/* packet-eth.c
* Routines for ethernet packet disassembly
*
- * $Id: packet-eth.c,v 1.5 1998/10/10 03:32:11 gerald Exp $
+ * $Id: packet-eth.c,v 1.85 2003/08/26 05:52:44 guy Exp $
*
* Ethereal - Network traffic analyzer
- * By Gerald Combs <gerald@zing.org>
+ * By Gerald Combs <gerald@ethereal.com>
* Copyright 1998 Gerald Combs
*
- *
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version.
- *
+ *
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
- *
+ *
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
# include "config.h"
#endif
-#ifdef HAVE_SYS_TYPES_H
-# include <sys/types.h>
-#endif
+#include <glib.h>
+#include <epan/packet.h>
+#include "prefs.h"
+#include "etypes.h"
+#include <epan/resolv.h>
+#include "packet-eth.h"
+#include "packet-ieee8023.h"
+#include "packet-ipx.h"
+#include "packet-isl.h"
+#include "packet-llc.h"
+#include "crc32.h"
+#include "tap.h"
-#include <gtk/gtk.h>
+/* Interpret capture file as FW1 monitor file */
+static gboolean eth_interpret_as_fw1_monitor = FALSE;
-#include <stdio.h>
+/* protocols and header fields */
+static int proto_eth = -1;
+static int hf_eth_dst = -1;
+static int hf_eth_src = -1;
+static int hf_eth_len = -1;
+static int hf_eth_type = -1;
+static int hf_eth_addr = -1;
+static int hf_eth_trailer = -1;
-#include <pcap.h>
+static gint ett_ieee8023 = -1;
+static gint ett_ether2 = -1;
-#include "ethereal.h"
-#include "packet.h"
-#include "etypes.h"
-#include "resolv.h"
+static dissector_handle_t isl_handle;
+static dissector_handle_t fw1_handle;
+
+static int eth_tap = -1;
+
+#define ETH_HEADER_SIZE 14
/* These are the Netware-ish names for the different Ethernet frame types.
EthernetII: The ethernet with a Type field instead of a length field
- Ethernet802.2: An 802.3 header followed by an 802.3 header
+ Ethernet802.2: An 802.3 header followed by an 802.2 header
Ethernet802.3: A raw 802.3 packet. IPX/SPX can be the only payload.
- There's not 802.2 hdr in this.
+ There's no 802.2 hdr in this.
EthernetSNAP: Basically 802.2, just with 802.2SNAP. For our purposes,
there's no difference between 802.2 and 802.2SNAP, since we just
- pass it down to dissect_llc(). -- Gilbert
+ pass it down to the LLC dissector. -- Gilbert
*/
#define ETHERNET_II 0
#define ETHERNET_802_2 1
#define ETHERNET_SNAP 3
void
-dissect_eth(const u_char *pd, frame_data *fd, GtkTree *tree) {
+capture_eth(const guchar *pd, int offset, int len, packet_counts *ld)
+{
guint16 etype, length;
- int offset = 14;
- GtkWidget *fh_tree = NULL, *ti;
- int ethhdr_type; /* the type of ethernet frame */
-
- if (fd->win_info[COL_NUM]) {
- strcpy(fd->win_info[COL_DESTINATION], get_ether_name((u_char *)&pd[0]));
- strcpy(fd->win_info[COL_SOURCE], get_ether_name((u_char *)&pd[6]));
- strcpy(fd->win_info[COL_INFO], "Ethernet II");
+ int ethhdr_type; /* the type of ethernet frame */
+
+ if (!BYTES_ARE_IN_FRAME(offset, len, ETH_HEADER_SIZE)) {
+ ld->other++;
+ return;
}
- etype = (pd[12] << 8) | pd[13];
+ etype = pntohs(&pd[offset+12]);
- /* either ethernet802.3 or ethernet802.2 */
- if (etype <= IEEE_802_3_MAX_LEN) {
+ /*
+ * If the type/length field is <= the maximum 802.3 length,
+ * and is not zero, this is an 802.3 frame, and it's a length
+ * field; it might be an Novell "raw 802.3" frame, with no
+ * 802.2 LLC header, or it might be a frame with an 802.2 LLC
+ * header.
+ *
+ * If the type/length field is > the maximum 802.3 length,
+ * this is an Ethernet II frame, and it's a type field.
+ *
+ * If the type/length field is zero (ETHERTYPE_UNK), this is
+ * a frame used internally by the Cisco MDS switch to contain
+ * Fibre Channel ("Vegas"). We treat that as an Ethernet II
+ * frame; the dissector for those frames registers itself with
+ * an ethernet type of ETHERTYPE_UNK.
+ */
+ if (etype <= IEEE_802_3_MAX_LEN && etype != ETHERTYPE_UNK) {
length = etype;
- /* Is there an 802.2 layer? I can tell by looking at the first 2
- bytes after the 802.3 header. If they are 0xffff, then what
- follows the 802.3 header is an IPX payload, meaning no 802.2.
- (IPX/SPX is they only thing that can be contained inside a
- straight 802.3 packet). A non-0xffff value means that there's an
- 802.2 layer inside the 802.3 layer */
- if (pd[14] == 0xff && pd[15] == 0xff) {
+ /* Is there an 802.2 layer? I can tell by looking at the first 2
+ bytes after the 802.3 header. If they are 0xffff, then what
+ follows the 802.3 header is an IPX payload, meaning no 802.2.
+ (IPX/SPX is they only thing that can be contained inside a
+ straight 802.3 packet). A non-0xffff value means that there's an
+ 802.2 layer inside the 802.3 layer */
+ if (pd[offset+14] == 0xff && pd[offset+15] == 0xff) {
ethhdr_type = ETHERNET_802_3;
}
else {
ethhdr_type = ETHERNET_802_2;
}
- if (fd->win_info[COL_NUM]) { sprintf(fd->win_info[COL_INFO], "802.3"); }
- if (tree) {
- ti = add_item_to_tree(GTK_WIDGET(tree), 0, offset,
- "IEEE 802.3 %s", (ethhdr_type == ETHERNET_802_3 ? "Raw " : ""));
-
- fh_tree = gtk_tree_new();
- add_subtree(ti, fh_tree, ETT_IEEE8023);
- add_item_to_tree(fh_tree, 0, 6, "Destination: %s (%s)",
- ether_to_str((guint8 *) &pd[0]),
- get_ether_name((u_char *) &pd[0]));
- add_item_to_tree(fh_tree, 6, 6, "Source: %s (%s)",
- ether_to_str((guint8 *) &pd[6]),
- get_ether_name((u_char *)&pd[6]));
- add_item_to_tree(fh_tree, 12, 2, "Length: %d", length);
+ /* Oh, yuck. Cisco ISL frames require special interpretation of the
+ destination address field; fortunately, they can be recognized by
+ checking the first 5 octets of the destination address, which are
+ 01-00-0C-00-00 for ISL frames. */
+ if (pd[offset] == 0x01 && pd[offset+1] == 0x00 && pd[offset+2] == 0x0C
+ && pd[offset+3] == 0x00 && pd[offset+4] == 0x00) {
+ capture_isl(pd, offset, len, ld);
+ return;
}
+ /* Convert the LLC length from the 802.3 header to a total
+ frame length, by adding in the size of any data that preceded
+ the Ethernet header, and adding in the Ethernet header size,
+ and set the payload and captured-payload lengths to the minima
+ of the total length and the frame lengths. */
+ length += offset + ETH_HEADER_SIZE;
+ if (len > length)
+ len = length;
} else {
ethhdr_type = ETHERNET_II;
+ }
+ offset += ETH_HEADER_SIZE;
+
+ switch (ethhdr_type) {
+ case ETHERNET_802_3:
+ capture_ipx(ld);
+ break;
+ case ETHERNET_802_2:
+ capture_llc(pd, offset, len, ld);
+ break;
+ case ETHERNET_II:
+ capture_ethertype(etype, pd, offset, len, ld);
+ break;
+ }
+}
+
+static void
+dissect_eth(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
+{
+ proto_item *ti;
+ eth_hdr *ehdr;
+ volatile gboolean is_802_2;
+ proto_tree *volatile fh_tree = NULL;
+ const char *src_addr, *dst_addr;
+ static eth_hdr ehdrs[4];
+ static int ehdr_num=0;
+
+ ehdr_num++;
+ if(ehdr_num>=4){
+ ehdr_num=0;
+ }
+ ehdr=&ehdrs[ehdr_num];
+
+
+ if (check_col(pinfo->cinfo, COL_PROTOCOL))
+ col_set_str(pinfo->cinfo, COL_PROTOCOL, "Ethernet");
+
+ src_addr=tvb_get_ptr(tvb, 6, 6);
+ SET_ADDRESS(&pinfo->dl_src, AT_ETHER, 6, src_addr);
+ SET_ADDRESS(&pinfo->src, AT_ETHER, 6, src_addr);
+ SET_ADDRESS(&ehdr->src, AT_ETHER, 6, src_addr);
+ dst_addr=tvb_get_ptr(tvb, 0, 6);
+ SET_ADDRESS(&pinfo->dl_dst, AT_ETHER, 6, dst_addr);
+ SET_ADDRESS(&pinfo->dst, AT_ETHER, 6, dst_addr);
+ SET_ADDRESS(&ehdr->dst, AT_ETHER, 6, dst_addr);
+
+ ehdr->type = tvb_get_ntohs(tvb, 12);
+
+ /*
+ * If the type/length field is <= the maximum 802.3 length,
+ * and is not zero, this is an 802.3 frame, and it's a length
+ * field; it might be an Novell "raw 802.3" frame, with no
+ * 802.2 LLC header, or it might be a frame with an 802.2 LLC
+ * header.
+ *
+ * If the type/length field is > the maximum 802.3 length,
+ * this is an Ethernet II frame, and it's a type field.
+ *
+ * If the type/length field is zero (ETHERTYPE_UNK), this is
+ * a frame used internally by the Cisco MDS switch to contain
+ * Fibre Channel ("Vegas"). We treat that as an Ethernet II
+ * frame; the dissector for those frames registers itself with
+ * an ethernet type of ETHERTYPE_UNK.
+ */
+ if (ehdr->type <= IEEE_802_3_MAX_LEN && ehdr->type != ETHERTYPE_UNK) {
+ /* Oh, yuck. Cisco ISL frames require special interpretation of the
+ destination address field; fortunately, they can be recognized by
+ checking the first 5 octets of the destination address, which are
+ 01-00-0C-00-00 for ISL frames. */
+ if ( tvb_get_guint8(tvb, 0) == 0x01 &&
+ tvb_get_guint8(tvb, 1) == 0x00 &&
+ tvb_get_guint8(tvb, 2) == 0x0C &&
+ tvb_get_guint8(tvb, 3) == 0x00 &&
+ tvb_get_guint8(tvb, 4) == 0x00 ) {
+ call_dissector(isl_handle, tvb, pinfo, tree);
+ goto end_of_eth;
+ }
+
+ /* Is there an 802.2 layer? I can tell by looking at the first 2
+ bytes after the 802.3 header. If they are 0xffff, then what
+ follows the 802.3 header is an IPX payload, meaning no 802.2.
+ (IPX/SPX is they only thing that can be contained inside a
+ straight 802.3 packet). A non-0xffff value means that there's an
+ 802.2 layer inside the 802.3 layer */
+ is_802_2 = TRUE;
+ TRY {
+ if (tvb_get_ntohs(tvb, 14) == 0xffff) {
+ is_802_2 = FALSE;
+ }
+ }
+ CATCH2(BoundsError, ReportedBoundsError) {
+ ; /* do nothing */
+
+ }
+ ENDTRY;
+
+ if (check_col(pinfo->cinfo, COL_INFO)) {
+ col_add_fstr(pinfo->cinfo, COL_INFO, "IEEE 802.3 Ethernet %s",
+ (is_802_2 ? "" : "Raw "));
+ }
if (tree) {
- ti = add_item_to_tree(GTK_WIDGET(tree), 0, 14, "Ethernet II");
- fh_tree = gtk_tree_new();
- add_subtree(ti, fh_tree, ETT_ETHER2);
- add_item_to_tree(fh_tree, 0, 6, "Destination: %s (%s)",
- ether_to_str((guint8 *) &pd[0]),
- get_ether_name((u_char *)&pd[0]));
- add_item_to_tree(fh_tree, 6, 6, "Source: %s (%s)",
- ether_to_str((guint8 *) &pd[6]),
- get_ether_name((u_char *)&pd[6]));
+ ti = proto_tree_add_protocol_format(tree, proto_eth, tvb, 0, ETH_HEADER_SIZE,
+ "IEEE 802.3 Ethernet %s", (is_802_2 ? "" : "Raw "));
+
+ fh_tree = proto_item_add_subtree(ti, ett_ieee8023);
}
+
+ proto_tree_add_ether(fh_tree, hf_eth_dst, tvb, 0, 6, dst_addr);
+ proto_tree_add_ether(fh_tree, hf_eth_src, tvb, 6, 6, src_addr);
+
+/* add items for eth.addr filter */
+ proto_tree_add_ether_hidden(fh_tree, hf_eth_addr, tvb, 0, 6, dst_addr);
+ proto_tree_add_ether_hidden(fh_tree, hf_eth_addr, tvb, 6, 6, src_addr);
+
+ dissect_802_3(ehdr->type, is_802_2, tvb, ETH_HEADER_SIZE, pinfo, tree, fh_tree,
+ hf_eth_len, hf_eth_trailer);
+ } else {
+ if (eth_interpret_as_fw1_monitor) {
+ call_dissector(fw1_handle, tvb, pinfo, tree);
+ goto end_of_eth;
+ }
+
+ if (check_col(pinfo->cinfo, COL_INFO))
+ col_set_str(pinfo->cinfo, COL_INFO, "Ethernet II");
+ if (tree) {
+ ti = proto_tree_add_protocol_format(tree, proto_eth, tvb, 0, ETH_HEADER_SIZE,
+ "Ethernet II, Src: %s, Dst: %s",
+ ether_to_str(src_addr), ether_to_str(dst_addr));
+
+ fh_tree = proto_item_add_subtree(ti, ett_ether2);
+ }
+
+ proto_tree_add_ether(fh_tree, hf_eth_dst, tvb, 0, 6, dst_addr);
+ proto_tree_add_ether(fh_tree, hf_eth_src, tvb, 6, 6, src_addr);
+/* add items for eth.addr filter */
+ proto_tree_add_ether_hidden(fh_tree, hf_eth_addr, tvb, 0, 6, dst_addr);
+ proto_tree_add_ether_hidden(fh_tree, hf_eth_addr, tvb, 6, 6, src_addr);
+
+ ethertype(ehdr->type, tvb, ETH_HEADER_SIZE, pinfo, tree, fh_tree, hf_eth_type,
+ hf_eth_trailer);
}
- /* either ethernet802.3 or ethernet802.2 */
- switch (ethhdr_type) {
- case ETHERNET_802_3:
- dissect_ipx(pd, offset, fd, tree);
- return;
- case ETHERNET_802_2:
- dissect_llc(pd, offset, fd, tree);
- return;
+end_of_eth:
+ tap_queue_packet(eth_tap, pinfo, ehdr);
+ return;
+}
+
+/*
+ * Add an Ethernet trailer - which, for some captures, might be the FCS
+ * rather than a pad-to-60-bytes trailer.
+ */
+void
+add_ethernet_trailer(proto_tree *fh_tree, int trailer_id, tvbuff_t *tvb,
+ tvbuff_t *trailer_tvb)
+{
+ /* If there're some bytes left over, show those bytes as a trailer.
+
+ However, if the Ethernet frame was claimed to have had 64 or more
+ bytes - i.e., it was at least an FCS worth of data longer than
+ the minimum payload size - assume the last 4 bytes of the trailer
+ are an FCS. */
+ if (trailer_tvb && fh_tree) {
+ guint trailer_length, trailer_reported_length;
+ gboolean has_fcs = FALSE;
+
+ trailer_length = tvb_length(trailer_tvb);
+ trailer_reported_length = tvb_reported_length(trailer_tvb);
+ if (tvb_reported_length(tvb) >= 64) {
+ /* OK, the frame is big enough that, if we have a trailer, it
+ probably includes an FCS; there's no need to pad an Ethernet
+ packet past 60 bytes.
+
+ Do we have enough space in the trailer for an FCS? */
+ if (trailer_reported_length >= 4) {
+ /* Yes, as the claimed trailer length is at least as big as
+ a 4-byte FCS. */
+ if (trailer_length < trailer_reported_length) {
+ /* The packet is claimed to have enough data for a 4-byte FCS,
+ but we didn't capture all of the packet.
+ Slice off the 4-byte FCS from the reported length, and
+ trim the captured length so it's no more than the reported
+ length; that will slice off what of the FCS, if any, is
+ in the captured packet. */
+ trailer_reported_length -= 4;
+ if (trailer_length > trailer_reported_length)
+ trailer_length = trailer_reported_length;
+ has_fcs = TRUE;
+ } else {
+ /* We captured all of the packet, including what appears to
+ be a 4-byte FCS. Slice it off. */
+ trailer_length -= 4;
+ trailer_reported_length -= 4;
+ has_fcs = TRUE;
+ }
+ }
+ }
+ if (trailer_length != 0) {
+ proto_tree_add_item(fh_tree, trailer_id, trailer_tvb, 0,
+ trailer_length, FALSE);
+ }
+ if (has_fcs) {
+ guint32 sent_fcs = tvb_get_ntohl(trailer_tvb, trailer_length);
+ guint32 fcs = crc32_802(tvb_get_ptr(tvb, 0, tvb_length(tvb) - 4),
+ tvb_length(tvb) - 4);
+ if (fcs == sent_fcs) {
+ proto_tree_add_text(fh_tree, trailer_tvb, trailer_length, 4,
+ "Frane check sequence: 0x%08x (correct)",
+ sent_fcs);
+ } else {
+ proto_tree_add_text(fh_tree, trailer_tvb, trailer_length, 4,
+ "Frane check sequence: 0x%08x (incorrect, should be 0x%08x)",
+ sent_fcs, fcs);
+ }
+ }
}
+}
+
+void
+proto_register_eth(void)
+{
+ static hf_register_info hf[] = {
+
+ { &hf_eth_dst,
+ { "Destination", "eth.dst", FT_ETHER, BASE_NONE, NULL, 0x0,
+ "Destination Hardware Address", HFILL }},
+
+ { &hf_eth_src,
+ { "Source", "eth.src", FT_ETHER, BASE_NONE, NULL, 0x0,
+ "Source Hardware Address", HFILL }},
+
+ { &hf_eth_len,
+ { "Length", "eth.len", FT_UINT16, BASE_DEC, NULL, 0x0,
+ "", HFILL }},
+
+ /* registered here but handled in ethertype.c */
+ { &hf_eth_type,
+ { "Type", "eth.type", FT_UINT16, BASE_HEX, VALS(etype_vals), 0x0,
+ "", HFILL }},
+ { &hf_eth_addr,
+ { "Source or Destination Address", "eth.addr", FT_ETHER, BASE_NONE, NULL, 0x0,
+ "Source or Destination Hardware Address", HFILL }},
- /* Ethernet_II */
- ethertype(etype, offset, pd, fd, tree, fh_tree);
+ { &hf_eth_trailer,
+ { "Trailer", "eth.trailer", FT_BYTES, BASE_NONE, NULL, 0x0,
+ "Ethernet Trailer or Checksum", HFILL }},
+
+ };
+ static gint *ett[] = {
+ &ett_ieee8023,
+ &ett_ether2,
+ };
+ module_t *eth_module;
+
+ proto_eth = proto_register_protocol("Ethernet", "Ethernet", "eth");
+ proto_register_field_array(proto_eth, hf, array_length(hf));
+ proto_register_subtree_array(ett, array_length(ett));
+
+ /* Register configuration preferences */
+ eth_module = prefs_register_protocol(proto_eth, NULL);
+ prefs_register_bool_preference(eth_module, "interpret_as_fw1_monitor",
+ "Interpret as FireWall-1 monitor file",
+"Whether the capture file should be interpreted as a CheckPoint FireWall-1 monitor file",
+ ð_interpret_as_fw1_monitor);
+
+ register_dissector("eth", dissect_eth, proto_eth);
+ eth_tap = register_tap("eth");
}
+void
+proto_reg_handoff_eth(void)
+{
+ dissector_handle_t eth_handle;
+
+ /*
+ * Get a handle for the ISL dissector.
+ */
+ isl_handle = find_dissector("isl");
+ fw1_handle = find_dissector("fw1");
+
+ eth_handle = find_dissector("eth");
+ dissector_add("wtap_encap", WTAP_ENCAP_ETHERNET, eth_handle);
+ dissector_add("ethertype", ETHERTYPE_ETHBRIDGE, eth_handle);
+ dissector_add("chdlctype", ETHERTYPE_ETHBRIDGE, eth_handle);
+ dissector_add("gre.proto", ETHERTYPE_ETHBRIDGE, eth_handle);
+}