/* packet-symantec.c
 * Routines for dissection of packets from the Axent Raptor firewall/
 * Symantec Enterprise Firewall/Symantec Gateway Security appliance
 * v2/Symantec Gateway Security appliance v3.
 *
 * Wireshark - Network traffic analyzer
 * By Gerald Combs <gerald@wireshark.org>
 *
 * SPDX-License-Identifier: GPL-2.0-or-later
 */
12 #include "config.h"
14 #include <epan/packet.h>
15 #include <wiretap/wtap.h>
16 #include <epan/etypes.h>
/* Registration entry points (defined at the bottom of this file). */
void proto_register_symantec(void);
void proto_reg_handoff_symantec(void);

/* Handle returned by register_dissector(); bound to WTAP_ENCAP_SYMANTEC
 * in proto_reg_handoff_symantec(). */
static dissector_handle_t symantec_handle;

/* The "ethertype" table the encapsulated payload is dispatched through. */
static dissector_table_t ethertype_dissector_table;

/* Protocol id, header field ids and subtree id; all are filled in by
 * proto_register_symantec(). */
static int proto_symantec;
static int hf_symantec_if;      /* "symantec.if":   capturing interface (IPv4) */
static int hf_symantec_etype;   /* "symantec.type": Ethernet type of the payload */
static int ett_symantec;
static int
dissect_symantec(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
{
    /*
     * Dissect one Symantec pseudo-header and hand the payload that follows
     * it to the ethertype dissector table.
     *
     * Two record layouts exist, and neither carries a version flag:
     *
     *   SEF / SGS v2 (Axent days through SGS v2.0.1): 44 bytes.
     *   IPv4 address of the capturing interface (4), 2 zero bytes,
     *   Ethernet type (2), 36 zero bytes.
     *
     *   SGS v3 (introduced in v3.0 or v3.0.1, possibly together with
     *   VLAN support): 56 bytes.  IPv4 address (4), 6 zero bytes,
     *   Ethernet type (2), 44 zero bytes.
     *
     * The only way to tell them apart is which ETHERTYPE slot is
     * non-zero; Symantec never used ETHERTYPE_UNK (0) as a real value.
     *
     * Returns 12 when the record matches neither layout (or both), and
     * the captured length of tvb otherwise.  No explicit length test is
     * made here: the tvb accessors bounds-check their own reads and
     * throw on a truncated record (Wireshark tvb contract, not visible
     * in this file).
     */
    static const struct variant {
        int         etype_offset;   /* offset of the Ethernet type field */
        int         header_len;     /* total pseudo-header length */
        const char *info;           /* COL_INFO text */
        const char *item_text;      /* text of the protocol tree item */
    } variants[] = {
        { 6,  44, "Symantec Enterprise Firewall", "Symantec firewall" },
        { 10, 56, "Symantec SGS v3",              "Symantec SGSv3" },
    };
    const uint16_t etype_at_6 = tvb_get_ntohs(tvb, 6);    /* v2 slot */
    const uint16_t etype_at_10 = tvb_get_ntohs(tvb, 10);  /* v3 slot */
    const struct variant *v;
    uint16_t etype;
    proto_item *ti;
    proto_tree *symantec_tree;
    tvbuff_t *next_tvb;

    /* Exactly one slot must be zero; both or neither is not a valid record. */
    if ((etype_at_6 == 0) == (etype_at_10 == 0))
        return 12;

    if (etype_at_10 == 0) {
        v = &variants[0];       /* SEF and SGS v2 */
        etype = etype_at_6;
    } else {
        v = &variants[1];       /* SGS v3 */
        etype = etype_at_10;
    }

    col_set_str(pinfo->cinfo, COL_PROTOCOL, "Symantec");
    col_set_str(pinfo->cinfo, COL_INFO, v->info);

    ti = proto_tree_add_protocol_format(tree, proto_symantec, tvb,
                                        0, v->header_len, "%s", v->item_text);
    symantec_tree = proto_item_add_subtree(ti, ett_symantec);
    proto_tree_add_item(symantec_tree, hf_symantec_if, tvb,
                        0, 4, ENC_BIG_ENDIAN);
    proto_tree_add_uint(symantec_tree, hf_symantec_etype, tvb,
                        v->etype_offset, 2, etype);

    /*
     * VLAN information in v3 records is not dissected yet: no capture
     * from an SGSv3 box using VLAN tagging has been available to work from.
     */
    next_tvb = tvb_new_subset_remaining(tvb, v->header_len);
    dissector_try_uint(ethertype_dissector_table, etype, next_tvb, pinfo,
                       tree);

    return tvb_captured_length(tvb);
}
void
proto_register_symantec(void)
{
    /*
     * Register the protocol, its two header fields and its subtree, and
     * the "symantec" dissector handle that the handoff routine attaches
     * to the wtap encapsulation.
     */
    static hf_register_info fields[] = {
        { &hf_symantec_if,
          { "Interface", "symantec.if", FT_IPv4, BASE_NONE, NULL, 0x0,
            NULL, HFILL }},
        { &hf_symantec_etype,
          { "Type", "symantec.type", FT_UINT16, BASE_HEX, VALS(etype_vals), 0x0,
            NULL, HFILL }},
    };
    static int *subtrees[] = {
        &ett_symantec,
    };

    proto_symantec = proto_register_protocol("Symantec Enterprise Firewall",
                                             "Symantec", "symantec");

    /* Fields and subtrees need only proto_symantec, so register them
     * before the dissector handle. */
    proto_register_field_array(proto_symantec, fields, array_length(fields));
    proto_register_subtree_array(subtrees, array_length(subtrees));

    symantec_handle = register_dissector("symantec", dissect_symantec,
                                         proto_symantec);
}
void
proto_reg_handoff_symantec(void)
{
    /*
     * Bind the dissector to the WTAP_ENCAP_SYMANTEC link type and look up
     * the "ethertype" table used to dispatch the encapsulated payload.
     * The two steps are independent of each other.
     */
    dissector_add_uint("wtap_encap", WTAP_ENCAP_SYMANTEC, symantec_handle);
    ethertype_dissector_table = find_dissector_table("ethertype");
}
/*
 * Editor modelines - https://www.wireshark.org/tools/modelines.html
 *
 * Local variables:
 * c-basic-offset: 4
 * tab-width: 8
 * indent-tabs-mode: nil
 * End:
 *
 * vi: set shiftwidth=4 tabstop=8 expandtab:
 * :indentSize=4:tabSize=8:noTabs=true:
 */