1 /* 2 * Copyright (c) 1992, 1993, 1994, 1995, 1996, 1997 3 * The Regents of the University of California. All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that: (1) source code distributions 7 * retain the above copyright notice and this paragraph in its entirety, (2) 8 * distributions including binary code include the above copyright notice and 9 * this paragraph in its entirety in the documentation or other materials 10 * provided with the distribution, and (3) all advertising materials mentioning 11 * features or use of this software display the following acknowledgement: 12 * ``This product includes software developed by the University of California, 13 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of 14 * the University nor the names of its contributors may be used to endorse 15 * or promote products derived from this software without specific prior 16 * written permission. 17 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED 18 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF 19 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 20 * 21 * Code by Matt Thomas, Digital Equipment Corporation 22 * with an awful lot of hacking by Jeffrey Mogul, DECWRL 23 * 24 * $FreeBSD$ 25 */ 26 27 #ifndef lint 28 static const char rcsid[] _U_ = 29 "@(#) $Header: /tcpdump/master/tcpdump/print-llc.c,v 1.75 2007-04-13 09:43:11 hannes Exp $"; 30 #endif 31 32 #ifdef HAVE_CONFIG_H 33 #include "config.h" 34 #endif 35 36 #include <tcpdump-stdinc.h> 37 38 #include <stdio.h> 39 #include <string.h> 40 41 #include "interface.h" 42 #include "addrtoname.h" 43 #include "extract.h" /* must come after interface.h */ 44 45 #include "llc.h" 46 #include "ethertype.h" 47 #include "oui.h" 48 49 static struct tok llc_values[] = { 50 { LLCSAP_NULL, "Null" }, 51 { LLCSAP_GLOBAL, "Global" }, 52 { LLCSAP_8021B_I, "802.1B I" }, 53 { LLCSAP_8021B_G, "802.1B G" }, 54 { LLCSAP_IP, "IP" }, 55 { LLCSAP_SNA, "SNA" }, 56 { LLCSAP_PROWAYNM, "ProWay NM" }, 57 { LLCSAP_8021D, "STP" }, 58 { LLCSAP_RS511, "RS511" }, 59 { LLCSAP_ISO8208, "ISO8208" }, 60 { LLCSAP_PROWAY, "ProWay" }, 61 { LLCSAP_SNAP, "SNAP" }, 62 { LLCSAP_IPX, "IPX" }, 63 { LLCSAP_NETBEUI, "NetBeui" }, 64 { LLCSAP_ISONS, "OSI" }, 65 { 0, NULL }, 66 }; 67 68 static struct tok llc_cmd_values[] = { 69 { LLC_UI, "ui" }, 70 { LLC_TEST, "test" }, 71 { LLC_XID, "xid" }, 72 { LLC_UA, "ua" }, 73 { LLC_DISC, "disc" }, 74 { LLC_DM, "dm" }, 75 { LLC_SABME, "sabme" }, 76 { LLC_FRMR, "frmr" }, 77 { 0, NULL } 78 }; 79 80 static const struct tok llc_flag_values[] = { 81 { 0, "Command" }, 82 { LLC_GSAP, "Response" }, 83 { LLC_U_POLL, "Poll" }, 84 { LLC_GSAP|LLC_U_POLL, "Final" }, 85 { LLC_IS_POLL, "Poll" }, 86 { LLC_GSAP|LLC_IS_POLL, "Final" }, 87 { 0, NULL } 88 }; 89 90 91 static const struct tok llc_ig_flag_values[] = { 92 { 0, "Individual" }, 93 { LLC_IG, "Group" }, 94 { 0, NULL } 95 }; 96 97 98 static const struct tok llc_supervisory_values[] = { 99 { 0, "Receiver Ready" }, 100 { 1, "Receiver not Ready" }, 101 { 2, "Reject" }, 102 { 0, NULL } 103 }; 104 105 106 static const struct tok cisco_values[] = { 107 { PID_CISCO_CDP, "CDP" }, 108 { PID_CISCO_VTP, "VTP" }, 109 { PID_CISCO_DTP, "DTP" }, 110 { PID_CISCO_UDLD, "UDLD" }, 111 { PID_CISCO_PVST, "PVST" }, 112 { 0, NULL } 113 }; 114 115 static const struct tok bridged_values[] = { 116 { PID_RFC2684_ETH_FCS, "Ethernet + FCS" }, 117 { PID_RFC2684_ETH_NOFCS, "Ethernet w/o FCS" }, 118 { PID_RFC2684_802_4_FCS, "802.4 + FCS" }, 119 { PID_RFC2684_802_4_NOFCS, "802.4 w/o FCS" }, 120 { PID_RFC2684_802_5_FCS, "Token Ring + FCS" }, 121 { PID_RFC2684_802_5_NOFCS, "Token Ring w/o FCS" }, 122 { PID_RFC2684_FDDI_FCS, "FDDI + FCS" }, 123 { PID_RFC2684_FDDI_NOFCS, "FDDI w/o FCS" }, 124 { PID_RFC2684_802_6_FCS, "802.6 + FCS" }, 125 { PID_RFC2684_802_6_NOFCS, "802.6 w/o FCS" }, 126 { PID_RFC2684_BPDU, "BPDU" }, 127 { 0, NULL }, 128 }; 129 130 static const struct tok null_values[] = { 131 { 0, NULL } 132 }; 133 134 struct oui_tok { 135 u_int32_t oui; 136 const struct tok *tok; 137 }; 138 139 static const struct oui_tok oui_to_tok[] = { 140 { OUI_ENCAP_ETHER, ethertype_values }, 141 { OUI_CISCO_90, ethertype_values }, /* uses some Ethertype values */ 142 { OUI_APPLETALK, ethertype_values }, /* uses some Ethertype values */ 143 { OUI_CISCO, cisco_values }, 144 { OUI_RFC2684, bridged_values }, /* bridged, RFC 2427 FR or RFC 2864 ATM */ 145 { 0, NULL } 146 }; 147 148 /* 149 * Returns non-zero IFF it succeeds in printing the header 150 */ 151 int 152 llc_print(const u_char *p, u_int length, u_int caplen, 153 const u_char *esrc, const u_char *edst, u_short *extracted_ethertype) 154 { 155 u_int8_t dsap_field, dsap, ssap_field, ssap; 156 u_int16_t control; 157 int is_u; 158 register int ret; 159 160 *extracted_ethertype = 0; 161 162 if (caplen < 3) { 163 (void)printf("[|llc]"); 164 default_print((u_char *)p, caplen); 165 return(0); 166 } 167 168 dsap_field = *p; 169 ssap_field = *(p + 1); 170 171 /* 172 * OK, what type of LLC frame is this? The length 173 * of the control field depends on that - I frames 174 * have a two-byte control field, and U frames have 175 * a one-byte control field. 176 */ 177 control = *(p + 2); 178 if ((control & LLC_U_FMT) == LLC_U_FMT) { 179 /* 180 * U frame. 181 */ 182 is_u = 1; 183 } else { 184 /* 185 * The control field in I and S frames is 186 * 2 bytes... 187 */ 188 if (caplen < 4) { 189 (void)printf("[|llc]"); 190 default_print((u_char *)p, caplen); 191 return(0); 192 } 193 194 /* 195 * ...and is little-endian. 196 */ 197 control = EXTRACT_LE_16BITS(p + 2); 198 is_u = 0; 199 } 200 201 if (ssap_field == LLCSAP_GLOBAL && dsap_field == LLCSAP_GLOBAL) { 202 /* 203 * This is an Ethernet_802.3 IPX frame; it has an 204 * 802.3 header (i.e., an Ethernet header where the 205 * type/length field is <= ETHERMTU, i.e. it's a length 206 * field, not a type field), but has no 802.2 header - 207 * the IPX packet starts right after the Ethernet header, 208 * with a signature of two bytes of 0xFF (which is 209 * LLCSAP_GLOBAL). 210 * 211 * (It might also have been an Ethernet_802.3 IPX at 212 * one time, but got bridged onto another network, 213 * such as an 802.11 network; this has appeared in at 214 * least one capture file.) 215 */ 216 217 if (eflag) 218 printf("IPX 802.3: "); 219 220 ipx_print(p, length); 221 return (1); 222 } 223 224 dsap = dsap_field & ~LLC_IG; 225 ssap = ssap_field & ~LLC_GSAP; 226 227 if (eflag) { 228 printf("LLC, dsap %s (0x%02x) %s, ssap %s (0x%02x) %s", 229 tok2str(llc_values, "Unknown", dsap), 230 dsap, 231 tok2str(llc_ig_flag_values, "Unknown", dsap_field & LLC_IG), 232 tok2str(llc_values, "Unknown", ssap), 233 ssap, 234 tok2str(llc_flag_values, "Unknown", ssap_field & LLC_GSAP)); 235 236 if (is_u) { 237 printf(", ctrl 0x%02x: ", control); 238 } else { 239 printf(", ctrl 0x%04x: ", control); 240 } 241 } 242 243 if (ssap == LLCSAP_8021D && dsap == LLCSAP_8021D && 244 control == LLC_UI) { 245 stp_print(p+3, length-3); 246 return (1); 247 } 248 249 if (ssap == LLCSAP_IP && dsap == LLCSAP_IP && 250 control == LLC_UI) { 251 ip_print(gndo, p+4, length-4); 252 return (1); 253 } 254 255 if (ssap == LLCSAP_IPX && dsap == LLCSAP_IPX && 256 control == LLC_UI) { 257 /* 258 * This is an Ethernet_802.2 IPX frame, with an 802.3 259 * header and an 802.2 LLC header with the source and 260 * destination SAPs being the IPX SAP. 261 * 262 * Skip DSAP, LSAP, and control field. 263 */ 264 if (eflag) 265 printf("IPX 802.2: "); 266 267 ipx_print(p+3, length-3); 268 return (1); 269 } 270 271 #ifdef TCPDUMP_DO_SMB 272 if (ssap == LLCSAP_NETBEUI && dsap == LLCSAP_NETBEUI 273 && (!(control & LLC_S_FMT) || control == LLC_U_FMT)) { 274 /* 275 * we don't actually have a full netbeui parser yet, but the 276 * smb parser can handle many smb-in-netbeui packets, which 277 * is very useful, so we call that 278 * 279 * We don't call it for S frames, however, just I frames 280 * (which are frames that don't have the low-order bit, 281 * LLC_S_FMT, set in the first byte of the control field) 282 * and UI frames (whose control field is just 3, LLC_U_FMT). 283 */ 284 285 /* 286 * Skip the LLC header. 287 */ 288 if (is_u) { 289 p += 3; 290 length -= 3; 291 caplen -= 3; 292 } else { 293 p += 4; 294 length -= 4; 295 caplen -= 4; 296 } 297 netbeui_print(control, p, length); 298 return (1); 299 } 300 #endif 301 if (ssap == LLCSAP_ISONS && dsap == LLCSAP_ISONS 302 && control == LLC_UI) { 303 isoclns_print(p + 3, length - 3, caplen - 3); 304 return (1); 305 } 306 307 if (ssap == LLCSAP_SNAP && dsap == LLCSAP_SNAP 308 && control == LLC_UI) { 309 /* 310 * XXX - what *is* the right bridge pad value here? 311 * Does anybody ever bridge one form of LAN traffic 312 * over a networking type that uses 802.2 LLC? 313 */ 314 ret = snap_print(p+3, length-3, caplen-3, extracted_ethertype, 315 2); 316 if (ret) 317 return (ret); 318 } 319 320 if (!eflag) { 321 if (ssap == dsap) { 322 if (esrc == NULL || edst == NULL) 323 (void)printf("%s ", tok2str(llc_values, "Unknown DSAP 0x%02x", dsap)); 324 else 325 (void)printf("%s > %s %s ", 326 etheraddr_string(esrc), 327 etheraddr_string(edst), 328 tok2str(llc_values, "Unknown DSAP 0x%02x", dsap)); 329 } else { 330 if (esrc == NULL || edst == NULL) 331 (void)printf("%s > %s ", 332 tok2str(llc_values, "Unknown SSAP 0x%02x", ssap), 333 tok2str(llc_values, "Unknown DSAP 0x%02x", dsap)); 334 else 335 (void)printf("%s %s > %s %s ", 336 etheraddr_string(esrc), 337 tok2str(llc_values, "Unknown SSAP 0x%02x", ssap), 338 etheraddr_string(edst), 339 tok2str(llc_values, "Unknown DSAP 0x%02x", dsap)); 340 } 341 } 342 343 if (is_u) { 344 printf("Unnumbered, %s, Flags [%s], length %u", 345 tok2str(llc_cmd_values, "%02x", LLC_U_CMD(control)), 346 tok2str(llc_flag_values,"?",(ssap_field & LLC_GSAP) | (control & LLC_U_POLL)), 347 length); 348 349 p += 3; 350 length -= 3; 351 caplen -= 3; 352 353 if ((control & ~LLC_U_POLL) == LLC_XID) { 354 if (*p == LLC_XID_FI) { 355 printf(": %02x %02x", p[1], p[2]); 356 p += 3; 357 length -= 3; 358 caplen -= 3; 359 } 360 } 361 } else { 362 if ((control & LLC_S_FMT) == LLC_S_FMT) { 363 (void)printf("Supervisory, %s, rcv seq %u, Flags [%s], length %u", 364 tok2str(llc_supervisory_values,"?",LLC_S_CMD(control)), 365 LLC_IS_NR(control), 366 tok2str(llc_flag_values,"?",(ssap_field & LLC_GSAP) | (control & LLC_IS_POLL)), 367 length); 368 } else { 369 (void)printf("Information, send seq %u, rcv seq %u, Flags [%s], length %u", 370 LLC_I_NS(control), 371 LLC_IS_NR(control), 372 tok2str(llc_flag_values,"?",(ssap_field & LLC_GSAP) | (control & LLC_IS_POLL)), 373 length); 374 } 375 p += 4; 376 length -= 4; 377 caplen -= 4; 378 } 379 return(1); 380 } 381 382 int 383 snap_print(const u_char *p, u_int length, u_int caplen, 384 u_short *extracted_ethertype, u_int bridge_pad) 385 { 386 u_int32_t orgcode; 387 register u_short et; 388 register int ret; 389 390 TCHECK2(*p, 5); 391 orgcode = EXTRACT_24BITS(p); 392 et = EXTRACT_16BITS(p + 3); 393 394 if (eflag) { 395 const struct tok *tok = null_values; 396 const struct oui_tok *otp; 397 398 for (otp = &oui_to_tok[0]; otp->tok != NULL; otp++) { 399 if (otp->oui == orgcode) { 400 tok = otp->tok; 401 break; 402 } 403 } 404 (void)printf("oui %s (0x%06x), %s %s (0x%04x): ", 405 tok2str(oui_values, "Unknown", orgcode), 406 orgcode, 407 (orgcode == 0x000000 ? "ethertype" : "pid"), 408 tok2str(tok, "Unknown", et), 409 et); 410 } 411 p += 5; 412 length -= 5; 413 caplen -= 5; 414 415 switch (orgcode) { 416 case OUI_ENCAP_ETHER: 417 case OUI_CISCO_90: 418 /* 419 * This is an encapsulated Ethernet packet, 420 * or a packet bridged by some piece of 421 * Cisco hardware; the protocol ID is 422 * an Ethernet protocol type. 423 */ 424 ret = ether_encap_print(et, p, length, caplen, 425 extracted_ethertype); 426 if (ret) 427 return (ret); 428 break; 429 430 case OUI_APPLETALK: 431 if (et == ETHERTYPE_ATALK) { 432 /* 433 * No, I have no idea why Apple used one 434 * of their own OUIs, rather than 435 * 0x000000, and an Ethernet packet 436 * type, for Appletalk data packets, 437 * but used 0x000000 and an Ethernet 438 * packet type for AARP packets. 439 */ 440 ret = ether_encap_print(et, p, length, caplen, 441 extracted_ethertype); 442 if (ret) 443 return (ret); 444 } 445 break; 446 447 case OUI_CISCO: 448 switch (et) { 449 case PID_CISCO_CDP: 450 cdp_print(p, length, caplen); 451 return (1); 452 case PID_CISCO_DTP: 453 dtp_print(p, length); 454 return (1); 455 case PID_CISCO_UDLD: 456 udld_print(p, length); 457 return (1); 458 case PID_CISCO_VTP: 459 vtp_print(p, length); 460 return (1); 461 case PID_CISCO_PVST: 462 stp_print(p, length); 463 return (1); 464 default: 465 break; 466 } 467 468 case OUI_RFC2684: 469 switch (et) { 470 471 case PID_RFC2684_ETH_FCS: 472 case PID_RFC2684_ETH_NOFCS: 473 /* 474 * XXX - remove the last two bytes for 475 * PID_RFC2684_ETH_FCS? 476 */ 477 /* 478 * Skip the padding. 479 */ 480 TCHECK2(*p, bridge_pad); 481 caplen -= bridge_pad; 482 length -= bridge_pad; 483 p += bridge_pad; 484 485 /* 486 * What remains is an Ethernet packet. 487 */ 488 ether_print(p, length, caplen); 489 return (1); 490 491 case PID_RFC2684_802_5_FCS: 492 case PID_RFC2684_802_5_NOFCS: 493 /* 494 * XXX - remove the last two bytes for 495 * PID_RFC2684_ETH_FCS? 496 */ 497 /* 498 * Skip the padding, but not the Access 499 * Control field. 500 */ 501 TCHECK2(*p, bridge_pad); 502 caplen -= bridge_pad; 503 length -= bridge_pad; 504 p += bridge_pad; 505 506 /* 507 * What remains is an 802.5 Token Ring 508 * packet. 509 */ 510 token_print(p, length, caplen); 511 return (1); 512 513 case PID_RFC2684_FDDI_FCS: 514 case PID_RFC2684_FDDI_NOFCS: 515 /* 516 * XXX - remove the last two bytes for 517 * PID_RFC2684_ETH_FCS? 518 */ 519 /* 520 * Skip the padding. 521 */ 522 TCHECK2(*p, bridge_pad + 1); 523 caplen -= bridge_pad + 1; 524 length -= bridge_pad + 1; 525 p += bridge_pad + 1; 526 527 /* 528 * What remains is an FDDI packet. 529 */ 530 fddi_print(p, length, caplen); 531 return (1); 532 533 case PID_RFC2684_BPDU: 534 stp_print(p, length); 535 return (1); 536 } 537 } 538 return (0); 539 540 trunc: 541 (void)printf("[|snap]"); 542 return (1); 543 } 544 545 546 /* 547 * Local Variables: 548 * c-style: whitesmith 549 * c-basic-offset: 8 550 * End: 551 */ 552