search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
HACK: pinfo->private_data points to smb_info again
[wireshark-wip.git] / epan / dissectors / packet-eth.c
blob8a6fb6bc3f9e8ad5de151f65efd74f1303857fed
1 /* packet-eth.c
2 * Routines for ethernet packet disassembly
3 *
4 * $Id$
5 *
6 * Wireshark - Network traffic analyzer
7 * By Gerald Combs <gerald@wireshark.org>
8 * Copyright 1998 Gerald Combs
9 *
10 * This program is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU General Public License
12 * as published by the Free Software Foundation; either version 2
13 * of the License, or (at your option) any later version.
14 *
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
19 *
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
23 */
24
25 #include "config.h"
26
27 #include <glib.h>
28
29 #include <epan/packet.h>
30 #include <epan/exceptions.h>
31 #include <epan/prefs.h>
32 #include <epan/etypes.h>
33 #include <epan/addr_resolv.h>
34 #include <epan/expert.h>
35 #include <wsutil/pint.h>
36 #include "packet-eth.h"
37 #include "packet-ieee8023.h"
38 #include "packet-ipx.h"
39 #include "packet-isl.h"
40 #include "packet-llc.h"
41 #include "packet-sll.h"
42 #include "packet-usb.h"
43 #include <epan/crc32-tvb.h>
44 #include <epan/tap.h>
45
46 void proto_register_eth(void);
47 void proto_reg_handoff_eth(void);
48
49 /* Assume all packets have an FCS */
50 static gboolean eth_assume_padding = TRUE;
51 static guint eth_trailer_length = 0;
52 static gboolean eth_assume_fcs = FALSE;
53 static gboolean eth_check_fcs = TRUE;
54 /* Interpret packets as FW1 monitor file packets if they look as if they are */
55 static gboolean eth_interpret_as_fw1_monitor = FALSE;
56 /* Preference settings defining conditions for which the CCSDS dissector is called */
57 static gboolean ccsds_heuristic_length = FALSE;
58 static gboolean ccsds_heuristic_version = FALSE;
59 static gboolean ccsds_heuristic_header = FALSE;
60 static gboolean ccsds_heuristic_bit = FALSE;
61
62 /* protocols and header fields */
63 static int proto_eth = -1;
64 static int hf_eth_dst = -1;
65 static int hf_eth_dst_resolved = -1;
66 static int hf_eth_src = -1;
67 static int hf_eth_src_resolved = -1;
68 static int hf_eth_len = -1;
69 static int hf_eth_type = -1;
70 static int hf_eth_invalid_lentype = -1;
71 static int hf_eth_addr = -1;
72 static int hf_eth_addr_resolved = -1;
73 static int hf_eth_lg = -1;
74 static int hf_eth_ig = -1;
75 static int hf_eth_padding = -1;
76 static int hf_eth_trailer = -1;
77 static int hf_eth_fcs = -1;
78 static int hf_eth_fcs_good = -1;
79 static int hf_eth_fcs_bad = -1;
80
81 static gint ett_ieee8023 = -1;
82 static gint ett_ether2 = -1;
83 static gint ett_ether = -1;
84 static gint ett_addr = -1;
85 static gint ett_eth_fcs = -1;
86
87 static expert_field ei_eth_invalid_lentype = EI_INIT;
88 static expert_field ei_eth_src_not_group = EI_INIT;
89 static expert_field ei_eth_fcs_bad = EI_INIT;
90 static expert_field ei_eth_len = EI_INIT;
91
92 static dissector_handle_t fw1_handle;
93 static dissector_handle_t data_handle;
94 static heur_dissector_list_t heur_subdissector_list;
95 static heur_dissector_list_t eth_trailer_subdissector_list;
96
97 static int eth_tap = -1;
98
99 #define ETH_HEADER_SIZE 14
100
101 static const true_false_string ig_tfs = {
102 "Group address (multicast/broadcast)",
103 "Individual address (unicast)"
104 };
105 static const true_false_string lg_tfs = {
106 "Locally administered address (this is NOT the factory default)",
107 "Globally unique address (factory default)"
108 };
109
110 /* These are the Netware-ish names for the different Ethernet frame types.
111 EthernetII: The ethernet with a Type field instead of a length field
112 Ethernet802.2: An 802.3 header followed by an 802.2 header
113 Ethernet802.3: A raw 802.3 packet. IPX/SPX can be the only payload.
114 There's no 802.2 hdr in this.
115 EthernetSNAP: Basically 802.2, just with 802.2SNAP. For our purposes,
116 there's no difference between 802.2 and 802.2SNAP, since we just
117 pass it down to the LLC dissector. -- Gilbert
118 */
119 #define ETHERNET_II 0
120 #define ETHERNET_802_2 1
121 #define ETHERNET_802_3 2
122 #define ETHERNET_SNAP 3
123
124 void
125 capture_eth(const guchar *pd, int offset, int len, packet_counts *ld)
126 {
127 guint16 etype, length;
128 int ethhdr_type; /* the type of ethernet frame */
129
130 if (!BYTES_ARE_IN_FRAME(offset, len, ETH_HEADER_SIZE)) {
131 ld->other++;
132 return;
133 }
134
135 etype = pntohs(&pd[offset+12]);
136
137 if (etype <= IEEE_802_3_MAX_LEN) {
138 /* Oh, yuck. Cisco ISL frames require special interpretation of the
139 destination address field; fortunately, they can be recognized by
140 checking the first 5 octets of the destination address, which are
141 01-00-0C-00-00 or 0C-00-0C-00-00 for ISL frames. */
142 if ((pd[offset] == 0x01 || pd[offset] == 0x0C) && pd[offset+1] == 0x00
143 && pd[offset+2] == 0x0C && pd[offset+3] == 0x00
144 && pd[offset+4] == 0x00) {
145 capture_isl(pd, offset, len, ld);
146 return;
147 }
148 }
149
150 /*
151 * If the type/length field is <= the maximum 802.3 length,
152 * and is not zero, this is an 802.3 frame, and it's a length
153 * field; it might be an Novell "raw 802.3" frame, with no
154 * 802.2 LLC header, or it might be a frame with an 802.2 LLC
155 * header.
156 *
157 * If the type/length field is >= the minimum Ethernet II length,
158 * this is an Ethernet II frame, and it's a type field.
159 *
160 * If the type/length field is > maximum 802.3 length and < minimum
161 * Ethernet II length, then this is an invalid packet.
162 *
163 * If the type/length field is zero (ETHERTYPE_UNK), this is
164 * a frame used internally by the Cisco MDS switch to contain
165 * Fibre Channel ("Vegas"). We treat that as an Ethernet II
166 * frame; the dissector for those frames registers itself with
167 * an ethernet type of ETHERTYPE_UNK.
168 */
169 if (etype > IEEE_802_3_MAX_LEN && etype < ETHERNET_II_MIN_LEN) {
170 ld->other++;
171 return;
172 }
173
174 if (etype <= IEEE_802_3_MAX_LEN && etype != ETHERTYPE_UNK) {
175 length = etype;
176
177 /* Is there an 802.2 layer? I can tell by looking at the first 2
178 bytes after the 802.3 header. If they are 0xffff, then what
179 follows the 802.3 header is an IPX payload, meaning no 802.2.
180 (IPX/SPX is they only thing that can be contained inside a
181 straight 802.3 packet). A non-0xffff value means that there's an
182 802.2 layer inside the 802.3 layer */
183 if (pd[offset+14] == 0xff && pd[offset+15] == 0xff) {
184 ethhdr_type = ETHERNET_802_3;
185 }
186 else {
187 ethhdr_type = ETHERNET_802_2;
188 }
189
190 /* Convert the LLC length from the 802.3 header to a total
191 frame length, by adding in the size of any data that preceded
192 the Ethernet header, and adding in the Ethernet header size,
193 and set the payload and captured-payload lengths to the minima
194 of the total length and the frame lengths. */
195 length += offset + ETH_HEADER_SIZE;
196 if (len > length)
197 len = length;
198 } else {
199 ethhdr_type = ETHERNET_II;
200 }
201 offset += ETH_HEADER_SIZE;
202
203 switch (ethhdr_type) {
204 case ETHERNET_802_3:
205 capture_ipx(ld);
206 break;
207 case ETHERNET_802_2:
208 capture_llc(pd, offset, len, ld);
209 break;
210 case ETHERNET_II:
211 capture_ethertype(etype, pd, offset, len, ld);
212 break;
213 }
214 }
215
216 static gboolean check_is_802_2(tvbuff_t *tvb, int fcs_len);
217
218 static proto_tree *
219 dissect_eth_common(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree,
220 int fcs_len)
221 {
222 proto_item *ti = NULL;
223 eth_hdr *ehdr;
224 gboolean is_802_2;
225 proto_tree *fh_tree = NULL;
226 const guint8 *src_addr, *dst_addr;
227 static eth_hdr ehdrs[4];
228 static int ehdr_num=0;
229 proto_tree *tree;
230 proto_item *addr_item;
231 proto_tree *addr_tree=NULL;
232
233 ehdr_num++;
234 if(ehdr_num>=4){
235 ehdr_num=0;
236 }
237 ehdr=&ehdrs[ehdr_num];
238
239 tree=parent_tree;
240
241 col_set_str(pinfo->cinfo, COL_PROTOCOL, "Ethernet");
242
243 src_addr=tvb_get_ptr(tvb, 6, 6);
244 SET_ADDRESS(&pinfo->dl_src, AT_ETHER, 6, src_addr);
245 SET_ADDRESS(&pinfo->src, AT_ETHER, 6, src_addr);
246 SET_ADDRESS(&ehdr->src, AT_ETHER, 6, src_addr);
247 dst_addr=tvb_get_ptr(tvb, 0, 6);
248 SET_ADDRESS(&pinfo->dl_dst, AT_ETHER, 6, dst_addr);
249 SET_ADDRESS(&pinfo->dst, AT_ETHER, 6, dst_addr);
250 SET_ADDRESS(&ehdr->dst, AT_ETHER, 6, dst_addr);
251
252 ehdr->type = tvb_get_ntohs(tvb, 12);
253
254 tap_queue_packet(eth_tap, pinfo, ehdr);
255
256 /*
257 * In case the packet is a non-Ethernet packet inside
258 * Ethernet framing, allow heuristic dissectors to take
259 * a first look before we assume that it's actually an
260 * Ethernet packet.
261 */
262 if (dissector_try_heuristic(heur_subdissector_list, tvb, pinfo, parent_tree, NULL))
263 return fh_tree;
264
265 if (ehdr->type <= IEEE_802_3_MAX_LEN) {
266 /* Oh, yuck. Cisco ISL frames require special interpretation of the
267 destination address field; fortunately, they can be recognized by
268 checking the first 5 octets of the destination address, which are
269 01-00-0C-00-00 for ISL frames. */
270 if ((tvb_get_guint8(tvb, 0) == 0x01 ||
271 tvb_get_guint8(tvb, 0) == 0x0C) &&
272 tvb_get_guint8(tvb, 1) == 0x00 &&
273 tvb_get_guint8(tvb, 2) == 0x0C &&
274 tvb_get_guint8(tvb, 3) == 0x00 &&
275 tvb_get_guint8(tvb, 4) == 0x00) {
276 dissect_isl(tvb, pinfo, parent_tree, fcs_len);
277 return fh_tree;
278 }
279 }
280
281 /*
282 * If the type/length field is <= the maximum 802.3 length,
283 * and is not zero, this is an 802.3 frame, and it's a length
284 * field; it might be an Novell "raw 802.3" frame, with no
285 * 802.2 LLC header, or it might be a frame with an 802.2 LLC
286 * header.
287 *
288 * If the type/length field is >= the minimum Ethernet II length,
289 * this is an Ethernet II frame, and it's a type field.
290 *
291 * If the type/length field is > maximum 802.3 length and < minimum
292 * Ethernet II length, then this is an invalid packet.
293 *
294 * If the type/length field is zero (ETHERTYPE_UNK), this is
295 * a frame used internally by the Cisco MDS switch to contain
296 * Fibre Channel ("Vegas"). We treat that as an Ethernet II
297 * frame; the dissector for those frames registers itself with
298 * an ethernet type of ETHERTYPE_UNK.
299 */
300 if (ehdr->type > IEEE_802_3_MAX_LEN && ehdr->type < ETHERNET_II_MIN_LEN) {
301 tvbuff_t *next_tvb;
302
303 col_add_fstr(pinfo->cinfo, COL_INFO,
304 "Ethernet Unknown: Invalid length/type: 0x%04x (%d)",
305 ehdr->type, ehdr->type);
306 ti = proto_tree_add_protocol_format(tree, proto_eth, tvb, 0, ETH_HEADER_SIZE,
307 "Ethernet Unknown, Src: %s (%s), Dst: %s (%s)",
308 get_ether_name(src_addr), ether_to_str(src_addr),
309 get_ether_name(dst_addr), ether_to_str(dst_addr));
310 fh_tree = proto_item_add_subtree(ti, ett_ether);
311 addr_item = proto_tree_add_ether(fh_tree, hf_eth_dst, tvb, 0, 6, dst_addr);
312 if (addr_item)
313 addr_tree = proto_item_add_subtree(addr_item, ett_addr);
314 addr_item=proto_tree_add_string(addr_tree, hf_eth_dst_resolved, tvb, 0, 6,
315 get_ether_name(dst_addr));
316 PROTO_ITEM_SET_GENERATED(addr_item);
317 PROTO_ITEM_SET_HIDDEN(addr_item);
318 proto_tree_add_ether(addr_tree, hf_eth_addr, tvb, 0, 6, dst_addr);
319 addr_item=proto_tree_add_string(addr_tree, hf_eth_addr_resolved, tvb, 0, 6,
320 get_ether_name(dst_addr));
321 PROTO_ITEM_SET_GENERATED(addr_item);
322 PROTO_ITEM_SET_HIDDEN(addr_item);
323 proto_tree_add_item(addr_tree, hf_eth_lg, tvb, 0, 3, ENC_BIG_ENDIAN);
324 proto_tree_add_item(addr_tree, hf_eth_ig, tvb, 0, 3, ENC_BIG_ENDIAN);
325
326 addr_item = proto_tree_add_ether(fh_tree, hf_eth_src, tvb, 6, 6, src_addr);
327 if (addr_item)
328 addr_tree = proto_item_add_subtree(addr_item, ett_addr);
329 addr_item=proto_tree_add_string(addr_tree, hf_eth_src_resolved, tvb, 6, 6,
330 get_ether_name(src_addr));
331 PROTO_ITEM_SET_GENERATED(addr_item);
332 PROTO_ITEM_SET_HIDDEN(addr_item);
333 proto_tree_add_ether(addr_tree, hf_eth_addr, tvb, 6, 6, src_addr);
334 addr_item=proto_tree_add_string(addr_tree, hf_eth_addr_resolved, tvb, 6, 6,
335 get_ether_name(src_addr));
336 PROTO_ITEM_SET_GENERATED(addr_item);
337 PROTO_ITEM_SET_HIDDEN(addr_item);
338 proto_tree_add_item(addr_tree, hf_eth_lg, tvb, 6, 3, ENC_BIG_ENDIAN);
339 proto_tree_add_item(addr_tree, hf_eth_ig, tvb, 6, 3, ENC_BIG_ENDIAN);
340
341 ti = proto_tree_add_item(fh_tree, hf_eth_invalid_lentype, tvb, 12, 2, ENC_BIG_ENDIAN);
342 expert_add_info_format(pinfo, ti, &ei_eth_invalid_lentype,
343 "Invalid length/type: 0x%04x (%d)", ehdr->type, ehdr->type);
344 next_tvb = tvb_new_subset_remaining(tvb, 14);
345 call_dissector(data_handle, next_tvb, pinfo, parent_tree);
346 return fh_tree;
347 }
348
349 if (ehdr->type <= IEEE_802_3_MAX_LEN && ehdr->type != ETHERTYPE_UNK) {
350
351 is_802_2 = check_is_802_2(tvb, fcs_len);
352
353 col_add_fstr(pinfo->cinfo, COL_INFO, "IEEE 802.3 Ethernet %s",
354 (is_802_2 ? "" : "Raw "));
355 if (tree) {
356 ti = proto_tree_add_protocol_format(tree, proto_eth, tvb, 0, ETH_HEADER_SIZE,
357 "IEEE 802.3 Ethernet %s", (is_802_2 ? "" : "Raw "));
358
359 fh_tree = proto_item_add_subtree(ti, ett_ieee8023);
360 }
361
362 /* if IP is not referenced from any filters we dont need to worry about
363 generating any tree items. We must do this after we created the actual
364 protocol above so that proto hier stat still works though.
365 */
366 if(!proto_field_is_referenced(parent_tree, proto_eth)){
367 tree=NULL;
368 fh_tree=NULL;
369 }
370
371 addr_item=proto_tree_add_ether(fh_tree, hf_eth_dst, tvb, 0, 6, dst_addr);
372 if(addr_item){
373 addr_tree = proto_item_add_subtree(addr_item, ett_addr);
374 }
375 addr_item=proto_tree_add_string(addr_tree, hf_eth_dst_resolved, tvb, 0, 6,
376 get_ether_name(dst_addr));
377 PROTO_ITEM_SET_GENERATED(addr_item);
378 PROTO_ITEM_SET_HIDDEN(addr_item);
379 proto_tree_add_ether(addr_tree, hf_eth_addr, tvb, 0, 6, dst_addr);
380 addr_item=proto_tree_add_string(addr_tree, hf_eth_addr_resolved, tvb, 0, 6,
381 get_ether_name(dst_addr));
382 PROTO_ITEM_SET_GENERATED(addr_item);
383 PROTO_ITEM_SET_HIDDEN(addr_item);
384 proto_tree_add_item(addr_tree, hf_eth_lg, tvb, 0, 3, ENC_BIG_ENDIAN);
385 proto_tree_add_item(addr_tree, hf_eth_ig, tvb, 0, 3, ENC_BIG_ENDIAN);
386
387 addr_item=proto_tree_add_ether(fh_tree, hf_eth_src, tvb, 6, 6, src_addr);
388 if(addr_item){
389 addr_tree = proto_item_add_subtree(addr_item, ett_addr);
390 }
391 addr_item=proto_tree_add_string(addr_tree, hf_eth_src_resolved, tvb, 6, 6,
392 get_ether_name(src_addr));
393 PROTO_ITEM_SET_GENERATED(addr_item);
394 PROTO_ITEM_SET_HIDDEN(addr_item);
395 proto_tree_add_ether(addr_tree, hf_eth_addr, tvb, 6, 6, src_addr);
396 addr_item=proto_tree_add_string(addr_tree, hf_eth_addr_resolved, tvb, 6, 6,
397 get_ether_name(src_addr));
398 PROTO_ITEM_SET_GENERATED(addr_item);
399 PROTO_ITEM_SET_HIDDEN(addr_item);
400 proto_tree_add_item(addr_tree, hf_eth_lg, tvb, 6, 3, ENC_BIG_ENDIAN);
401 proto_tree_add_item(addr_tree, hf_eth_ig, tvb, 6, 3, ENC_BIG_ENDIAN);
402
403 dissect_802_3(ehdr->type, is_802_2, tvb, ETH_HEADER_SIZE, pinfo,
404 parent_tree, fh_tree, hf_eth_len, hf_eth_trailer, &ei_eth_len, fcs_len);
405 } else {
406 if (eth_interpret_as_fw1_monitor) {
407 if ((dst_addr[0] == 'i') || (dst_addr[0] == 'I') ||
408 (dst_addr[0] == 'o') || (dst_addr[0] == 'O')) {
409 call_dissector(fw1_handle, tvb, pinfo, parent_tree);
410 return fh_tree;
411 }
412 }
413
414 col_set_str(pinfo->cinfo, COL_INFO, "Ethernet II");
415 if (parent_tree) {
416 if (PTREE_DATA(parent_tree)->visible) {
417 ti = proto_tree_add_protocol_format(parent_tree, proto_eth, tvb, 0, ETH_HEADER_SIZE,
418 "Ethernet II, Src: %s (%s), Dst: %s (%s)",
419 get_ether_name(src_addr), ether_to_str(src_addr),
420 get_ether_name(dst_addr), ether_to_str(dst_addr));
421 }
422 else {
423 ti = proto_tree_add_item(parent_tree, proto_eth, tvb, 0, ETH_HEADER_SIZE, ENC_NA);
424 }
425 fh_tree = proto_item_add_subtree(ti, ett_ether2);
426 }
427
428 addr_item=proto_tree_add_ether(fh_tree, hf_eth_dst, tvb, 0, 6, dst_addr);
429 if(addr_item){
430 addr_tree = proto_item_add_subtree(addr_item, ett_addr);
431 }
432 addr_item=proto_tree_add_string(addr_tree, hf_eth_dst_resolved, tvb, 0, 6,
433 get_ether_name(dst_addr));
434 PROTO_ITEM_SET_GENERATED(addr_item);
435 PROTO_ITEM_SET_HIDDEN(addr_item);
436 proto_tree_add_ether(addr_tree, hf_eth_addr, tvb, 0, 6, dst_addr);
437 addr_item=proto_tree_add_string(addr_tree, hf_eth_addr_resolved, tvb, 0, 6,
438 get_ether_name(dst_addr));
439 PROTO_ITEM_SET_GENERATED(addr_item);
440 PROTO_ITEM_SET_HIDDEN(addr_item);
441 proto_tree_add_item(addr_tree, hf_eth_lg, tvb, 0, 3, ENC_BIG_ENDIAN);
442 proto_tree_add_item(addr_tree, hf_eth_ig, tvb, 0, 3, ENC_BIG_ENDIAN);
443
444 addr_item=proto_tree_add_ether(fh_tree, hf_eth_src, tvb, 6, 6, src_addr);
445 if(addr_item){
446 addr_tree = proto_item_add_subtree(addr_item, ett_addr);
447 if (tvb_get_guint8(tvb, 6) & 0x01) {
448 expert_add_info(pinfo, addr_item, &ei_eth_src_not_group);
449 }
450 }
451 addr_item=proto_tree_add_string(addr_tree, hf_eth_src_resolved, tvb, 6, 6,
452 get_ether_name(src_addr));
453 PROTO_ITEM_SET_GENERATED(addr_item);
454 PROTO_ITEM_SET_HIDDEN(addr_item);
455 proto_tree_add_ether(addr_tree, hf_eth_addr, tvb, 6, 6, src_addr);
456 addr_item=proto_tree_add_string(addr_tree, hf_eth_addr_resolved, tvb, 6, 6,
457 get_ether_name(src_addr));
458 PROTO_ITEM_SET_GENERATED(addr_item);
459 PROTO_ITEM_SET_HIDDEN(addr_item);
460 proto_tree_add_item(addr_tree, hf_eth_lg, tvb, 6, 3, ENC_BIG_ENDIAN);
461 proto_tree_add_item(addr_tree, hf_eth_ig, tvb, 6, 3, ENC_BIG_ENDIAN);
462
463 ethertype(ehdr->type, tvb, ETH_HEADER_SIZE, pinfo, parent_tree, fh_tree, hf_eth_type,
464 hf_eth_trailer, fcs_len);
465 }
466 return fh_tree;
467 }
468
469 /* -------------- */
470 static gboolean check_is_802_2(tvbuff_t *tvb, int fcs_len)
471 {
472 volatile gboolean is_802_2;
473 volatile int length;
474 gint captured_length, reported_length;
475
476 is_802_2 = TRUE;
477
478 /* Is there an 802.2 layer? I can tell by looking at the first 2
479 bytes after the 802.3 header. If they are 0xffff, then what
480 follows the 802.3 header is an IPX payload, meaning no 802.2.
481 A non-0xffff value means that there's an 802.2 layer or CCSDS
482 layer inside the 802.3 layer */
483
484 TRY {
485 if (tvb_get_ntohs(tvb, 14) == 0xffff) {
486 is_802_2 = FALSE;
487 }
488 /* Is this a CCSDS payload instead of an 802.2 (LLC)?
489 Check the conditions enabled by the user for CCSDS presence */
490 else if (ccsds_heuristic_length || ccsds_heuristic_version ||
491 ccsds_heuristic_header || ccsds_heuristic_bit) {
492 gboolean CCSDS_len = TRUE;
493 gboolean CCSDS_ver = TRUE;
494 gboolean CCSDS_head = TRUE;
495 gboolean CCSDS_bit = TRUE;
496 /* See if the reported payload size matches the
497 size contained in the CCSDS header. */
498 if (ccsds_heuristic_length) {
499 /* The following technique to account for FCS
500 is copied from packet-ieee8023.c dissect_802_3() */
501 length = tvb_get_ntohs(tvb, 12);
502 reported_length = tvb_reported_length_remaining(tvb, ETH_HEADER_SIZE);
503 if (fcs_len > 0) {
504 if (reported_length >= fcs_len)
505 reported_length -= fcs_len;
506 }
507 /* Make sure the length in the 802.3 header doesn't go past the end of
508 the payload. */
509 if (length > reported_length) {
510 length = reported_length;
511 }
512 /* Only allow inspection of 'length' number of bytes. */
513 captured_length = tvb_length_remaining(tvb, ETH_HEADER_SIZE);
514 if (captured_length > length)
515 captured_length = length;
516
517 /* Check if payload is large enough to contain a CCSDS header */
518 if (captured_length >= 6) {
519 /* Compare length to packet length contained in CCSDS header. */
520 if (length != 7 + tvb_get_ntohs(tvb, ETH_HEADER_SIZE + 4))
521 CCSDS_len = FALSE;
522 }
523 }
524 /* Check if CCSDS Version number (first 3 bits of payload) is zero */
525 if ((ccsds_heuristic_version) && (tvb_get_bits8(tvb, 8*ETH_HEADER_SIZE, 3)!=0))
526 CCSDS_ver = FALSE;
527 /* Check if Secondary Header Flag (4th bit of payload) is set to one. */
528 if ((ccsds_heuristic_header) && (tvb_get_bits8(tvb, 8*ETH_HEADER_SIZE + 4, 1)!=1))
529 CCSDS_head = FALSE;
530 /* Check if spare bit (1st bit of 7th word of payload) is zero. */
531 if ((ccsds_heuristic_bit) && (tvb_get_bits8(tvb, 8*ETH_HEADER_SIZE + 16*6, 1)!=0))
532 CCSDS_bit = FALSE;
533 /* If all the conditions are true, don't interpret payload as an 802.2 (LLC).
534 * Additional check in packet-802.3.c will distinguish between
535 * IPX and CCSDS packets*/
536 if (CCSDS_len && CCSDS_ver && CCSDS_head && CCSDS_bit)
537 is_802_2 = FALSE;
538 }
539 }
540 CATCH_BOUNDS_ERRORS {
541 ; /* do nothing */
542
543 }
544 ENDTRY;
545 return is_802_2;
546 }
547
548
549 /*
550 * Add an Ethernet trailer - which, for some captures, might be the FCS
551 * rather than a pad-to-60-bytes trailer.
552 *
553 * If fcs_len is 0, we assume the frame has no FCS; if it's 4, we assume
554 * it has an FCS; if it's anything else (such as -1, which means "maybe
555 * it does, maybe it doesn't"), we try to infer whether it has an FCS.
556 */
557 void
558 add_ethernet_trailer(packet_info *pinfo, proto_tree *tree, proto_tree *fh_tree,
559 int trailer_id, tvbuff_t *tvb, tvbuff_t *trailer_tvb, int fcs_len)
560 {
561 /* If there're some bytes left over, it could be a combination of:
562 - padding to meet the minimum 64 byte frame length
563 - an FCS, if present (if fcs_len is 0, we know it's not present;
564 if fcs_len is 4, we know it's present; if fcs_len is -1, we
565 need some heuristics to determine whether it's present)
566 - information inserted by TAPs or other network monitoring equipment.
567
568 If we don't know whether the FCS is present, then, if we don't have a
569 network monitoring trailer, and if the Ethernet frame was claimed to
570 have had 64 or more bytes - i.e., it was at least an FCS worth of data
571 longer than the minimum payload size - we could assume the last 4 bytes
572 of the trailer are an FCS. */
573 proto_item *item;
574 proto_tree *checksum_tree;
575
576 if (trailer_tvb) {
577 guint trailer_length, trailer_reported_length;
578 guint padding_length = 0;
579 gboolean has_fcs = FALSE;
580 tvbuff_t *real_trailer_tvb;
581
582 trailer_length = tvb_length(trailer_tvb);
583 trailer_reported_length = tvb_reported_length(trailer_tvb);
584
585 /* There can not have been padding when the length of the frame (including the
586 trailer) is less than 60 bytes. */
587 if (eth_assume_padding && pinfo->fd->pkt_len>=60) {
588 /* Calculate the amount of padding needed for a minimum sized frame */
589 if ( (pinfo->fd->pkt_len - trailer_reported_length) < 60 )
590 padding_length = 60 - (pinfo->fd->pkt_len - trailer_reported_length);
591
592 /* Add the padding to the tree, unless it should be treated as
593 part of the trailer and therefor be handed over to (one of)
594 the ethernet-trailer dissectors */
595 if (padding_length > 0) {
596 tvb_ensure_bytes_exist(tvb, 0, padding_length);
597 proto_tree_add_item(fh_tree, hf_eth_padding, trailer_tvb, 0,
598 padding_length, ENC_NA);
599 trailer_length -= padding_length;
600 trailer_reported_length -= padding_length;
601 }
602 }
603
604 if (fcs_len != 0) {
605 /* If fcs_len is 4, we assume we definitely have an FCS.
606 Otherwise, then, if the frame is big enough that, if we
607 have a trailer, it probably inclues an FCS, and we have
608 enough space in the trailer for the FCS, we assume we
609 have an FCS.
610
611 "Big enough" means 64 bytes or more; any frame that big
612 needs no trailer, as there's no need to pad an Ethernet
613 packet past 60 bytes.
614
615 The trailer must be at least 4 bytes long to have enough
616 space for an FCS. */
617
618 if (fcs_len == 4 || (tvb_reported_length(tvb) >= 64 &&
619 trailer_reported_length >= 4)) {
620 /* Either we know we have an FCS, or we believe we have an FCS. */
621 if (trailer_length < trailer_reported_length) {
622 /* The packet is claimed to have enough data for a 4-byte FCS,
623 but we didn't capture all of the packet.
624 Slice off the 4-byte FCS from the reported length, and
625 trim the captured length so it's no more than the reported
626 length; that will slice off what of the FCS, if any, is
627 in the captured packet. */
628 trailer_reported_length -= 4;
629 if (trailer_length > trailer_reported_length)
630 trailer_length = trailer_reported_length;
631 has_fcs = TRUE;
632 } else {
633 /* We captured all of the packet, including what appears to
634 be a 4-byte FCS. Slice it off. */
635 trailer_length -= 4;
636 trailer_reported_length -= 4;
637 has_fcs = TRUE;
638 }
639 }
640 }
641
642 /* Create a new tvb without the padding and/or the (assumed) fcs */
643 if (fcs_len==4)
644 real_trailer_tvb = tvb_new_subset(trailer_tvb, padding_length,
645 trailer_length, trailer_reported_length);
646 else
647 real_trailer_tvb = tvb_new_subset_remaining(trailer_tvb, padding_length);
648
649 /* Call all ethernet trailer dissectors to dissect the trailer if
650 we actually have a trailer. */
651 if (tvb_reported_length(real_trailer_tvb) != 0) {
652 if (dissector_try_heuristic(eth_trailer_subdissector_list,
653 real_trailer_tvb, pinfo, tree, NULL) ) {
654 /* If we're not sure that there is a FCS, all trailer data
655 has been given to the ethernet-trailer dissector, so
656 stop dissecting here */
657 if (fcs_len!=4)
658 return;
659 } else {
660 /* No luck with the trailer dissectors, so just display the
661 extra bytes as general trailer */
662 if (trailer_length != 0) {
663 tvb_ensure_bytes_exist(tvb, 0, trailer_length);
664 proto_tree_add_item(fh_tree, trailer_id, real_trailer_tvb, 0,
665 trailer_length, ENC_NA);
666 }
667 }
668 }
669
670 if (has_fcs) {
671 guint32 sent_fcs = tvb_get_ntohl(trailer_tvb, padding_length+trailer_length);
672 if(eth_check_fcs){
673 guint32 fcs = crc32_802_tvb(tvb, tvb_length(tvb) - 4);
674 if (fcs == sent_fcs) {
675 item = proto_tree_add_uint_format_value(fh_tree, hf_eth_fcs, trailer_tvb,
676 padding_length+trailer_length, 4, sent_fcs,
677 "0x%08x [correct]", sent_fcs);
678 checksum_tree = proto_item_add_subtree(item, ett_eth_fcs);
679 item = proto_tree_add_boolean(checksum_tree, hf_eth_fcs_good, trailer_tvb,
680 padding_length+trailer_length, 4, TRUE);
681 PROTO_ITEM_SET_GENERATED(item);
682 item = proto_tree_add_boolean(checksum_tree, hf_eth_fcs_bad, trailer_tvb,
683 padding_length+trailer_length, 4, FALSE);
684 PROTO_ITEM_SET_GENERATED(item);
685 } else {
686 item = proto_tree_add_uint_format_value(fh_tree, hf_eth_fcs, trailer_tvb,
687 padding_length+trailer_length, 4, sent_fcs,
688 "0x%08x [incorrect, should be 0x%08x]",
689 sent_fcs, fcs);
690 checksum_tree = proto_item_add_subtree(item, ett_eth_fcs);
691 item = proto_tree_add_boolean(checksum_tree, hf_eth_fcs_good, trailer_tvb,
692 padding_length+trailer_length, 4, FALSE);
693 PROTO_ITEM_SET_GENERATED(item);
694 item = proto_tree_add_boolean(checksum_tree, hf_eth_fcs_bad, trailer_tvb,
695 padding_length+trailer_length, 4, TRUE);
696 PROTO_ITEM_SET_GENERATED(item);
697 expert_add_info(pinfo, item, &ei_eth_fcs_bad);
698 col_append_str(pinfo->cinfo, COL_INFO, " [ETHERNET FRAME CHECK SEQUENCE INCORRECT]");
699 }
700 }else{
701 item = proto_tree_add_uint_format_value(fh_tree, hf_eth_fcs, trailer_tvb,
702 padding_length+trailer_length, 4, sent_fcs,
703 "0x%08x [validiation disabled]", sent_fcs);
704 checksum_tree = proto_item_add_subtree(item, ett_eth_fcs);
705 item = proto_tree_add_boolean(checksum_tree, hf_eth_fcs_good, trailer_tvb,
706 padding_length+trailer_length, 4, FALSE);
707 PROTO_ITEM_SET_GENERATED(item);
708 item = proto_tree_add_boolean(checksum_tree, hf_eth_fcs_bad, trailer_tvb,
709 padding_length+trailer_length, 4, FALSE);
710 PROTO_ITEM_SET_GENERATED(item);
711 }
712 trailer_length += 4;
713 }
714 proto_tree_set_appendix(fh_tree, tvb, tvb_length(tvb) - padding_length - trailer_length, padding_length + trailer_length);
715 }
716 }
717
718 /* Called for the Ethernet Wiretap encapsulation type; pass the FCS length
719 reported to us, or, if the "assume_fcs" preference is set, pass 4. */
720 static void
721 dissect_eth_maybefcs(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
722 {
723 proto_tree *fh_tree;
724
725 /* Some devices slice the packet and add their own trailer before
726 putting the frame on the network. Make sure these packets get
727 a proper trailer (even though the sliced frame might not
728 properly dissect. */
729 if ( (eth_trailer_length > 0) && (eth_trailer_length < tvb_length(tvb)) ) {
730 tvbuff_t *next_tvb;
731 guint total_trailer_length;
732
733 total_trailer_length = eth_trailer_length + (eth_assume_fcs ? 4 : 0);
734
735 /* Dissect the tvb up to, but not including the trailer */
736 next_tvb = tvb_new_subset(tvb, 0,
737 tvb_length(tvb) - total_trailer_length,
738 tvb_reported_length(tvb) - total_trailer_length);
739 fh_tree = dissect_eth_common(next_tvb, pinfo, tree, 0);
740
741 /* Now handle the ethernet trailer and optional FCS */
742 next_tvb = tvb_new_subset_remaining(tvb, tvb_length(tvb) - total_trailer_length);
743 add_ethernet_trailer(pinfo, tree, fh_tree, hf_eth_trailer, tvb, next_tvb,
744 eth_assume_fcs ? 4 : pinfo->pseudo_header->eth.fcs_len);
745 } else {
746 dissect_eth_common(tvb, pinfo, tree, eth_assume_fcs ? 4 : pinfo->pseudo_header->eth.fcs_len);
747 }
748 }
749
750 /* Called by other dissectors This one's for encapsulated Ethernet
751 packets that don't include an FCS. */
752 static void
753 dissect_eth_withoutfcs(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
754 {
755 dissect_eth_common(tvb, pinfo, tree, 0);
756 }
757
758 /* ...and this one's for encapsulated packets that do. */
759 static void
760 dissect_eth_withfcs(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
761 {
762 dissect_eth_common(tvb, pinfo, tree, 4);
763 }
764
765 void
766 proto_register_eth(void)
767 {
768 static hf_register_info hf[] = {
769
770 { &hf_eth_dst,
771 { "Destination", "eth.dst", FT_ETHER, BASE_NONE, NULL, 0x0,
772 "Destination Hardware Address", HFILL }},
773
774 { &hf_eth_dst_resolved,
775 { "Destination (resolved)", "eth.dst_resolved", FT_STRING, BASE_NONE,
776 NULL, 0x0, "Destination Hardware Address (resolved)", HFILL }},
777
778 { &hf_eth_src,
779 { "Source", "eth.src", FT_ETHER, BASE_NONE, NULL, 0x0,
780 "Source Hardware Address", HFILL }},
781
782 { &hf_eth_src_resolved,
783 { "Source (resolved)", "eth.src_resolved", FT_STRING, BASE_NONE,
784 NULL, 0x0, "Source Hardware Address (resolved)", HFILL }},
785
786 { &hf_eth_len,
787 { "Length", "eth.len", FT_UINT16, BASE_DEC, NULL, 0x0,
788 NULL, HFILL }},
789
790 /* registered here but handled in packet-ethertype.c */
791 { &hf_eth_type,
792 { "Type", "eth.type", FT_UINT16, BASE_HEX, VALS(etype_vals), 0x0,
793 NULL, HFILL }},
794
795 { &hf_eth_invalid_lentype,
796 { "Invalid length/type", "eth.invalid_lentype", FT_UINT16, BASE_HEX_DEC,
797 NULL, 0x0, NULL, HFILL }},
798
799 { &hf_eth_addr,
800 { "Address", "eth.addr", FT_ETHER, BASE_NONE, NULL, 0x0,
801 "Source or Destination Hardware Address", HFILL }},
802
803 { &hf_eth_addr_resolved,
804 { "Address (resolved)", "eth.addr_resolved", FT_STRING, BASE_NONE,
805 NULL, 0x0, "Source or Destination Hardware Address (resolved)",
806 HFILL }},
807
808 { &hf_eth_padding,
809 { "Padding", "eth.padding", FT_BYTES, BASE_NONE, NULL, 0x0,
810 "Ethernet Padding", HFILL }},
811
812 { &hf_eth_trailer,
813 { "Trailer", "eth.trailer", FT_BYTES, BASE_NONE, NULL, 0x0,
814 "Ethernet Trailer or Checksum", HFILL }},
815
816 { &hf_eth_fcs,
817 { "Frame check sequence", "eth.fcs", FT_UINT32, BASE_HEX, NULL, 0x0,
818 "Ethernet checksum", HFILL }},
819
820 { &hf_eth_fcs_good,
821 { "FCS Good", "eth.fcs_good", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
822 "True: checksum matches packet content; False: doesn't match content or not checked", HFILL }},
823
824 { &hf_eth_fcs_bad,
825 { "FCS Bad", "eth.fcs_bad", FT_BOOLEAN, BASE_NONE, NULL, 0x0,
826 "True: checksum doesn't matche packet content; False: does match content or not checked", HFILL }},
827
828 { &hf_eth_lg,
829 { "LG bit", "eth.lg", FT_BOOLEAN, 24,
830 TFS(&lg_tfs), 0x020000,
831 "Specifies if this is a locally administered or globally unique (IEEE assigned) address", HFILL }},
832
833 { &hf_eth_ig,
834 { "IG bit", "eth.ig", FT_BOOLEAN, 24,
835 TFS(&ig_tfs), 0x010000,
836 "Specifies if this is an individual (unicast) or group (broadcast/multicast) address", HFILL }}
837 };
838 static gint *ett[] = {
839 &ett_ieee8023,
840 &ett_ether2,
841 &ett_ether,
842 &ett_addr,
843 &ett_eth_fcs
844 };
845
846 static ei_register_info ei[] = {
847 { &ei_eth_invalid_lentype, { "eth.invalid_lentype", PI_PROTOCOL, PI_WARN, "Invalid length/type", EXPFILL }},
848 { &ei_eth_src_not_group, { "eth.src_not_group", PI_PROTOCOL, PI_WARN, "Source MAC must not be a group address: IEEE 802.3-2002, Section 3.2.3(b)", EXPFILL }},
849 { &ei_eth_fcs_bad, { "eth.fcs_bad.expert", PI_CHECKSUM, PI_ERROR, "Bad checksum", EXPFILL }},
850 { &ei_eth_len, { "eth.len.past_end", PI_MALFORMED, PI_ERROR, "Length field value goes past the end of the payload", EXPFILL }},
851 };
852
853 module_t *eth_module;
854 expert_module_t* expert_eth;
855
856 proto_eth = proto_register_protocol("Ethernet", "Ethernet", "eth");
857 proto_register_field_array(proto_eth, hf, array_length(hf));
858 proto_register_subtree_array(ett, array_length(ett));
859 expert_eth = expert_register_protocol(proto_eth);
860 expert_register_field_array(expert_eth, ei, array_length(ei));
861
862 /* subdissector code */
863 register_heur_dissector_list("eth", &heur_subdissector_list);
864 register_heur_dissector_list("eth.trailer", &eth_trailer_subdissector_list);
865
866 /* Register configuration preferences */
867 eth_module = prefs_register_protocol(proto_eth, NULL);
868
869 prefs_register_bool_preference(eth_module, "assume_padding",
870 "Assume short frames which include a trailer contain padding",
871 "Some devices add trailing data to frames. When this setting is checked "
872 "the Ethernet dissector will assume there has been added padding to the "
873 "frame before the trailer was added. Uncheck if a device added a trailer "
874 "before the frame was padded.",
875 &eth_assume_padding);
876
877 prefs_register_uint_preference(eth_module, "trailer_length",
878 "Fixed ethernet trailer length",
879 "Some TAPs add a fixed length ethernet trailer at the end "
880 "of the frame, but before the (optional) FCS. Make sure it "
881 "gets interpreted correctly.",
882 10, &eth_trailer_length);
883
884 prefs_register_bool_preference(eth_module, "assume_fcs",
885 "Assume packets have FCS",
886 "Some Ethernet adapters and drivers include the FCS at the end of a packet, others do not. "
887 "The Ethernet dissector attempts to guess whether a captured packet has an FCS, "
888 "but it cannot always guess correctly.",
889 &eth_assume_fcs);
890
891 prefs_register_bool_preference(eth_module, "check_fcs",
892 "Validate the Ethernet checksum if possible",
893 "Whether to validate the Frame Check Sequence",
894 &eth_check_fcs);
895
896 prefs_register_bool_preference(eth_module, "interpret_as_fw1_monitor",
897 "Attempt to interpret as FireWall-1 monitor file",
898 "Whether packets should be interpreted as coming from CheckPoint FireWall-1 monitor file if they look as if they do",
899 &eth_interpret_as_fw1_monitor);
900
901 prefs_register_static_text_preference(eth_module, "ccsds_heuristic",
902 "These are the conditions to match a payload against in order to determine if this\n"
903 "is a CCSDS (Consultative Committee for Space Data Systems) packet within\n"
904 "an 802.3 packet. A packet is considered as a possible CCSDS packet only if\n"
905 "one or more of the conditions are checked.",
906 "Describe the conditions that must be true for the CCSDS dissector to be called");
907
908 prefs_register_bool_preference(eth_module, "ccsds_heuristic_length",
909 "CCSDS Length in header matches payload size",
910 "Set the condition that must be true for the CCSDS dissector to be called",
911 &ccsds_heuristic_length);
912
913 prefs_register_bool_preference(eth_module, "ccsds_heuristic_version",
914 "CCSDS Version # is zero",
915 "Set the condition that must be true for the CCSDS dissector to be called",
916 &ccsds_heuristic_version);
917
918 prefs_register_bool_preference(eth_module, "ccsds_heuristic_header",
919 "CCSDS Secondary Header Flag is set",
920 "Set the condition that must be true for the CCSDS dissector to be called",
921 &ccsds_heuristic_header);
922
923 prefs_register_bool_preference(eth_module, "ccsds_heuristic_bit",
924 "CCSDS Spare bit is cleared",
925 "Set the condition that must be true for the CCSDS dissector to be called",
926 &ccsds_heuristic_bit);
927
928 register_dissector("eth_withoutfcs", dissect_eth_withoutfcs, proto_eth);
929 register_dissector("eth_withfcs", dissect_eth_withfcs, proto_eth);
930 register_dissector("eth", dissect_eth_maybefcs, proto_eth);
931 eth_tap = register_tap("eth");
932 }
933
934 void
935 proto_reg_handoff_eth(void)
936 {
937 dissector_handle_t eth_maybefcs_handle, eth_withoutfcs_handle;
938
939 /* Get a handle for the Firewall-1 dissector. */
940 fw1_handle = find_dissector("fw1");
941
942 /* Get a handle for the generic data dissector. */
943 data_handle = find_dissector("data");
944
945 eth_maybefcs_handle = find_dissector("eth");
946 dissector_add_uint("wtap_encap", WTAP_ENCAP_ETHERNET, eth_maybefcs_handle);
947
948 eth_withoutfcs_handle = find_dissector("eth_withoutfcs");
949 dissector_add_uint("ethertype", ETHERTYPE_ETHBRIDGE, eth_withoutfcs_handle);
950 dissector_add_uint("chdlc.protocol", ETHERTYPE_ETHBRIDGE, eth_withoutfcs_handle);
951 dissector_add_uint("gre.proto", ETHERTYPE_ETHBRIDGE, eth_withoutfcs_handle);
952
953 dissector_add_uint("sll.ltype", LINUX_SLL_P_ETHERNET, eth_withoutfcs_handle);
954
955 /*
956 * This is to handle the output for the Cisco CMTS "cable intercept"
957 * command - it encapsulates Ethernet frames in UDP packets, but
958 * the UDP port is user-defined.
959 */
960 dissector_add_handle("udp.port", eth_withoutfcs_handle);
961 }