search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
epan/dissectors/pidl/samr/samr.cnf cnf_dissect_lsa_BinaryString => lsarpc_dissect_str...
[wireshark-sm.git] / epan / dissectors / packet-nflog.c
blobcfaafa284878a9d6693dae8f1bc663b9be620247
1 /* packet-nflog.c
2 * Copyright 2011,2012 Jakub Zawadzki <darkjames-ws@darkjames.pl>
3 *
4 * Wireshark - Network traffic analyzer
5 * By Gerald Combs <gerald@wireshark.org>
6 * Copyright 1998
7 *
8 * SPDX-License-Identifier: GPL-2.0-or-later
9 */
10 #include "config.h"
11
12 #include <epan/etypes.h>
13 #include <epan/packet.h>
14 #include <wiretap/wtap.h>
15 #include <wsutil/ws_roundup.h>
16
17 #include "packet-netlink.h"
18
19 void proto_register_nflog(void);
20 void proto_reg_handoff_nflog(void);
21
22 /* nfulnl_attr_type enum from <linux/netfilter/nfnetlink_log.h> */
23 enum ws_nfulnl_attr_type {
24 WS_NFULA_UNSPEC,
25 WS_NFULA_PACKET_HDR,
26 WS_NFULA_MARK, /* __u32 nfmark */
27 WS_NFULA_TIMESTAMP, /* nfulnl_msg_packet_timestamp */
28 WS_NFULA_IFINDEX_INDEV, /* __u32 ifindex */
29 WS_NFULA_IFINDEX_OUTDEV, /* __u32 ifindex */
30 WS_NFULA_IFINDEX_PHYSINDEV, /* __u32 ifindex */
31 WS_NFULA_IFINDEX_PHYSOUTDEV, /* __u32 ifindex */
32 WS_NFULA_HWADDR, /* nfulnl_msg_packet_hw */
33 WS_NFULA_PAYLOAD, /* opaque data payload */
34 WS_NFULA_PREFIX, /* string prefix */
35 WS_NFULA_UID, /* user id of socket */
36 WS_NFULA_SEQ, /* instance-local sequence number */
37 WS_NFULA_SEQ_GLOBAL, /* global sequence number */
38 WS_NFULA_GID, /* group id of socket */
39 WS_NFULA_HWTYPE, /* hardware type */
40 WS_NFULA_HWHEADER, /* hardware header */
41 WS_NFULA_HWLEN /* hardware header length */
42 };
43
44 static const value_string nflog_tlv_vals[] = {
45 { WS_NFULA_UNSPEC, "NFULA_UNSPEC" },
46 { WS_NFULA_PACKET_HDR, "NFULA_PACKET_HDR" },
47 { WS_NFULA_MARK, "NFULA_MARK" },
48 { WS_NFULA_TIMESTAMP, "NFULA_TIMESTAMP" },
49 { WS_NFULA_IFINDEX_INDEV, "NFULA_IFINDEX_INDEV" },
50 { WS_NFULA_IFINDEX_OUTDEV, "NFULA_IFINDEX_OUTDEV" },
51 { WS_NFULA_IFINDEX_PHYSINDEV, "NFULA_IFINDEX_PHYSINDEV" },
52 { WS_NFULA_IFINDEX_PHYSOUTDEV, "NFULA_IFINDEX_PHYSOUTDEV" },
53 { WS_NFULA_HWADDR, "NFULA_HWADDR" },
54 { WS_NFULA_PAYLOAD, "NFULA_PAYLOAD" },
55 { WS_NFULA_PREFIX, "NFULA_PREFIX" },
56 { WS_NFULA_UID, "NFULA_UID" },
57 { WS_NFULA_SEQ, "NFULA_SEQ" },
58 { WS_NFULA_SEQ_GLOBAL, "NFULA_SEQ_GLOBAL" },
59 { WS_NFULA_GID, "NFULA_GID" },
60 { WS_NFULA_HWTYPE, "NFULA_HWTYPE" },
61 { WS_NFULA_HWHEADER, "NFULA_HWHEADER" },
62 { WS_NFULA_HWLEN, "NFULA_HWLEN" },
63 { 0, NULL }
64 };
65
66 static int proto_nflog;
67
68 static int hf_nflog_family;
69 static int hf_nflog_resid;
70 static int hf_nflog_tlv;
71 static int hf_nflog_tlv_gid;
72 static int hf_nflog_tlv_hook;
73 static int hf_nflog_tlv_hwprotocol;
74 static int hf_nflog_tlv_ifindex_indev;
75 static int hf_nflog_tlv_ifindex_outdev;
76 static int hf_nflog_tlv_ifindex_physindev;
77 static int hf_nflog_tlv_ifindex_physoutdev;
78 static int hf_nflog_tlv_length;
79 static int hf_nflog_tlv_prefix;
80 static int hf_nflog_tlv_timestamp;
81 static int hf_nflog_tlv_type;
82 static int hf_nflog_tlv_uid;
83 static int hf_nflog_tlv_unknown;
84 static int hf_nflog_version;
85
86 static int ett_nflog;
87 static int ett_nflog_tlv;
88
89 static dissector_handle_t ip_handle;
90 static dissector_handle_t ip6_handle;
91 static dissector_table_t ethertype_table;
92 static dissector_handle_t nflog_handle;
93
94 static int
95 dissect_nflog(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
96 {
97 const int start_tlv_offset = 4;
98
99 proto_tree *nflog_tree = NULL;
100 proto_item *ti;
101
102 int offset = 0;
103
104 tvbuff_t *next_tvb = NULL;
105 int pf;
106 uint16_t hw_protocol = 0;
107
108 col_set_str(pinfo->cinfo, COL_PROTOCOL, "NFLOG");
109 col_clear(pinfo->cinfo, COL_INFO);
110
111 pf = tvb_get_uint8(tvb, 0);
112
113 /* Header */
114 if (proto_field_is_referenced(tree, proto_nflog)) {
115 ti = proto_tree_add_item(tree, proto_nflog, tvb, 0, -1, ENC_NA);
116 nflog_tree = proto_item_add_subtree(ti, ett_nflog);
117
118 proto_tree_add_item(nflog_tree, hf_nflog_family, tvb, offset, 1, ENC_NA);
119 offset += 1;
120
121 proto_tree_add_item(nflog_tree, hf_nflog_version, tvb, offset, 1, ENC_NA);
122 offset += 1;
123
124 proto_tree_add_item(nflog_tree, hf_nflog_resid, tvb, offset, 2, ENC_BIG_ENDIAN);
125 /*offset += 2;*/
126 }
127
128 offset = start_tlv_offset;
129 /* TLVs */
130 while (tvb_reported_length_remaining(tvb, offset) >= 4) {
131 uint16_t tlv_len = tvb_get_h_uint16(tvb, offset + 0);
132 uint16_t tlv_type;
133 uint16_t value_len;
134
135 proto_tree *tlv_tree;
136
137 /* malformed */
138 if (tlv_len < 4)
139 return offset;
140
141 value_len = tlv_len - 4;
142 tlv_type = (tvb_get_h_uint16(tvb, offset + 2) & 0x7fff);
143
144 if (nflog_tree) {
145 bool handled = false;
146
147 ti = proto_tree_add_bytes_format(nflog_tree, hf_nflog_tlv,
148 tvb, offset, tlv_len, NULL,
149 "TLV Type: %s (%u), Length: %u",
150 val_to_str_const(tlv_type, nflog_tlv_vals, "Unknown"),
151 tlv_type, tlv_len);
152 tlv_tree = proto_item_add_subtree(ti, ett_nflog_tlv);
153
154 proto_tree_add_item(tlv_tree, hf_nflog_tlv_length, tvb, offset + 0, 2, ENC_HOST_ENDIAN);
155 proto_tree_add_item(tlv_tree, hf_nflog_tlv_type, tvb, offset + 2, 2, ENC_HOST_ENDIAN);
156 switch (tlv_type) {
157 case WS_NFULA_PACKET_HDR:
158 if (value_len == 4) {
159 proto_tree_add_item(tlv_tree, hf_nflog_tlv_hwprotocol,
160 tvb, offset + 4, 2, ENC_BIG_ENDIAN);
161 proto_tree_add_item(tlv_tree, hf_nflog_tlv_hook,
162 tvb, offset + 6, 1, ENC_NA);
163 handled = true;
164 }
165 break;
166
167 case WS_NFULA_IFINDEX_INDEV:
168 if (value_len == 4) {
169 proto_tree_add_item(tlv_tree, hf_nflog_tlv_ifindex_indev, tvb, offset + 4, value_len, ENC_BIG_ENDIAN);
170 handled = true;
171 }
172 break;
173
174 case WS_NFULA_IFINDEX_OUTDEV:
175 if (value_len == 4) {
176 proto_tree_add_item(tlv_tree, hf_nflog_tlv_ifindex_outdev, tvb, offset + 4, value_len, ENC_BIG_ENDIAN);
177 handled = true;
178 }
179 break;
180
181 case WS_NFULA_IFINDEX_PHYSINDEV:
182 if (value_len == 4) {
183 proto_tree_add_item(tlv_tree, hf_nflog_tlv_ifindex_physindev, tvb, offset + 4, value_len, ENC_BIG_ENDIAN);
184 handled = true;
185 }
186 break;
187
188 case WS_NFULA_IFINDEX_PHYSOUTDEV:
189 if (value_len == 4) {
190 proto_tree_add_item(tlv_tree, hf_nflog_tlv_ifindex_physoutdev, tvb, offset + 4, value_len, ENC_BIG_ENDIAN);
191 handled = true;
192 }
193 break;
194
195 case WS_NFULA_PAYLOAD:
196 handled = true;
197 break;
198
199 case WS_NFULA_PREFIX:
200 if (value_len >= 1) {
201 proto_tree_add_item(tlv_tree, hf_nflog_tlv_prefix,
202 tvb, offset + 4, value_len, ENC_ASCII);
203 handled = true;
204 }
205 break;
206
207 case WS_NFULA_UID:
208 if (value_len == 4) {
209 proto_tree_add_item(tlv_tree, hf_nflog_tlv_uid,
210 tvb, offset + 4, value_len, ENC_BIG_ENDIAN);
211 handled = true;
212 }
213 break;
214
215 case WS_NFULA_GID:
216 if (value_len == 4) {
217 proto_tree_add_item(tlv_tree, hf_nflog_tlv_gid,
218 tvb, offset + 4, value_len, ENC_BIG_ENDIAN);
219 handled = true;
220 }
221 break;
222
223 case WS_NFULA_TIMESTAMP:
224 if (value_len == 16) {
225 /*
226 * 64-bit seconds and 64-bit microseconds.
227 *
228 * XXX - add an "expert info" warning if the
229 * microseconds are >= 10^6?
230 */
231 proto_tree_add_item(tlv_tree, hf_nflog_tlv_timestamp,
232 tvb, offset + 4, value_len,
233 ENC_TIME_SECS_USECS|ENC_BIG_ENDIAN);
234 handled = true;
235 }
236 break;
237 }
238
239 if (!handled)
240 proto_tree_add_item(tlv_tree, hf_nflog_tlv_unknown,
241 tvb, offset + 4, value_len, ENC_NA);
242 }
243
244 if (tlv_type == WS_NFULA_PACKET_HDR && value_len == 4)
245 hw_protocol = tvb_get_ntohs(tvb, offset + 4);
246 if (tlv_type == WS_NFULA_PAYLOAD)
247 next_tvb = tvb_new_subset_length(tvb, offset + 4, value_len);
248
249 offset += WS_ROUNDUP_4(tlv_len); /* next TLV aligned to 4B */
250 }
251
252 if (next_tvb && hw_protocol) {
253 if (!dissector_try_uint(ethertype_table, hw_protocol, next_tvb, pinfo, tree))
254 call_data_dissector(next_tvb, pinfo, tree);
255 } else if (next_tvb) {
256 switch (pf) {
257 /* Note: NFPROTO_INET is not supposed to appear here, it is mapped
258 * to NFPROTO_IPV4 or NFPROTO_IPV6 */
259 case WS_NFPROTO_IPV4:
260 call_dissector(ip_handle, next_tvb, pinfo, tree);
261 break;
262 case WS_NFPROTO_IPV6:
263 call_dissector(ip6_handle, next_tvb, pinfo, tree);
264 break;
265 default:
266 call_data_dissector(next_tvb, pinfo, tree);
267 break;
268 }
269 }
270 return tvb_captured_length(tvb);
271 }
272
273 void
274 proto_register_nflog(void)
275 {
276 static hf_register_info hf[] = {
277 { &hf_nflog_family,
278 { "Family", "nflog.family",
279 FT_UINT8, BASE_DEC, VALS(nfproto_family_vals), 0x00,
280 NULL, HFILL }
281 },
282 { &hf_nflog_version,
283 { "Version", "nflog.version",
284 FT_UINT8, BASE_DEC, NULL, 0x00,
285 NULL, HFILL }
286 },
287 { &hf_nflog_resid,
288 { "Resource id", "nflog.res_id",
289 FT_UINT16, BASE_DEC, NULL, 0x00,
290 NULL, HFILL }
291 },
292 { &hf_nflog_tlv,
293 { "TLV", "nflog.tlv",
294 FT_BYTES, BASE_NONE, NULL, 0x00,
295 NULL, HFILL }
296 },
297 { &hf_nflog_tlv_length,
298 { "Length", "nflog.tlv_length",
299 FT_UINT16, BASE_DEC, NULL, 0x00,
300 "TLV Length", HFILL }
301 },
302 { &hf_nflog_tlv_type,
303 { "Type", "nflog.tlv_type",
304 FT_UINT16, BASE_DEC, VALS(nflog_tlv_vals), 0x7fff,
305 "TLV Type", HFILL }
306 },
307 { &hf_nflog_tlv_hwprotocol,
308 { "HW protocol", "nflog.protocol",
309 FT_UINT16, BASE_HEX, VALS(etype_vals), 0x00,
310 NULL, HFILL }
311 },
312 { &hf_nflog_tlv_hook,
313 { "Netfilter hook", "nflog.hook",
314 FT_UINT8, BASE_DEC, VALS(netfilter_hooks_vals), 0x00,
315 NULL, HFILL }
316 },
317 { &hf_nflog_tlv_ifindex_indev,
318 { "IFINDEX_INDEV", "nflog.ifindex_indev",
319 FT_UINT32, BASE_DEC, NULL, 0x00,
320 NULL, HFILL }
321 },
322 { &hf_nflog_tlv_ifindex_outdev,
323 { "IFINDEX_OUTDEV", "nflog.ifindex_outdev",
324 FT_UINT32, BASE_DEC, NULL, 0x00,
325 NULL, HFILL }
326 },
327 { &hf_nflog_tlv_ifindex_physindev,
328 { "IFINDEX_PHYSINDEV", "nflog.ifindex_physindev",
329 FT_UINT32, BASE_DEC, NULL, 0x00,
330 NULL, HFILL }
331 },
332 { &hf_nflog_tlv_ifindex_physoutdev,
333 { "IFINDEX_PHYSOUTDEV", "nflog.ifindex_physoutdev",
334 FT_UINT32, BASE_DEC, NULL, 0x00,
335 NULL, HFILL }
336 },
337 { &hf_nflog_tlv_prefix,
338 { "Prefix", "nflog.prefix",
339 FT_STRINGZ, BASE_NONE, NULL, 0x00,
340 "TLV Prefix Value", HFILL }
341 },
342 { &hf_nflog_tlv_uid,
343 { "UID", "nflog.uid",
344 FT_INT32, BASE_DEC, NULL, 0x00,
345 "TLV UID Value", HFILL }
346 },
347 { &hf_nflog_tlv_gid,
348 { "GID", "nflog.gid",
349 FT_INT32, BASE_DEC, NULL, 0x00,
350 "TLV GID Value", HFILL }
351 },
352 { &hf_nflog_tlv_timestamp,
353 { "Timestamp", "nflog.timestamp",
354 FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL, NULL, 0x00,
355 "TLV Timestamp Value", HFILL }
356 },
357 { &hf_nflog_tlv_unknown,
358 { "Value", "nflog.tlv_value",
359 FT_BYTES, BASE_NONE, NULL, 0x00,
360 "TLV Value", HFILL }
361 },
362 };
363
364 static int *ett[] = {
365 &ett_nflog,
366 &ett_nflog_tlv
367 };
368
369 proto_nflog = proto_register_protocol("Linux Netfilter NFLOG", "NFLOG", "nflog");
370
371 nflog_handle = register_dissector("nflog", dissect_nflog, proto_nflog);
372
373 proto_register_field_array(proto_nflog, hf, array_length(hf));
374 proto_register_subtree_array(ett, array_length(ett));
375
376 }
377
378 void
379 proto_reg_handoff_nflog(void)
380 {
381 ip_handle = find_dissector_add_dependency("ip", proto_nflog);
382 ip6_handle = find_dissector_add_dependency("ipv6", proto_nflog);
383
384 dissector_add_uint("wtap_encap", WTAP_ENCAP_NFLOG, nflog_handle);
385 ethertype_table = find_dissector_table("ethertype");
386 }
387
388 /*
389 * Editor modelines
390 *
391 * Local Variables:
392 * c-basic-offset: 4
393 * tab-width: 8
394 * indent-tabs-mode: nil
395 * End:
396 *
397 * ex: set shiftwidth=4 tabstop=8 expandtab:
398 * :indentSize=4:tabSize=8:noTabs=true:
399 */
Metzes wireshark repo