search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Revert "TODO epan/dissectors/asn1/kerberos/packet-kerberos-template.c new GSS flags"
[wireshark-sm.git] / epan / dissectors / packet-pcap_pktdata.c
blob56b91db03b49046846d07e891a008047e9d406b0
1 /* packet-pcap_pktdata.c
2 * Dissect packet data from a pcap or pcapng file or from a "remote pcap"
3 * protocol.
4 *
5 * Copyright 2015, Michal Labedzki for Tieto Corporation
6 *
7 * Wireshark - Network traffic analyzer
8 * By Gerald Combs <gerald@wireshark.org>
9 * Copyright 1998 Gerald Combs
10 *
11 * SPDX-License-Identifier: GPL-2.0-or-later
12 */
13
14 #include "config.h"
15
16 #include <epan/packet.h>
17 #include <epan/expert.h>
18
19 #include <wiretap/pcap-encap.h>
20
21 #include "packet-pcap_pktdata.h"
22
23 void proto_register_pcap_pktdata(void);
24 void proto_reg_handoff_pcap_pktdata(void);
25
26 static int proto_pcap_pktdata;
27
28 static int hf_pcap_pktdata_pseudoheader;
29 static int hf_pcap_pktdata_pseudoheader_bluetooth_direction;
30 static int hf_pcap_pktdata_undecoded_data;
31
32 static int ett_pcap_pktdata_pseudoheader;
33
34 static expert_field ei_pcap_pktdata_linktype_unknown;
35 static expert_field ei_pcap_pktdata_cant_generate_phdr;
36
37 static dissector_table_t wtap_encap_table;
38
39 /*
40 * Link-layer header type values.
41 *
42 * Includes both the official documented values from
43 *
44 * http://www.tcpdump.org/linktypes.html
45 *
46 * and values not listed there. The names are, in most cases, the
47 * LINKTYPE_ names with LINKTYPE_ stripped off.
48 */
49 const value_string link_type_vals[] = {
50 { 0, "NULL" },
51 { 1, "ETHERNET" },
52 { 2, "EXP_ETHERNET" }, /* 3Mb experimental Ethernet */
53 { 3, "AX25" },
54 { 4, "PRONET" }, /* Proteon PRONET */
55 { 5, "CHAOS" }, /* MIT Chaosnet */
56 { 6, "IEEE802_5" },
57 { 7, "ARCNET_BSD" },
58 { 8, "SLIP" },
59 { 9, "PPP" },
60 { 10, "FDDI" },
61 { 32, "REDBACK" }, /* Redback SmartEdge 400/800 */
62 { 50, "PPP_HDLC" },
63 { 51, "PPP_ETHER" },
64 { 99, "SYMANTEC_FIREWALL" },
65 { 100, "ATM_RFC1483" },
66 { 101, "RAW" },
67 { 102, "BSD/OS SLIP" },
68 { 103, "BSD/OS PPP" },
69 { 104, "C_HDLC" },
70 { 105, "IEEE802_11" },
71 { 106, "LINUX_ATM_CLIP" },
72 { 107, "FRELAY" },
73 { 108, "LOOP" },
74 { 109, "ENC" },
75 { 110, "LANE8023" }, /* ATM LANE + 802.3 */
76 { 111, "HIPPI" }, /* NetBSD HIPPI */
77 { 112, "HDLC" }, /* NetBSD HDLC framing */
78 { 113, "LINUX_SLL" },
79 { 114, "LTALK" },
80 { 115, "ECONET" }, /* Acorn Econet */
81 { 116, "IPFILTER" }, /* Reserved for use with OpenBSD ipfilter */
82 { 117, "PFLOG" },
83 { 118, "CISCO_IOS" }, /* for Cisco-internal use */
84 { 119, "IEEE802_11_PRISM" },
85 { 120, "IEEE802_11_AIRONET" }, /* 802.11 plus FreeBSD Aironet drive metadata header */
86 { 121, "HHDLC" }, /* reserved for Siemens HiPath HDLC - never used */
87 { 122, "IP_OVER_FC" },
88 { 123, "SUNATM" },
89 { 124, "RIO" }, /* Private use for RapidIO */
90 { 125, "PCI_EXP" }, /* Private use for PCI Express */
91 { 126, "AURORA" }, /* Xilinx Aurora link layer */
92 { 127, "IEEE802_11_RADIOTAP" },
93 { 128, "TZSP" }, /* reserved for TZSP encapsulation - never used */
94 { 129, "ARCNET_LINUX" },
95 { 130, "JUNIPER_MLPPP" }, /* Juniper-private, but handled by tcpdump and Wireshark */
96 { 131, "JUNIPER_MLFR" }, /* Juniper-private, but handled by tcpdump and Wireshark */
97 { 132, "JUNIPER_ES" }, /* Juniper-private, but handled by tcpdump */
98 { 133, "JUNIPER_GGSN" }, /* Juniper-private, but handled by tcpdump and Wireshark */
99 { 134, "JUNIPER_MFR" }, /* Juniper-private, but handled by tcpdump and Wireshark */
100 { 135, "JUNIPER_ATM2" }, /* Juniper-private, but handled by tcpdump and Wireshark */
101 { 136, "JUNIPER_SVCS" }, /* Juniper-private, but handled by tcpdump and Wireshark */
102 { 137, "JUNIPER_ATM1" }, /* Juniper-private, but handled by tcpdump and Wireshark */
103 { 138, "APPLE_IP_OVER_IEEE1394" },
104 { 139, "MTP2_WITH_PHDR" },
105 { 140, "MTP2" },
106 { 141, "MTP3" },
107 { 142, "SCCP" },
108 { 143, "DOCSIS" },
109 { 144, "LINUX_IRDA" },
110 { 145, "IBM_SP" }, /* Reserved for IBM SP switch */
111 { 146, "IBM_SN" }, /* Reserved for IBM Next Federation switch */
112 { 147, "USER_0" },
113 { 148, "USER_1" },
114 { 149, "USER_2" },
115 { 150, "USER_3" },
116 { 151, "USER_4" },
117 { 152, "USER_5" },
118 { 153, "USER_6" },
119 { 154, "USER_7" },
120 { 155, "USER_8" },
121 { 156, "USER_9" },
122 { 157, "USER_10" },
123 { 158, "USER_11" },
124 { 159, "USER_12" },
125 { 160, "USER_13" },
126 { 161, "USER_14" },
127 { 162, "USER_15" },
128 { 163, "IEEE802_11_AVS" },
129 { 164, "JUNIPER_MONITOR" }, /* Juniper-private, but handled by tcpdump */
130 { 165, "BACNET_MS_TP" },
131 { 166, "PPP_PPPD" },
132 { 167, "JUNIPER_PPPOE" }, /* Juniper-private, but handled by tcpdump and Wireshark */
133 { 168, "JUNIPER_PPPOE_ATM" }, /* Juniper-private, but handled by tcpdump */
134 { 169, "GPRS_LLC" },
135 { 170, "GPF_T" }, /* GPF-T (ITU-T G.7041/Y.1303) */
136 { 171, "GPF_F" }, /* GPF-F (ITU-T G.7041/Y.1303) */
137 { 172, "GCOM_TIE1" }, /* Reserved for Gcom's T1/E1 line monitoring equipment */
138 { 173, "GCOM_SERIAL" }, /* Reserved for Gcom's T1/E1 line monitoring equipment */
139 { 174, "JUNIPER_PIC_PEER" }, /* Juniper-private */
140 { 175, "ERF_ETH" }, /* ERF header followed by Ethernet */
141 { 176, "ERF_POS" }, /* ERF header followed by Packet-over-SONET */
142 { 177, "LINUX_LAPD" },
143 { 178, "JUNIPER_ETHER" }, /* Juniper-private, but handled by tcpdump and Wireshark */
144 { 179, "JUNIPER_PPP" }, /* Juniper-private, but handled by tcpdump and Wireshark */
145 { 180, "JUNIPER_FRELAY" }, /* Juniper-private, but handled by tcpdump and Wireshark */
146 { 181, "JUNIPER_CHDLC" }, /* Juniper-private, but handled by tcpdump and Wireshark */
147 { 182, "MFR" }, /* Multi Link Frame Relay (FRF.16) */
148 { 183, "JUNIPER_VP" }, /* Juniper-private, but handled by tcpdump and Wireshark */
149 { 184, "A429" }, /* Arinc 429 frames */
150 { 185, "A653_ICM" }, /* Aricn 653 Interpartition Communication messages */
151 { 186, "USB" }, /* Older USB header */
152 { 187, "BLUETOOTH_HCI_H4" },
153 { 188, "IEEE802_16_MAC_CPS" }, /* IEEE 802.16 MAC Common Part Sublayer */
154 { 189, "USB_LINUX" },
155 { 190, "CAN20B" }, /* CAN v2.0B packets */
156 { 191, "IEEE802_15_4_LINUX" }, /* IEEE 802.15.4, with address fields padded, as is done by Linux drivers */
157 { 192, "PPI" },
158 { 193, "IEEE802_16_MAC_CPS_RADIO" }, /* 802.16 MAC Common Part Sublayer plus a radiotap radio header */
159 { 194, "JUNIPER_ISM" }, /* Juniper-private */
160 { 195, "IEEE802_15_4" },
161 { 196, "SITA" },
162 { 197, "ERF" },
163 { 198, "RAIF1" }, /* Special header prepended to Ethernet packets when capturing from a u10 Networks board */
164 { 199, "IPMB" }, /* IPMB packet for IPMI */
165 { 200, "JUNIPER_ST" }, /* Juniper-private */
166 { 201, "BLUETOOTH_HCI_H4_WITH_PHDR" },
167 { 202, "AX25_KISS" },
168 { 203, "LAPD" },
169 { 204, "PPP_WITH_DIR" },
170 { 205, "C_HDLC_WITH_DIR" },
171 { 206, "FRELAY_WITH_DIR" },
172 { 207, "LAPB_WITH_DIR" }, /* LAPB with direction pseudo-header */
173 { 209, "I2C_LINUX" },
174 { 210, "FLEXRAY" }, /* FlexRay automotive bus */
175 { 211, "MOST" }, /* Media Oriented Systems Transport */
176 { 212, "LIN" }, /* Local Interconnect Network */
177 { 213, "X2E_SERIAL" }, /* X2E-private for serial line capture */
178 { 214, "X2E_XORAYA" }, /* X2E-private for Xoraya data logger family */
179 { 215, "IEEE802_15_4_NONASK_PHY" },
180 { 216, "LINUX_EVDEV" }, /* Linux evdev messages */
181 { 217, "GSMTAP_UM" }, /* "gsmtap" header followed by GSM Um interface packets */
182 { 218, "GSMTAP_Abis" }, /* "gsmtap" header followed by GSM Abis interface packets */
183 { 219, "MPLS" }, /* MPLS label (stack?) as the link-layer header */
184 { 220, "USB_LINUX_MMAPPED" },
185 { 221, "DECT" }, /* DECT packets, with a pseudo-header */
186 { 222, "AOS" }, /* AOS Space Data Link Protocol */
187 { 223, "WIHART" }, /* Wireless HART */
188 { 224, "FC_2" },
189 { 225, "FC_2_WITH_FRAME_DELIMS" },
190 { 226, "IPNET" },
191 { 227, "CAN_SOCKETCAN" },
192 { 228, "IPV4" },
193 { 229, "IPV6" },
194 { 230, "IEEE802_15_4_NOFCS" },
195 { 231, "DBUS" },
196 { 232, "JUNIPER_VS" }, /* Juniper-private */
197 { 233, "JUNIPER_SRX_E2E" }, /* Juniper-private */
198 { 234, "JUNIPER_FIBRECHANNEL" }, /* Juniper-private */
199 { 235, "DVB_CI" },
200 { 236, "MUX27010" },
201 { 237, "STANAG_5066_D_PDU" },
202 { 238, "JUNIPER_ATM_CEMIC" }, /* Juniper-private */
203 { 239, "NFLOG" },
204 { 240, "NETANALYZER" },
205 { 241, "NETANALYZER_TRANSPARENT" },
206 { 242, "IPOIB" },
207 { 243, "MPEG_2_TS" },
208 { 244, "NG40" },
209 { 245, "NFC_LLCP" },
210 { 246, "PFSYNC" },
211 { 247, "INFINIBAND" },
212 { 248, "SCTP" },
213 { 249, "USBPCAP" },
214 { 250, "RTAC_SERIAL" },
215 { 251, "BLUETOOTH_LE_LL" },
216 { 252, "WIRESHARK_UPPER_PDU" }, /* Upper-layer protocol saves from Wireshark */
217 { 253, "NETLINK" },
218 { 254, "BLUETOOTH_LINUX_MONITOR" },
219 { 255, "BLUETOOTH_BREDR_BB" },
220 { 256, "BLUETOOTH_LE_LL_WITH_PHDR" },
221 { 257, "PROFIBUS_DL" },
222 { 258, "PKTAP" },
223 { 259, "EPON" },
224 { 260, "IPMI_HPM_2" },
225 { 261, "ZWAVE_R1_R2" },
226 { 262, "ZWAVE_R3" },
227 { 263, "WATTSTOPPER_DLM" },
228 { 264, "ISO_14443" },
229 { 265, "RDS" },
230 { 266, "USB_DARWIN" },
231 { 267, "OPENFLOW" },
232 { 268, "SDLC" },
233 { 269, "TI_LLN_SNIFFER" },
234 { 270, "LORATAP" },
235 { 271, "VSOCK" },
236 { 272, "NORDIC_BLE" },
237 { 273, "DOCSIS31_XRA31" },
238 { 274, "ETHERNET_MPACKET" },
239 { 275, "DISPLAYPORT_AUX" },
240 { 276, "LINUX_SLL2" },
241 { 277, "SERCOS_MONITOR" },
242 { 278, "OPENVIZSLA" },
243 { 279, "EBHSCR" },
244 { 280, "VPP_DISPATCH" },
245 { 281, "DSA_TAG_BRCM" },
246 { 282, "DSA_TAG_BRCM_PREPEND" },
247 { 283, "IEEE802_15_4_TAP" },
248 { 284, "DSA_TAG_DSA" },
249 { 285, "DSA_TAG_EDSA" },
250 { 286, "ELEE" },
251 { 288, "USB_2_0" },
252 { 289, "ATSC_ALP" },
253 { 290, "ETW" },
254 { 291, "NETANALYZER_NG" },
255 { 292, "ZBOSS_NCP" },
256 { 293, "USB_2_0_LOW_SPEED" },
257 { 294, "USB_2_0_FULL_SPEED" },
258 { 295, "USB_2_0_HIGH_SPEED" },
259 { 296, "AUERSWALD_LOG" },
260 { 297, "ZWAVE_TAP" },
261 { 298, "SILABS_DEBUG_CHANNEL" },
262 { 299, "FIRA_UCI" },
263 { 300, "MDB" },
264 { 301, "DECT_NR" },
265 { 0, NULL }
266 };
267
268 static const value_string pseudoheader_bluetooth_direction_vals[] = {
269 { 0, "Sent" },
270 { 1, "Recv" },
271 { 0, NULL }
272 };
273
274 static int
275 dissect_pcap_pktdata(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data)
276 {
277 int offset = 0;
278 uint32_t *link_type;
279 tvbuff_t *next_tvb;
280 proto_item *pseudoheader_item;
281 proto_tree *pseudoheader_tree = NULL;
282 proto_item *packet_item;
283 struct eth_phdr eth;
284 void *phdr;
285
286 DISSECTOR_ASSERT(data);
287
288 link_type = (uint32_t *) data;
289
290 /*
291 * We're passed a pointer to a LINKTYPE_ value.
292 * Find the Wiretap encapsulation for that value.
293 */
294 pinfo->rec->rec_header.packet_header.pkt_encap = wtap_pcap_encap_to_wtap_encap(*link_type);
295
296 /*
297 * Do we know that type?
298 */
299 if (pinfo->rec->rec_header.packet_header.pkt_encap == WTAP_ENCAP_UNKNOWN) {
300 /*
301 * Nothing we know.
302 * Just report that and give up.
303 */
304 packet_item = proto_tree_add_item(tree, hf_pcap_pktdata_undecoded_data, tvb, offset, tvb_reported_length(tvb), ENC_NA);
305 expert_add_info_format(pinfo, packet_item,
306 &ei_pcap_pktdata_linktype_unknown,
307 "Link-layer header type %u is not supported",
308 *link_type);
309 return tvb_captured_length(tvb);
310 }
311
312 /*
313 * You can't just call an arbitrary subdissector based on a
314 * WTAP_ENCAP_ value, because they may expect a particular
315 * pseudo-header to be passed to them, and may not accept
316 * a null pseudo-header pointer.
317 *
318 * First, check whether this WTAP_ENCAP_ value corresponds
319 * to a link-layer header type where Wiretap generates a
320 * pseudo-header from the bytes at the beginning of the
321 * packet data.
322 */
323 if (wtap_encap_requires_phdr(pinfo->rec->rec_header.packet_header.pkt_encap)) {
324 /*
325 * It does. Do we have code to do that?
326 */
327 switch (pinfo->rec->rec_header.packet_header.pkt_encap) {
328
329 case WTAP_ENCAP_BLUETOOTH_H4_WITH_PHDR:
330 pseudoheader_item = proto_tree_add_item(tree, hf_pcap_pktdata_pseudoheader, tvb, offset, 4, ENC_NA);
331 pseudoheader_tree = proto_item_add_subtree(pseudoheader_item, ett_pcap_pktdata_pseudoheader);
332 proto_tree_add_item(pseudoheader_tree, hf_pcap_pktdata_pseudoheader_bluetooth_direction, tvb, offset, 4, ENC_BIG_ENDIAN);
333 if (tvb_get_uint32(tvb, offset, ENC_BIG_ENDIAN) == 0)
334 pinfo->p2p_dir = P2P_DIR_SENT;
335 else if (tvb_get_uint32(tvb, offset, ENC_BIG_ENDIAN) == 1)
336 pinfo->p2p_dir = P2P_DIR_RECV;
337 else
338 pinfo->p2p_dir = P2P_DIR_UNKNOWN;
339 offset += 4;
340 phdr = NULL;
341 break;
342
343 case WTAP_ENCAP_ATM_PDUS:
344 /* TODO */
345 case WTAP_ENCAP_IRDA:
346 /* TODO */
347 case WTAP_ENCAP_MTP2_WITH_PHDR:
348 /* TODO no description for pseudoheader at http://www.tcpdump.org/linktypes.html */
349 case WTAP_ENCAP_LINUX_LAPD:
350 /* TODO */
351 case WTAP_ENCAP_SITA:
352 /* TODO */
353 case WTAP_ENCAP_BLUETOOTH_LINUX_MONITOR:
354 /* TODO */
355 case WTAP_ENCAP_NFC_LLCP:
356 /* TODO */
357 case WTAP_ENCAP_PPP_WITH_PHDR:
358 /* TODO */
359 case WTAP_ENCAP_ERF:
360 /* TODO no description for pseudoheader at http://www.tcpdump.org/linktypes.html */
361 case WTAP_ENCAP_I2C_LINUX:
362 /* TODO */
363 default:
364 /*
365 * No. Give up.
366 */
367 packet_item = proto_tree_add_item(tree, hf_pcap_pktdata_undecoded_data, tvb, offset, tvb_reported_length(tvb), ENC_NA);
368 expert_add_info_format(pinfo, packet_item,
369 &ei_pcap_pktdata_cant_generate_phdr,
370 "No pseudo-header can be generated for link-layer header type %u",
371 *link_type);
372 return tvb_captured_length(tvb);
373 }
374 } else {
375 /*
376 * These also require a pseudo-header, but it's not constructed
377 * from packet data.
378 */
379 switch (pinfo->rec->rec_header.packet_header.pkt_encap) {
380
381 case WTAP_ENCAP_ETHERNET:
382 eth.fcs_len = -1; /* Unknown whether we have an FCS */
383 phdr = &eth;
384 break;
385
386 default:
387 phdr = NULL;
388 break;
389 }
390 }
391
392 next_tvb = tvb_new_subset_remaining(tvb, offset);
393
394 offset = dissector_try_uint_with_data(wtap_encap_table, pinfo->rec->rec_header.packet_header.pkt_encap, next_tvb, pinfo, tree, true, phdr);
395
396 return offset;
397 }
398
399 void
400 proto_register_pcap_pktdata(void)
401 {
402 static hf_register_info hf[] = {
403 { &hf_pcap_pktdata_pseudoheader,
404 { "Pseudoheader", "pcap_pktdata.data.pseudoheader",
405 FT_NONE, BASE_NONE, NULL, 0x00,
406 NULL, HFILL }
407 },
408 { &hf_pcap_pktdata_pseudoheader_bluetooth_direction,
409 { "Direction", "pcap_pktdata.pseudoheader.bluetooth.direction",
410 FT_UINT32, BASE_HEX, VALS(pseudoheader_bluetooth_direction_vals), 0x00,
411 NULL, HFILL }
412 },
413 { &hf_pcap_pktdata_undecoded_data,
414 { "Undecoded data", "pcap_pktdata.undecoded_data",
415 FT_NONE, BASE_NONE, NULL, 0x00,
416 NULL, HFILL }
417 },
418 };
419
420 static int *ett[] = {
421 &ett_pcap_pktdata_pseudoheader,
422 };
423
424 static ei_register_info ei[] = {
425 { &ei_pcap_pktdata_linktype_unknown, { "pcap_pktdata.linktype_unknown", PI_UNDECODED, PI_NOTE, "That link-layer header type is not supported", EXPFILL }},
426 { &ei_pcap_pktdata_cant_generate_phdr, { "pcap_pktdata.cant_generate_phdr", PI_UNDECODED, PI_NOTE, "No pseudo-header can be generated for that link-layer header type", EXPFILL }},
427 };
428
429 expert_module_t *expert_pcap_pktdata;
430
431 proto_pcap_pktdata = proto_register_protocol("pcap/pcapng packet data", "pcap_pktdata", "pcap_pktdata");
432 proto_register_field_array(proto_pcap_pktdata, hf, array_length(hf));
433 proto_register_subtree_array(ett, array_length(ett));
434 expert_pcap_pktdata = expert_register_protocol(proto_pcap_pktdata);
435 expert_register_field_array(expert_pcap_pktdata, ei, array_length(ei));
436
437 register_dissector("pcap_pktdata", dissect_pcap_pktdata, proto_pcap_pktdata);
438 }
439
440 void
441 proto_reg_handoff_pcap_pktdata(void)
442 {
443 wtap_encap_table = find_dissector_table("wtap_encap");
444 }
Metzes wireshark repo