2 * Routines for packet disassembly
4 * $Id: packet.c,v 1.40 1999/08/24 03:19:23 guy Exp $
6 * Ethereal - Network traffic analyzer
7 * By Gerald Combs <gerald@zing.org>
8 * Copyright 1998 Gerald Combs
11 * This program is free software; you can redistribute it and/or
12 * modify it under the terms of the GNU General Public License
13 * as published by the Free Software Foundation; either version 2
14 * of the License, or (at your option) any later version.
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
21 * You should have received a copy of the GNU General Public License
22 * along with this program; if not, write to the Free Software
23 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
30 #ifdef HAVE_SYS_TYPES_H
31 # include <sys/types.h>
34 #ifdef HAVE_SYS_SOCKET_H
35 #include <sys/socket.h>
50 #ifdef NEED_SNPRINTF_H
51 # include "snprintf.h"
54 #ifdef HAVE_NETINET_IN_H
55 # include <netinet/in.h>
61 extern capture_file cf;
64 int hf_frame_arrival_time = -1;
65 int hf_frame_packet_len = -1;
66 int hf_frame_capture_len = -1;
69 ether_to_str(const guint8 *ad) {
70 static gchar str[3][18];
75 static const gchar hex_digits[16] = "0123456789abcdef";
77 if (cur == &str[0][0]) {
79 } else if (cur == &str[1][0]) {
89 *--p = hex_digits[octet&0xF];
91 *--p = hex_digits[octet&0xF];
101 ip_to_str(const guint8 *ad) {
102 static gchar str[3][16];
109 if (cur == &str[0][0]) {
111 } else if (cur == &str[1][0]) {
121 *--p = (octet%10) + '0';
125 if (digit != 0 || octet != 0)
137 #define PLURALIZE(n) (((n) > 1) ? "s" : "")
138 #define COMMA(do_it) ((do_it) ? ", " : "")
141 time_secs_to_str(guint32 time)
143 static gchar str[3][8+1+4+2+2+5+2+2+7+2+2+7+1];
144 static gchar *cur, *p;
145 int hours, mins, secs;
148 if (cur == &str[0][0]) {
150 } else if (cur == &str[1][0]) {
165 sprintf(p, "%u day%s", time, PLURALIZE(time));
171 sprintf(p, "%s%u hour%s", COMMA(do_comma), hours, PLURALIZE(hours));
177 sprintf(p, "%s%u minute%s", COMMA(do_comma), mins, PLURALIZE(mins));
183 sprintf(p, "%s%u second%s", COMMA(do_comma), secs, PLURALIZE(secs));
187 /* Max string length for displaying byte string. */
188 #define MAX_BYTE_STR_LEN 16
190 /* Turn an array of bytes into a string showing the bytes in hex. */
192 bytes_to_str(const guint8 *bd, int bd_len) {
193 static gchar str[3][MAX_BYTE_STR_LEN+3+1];
197 static const char hex[16] = { '0', '1', '2', '3', '4', '5', '6', '7',
198 '8', '9', 'A', 'B', 'C', 'D', 'E', 'F' };
200 if (cur == &str[0][0]) {
202 } else if (cur == &str[1][0]) {
208 len = MAX_BYTE_STR_LEN;
209 while (bd_len > 0 && len > 0) {
210 *p++ = hex[(*bd) >> 4];
211 *p++ = hex[(*bd) & 0xF];
217 /* Note that we're not showing the full string. */
226 static const char *mon_names[12] = {
242 abs_time_to_str(struct timeval *abs_time)
246 static char str[3][3+1+2+2+4+1+2+1+2+1+2+1+4+1 + 5 /* extra */];
248 if (cur == &str[0][0]) {
250 } else if (cur == &str[1][0]) {
256 tmp = localtime(&abs_time->tv_sec);
257 sprintf(cur, "%s %2d, %d %02d:%02d:%02d.%04ld",
258 mon_names[tmp->tm_mon],
264 (long)abs_time->tv_usec/100);
271 * Given a pointer into a data buffer, and to the end of the buffer,
272 * find the end of the (putative) line at that position in the data
274 * Return a pointer to the EOL character(s) in "*eol".
277 find_line_end(const u_char *data, const u_char *dataend, const u_char **eol)
279 const u_char *lineend;
281 lineend = memchr(data, '\n', dataend - data);
282 if (lineend == NULL) {
284 * No LF - line is probably continued in next TCP segment.
290 * Is the LF at the beginning of the line?
292 if (lineend > data) {
294 * No - is it preceded by a carriage return?
295 * (Perhaps it's supposed to be, but that's not guaranteed....)
297 if (*(lineend - 1) == '\r') {
299 * Yes. The EOL starts with the CR.
304 * No. The EOL starts with the LF.
309 * I seem to remember that we once saw lines ending with LF-CR
310 * in an HTTP request or response, so check if it's *followed*
311 * by a carriage return.
313 if (lineend < (dataend - 1) && *(lineend + 1) == '\r') {
315 * It's <non-LF><LF><CR>; say it ends with the CR.
323 * Point to the character after the last character.
330 #define MAX_COLUMNS_LINE_DETAIL 62
333 * Get the length of the next token in a line, and the beginning of the
334 * next token after that (if any).
335 * Return 0 if there is no next token.
338 get_token_len(const u_char *linep, const u_char *lineend,
339 const u_char **next_token)
341 const u_char *tokenp;
347 * Search for a blank, a CR or an LF, or the end of the buffer.
349 while (linep < lineend && *linep != ' ' && *linep != '\r' && *linep != '\n')
351 token_len = linep - tokenp;
354 * Skip trailing blanks.
356 while (linep < lineend && *linep == ' ')
365 * Given a string, generate a string from it that shows non-printable
366 * characters as C-style escapes, and return a pointer to it.
369 format_text(const u_char *string, int len)
371 static gchar fmtbuf[MAX_COLUMNS_LINE_DETAIL + 3 + 4 + 1];
374 const u_char *stringend = string + len;
379 fmtbufp = &fmtbuf[0];
380 while (string < stringend) {
381 if (column >= MAX_COLUMNS_LINE_DETAIL) {
383 * Put "..." and quit.
385 strcpy(fmtbufp, " ...");
439 *fmtbufp++ = i + '0';
442 *fmtbufp++ = i + '0';
445 *fmtbufp++ = i + '0';
456 /* Tries to match val against each element in the value_string array vs.
457 Returns the associated string ptr on a match.
458 Formats val with fmt, and returns the resulting string, on failure. */
460 val_to_str(guint32 val, const value_string *vs, const char *fmt) {
462 static gchar str[3][64];
465 ret = match_strval(val, vs);
468 if (cur == &str[0][0]) {
470 } else if (cur == &str[1][0]) {
475 snprintf(cur, 64, fmt, val);
479 /* Tries to match val against each element in the value_string array vs.
480 Returns the associated string ptr on a match, or NULL on failure. */
482 match_strval(guint32 val, const value_string *vs) {
485 while (vs[i].strptr) {
486 if (vs[i].value == val)
487 return(vs[i].strptr);
494 /* Generate, into "buf", a string showing the bits of a bitfield.
495 Return a pointer to the character after that string. */
497 decode_bitfield_value(char *buf, guint32 val, guint32 mask, int width)
505 bit = 1 << (width - 1);
508 /* This bit is part of the field. Show its value. */
514 /* This bit is not part of the field. */
529 /* Generate a string describing a Boolean bitfield (a one-bit field that
530 says something is either true of false). */
532 decode_boolean_bitfield(guint32 val, guint32 mask, int width,
533 const char *truedesc, const char *falsedesc)
535 static char buf[1025];
538 p = decode_bitfield_value(buf, val, mask, width);
542 strcpy(p, falsedesc);
546 /* Generate a string describing an enumerated bitfield (an N-bit field
547 with various specific values having particular names). */
549 decode_enumerated_bitfield(guint32 val, guint32 mask, int width,
550 const value_string *tab, const char *fmt)
552 static char buf[1025];
555 p = decode_bitfield_value(buf, val, mask, width);
556 sprintf(p, fmt, val_to_str(val & mask, tab, "Unknown"));
560 /* Generate a string describing a numeric bitfield (an N-bit field whose
561 value is just a number). */
563 decode_numeric_bitfield(guint32 val, guint32 mask, int width,
566 static char buf[1025];
570 /* Compute the number of bits we have to shift the bitfield right
571 to extract its value. */
572 while ((mask & (1<<shift)) == 0)
575 p = decode_bitfield_value(buf, val, mask, width);
576 sprintf(p, fmt, (val & mask) >> shift);
580 /* Checks to see if a particular packet information element is needed for
583 check_col(frame_data *fd, gint el) {
587 for (i = 0; i < fd->cinfo->num_cols; i++) {
588 if (fd->cinfo->fmt_matx[i][el])
595 /* Adds a vararg list to a packet info string. */
597 col_add_fstr(frame_data *fd, gint el, gchar *format, ...) {
601 va_start(ap, format);
602 for (i = 0; i < fd->cinfo->num_cols; i++) {
603 if (fd->cinfo->fmt_matx[i][el])
604 vsnprintf(fd->cinfo->col_data[i], COL_MAX_LEN, format, ap);
609 col_add_str(frame_data *fd, gint el, const gchar* str) {
612 for (i = 0; i < fd->cinfo->num_cols; i++) {
613 if (fd->cinfo->fmt_matx[i][el]) {
614 strncpy(fd->cinfo->col_data[i], str, COL_MAX_LEN);
615 fd->cinfo->col_data[i][COL_MAX_LEN - 1] = 0;
620 /* this routine checks the frame type from the cf structure */
622 dissect_packet(const u_char *pd, frame_data *fd, proto_tree *tree)
628 /* Put in frame header information. */
630 ti = proto_tree_add_item_format(tree, proto_frame, 0, fd->cap_len,
631 NULL, "Frame (%d on wire, %d captured)", fd->pkt_len, fd->cap_len);
633 fh_tree = proto_item_add_subtree(ti, ETT_FRAME);
635 tv.tv_sec = fd->abs_secs;
636 tv.tv_usec = fd->abs_usecs;
638 proto_tree_add_item(fh_tree, hf_frame_arrival_time,
641 proto_tree_add_item_format(fh_tree, hf_frame_packet_len,
642 0, 0, fd->pkt_len, "Packet Length: %d byte%s", fd->pkt_len,
643 plurality(fd->pkt_len, "", "s"));
645 proto_tree_add_item_format(fh_tree, hf_frame_capture_len,
646 0, 0, fd->cap_len, "Capture Length: %d byte%s", fd->cap_len,
647 plurality(fd->cap_len, "", "s"));
650 /* Set the initial payload to the packet length, and the initial
651 captured payload to the capture length (other protocols may
652 reduce them if their headers say they're less). */
653 pi.len = fd->pkt_len;
654 pi.captured_len = fd->cap_len;
657 case WTAP_ENCAP_ETHERNET :
658 dissect_eth(pd, 0, fd, tree);
660 case WTAP_ENCAP_FDDI :
661 dissect_fddi(pd, fd, tree, FALSE);
663 case WTAP_ENCAP_FDDI_BITSWAPPED :
664 dissect_fddi(pd, fd, tree, TRUE);
667 dissect_tr(pd, 0, fd, tree);
669 case WTAP_ENCAP_NULL :
670 dissect_null(pd, fd, tree);
672 case WTAP_ENCAP_PPP :
673 dissect_ppp(pd, fd, tree);
675 case WTAP_ENCAP_LAPB :
676 dissect_lapb(pd, fd, tree);
678 case WTAP_ENCAP_RAW_IP :
679 dissect_raw(pd, fd, tree);
681 case WTAP_ENCAP_LINUX_ATM_CLIP :
682 dissect_clip(pd, fd, tree);
684 case WTAP_ENCAP_ATM_SNIFFER :
685 dissect_atm(pd, fd, tree);
691 proto_register_frame(void)
693 static hf_register_info hf[] = {
694 { &hf_frame_arrival_time,
695 { "Arrival Time", "frame.time", FT_ABSOLUTE_TIME, NULL }},
697 { &hf_frame_packet_len,
698 { "Total Frame Length", "frame.pkt_len", FT_UINT32, NULL }},
700 { &hf_frame_capture_len,
701 { "Capture Frame Length", "frame.cap_len", FT_UINT32, NULL }}
704 proto_frame = proto_register_protocol("Frame", "frame");
705 proto_register_field_array(proto_frame, hf, array_length(hf));