1 /* 2 * Copyright (c) 1992, 1993, 1994, 1995, 1996, 1997 3 * The Regents of the University of California. All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that: (1) source code distributions 7 * retain the above copyright notice and this paragraph in its entirety, (2) 8 * distributions including binary code include the above copyright notice and 9 * this paragraph in its entirety in the documentation or other materials 10 * provided with the distribution, and (3) all advertising materials mentioning 11 * features or use of this software display the following acknowledgement: 12 * ``This product includes software developed by the University of California, 13 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of 14 * the University nor the names of its contributors may be used to endorse 15 * or promote products derived from this software without specific prior 16 * written permission. 17 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED 18 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF 19 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 20 * 21 * Code by Matt Thomas, Digital Equipment Corporation 22 * with an awful lot of hacking by Jeffrey Mogul, DECWRL 23 * 24 * $FreeBSD$ 25 */ 26 27 #ifndef lint 28 static const char rcsid[] _U_ = 29 "@(#) $Header: /tcpdump/master/tcpdump/print-llc.c,v 1.61.2.4 2005/04/26 07:27:16 guy Exp $"; 30 #endif 31 32 #ifdef HAVE_CONFIG_H 33 #include "config.h" 34 #endif 35 36 #include <tcpdump-stdinc.h> 37 38 #include <stdio.h> 39 #include <string.h> 40 41 #include "interface.h" 42 #include "addrtoname.h" 43 #include "extract.h" /* must come after interface.h */ 44 45 #include "llc.h" 46 #include "ethertype.h" 47 #include "oui.h" 48 49 static struct tok llc_values[] = { 50 { LLCSAP_NULL, "Null" }, 51 { LLCSAP_GLOBAL, "Global" }, 52 { LLCSAP_8021B_I, "802.1B I" }, 53 { LLCSAP_8021B_G, "802.1B G" }, 54 { LLCSAP_IP, "IP" }, 55 { LLCSAP_PROWAYNM, "ProWay NM" }, 56 { LLCSAP_8021D, "STP" }, 57 { LLCSAP_RS511, "RS511" }, 58 { LLCSAP_ISO8208, "ISO8208" }, 59 { LLCSAP_PROWAY, "ProWay" }, 60 { LLCSAP_SNAP, "SNAP" }, 61 { LLCSAP_IPX, "IPX" }, 62 { LLCSAP_NETBEUI, "NetBeui" }, 63 { LLCSAP_ISONS, "OSI" }, 64 { 0, NULL }, 65 }; 66 67 static struct tok cmd2str[] = { 68 { LLC_UI, "ui" }, 69 { LLC_TEST, "test" }, 70 { LLC_XID, "xid" }, 71 { LLC_UA, "ua" }, 72 { LLC_DISC, "disc" }, 73 { LLC_DM, "dm" }, 74 { LLC_SABME, "sabme" }, 75 { LLC_FRMR, "frmr" }, 76 { 0, NULL } 77 }; 78 79 static const struct tok cisco_values[] = { 80 { PID_CISCO_CDP, "CDP" }, 81 { 0, NULL } 82 }; 83 84 static const struct tok bridged_values[] = { 85 { PID_RFC2684_ETH_FCS, "Ethernet + FCS" }, 86 { PID_RFC2684_ETH_NOFCS, "Ethernet w/o FCS" }, 87 { PID_RFC2684_802_4_FCS, "802.4 + FCS" }, 88 { PID_RFC2684_802_4_NOFCS, "802.4 w/o FCS" }, 89 { PID_RFC2684_802_5_FCS, "Token Ring + FCS" }, 90 { PID_RFC2684_802_5_NOFCS, "Token Ring w/o FCS" }, 91 { PID_RFC2684_FDDI_FCS, "FDDI + FCS" }, 92 { PID_RFC2684_FDDI_NOFCS, "FDDI w/o FCS" }, 93 { PID_RFC2684_802_6_FCS, "802.6 + FCS" }, 94 { PID_RFC2684_802_6_NOFCS, "802.6 w/o FCS" }, 95 { PID_RFC2684_BPDU, "BPDU" }, 96 { 0, NULL }, 97 }; 98 99 struct oui_tok { 100 u_int32_t oui; 101 const struct tok *tok; 102 }; 103 104 static const struct oui_tok oui_to_tok[] = { 105 { OUI_ENCAP_ETHER, ethertype_values }, 106 { OUI_CISCO_90, ethertype_values }, /* uses some Ethertype values */ 107 { OUI_APPLETALK, ethertype_values }, /* uses some Ethertype values */ 108 { OUI_CISCO, cisco_values }, 109 { OUI_RFC2684, bridged_values }, /* bridged, RFC 2427 FR or RFC 2864 ATM */ 110 { 0, NULL } 111 }; 112 113 /* 114 * Returns non-zero IFF it succeeds in printing the header 115 */ 116 int 117 llc_print(const u_char *p, u_int length, u_int caplen, 118 const u_char *esrc, const u_char *edst, u_short *extracted_ethertype) 119 { 120 u_int8_t dsap, ssap; 121 u_int16_t control; 122 int is_u; 123 register int ret; 124 125 if (caplen < 3) { 126 (void)printf("[|llc]"); 127 default_print((u_char *)p, caplen); 128 return(0); 129 } 130 131 dsap = *p; 132 ssap = *(p + 1); 133 134 /* 135 * OK, what type of LLC frame is this? The length 136 * of the control field depends on that - I frames 137 * have a two-byte control field, and U frames have 138 * a one-byte control field. 139 */ 140 control = *(p + 2); 141 if ((control & LLC_U_FMT) == LLC_U_FMT) { 142 /* 143 * U frame. 144 */ 145 is_u = 1; 146 } else { 147 /* 148 * The control field in I and S frames is 149 * 2 bytes... 150 */ 151 if (caplen < 4) { 152 (void)printf("[|llc]"); 153 default_print((u_char *)p, caplen); 154 return(0); 155 } 156 157 /* 158 * ...and is little-endian. 159 */ 160 control = EXTRACT_LE_16BITS(p + 2); 161 is_u = 0; 162 } 163 164 if (ssap == LLCSAP_GLOBAL && dsap == LLCSAP_GLOBAL) { 165 /* 166 * This is an Ethernet_802.3 IPX frame; it has an 167 * 802.3 header (i.e., an Ethernet header where the 168 * type/length field is <= ETHERMTU, i.e. it's a length 169 * field, not a type field), but has no 802.2 header - 170 * the IPX packet starts right after the Ethernet header, 171 * with a signature of two bytes of 0xFF (which is 172 * LLCSAP_GLOBAL). 173 * 174 * (It might also have been an Ethernet_802.3 IPX at 175 * one time, but got bridged onto another network, 176 * such as an 802.11 network; this has appeared in at 177 * least one capture file.) 178 */ 179 180 if (eflag) 181 printf("IPX-802.3: "); 182 183 ipx_print(p, length); 184 return (1); 185 } 186 187 if (eflag) { 188 if (is_u) { 189 printf("LLC, dsap %s (0x%02x), ssap %s (0x%02x), cmd 0x%02x: ", 190 tok2str(llc_values, "Unknown", dsap), 191 dsap, 192 tok2str(llc_values, "Unknown", ssap), 193 ssap, 194 control); 195 } else { 196 printf("LLC, dsap %s (0x%02x), ssap %s (0x%02x), cmd 0x%04x: ", 197 tok2str(llc_values, "Unknown", dsap), 198 dsap, 199 tok2str(llc_values, "Unknown", ssap), 200 ssap, 201 control); 202 } 203 } 204 205 if (ssap == LLCSAP_8021D && dsap == LLCSAP_8021D && 206 control == LLC_UI) { 207 stp_print(p+3, length-3); 208 return (1); 209 } 210 211 if (ssap == LLCSAP_IP && dsap == LLCSAP_IP && 212 control == LLC_UI) { 213 ip_print(gndo, p+4, length-4); 214 return (1); 215 } 216 217 if (ssap == LLCSAP_IPX && dsap == LLCSAP_IPX && 218 control == LLC_UI) { 219 /* 220 * This is an Ethernet_802.2 IPX frame, with an 802.3 221 * header and an 802.2 LLC header with the source and 222 * destination SAPs being the IPX SAP. 223 * 224 * Skip DSAP, LSAP, and control field. 225 */ 226 printf("(NOV-802.2) "); 227 ipx_print(p+3, length-3); 228 return (1); 229 } 230 231 #ifdef TCPDUMP_DO_SMB 232 if (ssap == LLCSAP_NETBEUI && dsap == LLCSAP_NETBEUI 233 && (!(control & LLC_S_FMT) || control == LLC_U_FMT)) { 234 /* 235 * we don't actually have a full netbeui parser yet, but the 236 * smb parser can handle many smb-in-netbeui packets, which 237 * is very useful, so we call that 238 * 239 * We don't call it for S frames, however, just I frames 240 * (which are frames that don't have the low-order bit, 241 * LLC_S_FMT, set in the first byte of the control field) 242 * and UI frames (whose control field is just 3, LLC_U_FMT). 243 */ 244 245 /* 246 * Skip the LLC header. 247 */ 248 if (is_u) { 249 p += 3; 250 length -= 3; 251 caplen -= 3; 252 } else { 253 p += 4; 254 length -= 4; 255 caplen -= 4; 256 } 257 netbeui_print(control, p, length); 258 return (1); 259 } 260 #endif 261 if (ssap == LLCSAP_ISONS && dsap == LLCSAP_ISONS 262 && control == LLC_UI) { 263 isoclns_print(p + 3, length - 3, caplen - 3); 264 return (1); 265 } 266 267 if (ssap == LLCSAP_SNAP && dsap == LLCSAP_SNAP 268 && control == LLC_UI) { 269 /* 270 * XXX - what *is* the right bridge pad value here? 271 * Does anybody ever bridge one form of LAN traffic 272 * over a networking type that uses 802.2 LLC? 273 */ 274 ret = snap_print(p+3, length-3, caplen-3, extracted_ethertype, 275 2); 276 if (ret) 277 return (ret); 278 } 279 280 if (!eflag) { 281 if ((ssap & ~LLC_GSAP) == dsap) { 282 if (esrc == NULL || edst == NULL) 283 (void)printf("%s ", llcsap_string(dsap)); 284 else 285 (void)printf("%s > %s %s ", 286 etheraddr_string(esrc), 287 etheraddr_string(edst), 288 llcsap_string(dsap)); 289 } else { 290 if (esrc == NULL || edst == NULL) 291 (void)printf("%s > %s ", 292 llcsap_string(ssap & ~LLC_GSAP), 293 llcsap_string(dsap)); 294 else 295 (void)printf("%s %s > %s %s ", 296 etheraddr_string(esrc), 297 llcsap_string(ssap & ~LLC_GSAP), 298 etheraddr_string(edst), 299 llcsap_string(dsap)); 300 } 301 } 302 303 if (is_u) { 304 const char *m; 305 char f; 306 307 m = tok2str(cmd2str, "%02x", LLC_U_CMD(control)); 308 switch ((ssap & LLC_GSAP) | (control & LLC_U_POLL)) { 309 case 0: f = 'C'; break; 310 case LLC_GSAP: f = 'R'; break; 311 case LLC_U_POLL: f = 'P'; break; 312 case LLC_GSAP|LLC_U_POLL: f = 'F'; break; 313 default: f = '?'; break; 314 } 315 316 printf("%s/%c", m, f); 317 318 p += 3; 319 length -= 3; 320 caplen -= 3; 321 322 if ((control & ~LLC_U_POLL) == LLC_XID) { 323 if (*p == LLC_XID_FI) { 324 printf(": %02x %02x", p[1], p[2]); 325 p += 3; 326 length -= 3; 327 caplen -= 3; 328 } 329 } 330 } else { 331 char f; 332 333 switch ((ssap & LLC_GSAP) | (control & LLC_IS_POLL)) { 334 case 0: f = 'C'; break; 335 case LLC_GSAP: f = 'R'; break; 336 case LLC_IS_POLL: f = 'P'; break; 337 case LLC_GSAP|LLC_IS_POLL: f = 'F'; break; 338 default: f = '?'; break; 339 } 340 341 if ((control & LLC_S_FMT) == LLC_S_FMT) { 342 static const char *llc_s[] = { "rr", "rej", "rnr", "03" }; 343 (void)printf("%s (r=%d,%c)", 344 llc_s[LLC_S_CMD(control)], 345 LLC_IS_NR(control), 346 f); 347 } else { 348 (void)printf("I (s=%d,r=%d,%c)", 349 LLC_I_NS(control), 350 LLC_IS_NR(control), 351 f); 352 } 353 p += 4; 354 length -= 4; 355 caplen -= 4; 356 } 357 return(1); 358 } 359 360 int 361 snap_print(const u_char *p, u_int length, u_int caplen, 362 u_short *extracted_ethertype, u_int bridge_pad) 363 { 364 u_int32_t orgcode; 365 register u_short et; 366 register int ret; 367 368 TCHECK2(*p, 5); 369 orgcode = EXTRACT_24BITS(p); 370 et = EXTRACT_16BITS(p + 3); 371 372 if (eflag) { 373 const struct tok *tok = NULL; 374 const struct oui_tok *otp; 375 376 for (otp = &oui_to_tok[0]; otp->tok != NULL; otp++) { 377 if (otp->oui == orgcode) { 378 tok = otp->tok; 379 break; 380 } 381 } 382 (void)printf("oui %s (0x%06x), %s %s (0x%04x): ", 383 tok2str(oui_values, "Unknown", orgcode), 384 orgcode, 385 (orgcode == 0x000000 ? "ethertype" : "pid"), 386 tok2str(tok, "Unknown", et), 387 et); 388 } 389 p += 5; 390 length -= 5; 391 caplen -= 5; 392 393 switch (orgcode) { 394 case OUI_ENCAP_ETHER: 395 case OUI_CISCO_90: 396 /* 397 * This is an encapsulated Ethernet packet, 398 * or a packet bridged by some piece of 399 * Cisco hardware; the protocol ID is 400 * an Ethernet protocol type. 401 */ 402 ret = ether_encap_print(et, p, length, caplen, 403 extracted_ethertype); 404 if (ret) 405 return (ret); 406 break; 407 408 case OUI_APPLETALK: 409 if (et == ETHERTYPE_ATALK) { 410 /* 411 * No, I have no idea why Apple used one 412 * of their own OUIs, rather than 413 * 0x000000, and an Ethernet packet 414 * type, for Appletalk data packets, 415 * but used 0x000000 and an Ethernet 416 * packet type for AARP packets. 417 */ 418 ret = ether_encap_print(et, p, length, caplen, 419 extracted_ethertype); 420 if (ret) 421 return (ret); 422 } 423 break; 424 425 case OUI_CISCO: 426 if (et == PID_CISCO_CDP) { 427 cdp_print(p, length, caplen); 428 return (1); 429 } 430 break; 431 432 case OUI_RFC2684: 433 switch (et) { 434 435 case PID_RFC2684_ETH_FCS: 436 case PID_RFC2684_ETH_NOFCS: 437 /* 438 * XXX - remove the last two bytes for 439 * PID_RFC2684_ETH_FCS? 440 */ 441 /* 442 * Skip the padding. 443 */ 444 TCHECK2(*p, bridge_pad); 445 caplen -= bridge_pad; 446 length -= bridge_pad; 447 p += bridge_pad; 448 449 /* 450 * What remains is an Ethernet packet. 451 */ 452 ether_print(p, length, caplen); 453 return (1); 454 455 case PID_RFC2684_802_5_FCS: 456 case PID_RFC2684_802_5_NOFCS: 457 /* 458 * XXX - remove the last two bytes for 459 * PID_RFC2684_ETH_FCS? 460 */ 461 /* 462 * Skip the padding, but not the Access 463 * Control field. 464 */ 465 TCHECK2(*p, bridge_pad); 466 caplen -= bridge_pad; 467 length -= bridge_pad; 468 p += bridge_pad; 469 470 /* 471 * What remains is an 802.5 Token Ring 472 * packet. 473 */ 474 token_print(p, length, caplen); 475 return (1); 476 477 case PID_RFC2684_FDDI_FCS: 478 case PID_RFC2684_FDDI_NOFCS: 479 /* 480 * XXX - remove the last two bytes for 481 * PID_RFC2684_ETH_FCS? 482 */ 483 /* 484 * Skip the padding. 485 */ 486 TCHECK2(*p, bridge_pad + 1); 487 caplen -= bridge_pad + 1; 488 length -= bridge_pad + 1; 489 p += bridge_pad + 1; 490 491 /* 492 * What remains is an FDDI packet. 493 */ 494 fddi_print(p, length, caplen); 495 return (1); 496 497 case PID_RFC2684_BPDU: 498 stp_print(p, length); 499 return (1); 500 } 501 } 502 return (0); 503 504 trunc: 505 (void)printf("[|snap]"); 506 return (1); 507 } 508 509 510 /* 511 * Local Variables: 512 * c-style: whitesmith 513 * c-basic-offset: 8 514 * End: 515 */ 516