epan/dissectors/packet-raw.c

   1 /* packet-raw.c
   2  * Routines for raw packet disassembly
   3  *
   4  * Wireshark - Network traffic analyzer
   5  * By Gerald Combs <gerald@wireshark.org>
   6  *
   7  * This file created and by Mike Hall <mlh@io.com>
   8  * Copyright 1998
   9  *
  10  * SPDX-License-Identifier: GPL-2.0-or-later
  11  */
  12
  13 #include "config.h"
  14
  15 #include <epan/packet.h>
  16 #include <epan/capture_dissectors.h>
  17 #include "packet-ip.h"
  18 #include "packet-ppp.h"
  19
  20 void proto_register_raw(void);
  21 void proto_reg_handoff_raw(void);
  22
  23 static int proto_raw;
  24 static int ett_raw;
  25
  26 static const unsigned char zeroes[10] = {0,0,0,0,0,0,0,0,0,0};
  27
  28 static dissector_handle_t raw_handle;
  29 static dissector_handle_t ip_handle;
  30 static dissector_handle_t ipv6_handle;
  31 static dissector_handle_t ppp_hdlc_handle;
  32
  33 static capture_dissector_handle_t ip_cap_handle;
  34 static capture_dissector_handle_t ipv6_cap_handle;
  35 static capture_dissector_handle_t ppp_hdlc_cap_handle;
  36
  37 static bool
  38 capture_raw(const unsigned char *pd, int offset _U_, int len, capture_packet_info_t *cpinfo, const union wtap_pseudo_header *pseudo_header _U_)
  39 {
  40   /* So far, the only time we get raw connection types are with Linux and
  41    * Irix PPP connections.  We can't tell what type of data is coming down
  42    * the line, so our safest bet is IP. - GCC
  43    */
  44
  45   /* Currently, the Linux 2.1.xxx PPP driver passes back some of the header
  46    * sometimes.  This check should be removed when 2.2 is out.
  47    */
  48   if (BYTES_ARE_IN_FRAME(0,len,2) && pd[0] == 0xff && pd[1] == 0x03) {
  49     return call_capture_dissector(ppp_hdlc_cap_handle, pd, 0, len, cpinfo, pseudo_header);
  50   }
  51   /* The Linux ISDN driver sends a fake MAC address before the PPP header
  52    * on its ippp interfaces... */
  53   else if (BYTES_ARE_IN_FRAME(0,len,8) && pd[6] == 0xff && pd[7] == 0x03) {
  54     return call_capture_dissector(ppp_hdlc_cap_handle, pd, 6, len, cpinfo, pseudo_header);
  55   }
  56   /* ...except when it just puts out one byte before the PPP header... */
  57   else if (BYTES_ARE_IN_FRAME(0,len,3) && pd[1] == 0xff && pd[2] == 0x03) {
  58     return call_capture_dissector(ppp_hdlc_cap_handle, pd, 1, len, cpinfo, pseudo_header);
  59   }
  60   /* ...and if the connection is currently down, it sends 10 bytes of zeroes
  61    * instead of a fake MAC address and PPP header. */
  62   else if (BYTES_ARE_IN_FRAME(0,len,10) && memcmp(pd, zeroes, 10) == 0) {
  63     return call_capture_dissector(ip_cap_handle, pd, 10, len, cpinfo, pseudo_header);
  64   }
  65   else {
  66     /*
  67      * OK, is this IPv4 or IPv6?
  68      */
  69     if (BYTES_ARE_IN_FRAME(0,len,1)) {
  70       switch (pd[0] & 0xF0) {
  71
  72       case 0x40:
  73         /* IPv4 */
  74         return call_capture_dissector(ip_cap_handle, pd, 0, len, cpinfo, pseudo_header);
  75
  76 #if 0
  77       case 0x60:
  78         /* IPv6 */
  79         return call_capture_dissector(ipv6_cap_handle, pd, 0, len, cpinfo, pseudo_header);
  80 #endif
  81       }
  82     }
  83   }
  84
  85   return false;
  86 }
  87
  88 static int
  89 dissect_raw(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
  90 {
  91   tvbuff_t      *next_tvb;
  92
  93   /* load the top pane info. This should be overwritten by
  94      the next protocol in the stack */
  95   col_set_str(pinfo->cinfo, COL_RES_DL_SRC, "N/A");
  96   col_set_str(pinfo->cinfo, COL_RES_DL_DST, "N/A");
  97   col_set_str(pinfo->cinfo, COL_PROTOCOL, "N/A");
  98   col_set_str(pinfo->cinfo, COL_INFO, "Raw packet data");
  99
 100   /* populate a tree in the second pane with the status of the link
 101      layer (ie none) */
 102   proto_tree_add_item(tree, proto_raw, tvb, 0, tvb_captured_length(tvb), ENC_NA);
 103
 104   /* So far, the only time we get raw connection types are with Linux and
 105    * Irix PPP connections.  We can't tell what type of data is coming down
 106    * the line, so our safest bet is IP. - GCC
 107    */
 108
 109   /* Currently, the Linux 2.1.xxx PPP driver passes back some of the header
 110    * sometimes.  This check should be removed when 2.2 is out.
 111    */
 112   if (tvb_get_ntohs(tvb, 0) == 0xff03) {
 113     call_dissector(ppp_hdlc_handle, tvb, pinfo, tree);
 114   }
 115   /* The Linux ISDN driver sends a fake MAC address before the PPP header
 116    * on its ippp interfaces... */
 117   else if (tvb_get_ntohs(tvb, 6) == 0xff03) {
 118     next_tvb = tvb_new_subset_remaining(tvb, 6);
 119     call_dissector(ppp_hdlc_handle, next_tvb, pinfo, tree);
 120   }
 121   /* ...except when it just puts out one byte before the PPP header... */
 122   else if (tvb_get_ntohs(tvb, 1) == 0xff03) {
 123     next_tvb = tvb_new_subset_remaining(tvb, 1);
 124     call_dissector(ppp_hdlc_handle, next_tvb, pinfo, tree);
 125   }
 126   /* ...and if the connection is currently down, it sends 10 bytes of zeroes
 127    * instead of a fake MAC address and PPP header. */
 128   else if (tvb_memeql(tvb, 0, zeroes,10) == 0) {
 129     next_tvb = tvb_new_subset_remaining(tvb, 10);
 130     call_dissector(ip_handle, next_tvb, pinfo, tree);
 131   }
 132   else {
 133     /*
 134      * OK, is this IPv4 or IPv6?
 135      */
 136     switch (tvb_get_uint8(tvb, 0) & 0xF0) {
 137
 138     case 0x40:
 139       /* IPv4 */
 140       call_dissector(ip_handle, tvb, pinfo, tree);
 141       break;
 142
 143     case 0x60:
 144       /* IPv6 */
 145       call_dissector(ipv6_handle, tvb, pinfo, tree);
 146       break;
 147
 148     default:
 149       /* None of the above. */
 150       call_data_dissector(tvb, pinfo, tree);
 151       break;
 152     }
 153   }
 154   return tvb_captured_length(tvb);
 155 }
 156
 157 void
 158 proto_register_raw(void)
 159 {
 160   static int *ett[] = {
 161     &ett_raw,
 162   };
 163
 164   proto_raw = proto_register_protocol("Raw packet data", "Raw", "raw");
 165   proto_register_subtree_array(ett, array_length(ett));
 166
 167   raw_handle = register_dissector("raw_ip", dissect_raw, proto_raw);
 168 }
 169
 170 void
 171 proto_reg_handoff_raw(void)
 172 {
 173   capture_dissector_handle_t raw_cap_handle;
 174
 175   /*
 176    * Get handles for the IP, IPv6, undissected-data, and
 177    * PPP-in-HDLC-like-framing dissectors.
 178    */
 179   ip_handle = find_dissector_add_dependency("ip", proto_raw);
 180   ipv6_handle = find_dissector_add_dependency("ipv6", proto_raw);
 181   ppp_hdlc_handle = find_dissector_add_dependency("ppp_hdlc", proto_raw);
 182   dissector_add_uint("wtap_encap", WTAP_ENCAP_RAW_IP, raw_handle);
 183   raw_cap_handle = create_capture_dissector_handle(capture_raw, proto_raw);
 184   capture_dissector_add_uint("wtap_encap", WTAP_ENCAP_RAW_IP, raw_cap_handle);
 185
 186   ip_cap_handle = find_capture_dissector("ip");
 187   ipv6_cap_handle = find_capture_dissector("ipv6");
 188   ppp_hdlc_cap_handle = find_capture_dissector("ppp_hdlc");
 189 }
 190
 191 /*
 192  * Editor modelines
 193  *
 194  * Local Variables:
 195  * c-basic-offset: 2
 196  * tab-width: 8
 197  * indent-tabs-mode: nil
 198  * End:
 199  *
 200  * ex: set shiftwidth=2 tabstop=8 expandtab:
 201  * :indentSize=2:tabSize=8:noTabs=true:
 202  */