1*b636d99dSDavid van Moolenbroek /*
2*b636d99dSDavid van Moolenbroek * Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997
3*b636d99dSDavid van Moolenbroek * The Regents of the University of California. All rights reserved.
4*b636d99dSDavid van Moolenbroek *
5*b636d99dSDavid van Moolenbroek * Redistribution and use in source and binary forms, with or without
6*b636d99dSDavid van Moolenbroek * modification, are permitted provided that: (1) source code distributions
7*b636d99dSDavid van Moolenbroek * retain the above copyright notice and this paragraph in its entirety, (2)
8*b636d99dSDavid van Moolenbroek * distributions including binary code include the above copyright notice and
9*b636d99dSDavid van Moolenbroek * this paragraph in its entirety in the documentation or other materials
10*b636d99dSDavid van Moolenbroek * provided with the distribution, and (3) all advertising materials mentioning
11*b636d99dSDavid van Moolenbroek * features or use of this software display the following acknowledgement:
12*b636d99dSDavid van Moolenbroek * ``This product includes software developed by the University of California,
13*b636d99dSDavid van Moolenbroek * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
14*b636d99dSDavid van Moolenbroek * the University nor the names of its contributors may be used to endorse
15*b636d99dSDavid van Moolenbroek * or promote products derived from this software without specific prior
16*b636d99dSDavid van Moolenbroek * written permission.
17*b636d99dSDavid van Moolenbroek * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
18*b636d99dSDavid van Moolenbroek * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
19*b636d99dSDavid van Moolenbroek * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
20*b636d99dSDavid van Moolenbroek */
21*b636d99dSDavid van Moolenbroek
22*b636d99dSDavid van Moolenbroek #include <sys/cdefs.h>
23*b636d99dSDavid van Moolenbroek #ifndef lint
24*b636d99dSDavid van Moolenbroek __RCSID("$NetBSD: print-sll.c,v 1.6 2015/03/31 21:59:35 christos Exp $");
25*b636d99dSDavid van Moolenbroek #endif
26*b636d99dSDavid van Moolenbroek
27*b636d99dSDavid van Moolenbroek #define NETDISSECT_REWORKED
28*b636d99dSDavid van Moolenbroek #ifdef HAVE_CONFIG_H
29*b636d99dSDavid van Moolenbroek #include "config.h"
30*b636d99dSDavid van Moolenbroek #endif
31*b636d99dSDavid van Moolenbroek
32*b636d99dSDavid van Moolenbroek #include <tcpdump-stdinc.h>
33*b636d99dSDavid van Moolenbroek
34*b636d99dSDavid van Moolenbroek #include "interface.h"
35*b636d99dSDavid van Moolenbroek #include "addrtoname.h"
36*b636d99dSDavid van Moolenbroek #include "ethertype.h"
37*b636d99dSDavid van Moolenbroek #include "extract.h"
38*b636d99dSDavid van Moolenbroek
39*b636d99dSDavid van Moolenbroek #include "ether.h"
40*b636d99dSDavid van Moolenbroek
41*b636d99dSDavid van Moolenbroek /*
42*b636d99dSDavid van Moolenbroek * For captures on Linux cooked sockets, we construct a fake header
43*b636d99dSDavid van Moolenbroek * that includes:
44*b636d99dSDavid van Moolenbroek *
45*b636d99dSDavid van Moolenbroek * a 2-byte "packet type" which is one of:
46*b636d99dSDavid van Moolenbroek *
47*b636d99dSDavid van Moolenbroek * LINUX_SLL_HOST packet was sent to us
48*b636d99dSDavid van Moolenbroek * LINUX_SLL_BROADCAST packet was broadcast
49*b636d99dSDavid van Moolenbroek * LINUX_SLL_MULTICAST packet was multicast
50*b636d99dSDavid van Moolenbroek * LINUX_SLL_OTHERHOST packet was sent to somebody else
51*b636d99dSDavid van Moolenbroek * LINUX_SLL_OUTGOING packet was sent *by* us;
52*b636d99dSDavid van Moolenbroek *
53*b636d99dSDavid van Moolenbroek * a 2-byte Ethernet protocol field;
54*b636d99dSDavid van Moolenbroek *
55*b636d99dSDavid van Moolenbroek * a 2-byte link-layer type;
56*b636d99dSDavid van Moolenbroek *
57*b636d99dSDavid van Moolenbroek * a 2-byte link-layer address length;
58*b636d99dSDavid van Moolenbroek *
59*b636d99dSDavid van Moolenbroek * an 8-byte source link-layer address, whose actual length is
60*b636d99dSDavid van Moolenbroek * specified by the previous value.
61*b636d99dSDavid van Moolenbroek *
62*b636d99dSDavid van Moolenbroek * All fields except for the link-layer address are in network byte order.
63*b636d99dSDavid van Moolenbroek *
64*b636d99dSDavid van Moolenbroek * DO NOT change the layout of this structure, or change any of the
65*b636d99dSDavid van Moolenbroek * LINUX_SLL_ values below. If you must change the link-layer header
66*b636d99dSDavid van Moolenbroek * for a "cooked" Linux capture, introduce a new DLT_ type (ask
67*b636d99dSDavid van Moolenbroek * "tcpdump-workers@lists.tcpdump.org" for one, so that you don't give it
68*b636d99dSDavid van Moolenbroek * a value that collides with a value already being used), and use the
69*b636d99dSDavid van Moolenbroek * new header in captures of that type, so that programs that can
70*b636d99dSDavid van Moolenbroek * handle DLT_LINUX_SLL captures will continue to handle them correctly
71*b636d99dSDavid van Moolenbroek * without any change, and so that capture files with different headers
72*b636d99dSDavid van Moolenbroek * can be told apart and programs that read them can dissect the
73*b636d99dSDavid van Moolenbroek * packets in them.
74*b636d99dSDavid van Moolenbroek *
75*b636d99dSDavid van Moolenbroek * This structure, and the #defines below, must be the same in the
76*b636d99dSDavid van Moolenbroek * libpcap and tcpdump versions of "sll.h".
77*b636d99dSDavid van Moolenbroek */
78*b636d99dSDavid van Moolenbroek
79*b636d99dSDavid van Moolenbroek /*
80*b636d99dSDavid van Moolenbroek * A DLT_LINUX_SLL fake link-layer header.
81*b636d99dSDavid van Moolenbroek */
82*b636d99dSDavid van Moolenbroek #define SLL_HDR_LEN 16 /* total header length */
83*b636d99dSDavid van Moolenbroek #define SLL_ADDRLEN 8 /* length of address field */
84*b636d99dSDavid van Moolenbroek
85*b636d99dSDavid van Moolenbroek struct sll_header {
86*b636d99dSDavid van Moolenbroek uint16_t sll_pkttype; /* packet type */
87*b636d99dSDavid van Moolenbroek uint16_t sll_hatype; /* link-layer address type */
88*b636d99dSDavid van Moolenbroek uint16_t sll_halen; /* link-layer address length */
89*b636d99dSDavid van Moolenbroek uint8_t sll_addr[SLL_ADDRLEN]; /* link-layer address */
90*b636d99dSDavid van Moolenbroek uint16_t sll_protocol; /* protocol */
91*b636d99dSDavid van Moolenbroek };
92*b636d99dSDavid van Moolenbroek
93*b636d99dSDavid van Moolenbroek /*
94*b636d99dSDavid van Moolenbroek * The LINUX_SLL_ values for "sll_pkttype"; these correspond to the
95*b636d99dSDavid van Moolenbroek * PACKET_ values on Linux, but are defined here so that they're
96*b636d99dSDavid van Moolenbroek * available even on systems other than Linux, and so that they
97*b636d99dSDavid van Moolenbroek * don't change even if the PACKET_ values change.
98*b636d99dSDavid van Moolenbroek */
99*b636d99dSDavid van Moolenbroek #define LINUX_SLL_HOST 0
100*b636d99dSDavid van Moolenbroek #define LINUX_SLL_BROADCAST 1
101*b636d99dSDavid van Moolenbroek #define LINUX_SLL_MULTICAST 2
102*b636d99dSDavid van Moolenbroek #define LINUX_SLL_OTHERHOST 3
103*b636d99dSDavid van Moolenbroek #define LINUX_SLL_OUTGOING 4
104*b636d99dSDavid van Moolenbroek
105*b636d99dSDavid van Moolenbroek /*
106*b636d99dSDavid van Moolenbroek * The LINUX_SLL_ values for "sll_protocol"; these correspond to the
107*b636d99dSDavid van Moolenbroek * ETH_P_ values on Linux, but are defined here so that they're
108*b636d99dSDavid van Moolenbroek * available even on systems other than Linux. We assume, for now,
109*b636d99dSDavid van Moolenbroek * that the ETH_P_ values won't change in Linux; if they do, then:
110*b636d99dSDavid van Moolenbroek *
111*b636d99dSDavid van Moolenbroek * if we don't translate them in "pcap-linux.c", capture files
112*b636d99dSDavid van Moolenbroek * won't necessarily be readable if captured on a system that
113*b636d99dSDavid van Moolenbroek * defines ETH_P_ values that don't match these values;
114*b636d99dSDavid van Moolenbroek *
115*b636d99dSDavid van Moolenbroek * if we do translate them in "pcap-linux.c", that makes life
116*b636d99dSDavid van Moolenbroek * unpleasant for the BPF code generator, as the values you test
117*b636d99dSDavid van Moolenbroek * for in the kernel aren't the values that you test for when
118*b636d99dSDavid van Moolenbroek * reading a capture file, so the fixup code run on BPF programs
119*b636d99dSDavid van Moolenbroek * handed to the kernel ends up having to do more work.
120*b636d99dSDavid van Moolenbroek *
121*b636d99dSDavid van Moolenbroek * Add other values here as necessary, for handling packet types that
122*b636d99dSDavid van Moolenbroek * might show up on non-Ethernet, non-802.x networks. (Not all the ones
123*b636d99dSDavid van Moolenbroek * in the Linux "if_ether.h" will, I suspect, actually show up in
124*b636d99dSDavid van Moolenbroek * captures.)
125*b636d99dSDavid van Moolenbroek */
126*b636d99dSDavid van Moolenbroek #define LINUX_SLL_P_802_3 0x0001 /* Novell 802.3 frames without 802.2 LLC header */
127*b636d99dSDavid van Moolenbroek #define LINUX_SLL_P_802_2 0x0004 /* 802.2 frames (not D/I/X Ethernet) */
128*b636d99dSDavid van Moolenbroek
129*b636d99dSDavid van Moolenbroek static const struct tok sll_pkttype_values[] = {
130*b636d99dSDavid van Moolenbroek { LINUX_SLL_HOST, "In" },
131*b636d99dSDavid van Moolenbroek { LINUX_SLL_BROADCAST, "B" },
132*b636d99dSDavid van Moolenbroek { LINUX_SLL_MULTICAST, "M" },
133*b636d99dSDavid van Moolenbroek { LINUX_SLL_OTHERHOST, "P" },
134*b636d99dSDavid van Moolenbroek { LINUX_SLL_OUTGOING, "Out" },
135*b636d99dSDavid van Moolenbroek { 0, NULL}
136*b636d99dSDavid van Moolenbroek };
137*b636d99dSDavid van Moolenbroek
138*b636d99dSDavid van Moolenbroek static inline void
sll_print(netdissect_options * ndo,register const struct sll_header * sllp,u_int length)139*b636d99dSDavid van Moolenbroek sll_print(netdissect_options *ndo, register const struct sll_header *sllp, u_int length)
140*b636d99dSDavid van Moolenbroek {
141*b636d99dSDavid van Moolenbroek u_short ether_type;
142*b636d99dSDavid van Moolenbroek
143*b636d99dSDavid van Moolenbroek ND_PRINT((ndo, "%3s ",tok2str(sll_pkttype_values,"?",EXTRACT_16BITS(&sllp->sll_pkttype))));
144*b636d99dSDavid van Moolenbroek
145*b636d99dSDavid van Moolenbroek /*
146*b636d99dSDavid van Moolenbroek * XXX - check the link-layer address type value?
147*b636d99dSDavid van Moolenbroek * For now, we just assume 6 means Ethernet.
148*b636d99dSDavid van Moolenbroek * XXX - print others as strings of hex?
149*b636d99dSDavid van Moolenbroek */
150*b636d99dSDavid van Moolenbroek if (EXTRACT_16BITS(&sllp->sll_halen) == 6)
151*b636d99dSDavid van Moolenbroek ND_PRINT((ndo, "%s ", etheraddr_string(ndo, sllp->sll_addr)));
152*b636d99dSDavid van Moolenbroek
153*b636d99dSDavid van Moolenbroek if (!ndo->ndo_qflag) {
154*b636d99dSDavid van Moolenbroek ether_type = EXTRACT_16BITS(&sllp->sll_protocol);
155*b636d99dSDavid van Moolenbroek
156*b636d99dSDavid van Moolenbroek if (ether_type <= ETHERMTU) {
157*b636d99dSDavid van Moolenbroek /*
158*b636d99dSDavid van Moolenbroek * Not an Ethernet type; what type is it?
159*b636d99dSDavid van Moolenbroek */
160*b636d99dSDavid van Moolenbroek switch (ether_type) {
161*b636d99dSDavid van Moolenbroek
162*b636d99dSDavid van Moolenbroek case LINUX_SLL_P_802_3:
163*b636d99dSDavid van Moolenbroek /*
164*b636d99dSDavid van Moolenbroek * Ethernet_802.3 IPX frame.
165*b636d99dSDavid van Moolenbroek */
166*b636d99dSDavid van Moolenbroek ND_PRINT((ndo, "802.3"));
167*b636d99dSDavid van Moolenbroek break;
168*b636d99dSDavid van Moolenbroek
169*b636d99dSDavid van Moolenbroek case LINUX_SLL_P_802_2:
170*b636d99dSDavid van Moolenbroek /*
171*b636d99dSDavid van Moolenbroek * 802.2.
172*b636d99dSDavid van Moolenbroek */
173*b636d99dSDavid van Moolenbroek ND_PRINT((ndo, "802.2"));
174*b636d99dSDavid van Moolenbroek break;
175*b636d99dSDavid van Moolenbroek
176*b636d99dSDavid van Moolenbroek default:
177*b636d99dSDavid van Moolenbroek /*
178*b636d99dSDavid van Moolenbroek * What is it?
179*b636d99dSDavid van Moolenbroek */
180*b636d99dSDavid van Moolenbroek ND_PRINT((ndo, "ethertype Unknown (0x%04x)",
181*b636d99dSDavid van Moolenbroek ether_type));
182*b636d99dSDavid van Moolenbroek break;
183*b636d99dSDavid van Moolenbroek }
184*b636d99dSDavid van Moolenbroek } else {
185*b636d99dSDavid van Moolenbroek ND_PRINT((ndo, "ethertype %s (0x%04x)",
186*b636d99dSDavid van Moolenbroek tok2str(ethertype_values, "Unknown", ether_type),
187*b636d99dSDavid van Moolenbroek ether_type));
188*b636d99dSDavid van Moolenbroek }
189*b636d99dSDavid van Moolenbroek ND_PRINT((ndo, ", length %u: ", length));
190*b636d99dSDavid van Moolenbroek }
191*b636d99dSDavid van Moolenbroek }
192*b636d99dSDavid van Moolenbroek
193*b636d99dSDavid van Moolenbroek /*
194*b636d99dSDavid van Moolenbroek * This is the top level routine of the printer. 'p' points to the
195*b636d99dSDavid van Moolenbroek * Linux "cooked capture" header of the packet, 'h->ts' is the timestamp,
196*b636d99dSDavid van Moolenbroek * 'h->len' is the length of the packet off the wire, and 'h->caplen'
197*b636d99dSDavid van Moolenbroek * is the number of bytes actually captured.
198*b636d99dSDavid van Moolenbroek */
199*b636d99dSDavid van Moolenbroek u_int
sll_if_print(netdissect_options * ndo,const struct pcap_pkthdr * h,const u_char * p)200*b636d99dSDavid van Moolenbroek sll_if_print(netdissect_options *ndo, const struct pcap_pkthdr *h, const u_char *p)
201*b636d99dSDavid van Moolenbroek {
202*b636d99dSDavid van Moolenbroek u_int caplen = h->caplen;
203*b636d99dSDavid van Moolenbroek u_int length = h->len;
204*b636d99dSDavid van Moolenbroek register const struct sll_header *sllp;
205*b636d99dSDavid van Moolenbroek u_short ether_type;
206*b636d99dSDavid van Moolenbroek u_short extracted_ethertype;
207*b636d99dSDavid van Moolenbroek
208*b636d99dSDavid van Moolenbroek if (caplen < SLL_HDR_LEN) {
209*b636d99dSDavid van Moolenbroek /*
210*b636d99dSDavid van Moolenbroek * XXX - this "can't happen" because "pcap-linux.c" always
211*b636d99dSDavid van Moolenbroek * adds this many bytes of header to every packet in a
212*b636d99dSDavid van Moolenbroek * cooked socket capture.
213*b636d99dSDavid van Moolenbroek */
214*b636d99dSDavid van Moolenbroek ND_PRINT((ndo, "[|sll]"));
215*b636d99dSDavid van Moolenbroek return (caplen);
216*b636d99dSDavid van Moolenbroek }
217*b636d99dSDavid van Moolenbroek
218*b636d99dSDavid van Moolenbroek sllp = (const struct sll_header *)p;
219*b636d99dSDavid van Moolenbroek
220*b636d99dSDavid van Moolenbroek if (ndo->ndo_eflag)
221*b636d99dSDavid van Moolenbroek sll_print(ndo, sllp, length);
222*b636d99dSDavid van Moolenbroek
223*b636d99dSDavid van Moolenbroek /*
224*b636d99dSDavid van Moolenbroek * Go past the cooked-mode header.
225*b636d99dSDavid van Moolenbroek */
226*b636d99dSDavid van Moolenbroek length -= SLL_HDR_LEN;
227*b636d99dSDavid van Moolenbroek caplen -= SLL_HDR_LEN;
228*b636d99dSDavid van Moolenbroek p += SLL_HDR_LEN;
229*b636d99dSDavid van Moolenbroek
230*b636d99dSDavid van Moolenbroek ether_type = EXTRACT_16BITS(&sllp->sll_protocol);
231*b636d99dSDavid van Moolenbroek
232*b636d99dSDavid van Moolenbroek recurse:
233*b636d99dSDavid van Moolenbroek /*
234*b636d99dSDavid van Moolenbroek * Is it (gag) an 802.3 encapsulation, or some non-Ethernet
235*b636d99dSDavid van Moolenbroek * packet type?
236*b636d99dSDavid van Moolenbroek */
237*b636d99dSDavid van Moolenbroek if (ether_type <= ETHERMTU) {
238*b636d99dSDavid van Moolenbroek /*
239*b636d99dSDavid van Moolenbroek * Yes - what type is it?
240*b636d99dSDavid van Moolenbroek */
241*b636d99dSDavid van Moolenbroek switch (ether_type) {
242*b636d99dSDavid van Moolenbroek
243*b636d99dSDavid van Moolenbroek case LINUX_SLL_P_802_3:
244*b636d99dSDavid van Moolenbroek /*
245*b636d99dSDavid van Moolenbroek * Ethernet_802.3 IPX frame.
246*b636d99dSDavid van Moolenbroek */
247*b636d99dSDavid van Moolenbroek ipx_print(ndo, p, length);
248*b636d99dSDavid van Moolenbroek break;
249*b636d99dSDavid van Moolenbroek
250*b636d99dSDavid van Moolenbroek case LINUX_SLL_P_802_2:
251*b636d99dSDavid van Moolenbroek /*
252*b636d99dSDavid van Moolenbroek * 802.2.
253*b636d99dSDavid van Moolenbroek * Try to print the LLC-layer header & higher layers.
254*b636d99dSDavid van Moolenbroek */
255*b636d99dSDavid van Moolenbroek if (llc_print(ndo, p, length, caplen, NULL, NULL,
256*b636d99dSDavid van Moolenbroek &extracted_ethertype) == 0)
257*b636d99dSDavid van Moolenbroek goto unknown; /* unknown LLC type */
258*b636d99dSDavid van Moolenbroek break;
259*b636d99dSDavid van Moolenbroek
260*b636d99dSDavid van Moolenbroek default:
261*b636d99dSDavid van Moolenbroek extracted_ethertype = 0;
262*b636d99dSDavid van Moolenbroek /*FALLTHROUGH*/
263*b636d99dSDavid van Moolenbroek
264*b636d99dSDavid van Moolenbroek unknown:
265*b636d99dSDavid van Moolenbroek /* ether_type not known, print raw packet */
266*b636d99dSDavid van Moolenbroek if (!ndo->ndo_eflag)
267*b636d99dSDavid van Moolenbroek sll_print(ndo, sllp, length + SLL_HDR_LEN);
268*b636d99dSDavid van Moolenbroek if (extracted_ethertype) {
269*b636d99dSDavid van Moolenbroek ND_PRINT((ndo, "(LLC %s) ",
270*b636d99dSDavid van Moolenbroek etherproto_string(htons(extracted_ethertype))));
271*b636d99dSDavid van Moolenbroek }
272*b636d99dSDavid van Moolenbroek if (!ndo->ndo_suppress_default_print)
273*b636d99dSDavid van Moolenbroek ND_DEFAULTPRINT(p, caplen);
274*b636d99dSDavid van Moolenbroek break;
275*b636d99dSDavid van Moolenbroek }
276*b636d99dSDavid van Moolenbroek } else if (ether_type == ETHERTYPE_8021Q) {
277*b636d99dSDavid van Moolenbroek /*
278*b636d99dSDavid van Moolenbroek * Print VLAN information, and then go back and process
279*b636d99dSDavid van Moolenbroek * the enclosed type field.
280*b636d99dSDavid van Moolenbroek */
281*b636d99dSDavid van Moolenbroek if (caplen < 4 || length < 4) {
282*b636d99dSDavid van Moolenbroek ND_PRINT((ndo, "[|vlan]"));
283*b636d99dSDavid van Moolenbroek return (SLL_HDR_LEN);
284*b636d99dSDavid van Moolenbroek }
285*b636d99dSDavid van Moolenbroek if (ndo->ndo_eflag) {
286*b636d99dSDavid van Moolenbroek uint16_t tag = EXTRACT_16BITS(p);
287*b636d99dSDavid van Moolenbroek
288*b636d99dSDavid van Moolenbroek ND_PRINT((ndo, "%s, ", ieee8021q_tci_string(tag)));
289*b636d99dSDavid van Moolenbroek }
290*b636d99dSDavid van Moolenbroek
291*b636d99dSDavid van Moolenbroek ether_type = EXTRACT_16BITS(p + 2);
292*b636d99dSDavid van Moolenbroek if (ether_type <= ETHERMTU)
293*b636d99dSDavid van Moolenbroek ether_type = LINUX_SLL_P_802_2;
294*b636d99dSDavid van Moolenbroek if (!ndo->ndo_qflag) {
295*b636d99dSDavid van Moolenbroek ND_PRINT((ndo, "ethertype %s, ",
296*b636d99dSDavid van Moolenbroek tok2str(ethertype_values, "Unknown", ether_type)));
297*b636d99dSDavid van Moolenbroek }
298*b636d99dSDavid van Moolenbroek p += 4;
299*b636d99dSDavid van Moolenbroek length -= 4;
300*b636d99dSDavid van Moolenbroek caplen -= 4;
301*b636d99dSDavid van Moolenbroek goto recurse;
302*b636d99dSDavid van Moolenbroek } else {
303*b636d99dSDavid van Moolenbroek if (ethertype_print(ndo, ether_type, p, length, caplen) == 0) {
304*b636d99dSDavid van Moolenbroek /* ether_type not known, print raw packet */
305*b636d99dSDavid van Moolenbroek if (!ndo->ndo_eflag)
306*b636d99dSDavid van Moolenbroek sll_print(ndo, sllp, length + SLL_HDR_LEN);
307*b636d99dSDavid van Moolenbroek if (!ndo->ndo_suppress_default_print)
308*b636d99dSDavid van Moolenbroek ND_DEFAULTPRINT(p, caplen);
309*b636d99dSDavid van Moolenbroek }
310*b636d99dSDavid van Moolenbroek }
311*b636d99dSDavid van Moolenbroek
312*b636d99dSDavid van Moolenbroek return (SLL_HDR_LEN);
313*b636d99dSDavid van Moolenbroek }
314