| blob | 043ddd466bea6dc96e60dbd77d9f722adaead9a8 |
1 /* packet-eth.c
2 * Routines for ethernet packet disassembly
3 *
4 * Wireshark - Network traffic analyzer
5 * By Gerald Combs <gerald@wireshark.org>
6 * Copyright 1998 Gerald Combs
7 *
8 * SPDX-License-Identifier: GPL-2.0-or-later
9 */
13 #include <epan/packet.h>
14 #include <epan/exceptions.h>
15 #include <epan/prefs.h>
16 #include <epan/etypes.h>
17 #include <epan/ipproto.h>
18 #include <epan/addr_resolv.h>
19 #include <epan/expert.h>
20 #include <epan/conversation_table.h>
21 #include <epan/conversation_filter.h>
22 #include <epan/capture_dissectors.h>
23 #include <epan/exported_pdu.h>
24 #include <epan/tfs.h>
25 #include <wsutil/pint.h>
40 #include <epan/crc32-tvb.h>
41 #include <wiretap/erf_record.h>
46 #define PADDING_NONE 0
47 #define PADDING_ZEROS 1
48 #define PADDING_ANY 2
52 /* By default, try to autodetect FCS */
55 /* Interpret packets as FW1 monitor file packets if they look as if they are */
57 /* When capturing on a Cisco FEX some frames start with an extra destination mac */
59 /* Preference settings defining conditions for which the CCSDS dissector is called */
65 /* protocols and header fields */
121 #define ETH_HEADER_SIZE 14
125 "Individual address (unicast)"
126 };
129 "Globally unique address (factory default)"
130 };
137 };
144 };
147 {
158 }
162 static tap_packet_status
163 eth_conversation_packet(void *pct, packet_info *pinfo, epan_dissect_t *edt _U_, const void *vip, tap_flags_t flags)
164 {
169 add_conversation_table_data_with_conv_id(hash, &ehdr->src, &ehdr->dst, 0, 0, (conv_id_t)ehdr->stream, 1, pinfo->fd->pkt_len,
173 }
175 static const char* eth_endpoint_get_filter_type(endpoint_item_t* endpoint, conv_filter_type_e filter)
176 {
181 }
185 static tap_packet_status
186 eth_endpoint_packet(void *pit, packet_info *pinfo, epan_dissect_t *edt _U_, const void *vip, tap_flags_t flags)
187 {
192 /* Take two "add" passes per packet, adding for each direction, ensures that all
193 packets are counted properly (even if address is sending to itself)
194 XXX - this could probably be done more efficiently inside endpoint_table */
195 add_endpoint_table_data(hash, &ehdr->src, 0, true, 1, pinfo->fd->pkt_len, ð_endpoint_dissector_info, ENDPOINT_NONE);
196 add_endpoint_table_data(hash, &ehdr->dst, 0, false, 1, pinfo->fd->pkt_len, ð_endpoint_dissector_info, ENDPOINT_NONE);
199 }
201 static bool
203 {
205 }
209 {
213 }
216 /* These are the Netware-ish names for the different Ethernet frame types.
217 EthernetII: The ethernet with a Type field instead of a length field
218 Ethernet802.2: An 802.3 header followed by an 802.2 header
219 Ethernet802.3: A raw 802.3 packet. IPX/SPX can be the only payload.
220 There's no 802.2 hdr in this.
221 EthernetSNAP: Basically 802.2, just with 802.2SNAP. For our purposes,
222 there's no difference between 802.2 and 802.2SNAP, since we just
223 pass it down to the LLC dissector. -- Gilbert
224 */
225 #define ETHERNET_II 0
226 #define ETHERNET_802_2 1
227 #define ETHERNET_802_3 2
228 #define ETHERNET_SNAP 3
230 static bool
231 capture_eth(const unsigned char *pd, int offset, int len, capture_packet_info_t *cpinfo, const union wtap_pseudo_header *pseudo_header)
232 {
242 /* Oh, yuck. Cisco ISL frames require special interpretation of the
243 destination address field; fortunately, they can be recognized by
244 checking the first 5 octets of the destination address, which are
245 01-00-0C-00-00 or 0C-00-0C-00-00 for ISL frames. */
250 }
251 }
253 /*
254 * If the type/length field is <= the maximum 802.3 length,
255 * and is not zero, this is an 802.3 frame, and it's a length
256 * field; it might be an Novell "raw 802.3" frame, with no
257 * 802.2 LLC header, or it might be a frame with an 802.2 LLC
258 * header.
259 *
260 * If the type/length field is >= the minimum Ethernet II length,
261 * this is an Ethernet II frame, and it's a type field.
262 *
263 * If the type/length field is > maximum 802.3 length and < minimum
264 * Ethernet II length, then this is an invalid packet.
265 *
266 * If the type/length field is zero (ETHERTYPE_UNK), this is
267 * a frame used internally by the Cisco MDS switch to contain
268 * Fibre Channel ("Vegas"). We treat that as an Ethernet II
269 * frame; the dissector for those frames registers itself with
270 * an ethernet type of ETHERTYPE_UNK.
271 */
278 /* Is there an 802.2 layer? I can tell by looking at the first 2
279 bytes after the 802.3 header. If they are 0xffff, then what
280 follows the 802.3 header is an IPX payload, meaning no 802.2.
281 (IPX/SPX is they only thing that can be contained inside a
282 straight 802.3 packet). A non-0xffff value means that there's an
283 802.2 layer inside the 802.3 layer */
286 }
289 }
291 /* Convert the LLC length from the 802.3 header to a total
292 frame length, by adding in the size of any data that preceded
293 the Ethernet header, and adding in the Ethernet header size,
294 and set the payload and captured-payload lengths to the minima
295 of the total length and the frame lengths. */
301 }
311 }
314 }
318 static void
320 {
328 };
336 };
344 };
353 }
354 }
355 }
357 static void
359 {
367 }
368 }
372 {
375 /* Initialize the eth protocol data structure to add to the ip conversation */
383 }
387 {
390 /* Did the caller supply the conversation pointer? */
393 }
395 /* Get the data for this conversation */
401 }
405 }
408 }
413 {
421 ethertype_data_t ethertype_data;
424 /* a facility for not duplicating long code */
427 /* Rotating buffer */
428 ehdr_num++;
431 }
451 /*
452 * In case the packet is a non-Ethernet packet inside
453 * Ethernet framing, allow heuristic dissectors to take
454 * a first look before we assume that it's actually an
455 * Ethernet packet.
456 *
457 * Tell the heuristic dissectors what FCS length was reported for
458 * this packet - the non-Ethernet packet might or might not include
459 * the FCS, or might have a different calculation. (Heuristic
460 * dissectors also can't report a number of bytes consumed, so we
461 * can't really handle the "maybefcs" case otherwise.)
462 */
465 if (dissector_try_heuristic(heur_subdissector_list, tvb, pinfo, parent_tree, &hdtbl_entry, &phdr))
469 /* Oh, yuck. Cisco ISL frames require special interpretation of the
470 destination address field; fortunately, they can be recognized by
471 checking the first 5 octets of the destination address, which are
472 01-00-0C-00-00 for ISL frames. */
481 }
482 }
484 /*
485 * If the type/length field is <= the maximum 802.3 length,
486 * and is not zero, this is an 802.3 frame, and it's a length
487 * field; it might be an Novell "raw 802.3" frame, with no
488 * 802.2 LLC header, or it might be a frame with an 802.2 LLC
489 * header.
490 *
491 * If the type/length field is >= the minimum Ethernet II length,
492 * this is an Ethernet II frame, and it's a type field.
493 *
494 * If the type/length field is > maximum 802.3 length and < minimum
495 * Ethernet II length, then this is an invalid packet.
496 *
497 * If the type/length field is zero (ETHERTYPE_UNK), this is
498 * a frame used internally by the Cisco MDS switch to contain
499 * Fibre Channel ("Vegas"). We treat that as an Ethernet II
500 * frame; the dissector for those frames registers itself with
501 * an ethernet type of ETHERTYPE_UNK.
502 */
523 }
536 }
538 /* if IP is not referenced from any filters we don't need to worry about
539 generating any tree items. We must do this after we created the actual
540 protocol above so that proto hier stat still works though.
541 */
545 }
560 }
561 }
570 }
573 }
575 }
588 }
590 /* if we still did not leave the dissection, try identifying any ETH conversation
591 * When deinterlacing was asked and an interface is known, create an _IN conv,
592 * otherwise create an ordinary _NN one.
593 *
594 */
597 /* deinterlacing is requested */
606 }
609 }
611 // identify an existing conversation or create a new one
612 conversation_t *conv_deint = find_conversation_deinterlacer(pinfo->num, &pinfo->src, &pinfo->dst, conv_type,
617 }
618 }
620 conversation_t *conv = find_conversation(pinfo->num, &pinfo->src, &pinfo->dst, conv_type, 0, 0, NO_PORT_X);
624 }
626 /*
627 * while not strictly necessary because there is only 1
628 * conversation between 2 IPs, we still move the last frame
629 * indicator as being a usual practice.
630 */
634 }
635 }
636 }
644 }
645 }
649 }
652 }
654 static void
656 {
658 }
660 /* -------------- */
662 {
669 /* Is there an 802.2 layer? I can tell by looking at the first 2
670 bytes after the 802.3 header. If they are 0xffff, then what
671 follows the 802.3 header is an IPX payload, meaning no 802.2.
672 A non-0xffff value means that there's an 802.2 layer or CCSDS
673 layer inside the 802.3 layer */
675 TRY {
678 }
679 /* Is this a CCSDS payload instead of an 802.2 (LLC)?
680 Check the conditions enabled by the user for CCSDS presence */
687 /* See if the reported payload size matches the
688 size contained in the CCSDS header. */
690 /* The following technique to account for FCS
691 is copied from packet-ieee8023.c dissect_802_3() */
697 }
698 /* Make sure the length in the 802.3 header doesn't go past the end of
699 the payload. */
702 }
703 /* Only allow inspection of 'length' number of bytes. */
708 /* Check if payload is large enough to contain a CCSDS header */
710 /* Compare length to packet length contained in CCSDS header. */
713 }
714 }
715 /* Check if CCSDS Version number (first 3 bits of payload) is zero */
718 /* Check if Secondary Header Flag (4th bit of payload) is set to one. */
721 /* Check if spare bit (1st bit of 7th word of payload) is zero. */
724 /* If all the conditions are true, don't interpret payload as an 802.2 (LLC).
725 * Additional check in packet-802.3.c will distinguish between
726 * IPX and CCSDS packets*/
729 }
730 }
731 CATCH_BOUNDS_ERRORS {
734 }
735 ENDTRY;
737 }
739 /*
740 * Add an Ethernet trailer - which, for some captures, might be the FCS
741 * rather than a pad-to-60-bytes trailer.
742 *
743 * If fcs_len is 0, we assume the frame has no FCS; if it's 4, we assume
744 * it has an FCS; if it's anything else (such as -1, which means "maybe
745 * it does, maybe it doesn't"), we try to infer whether it has an FCS.
746 */
747 void
751 {
752 /* If there're some bytes left over, it could be a combination of:
753 - padding to meet the minimum 64 byte frame length
754 - an FCS, if present (if fcs_len is 0, we know it's not present;
755 if fcs_len is 4, we know it's present; if fcs_len is -1, we
756 need some heuristics to determine whether it's present)
757 - information inserted by TAPs or other network monitoring equipment.
759 If we don't know whether the FCS is present, then, if we don't have a
760 network monitoring trailer, and if the Ethernet frame was claimed to
761 have had 64 or more bytes - i.e., it was at least an FCS worth of data
762 longer than the minimum payload size - we could assume the last 4 bytes
763 of the trailer are an FCS. */
776 /* Theoretically padding is added if the frame length without the FCS is
777 * less than 60 bytes, starting from the addresses. In practice, frames
778 * are often padded so that the length is 60 bytes not counting any tags
779 * before the final Ethertype. (I.e., padding so that the payload portion
780 * is 46.)
781 *
782 * Padding might be added to a frame at one point in a network, and then a
783 * tag or trailer added later without removing the padding. Conversely, a
784 * frame might have padding and a tag and trailer, and then the tag removed,
785 * dropping the frame below 60 octets, leading to more padding at the end,
786 * after the trailer. https://gitlab.com/wireshark/wireshark/-/wikis/PRP
787 * has useful illustrations of both situations. The heuristic trailer
788 * dissectors can try to deal with both situations (though looping through
789 * the trailer bytes increases false positives.)
790 *
791 * By increasing the minimum frame size (padding payload to 46) the former
792 * situation always occurs, and trailers appear at the end. IEEE Std
793 * 802.1Q-2014 G.2.1 "Treatment of PAD fields in IEEE 802.3 frames"
794 * and G.2.3 "Minimum PDU size" specifically state it is permissible for a
795 * Bridge to to adopt a minimum tagged frame length of 68 bytes (64 without
796 * FCS) when 802.1Q is used. Other specs don't directly address this, but
797 * we often see padding on frames that are more than 60 octets without FCS.
798 */
801 /* This is a size at which there definitely should be padding,
802 * which we use with PADDING_ANY to be conservative so we don't
803 * mark any possible trailer as padding. Fo certain cases (tags,
804 * trailers, especially encapsulation like ISL, GSE Bridged Frames)
805 * some padding will be classified as trailer.
806 */
809 /* This is the size up to which there might be padding, if padding
810 * was added before adding tags after the first ethertype.
811 * Use this if we're testing PADDING_ZERO, which is strict.
812 * Consecutive zeroes up to this point will be padding,
813 * anything starting with the first non-zero will be trailer.
814 */
816 }
820 /* XXX: There could be another 4 bytes of padding if a Bridge extends
821 * the minimum frame size of 68 on untagged fraomes, see discussion
822 * above of IEEE 802.1Q Annex G. If we require padding to be zeros,
823 * we could possibly use 64 instead of 60. (Too many false positives
824 * with PADDING_ANY.)
825 */
827 /* Require padding to be zeros */
833 }
834 }
835 }
836 /* If it was determined that we have padding, add it to the tree. */
843 }
844 }
850 /* Try trailer dissection without an FCS */
852 /* Call all ethernet trailer dissectors to dissect the trailer if
853 we actually have a trailer. The PRP trailer dissector wants
854 to know about the payload (LSDU) length. */
859 }
860 }
863 /* If fcs_len is 4, we assume we definitely have an FCS.
864 If fcs_len is -1, if the frame is big enough that, if we
865 have a trailer, it probably includes an FCS, and we have
866 enough space in the trailer for the FCS, and we didn't
867 have a heuristic trailer dissector successfully dissect
868 without an FCS, we assume we have an FCS.
870 "Big enough" means 64 bytes or more; any frame that big
871 needs no trailer, as there's no need to pad an Ethernet
872 packet past 60 bytes.
874 XXX: This is not quite true. See IEEE Std 802.1Q-2014
875 G.2.1 "Treatment of PAD fields in IEEE 802.3 frames" and
876 G.2.3 "Minimum PDU size" and the discussion above.
878 The trailer must be at least 4 bytes long to have enough
879 space for an FCS. */
883 /* Either we know we have an FCS, or we believe we have an FCS. */
885 /* The packet is claimed to have enough data for a 4-byte FCS,
886 but we didn't capture all of the packet.
887 Slice off the 4-byte FCS from the reported length, and
888 trim the captured length so it's no more than the reported
889 length; that will slice off what of the FCS, if any, is
890 in the captured packet. */
895 }
898 /* We captured all of the packet, including what appears to
899 be a 4-byte FCS. Slice it off. */
904 }
909 /* Call all ethernet trailer dissectors to dissect the trailer if
910 we actually have a trailer. */
915 }
916 }
917 }
920 /* No luck with the trailer dissectors, so just display the
921 extra bytes as general trailer */
929 "Padding was assumed, and an undecoded trailer exists. Some of the trailer may have been consumed by padding.");
930 }
933 "Didn't find padding of zeros, and an undecoded trailer exists. There may be padding of non-zeros.");
934 }
935 }
936 }
937 }
941 /* If we don't have the entire header, we can't actually check the FCS.
942 * Dissectors that don't have the entire header (say, a tag) probably
943 * should have set fcs_len to zero in the ethertype_data struct.
944 * XXX: Maybe add an expert info saying why we aren't checking the FCS? */
947 proto_tree_add_checksum(fh_tree, trailer_tvb, padding_length+trailer_length, hf_eth_fcs, hf_eth_fcs_status, &ei_eth_fcs_bad, pinfo, fcs, ENC_BIG_ENDIAN, PROTO_CHECKSUM_VERIFY);
951 }
953 proto_tree_add_checksum(fh_tree, trailer_tvb, padding_length+trailer_length, hf_eth_fcs, hf_eth_fcs_status, &ei_eth_fcs_bad, pinfo, 0, ENC_BIG_ENDIAN, PROTO_CHECKSUM_NO_FLAGS);
954 }
956 }
957 proto_tree_set_appendix(fh_tree, tvb, tvb_captured_length(tvb) - padding_length - trailer_length, padding_length + trailer_length);
958 }
959 }
961 /* Called for the Ethernet Wiretap encapsulation type; pass the FCS length
962 reported to us, if known, otherwise falling back to the "fcs" preference. */
963 static int
965 {
972 /* Use the value reported from Wiretap, if known. */
976 }
978 /* When capturing on a Cisco FEX, some frames (most likely all frames
979 captured without a vntag) have an extra destination mac prepended. */
986 }
988 /* Some devices slice the packet and add their own trailer before
989 putting the frame on the network. Make sure these packets get
990 a proper trailer (even though the sliced frame might not
991 properly dissect. */
996 /* If we have to guess if the trailer includes the FCS, assume not; the
997 * user probably set the "eth_trailer_length" preference to the total
998 * trailer length. The user has already set the preference, so should
999 * have little difficulty changing it or the "fcs" preference if need be.
1000 */
1003 /* Dissect the tvb up to, but not including the trailer */
1009 /* Now handle the ethernet trailer and optional FCS */
1010 next_tvb = tvb_new_subset_remaining(real_tvb, tvb_captured_length(real_tvb) - total_trailer_length);
1015 }
1017 }
1019 /* Called by other dissectors This one's for encapsulated Ethernet
1020 packets that don't include an FCS. */
1021 static int
1023 {
1026 }
1028 /* ...and this one's for encapsulated packets that do. */
1029 static int
1031 {
1034 }
1036 /* ...and this one's for encapsulated packets that might or might not. */
1037 static int
1039 {
1042 }
1044 void
1046 {
1088 /* registered here but handled in packet-ethertype.c */
1104 HFILL }},
1133 "Specifies if this is a locally administered or globally unique (IEEE assigned) address", HFILL }},
1138 "Specifies if this is an individual (unicast) or group (broadcast/multicast) address", HFILL }},
1143 "Specifies if this is a locally administered or globally unique (IEEE assigned) address", HFILL }},
1148 "Specifies if this is an individual (unicast) or group (broadcast/multicast) address", HFILL }},
1153 "Specifies if this is a locally administered or globally unique (IEEE assigned) address", HFILL }},
1158 "Specifies if this is an individual (unicast) or group (broadcast/multicast) address", HFILL }},
1163 };
1169 };
1172 { &ei_eth_invalid_lentype, { "eth.invalid_lentype.expert", PI_PROTOCOL, PI_WARN, "Invalid length/type", EXPFILL }},
1173 { &ei_eth_src_not_group, { "eth.src_not_group", PI_PROTOCOL, PI_WARN, "Source MAC must not be a group address: IEEE 802.3-2002, Section 3.2.3(b)", EXPFILL }},
1175 { &ei_eth_len, { "eth.len.past_end", PI_MALFORMED, PI_ERROR, "Length field value goes past the end of the payload", EXPFILL }},
1176 { &ei_eth_padding_bad, {"eth.padding_bad", PI_PROTOCOL, PI_NOTE, "Padding identification may be inaccurate and impact trailer dissector", EXPFILL }},
1177 };
1188 /* subdissector code */
1189 heur_subdissector_list = register_heur_dissector_list_with_description("eth", "Ethernet framed non-Ethernet data", proto_eth);
1190 eth_trailer_subdissector_list = register_heur_dissector_list_with_description("eth.trailer", "Ethernet trailer", proto_eth);
1192 /* Register configuration preferences */
1198 "Some devices add trailing data to frames. Depending on where this "
1199 "device exists in the network, padding could be added to short "
1200 "frames before the additional trailer. This option determines how "
1202 "Never - Don't detect any padding. Any bytes after the ethernet "
1204 "Zeros (default) - Consecutive bytes of zeros up to the minimum "
1205 "ethernet frame size will be treated as padding. Additional bytes will "
1207 "Any - Any bytes after the payload up to the minimum ethernet frame "
1208 "size will be treated as padding. Additional bytes will be considered "
1214 "Some TAPs add a fixed length ethernet trailer at the end "
1215 "of the frame, but before the (optional) FCS. Make sure it "
1222 "Some Ethernet adapters and drivers include the FCS at the end of a packet, others do not. "
1223 "Some capture file formats and protocols do not indicate whether or not the FCS is included. "
1224 "The Ethernet dissector then attempts to guess whether a captured packet has an FCS, "
1225 "but it cannot always guess correctly. This option can override that heuristic "
1236 "Whether packets should be interpreted as coming from CheckPoint FireWall-1 monitor file if they look as if they do",
1271 eth_withoutfcs_handle = register_dissector("eth_withoutfcs", dissect_eth_withoutfcs, proto_eth);
1280 }
1282 void
1284 {
1285 dissector_handle_t eth_handle;
1286 capture_dissector_handle_t eth_cap_handle;
1288 /* Get a handle for the Firewall-1 dissector. */
1291 /* Get a handle for the ethertype dissector. */
1296 /* This needs a different (& more user-friendly) name than the other tap */
1312 dissector_add_uint("sflow_245.header_protocol", SFLOW_245_HEADER_ETHERNET, eth_withoutfcs_handle);
1322 /*
1323 * This is to handle the output for the Cisco CMTS "cable intercept"
1324 * command - it encapsulates Ethernet frames in UDP packets, but
1325 * the UDP port is user-defined.
1326 */
1341 }
1343 /*
1344 * Editor modelines - https://www.wireshark.org/tools/modelines.html
1345 *
1346 * Local Variables:
1347 * c-basic-offset: 2
1348 * tab-width: 8
1349 * indent-tabs-mode: nil
1350 * End:
1351 *
1352 * ex: set shiftwidth=2 tabstop=8 expandtab:
1353 * :indentSize=2:tabSize=8:noTabs=true:
1354 */