1 /* 2 * Copyright (c) 1992, 1993, 1994, 1995, 1996, 1997 3 * The Regents of the University of California. All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that: (1) source code distributions 7 * retain the above copyright notice and this paragraph in its entirety, (2) 8 * distributions including binary code include the above copyright notice and 9 * this paragraph in its entirety in the documentation or other materials 10 * provided with the distribution, and (3) all advertising materials mentioning 11 * features or use of this software display the following acknowledgement: 12 * ``This product includes software developed by the University of California, 13 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of 14 * the University nor the names of its contributors may be used to endorse 15 * or promote products derived from this software without specific prior 16 * written permission. 17 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED 18 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF 19 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 20 * 21 * Code by Matt Thomas, Digital Equipment Corporation 22 * with an awful lot of hacking by Jeffrey Mogul, DECWRL 23 */ 24 25 /* \summary: IEEE 802.2 LLC printer */ 26 27 #ifdef HAVE_CONFIG_H 28 #include "config.h" 29 #endif 30 31 #include <netdissect-stdinc.h> 32 33 #include "netdissect.h" 34 #include "addrtoname.h" 35 #include "extract.h" 36 37 #include "llc.h" 38 #include "ethertype.h" 39 #include "oui.h" 40 41 static const struct tok llc_values[] = { 42 { LLCSAP_NULL, "Null" }, 43 { LLCSAP_GLOBAL, "Global" }, 44 { LLCSAP_8021B_I, "802.1B I" }, 45 { LLCSAP_8021B_G, "802.1B G" }, 46 { LLCSAP_IP, "IP" }, 47 { LLCSAP_SNA, "SNA" }, 48 { LLCSAP_PROWAYNM, "ProWay NM" }, 49 { LLCSAP_8021D, "STP" }, 50 { LLCSAP_RS511, "RS511" }, 51 { LLCSAP_ISO8208, "ISO8208" }, 52 { LLCSAP_PROWAY, "ProWay" }, 53 { LLCSAP_SNAP, "SNAP" }, 54 { LLCSAP_IPX, "IPX" }, 55 { LLCSAP_NETBEUI, "NetBeui" }, 56 { LLCSAP_ISONS, "OSI" }, 57 { 0, NULL }, 58 }; 59 60 static const struct tok llc_cmd_values[] = { 61 { LLC_UI, "ui" }, 62 { LLC_TEST, "test" }, 63 { LLC_XID, "xid" }, 64 { LLC_UA, "ua" }, 65 { LLC_DISC, "disc" }, 66 { LLC_DM, "dm" }, 67 { LLC_SABME, "sabme" }, 68 { LLC_FRMR, "frmr" }, 69 { 0, NULL } 70 }; 71 72 static const struct tok llc_flag_values[] = { 73 { 0, "Command" }, 74 { LLC_GSAP, "Response" }, 75 { LLC_U_POLL, "Poll" }, 76 { LLC_GSAP|LLC_U_POLL, "Final" }, 77 { LLC_IS_POLL, "Poll" }, 78 { LLC_GSAP|LLC_IS_POLL, "Final" }, 79 { 0, NULL } 80 }; 81 82 83 static const struct tok llc_ig_flag_values[] = { 84 { 0, "Individual" }, 85 { LLC_IG, "Group" }, 86 { 0, NULL } 87 }; 88 89 90 static const struct tok llc_supervisory_values[] = { 91 { 0, "Receiver Ready" }, 92 { 1, "Receiver not Ready" }, 93 { 2, "Reject" }, 94 { 0, NULL } 95 }; 96 97 98 static const struct tok cisco_values[] = { 99 { PID_CISCO_CDP, "CDP" }, 100 { PID_CISCO_VTP, "VTP" }, 101 { PID_CISCO_DTP, "DTP" }, 102 { PID_CISCO_UDLD, "UDLD" }, 103 { PID_CISCO_PVST, "PVST" }, 104 { PID_CISCO_VLANBRIDGE, "VLAN Bridge" }, 105 { 0, NULL } 106 }; 107 108 static const struct tok bridged_values[] = { 109 { PID_RFC2684_ETH_FCS, "Ethernet + FCS" }, 110 { PID_RFC2684_ETH_NOFCS, "Ethernet w/o FCS" }, 111 { PID_RFC2684_802_4_FCS, "802.4 + FCS" }, 112 { PID_RFC2684_802_4_NOFCS, "802.4 w/o FCS" }, 113 { PID_RFC2684_802_5_FCS, "Token Ring + FCS" }, 114 { PID_RFC2684_802_5_NOFCS, "Token Ring w/o FCS" }, 115 { PID_RFC2684_FDDI_FCS, "FDDI + FCS" }, 116 { PID_RFC2684_FDDI_NOFCS, "FDDI w/o FCS" }, 117 { PID_RFC2684_802_6_FCS, "802.6 + FCS" }, 118 { PID_RFC2684_802_6_NOFCS, "802.6 w/o FCS" }, 119 { PID_RFC2684_BPDU, "BPDU" }, 120 { 0, NULL }, 121 }; 122 123 static const struct tok null_values[] = { 124 { 0, NULL } 125 }; 126 127 struct oui_tok { 128 uint32_t oui; 129 const struct tok *tok; 130 }; 131 132 static const struct oui_tok oui_to_tok[] = { 133 { OUI_ENCAP_ETHER, ethertype_values }, 134 { OUI_CISCO_90, ethertype_values }, /* uses some Ethertype values */ 135 { OUI_APPLETALK, ethertype_values }, /* uses some Ethertype values */ 136 { OUI_CISCO, cisco_values }, 137 { OUI_RFC2684, bridged_values }, /* bridged, RFC 2427 FR or RFC 2864 ATM */ 138 { 0, NULL } 139 }; 140 141 /* 142 * If we printed information about the payload, returns the length of the LLC 143 * header, plus the length of any SNAP header following it. 144 * 145 * Otherwise (for example, if the packet has unknown SAPs or has a SNAP 146 * header with an unknown OUI/PID combination), returns the *negative* 147 * of that value. 148 */ 149 int 150 llc_print(netdissect_options *ndo, const u_char *p, u_int length, u_int caplen, 151 const struct lladdr_info *src, const struct lladdr_info *dst) 152 { 153 uint8_t dsap_field, dsap, ssap_field, ssap; 154 uint16_t control; 155 int hdrlen; 156 int is_u; 157 158 if (caplen < 3) { 159 ND_PRINT((ndo, "[|llc]")); 160 ND_DEFAULTPRINT((const u_char *)p, caplen); 161 return (caplen); 162 } 163 if (length < 3) { 164 ND_PRINT((ndo, "[|llc]")); 165 ND_DEFAULTPRINT((const u_char *)p, caplen); 166 return (length); 167 } 168 169 dsap_field = *p; 170 ssap_field = *(p + 1); 171 172 /* 173 * OK, what type of LLC frame is this? The length 174 * of the control field depends on that - I frames 175 * have a two-byte control field, and U frames have 176 * a one-byte control field. 177 */ 178 control = *(p + 2); 179 if ((control & LLC_U_FMT) == LLC_U_FMT) { 180 /* 181 * U frame. 182 */ 183 is_u = 1; 184 hdrlen = 3; /* DSAP, SSAP, 1-byte control field */ 185 } else { 186 /* 187 * The control field in I and S frames is 188 * 2 bytes... 189 */ 190 if (caplen < 4) { 191 ND_PRINT((ndo, "[|llc]")); 192 ND_DEFAULTPRINT((const u_char *)p, caplen); 193 return (caplen); 194 } 195 if (length < 4) { 196 ND_PRINT((ndo, "[|llc]")); 197 ND_DEFAULTPRINT((const u_char *)p, caplen); 198 return (length); 199 } 200 201 /* 202 * ...and is little-endian. 203 */ 204 control = EXTRACT_LE_16BITS(p + 2); 205 is_u = 0; 206 hdrlen = 4; /* DSAP, SSAP, 2-byte control field */ 207 } 208 209 if (ssap_field == LLCSAP_GLOBAL && dsap_field == LLCSAP_GLOBAL) { 210 /* 211 * This is an Ethernet_802.3 IPX frame; it has an 212 * 802.3 header (i.e., an Ethernet header where the 213 * type/length field is <= ETHERMTU, i.e. it's a length 214 * field, not a type field), but has no 802.2 header - 215 * the IPX packet starts right after the Ethernet header, 216 * with a signature of two bytes of 0xFF (which is 217 * LLCSAP_GLOBAL). 218 * 219 * (It might also have been an Ethernet_802.3 IPX at 220 * one time, but got bridged onto another network, 221 * such as an 802.11 network; this has appeared in at 222 * least one capture file.) 223 */ 224 225 if (ndo->ndo_eflag) 226 ND_PRINT((ndo, "IPX 802.3: ")); 227 228 ipx_print(ndo, p, length); 229 return (0); /* no LLC header */ 230 } 231 232 dsap = dsap_field & ~LLC_IG; 233 ssap = ssap_field & ~LLC_GSAP; 234 235 if (ndo->ndo_eflag) { 236 ND_PRINT((ndo, "LLC, dsap %s (0x%02x) %s, ssap %s (0x%02x) %s", 237 tok2str(llc_values, "Unknown", dsap), 238 dsap, 239 tok2str(llc_ig_flag_values, "Unknown", dsap_field & LLC_IG), 240 tok2str(llc_values, "Unknown", ssap), 241 ssap, 242 tok2str(llc_flag_values, "Unknown", ssap_field & LLC_GSAP))); 243 244 if (is_u) { 245 ND_PRINT((ndo, ", ctrl 0x%02x: ", control)); 246 } else { 247 ND_PRINT((ndo, ", ctrl 0x%04x: ", control)); 248 } 249 } 250 251 /* 252 * Skip LLC header. 253 */ 254 p += hdrlen; 255 length -= hdrlen; 256 caplen -= hdrlen; 257 258 if (ssap == LLCSAP_SNAP && dsap == LLCSAP_SNAP 259 && control == LLC_UI) { 260 /* 261 * XXX - what *is* the right bridge pad value here? 262 * Does anybody ever bridge one form of LAN traffic 263 * over a networking type that uses 802.2 LLC? 264 */ 265 if (!snap_print(ndo, p, length, caplen, src, dst, 2)) { 266 /* 267 * Unknown packet type; tell our caller, by 268 * returning a negative value, so they 269 * can print the raw packet. 270 */ 271 return (-(hdrlen + 5)); /* include LLC and SNAP header */ 272 } else 273 return (hdrlen + 5); /* include LLC and SNAP header */ 274 } 275 276 if (ssap == LLCSAP_8021D && dsap == LLCSAP_8021D && 277 control == LLC_UI) { 278 stp_print(ndo, p, length); 279 return (hdrlen); 280 } 281 282 if (ssap == LLCSAP_IP && dsap == LLCSAP_IP && 283 control == LLC_UI) { 284 /* 285 * This is an RFC 948-style IP packet, with 286 * an 802.3 header and an 802.2 LLC header 287 * with the source and destination SAPs being 288 * the IP SAP. 289 */ 290 ip_print(ndo, p, length); 291 return (hdrlen); 292 } 293 294 if (ssap == LLCSAP_IPX && dsap == LLCSAP_IPX && 295 control == LLC_UI) { 296 /* 297 * This is an Ethernet_802.2 IPX frame, with an 802.3 298 * header and an 802.2 LLC header with the source and 299 * destination SAPs being the IPX SAP. 300 */ 301 if (ndo->ndo_eflag) 302 ND_PRINT((ndo, "IPX 802.2: ")); 303 304 ipx_print(ndo, p, length); 305 return (hdrlen); 306 } 307 308 #ifdef ENABLE_SMB 309 if (ssap == LLCSAP_NETBEUI && dsap == LLCSAP_NETBEUI 310 && (!(control & LLC_S_FMT) || control == LLC_U_FMT)) { 311 /* 312 * we don't actually have a full netbeui parser yet, but the 313 * smb parser can handle many smb-in-netbeui packets, which 314 * is very useful, so we call that 315 * 316 * We don't call it for S frames, however, just I frames 317 * (which are frames that don't have the low-order bit, 318 * LLC_S_FMT, set in the first byte of the control field) 319 * and UI frames (whose control field is just 3, LLC_U_FMT). 320 */ 321 netbeui_print(ndo, control, p, length); 322 return (hdrlen); 323 } 324 #endif 325 if (ssap == LLCSAP_ISONS && dsap == LLCSAP_ISONS 326 && control == LLC_UI) { 327 isoclns_print(ndo, p, length); 328 return (hdrlen); 329 } 330 331 if (!ndo->ndo_eflag) { 332 if (ssap == dsap) { 333 if (src == NULL || dst == NULL) 334 ND_PRINT((ndo, "%s ", tok2str(llc_values, "Unknown DSAP 0x%02x", dsap))); 335 else 336 ND_PRINT((ndo, "%s > %s %s ", 337 (src->addr_string)(ndo, src->addr), 338 (dst->addr_string)(ndo, dst->addr), 339 tok2str(llc_values, "Unknown DSAP 0x%02x", dsap))); 340 } else { 341 if (src == NULL || dst == NULL) 342 ND_PRINT((ndo, "%s > %s ", 343 tok2str(llc_values, "Unknown SSAP 0x%02x", ssap), 344 tok2str(llc_values, "Unknown DSAP 0x%02x", dsap))); 345 else 346 ND_PRINT((ndo, "%s %s > %s %s ", 347 (src->addr_string)(ndo, src->addr), 348 tok2str(llc_values, "Unknown SSAP 0x%02x", ssap), 349 (dst->addr_string)(ndo, dst->addr), 350 tok2str(llc_values, "Unknown DSAP 0x%02x", dsap))); 351 } 352 } 353 354 if (is_u) { 355 ND_PRINT((ndo, "Unnumbered, %s, Flags [%s], length %u", 356 tok2str(llc_cmd_values, "%02x", LLC_U_CMD(control)), 357 tok2str(llc_flag_values,"?",(ssap_field & LLC_GSAP) | (control & LLC_U_POLL)), 358 length + hdrlen)); 359 360 if ((control & ~LLC_U_POLL) == LLC_XID) { 361 if (length == 0) { 362 /* 363 * XID with no payload. 364 * This could, for example, be an SNA 365 * "short form" XID. 366 */ 367 return (hdrlen); 368 } 369 if (caplen < 1) { 370 ND_PRINT((ndo, "[|llc]")); 371 if (caplen > 0) 372 ND_DEFAULTPRINT((const u_char *)p, caplen); 373 return (hdrlen); 374 } 375 if (*p == LLC_XID_FI) { 376 if (caplen < 3 || length < 3) { 377 ND_PRINT((ndo, "[|llc]")); 378 if (caplen > 0) 379 ND_DEFAULTPRINT((const u_char *)p, caplen); 380 } else 381 ND_PRINT((ndo, ": %02x %02x", p[1], p[2])); 382 return (hdrlen); 383 } 384 } 385 } else { 386 if ((control & LLC_S_FMT) == LLC_S_FMT) { 387 ND_PRINT((ndo, "Supervisory, %s, rcv seq %u, Flags [%s], length %u", 388 tok2str(llc_supervisory_values,"?",LLC_S_CMD(control)), 389 LLC_IS_NR(control), 390 tok2str(llc_flag_values,"?",(ssap_field & LLC_GSAP) | (control & LLC_IS_POLL)), 391 length + hdrlen)); 392 return (hdrlen); /* no payload to print */ 393 } else { 394 ND_PRINT((ndo, "Information, send seq %u, rcv seq %u, Flags [%s], length %u", 395 LLC_I_NS(control), 396 LLC_IS_NR(control), 397 tok2str(llc_flag_values,"?",(ssap_field & LLC_GSAP) | (control & LLC_IS_POLL)), 398 length + hdrlen)); 399 } 400 } 401 return (-hdrlen); 402 } 403 404 static const struct tok * 405 oui_to_struct_tok(uint32_t orgcode) 406 { 407 const struct tok *tok = null_values; 408 const struct oui_tok *otp; 409 410 for (otp = &oui_to_tok[0]; otp->tok != NULL; otp++) { 411 if (otp->oui == orgcode) { 412 tok = otp->tok; 413 break; 414 } 415 } 416 return (tok); 417 } 418 419 int 420 snap_print(netdissect_options *ndo, const u_char *p, u_int length, u_int caplen, 421 const struct lladdr_info *src, const struct lladdr_info *dst, 422 u_int bridge_pad) 423 { 424 uint32_t orgcode; 425 register u_short et; 426 register int ret; 427 428 ND_TCHECK2(*p, 5); 429 if (caplen < 5 || length < 5) 430 goto trunc; 431 orgcode = EXTRACT_24BITS(p); 432 et = EXTRACT_16BITS(p + 3); 433 434 if (ndo->ndo_eflag) { 435 /* 436 * Somebody's already printed the MAC addresses, if there 437 * are any, so just print the SNAP header, not the MAC 438 * addresses. 439 */ 440 ND_PRINT((ndo, "oui %s (0x%06x), %s %s (0x%04x), length %u: ", 441 tok2str(oui_values, "Unknown", orgcode), 442 orgcode, 443 (orgcode == 0x000000 ? "ethertype" : "pid"), 444 tok2str(oui_to_struct_tok(orgcode), "Unknown", et), 445 et, length - 5)); 446 } 447 p += 5; 448 length -= 5; 449 caplen -= 5; 450 451 switch (orgcode) { 452 case OUI_ENCAP_ETHER: 453 case OUI_CISCO_90: 454 /* 455 * This is an encapsulated Ethernet packet, 456 * or a packet bridged by some piece of 457 * Cisco hardware; the protocol ID is 458 * an Ethernet protocol type. 459 */ 460 ret = ethertype_print(ndo, et, p, length, caplen, src, dst); 461 if (ret) 462 return (ret); 463 break; 464 465 case OUI_APPLETALK: 466 if (et == ETHERTYPE_ATALK) { 467 /* 468 * No, I have no idea why Apple used one 469 * of their own OUIs, rather than 470 * 0x000000, and an Ethernet packet 471 * type, for Appletalk data packets, 472 * but used 0x000000 and an Ethernet 473 * packet type for AARP packets. 474 */ 475 ret = ethertype_print(ndo, et, p, length, caplen, src, dst); 476 if (ret) 477 return (ret); 478 } 479 break; 480 481 case OUI_CISCO: 482 switch (et) { 483 case PID_CISCO_CDP: 484 cdp_print(ndo, p, length, caplen); 485 return (1); 486 case PID_CISCO_DTP: 487 dtp_print(ndo, p, length); 488 return (1); 489 case PID_CISCO_UDLD: 490 udld_print(ndo, p, length); 491 return (1); 492 case PID_CISCO_VTP: 493 vtp_print(ndo, p, length); 494 return (1); 495 case PID_CISCO_PVST: 496 case PID_CISCO_VLANBRIDGE: 497 stp_print(ndo, p, length); 498 return (1); 499 default: 500 break; 501 } 502 break; 503 504 case OUI_RFC2684: 505 switch (et) { 506 507 case PID_RFC2684_ETH_FCS: 508 case PID_RFC2684_ETH_NOFCS: 509 /* 510 * XXX - remove the last two bytes for 511 * PID_RFC2684_ETH_FCS? 512 */ 513 /* 514 * Skip the padding. 515 */ 516 ND_TCHECK2(*p, bridge_pad); 517 caplen -= bridge_pad; 518 length -= bridge_pad; 519 p += bridge_pad; 520 521 /* 522 * What remains is an Ethernet packet. 523 */ 524 ether_print(ndo, p, length, caplen, NULL, NULL); 525 return (1); 526 527 case PID_RFC2684_802_5_FCS: 528 case PID_RFC2684_802_5_NOFCS: 529 /* 530 * XXX - remove the last two bytes for 531 * PID_RFC2684_ETH_FCS? 532 */ 533 /* 534 * Skip the padding, but not the Access 535 * Control field. 536 */ 537 ND_TCHECK2(*p, bridge_pad); 538 caplen -= bridge_pad; 539 length -= bridge_pad; 540 p += bridge_pad; 541 542 /* 543 * What remains is an 802.5 Token Ring 544 * packet. 545 */ 546 token_print(ndo, p, length, caplen); 547 return (1); 548 549 case PID_RFC2684_FDDI_FCS: 550 case PID_RFC2684_FDDI_NOFCS: 551 /* 552 * XXX - remove the last two bytes for 553 * PID_RFC2684_ETH_FCS? 554 */ 555 /* 556 * Skip the padding. 557 */ 558 ND_TCHECK2(*p, bridge_pad + 1); 559 caplen -= bridge_pad + 1; 560 length -= bridge_pad + 1; 561 p += bridge_pad + 1; 562 563 /* 564 * What remains is an FDDI packet. 565 */ 566 fddi_print(ndo, p, length, caplen); 567 return (1); 568 569 case PID_RFC2684_BPDU: 570 stp_print(ndo, p, length); 571 return (1); 572 } 573 } 574 if (!ndo->ndo_eflag) { 575 /* 576 * Nobody printed the link-layer addresses, so print them, if 577 * we have any. 578 */ 579 if (src != NULL && dst != NULL) { 580 ND_PRINT((ndo, "%s > %s ", 581 (src->addr_string)(ndo, src->addr), 582 (dst->addr_string)(ndo, dst->addr))); 583 } 584 /* 585 * Print the SNAP header, but if the OUI is 000000, don't 586 * bother printing it, and report the PID as being an 587 * ethertype. 588 */ 589 if (orgcode == 0x000000) { 590 ND_PRINT((ndo, "SNAP, ethertype %s (0x%04x), length %u: ", 591 tok2str(ethertype_values, "Unknown", et), 592 et, length)); 593 } else { 594 ND_PRINT((ndo, "SNAP, oui %s (0x%06x), pid %s (0x%04x), length %u: ", 595 tok2str(oui_values, "Unknown", orgcode), 596 orgcode, 597 tok2str(oui_to_struct_tok(orgcode), "Unknown", et), 598 et, length)); 599 } 600 } 601 return (0); 602 603 trunc: 604 ND_PRINT((ndo, "[|snap]")); 605 return (1); 606 } 607 608 609 /* 610 * Local Variables: 611 * c-style: whitesmith 612 * c-basic-offset: 8 613 * End: 614 */ 615