/* packet-eth.c
* Routines for ethernet packet disassembly
*
- * $Id: packet-eth.c,v 1.54 2001/01/09 06:31:35 guy Exp $
+ * $Id: packet-eth.c,v 1.76 2002/08/26 19:08:59 guy Exp $
*
* Ethereal - Network traffic analyzer
- * By Gerald Combs <gerald@zing.org>
+ * By Gerald Combs <gerald@ethereal.com>
* Copyright 1998 Gerald Combs
- *
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
# include "config.h"
#endif
-#ifdef HAVE_SYS_TYPES_H
-# include <sys/types.h>
-#endif
-
#include <glib.h>
-#include "packet.h"
+#include <epan/packet.h>
+#include "prefs.h"
#include "etypes.h"
-#include "resolv.h"
+#include <epan/resolv.h>
#include "packet-eth.h"
+#include "packet-ieee8023.h"
#include "packet-ipx.h"
#include "packet-isl.h"
#include "packet-llc.h"
-extern const value_string etype_vals[];
+/* Interpret capture file as FW1 monitor file */
+static gboolean eth_interpret_as_fw1_monitor = FALSE;
/* protocols and header fields */
static int proto_eth = -1;
static gint ett_ether2 = -1;
static dissector_handle_t isl_handle;
-static dissector_handle_t llc_handle;
+static dissector_handle_t fw1_handle;
#define ETH_HEADER_SIZE 14
#define ETHERNET_SNAP 3
void
-capture_eth(const u_char *pd, int offset, packet_counts *ld)
+capture_eth(const guchar *pd, int offset, int len, packet_counts *ld)
{
guint16 etype, length;
int ethhdr_type; /* the type of ethernet frame */
- if (!BYTES_ARE_IN_FRAME(offset, ETH_HEADER_SIZE)) {
+ if (!BYTES_ARE_IN_FRAME(offset, len, ETH_HEADER_SIZE)) {
ld->other++;
return;
}
01-00-0C-00-00 for ISL frames. */
if (pd[offset] == 0x01 && pd[offset+1] == 0x00 && pd[offset+2] == 0x0C
&& pd[offset+3] == 0x00 && pd[offset+4] == 0x00) {
- capture_isl(pd, offset, ld);
+ capture_isl(pd, offset, len, ld);
return;
}
and set the payload and captured-payload lengths to the minima
of the total length and the frame lengths. */
length += offset + ETH_HEADER_SIZE;
- if (pi.len > length)
- pi.len = length;
- if (pi.captured_len > length)
- pi.captured_len = length;
+ if (len > length)
+ len = length;
} else {
ethhdr_type = ETHERNET_II;
}
switch (ethhdr_type) {
case ETHERNET_802_3:
- capture_ipx(pd, offset, ld);
+ capture_ipx(ld);
break;
case ETHERNET_802_2:
- capture_llc(pd, offset, ld);
+ capture_llc(pd, offset, len, ld);
break;
case ETHERNET_II:
- capture_ethertype(etype, offset, pd, ld);
+ capture_ethertype(etype, pd, offset, len, ld);
break;
}
}
-void
+static void
dissect_eth(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
- int orig_captured_len;
proto_item *ti;
- guint8 *dst, *src;
- const guint8 *pd;
+ const guint8 *dst, *src;
- volatile guint16 etype;
- volatile int ethhdr_type; /* the type of Ethernet frame */
- volatile int eth_offset;
- volatile guint16 length;
- tvbuff_t *volatile next_tvb;
- tvbuff_t *volatile trailer_tvb;
- proto_tree *volatile fh_tree;
- guint length_before;
+ guint16 etype;
+ volatile gboolean is_802_2;
+ proto_tree *volatile fh_tree = NULL;
- CHECK_DISPLAY_AS_DATA(proto_eth, tvb, pinfo, tree);
-
- tvb_compat(tvb, &pd, (int*)ð_offset);
-
- pinfo->current_proto = "Ethernet";
- orig_captured_len = pinfo->captured_len;
-
- if (check_col(pinfo->fd, COL_PROTOCOL))
- col_set_str(pinfo->fd, COL_PROTOCOL, "Ethernet");
+ if (check_col(pinfo->cinfo, COL_PROTOCOL))
+ col_set_str(pinfo->cinfo, COL_PROTOCOL, "Ethernet");
src = tvb_get_ptr(tvb, 6, 6);
dst = tvb_get_ptr(tvb, 0, 6);
/* either ethernet802.3 or ethernet802.2 */
if (etype <= IEEE_802_3_MAX_LEN) {
- length = etype;
+ /* Oh, yuck. Cisco ISL frames require special interpretation of the
+ destination address field; fortunately, they can be recognized by
+ checking the first 5 octets of the destination address, which are
+ 01-00-0C-00-00 for ISL frames. */
+ if ( tvb_get_guint8(tvb, 0) == 0x01 &&
+ tvb_get_guint8(tvb, 1) == 0x00 &&
+ tvb_get_guint8(tvb, 2) == 0x0C &&
+ tvb_get_guint8(tvb, 3) == 0x00 &&
+ tvb_get_guint8(tvb, 4) == 0x00 ) {
+ call_dissector(isl_handle, tvb, pinfo, tree);
+ return;
+ }
/* Is there an 802.2 layer? I can tell by looking at the first 2
bytes after the 802.3 header. If they are 0xffff, then what
(IPX/SPX is they only thing that can be contained inside a
straight 802.3 packet). A non-0xffff value means that there's an
802.2 layer inside the 802.3 layer */
- ethhdr_type = ETHERNET_802_2;
+ is_802_2 = TRUE;
TRY {
if (tvb_get_ntohs(tvb, 14) == 0xffff) {
- ethhdr_type = ETHERNET_802_3;
+ is_802_2 = FALSE;
}
}
CATCH2(BoundsError, ReportedBoundsError) {
}
ENDTRY;
- /* Oh, yuck. Cisco ISL frames require special interpretation of the
- destination address field; fortunately, they can be recognized by
- checking the first 5 octets of the destination address, which are
- 01-00-0C-00-00 for ISL frames. */
- if ( tvb_get_guint8(tvb, 0) == 0x01 &&
- tvb_get_guint8(tvb, 1) == 0x00 &&
- tvb_get_guint8(tvb, 2) == 0x0C &&
- tvb_get_guint8(tvb, 3) == 0x00 &&
- tvb_get_guint8(tvb, 4) == 0x00 ) {
- call_dissector(isl_handle, tvb, pinfo, tree);
- return;
- }
-
- if (check_col(pinfo->fd, COL_INFO)) {
- col_add_fstr(pinfo->fd, COL_INFO, "IEEE 802.3 %s",
- (ethhdr_type == ETHERNET_802_3 ? "Raw " : ""));
+ if (check_col(pinfo->cinfo, COL_INFO)) {
+ col_add_fstr(pinfo->cinfo, COL_INFO, "IEEE 802.3 Ethernet %s",
+ (is_802_2 ? "" : "Raw "));
}
if (tree) {
+ ti = proto_tree_add_protocol_format(tree, proto_eth, tvb, 0, ETH_HEADER_SIZE,
+ "IEEE 802.3 Ethernet %s", (is_802_2 ? "" : "Raw "));
- ti = proto_tree_add_protocol_format(tree, proto_eth, tvb, 0, ETH_HEADER_SIZE,
- "IEEE 802.3 %s", (ethhdr_type == ETHERNET_802_3 ? "Raw " : ""));
-
- fh_tree = proto_item_add_subtree(ti, ett_ieee8023);
+ fh_tree = proto_item_add_subtree(ti, ett_ieee8023);
- proto_tree_add_ether(fh_tree, hf_eth_dst, tvb, 0, 6, dst);
- proto_tree_add_ether(fh_tree, hf_eth_src, tvb, 6, 6, src);
+ proto_tree_add_ether(fh_tree, hf_eth_dst, tvb, 0, 6, dst);
+ proto_tree_add_ether(fh_tree, hf_eth_src, tvb, 6, 6, src);
/* add items for eth.addr filter */
- proto_tree_add_ether_hidden(fh_tree, hf_eth_addr, tvb, 0, 6, dst);
- proto_tree_add_ether_hidden(fh_tree, hf_eth_addr, tvb, 6, 6, src);
-
- proto_tree_add_uint(fh_tree, hf_eth_len, tvb, 12, 2, length);
+ proto_tree_add_ether_hidden(fh_tree, hf_eth_addr, tvb, 0, 6, dst);
+ proto_tree_add_ether_hidden(fh_tree, hf_eth_addr, tvb, 6, 6, src);
}
- /* Convert the LLC length from the 802.3 header to a total
- frame length, by adding in the size of any data that preceded
- the Ethernet header, and adding in the Ethernet header size,
- and set the payload and captured-payload lengths to the minima
- of the total length and the frame lengths.
-
- XXX - when all dissectors are tvbuffified we shouldn't have to
- do this any more. */
- length += eth_offset + ETH_HEADER_SIZE;
- if (pinfo->len > length)
- pinfo->len = length;
- if (pinfo->captured_len > length)
- pinfo->captured_len = length;
+ dissect_802_3(etype, is_802_2, tvb, ETH_HEADER_SIZE, pinfo, tree, fh_tree,
+ hf_eth_len, hf_eth_trailer);
} else {
- ethhdr_type = ETHERNET_II;
- if (check_col(pinfo->fd, COL_INFO))
- col_set_str(pinfo->fd, COL_INFO, "Ethernet II");
- if (tree) {
+ if (eth_interpret_as_fw1_monitor) {
+ call_dissector(fw1_handle, tvb, pinfo, tree);
+ return;
+ }
- ti = proto_tree_add_protocol_format(tree, proto_eth, tvb, 0, ETH_HEADER_SIZE,
- "Ethernet II");
+ if (check_col(pinfo->cinfo, COL_INFO))
+ col_set_str(pinfo->cinfo, COL_INFO, "Ethernet II");
+ if (tree) {
+ ti = proto_tree_add_protocol_format(tree, proto_eth, tvb, 0, ETH_HEADER_SIZE,
+ "Ethernet II, Src: %s, Dst: %s",
+ ether_to_str(src), ether_to_str(dst));
- fh_tree = proto_item_add_subtree(ti, ett_ether2);
+ fh_tree = proto_item_add_subtree(ti, ett_ether2);
- proto_tree_add_ether(fh_tree, hf_eth_dst, tvb, 0, 6, dst);
- proto_tree_add_ether(fh_tree, hf_eth_src, tvb, 6, 6, src);
+ proto_tree_add_ether(fh_tree, hf_eth_dst, tvb, 0, 6, dst);
+ proto_tree_add_ether(fh_tree, hf_eth_src, tvb, 6, 6, src);
/* add items for eth.addr filter */
- proto_tree_add_ether_hidden(fh_tree, hf_eth_addr, tvb, 0, 6, dst);
- proto_tree_add_ether_hidden(fh_tree, hf_eth_addr, tvb, 6, 6, src);
+ proto_tree_add_ether_hidden(fh_tree, hf_eth_addr, tvb, 0, 6, dst);
+ proto_tree_add_ether_hidden(fh_tree, hf_eth_addr, tvb, 6, 6, src);
}
- }
- eth_offset += ETH_HEADER_SIZE;
-
- if (etype <= IEEE_802_3_MAX_LEN) {
- /* Give the next dissector only 'length' number of bytes */
- TRY {
- next_tvb = tvb_new_subset(tvb, ETH_HEADER_SIZE, etype, etype);
- trailer_tvb = tvb_new_subset(tvb, ETH_HEADER_SIZE + etype, -1, -1);
- }
- CATCH2(BoundsError, ReportedBoundsError) {
- /* Either:
-
- the packet doesn't have "etype" bytes worth of
- captured data left in it - or it may not even have
- "etype" bytes worth of data in it, period -
- so the "tvb_new_subset()" creating "next_tvb"
- threw an exception
-
- or
-
- the packet has exactly "etype" bytes worth of
- captured data left in it, so the "tvb_new_subset()"
- creating "trailer_tvb" threw an exception.
-
- In either case, this means that all the data in the frame
- is within the length value, so we give all the data to the
- next protocol and have no trailer. */
- next_tvb = tvb_new_subset(tvb, ETH_HEADER_SIZE, -1, etype);
- trailer_tvb = NULL;
- }
- ENDTRY;
- }
- else {
- next_tvb = NULL; /* "ethertype()" will create the next tvb for us */
- trailer_tvb = NULL; /* we don't know how big the trailer is */
- }
-
- switch (ethhdr_type) {
- case ETHERNET_802_3:
- dissect_ipx(next_tvb, pinfo, tree);
- break;
- case ETHERNET_802_2:
- call_dissector(llc_handle, next_tvb, pinfo, tree);
- break;
- case ETHERNET_II:
- length_before = tvb_reported_length(tvb);
- length = ethertype(etype, tvb, ETH_HEADER_SIZE, pinfo, tree, fh_tree,
- hf_eth_type) + ETH_HEADER_SIZE;
- if (length < length_before) {
- /*
- * Create a tvbuff for the padding.
- */
- TRY {
- trailer_tvb = tvb_new_subset(tvb, length, -1, -1);
- }
- CATCH2(BoundsError, ReportedBoundsError) {
- /* The packet doesn't have "length" bytes worth of captured
- data left in it. No trailer to display. */
- trailer_tvb = NULL;
- }
- ENDTRY;
- }
- break;
- }
- /* If there's some bytes left over, mark them. */
- if (trailer_tvb && tree) {
- guint trailer_length;
-
- trailer_length = tvb_length(trailer_tvb);
- if (trailer_length != 0) {
- proto_tree_add_item(fh_tree, hf_eth_trailer, trailer_tvb, 0,
- trailer_length, FALSE);
- }
+ ethertype(etype, tvb, ETH_HEADER_SIZE, pinfo, tree, fh_tree, hf_eth_type,
+ hf_eth_trailer);
}
-
}
void
{ &hf_eth_dst,
{ "Destination", "eth.dst", FT_ETHER, BASE_NONE, NULL, 0x0,
- "Destination Hardware Address" }},
+ "Destination Hardware Address", HFILL }},
{ &hf_eth_src,
{ "Source", "eth.src", FT_ETHER, BASE_NONE, NULL, 0x0,
- "Source Hardware Address" }},
+ "Source Hardware Address", HFILL }},
{ &hf_eth_len,
{ "Length", "eth.len", FT_UINT16, BASE_DEC, NULL, 0x0,
- "" }},
+ "", HFILL }},
/* registered here but handled in ethertype.c */
{ &hf_eth_type,
{ "Type", "eth.type", FT_UINT16, BASE_HEX, VALS(etype_vals), 0x0,
- "" }},
+ "", HFILL }},
{ &hf_eth_addr,
{ "Source or Destination Address", "eth.addr", FT_ETHER, BASE_NONE, NULL, 0x0,
- "Source or Destination Hardware Address" }},
+ "Source or Destination Hardware Address", HFILL }},
{ &hf_eth_trailer,
{ "Trailer", "eth.trailer", FT_BYTES, BASE_NONE, NULL, 0x0,
- "Ethernet Trailer or Checksum" }},
+ "Ethernet Trailer or Checksum", HFILL }},
};
static gint *ett[] = {
&ett_ieee8023,
&ett_ether2,
};
+ module_t *eth_module;
proto_eth = proto_register_protocol("Ethernet", "Ethernet", "eth");
proto_register_field_array(proto_eth, hf, array_length(hf));
proto_register_subtree_array(ett, array_length(ett));
+ /* Register configuration preferences */
+ eth_module = prefs_register_protocol(proto_eth, NULL);
+ prefs_register_bool_preference(eth_module, "interpret_as_fw1_monitor",
+ "Interpret as FireWall-1 monitor file",
+"Whether the capture file should be interpreted as a CheckPoint FireWall-1 monitor file",
+ ð_interpret_as_fw1_monitor);
+
register_dissector("eth", dissect_eth, proto_eth);
}
void
proto_reg_handoff_eth(void)
{
+ dissector_handle_t eth_handle;
+
/*
- * Get handles for the ISL and LLC dissectors.
+ * Get a handle for the ISL dissector.
*/
isl_handle = find_dissector("isl");
- llc_handle = find_dissector("llc");
+ fw1_handle = find_dissector("fw1");
- dissector_add("wtap_encap", WTAP_ENCAP_ETHERNET, dissect_eth,
- proto_eth);
+ eth_handle = find_dissector("eth");
+ dissector_add("wtap_encap", WTAP_ENCAP_ETHERNET, eth_handle);
+ dissector_add("ethertype", ETHERTYPE_ETHBRIDGE, eth_handle);
+ dissector_add("chdlctype", ETHERTYPE_ETHBRIDGE, eth_handle);
+ dissector_add("gre.proto", ETHERTYPE_ETHBRIDGE, eth_handle);
}