search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
MSWSP: add two more Property Sets
[wireshark-wip.git] / epan / dissectors / packet-symantec.c
blobc463d471abfb5dd05b9e5cd4225b99a569651bae
1 /* packet-symantec.c
2 * Routines for dissection of packets from the Axent Raptor firewall/
3 * Symantec Enterprise Firewall/Symantec Gateway Security appliance
4 * v2/Symantec Gateway Security appliance v3.
5 *
6 * $Id$
7 *
8 * Wireshark - Network traffic analyzer
9 * By Gerald Combs <gerald@wireshark.org>
10 *
11 * This program is free software; you can redistribute it and/or
12 * modify it under the terms of the GNU General Public License
13 * as published by the Free Software Foundation; either version 2
14 * of the License, or (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License
22 * along with this program; if not, write to the Free Software
23 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25
26 #include "config.h"
27
28 #include <glib.h>
29
30 #include <epan/packet.h>
31
32 #include <epan/etypes.h>
33
34 static dissector_table_t ethertype_dissector_table;
35
36 /* protocols and header fields */
37 static int proto_symantec = -1;
38 static int hf_symantec_if = -1;
39 static int hf_symantec_etype = -1;
40
41 static gint ett_symantec = -1;
42
43 static void
44 dissect_symantec(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
45 {
46 proto_item *ti;
47 proto_tree *symantec_tree = NULL;
48 guint16 etypev2, etypev3;
49 tvbuff_t *next_tvb;
50
51 /*
52 * Symantec records come in two variants:
53 *
54 * The older variant, dating from Axent days and continuing until
55 * the SGS v2.0.1 code level, is 44 bytes long.
56 * The first 4 bytes are the IPv4 address of the interface that
57 * captured the data, followed by 2 bytes of 0, then an Ethernet
58 * type, followed by 36 bytes of 0.
59 *
60 * The newer variant, introduced either in SGS v3.0 or v3.0.1
61 * (possibly in concert with VLAN support), is 56 bytes long.
62 * The first 4 bytes are the IPv4 address of the interface that
63 * captured the data, followed by 6 bytes of 0, then an Ethernet
64 * type, followed by 44 bytes of 0.
65 *
66 * Unfortunately, there is no flag to distiguish between the two
67 * flavours. The only indication of which flavour you have is the
68 * offset of the ETHERTYPE field. Fortunately, Symantec didn't
69 * use ETHERTYPE_UNK as a valid value.
70 */
71
72 etypev2 = tvb_get_ntohs(tvb, 6);
73 etypev3 = tvb_get_ntohs(tvb, 10);
74
75 /* a valid packet can't be both v2 and v3 or neither v2 nor v3, */
76 if ((etypev2 == 0) == (etypev3 == 0))
77 return;
78
79 col_set_str(pinfo->cinfo, COL_PROTOCOL, "Symantec");
80
81 if (etypev3 == 0) { /* SEF and SGS v2 processing */
82 col_set_str(pinfo->cinfo, COL_INFO, "Symantec Enterprise Firewall");
83 if (tree) {
84 ti = proto_tree_add_protocol_format(tree, proto_symantec, tvb,
85 0, 44, "Symantec firewall");
86 symantec_tree = proto_item_add_subtree(ti, ett_symantec);
87 }
88 if (tree) {
89 proto_tree_add_item(symantec_tree, hf_symantec_if, tvb,
90 0, 4, ENC_BIG_ENDIAN);
91 proto_tree_add_uint(symantec_tree, hf_symantec_etype, tvb,
92 6, 2, etypev2);
93 }
94 next_tvb = tvb_new_subset_remaining(tvb, 44);
95 dissector_try_uint(ethertype_dissector_table, etypev2, next_tvb, pinfo,
96 tree);
97 }
98
99 if (etypev2 == 0) { /* SGS v3 processing */
100 col_set_str(pinfo->cinfo, COL_INFO, "Symantec SGS v3");
101 if (tree) {
102 ti = proto_tree_add_protocol_format(tree, proto_symantec, tvb,
103 0, 56, "Symantec SGSv3");
104 symantec_tree = proto_item_add_subtree(ti, ett_symantec);
105 }
106 if (tree) {
107 proto_tree_add_item(symantec_tree, hf_symantec_if, tvb,
108 0, 4, ENC_BIG_ENDIAN);
109 proto_tree_add_uint(symantec_tree, hf_symantec_etype, tvb,
110 10, 2, etypev3);
111 }
112 /*
113 * Dissection of VLAN information will have to wait until
114 * availability of a capture file from an SGSv3 box using VLAN
115 * tagging.
116 */
117 next_tvb = tvb_new_subset_remaining(tvb, 56);
118 dissector_try_uint(ethertype_dissector_table, etypev3, next_tvb, pinfo,
119 tree);
120 }
121 }
122
123 void
124 proto_register_symantec(void)
125 {
126 static hf_register_info hf[] = {
127 { &hf_symantec_if,
128 { "Interface", "symantec.if", FT_IPv4, BASE_NONE, NULL, 0x0,
129 NULL, HFILL }},
130 { &hf_symantec_etype,
131 { "Type", "symantec.type", FT_UINT16, BASE_HEX, VALS(etype_vals), 0x0,
132 NULL, HFILL }},
133 };
134 static gint *ett[] = {
135 &ett_symantec,
136 };
137
138 proto_symantec = proto_register_protocol("Symantec Enterprise Firewall",
139 "Symantec", "symantec");
140 proto_register_field_array(proto_symantec, hf, array_length(hf));
141 proto_register_subtree_array(ett, array_length(ett));
142 }
143
144 void
145 proto_reg_handoff_symantec(void)
146 {
147 dissector_handle_t symantec_handle;
148
149 ethertype_dissector_table = find_dissector_table("ethertype");
150
151 symantec_handle = create_dissector_handle(dissect_symantec,
152 proto_symantec);
153 dissector_add_uint("wtap_encap", WTAP_ENCAP_SYMANTEC, symantec_handle);
154 }