1 /* 2 * Copyright (c) 1992, 1993, 1994, 1995, 1996, 1997 3 * The Regents of the University of California. All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that: (1) source code distributions 7 * retain the above copyright notice and this paragraph in its entirety, (2) 8 * distributions including binary code include the above copyright notice and 9 * this paragraph in its entirety in the documentation or other materials 10 * provided with the distribution, and (3) all advertising materials mentioning 11 * features or use of this software display the following acknowledgement: 12 * ``This product includes software developed by the University of California, 13 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of 14 * the University nor the names of its contributors may be used to endorse 15 * or promote products derived from this software without specific prior 16 * written permission. 17 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED 18 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF 19 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 20 * 21 * Code by Matt Thomas, Digital Equipment Corporation 22 * with an awful lot of hacking by Jeffrey Mogul, DECWRL 23 * 24 * $FreeBSD$ 25 */ 26 27 #define NETDISSECT_REWORKED 28 #ifdef HAVE_CONFIG_H 29 #include "config.h" 30 #endif 31 32 #include <tcpdump-stdinc.h> 33 34 #include "interface.h" 35 #include "addrtoname.h" 36 #include "extract.h" /* must come after interface.h */ 37 38 #include "llc.h" 39 #include "ethertype.h" 40 #include "oui.h" 41 42 static const struct tok llc_values[] = { 43 { LLCSAP_NULL, "Null" }, 44 { LLCSAP_GLOBAL, "Global" }, 45 { LLCSAP_8021B_I, "802.1B I" }, 46 { LLCSAP_8021B_G, "802.1B G" }, 47 { LLCSAP_IP, "IP" }, 48 { LLCSAP_SNA, "SNA" }, 49 { LLCSAP_PROWAYNM, "ProWay NM" }, 50 { LLCSAP_8021D, "STP" }, 51 { LLCSAP_RS511, "RS511" }, 52 { LLCSAP_ISO8208, "ISO8208" }, 53 { LLCSAP_PROWAY, "ProWay" }, 54 { LLCSAP_SNAP, "SNAP" }, 55 { LLCSAP_IPX, "IPX" }, 56 { LLCSAP_NETBEUI, "NetBeui" }, 57 { LLCSAP_ISONS, "OSI" }, 58 { 0, NULL }, 59 }; 60 61 static const struct tok llc_cmd_values[] = { 62 { LLC_UI, "ui" }, 63 { LLC_TEST, "test" }, 64 { LLC_XID, "xid" }, 65 { LLC_UA, "ua" }, 66 { LLC_DISC, "disc" }, 67 { LLC_DM, "dm" }, 68 { LLC_SABME, "sabme" }, 69 { LLC_FRMR, "frmr" }, 70 { 0, NULL } 71 }; 72 73 static const struct tok llc_flag_values[] = { 74 { 0, "Command" }, 75 { LLC_GSAP, "Response" }, 76 { LLC_U_POLL, "Poll" }, 77 { LLC_GSAP|LLC_U_POLL, "Final" }, 78 { LLC_IS_POLL, "Poll" }, 79 { LLC_GSAP|LLC_IS_POLL, "Final" }, 80 { 0, NULL } 81 }; 82 83 84 static const struct tok llc_ig_flag_values[] = { 85 { 0, "Individual" }, 86 { LLC_IG, "Group" }, 87 { 0, NULL } 88 }; 89 90 91 static const struct tok llc_supervisory_values[] = { 92 { 0, "Receiver Ready" }, 93 { 1, "Receiver not Ready" }, 94 { 2, "Reject" }, 95 { 0, NULL } 96 }; 97 98 99 static const struct tok cisco_values[] = { 100 { PID_CISCO_CDP, "CDP" }, 101 { PID_CISCO_VTP, "VTP" }, 102 { PID_CISCO_DTP, "DTP" }, 103 { PID_CISCO_UDLD, "UDLD" }, 104 { PID_CISCO_PVST, "PVST" }, 105 { PID_CISCO_VLANBRIDGE, "VLAN Bridge" }, 106 { 0, NULL } 107 }; 108 109 static const struct tok bridged_values[] = { 110 { PID_RFC2684_ETH_FCS, "Ethernet + FCS" }, 111 { PID_RFC2684_ETH_NOFCS, "Ethernet w/o FCS" }, 112 { PID_RFC2684_802_4_FCS, "802.4 + FCS" }, 113 { PID_RFC2684_802_4_NOFCS, "802.4 w/o FCS" }, 114 { PID_RFC2684_802_5_FCS, "Token Ring + FCS" }, 115 { PID_RFC2684_802_5_NOFCS, "Token Ring w/o FCS" }, 116 { PID_RFC2684_FDDI_FCS, "FDDI + FCS" }, 117 { PID_RFC2684_FDDI_NOFCS, "FDDI w/o FCS" }, 118 { PID_RFC2684_802_6_FCS, "802.6 + FCS" }, 119 { PID_RFC2684_802_6_NOFCS, "802.6 w/o FCS" }, 120 { PID_RFC2684_BPDU, "BPDU" }, 121 { 0, NULL }, 122 }; 123 124 static const struct tok null_values[] = { 125 { 0, NULL } 126 }; 127 128 struct oui_tok { 129 uint32_t oui; 130 const struct tok *tok; 131 }; 132 133 static const struct oui_tok oui_to_tok[] = { 134 { OUI_ENCAP_ETHER, ethertype_values }, 135 { OUI_CISCO_90, ethertype_values }, /* uses some Ethertype values */ 136 { OUI_APPLETALK, ethertype_values }, /* uses some Ethertype values */ 137 { OUI_CISCO, cisco_values }, 138 { OUI_RFC2684, bridged_values }, /* bridged, RFC 2427 FR or RFC 2864 ATM */ 139 { 0, NULL } 140 }; 141 142 /* 143 * Returns non-zero IFF it succeeds in printing the header 144 */ 145 int 146 llc_print(netdissect_options *ndo, const u_char *p, u_int length, u_int caplen, 147 const u_char *esrc, const u_char *edst, u_short *extracted_ethertype) 148 { 149 uint8_t dsap_field, dsap, ssap_field, ssap; 150 uint16_t control; 151 int is_u; 152 register int ret; 153 154 *extracted_ethertype = 0; 155 156 if (caplen < 3 || length < 3) { 157 ND_PRINT((ndo, "[|llc]")); 158 ND_DEFAULTPRINT((u_char *)p, caplen); 159 return (1); 160 } 161 162 dsap_field = *p; 163 ssap_field = *(p + 1); 164 165 /* 166 * OK, what type of LLC frame is this? The length 167 * of the control field depends on that - I frames 168 * have a two-byte control field, and U frames have 169 * a one-byte control field. 170 */ 171 control = *(p + 2); 172 if ((control & LLC_U_FMT) == LLC_U_FMT) { 173 /* 174 * U frame. 175 */ 176 is_u = 1; 177 } else { 178 /* 179 * The control field in I and S frames is 180 * 2 bytes... 181 */ 182 if (caplen < 4 || length < 4) { 183 ND_PRINT((ndo, "[|llc]")); 184 ND_DEFAULTPRINT((u_char *)p, caplen); 185 return (1); 186 } 187 188 /* 189 * ...and is little-endian. 190 */ 191 control = EXTRACT_LE_16BITS(p + 2); 192 is_u = 0; 193 } 194 195 if (ssap_field == LLCSAP_GLOBAL && dsap_field == LLCSAP_GLOBAL) { 196 /* 197 * This is an Ethernet_802.3 IPX frame; it has an 198 * 802.3 header (i.e., an Ethernet header where the 199 * type/length field is <= ETHERMTU, i.e. it's a length 200 * field, not a type field), but has no 802.2 header - 201 * the IPX packet starts right after the Ethernet header, 202 * with a signature of two bytes of 0xFF (which is 203 * LLCSAP_GLOBAL). 204 * 205 * (It might also have been an Ethernet_802.3 IPX at 206 * one time, but got bridged onto another network, 207 * such as an 802.11 network; this has appeared in at 208 * least one capture file.) 209 */ 210 211 if (ndo->ndo_eflag) 212 ND_PRINT((ndo, "IPX 802.3: ")); 213 214 ipx_print(ndo, p, length); 215 return (1); 216 } 217 218 dsap = dsap_field & ~LLC_IG; 219 ssap = ssap_field & ~LLC_GSAP; 220 221 if (ndo->ndo_eflag) { 222 ND_PRINT((ndo, "LLC, dsap %s (0x%02x) %s, ssap %s (0x%02x) %s", 223 tok2str(llc_values, "Unknown", dsap), 224 dsap, 225 tok2str(llc_ig_flag_values, "Unknown", dsap_field & LLC_IG), 226 tok2str(llc_values, "Unknown", ssap), 227 ssap, 228 tok2str(llc_flag_values, "Unknown", ssap_field & LLC_GSAP))); 229 230 if (is_u) { 231 ND_PRINT((ndo, ", ctrl 0x%02x: ", control)); 232 } else { 233 ND_PRINT((ndo, ", ctrl 0x%04x: ", control)); 234 } 235 } 236 237 if (ssap == LLCSAP_8021D && dsap == LLCSAP_8021D && 238 control == LLC_UI) { 239 stp_print(ndo, p+3, length-3); 240 return (1); 241 } 242 243 if (ssap == LLCSAP_IP && dsap == LLCSAP_IP && 244 control == LLC_UI) { 245 if (caplen < 4 || length < 4) { 246 ND_PRINT((ndo, "[|llc]")); 247 ND_DEFAULTPRINT((u_char *)p, caplen); 248 return (1); 249 } 250 ip_print(ndo, p+4, length-4); 251 return (1); 252 } 253 254 if (ssap == LLCSAP_IPX && dsap == LLCSAP_IPX && 255 control == LLC_UI) { 256 /* 257 * This is an Ethernet_802.2 IPX frame, with an 802.3 258 * header and an 802.2 LLC header with the source and 259 * destination SAPs being the IPX SAP. 260 * 261 * Skip DSAP, LSAP, and control field. 262 */ 263 if (ndo->ndo_eflag) 264 ND_PRINT((ndo, "IPX 802.2: ")); 265 266 ipx_print(ndo, p+3, length-3); 267 return (1); 268 } 269 270 #ifdef TCPDUMP_DO_SMB 271 if (ssap == LLCSAP_NETBEUI && dsap == LLCSAP_NETBEUI 272 && (!(control & LLC_S_FMT) || control == LLC_U_FMT)) { 273 /* 274 * we don't actually have a full netbeui parser yet, but the 275 * smb parser can handle many smb-in-netbeui packets, which 276 * is very useful, so we call that 277 * 278 * We don't call it for S frames, however, just I frames 279 * (which are frames that don't have the low-order bit, 280 * LLC_S_FMT, set in the first byte of the control field) 281 * and UI frames (whose control field is just 3, LLC_U_FMT). 282 */ 283 284 /* 285 * Skip the LLC header. 286 */ 287 if (is_u) { 288 p += 3; 289 length -= 3; 290 } else { 291 p += 4; 292 length -= 4; 293 } 294 netbeui_print(ndo, control, p, length); 295 return (1); 296 } 297 #endif 298 if (ssap == LLCSAP_ISONS && dsap == LLCSAP_ISONS 299 && control == LLC_UI) { 300 isoclns_print(ndo, p + 3, length - 3, caplen - 3); 301 return (1); 302 } 303 304 if (ssap == LLCSAP_SNAP && dsap == LLCSAP_SNAP 305 && control == LLC_UI) { 306 /* 307 * XXX - what *is* the right bridge pad value here? 308 * Does anybody ever bridge one form of LAN traffic 309 * over a networking type that uses 802.2 LLC? 310 */ 311 ret = snap_print(ndo, p+3, length-3, caplen-3, 2); 312 if (ret) 313 return (ret); 314 } 315 316 if (!ndo->ndo_eflag) { 317 if (ssap == dsap) { 318 if (esrc == NULL || edst == NULL) 319 ND_PRINT((ndo, "%s ", tok2str(llc_values, "Unknown DSAP 0x%02x", dsap))); 320 else 321 ND_PRINT((ndo, "%s > %s %s ", 322 etheraddr_string(ndo, esrc), 323 etheraddr_string(ndo, edst), 324 tok2str(llc_values, "Unknown DSAP 0x%02x", dsap))); 325 } else { 326 if (esrc == NULL || edst == NULL) 327 ND_PRINT((ndo, "%s > %s ", 328 tok2str(llc_values, "Unknown SSAP 0x%02x", ssap), 329 tok2str(llc_values, "Unknown DSAP 0x%02x", dsap))); 330 else 331 ND_PRINT((ndo, "%s %s > %s %s ", 332 etheraddr_string(ndo, esrc), 333 tok2str(llc_values, "Unknown SSAP 0x%02x", ssap), 334 etheraddr_string(ndo, edst), 335 tok2str(llc_values, "Unknown DSAP 0x%02x", dsap))); 336 } 337 } 338 339 if (is_u) { 340 ND_PRINT((ndo, "Unnumbered, %s, Flags [%s], length %u", 341 tok2str(llc_cmd_values, "%02x", LLC_U_CMD(control)), 342 tok2str(llc_flag_values,"?",(ssap_field & LLC_GSAP) | (control & LLC_U_POLL)), 343 length)); 344 345 p += 3; 346 347 if ((control & ~LLC_U_POLL) == LLC_XID) { 348 if (*p == LLC_XID_FI) { 349 ND_PRINT((ndo, ": %02x %02x", p[1], p[2])); 350 } 351 } 352 } else { 353 if ((control & LLC_S_FMT) == LLC_S_FMT) { 354 ND_PRINT((ndo, "Supervisory, %s, rcv seq %u, Flags [%s], length %u", 355 tok2str(llc_supervisory_values,"?",LLC_S_CMD(control)), 356 LLC_IS_NR(control), 357 tok2str(llc_flag_values,"?",(ssap_field & LLC_GSAP) | (control & LLC_IS_POLL)), 358 length)); 359 } else { 360 ND_PRINT((ndo, "Information, send seq %u, rcv seq %u, Flags [%s], length %u", 361 LLC_I_NS(control), 362 LLC_IS_NR(control), 363 tok2str(llc_flag_values,"?",(ssap_field & LLC_GSAP) | (control & LLC_IS_POLL)), 364 length)); 365 } 366 } 367 return(1); 368 } 369 370 int 371 snap_print(netdissect_options *ndo, const u_char *p, u_int length, u_int caplen, u_int bridge_pad) 372 { 373 uint32_t orgcode; 374 register u_short et; 375 register int ret; 376 377 ND_TCHECK2(*p, 5); 378 if (caplen < 5 || length < 5) 379 goto trunc; 380 orgcode = EXTRACT_24BITS(p); 381 et = EXTRACT_16BITS(p + 3); 382 383 if (ndo->ndo_eflag) { 384 const struct tok *tok = null_values; 385 const struct oui_tok *otp; 386 387 for (otp = &oui_to_tok[0]; otp->tok != NULL; otp++) { 388 if (otp->oui == orgcode) { 389 tok = otp->tok; 390 break; 391 } 392 } 393 ND_PRINT((ndo, "oui %s (0x%06x), %s %s (0x%04x): ", 394 tok2str(oui_values, "Unknown", orgcode), 395 orgcode, 396 (orgcode == 0x000000 ? "ethertype" : "pid"), 397 tok2str(tok, "Unknown", et), 398 et)); 399 } 400 p += 5; 401 length -= 5; 402 caplen -= 5; 403 404 switch (orgcode) { 405 case OUI_ENCAP_ETHER: 406 case OUI_CISCO_90: 407 /* 408 * This is an encapsulated Ethernet packet, 409 * or a packet bridged by some piece of 410 * Cisco hardware; the protocol ID is 411 * an Ethernet protocol type. 412 */ 413 ret = ethertype_print(ndo, et, p, length, caplen); 414 if (ret) 415 return (ret); 416 break; 417 418 case OUI_APPLETALK: 419 if (et == ETHERTYPE_ATALK) { 420 /* 421 * No, I have no idea why Apple used one 422 * of their own OUIs, rather than 423 * 0x000000, and an Ethernet packet 424 * type, for Appletalk data packets, 425 * but used 0x000000 and an Ethernet 426 * packet type for AARP packets. 427 */ 428 ret = ethertype_print(ndo, et, p, length, caplen); 429 if (ret) 430 return (ret); 431 } 432 break; 433 434 case OUI_CISCO: 435 switch (et) { 436 case PID_CISCO_CDP: 437 cdp_print(ndo, p, length, caplen); 438 return (1); 439 case PID_CISCO_DTP: 440 dtp_print(ndo, p, length); 441 return (1); 442 case PID_CISCO_UDLD: 443 udld_print(ndo, p, length); 444 return (1); 445 case PID_CISCO_VTP: 446 vtp_print(ndo, p, length); 447 return (1); 448 case PID_CISCO_PVST: 449 case PID_CISCO_VLANBRIDGE: 450 stp_print(ndo, p, length); 451 return (1); 452 default: 453 break; 454 } 455 break; 456 457 case OUI_RFC2684: 458 switch (et) { 459 460 case PID_RFC2684_ETH_FCS: 461 case PID_RFC2684_ETH_NOFCS: 462 /* 463 * XXX - remove the last two bytes for 464 * PID_RFC2684_ETH_FCS? 465 */ 466 /* 467 * Skip the padding. 468 */ 469 ND_TCHECK2(*p, bridge_pad); 470 caplen -= bridge_pad; 471 length -= bridge_pad; 472 p += bridge_pad; 473 474 /* 475 * What remains is an Ethernet packet. 476 */ 477 ether_print(ndo, p, length, caplen, NULL, NULL); 478 return (1); 479 480 case PID_RFC2684_802_5_FCS: 481 case PID_RFC2684_802_5_NOFCS: 482 /* 483 * XXX - remove the last two bytes for 484 * PID_RFC2684_ETH_FCS? 485 */ 486 /* 487 * Skip the padding, but not the Access 488 * Control field. 489 */ 490 ND_TCHECK2(*p, bridge_pad); 491 caplen -= bridge_pad; 492 length -= bridge_pad; 493 p += bridge_pad; 494 495 /* 496 * What remains is an 802.5 Token Ring 497 * packet. 498 */ 499 token_print(ndo, p, length, caplen); 500 return (1); 501 502 case PID_RFC2684_FDDI_FCS: 503 case PID_RFC2684_FDDI_NOFCS: 504 /* 505 * XXX - remove the last two bytes for 506 * PID_RFC2684_ETH_FCS? 507 */ 508 /* 509 * Skip the padding. 510 */ 511 ND_TCHECK2(*p, bridge_pad + 1); 512 caplen -= bridge_pad + 1; 513 length -= bridge_pad + 1; 514 p += bridge_pad + 1; 515 516 /* 517 * What remains is an FDDI packet. 518 */ 519 fddi_print(ndo, p, length, caplen); 520 return (1); 521 522 case PID_RFC2684_BPDU: 523 stp_print(ndo, p, length); 524 return (1); 525 } 526 } 527 return (0); 528 529 trunc: 530 ND_PRINT((ndo, "[|snap]")); 531 return (1); 532 } 533 534 535 /* 536 * Local Variables: 537 * c-style: whitesmith 538 * c-basic-offset: 8 539 * End: 540 */ 541