283 /* The trn_hdr struct, as separate variables */
284 guint8 trn_ac; /* access control field */
285 guint8 trn_fc; /* field control field */
286 guint8 trn_dhost[6]; /* destination host */
287 guint8 trn_shost[6]; /* source host */
288 guint16 trn_rcf; /* routing control field */
289 guint16 trn_rseg[8]; /* routing registers */
291 /* non-source-routed version of source addr */
292 guint8 trn_shost_nonsr[6];
295 /* Token-Ring Strings */
296 char *fc[] = { "MAC", "LLC", "Reserved", "Unknown" };
298 if (fd->cap_len < TR_MIN_HEADER_LEN) {
299 dissect_data(pd, offset, fd, tree);
303 if ((x = check_for_old_linux(pd)))
305 /* Actually packet starts x bytes into what we have got but with all
306 source routing compressed. See comment above */
313 memcpy(&trn_ac, &pd[offset+0], sizeof(guint8));
314 memcpy(&trn_fc, &pd[offset+1], sizeof(guint8));
315 memcpy(trn_dhost, &pd[offset+2], 6 * sizeof(guint8));
316 memcpy(trn_shost, &pd[offset+8], 6 * sizeof(guint8));
317 memcpy(&trn_rcf, &pd[offset+14], sizeof(guint16));
318 memcpy(trn_rseg, &pd[offset+16], 8 * sizeof(guint16));
320 memcpy(trn_shost_nonsr, &pd[offset+8], 6 * sizeof(guint8));
321 trn_shost_nonsr[0] &= 127;
322 frame_type = (trn_fc & 192) >> 6;
324 /* if the high bit on the first byte of src hwaddr is 1, then
325 this packet is source-routed */
326 source_routed = trn_shost[0] & 128;
328 trn_rif_bytes = pd[offset+14] & 31;
330 /* sometimes we have a RCF but no RIF... half source-routed? */
331 /* I'll check for 2 bytes of RIF and the 0x70 byte */
332 if (!source_routed && trn_rif_bytes > 0) {
333 if (trn_rif_bytes == 2) {
336 /* the Linux 2.0 TR code strips source-route bits in
337 * order to test for SR. This can be removed from most
338 * packets with oltr, but not all. So, I try to figure out
339 * which packets should have been SR here. I'll check to
340 * see if there's a SNAP or IPX field right after
344 pd[offset + 0x0e + trn_rif_bytes] == 0xaa &&
345 pd[offset + 0x0f + trn_rif_bytes] == 0xaa &&
346 pd[offset + 0x10 + trn_rif_bytes] == 0x03) ||
348 pd[offset + 0x0e + trn_rif_bytes] == 0xe0 &&
349 pd[offset + 0x0f + trn_rif_bytes] == 0xe0) ) {
354 printf("0e+%d = %02X 0f+%d = %02X\n", trn_rif_bytes,
355 pd[offset + 0x0e + trn_rif_bytes],
357 pd[offset + 0x0f + trn_rif_bytes]);
363 actual_rif_bytes = trn_rif_bytes;
367 actual_rif_bytes = 0;
370 /* this is a silly hack for Linux 2.0.x. Read the comment below,
371 in front of the other #ifdef linux. If we're sniffing our own NIC,
372 we get a full RIF, sometimes with garbage */
373 if ((source_routed && trn_rif_bytes == 2 && frame_type == 1) ||
374 (!source_routed && frame_type == 1)) {
375 /* look for SNAP or IPX only */
376 if ( (pd[offset + 0x20] == 0xaa &&
377 pd[offset + 0x21] == 0xaa &&
378 pd[offset + 0x22] == 03)
380 (pd[offset + 0x20] == 0xe0 &&
381 pd[offset + 0x21] == 0xe0) ) {
383 actual_rif_bytes = 18;
392 actual_rif_bytes = 18;
394 /* Linux 2.0.x also requires drivers pass up a fake SNAP and LLC header before th
395 real LLC hdr for all Token Ring frames that arrive with DSAP and SSAP != 0xAA
396 (i.e. for non SNAP frames e.g. for Netware frames)
397 the fake SNAP header has the ETH_P_TR_802_2 ether type (0x0011) and the protocol id
398 bytes as zero frame looks like :-
399 TR Header | Fake LLC | Fake SNAP | Wire LLC | Rest of data */
400 fixoffset += 8; /* Skip fake LLC and SNAP */
404 /* information window */
405 if (check_col(fd, COL_RES_DL_DST))
406 col_add_str(fd, COL_RES_DL_DST,
407 ether_to_str((guint8 *)&pd[offset + 2]));
408 if (check_col(fd, COL_RES_DL_SRC))
409 col_add_str(fd, COL_RES_DL_SRC, ether_to_str(trn_shost_nonsr));
410 if (check_col(fd, COL_PROTOCOL))
411 col_add_str(fd, COL_PROTOCOL, "TR");
412 if (check_col(fd, COL_INFO))
413 col_add_fstr(fd, COL_INFO, "Token-Ring %s", fc[frame_type]);
415 /* protocol analysis tree */
417 /* Create Token-Ring Tree */
418 ti = proto_tree_add_item(tree, proto_tr, offset, 14 + actual_rif_bytes, NULL);
419 tr_tree = proto_item_add_subtree(ti, ETT_TOKEN_RING);
421 /* Create the Access Control bitfield tree */
422 ti = proto_tree_add_item_format(tr_tree, hf_tr_ac, offset, 1, trn_ac,
423 "Access Control (0x%02x)", trn_ac);
424 bf_tree = proto_item_add_subtree(ti, ETT_TOKEN_RING_AC);
426 proto_tree_add_item_format(bf_tree, hf_tr_priority, offset, 1, trn_ac & 0xe0,
427 decode_numeric_bitfield(trn_ac, 0xe0, 8, "Priority = %d"));
429 proto_tree_add_item_format(bf_tree, hf_tr_frame, offset, 1, trn_ac & 0x10,
430 decode_enumerated_bitfield(trn_ac, 0x10, 8, ac_vals, "%s"));
432 proto_tree_add_item_format(bf_tree, hf_tr_monitor_cnt, offset, 1, trn_ac & 0x08,
433 decode_numeric_bitfield(trn_ac, 0x08, 8, "Monitor Count"));
435 proto_tree_add_item_format(bf_tree, hf_tr_priority_reservation, offset, 1, trn_ac & 0x07,
436 decode_numeric_bitfield(trn_ac, 0x07, 8, "Priority Reservation = %d"));
438 /* Create the Frame Control bitfield tree */
439 ti = proto_tree_add_item_format(tr_tree, hf_tr_fc, offset + 1, 1, trn_fc,
440 "Frame Control (0x%02x)", trn_fc);
441 bf_tree = proto_item_add_subtree(ti, ETT_TOKEN_RING_FC);
443 proto_tree_add_item_format(bf_tree, hf_tr_fc_type, offset + 1, 1, trn_fc & 0xc0,
444 decode_enumerated_bitfield(trn_fc, 0xc0, 8, frame_vals, "%s"));
446 proto_tree_add_item_format(bf_tree, hf_tr_fc_pcf, offset + 1, 1, trn_fc & 0x0f,
447 decode_enumerated_bitfield(trn_fc, 0x0f, 8, pcf_vals, "%s"));
449 proto_tree_add_item(tr_tree, hf_tr_dst, offset + 2, 6, trn_dhost);
450 proto_tree_add_item(tr_tree, hf_tr_src, offset + 8, 6, trn_shost);
452 proto_tree_add_item_hidden(tr_tree, hf_tr_sr, offset + 8, 1, source_routed);
454 /* non-source-routed version of src addr */
455 proto_tree_add_item_hidden(tr_tree, hf_tr_src, offset + 8, 6, trn_shost_nonsr);
459 proto_tree_add_item(tr_tree, hf_tr_rif_bytes, offset + 14, 1, trn_rif_bytes);
460 proto_tree_add_item(tr_tree, hf_tr_broadcast, offset + 14, 1, pd[offset + 14] & 224);
463 proto_tree_add_item(tr_tree, hf_tr_max_frame_size, offset + 15, 1, pd[offset + 15] & 112);
464 proto_tree_add_item(tr_tree, hf_tr_direction, offset + 15, 1, pd[offset + 15] & 128);
466 /* if we have more than 2 bytes of RIF, then we have
468 if (trn_rif_bytes > 18) {
469 proto_tree_add_text(tr_tree, offset + 14, 1,
470 "Illegal number of RIF bytes: %d", trn_rif_bytes);
471 } else if (trn_rif_bytes > 2) {
472 add_ring_bridge_pairs(trn_rif_bytes,
473 pd + offset, offset, tr_tree);
477 /* Linux 2.0.x has a problem in that the 802.5 code creates
478 an emtpy full (18-byte) RIF area. It's up to the tr driver to
479 either fill it in or remove it before sending the bytes out
480 to the wire. If you run tcpdump on a Linux 2.0.x machine running
481 token-ring, tcpdump will capture these 18 filler bytes. They
482 are filled with garbage. The best way to detect this problem is
483 to know the src hwaddr of the machine from which you were running
484 tcpdump. W/o that, however, I'm guessing that DSAP == SSAP if the
485 frame type is LLC. It's very much a hack. -- Gilbert Ramirez */
486 if (actual_rif_bytes > trn_rif_bytes) {
487 proto_tree_add_text(tr_tree, 14 + trn_rif_bytes, actual_rif_bytes - trn_rif_bytes,
488 "Empty RIF from Linux 2.0.x driver. The sniffing NIC "
489 "is also running a protocol stack.");
492 proto_tree_add_text(tr_tree, 14 + 18,8,"Linux 2.0.x fake LLC and SNAP header");
495 offset += 14 + actual_rif_bytes + fixoffset;
497 /* The package is either MAC or LLC */
498 switch (frame_type) {
501 dissect_trmac(pd, offset, fd, tree);
504 dissect_llc(pd, offset, fd, tree);
507 /* non-MAC, non-LLC, i.e., "Reserved" */
508 dissect_data(pd, offset, fd, tree);
513 /* this routine is taken from the Linux net/802/tr.c code, which shows
514 ring-bridge pairs in the /proc/net/tr_rif virtual file. */
516 add_ring_bridge_pairs(int rcf_len, const u_char *pd, int offset, proto_tree *tree)
519 int segment, brdgnmb;
525 for(j = 1; j < rcf_len - 1; j += 2) {
527 segment=pntohs(&pd[offset + 16]) >> 4;
528 size = sprintf(buffer, "%03X",segment);
529 proto_tree_add_item_hidden(tree, hf_tr_rif_ring, offset + 16, 2, segment);
532 segment=pntohs(&pd[offset+17+j]) >> 4;
533 brdgnmb=pd[offset+16+j] & 0x0f;
534 size = sprintf(buffer+buff_offset, "-%01X-%03X",brdgnmb,segment);
535 proto_tree_add_item_hidden(tree, hf_tr_rif_ring, offset+17+j, 2, segment);
536 proto_tree_add_item_hidden(tree, hf_tr_rif_bridge, offset+16+j, 1, brdgnmb);
539 proto_tree_add_item(tree, hf_tr_rif, offset+16, rcf_len, buffer);
543 proto_register_tr(void)
545 static hf_register_info hf[] = {
547 { "Access Control", "tr.ac", FT_UINT8, NULL }},
550 { "Priority", "tr.priority", FT_UINT8, NULL }},
553 { "Frame", "tr.frame", FT_VALS_UINT8, VALS(ac_vals) }},
555 { &hf_tr_monitor_cnt,
556 { "Monitor Count", "tr.monitor_cnt", FT_UINT8, NULL }},
558 { &hf_tr_priority_reservation,
559 { "Priority Reservation","tr.priority_reservation", FT_UINT8, NULL }},
562 { "Frame Control", "tr.fc", FT_UINT8, NULL }},
565 { "Frame Type", "tr.frame_type", FT_VALS_UINT8, VALS(frame_vals) }},
568 { "Frame PCF", "tr.frame_pcf", FT_VALS_UINT8, VALS(pcf_vals) }},
571 { "Destination", "tr.dst", FT_ETHER, NULL }},
574 { "Source", "tr.src", FT_ETHER, NULL }},
577 { "Source Routed", "tr.sr", FT_BOOLEAN, NULL }},
580 { "RIF Bytes", "tr.rif_bytes", FT_UINT8, NULL }},
583 { "Broadcast Type", "tr.broadcast", FT_VALS_UINT8, VALS(broadcast_vals) }},
585 { &hf_tr_max_frame_size,
586 { "Maximum Frame Size", "tr.max_frame_size", FT_VALS_UINT8, VALS(max_frame_size_vals) }},
589 { "Direction", "tr.direction", FT_VALS_UINT8, VALS(direction_vals) }},
592 { "Ring-Bridge Pairs", "tr.rif", FT_STRING, NULL }},
595 { "RIF Ring", "tr.rif.ring", FT_UINT16, NULL }},
598 { "RIF Bridge", "tr.rif.bridge", FT_UINT8, NULL }}
601 proto_tr = proto_register_protocol("Token-Ring", "tr");
602 proto_register_field_array(proto_tr, hf, array_length(hf));