epan/dissectors/packet-sll.c

   1 /* packet-sll.c
   2  * Routines for disassembly of packets from Linux "cooked mode" captures
   3  *
   4  * $Id$
   5  *
   6  * Wireshark - Network traffic analyzer
   7  * By Gerald Combs <gerald@wireshark.org>
   8  * Copyright 1998 Gerald Combs
   9  *
  10  * This program is free software; you can redistribute it and/or
  11  * modify it under the terms of the GNU General Public License
  12  * as published by the Free Software Foundation; either version 2
  13  * of the License, or (at your option) any later version.
  14  *
  15  * This program is distributed in the hope that it will be useful,
  16  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  17  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  18  * GNU General Public License for more details.
  19  *
  20  * You should have received a copy of the GNU General Public License
  21  * along with this program; if not, write to the Free Software
  22  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  23  */
  24
  25 #define NEW_PROTO_TREE_API
  26
  27 #include "config.h"
  28
  29 #include <glib.h>
  30 #include <epan/arptypes.h>
  31 #include <epan/prefs.h>
  32 #include <epan/packet.h>
  33 #include <wsutil/pint.h>
  34 #include "packet-sll.h"
  35 #include "packet-ipx.h"
  36 #include "packet-llc.h"
  37 #include "packet-eth.h"
  38 #include "packet-ppp.h"
  39 #include "packet-gre.h"
  40 #include <epan/addr_resolv.h>
  41 #include <epan/etypes.h>
  42
  43 /*
  44  * A DLT_LINUX_SLL fake link-layer header.
  45  */
  46 #define SLL_HEADER_SIZE 16              /* total header length */
  47 #define SLL_ADDRLEN     8               /* length of address field */
  48
  49 /*
  50  * The LINUX_SLL_ values for "sll_pkttype".
  51  */
  52 #define LINUX_SLL_HOST          0
  53 #define LINUX_SLL_BROADCAST     1
  54 #define LINUX_SLL_MULTICAST     2
  55 #define LINUX_SLL_OTHERHOST     3
  56 #define LINUX_SLL_OUTGOING      4
  57
  58 static const value_string packet_type_vals[] = {
  59         { LINUX_SLL_HOST,       "Unicast to us" },
  60         { LINUX_SLL_BROADCAST,  "Broadcast" },
  61         { LINUX_SLL_MULTICAST,  "Multicast" },
  62         { LINUX_SLL_OTHERHOST,  "Unicast to another host" },
  63         { LINUX_SLL_OUTGOING,   "Sent by us" },
  64         { 0,                    NULL }
  65 };
  66
  67 static const value_string ltype_vals[] = {
  68         { LINUX_SLL_P_802_3,    "Raw 802.3" },
  69         { LINUX_SLL_P_ETHERNET, "Ethernet" },
  70         { LINUX_SLL_P_802_2,    "802.2 LLC" },
  71         { LINUX_SLL_P_PPPHDLC,  "PPP (HDLC)" },
  72         { LINUX_SLL_P_CAN,      "CAN" },
  73         { LINUX_SLL_P_IRDA_LAP, "IrDA LAP" },
  74         { LINUX_SLL_P_IEEE802154,       "IEEE 802.15.4" },
  75         { 0,                    NULL }
  76 };
  77
  78
  79 static dissector_handle_t sll_handle;
  80
  81 static header_field_info *hfi_sll = NULL;
  82
  83 #define SLL_HFI_INIT HFI_INIT(proto_sll)
  84
  85 static header_field_info hfi_sll_pkttype SLL_HFI_INIT =
  86         { "Packet type",        "sll.pkttype", FT_UINT16, BASE_DEC,
  87           VALS(packet_type_vals), 0x0, NULL, HFILL };
  88
  89 /* ARP hardware type?  With Linux extensions? */
  90 static header_field_info hfi_sll_hatype SLL_HFI_INIT =
  91         { "Link-layer address type",    "sll.hatype", FT_UINT16, BASE_DEC,
  92           NULL, 0x0, NULL, HFILL };
  93
  94 static header_field_info hfi_sll_halen SLL_HFI_INIT =
  95         { "Link-layer address length",  "sll.halen", FT_UINT16, BASE_DEC,
  96           NULL, 0x0, NULL, HFILL };
  97
  98 /* Source address if it's an Ethernet-type address */
  99 static header_field_info hfi_sll_src_eth SLL_HFI_INIT =
 100         { "Source",     "sll.src.eth", FT_ETHER, BASE_NONE,
 101           NULL, 0x0, "Source link-layer address", HFILL };
 102
 103 /* Source address if it's an IPv4 address */
 104 static header_field_info hfi_sll_src_ipv4 SLL_HFI_INIT =
 105         { "Source",     "sll.src.ipv4", FT_IPv4, BASE_NONE,
 106           NULL, 0x0, "Source link-layer address", HFILL };
 107
 108 /* Source address if it's not an Ethernet-type address */
 109 static header_field_info hfi_sll_src_other SLL_HFI_INIT =
 110         { "Source",     "sll.src.other", FT_BYTES, BASE_NONE,
 111           NULL, 0x0, "Source link-layer address", HFILL };
 112
 113 /* if the protocol field is an internal Linux protocol type */
 114 static header_field_info hfi_sll_ltype SLL_HFI_INIT =
 115         { "Protocol",   "sll.ltype", FT_UINT16, BASE_HEX,
 116           VALS(ltype_vals), 0x0, "Linux protocol type", HFILL };
 117
 118 /* if the protocol field is a GRE protocol type */
 119 static header_field_info hfi_sll_gretype SLL_HFI_INIT =
 120         { "Protocol",   "sll.gretype", FT_UINT16, BASE_HEX,
 121           VALS(gre_typevals), 0x0, "GRE protocol type", HFILL };
 122
 123 /* registered here but handled in ethertype.c */
 124 static header_field_info hfi_sll_etype SLL_HFI_INIT =
 125         { "Protocol",   "sll.etype", FT_UINT16, BASE_HEX,
 126           VALS(etype_vals), 0x0, "Ethernet protocol type", HFILL };
 127
 128 static header_field_info hfi_sll_trailer SLL_HFI_INIT =
 129         { "Trailer", "sll.trailer", FT_BYTES, BASE_NONE,
 130           NULL, 0x0, NULL, HFILL };
 131
 132
 133 static gint ett_sll = -1;
 134
 135 static dissector_table_t sll_linux_dissector_table;
 136 static dissector_table_t gre_dissector_table;
 137 static dissector_handle_t data_handle;
 138
 139 void
 140 capture_sll(const guchar *pd, int len, packet_counts *ld)
 141 {
 142         guint16 protocol;
 143
 144         if (!BYTES_ARE_IN_FRAME(0, len, SLL_HEADER_SIZE)) {
 145                 ld->other++;
 146                 return;
 147         }
 148         protocol = pntohs(&pd[14]);
 149         if (protocol <= 1536) { /* yes, 1536 - that's how Linux does it */
 150                 /*
 151                  * "proto" is *not* a length field, it's a Linux internal
 152                  * protocol type.
 153                  */
 154                 switch (protocol) {
 155
 156                 case LINUX_SLL_P_802_2:
 157                         /*
 158                          * 802.2 LLC.
 159                          */
 160                         capture_llc(pd, len, SLL_HEADER_SIZE, ld);
 161                         break;
 162
 163                 case LINUX_SLL_P_ETHERNET:
 164                         /*
 165                          * Ethernet.
 166                          */
 167                         capture_eth(pd, SLL_HEADER_SIZE, len, ld);
 168                         break;
 169
 170                 case LINUX_SLL_P_802_3:
 171                         /*
 172                          * Novell IPX inside 802.3 with no 802.2 LLC
 173                          * header.
 174                          */
 175                         capture_ipx(ld);
 176                         break;
 177
 178                 case LINUX_SLL_P_PPPHDLC:
 179                         /*
 180                          * PPP HDLC.
 181                          */
 182                         capture_ppp_hdlc(pd, len, SLL_HEADER_SIZE, ld);
 183                         break;
 184
 185                 default:
 186                         ld->other++;
 187                         break;
 188                 }
 189         } else
 190                 capture_ethertype(protocol, pd, SLL_HEADER_SIZE, len, ld);
 191 }
 192
 193 static void
 194 dissect_sll(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
 195 {
 196         guint16 pkttype;
 197         guint16 protocol;
 198         guint16 hatype, halen;
 199         const guint8 *src;
 200         proto_item *ti;
 201         tvbuff_t *next_tvb;
 202         proto_tree *fh_tree = NULL;
 203
 204         col_set_str(pinfo->cinfo, COL_PROTOCOL, "SLL");
 205         col_clear(pinfo->cinfo, COL_INFO);
 206
 207         pkttype = tvb_get_ntohs(tvb, 0);
 208
 209         /*
 210          * Set "pinfo->p2p_dir" if the packet wasn't received
 211          * promiscuously.
 212          */
 213         switch (pkttype) {
 214
 215         case LINUX_SLL_HOST:
 216         case LINUX_SLL_BROADCAST:
 217         case LINUX_SLL_MULTICAST:
 218                 pinfo->p2p_dir = P2P_DIR_RECV;
 219                 break;
 220
 221         case LINUX_SLL_OUTGOING:
 222                 pinfo->p2p_dir = P2P_DIR_SENT;
 223                 break;
 224         }
 225
 226         col_add_str(pinfo->cinfo, COL_INFO,
 227                     val_to_str(pkttype, packet_type_vals, "Unknown (%u)"));
 228
 229         if (tree) {
 230                 ti = proto_tree_add_protocol_format(tree, hfi_sll->id, tvb, 0,
 231                     SLL_HEADER_SIZE, "Linux cooked capture");
 232                 fh_tree = proto_item_add_subtree(ti, ett_sll);
 233                 proto_tree_add_item(fh_tree, &hfi_sll_pkttype, tvb, 0, 2, ENC_BIG_ENDIAN);
 234         }
 235
 236         /*
 237          * XXX - check the link-layer address type value?
 238          * For now, we just assume 6 means Ethernet.
 239          */
 240         hatype = tvb_get_ntohs(tvb, 2);
 241         halen = tvb_get_ntohs(tvb, 4);
 242         if (tree) {
 243                 proto_tree_add_uint(fh_tree, &hfi_sll_hatype, tvb, 2, 2, hatype);
 244                 proto_tree_add_uint(fh_tree, &hfi_sll_halen, tvb, 4, 2, halen);
 245         }
 246         switch (halen) {
 247         case 4:
 248                 src = tvb_get_ptr(tvb, 6, 4);
 249                 SET_ADDRESS(&pinfo->dl_src, AT_IPv4, 4, src);
 250                 SET_ADDRESS(&pinfo->src, AT_IPv4, 4, src);
 251                 if (tree) {
 252                         proto_tree_add_item(fh_tree, &hfi_sll_src_ipv4, tvb,
 253                             6, 4, ENC_BIG_ENDIAN);
 254                 }
 255                 break;
 256         case 6:
 257                 src = tvb_get_ptr(tvb, 6, 6);
 258                 SET_ADDRESS(&pinfo->dl_src, AT_ETHER, 6, src);
 259                 SET_ADDRESS(&pinfo->src, AT_ETHER, 6, src);
 260                 if (tree) {
 261                         proto_tree_add_ether(fh_tree, hfi_sll_src_eth.id, tvb,
 262                             6, 6, src);
 263                 }
 264                 break;
 265         case 0:
 266                 break;
 267         default:
 268                 if (tree) {
 269                         proto_tree_add_item(fh_tree, &hfi_sll_src_other, tvb,
 270                             6, halen > 8 ? 8 : halen, ENC_NA);
 271                 }
 272                 break;
 273         }
 274
 275         protocol = tvb_get_ntohs(tvb, 14);
 276         next_tvb = tvb_new_subset_remaining(tvb, SLL_HEADER_SIZE);
 277         if (protocol <= 1536) { /* yes, 1536 - that's how Linux does it */
 278                 /*
 279                  * "proto" is *not* a length field, it's a Linux internal
 280                  * protocol type.
 281                  * We therefore cannot say how much of the packet will
 282                  * be trailer data.
 283                  * XXX - do the same thing we do for packets with Ethertypes?
 284                  */
 285                 proto_tree_add_uint(fh_tree, &hfi_sll_ltype, tvb, 14, 2,
 286                     protocol);
 287
 288                 if(!dissector_try_uint(sll_linux_dissector_table, protocol,
 289                         next_tvb, pinfo, tree)) {
 290                         call_dissector(data_handle, next_tvb, pinfo, tree);
 291                 }
 292         } else {
 293                 switch (hatype) {
 294                 case ARPHRD_IPGRE:
 295                         proto_tree_add_uint(fh_tree, &hfi_sll_gretype, tvb, 14, 2,
 296                             protocol);
 297                         dissector_try_uint(gre_dissector_table,
 298                                            protocol, next_tvb, pinfo, tree);
 299                         break;
 300                 default:
 301                         ethertype(protocol, tvb, SLL_HEADER_SIZE, pinfo, tree,
 302                                   fh_tree, hfi_sll_etype.id, hfi_sll_trailer.id, 0);
 303                         break;
 304                 }
 305         }
 306 }
 307
 308 void
 309 proto_register_sll(void)
 310 {
 311 #ifndef HAVE_HFI_SECTION_INIT
 312         static header_field_info *hfi[] = {
 313                 &hfi_sll_pkttype,
 314                 /* ARP hardware type?  With Linux extensions? */
 315                 &hfi_sll_hatype,
 316                 &hfi_sll_halen,
 317                 &hfi_sll_src_eth,
 318                 &hfi_sll_src_ipv4,
 319                 &hfi_sll_src_other,
 320                 &hfi_sll_ltype,
 321                 &hfi_sll_gretype,
 322                 /* registered here but handled in ethertype.c */
 323                 &hfi_sll_etype,
 324                 &hfi_sll_trailer,
 325         };
 326 #endif
 327
 328         static gint *ett[] = {
 329                 &ett_sll
 330         };
 331
 332         int proto_sll;
 333
 334         proto_sll = proto_register_protocol("Linux cooked-mode capture",
 335             "SLL", "sll" );
 336         hfi_sll = proto_registrar_get_nth(proto_sll);
 337
 338         proto_register_fields(proto_sll, hfi, array_length(hfi));
 339         proto_register_subtree_array(ett, array_length(ett));
 340
 341         sll_handle = create_dissector_handle(dissect_sll, proto_sll);
 342
 343         sll_linux_dissector_table = register_dissector_table (
 344                 "sll.ltype",
 345                 "Linux SLL protocol type",
 346                 FT_UINT16,
 347                 BASE_HEX
 348         );
 349 }
 350
 351 void
 352 proto_reg_handoff_sll(void)
 353 {
 354         /*
 355          * Get handles for the IPX and LLC dissectors.
 356          */
 357         gre_dissector_table = find_dissector_table("gre.proto");
 358         data_handle = find_dissector("data");
 359
 360         dissector_add_uint("wtap_encap", WTAP_ENCAP_SLL, sll_handle);
 361 }