1 /* 2 * Copyright (c) 1992, 1993, 1994, 1995, 1996, 1997 3 * The Regents of the University of California. All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that: (1) source code distributions 7 * retain the above copyright notice and this paragraph in its entirety, (2) 8 * distributions including binary code include the above copyright notice and 9 * this paragraph in its entirety in the documentation or other materials 10 * provided with the distribution, and (3) all advertising materials mentioning 11 * features or use of this software display the following acknowledgement: 12 * ``This product includes software developed by the University of California, 13 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of 14 * the University nor the names of its contributors may be used to endorse 15 * or promote products derived from this software without specific prior 16 * written permission. 17 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED 18 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF 19 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 20 * 21 * Code by Matt Thomas, Digital Equipment Corporation 22 * with an awful lot of hacking by Jeffrey Mogul, DECWRL 23 */ 24 25 /* \summary: IEEE 802.2 LLC printer */ 26 27 #include <config.h> 28 29 #include "netdissect-stdinc.h" 30 31 #include "netdissect.h" 32 #include "addrtoname.h" 33 #include "extract.h" 34 35 #include "llc.h" 36 #include "ethertype.h" 37 #include "oui.h" 38 39 static const struct tok llc_values[] = { 40 { LLCSAP_NULL, "Null" }, 41 { LLCSAP_GLOBAL, "Global" }, 42 { LLCSAP_8021B_I, "802.1B I" }, 43 { LLCSAP_8021B_G, "802.1B G" }, 44 { LLCSAP_IP, "IP" }, 45 { LLCSAP_SNA, "SNA" }, 46 { LLCSAP_PROWAYNM, "ProWay NM" }, 47 { LLCSAP_8021D, "STP" }, 48 { LLCSAP_RS511, "RS511" }, 49 { LLCSAP_ISO8208, "ISO8208" }, 50 { LLCSAP_PROWAY, "ProWay" }, 51 { LLCSAP_SNAP, "SNAP" }, 52 { LLCSAP_IPX, "IPX" }, 53 { LLCSAP_NETBEUI, "NetBeui" }, 54 { LLCSAP_ISONS, "OSI" }, 55 { 0, NULL }, 56 }; 57 58 static const struct tok llc_cmd_values[] = { 59 { LLC_UI, "ui" }, 60 { LLC_TEST, "test" }, 61 { LLC_XID, "xid" }, 62 { LLC_UA, "ua" }, 63 { LLC_DISC, "disc" }, 64 { LLC_DM, "dm" }, 65 { LLC_SABME, "sabme" }, 66 { LLC_FRMR, "frmr" }, 67 { 0, NULL } 68 }; 69 70 static const struct tok llc_flag_values[] = { 71 { 0, "Command" }, 72 { LLC_GSAP, "Response" }, 73 { LLC_U_POLL, "Poll" }, 74 { LLC_GSAP|LLC_U_POLL, "Final" }, 75 { LLC_IS_POLL, "Poll" }, 76 { LLC_GSAP|LLC_IS_POLL, "Final" }, 77 { 0, NULL } 78 }; 79 80 81 static const struct tok llc_ig_flag_values[] = { 82 { 0, "Individual" }, 83 { LLC_IG, "Group" }, 84 { 0, NULL } 85 }; 86 87 88 static const struct tok llc_supervisory_values[] = { 89 { 0, "Receiver Ready" }, 90 { 1, "Receiver not Ready" }, 91 { 2, "Reject" }, 92 { 0, NULL } 93 }; 94 95 96 static const struct tok cisco_values[] = { 97 { PID_CISCO_CDP, "CDP" }, 98 { PID_CISCO_VTP, "VTP" }, 99 { PID_CISCO_DTP, "DTP" }, 100 { PID_CISCO_UDLD, "UDLD" }, 101 { PID_CISCO_PVST, "PVST" }, 102 { PID_CISCO_VLANBRIDGE, "VLAN Bridge" }, 103 { 0, NULL } 104 }; 105 106 static const struct tok bridged_values[] = { 107 { PID_RFC2684_ETH_FCS, "Ethernet + FCS" }, 108 { PID_RFC2684_ETH_NOFCS, "Ethernet w/o FCS" }, 109 { PID_RFC2684_802_4_FCS, "802.4 + FCS" }, 110 { PID_RFC2684_802_4_NOFCS, "802.4 w/o FCS" }, 111 { PID_RFC2684_802_5_FCS, "Token Ring + FCS" }, 112 { PID_RFC2684_802_5_NOFCS, "Token Ring w/o FCS" }, 113 { PID_RFC2684_FDDI_FCS, "FDDI + FCS" }, 114 { PID_RFC2684_FDDI_NOFCS, "FDDI w/o FCS" }, 115 { PID_RFC2684_802_6_FCS, "802.6 + FCS" }, 116 { PID_RFC2684_802_6_NOFCS, "802.6 w/o FCS" }, 117 { PID_RFC2684_BPDU, "BPDU" }, 118 { 0, NULL }, 119 }; 120 121 static const struct tok null_values[] = { 122 { 0, NULL } 123 }; 124 125 struct oui_tok { 126 uint32_t oui; 127 const struct tok *tok; 128 }; 129 130 static const struct oui_tok oui_to_tok[] = { 131 { OUI_ENCAP_ETHER, ethertype_values }, 132 { OUI_CISCO_90, ethertype_values }, /* uses some Ethertype values */ 133 { OUI_APPLETALK, ethertype_values }, /* uses some Ethertype values */ 134 { OUI_CISCO, cisco_values }, 135 { OUI_RFC2684, bridged_values }, /* bridged, RFC 2427 FR or RFC 2864 ATM */ 136 { 0, NULL } 137 }; 138 139 /* 140 * If we printed information about the payload, returns the length of the LLC 141 * header, plus the length of any SNAP header following it. 142 * 143 * Otherwise (for example, if the packet has unknown SAPs or has a SNAP 144 * header with an unknown OUI/PID combination), returns the *negative* 145 * of that value. 146 */ 147 int 148 llc_print(netdissect_options *ndo, const u_char *p, u_int length, u_int caplen, 149 const struct lladdr_info *src, const struct lladdr_info *dst) 150 { 151 uint8_t dsap_field, dsap, ssap_field, ssap; 152 uint16_t control; 153 int hdrlen; 154 int is_u; 155 156 ndo->ndo_protocol = "llc"; 157 if (caplen < 3) { 158 nd_print_trunc(ndo); 159 ND_DEFAULTPRINT((const u_char *)p, caplen); 160 return (caplen); 161 } 162 if (length < 3) { 163 nd_print_trunc(ndo); 164 ND_DEFAULTPRINT((const u_char *)p, caplen); 165 return (length); 166 } 167 168 dsap_field = GET_U_1(p); 169 ssap_field = GET_U_1(p + 1); 170 171 /* 172 * OK, what type of LLC frame is this? The length 173 * of the control field depends on that - I frames 174 * have a two-byte control field, and U frames have 175 * a one-byte control field. 176 */ 177 control = GET_U_1(p + 2); 178 if ((control & LLC_U_FMT) == LLC_U_FMT) { 179 /* 180 * U frame. 181 */ 182 is_u = 1; 183 hdrlen = 3; /* DSAP, SSAP, 1-byte control field */ 184 } else { 185 /* 186 * The control field in I and S frames is 187 * 2 bytes... 188 */ 189 if (caplen < 4) { 190 nd_print_trunc(ndo); 191 ND_DEFAULTPRINT((const u_char *)p, caplen); 192 return (caplen); 193 } 194 if (length < 4) { 195 nd_print_trunc(ndo); 196 ND_DEFAULTPRINT((const u_char *)p, caplen); 197 return (length); 198 } 199 200 /* 201 * ...and is little-endian. 202 */ 203 control = GET_LE_U_2(p + 2); 204 is_u = 0; 205 hdrlen = 4; /* DSAP, SSAP, 2-byte control field */ 206 } 207 208 if (ssap_field == LLCSAP_GLOBAL && dsap_field == LLCSAP_GLOBAL) { 209 /* 210 * This is an Ethernet_802.3 IPX frame; it has an 211 * 802.3 header (i.e., an Ethernet header where the 212 * type/length field is <= MAX_ETHERNET_LENGTH_VAL, 213 * i.e. it's a length field, not a type field), but 214 * has no 802.2 header - the IPX packet starts right 215 * after the Ethernet header, with a signature of two 216 * bytes of 0xFF (which is LLCSAP_GLOBAL). 217 * 218 * (It might also have been an Ethernet_802.3 IPX at 219 * one time, but got bridged onto another network, 220 * such as an 802.11 network; this has appeared in at 221 * least one capture file.) 222 */ 223 224 if (ndo->ndo_eflag) 225 ND_PRINT("IPX 802.3: "); 226 227 ipx_print(ndo, p, length); 228 return (0); /* no LLC header */ 229 } 230 231 dsap = dsap_field & ~LLC_IG; 232 ssap = ssap_field & ~LLC_GSAP; 233 234 if (ndo->ndo_eflag) { 235 ND_PRINT("LLC, dsap %s (0x%02x) %s, ssap %s (0x%02x) %s", 236 tok2str(llc_values, "Unknown", dsap), 237 dsap, 238 tok2str(llc_ig_flag_values, "Unknown", dsap_field & LLC_IG), 239 tok2str(llc_values, "Unknown", ssap), 240 ssap, 241 tok2str(llc_flag_values, "Unknown", ssap_field & LLC_GSAP)); 242 243 if (is_u) { 244 ND_PRINT(", ctrl 0x%02x: ", control); 245 } else { 246 ND_PRINT(", ctrl 0x%04x: ", control); 247 } 248 } 249 250 /* 251 * Skip LLC header. 252 */ 253 p += hdrlen; 254 length -= hdrlen; 255 caplen -= hdrlen; 256 257 if (ssap == LLCSAP_SNAP && dsap == LLCSAP_SNAP 258 && control == LLC_UI) { 259 /* 260 * XXX - what *is* the right bridge pad value here? 261 * Does anybody ever bridge one form of LAN traffic 262 * over a networking type that uses 802.2 LLC? 263 */ 264 if (!snap_print(ndo, p, length, caplen, src, dst, 2)) { 265 /* 266 * Unknown packet type; tell our caller, by 267 * returning a negative value, so they 268 * can print the raw packet. 269 */ 270 return (-(hdrlen + 5)); /* include LLC and SNAP header */ 271 } else 272 return (hdrlen + 5); /* include LLC and SNAP header */ 273 } 274 275 if (ssap == LLCSAP_8021D && dsap == LLCSAP_8021D && 276 control == LLC_UI) { 277 stp_print(ndo, p, length); 278 return (hdrlen); 279 } 280 281 if (ssap == LLCSAP_IP && dsap == LLCSAP_IP && 282 control == LLC_UI) { 283 /* 284 * This is an RFC 948-style IP packet, with 285 * an 802.3 header and an 802.2 LLC header 286 * with the source and destination SAPs being 287 * the IP SAP. 288 */ 289 ip_print(ndo, p, length); 290 return (hdrlen); 291 } 292 293 if (ssap == LLCSAP_IPX && dsap == LLCSAP_IPX && 294 control == LLC_UI) { 295 /* 296 * This is an Ethernet_802.2 IPX frame, with an 802.3 297 * header and an 802.2 LLC header with the source and 298 * destination SAPs being the IPX SAP. 299 */ 300 if (ndo->ndo_eflag) 301 ND_PRINT("IPX 802.2: "); 302 303 ipx_print(ndo, p, length); 304 return (hdrlen); 305 } 306 307 #ifdef ENABLE_SMB 308 if (ssap == LLCSAP_NETBEUI && dsap == LLCSAP_NETBEUI 309 && (!(control & LLC_S_FMT) || control == LLC_U_FMT)) { 310 /* 311 * we don't actually have a full netbeui parser yet, but the 312 * smb parser can handle many smb-in-netbeui packets, which 313 * is very useful, so we call that 314 * 315 * We don't call it for S frames, however, just I frames 316 * (which are frames that don't have the low-order bit, 317 * LLC_S_FMT, set in the first byte of the control field) 318 * and UI frames (whose control field is just 3, LLC_U_FMT). 319 */ 320 netbeui_print(ndo, control, p, length); 321 return (hdrlen); 322 } 323 #endif 324 if (ssap == LLCSAP_ISONS && dsap == LLCSAP_ISONS 325 && control == LLC_UI) { 326 isoclns_print(ndo, p, length); 327 return (hdrlen); 328 } 329 330 if (!ndo->ndo_eflag) { 331 if (ssap == dsap) { 332 if (src == NULL || dst == NULL) 333 ND_PRINT("%s ", tok2str(llc_values, "Unknown DSAP 0x%02x", dsap)); 334 else 335 ND_PRINT("%s > %s %s ", 336 (src->addr_string)(ndo, src->addr), 337 (dst->addr_string)(ndo, dst->addr), 338 tok2str(llc_values, "Unknown DSAP 0x%02x", dsap)); 339 } else { 340 if (src == NULL || dst == NULL) 341 ND_PRINT("%s > %s ", 342 tok2str(llc_values, "Unknown SSAP 0x%02x", ssap), 343 tok2str(llc_values, "Unknown DSAP 0x%02x", dsap)); 344 else 345 ND_PRINT("%s %s > %s %s ", 346 (src->addr_string)(ndo, src->addr), 347 tok2str(llc_values, "Unknown SSAP 0x%02x", ssap), 348 (dst->addr_string)(ndo, dst->addr), 349 tok2str(llc_values, "Unknown DSAP 0x%02x", dsap)); 350 } 351 } 352 353 if (is_u) { 354 ND_PRINT("Unnumbered, %s, Flags [%s], length %u", 355 tok2str(llc_cmd_values, "%02x", LLC_U_CMD(control)), 356 tok2str(llc_flag_values,"?",(ssap_field & LLC_GSAP) | (control & LLC_U_POLL)), 357 length + hdrlen); 358 359 if ((control & ~LLC_U_POLL) == LLC_XID) { 360 if (length == 0) { 361 /* 362 * XID with no payload. 363 * This could, for example, be an SNA 364 * "short form" XID. 365 */ 366 return (hdrlen); 367 } 368 if (caplen < 1) { 369 nd_print_trunc(ndo); 370 if (caplen > 0) 371 ND_DEFAULTPRINT((const u_char *)p, caplen); 372 return (hdrlen); 373 } 374 if (GET_U_1(p) == LLC_XID_FI) { 375 if (caplen < 3 || length < 3) { 376 nd_print_trunc(ndo); 377 if (caplen > 0) 378 ND_DEFAULTPRINT((const u_char *)p, caplen); 379 } else 380 ND_PRINT(": %02x %02x", 381 GET_U_1(p + 1), 382 GET_U_1(p + 2)); 383 return (hdrlen); 384 } 385 } 386 } else { 387 if ((control & LLC_S_FMT) == LLC_S_FMT) { 388 ND_PRINT("Supervisory, %s, rcv seq %u, Flags [%s], length %u", 389 tok2str(llc_supervisory_values,"?",LLC_S_CMD(control)), 390 LLC_IS_NR(control), 391 tok2str(llc_flag_values,"?",(ssap_field & LLC_GSAP) | (control & LLC_IS_POLL)), 392 length + hdrlen); 393 return (hdrlen); /* no payload to print */ 394 } else { 395 ND_PRINT("Information, send seq %u, rcv seq %u, Flags [%s], length %u", 396 LLC_I_NS(control), 397 LLC_IS_NR(control), 398 tok2str(llc_flag_values,"?",(ssap_field & LLC_GSAP) | (control & LLC_IS_POLL)), 399 length + hdrlen); 400 } 401 } 402 return (-hdrlen); 403 } 404 405 static const struct tok * 406 oui_to_struct_tok(uint32_t orgcode) 407 { 408 const struct tok *tok = null_values; 409 const struct oui_tok *otp; 410 411 for (otp = &oui_to_tok[0]; otp->tok != NULL; otp++) { 412 if (otp->oui == orgcode) { 413 tok = otp->tok; 414 break; 415 } 416 } 417 return (tok); 418 } 419 420 int 421 snap_print(netdissect_options *ndo, const u_char *p, u_int length, u_int caplen, 422 const struct lladdr_info *src, const struct lladdr_info *dst, 423 u_int bridge_pad) 424 { 425 uint32_t orgcode; 426 u_short et; 427 int ret; 428 429 ndo->ndo_protocol = "snap"; 430 ND_TCHECK_5(p); 431 if (caplen < 5 || length < 5) 432 goto trunc; 433 orgcode = GET_BE_U_3(p); 434 et = GET_BE_U_2(p + 3); 435 436 if (ndo->ndo_eflag) { 437 /* 438 * Somebody's already printed the MAC addresses, if there 439 * are any, so just print the SNAP header, not the MAC 440 * addresses. 441 */ 442 ND_PRINT("oui %s (0x%06x), %s %s (0x%04x), length %u: ", 443 tok2str(oui_values, "Unknown", orgcode), 444 orgcode, 445 (orgcode == 0x000000 ? "ethertype" : "pid"), 446 tok2str(oui_to_struct_tok(orgcode), "Unknown", et), 447 et, length - 5); 448 } 449 p += 5; 450 length -= 5; 451 caplen -= 5; 452 453 switch (orgcode) { 454 case OUI_ENCAP_ETHER: 455 case OUI_CISCO_90: 456 /* 457 * This is an encapsulated Ethernet packet, 458 * or a packet bridged by some piece of 459 * Cisco hardware; the protocol ID is 460 * an Ethernet protocol type. 461 */ 462 ret = ethertype_print(ndo, et, p, length, caplen, src, dst); 463 if (ret) 464 return (ret); 465 break; 466 467 case OUI_APPLETALK: 468 if (et == ETHERTYPE_ATALK) { 469 /* 470 * No, I have no idea why Apple used one 471 * of their own OUIs, rather than 472 * 0x000000, and an Ethernet packet 473 * type, for Appletalk data packets, 474 * but used 0x000000 and an Ethernet 475 * packet type for AARP packets. 476 */ 477 ret = ethertype_print(ndo, et, p, length, caplen, src, dst); 478 if (ret) 479 return (ret); 480 } 481 break; 482 483 case OUI_CISCO: 484 switch (et) { 485 case PID_CISCO_CDP: 486 cdp_print(ndo, p, length); 487 return (1); 488 case PID_CISCO_DTP: 489 dtp_print(ndo, p, length); 490 return (1); 491 case PID_CISCO_UDLD: 492 udld_print(ndo, p, length); 493 return (1); 494 case PID_CISCO_VTP: 495 vtp_print(ndo, p, length); 496 return (1); 497 case PID_CISCO_PVST: 498 case PID_CISCO_VLANBRIDGE: 499 stp_print(ndo, p, length); 500 return (1); 501 default: 502 break; 503 } 504 break; 505 506 case OUI_RFC2684: 507 switch (et) { 508 509 case PID_RFC2684_ETH_FCS: 510 case PID_RFC2684_ETH_NOFCS: 511 /* 512 * XXX - remove the last two bytes for 513 * PID_RFC2684_ETH_FCS? 514 */ 515 /* 516 * Skip the padding. 517 */ 518 ND_TCHECK_LEN(p, bridge_pad); 519 caplen -= bridge_pad; 520 length -= bridge_pad; 521 p += bridge_pad; 522 523 /* 524 * What remains is an Ethernet packet. 525 */ 526 ether_print(ndo, p, length, caplen, NULL, NULL); 527 return (1); 528 529 case PID_RFC2684_802_5_FCS: 530 case PID_RFC2684_802_5_NOFCS: 531 /* 532 * XXX - remove the last two bytes for 533 * PID_RFC2684_ETH_FCS? 534 */ 535 /* 536 * Skip the padding, but not the Access 537 * Control field. 538 */ 539 ND_TCHECK_LEN(p, bridge_pad); 540 caplen -= bridge_pad; 541 length -= bridge_pad; 542 p += bridge_pad; 543 544 /* 545 * What remains is an 802.5 Token Ring 546 * packet. 547 */ 548 token_print(ndo, p, length, caplen); 549 return (1); 550 551 case PID_RFC2684_FDDI_FCS: 552 case PID_RFC2684_FDDI_NOFCS: 553 /* 554 * XXX - remove the last two bytes for 555 * PID_RFC2684_ETH_FCS? 556 */ 557 /* 558 * Skip the padding. 559 */ 560 ND_TCHECK_LEN(p, bridge_pad + 1); 561 caplen -= bridge_pad + 1; 562 length -= bridge_pad + 1; 563 p += bridge_pad + 1; 564 565 /* 566 * What remains is an FDDI packet. 567 */ 568 fddi_print(ndo, p, length, caplen); 569 return (1); 570 571 case PID_RFC2684_BPDU: 572 stp_print(ndo, p, length); 573 return (1); 574 } 575 } 576 if (!ndo->ndo_eflag) { 577 /* 578 * Nobody printed the link-layer addresses, so print them, if 579 * we have any. 580 */ 581 if (src != NULL && dst != NULL) { 582 ND_PRINT("%s > %s ", 583 (src->addr_string)(ndo, src->addr), 584 (dst->addr_string)(ndo, dst->addr)); 585 } 586 /* 587 * Print the SNAP header, but if the OUI is 000000, don't 588 * bother printing it, and report the PID as being an 589 * ethertype. 590 */ 591 if (orgcode == 0x000000) { 592 ND_PRINT("SNAP, ethertype %s (0x%04x), length %u: ", 593 tok2str(ethertype_values, "Unknown", et), 594 et, length); 595 } else { 596 ND_PRINT("SNAP, oui %s (0x%06x), pid %s (0x%04x), length %u: ", 597 tok2str(oui_values, "Unknown", orgcode), 598 orgcode, 599 tok2str(oui_to_struct_tok(orgcode), "Unknown", et), 600 et, length); 601 } 602 } 603 return (0); 604 605 trunc: 606 nd_print_trunc(ndo); 607 return (1); 608 } 609