1 /* 2 * Copyright (c) 1992, 1993, 1994, 1995, 1996, 1997 3 * The Regents of the University of California. All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that: (1) source code distributions 7 * retain the above copyright notice and this paragraph in its entirety, (2) 8 * distributions including binary code include the above copyright notice and 9 * this paragraph in its entirety in the documentation or other materials 10 * provided with the distribution, and (3) all advertising materials mentioning 11 * features or use of this software display the following acknowledgement: 12 * ``This product includes software developed by the University of California, 13 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of 14 * the University nor the names of its contributors may be used to endorse 15 * or promote products derived from this software without specific prior 16 * written permission. 17 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED 18 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF 19 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 20 * 21 * Code by Matt Thomas, Digital Equipment Corporation 22 * with an awful lot of hacking by Jeffrey Mogul, DECWRL 23 * 24 * $FreeBSD$ 25 */ 26 27 #ifndef lint 28 static const char rcsid[] _U_ = 29 "@(#) $Header: /tcpdump/master/tcpdump/print-llc.c,v 1.61.2.5 2005/09/29 07:40:13 hannes Exp $"; 30 #endif 31 32 #ifdef HAVE_CONFIG_H 33 #include "config.h" 34 #endif 35 36 #include <tcpdump-stdinc.h> 37 38 #include <stdio.h> 39 #include <string.h> 40 41 #include "interface.h" 42 #include "addrtoname.h" 43 #include "extract.h" /* must come after interface.h */ 44 45 #include "llc.h" 46 #include "ethertype.h" 47 #include "oui.h" 48 49 static struct tok llc_values[] = { 50 { LLCSAP_NULL, "Null" }, 51 { LLCSAP_GLOBAL, "Global" }, 52 { LLCSAP_8021B_I, "802.1B I" }, 53 { LLCSAP_8021B_G, "802.1B G" }, 54 { LLCSAP_IP, "IP" }, 55 { LLCSAP_SNA, "SNA" }, 56 { LLCSAP_PROWAYNM, "ProWay NM" }, 57 { LLCSAP_8021D, "STP" }, 58 { LLCSAP_RS511, "RS511" }, 59 { LLCSAP_ISO8208, "ISO8208" }, 60 { LLCSAP_PROWAY, "ProWay" }, 61 { LLCSAP_SNAP, "SNAP" }, 62 { LLCSAP_IPX, "IPX" }, 63 { LLCSAP_NETBEUI, "NetBeui" }, 64 { LLCSAP_ISONS, "OSI" }, 65 { 0, NULL }, 66 }; 67 68 static struct tok llc_cmd_values[] = { 69 { LLC_UI, "ui" }, 70 { LLC_TEST, "test" }, 71 { LLC_XID, "xid" }, 72 { LLC_UA, "ua" }, 73 { LLC_DISC, "disc" }, 74 { LLC_DM, "dm" }, 75 { LLC_SABME, "sabme" }, 76 { LLC_FRMR, "frmr" }, 77 { 0, NULL } 78 }; 79 80 static const struct tok llc_flag_values[] = { 81 { 0, "Command" }, 82 { LLC_GSAP, "Response" }, 83 { LLC_U_POLL, "Poll" }, 84 { LLC_GSAP|LLC_U_POLL, "Final" }, 85 { LLC_GSAP|LLC_IS_POLL, "Final" }, 86 { 0, NULL } 87 }; 88 89 static const struct tok llc_supervisory_values[] = { 90 { 0, "Receiver Ready" }, 91 { 1, "Reject" }, 92 { 2, "Receiver not Ready" }, 93 { 0, NULL } 94 }; 95 96 97 static const struct tok cisco_values[] = { 98 { PID_CISCO_CDP, "CDP" }, 99 { 0, NULL } 100 }; 101 102 static const struct tok bridged_values[] = { 103 { PID_RFC2684_ETH_FCS, "Ethernet + FCS" }, 104 { PID_RFC2684_ETH_NOFCS, "Ethernet w/o FCS" }, 105 { PID_RFC2684_802_4_FCS, "802.4 + FCS" }, 106 { PID_RFC2684_802_4_NOFCS, "802.4 w/o FCS" }, 107 { PID_RFC2684_802_5_FCS, "Token Ring + FCS" }, 108 { PID_RFC2684_802_5_NOFCS, "Token Ring w/o FCS" }, 109 { PID_RFC2684_FDDI_FCS, "FDDI + FCS" }, 110 { PID_RFC2684_FDDI_NOFCS, "FDDI w/o FCS" }, 111 { PID_RFC2684_802_6_FCS, "802.6 + FCS" }, 112 { PID_RFC2684_802_6_NOFCS, "802.6 w/o FCS" }, 113 { PID_RFC2684_BPDU, "BPDU" }, 114 { 0, NULL }, 115 }; 116 117 struct oui_tok { 118 u_int32_t oui; 119 const struct tok *tok; 120 }; 121 122 static const struct oui_tok oui_to_tok[] = { 123 { OUI_ENCAP_ETHER, ethertype_values }, 124 { OUI_CISCO_90, ethertype_values }, /* uses some Ethertype values */ 125 { OUI_APPLETALK, ethertype_values }, /* uses some Ethertype values */ 126 { OUI_CISCO, cisco_values }, 127 { OUI_RFC2684, bridged_values }, /* bridged, RFC 2427 FR or RFC 2864 ATM */ 128 { 0, NULL } 129 }; 130 131 /* 132 * Returns non-zero IFF it succeeds in printing the header 133 */ 134 int 135 llc_print(const u_char *p, u_int length, u_int caplen, 136 const u_char *esrc, const u_char *edst, u_short *extracted_ethertype) 137 { 138 u_int8_t dsap_field, dsap, ssap_field, ssap; 139 u_int16_t control; 140 int is_u; 141 register int ret; 142 143 if (caplen < 3) { 144 (void)printf("[|llc]"); 145 default_print((u_char *)p, caplen); 146 return(0); 147 } 148 149 dsap_field = *p; 150 dsap = dsap_field & ~LLC_IG; 151 ssap_field = *(p + 1); 152 ssap = ssap_field & ~LLC_GSAP; 153 154 /* 155 * OK, what type of LLC frame is this? The length 156 * of the control field depends on that - I frames 157 * have a two-byte control field, and U frames have 158 * a one-byte control field. 159 */ 160 control = *(p + 2); 161 if ((control & LLC_U_FMT) == LLC_U_FMT) { 162 /* 163 * U frame. 164 */ 165 is_u = 1; 166 } else { 167 /* 168 * The control field in I and S frames is 169 * 2 bytes... 170 */ 171 if (caplen < 4) { 172 (void)printf("[|llc]"); 173 default_print((u_char *)p, caplen); 174 return(0); 175 } 176 177 /* 178 * ...and is little-endian. 179 */ 180 control = EXTRACT_LE_16BITS(p + 2); 181 is_u = 0; 182 } 183 184 if (ssap == LLCSAP_GLOBAL && dsap == LLCSAP_GLOBAL) { 185 /* 186 * This is an Ethernet_802.3 IPX frame; it has an 187 * 802.3 header (i.e., an Ethernet header where the 188 * type/length field is <= ETHERMTU, i.e. it's a length 189 * field, not a type field), but has no 802.2 header - 190 * the IPX packet starts right after the Ethernet header, 191 * with a signature of two bytes of 0xFF (which is 192 * LLCSAP_GLOBAL). 193 * 194 * (It might also have been an Ethernet_802.3 IPX at 195 * one time, but got bridged onto another network, 196 * such as an 802.11 network; this has appeared in at 197 * least one capture file.) 198 */ 199 200 if (eflag) 201 printf("IPX 802.3: "); 202 203 ipx_print(p, length); 204 return (1); 205 } 206 207 if (eflag) { 208 printf("LLC, dsap %s (0x%02x), ssap %s (0x%02x)", 209 tok2str(llc_values, "Unknown", dsap), 210 dsap, 211 tok2str(llc_values, "Unknown", ssap), 212 ssap); 213 214 if (is_u) { 215 printf(", cmd 0x%02x: ", control); 216 } else { 217 printf(", cmd 0x%04x: ", control); 218 } 219 } 220 221 if (ssap == LLCSAP_8021D && dsap == LLCSAP_8021D && 222 control == LLC_UI) { 223 stp_print(p+3, length-3); 224 return (1); 225 } 226 227 if (ssap == LLCSAP_IP && dsap == LLCSAP_IP && 228 control == LLC_UI) { 229 ip_print(gndo, p+4, length-4); 230 return (1); 231 } 232 233 if (ssap == LLCSAP_IPX && dsap == LLCSAP_IPX && 234 control == LLC_UI) { 235 /* 236 * This is an Ethernet_802.2 IPX frame, with an 802.3 237 * header and an 802.2 LLC header with the source and 238 * destination SAPs being the IPX SAP. 239 * 240 * Skip DSAP, LSAP, and control field. 241 */ 242 if (eflag) 243 printf("IPX 802.2: "); 244 245 ipx_print(p+3, length-3); 246 return (1); 247 } 248 249 #ifdef TCPDUMP_DO_SMB 250 if (ssap == LLCSAP_NETBEUI && dsap == LLCSAP_NETBEUI 251 && (!(control & LLC_S_FMT) || control == LLC_U_FMT)) { 252 /* 253 * we don't actually have a full netbeui parser yet, but the 254 * smb parser can handle many smb-in-netbeui packets, which 255 * is very useful, so we call that 256 * 257 * We don't call it for S frames, however, just I frames 258 * (which are frames that don't have the low-order bit, 259 * LLC_S_FMT, set in the first byte of the control field) 260 * and UI frames (whose control field is just 3, LLC_U_FMT). 261 */ 262 263 /* 264 * Skip the LLC header. 265 */ 266 if (is_u) { 267 p += 3; 268 length -= 3; 269 caplen -= 3; 270 } else { 271 p += 4; 272 length -= 4; 273 caplen -= 4; 274 } 275 netbeui_print(control, p, length); 276 return (1); 277 } 278 #endif 279 if (ssap == LLCSAP_ISONS && dsap == LLCSAP_ISONS 280 && control == LLC_UI) { 281 isoclns_print(p + 3, length - 3, caplen - 3); 282 return (1); 283 } 284 285 if (ssap == LLCSAP_SNAP && dsap == LLCSAP_SNAP 286 && control == LLC_UI) { 287 /* 288 * XXX - what *is* the right bridge pad value here? 289 * Does anybody ever bridge one form of LAN traffic 290 * over a networking type that uses 802.2 LLC? 291 */ 292 ret = snap_print(p+3, length-3, caplen-3, extracted_ethertype, 293 2); 294 if (ret) 295 return (ret); 296 } 297 298 if (!eflag) { 299 if (ssap == dsap) { 300 if (esrc == NULL || edst == NULL) 301 (void)printf("%s ", tok2str(llc_values, "Unknown DSAP 0x%02x", dsap)); 302 else 303 (void)printf("%s > %s %s ", 304 etheraddr_string(esrc), 305 etheraddr_string(edst), 306 tok2str(llc_values, "Unknown DSAP 0x%02x", dsap)); 307 } else { 308 if (esrc == NULL || edst == NULL) 309 (void)printf("%s > %s ", 310 tok2str(llc_values, "Unknown SSAP 0x%02x", ssap), 311 tok2str(llc_values, "Unknown DSAP 0x%02x", dsap)); 312 else 313 (void)printf("%s %s > %s %s ", 314 etheraddr_string(esrc), 315 tok2str(llc_values, "Unknown SSAP 0x%02x", ssap), 316 etheraddr_string(edst), 317 tok2str(llc_values, "Unknown DSAP 0x%02x", dsap)); 318 } 319 } 320 321 if (is_u) { 322 printf("Unnumbered, %s, Flags [%s], length %u", 323 tok2str(llc_cmd_values, "%02x", LLC_U_CMD(control)), 324 bittok2str(llc_flag_values,"?",(ssap) | (control & LLC_U_POLL)), 325 length); 326 327 p += 3; 328 length -= 3; 329 caplen -= 3; 330 331 if ((control & ~LLC_U_POLL) == LLC_XID) { 332 if (*p == LLC_XID_FI) { 333 printf(": %02x %02x", p[1], p[2]); 334 p += 3; 335 length -= 3; 336 caplen -= 3; 337 } 338 } 339 } else { 340 341 if ((control & LLC_S_FMT) == LLC_S_FMT) { 342 (void)printf("Supervisory, %s, rcv seq %u, Flags [%s], length %u", 343 tok2str(llc_supervisory_values,"?",LLC_S_CMD(control)), 344 LLC_IS_NR(control), 345 bittok2str(llc_flag_values,"?",(ssap) | (control & LLC_IS_POLL)), 346 length); 347 } else { 348 (void)printf("Information, send seq %u, rcv seq %u, Flags [%s], length %u", 349 LLC_I_NS(control), 350 LLC_IS_NR(control), 351 bittok2str(llc_flag_values,"?",(ssap) | (control & LLC_IS_POLL)), 352 length); 353 } 354 p += 4; 355 length -= 4; 356 caplen -= 4; 357 } 358 return(1); 359 } 360 361 int 362 snap_print(const u_char *p, u_int length, u_int caplen, 363 u_short *extracted_ethertype, u_int bridge_pad) 364 { 365 u_int32_t orgcode; 366 register u_short et; 367 register int ret; 368 369 TCHECK2(*p, 5); 370 orgcode = EXTRACT_24BITS(p); 371 et = EXTRACT_16BITS(p + 3); 372 373 if (eflag) { 374 const struct tok *tok = NULL; 375 const struct oui_tok *otp; 376 377 for (otp = &oui_to_tok[0]; otp->tok != NULL; otp++) { 378 if (otp->oui == orgcode) { 379 tok = otp->tok; 380 break; 381 } 382 } 383 (void)printf("oui %s (0x%06x), %s %s (0x%04x): ", 384 tok2str(oui_values, "Unknown", orgcode), 385 orgcode, 386 (orgcode == 0x000000 ? "ethertype" : "pid"), 387 tok2str(tok, "Unknown", et), 388 et); 389 } 390 p += 5; 391 length -= 5; 392 caplen -= 5; 393 394 switch (orgcode) { 395 case OUI_ENCAP_ETHER: 396 case OUI_CISCO_90: 397 /* 398 * This is an encapsulated Ethernet packet, 399 * or a packet bridged by some piece of 400 * Cisco hardware; the protocol ID is 401 * an Ethernet protocol type. 402 */ 403 ret = ether_encap_print(et, p, length, caplen, 404 extracted_ethertype); 405 if (ret) 406 return (ret); 407 break; 408 409 case OUI_APPLETALK: 410 if (et == ETHERTYPE_ATALK) { 411 /* 412 * No, I have no idea why Apple used one 413 * of their own OUIs, rather than 414 * 0x000000, and an Ethernet packet 415 * type, for Appletalk data packets, 416 * but used 0x000000 and an Ethernet 417 * packet type for AARP packets. 418 */ 419 ret = ether_encap_print(et, p, length, caplen, 420 extracted_ethertype); 421 if (ret) 422 return (ret); 423 } 424 break; 425 426 case OUI_CISCO: 427 if (et == PID_CISCO_CDP) { 428 cdp_print(p, length, caplen); 429 return (1); 430 } 431 break; 432 433 case OUI_RFC2684: 434 switch (et) { 435 436 case PID_RFC2684_ETH_FCS: 437 case PID_RFC2684_ETH_NOFCS: 438 /* 439 * XXX - remove the last two bytes for 440 * PID_RFC2684_ETH_FCS? 441 */ 442 /* 443 * Skip the padding. 444 */ 445 TCHECK2(*p, bridge_pad); 446 caplen -= bridge_pad; 447 length -= bridge_pad; 448 p += bridge_pad; 449 450 /* 451 * What remains is an Ethernet packet. 452 */ 453 ether_print(p, length, caplen); 454 return (1); 455 456 case PID_RFC2684_802_5_FCS: 457 case PID_RFC2684_802_5_NOFCS: 458 /* 459 * XXX - remove the last two bytes for 460 * PID_RFC2684_ETH_FCS? 461 */ 462 /* 463 * Skip the padding, but not the Access 464 * Control field. 465 */ 466 TCHECK2(*p, bridge_pad); 467 caplen -= bridge_pad; 468 length -= bridge_pad; 469 p += bridge_pad; 470 471 /* 472 * What remains is an 802.5 Token Ring 473 * packet. 474 */ 475 token_print(p, length, caplen); 476 return (1); 477 478 case PID_RFC2684_FDDI_FCS: 479 case PID_RFC2684_FDDI_NOFCS: 480 /* 481 * XXX - remove the last two bytes for 482 * PID_RFC2684_ETH_FCS? 483 */ 484 /* 485 * Skip the padding. 486 */ 487 TCHECK2(*p, bridge_pad + 1); 488 caplen -= bridge_pad + 1; 489 length -= bridge_pad + 1; 490 p += bridge_pad + 1; 491 492 /* 493 * What remains is an FDDI packet. 494 */ 495 fddi_print(p, length, caplen); 496 return (1); 497 498 case PID_RFC2684_BPDU: 499 stp_print(p, length); 500 return (1); 501 } 502 } 503 return (0); 504 505 trunc: 506 (void)printf("[|snap]"); 507 return (1); 508 } 509 510 511 /* 512 * Local Variables: 513 * c-style: whitesmith 514 * c-basic-offset: 8 515 * End: 516 */ 517