1 /*
2 * Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997
3 * The Regents of the University of California. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that: (1) source code distributions
7 * retain the above copyright notice and this paragraph in its entirety, (2)
8 * distributions including binary code include the above copyright notice and
9 * this paragraph in its entirety in the documentation or other materials
10 * provided with the distribution, and (3) all advertising materials mentioning
11 * features or use of this software display the following acknowledgement:
12 * ``This product includes software developed by the University of California,
13 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
14 * the University nor the names of its contributors may be used to endorse
15 * or promote products derived from this software without specific prior
16 * written permission.
17 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
18 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
19 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
20 */
21
22 /* \summary: Linux cooked sockets capture printer */
23
24 #include <config.h>
25
26 #ifdef HAVE_NET_IF_H
27 /*
28 * Include diag-control.h before <net/if.h>, which too defines a macro
29 * named ND_UNREACHABLE.
30 */
31 #include "diag-control.h"
32 #include <net/if.h>
33 #endif
34
35 #include "netdissect-stdinc.h"
36
37 #define ND_LONGJMP_FROM_TCHECK
38 #include "netdissect.h"
39 #include "addrtoname.h"
40 #include "ethertype.h"
41 #include "extract.h"
42
43 /*
44 * For captures on Linux cooked sockets, we construct a fake header
45 * that includes:
46 *
47 * a 2-byte "packet type" which is one of:
48 *
49 * LINUX_SLL_HOST packet was sent to us
50 * LINUX_SLL_BROADCAST packet was broadcast
51 * LINUX_SLL_MULTICAST packet was multicast
52 * LINUX_SLL_OTHERHOST packet was sent to somebody else
53 * LINUX_SLL_OUTGOING packet was sent *by* us;
54 *
55 * a 2-byte Ethernet protocol field;
56 *
57 * a 2-byte link-layer type;
58 *
59 * a 2-byte link-layer address length;
60 *
61 * an 8-byte source link-layer address, whose actual length is
62 * specified by the previous value.
63 *
64 * All fields except for the link-layer address are in network byte order.
65 *
66 * DO NOT change the layout of this structure, or change any of the
67 * LINUX_SLL_ values below. If you must change the link-layer header
68 * for a "cooked" Linux capture, introduce a new DLT_ type (ask
69 * "tcpdump-workers@lists.tcpdump.org" for one, so that you don't give it
70 * a value that collides with a value already being used), and use the
71 * new header in captures of that type, so that programs that can
72 * handle DLT_LINUX_SLL captures will continue to handle them correctly
73 * without any change, and so that capture files with different headers
74 * can be told apart and programs that read them can dissect the
75 * packets in them.
76 *
77 * This structure, and the #defines below, must be the same in the
78 * libpcap and tcpdump versions of "sll.h".
79 */
80
81 /*
82 * A DLT_LINUX_SLL fake link-layer header.
83 */
84 #define SLL_HDR_LEN 16 /* total header length */
85 #define SLL_ADDRLEN 8 /* length of address field */
86
87 struct sll_header {
88 nd_uint16_t sll_pkttype; /* packet type */
89 nd_uint16_t sll_hatype; /* link-layer address type */
90 nd_uint16_t sll_halen; /* link-layer address length */
91 nd_byte sll_addr[SLL_ADDRLEN]; /* link-layer address */
92 nd_uint16_t sll_protocol; /* protocol */
93 };
94
95 /*
96 * A DLT_LINUX_SLL2 fake link-layer header.
97 */
98 #define SLL2_HDR_LEN 20 /* total header length */
99
100 struct sll2_header {
101 nd_uint16_t sll2_protocol; /* protocol */
102 nd_uint16_t sll2_reserved_mbz; /* reserved - must be zero */
103 nd_uint32_t sll2_if_index; /* 1-based interface index */
104 nd_uint16_t sll2_hatype; /* link-layer address type */
105 nd_uint8_t sll2_pkttype; /* packet type */
106 nd_uint8_t sll2_halen; /* link-layer address length */
107 nd_byte sll2_addr[SLL_ADDRLEN]; /* link-layer address */
108 };
109
110 /*
111 * The LINUX_SLL_ values for "sll_pkttype"; these correspond to the
112 * PACKET_ values on Linux, but are defined here so that they're
113 * available even on systems other than Linux, and so that they
114 * don't change even if the PACKET_ values change.
115 */
116 #define LINUX_SLL_HOST 0
117 #define LINUX_SLL_BROADCAST 1
118 #define LINUX_SLL_MULTICAST 2
119 #define LINUX_SLL_OTHERHOST 3
120 #define LINUX_SLL_OUTGOING 4
121
122 /*
123 * The LINUX_SLL_ values for "sll_protocol"; these correspond to the
124 * ETH_P_ values on Linux, but are defined here so that they're
125 * available even on systems other than Linux. We assume, for now,
126 * that the ETH_P_ values won't change in Linux; if they do, then:
127 *
128 * if we don't translate them in "pcap-linux.c", capture files
129 * won't necessarily be readable if captured on a system that
130 * defines ETH_P_ values that don't match these values;
131 *
132 * if we do translate them in "pcap-linux.c", that makes life
133 * unpleasant for the BPF code generator, as the values you test
134 * for in the kernel aren't the values that you test for when
135 * reading a capture file, so the fixup code run on BPF programs
136 * handed to the kernel ends up having to do more work.
137 *
138 * Add other values here as necessary, for handling packet types that
139 * might show up on non-Ethernet, non-802.x networks. (Not all the ones
140 * in the Linux "if_ether.h" will, I suspect, actually show up in
141 * captures.)
142 */
143 #define LINUX_SLL_P_802_3 0x0001 /* Novell 802.3 frames without 802.2 LLC header */
144 #define LINUX_SLL_P_802_2 0x0004 /* 802.2 frames (not D/I/X Ethernet) */
145
146 static const struct tok sll_pkttype_values[] = {
147 { LINUX_SLL_HOST, "In" },
148 { LINUX_SLL_BROADCAST, "B" },
149 { LINUX_SLL_MULTICAST, "M" },
150 { LINUX_SLL_OTHERHOST, "P" },
151 { LINUX_SLL_OUTGOING, "Out" },
152 { 0, NULL}
153 };
154
155 static void
sll_print(netdissect_options * ndo,const struct sll_header * sllp,u_int length)156 sll_print(netdissect_options *ndo, const struct sll_header *sllp, u_int length)
157 {
158 u_short ether_type;
159
160 ndo->ndo_protocol = "sll";
161 ND_PRINT("%3s ",
162 tok2str(sll_pkttype_values,"?",GET_BE_U_2(sllp->sll_pkttype)));
163
164 /*
165 * XXX - check the link-layer address type value?
166 * For now, we just assume 6 means Ethernet.
167 * XXX - print others as strings of hex?
168 */
169 if (GET_BE_U_2(sllp->sll_halen) == MAC_ADDR_LEN)
170 ND_PRINT("%s ", GET_ETHERADDR_STRING(sllp->sll_addr));
171
172 if (!ndo->ndo_qflag) {
173 ether_type = GET_BE_U_2(sllp->sll_protocol);
174
175 if (ether_type <= MAX_ETHERNET_LENGTH_VAL) {
176 /*
177 * Not an Ethernet type; what type is it?
178 */
179 switch (ether_type) {
180
181 case LINUX_SLL_P_802_3:
182 /*
183 * Ethernet_802.3 IPX frame.
184 */
185 ND_PRINT("802.3");
186 break;
187
188 case LINUX_SLL_P_802_2:
189 /*
190 * 802.2.
191 */
192 ND_PRINT("802.2");
193 break;
194
195 default:
196 /*
197 * What is it?
198 */
199 ND_PRINT("ethertype Unknown (0x%04x)",
200 ether_type);
201 break;
202 }
203 } else {
204 ND_PRINT("ethertype %s (0x%04x)",
205 tok2str(ethertype_values, "Unknown", ether_type),
206 ether_type);
207 }
208 ND_PRINT(", length %u: ", length);
209 }
210 }
211
212 /*
213 * This is the top level routine of the printer. 'p' points to the
214 * Linux "cooked capture" header of the packet, 'h->ts' is the timestamp,
215 * 'h->len' is the length of the packet off the wire, and 'h->caplen'
216 * is the number of bytes actually captured.
217 */
218 void
sll_if_print(netdissect_options * ndo,const struct pcap_pkthdr * h,const u_char * p)219 sll_if_print(netdissect_options *ndo, const struct pcap_pkthdr *h, const u_char *p)
220 {
221 u_int caplen = h->caplen;
222 u_int length = h->len;
223 const struct sll_header *sllp;
224 u_short hatype;
225 u_short ether_type;
226 int llc_hdrlen;
227 u_int hdrlen;
228
229 ndo->ndo_protocol = "sll";
230 ND_TCHECK_LEN(p, SLL_HDR_LEN);
231
232 sllp = (const struct sll_header *)p;
233
234 if (ndo->ndo_eflag)
235 sll_print(ndo, sllp, length);
236
237 /*
238 * Go past the cooked-mode header.
239 */
240 length -= SLL_HDR_LEN;
241 caplen -= SLL_HDR_LEN;
242 p += SLL_HDR_LEN;
243 hdrlen = SLL_HDR_LEN;
244
245 hatype = GET_BE_U_2(sllp->sll_hatype);
246 switch (hatype) {
247
248 case 803:
249 /*
250 * This is an packet with a radiotap header;
251 * just dissect the payload as such.
252 */
253 ndo->ndo_ll_hdr_len += SLL_HDR_LEN;
254 ndo->ndo_ll_hdr_len += ieee802_11_radio_print(ndo, p, length, caplen);
255 return;
256 }
257 ether_type = GET_BE_U_2(sllp->sll_protocol);
258
259 recurse:
260 /*
261 * Is it (gag) an 802.3 encapsulation, or some non-Ethernet
262 * packet type?
263 */
264 if (ether_type <= MAX_ETHERNET_LENGTH_VAL) {
265 /*
266 * Yes - what type is it?
267 */
268 switch (ether_type) {
269
270 case LINUX_SLL_P_802_3:
271 /*
272 * Ethernet_802.3 IPX frame.
273 */
274 ipx_print(ndo, p, length);
275 break;
276
277 case LINUX_SLL_P_802_2:
278 /*
279 * 802.2.
280 * Try to print the LLC-layer header & higher layers.
281 */
282 llc_hdrlen = llc_print(ndo, p, length, caplen, NULL, NULL);
283 if (llc_hdrlen < 0)
284 goto unknown; /* unknown LLC type */
285 hdrlen += llc_hdrlen;
286 break;
287
288 default:
289 /*FALLTHROUGH*/
290
291 unknown:
292 /* packet type not known, print raw packet */
293 if (!ndo->ndo_suppress_default_print)
294 ND_DEFAULTPRINT(p, caplen);
295 break;
296 }
297 } else if (ether_type == ETHERTYPE_8021Q) {
298 /*
299 * Print VLAN information, and then go back and process
300 * the enclosed type field.
301 */
302 if (caplen < 4) {
303 ndo->ndo_protocol = "vlan";
304 nd_print_trunc(ndo);
305 ndo->ndo_ll_hdr_len += hdrlen + caplen;
306 return;
307 }
308 if (ndo->ndo_eflag) {
309 uint16_t tag = GET_BE_U_2(p);
310
311 ND_PRINT("%s, ", ieee8021q_tci_string(tag));
312 }
313
314 ether_type = GET_BE_U_2(p + 2);
315 if (ether_type <= MAX_ETHERNET_LENGTH_VAL)
316 ether_type = LINUX_SLL_P_802_2;
317 if (!ndo->ndo_qflag) {
318 ND_PRINT("ethertype %s, ",
319 tok2str(ethertype_values, "Unknown", ether_type));
320 }
321 p += 4;
322 length -= 4;
323 caplen -= 4;
324 hdrlen += 4;
325 goto recurse;
326 } else {
327 if (ethertype_print(ndo, ether_type, p, length, caplen, NULL, NULL) == 0) {
328 /* ether_type not known, print raw packet */
329 if (!ndo->ndo_eflag)
330 sll_print(ndo, sllp, length + SLL_HDR_LEN);
331 if (!ndo->ndo_suppress_default_print)
332 ND_DEFAULTPRINT(p, caplen);
333 }
334 }
335
336 ndo->ndo_ll_hdr_len += hdrlen;
337 }
338
339 static void
sll2_print(netdissect_options * ndo,const struct sll2_header * sllp,u_int length)340 sll2_print(netdissect_options *ndo, const struct sll2_header *sllp, u_int length)
341 {
342 u_short ether_type;
343
344 ndo->ndo_protocol = "sll2";
345 ND_PRINT("ifindex %u ", GET_BE_U_4(sllp->sll2_if_index));
346
347 /*
348 * XXX - check the link-layer address type value?
349 * For now, we just assume 6 means Ethernet.
350 * XXX - print others as strings of hex?
351 */
352 if (GET_U_1(sllp->sll2_halen) == MAC_ADDR_LEN)
353 ND_PRINT("%s ", GET_ETHERADDR_STRING(sllp->sll2_addr));
354
355 if (!ndo->ndo_qflag) {
356 ether_type = GET_BE_U_2(sllp->sll2_protocol);
357
358 if (ether_type <= MAX_ETHERNET_LENGTH_VAL) {
359 /*
360 * Not an Ethernet type; what type is it?
361 */
362 switch (ether_type) {
363
364 case LINUX_SLL_P_802_3:
365 /*
366 * Ethernet_802.3 IPX frame.
367 */
368 ND_PRINT("802.3");
369 break;
370
371 case LINUX_SLL_P_802_2:
372 /*
373 * 802.2.
374 */
375 ND_PRINT("802.2");
376 break;
377
378 default:
379 /*
380 * What is it?
381 */
382 ND_PRINT("ethertype Unknown (0x%04x)",
383 ether_type);
384 break;
385 }
386 } else {
387 ND_PRINT("ethertype %s (0x%04x)",
388 tok2str(ethertype_values, "Unknown", ether_type),
389 ether_type);
390 }
391 ND_PRINT(", length %u: ", length);
392 }
393 }
394
395 /*
396 * This is the top level routine of the printer. 'p' points to the
397 * Linux "cooked capture" header of the packet, 'h->ts' is the timestamp,
398 * 'h->len' is the length of the packet off the wire, and 'h->caplen'
399 * is the number of bytes actually captured.
400 */
401 void
sll2_if_print(netdissect_options * ndo,const struct pcap_pkthdr * h,const u_char * p)402 sll2_if_print(netdissect_options *ndo, const struct pcap_pkthdr *h, const u_char *p)
403 {
404 u_int caplen = h->caplen;
405 u_int length = h->len;
406 const struct sll2_header *sllp;
407 u_short hatype;
408 u_short ether_type;
409 int llc_hdrlen;
410 u_int hdrlen;
411 #ifdef HAVE_NET_IF_H
412 uint32_t if_index;
413 char ifname[IF_NAMESIZE];
414 #endif
415
416 ndo->ndo_protocol = "sll2";
417 ND_TCHECK_LEN(p, SLL2_HDR_LEN);
418
419 sllp = (const struct sll2_header *)p;
420 #ifdef HAVE_NET_IF_H
421 if_index = GET_BE_U_4(sllp->sll2_if_index);
422 if (!if_indextoname(if_index, ifname))
423 strncpy(ifname, "?", 2);
424 ND_PRINT("%-5s ", ifname);
425 #endif
426
427 ND_PRINT("%-3s ",
428 tok2str(sll_pkttype_values, "?", GET_U_1(sllp->sll2_pkttype)));
429
430 if (ndo->ndo_eflag)
431 sll2_print(ndo, sllp, length);
432
433 /*
434 * Go past the cooked-mode header.
435 */
436 length -= SLL2_HDR_LEN;
437 caplen -= SLL2_HDR_LEN;
438 p += SLL2_HDR_LEN;
439 hdrlen = SLL2_HDR_LEN;
440
441 hatype = GET_BE_U_2(sllp->sll2_hatype);
442 switch (hatype) {
443
444 case 803:
445 /*
446 * This is an packet with a radiotap header;
447 * just dissect the payload as such.
448 */
449 ndo->ndo_ll_hdr_len += SLL2_HDR_LEN;
450 ndo->ndo_ll_hdr_len += ieee802_11_radio_print(ndo, p, length, caplen);
451 return;
452 }
453 ether_type = GET_BE_U_2(sllp->sll2_protocol);
454
455 recurse:
456 /*
457 * Is it (gag) an 802.3 encapsulation, or some non-Ethernet
458 * packet type?
459 */
460 if (ether_type <= MAX_ETHERNET_LENGTH_VAL) {
461 /*
462 * Yes - what type is it?
463 */
464 switch (ether_type) {
465
466 case LINUX_SLL_P_802_3:
467 /*
468 * Ethernet_802.3 IPX frame.
469 */
470 ipx_print(ndo, p, length);
471 break;
472
473 case LINUX_SLL_P_802_2:
474 /*
475 * 802.2.
476 * Try to print the LLC-layer header & higher layers.
477 */
478 llc_hdrlen = llc_print(ndo, p, length, caplen, NULL, NULL);
479 if (llc_hdrlen < 0)
480 goto unknown; /* unknown LLC type */
481 hdrlen += llc_hdrlen;
482 break;
483
484 default:
485 /*FALLTHROUGH*/
486
487 unknown:
488 /* packet type not known, print raw packet */
489 if (!ndo->ndo_suppress_default_print)
490 ND_DEFAULTPRINT(p, caplen);
491 break;
492 }
493 } else if (ether_type == ETHERTYPE_8021Q) {
494 /*
495 * Print VLAN information, and then go back and process
496 * the enclosed type field.
497 */
498 if (caplen < 4) {
499 ndo->ndo_protocol = "vlan";
500 nd_print_trunc(ndo);
501 ndo->ndo_ll_hdr_len += hdrlen + caplen;
502 return;
503 }
504 if (ndo->ndo_eflag) {
505 uint16_t tag = GET_BE_U_2(p);
506
507 ND_PRINT("%s, ", ieee8021q_tci_string(tag));
508 }
509
510 ether_type = GET_BE_U_2(p + 2);
511 if (ether_type <= MAX_ETHERNET_LENGTH_VAL)
512 ether_type = LINUX_SLL_P_802_2;
513 if (!ndo->ndo_qflag) {
514 ND_PRINT("ethertype %s, ",
515 tok2str(ethertype_values, "Unknown", ether_type));
516 }
517 p += 4;
518 length -= 4;
519 caplen -= 4;
520 hdrlen += 4;
521 goto recurse;
522 } else {
523 if (ethertype_print(ndo, ether_type, p, length, caplen, NULL, NULL) == 0) {
524 /* ether_type not known, print raw packet */
525 if (!ndo->ndo_eflag)
526 sll2_print(ndo, sllp, length + SLL2_HDR_LEN);
527 if (!ndo->ndo_suppress_default_print)
528 ND_DEFAULTPRINT(p, caplen);
529 }
530 }
531
532 ndo->ndo_ll_hdr_len += hdrlen;
533 }
534