2 * Routines for packet disassembly
4 * $Id: packet.c,v 1.63 2000/01/10 17:32:52 gram Exp $
6 * Ethereal - Network traffic analyzer
7 * By Gerald Combs <gerald@zing.org>
8 * Copyright 1998 Gerald Combs
11 * This program is free software; you can redistribute it and/or
12 * modify it under the terms of the GNU General Public License
13 * as published by the Free Software Foundation; either version 2
14 * of the License, or (at your option) any later version.
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
21 * You should have received a copy of the GNU General Public License
22 * along with this program; if not, write to the Free Software
23 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
30 #ifdef HAVE_SYS_TYPES_H
31 # include <sys/types.h>
34 #ifdef HAVE_SYS_SOCKET_H
35 #include <sys/socket.h>
50 #ifdef NEED_SNPRINTF_H
51 # include "snprintf.h"
54 #ifdef HAVE_NETINET_IN_H
55 # include <netinet/in.h>
58 #ifdef HAVE_ARPA_INET_H
59 #include <arpa/inet.h>
62 #ifdef NEED_INET_V6DEFS_H
63 # include "inet_v6defs.h"
68 #include "timestamp.h"
71 #include "packet-atalk.h"
73 #include "packet-ipv6.h"
75 #include "packet-sna.h"
77 #include "packet-vines.h"
83 extern capture_file cf;
85 static int proto_frame = -1;
86 static int hf_frame_arrival_time = -1;
87 static int hf_frame_time_delta = -1;
88 static int hf_frame_number = -1;
89 static int hf_frame_packet_len = -1;
90 static int hf_frame_capture_len = -1;
92 static gint ett_frame = -1;
94 /* Wrapper for the most common case of asking
95 * for a string using a colon as the hex-digit separator.
98 ether_to_str(const guint8 *ad)
100 return ether_to_str_punct(ad, ':');
103 /* Places char punct in the string as the hex-digit separator.
104 * If punct is '\0', no punctuation is applied (and thus
105 * the resulting string is 5 bytes shorter)
108 ether_to_str_punct(const guint8 *ad, char punct) {
109 static gchar str[3][18];
114 static const gchar hex_digits[16] = "0123456789abcdef";
116 if (cur == &str[0][0]) {
118 } else if (cur == &str[1][0]) {
128 *--p = hex_digits[octet&0xF];
130 *--p = hex_digits[octet&0xF];
141 ip_to_str(const guint8 *ad) {
142 static gchar str[3][16];
149 if (cur == &str[0][0]) {
151 } else if (cur == &str[1][0]) {
161 *--p = (octet%10) + '0';
165 if (digit != 0 || octet != 0)
178 ip6_to_str(struct e_in6_addr *ad) {
179 #ifndef INET6_ADDRSTRLEN
180 #define INET6_ADDRSTRLEN 46
182 static gchar buf[INET6_ADDRSTRLEN];
184 inet_ntop(AF_INET6, (u_char*)ad, (gchar*)buf, sizeof(buf));
189 #define PLURALIZE(n) (((n) > 1) ? "s" : "")
190 #define COMMA(do_it) ((do_it) ? ", " : "")
193 time_secs_to_str(guint32 time)
195 static gchar str[3][8+1+4+2+2+5+2+2+7+2+2+7+1];
196 static gchar *cur, *p;
197 int hours, mins, secs;
200 if (cur == &str[0][0]) {
202 } else if (cur == &str[1][0]) {
209 sprintf(cur, "0 time");
222 sprintf(p, "%u day%s", time, PLURALIZE(time));
228 sprintf(p, "%s%u hour%s", COMMA(do_comma), hours, PLURALIZE(hours));
234 sprintf(p, "%s%u minute%s", COMMA(do_comma), mins, PLURALIZE(mins));
240 sprintf(p, "%s%u second%s", COMMA(do_comma), secs, PLURALIZE(secs));
244 /* Max string length for displaying byte string. */
245 #define MAX_BYTE_STR_LEN 20
247 /* Turn an array of bytes into a string showing the bytes in hex. */
248 #define N_BYTES_TO_STR_STRINGS 6
250 bytes_to_str(const guint8 *bd, int bd_len) {
251 static gchar str[N_BYTES_TO_STR_STRINGS][MAX_BYTE_STR_LEN+3+1];
256 static const char hex[16] = { '0', '1', '2', '3', '4', '5', '6', '7',
257 '8', '9', 'A', 'B', 'C', 'D', 'E', 'F' };
260 if (cur_idx >= N_BYTES_TO_STR_STRINGS)
262 cur = &str[cur_idx][0];
264 len = MAX_BYTE_STR_LEN;
265 while (bd_len > 0 && len > 0) {
266 *p++ = hex[(*bd) >> 4];
267 *p++ = hex[(*bd) & 0xF];
273 /* Note that we're not showing the full string. */
282 static const char *mon_names[12] = {
298 abs_time_to_str(struct timeval *abs_time)
302 static char str[3][3+1+2+2+4+1+2+1+2+1+2+1+4+1 + 5 /* extra */];
304 if (cur == &str[0][0]) {
306 } else if (cur == &str[1][0]) {
312 tmp = localtime(&abs_time->tv_sec);
313 sprintf(cur, "%s %2d, %d %02d:%02d:%02d.%04ld",
314 mon_names[tmp->tm_mon],
320 (long)abs_time->tv_usec/100);
326 rel_time_to_str(struct timeval *rel_time)
329 static char str[3][10+1+6+1];
331 if (cur == &str[0][0]) {
333 } else if (cur == &str[1][0]) {
339 sprintf(cur, "%ld.%06ld", (long)rel_time->tv_sec,
340 (long)rel_time->tv_usec);
346 * Given a pointer into a data buffer, and to the end of the buffer,
347 * find the end of the (putative) line at that position in the data
349 * Return a pointer to the EOL character(s) in "*eol".
352 find_line_end(const u_char *data, const u_char *dataend, const u_char **eol)
354 const u_char *lineend;
356 lineend = memchr(data, '\n', dataend - data);
357 if (lineend == NULL) {
359 * No LF - line is probably continued in next TCP segment.
365 * Is the LF at the beginning of the line?
367 if (lineend > data) {
369 * No - is it preceded by a carriage return?
370 * (Perhaps it's supposed to be, but that's not guaranteed....)
372 if (*(lineend - 1) == '\r') {
374 * Yes. The EOL starts with the CR.
379 * No. The EOL starts with the LF.
384 * I seem to remember that we once saw lines ending with LF-CR
385 * in an HTTP request or response, so check if it's *followed*
386 * by a carriage return.
388 if (lineend < (dataend - 1) && *(lineend + 1) == '\r') {
390 * It's <non-LF><LF><CR>; say it ends with the CR.
398 * Point to the character after the last character.
405 #define MAX_COLUMNS_LINE_DETAIL 62
408 * Get the length of the next token in a line, and the beginning of the
409 * next token after that (if any).
410 * Return 0 if there is no next token.
413 get_token_len(const u_char *linep, const u_char *lineend,
414 const u_char **next_token)
416 const u_char *tokenp;
422 * Search for a blank, a CR or an LF, or the end of the buffer.
424 while (linep < lineend && *linep != ' ' && *linep != '\r' && *linep != '\n')
426 token_len = linep - tokenp;
429 * Skip trailing blanks.
431 while (linep < lineend && *linep == ' ')
440 * Given a string, generate a string from it that shows non-printable
441 * characters as C-style escapes, and return a pointer to it.
444 format_text(const u_char *string, int len)
446 static gchar fmtbuf[MAX_COLUMNS_LINE_DETAIL + 3 + 4 + 1];
449 const u_char *stringend = string + len;
454 fmtbufp = &fmtbuf[0];
455 while (string < stringend) {
456 if (column >= MAX_COLUMNS_LINE_DETAIL) {
458 * Put "..." and quit.
460 strcpy(fmtbufp, " ...");
515 *fmtbufp++ = i + '0';
518 *fmtbufp++ = i + '0';
521 *fmtbufp++ = i + '0';
532 /* Tries to match val against each element in the value_string array vs.
533 Returns the associated string ptr on a match.
534 Formats val with fmt, and returns the resulting string, on failure. */
536 val_to_str(guint32 val, const value_string *vs, const char *fmt) {
538 static gchar str[3][64];
541 ret = match_strval(val, vs);
544 if (cur == &str[0][0]) {
546 } else if (cur == &str[1][0]) {
551 snprintf(cur, 64, fmt, val);
555 /* Tries to match val against each element in the value_string array vs.
556 Returns the associated string ptr on a match, or NULL on failure. */
558 match_strval(guint32 val, const value_string *vs) {
561 while (vs[i].strptr) {
562 if (vs[i].value == val)
563 return(vs[i].strptr);
570 /* Generate, into "buf", a string showing the bits of a bitfield.
571 Return a pointer to the character after that string. */
573 decode_bitfield_value(char *buf, guint32 val, guint32 mask, int width)
581 bit = 1 << (width - 1);
584 /* This bit is part of the field. Show its value. */
590 /* This bit is not part of the field. */
605 /* Generate a string describing a Boolean bitfield (a one-bit field that
606 says something is either true of false). */
608 decode_boolean_bitfield(guint32 val, guint32 mask, int width,
609 const char *truedesc, const char *falsedesc)
611 static char buf[1025];
614 p = decode_bitfield_value(buf, val, mask, width);
618 strcpy(p, falsedesc);
622 /* Generate a string describing an enumerated bitfield (an N-bit field
623 with various specific values having particular names). */
625 decode_enumerated_bitfield(guint32 val, guint32 mask, int width,
626 const value_string *tab, const char *fmt)
628 static char buf[1025];
631 p = decode_bitfield_value(buf, val, mask, width);
632 sprintf(p, fmt, val_to_str(val & mask, tab, "Unknown"));
636 /* Generate a string describing a numeric bitfield (an N-bit field whose
637 value is just a number). */
639 decode_numeric_bitfield(guint32 val, guint32 mask, int width,
642 static char buf[1025];
646 /* Compute the number of bits we have to shift the bitfield right
647 to extract its value. */
648 while ((mask & (1<<shift)) == 0)
651 p = decode_bitfield_value(buf, val, mask, width);
652 sprintf(p, fmt, (val & mask) >> shift);
656 /* Checks to see if a particular packet information element is needed for
659 check_col(frame_data *fd, gint el) {
663 for (i = 0; i < fd->cinfo->num_cols; i++) {
664 if (fd->cinfo->fmt_matx[i][el])
671 /* Adds a vararg list to a packet info string. */
673 col_add_fstr(frame_data *fd, gint el, gchar *format, ...) {
678 va_start(ap, format);
679 for (i = 0; i < fd->cinfo->num_cols; i++) {
680 if (fd->cinfo->fmt_matx[i][el]) {
682 max_len = COL_MAX_INFO_LEN;
684 max_len = COL_MAX_LEN;
685 vsnprintf(fd->cinfo->col_data[i], max_len, format, ap);
691 col_add_str(frame_data *fd, gint el, const gchar* str) {
695 for (i = 0; i < fd->cinfo->num_cols; i++) {
696 if (fd->cinfo->fmt_matx[i][el]) {
698 max_len = COL_MAX_INFO_LEN;
700 max_len = COL_MAX_LEN;
701 strncpy(fd->cinfo->col_data[i], str, max_len);
702 fd->cinfo->col_data[i][max_len - 1] = 0;
707 /* Appends a vararg list to a packet info string. */
709 col_append_fstr(frame_data *fd, gint el, gchar *format, ...) {
714 va_start(ap, format);
715 for (i = 0; i < fd->cinfo->num_cols; i++) {
716 if (fd->cinfo->fmt_matx[i][el]) {
717 len = strlen(fd->cinfo->col_data[i]);
719 max_len = COL_MAX_INFO_LEN;
721 max_len = COL_MAX_LEN;
722 vsnprintf(&fd->cinfo->col_data[i][len], max_len - len, format, ap);
728 col_append_str(frame_data *fd, gint el, gchar* str) {
732 for (i = 0; i < fd->cinfo->num_cols; i++) {
733 if (fd->cinfo->fmt_matx[i][el]) {
734 len = strlen(fd->cinfo->col_data[i]);
736 max_len = COL_MAX_LEN;
738 max_len = COL_MAX_INFO_LEN;
739 strncat(fd->cinfo->col_data[i], str, max_len - len);
740 fd->cinfo->col_data[i][max_len - 1] = 0;
745 /* To do: Add check_col checks to the col_add* routines */
748 col_set_abs_time(frame_data *fd, int col)
754 tmp = localtime(&then);
755 snprintf(fd->cinfo->col_data[col], COL_MAX_LEN, "%02d:%02d:%02d.%04ld",
759 (long)fd->abs_usecs/100);
763 col_set_rel_time(frame_data *fd, int col)
765 snprintf(fd->cinfo->col_data[col], COL_MAX_LEN, "%d.%06d", fd->rel_secs,
770 col_set_delta_time(frame_data *fd, int col)
772 snprintf(fd->cinfo->col_data[col], COL_MAX_LEN, "%d.%06d", fd->del_secs,
776 /* Add "command-line-specified" time.
777 XXX - this is called from "file.c" when the user changes the time
778 format they want for "command-line-specified" time; it's a bit ugly
779 that we have to export it, but if we go to a CList-like widget that
780 invokes callbacks to get the text for the columns rather than
781 requiring us to stuff the text into the widget from outside, we
782 might be able to clean this up. */
784 col_set_cls_time(frame_data *fd, int col)
786 switch (timestamp_type) {
788 col_set_abs_time(fd, col);
792 col_set_rel_time(fd, col);
796 col_set_delta_time(fd, col);
802 col_set_addr(frame_data *fd, int col, address *addr, gboolean is_res)
805 struct e_in6_addr ipv6_addr;
806 struct atalk_ddp_addr ddp_addr;
807 struct sna_fid_type_4_addr sna_fid_type_4_addr;
809 switch (addr->type) {
813 strncpy(fd->cinfo->col_data[col], get_ether_name(addr->data), COL_MAX_LEN);
815 strncpy(fd->cinfo->col_data[col], ether_to_str(addr->data), COL_MAX_LEN);
819 memcpy(&ipv4_addr, addr->data, sizeof ipv4_addr);
821 strncpy(fd->cinfo->col_data[col], get_hostname(ipv4_addr), COL_MAX_LEN);
823 strncpy(fd->cinfo->col_data[col], ip_to_str(addr->data), COL_MAX_LEN);
827 memcpy(&ipv6_addr.s6_addr, addr->data, sizeof ipv6_addr.s6_addr);
829 strncpy(fd->cinfo->col_data[col], get_hostname6(&ipv6_addr), COL_MAX_LEN);
831 strncpy(fd->cinfo->col_data[col], ip6_to_str(&ipv6_addr), COL_MAX_LEN);
835 strncpy(fd->cinfo->col_data[col],
836 ipx_addr_to_str(pntohl(&addr->data[0]), &addr->data[4]), COL_MAX_LEN);
843 snprintf(fd->cinfo->col_data[col], COL_MAX_LEN, "%04X", addr->data[0]);
847 snprintf(fd->cinfo->col_data[col], COL_MAX_LEN, "%04X",
848 pntohs(&addr->data[0]));
851 case SNA_FID_TYPE_4_ADDR_LEN:
852 memcpy(&sna_fid_type_4_addr, addr->data, SNA_FID_TYPE_4_ADDR_LEN);
853 strncpy(fd->cinfo->col_data[col],
854 sna_fid_type_4_addr_to_str(&sna_fid_type_4_addr), COL_MAX_LEN);
860 memcpy(&ddp_addr, addr->data, sizeof ddp_addr);
861 strncpy(fd->cinfo->col_data[col], atalk_addr_to_str(&ddp_addr),
866 strncpy(fd->cinfo->col_data[col], vines_addr_to_str(&addr->data[0]),
873 fd->cinfo->col_data[col][COL_MAX_LEN - 1] = '\0';
877 col_set_port(frame_data *fd, int col, port_type ptype, guint32 port,
884 strncpy(fd->cinfo->col_data[col], get_tcp_port(port), COL_MAX_LEN);
886 snprintf(fd->cinfo->col_data[col], COL_MAX_LEN, "%u", port);
891 strncpy(fd->cinfo->col_data[col], get_udp_port(port), COL_MAX_LEN);
893 snprintf(fd->cinfo->col_data[col], COL_MAX_LEN, "%u", port);
899 fd->cinfo->col_data[col][COL_MAX_LEN - 1] = '\0';
903 fill_in_columns(frame_data *fd)
907 for (i = 0; i < fd->cinfo->num_cols; i++) {
908 switch (fd->cinfo->col_fmt[i]) {
911 snprintf(fd->cinfo->col_data[i], COL_MAX_LEN, "%u", fd->num);
915 col_set_cls_time(fd, i);
919 col_set_abs_time(fd, i);
923 col_set_rel_time(fd, i);
927 col_set_delta_time(fd, i);
931 case COL_RES_SRC: /* COL_DEF_SRC is currently just like COL_RES_SRC */
932 col_set_addr(fd, i, &pi.src, TRUE);
936 col_set_addr(fd, i, &pi.src, FALSE);
941 col_set_addr(fd, i, &pi.dl_src, TRUE);
944 case COL_UNRES_DL_SRC:
945 col_set_addr(fd, i, &pi.dl_src, FALSE);
948 case COL_DEF_NET_SRC:
949 case COL_RES_NET_SRC:
950 col_set_addr(fd, i, &pi.net_src, TRUE);
953 case COL_UNRES_NET_SRC:
954 col_set_addr(fd, i, &pi.net_src, FALSE);
958 case COL_RES_DST: /* COL_DEF_DST is currently just like COL_RES_DST */
959 col_set_addr(fd, i, &pi.dst, TRUE);
963 col_set_addr(fd, i, &pi.dst, FALSE);
968 col_set_addr(fd, i, &pi.dl_dst, TRUE);
971 case COL_UNRES_DL_DST:
972 col_set_addr(fd, i, &pi.dl_dst, FALSE);
975 case COL_DEF_NET_DST:
976 case COL_RES_NET_DST:
977 col_set_addr(fd, i, &pi.net_dst, TRUE);
980 case COL_UNRES_NET_DST:
981 col_set_addr(fd, i, &pi.net_dst, FALSE);
984 case COL_DEF_SRC_PORT:
985 case COL_RES_SRC_PORT: /* COL_DEF_SRC_PORT is currently just like COL_RES_SRC_PORT */
986 col_set_port(fd, i, pi.ptype, pi.srcport, TRUE);
989 case COL_UNRES_SRC_PORT:
990 col_set_port(fd, i, pi.ptype, pi.srcport, FALSE);
993 case COL_DEF_DST_PORT:
994 case COL_RES_DST_PORT: /* COL_DEF_DST_PORT is currently just like COL_RES_DST_PORT */
995 col_set_port(fd, i, pi.ptype, pi.destport, TRUE);
998 case COL_UNRES_DST_PORT:
999 col_set_port(fd, i, pi.ptype, pi.destport, FALSE);
1002 case COL_PROTOCOL: /* currently done by dissectors */
1003 case COL_INFO: /* currently done by dissectors */
1006 case COL_PACKET_LENGTH:
1007 snprintf(fd->cinfo->col_data[i], COL_MAX_LEN, "%d", fd->pkt_len);
1010 case NUM_COL_FMTS: /* keep compiler happy - shouldn't get here */
1016 void blank_packetinfo(void)
1018 pi.dl_src.type = AT_NONE;
1019 pi.dl_dst.type = AT_NONE;
1020 pi.net_src.type = AT_NONE;
1021 pi.net_dst.type = AT_NONE;
1022 pi.src.type = AT_NONE;
1023 pi.dst.type = AT_NONE;
1030 /* Allow protocols to register "init" routines, which are called before
1031 we make a pass through a capture file and dissect all its packets
1032 (e.g., when we read in a new capture file, or run a "filter packets"
1033 or "colorize packets" pass over the current capture file). */
1034 static GSList *init_routines;
1037 register_init_routine(void (*func)(void))
1039 init_routines = g_slist_append(init_routines, func);
1042 /* Call all the registered "init" routines. */
1044 call_init_routine(gpointer routine, gpointer dummy)
1046 void (*func)(void) = routine;
1052 init_all_protocols(void)
1054 g_slist_foreach(init_routines, &call_init_routine, NULL);
1057 /* this routine checks the frame type from the cf structure */
1059 dissect_packet(const u_char *pd, frame_data *fd, proto_tree *tree)
1061 proto_tree *fh_tree;
1065 /* Put in frame header information. */
1067 ti = proto_tree_add_item_format(tree, proto_frame, 0, fd->cap_len,
1068 NULL, "Frame %u (%u on wire, %u captured)", fd->num,
1069 fd->pkt_len, fd->cap_len);
1071 fh_tree = proto_item_add_subtree(ti, ett_frame);
1073 tv.tv_sec = fd->abs_secs;
1074 tv.tv_usec = fd->abs_usecs;
1076 proto_tree_add_item(fh_tree, hf_frame_arrival_time,
1079 tv.tv_sec = fd->del_secs;
1080 tv.tv_usec = fd->del_usecs;
1082 proto_tree_add_item(fh_tree, hf_frame_time_delta,
1085 proto_tree_add_item(fh_tree, hf_frame_number,
1088 proto_tree_add_item_format(fh_tree, hf_frame_packet_len,
1089 0, 0, fd->pkt_len, "Packet Length: %d byte%s", fd->pkt_len,
1090 plurality(fd->pkt_len, "", "s"));
1092 proto_tree_add_item_format(fh_tree, hf_frame_capture_len,
1093 0, 0, fd->cap_len, "Capture Length: %d byte%s", fd->cap_len,
1094 plurality(fd->cap_len, "", "s"));
1099 /* Set the initial payload to the packet length, and the initial
1100 captured payload to the capture length (other protocols may
1101 reduce them if their headers say they're less). */
1102 pi.len = fd->pkt_len;
1103 pi.captured_len = fd->cap_len;
1105 switch (fd->lnk_t) {
1106 case WTAP_ENCAP_ETHERNET :
1107 dissect_eth(pd, 0, fd, tree);
1109 case WTAP_ENCAP_FDDI :
1110 dissect_fddi(pd, fd, tree, FALSE);
1112 case WTAP_ENCAP_FDDI_BITSWAPPED :
1113 dissect_fddi(pd, fd, tree, TRUE);
1115 case WTAP_ENCAP_TR :
1116 dissect_tr(pd, 0, fd, tree);
1118 case WTAP_ENCAP_NULL :
1119 dissect_null(pd, fd, tree);
1121 case WTAP_ENCAP_PPP :
1122 dissect_ppp(pd, fd, tree);
1124 case WTAP_ENCAP_LAPB :
1125 dissect_lapb(pd, fd, tree);
1127 case WTAP_ENCAP_RAW_IP :
1128 dissect_raw(pd, fd, tree);
1130 case WTAP_ENCAP_LINUX_ATM_CLIP :
1131 dissect_clip(pd, fd, tree);
1133 case WTAP_ENCAP_ATM_SNIFFER :
1134 dissect_atm(pd, fd, tree);
1136 case WTAP_ENCAP_ASCEND :
1137 dissect_ascend(pd, fd, tree);
1139 case WTAP_ENCAP_LAPD :
1140 dissect_lapd(pd, fd, tree);
1142 case WTAP_ENCAP_V120 :
1143 dissect_v120(pd, fd, tree);
1149 proto_register_frame(void)
1151 static hf_register_info hf[] = {
1152 { &hf_frame_arrival_time,
1153 { "Arrival Time", "frame.time", FT_ABSOLUTE_TIME, BASE_NONE, NULL, 0x0,
1156 { &hf_frame_time_delta,
1157 { "Time delta from previous packet", "frame.time_delta", FT_RELATIVE_TIME, BASE_NONE, NULL,
1162 { "Frame Number", "frame.number", FT_UINT32, BASE_DEC, NULL, 0x0,
1165 { &hf_frame_packet_len,
1166 { "Total Frame Length", "frame.pkt_len", FT_UINT32, BASE_DEC, NULL, 0x0,
1169 { &hf_frame_capture_len,
1170 { "Capture Frame Length", "frame.cap_len", FT_UINT32, BASE_DEC, NULL, 0x0,
1173 static gint *ett[] = {
1177 proto_frame = proto_register_protocol("Frame", "frame");
1178 proto_register_field_array(proto_frame, hf, array_length(hf));
1179 proto_register_subtree_array(ett, array_length(ett));