1 /* 2 * Copyright (c) 1992, 1993, 1994, 1995, 1996, 1997 3 * The Regents of the University of California. All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that: (1) source code distributions 7 * retain the above copyright notice and this paragraph in its entirety, (2) 8 * distributions including binary code include the above copyright notice and 9 * this paragraph in its entirety in the documentation or other materials 10 * provided with the distribution, and (3) all advertising materials mentioning 11 * features or use of this software display the following acknowledgement: 12 * ``This product includes software developed by the University of California, 13 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of 14 * the University nor the names of its contributors may be used to endorse 15 * or promote products derived from this software without specific prior 16 * written permission. 17 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED 18 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF 19 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 20 * 21 * Code by Matt Thomas, Digital Equipment Corporation 22 * with an awful lot of hacking by Jeffrey Mogul, DECWRL 23 */ 24 25 #include <sys/cdefs.h> 26 #ifndef lint 27 #if 0 28 static const char rcsid[] _U_ = 29 "@(#) Header: /tcpdump/master/tcpdump/print-llc.c,v 1.75 2007-04-13 09:43:11 hannes Exp "; 30 #else 31 __RCSID("$NetBSD: print-llc.c,v 1.4 2013/12/31 17:33:31 christos Exp $"); 32 #endif 33 #endif 34 35 #ifdef HAVE_CONFIG_H 36 #include "config.h" 37 #endif 38 39 #include <tcpdump-stdinc.h> 40 41 #include <stdio.h> 42 #include <string.h> 43 44 #include "interface.h" 45 #include "addrtoname.h" 46 #include "extract.h" /* must come after interface.h */ 47 48 #include "llc.h" 49 #include "ethertype.h" 50 #include "oui.h" 51 52 static const struct tok llc_values[] = { 53 { LLCSAP_NULL, "Null" }, 54 { LLCSAP_GLOBAL, "Global" }, 55 { LLCSAP_8021B_I, "802.1B I" }, 56 { LLCSAP_8021B_G, "802.1B G" }, 57 { LLCSAP_IP, "IP" }, 58 { LLCSAP_SNA, "SNA" }, 59 { LLCSAP_PROWAYNM, "ProWay NM" }, 60 { LLCSAP_8021D, "STP" }, 61 { LLCSAP_RS511, "RS511" }, 62 { LLCSAP_ISO8208, "ISO8208" }, 63 { LLCSAP_PROWAY, "ProWay" }, 64 { LLCSAP_SNAP, "SNAP" }, 65 { LLCSAP_IPX, "IPX" }, 66 { LLCSAP_NETBEUI, "NetBeui" }, 67 { LLCSAP_ISONS, "OSI" }, 68 { 0, NULL }, 69 }; 70 71 static const struct tok llc_cmd_values[] = { 72 { LLC_UI, "ui" }, 73 { LLC_TEST, "test" }, 74 { LLC_XID, "xid" }, 75 { LLC_UA, "ua" }, 76 { LLC_DISC, "disc" }, 77 { LLC_DM, "dm" }, 78 { LLC_SABME, "sabme" }, 79 { LLC_FRMR, "frmr" }, 80 { 0, NULL } 81 }; 82 83 static const struct tok llc_flag_values[] = { 84 { 0, "Command" }, 85 { LLC_GSAP, "Response" }, 86 { LLC_U_POLL, "Poll" }, 87 { LLC_GSAP|LLC_U_POLL, "Final" }, 88 { LLC_IS_POLL, "Poll" }, 89 { LLC_GSAP|LLC_IS_POLL, "Final" }, 90 { 0, NULL } 91 }; 92 93 94 static const struct tok llc_ig_flag_values[] = { 95 { 0, "Individual" }, 96 { LLC_IG, "Group" }, 97 { 0, NULL } 98 }; 99 100 101 static const struct tok llc_supervisory_values[] = { 102 { 0, "Receiver Ready" }, 103 { 1, "Receiver not Ready" }, 104 { 2, "Reject" }, 105 { 0, NULL } 106 }; 107 108 109 static const struct tok cisco_values[] = { 110 { PID_CISCO_CDP, "CDP" }, 111 { PID_CISCO_VTP, "VTP" }, 112 { PID_CISCO_DTP, "DTP" }, 113 { PID_CISCO_UDLD, "UDLD" }, 114 { PID_CISCO_PVST, "PVST" }, 115 { PID_CISCO_VLANBRIDGE, "VLAN Bridge" }, 116 { 0, NULL } 117 }; 118 119 static const struct tok bridged_values[] = { 120 { PID_RFC2684_ETH_FCS, "Ethernet + FCS" }, 121 { PID_RFC2684_ETH_NOFCS, "Ethernet w/o FCS" }, 122 { PID_RFC2684_802_4_FCS, "802.4 + FCS" }, 123 { PID_RFC2684_802_4_NOFCS, "802.4 w/o FCS" }, 124 { PID_RFC2684_802_5_FCS, "Token Ring + FCS" }, 125 { PID_RFC2684_802_5_NOFCS, "Token Ring w/o FCS" }, 126 { PID_RFC2684_FDDI_FCS, "FDDI + FCS" }, 127 { PID_RFC2684_FDDI_NOFCS, "FDDI w/o FCS" }, 128 { PID_RFC2684_802_6_FCS, "802.6 + FCS" }, 129 { PID_RFC2684_802_6_NOFCS, "802.6 w/o FCS" }, 130 { PID_RFC2684_BPDU, "BPDU" }, 131 { 0, NULL }, 132 }; 133 134 static const struct tok null_values[] = { 135 { 0, NULL } 136 }; 137 138 struct oui_tok { 139 u_int32_t oui; 140 const struct tok *tok; 141 }; 142 143 static const struct oui_tok oui_to_tok[] = { 144 { OUI_ENCAP_ETHER, ethertype_values }, 145 { OUI_CISCO_90, ethertype_values }, /* uses some Ethertype values */ 146 { OUI_APPLETALK, ethertype_values }, /* uses some Ethertype values */ 147 { OUI_CISCO, cisco_values }, 148 { OUI_RFC2684, bridged_values }, /* bridged, RFC 2427 FR or RFC 2864 ATM */ 149 { 0, NULL } 150 }; 151 152 /* 153 * Returns non-zero IFF it succeeds in printing the header 154 */ 155 int 156 llc_print(const u_char *p, u_int length, u_int caplen, 157 const u_char *esrc, const u_char *edst, u_short *extracted_ethertype) 158 { 159 u_int8_t dsap_field, dsap, ssap_field, ssap; 160 u_int16_t control; 161 int is_u; 162 register int ret; 163 164 *extracted_ethertype = 0; 165 166 if (caplen < 3) { 167 (void)printf("[|llc]"); 168 default_print((u_char *)p, caplen); 169 return(0); 170 } 171 172 dsap_field = *p; 173 ssap_field = *(p + 1); 174 175 /* 176 * OK, what type of LLC frame is this? The length 177 * of the control field depends on that - I frames 178 * have a two-byte control field, and U frames have 179 * a one-byte control field. 180 */ 181 control = *(p + 2); 182 if ((control & LLC_U_FMT) == LLC_U_FMT) { 183 /* 184 * U frame. 185 */ 186 is_u = 1; 187 } else { 188 /* 189 * The control field in I and S frames is 190 * 2 bytes... 191 */ 192 if (caplen < 4) { 193 (void)printf("[|llc]"); 194 default_print((u_char *)p, caplen); 195 return(0); 196 } 197 198 /* 199 * ...and is little-endian. 200 */ 201 control = EXTRACT_LE_16BITS(p + 2); 202 is_u = 0; 203 } 204 205 if (ssap_field == LLCSAP_GLOBAL && dsap_field == LLCSAP_GLOBAL) { 206 /* 207 * This is an Ethernet_802.3 IPX frame; it has an 208 * 802.3 header (i.e., an Ethernet header where the 209 * type/length field is <= ETHERMTU, i.e. it's a length 210 * field, not a type field), but has no 802.2 header - 211 * the IPX packet starts right after the Ethernet header, 212 * with a signature of two bytes of 0xFF (which is 213 * LLCSAP_GLOBAL). 214 * 215 * (It might also have been an Ethernet_802.3 IPX at 216 * one time, but got bridged onto another network, 217 * such as an 802.11 network; this has appeared in at 218 * least one capture file.) 219 */ 220 221 if (eflag) 222 printf("IPX 802.3: "); 223 224 ipx_print(p, length); 225 return (1); 226 } 227 228 dsap = dsap_field & ~LLC_IG; 229 ssap = ssap_field & ~LLC_GSAP; 230 231 if (eflag) { 232 printf("LLC, dsap %s (0x%02x) %s, ssap %s (0x%02x) %s", 233 tok2str(llc_values, "Unknown", dsap), 234 dsap, 235 tok2str(llc_ig_flag_values, "Unknown", dsap_field & LLC_IG), 236 tok2str(llc_values, "Unknown", ssap), 237 ssap, 238 tok2str(llc_flag_values, "Unknown", ssap_field & LLC_GSAP)); 239 240 if (is_u) { 241 printf(", ctrl 0x%02x: ", control); 242 } else { 243 printf(", ctrl 0x%04x: ", control); 244 } 245 } 246 247 if (ssap == LLCSAP_8021D && dsap == LLCSAP_8021D && 248 control == LLC_UI) { 249 stp_print(p+3, length-3); 250 return (1); 251 } 252 253 if (ssap == LLCSAP_IP && dsap == LLCSAP_IP && 254 control == LLC_UI) { 255 ip_print(gndo, p+4, length-4); 256 return (1); 257 } 258 259 if (ssap == LLCSAP_IPX && dsap == LLCSAP_IPX && 260 control == LLC_UI) { 261 /* 262 * This is an Ethernet_802.2 IPX frame, with an 802.3 263 * header and an 802.2 LLC header with the source and 264 * destination SAPs being the IPX SAP. 265 * 266 * Skip DSAP, LSAP, and control field. 267 */ 268 if (eflag) 269 printf("IPX 802.2: "); 270 271 ipx_print(p+3, length-3); 272 return (1); 273 } 274 275 #ifdef TCPDUMP_DO_SMB 276 if (ssap == LLCSAP_NETBEUI && dsap == LLCSAP_NETBEUI 277 && (!(control & LLC_S_FMT) || control == LLC_U_FMT)) { 278 /* 279 * we don't actually have a full netbeui parser yet, but the 280 * smb parser can handle many smb-in-netbeui packets, which 281 * is very useful, so we call that 282 * 283 * We don't call it for S frames, however, just I frames 284 * (which are frames that don't have the low-order bit, 285 * LLC_S_FMT, set in the first byte of the control field) 286 * and UI frames (whose control field is just 3, LLC_U_FMT). 287 */ 288 289 /* 290 * Skip the LLC header. 291 */ 292 if (is_u) { 293 p += 3; 294 length -= 3; 295 caplen -= 3; 296 } else { 297 p += 4; 298 length -= 4; 299 caplen -= 4; 300 } 301 netbeui_print(control, p, length); 302 return (1); 303 } 304 #endif 305 if (ssap == LLCSAP_ISONS && dsap == LLCSAP_ISONS 306 && control == LLC_UI) { 307 isoclns_print(p + 3, length - 3, caplen - 3); 308 return (1); 309 } 310 311 if (ssap == LLCSAP_SNAP && dsap == LLCSAP_SNAP 312 && control == LLC_UI) { 313 /* 314 * XXX - what *is* the right bridge pad value here? 315 * Does anybody ever bridge one form of LAN traffic 316 * over a networking type that uses 802.2 LLC? 317 */ 318 ret = snap_print(p+3, length-3, caplen-3, 2); 319 if (ret) 320 return (ret); 321 } 322 323 if (!eflag) { 324 if (ssap == dsap) { 325 if (esrc == NULL || edst == NULL) 326 (void)printf("%s ", tok2str(llc_values, "Unknown DSAP 0x%02x", dsap)); 327 else 328 (void)printf("%s > %s %s ", 329 etheraddr_string(esrc), 330 etheraddr_string(edst), 331 tok2str(llc_values, "Unknown DSAP 0x%02x", dsap)); 332 } else { 333 if (esrc == NULL || edst == NULL) 334 (void)printf("%s > %s ", 335 tok2str(llc_values, "Unknown SSAP 0x%02x", ssap), 336 tok2str(llc_values, "Unknown DSAP 0x%02x", dsap)); 337 else 338 (void)printf("%s %s > %s %s ", 339 etheraddr_string(esrc), 340 tok2str(llc_values, "Unknown SSAP 0x%02x", ssap), 341 etheraddr_string(edst), 342 tok2str(llc_values, "Unknown DSAP 0x%02x", dsap)); 343 } 344 } 345 346 if (is_u) { 347 printf("Unnumbered, %s, Flags [%s], length %u", 348 tok2str(llc_cmd_values, "%02x", LLC_U_CMD(control)), 349 tok2str(llc_flag_values,"?",(ssap_field & LLC_GSAP) | (control & LLC_U_POLL)), 350 length); 351 352 p += 3; 353 length -= 3; 354 caplen -= 3; 355 356 if ((control & ~LLC_U_POLL) == LLC_XID) { 357 if (*p == LLC_XID_FI) { 358 printf(": %02x %02x", p[1], p[2]); 359 p += 3; 360 length -= 3; 361 caplen -= 3; 362 } 363 } 364 } else { 365 if ((control & LLC_S_FMT) == LLC_S_FMT) { 366 (void)printf("Supervisory, %s, rcv seq %u, Flags [%s], length %u", 367 tok2str(llc_supervisory_values,"?",LLC_S_CMD(control)), 368 LLC_IS_NR(control), 369 tok2str(llc_flag_values,"?",(ssap_field & LLC_GSAP) | (control & LLC_IS_POLL)), 370 length); 371 } else { 372 (void)printf("Information, send seq %u, rcv seq %u, Flags [%s], length %u", 373 LLC_I_NS(control), 374 LLC_IS_NR(control), 375 tok2str(llc_flag_values,"?",(ssap_field & LLC_GSAP) | (control & LLC_IS_POLL)), 376 length); 377 } 378 p += 4; 379 length -= 4; 380 caplen -= 4; 381 } 382 return(1); 383 } 384 385 int 386 snap_print(const u_char *p, u_int length, u_int caplen, u_int bridge_pad) 387 { 388 u_int32_t orgcode; 389 register u_short et; 390 register int ret; 391 392 TCHECK2(*p, 5); 393 orgcode = EXTRACT_24BITS(p); 394 et = EXTRACT_16BITS(p + 3); 395 396 if (eflag) { 397 const struct tok *tok = null_values; 398 const struct oui_tok *otp; 399 400 for (otp = &oui_to_tok[0]; otp->tok != NULL; otp++) { 401 if (otp->oui == orgcode) { 402 tok = otp->tok; 403 break; 404 } 405 } 406 (void)printf("oui %s (0x%06x), %s %s (0x%04x): ", 407 tok2str(oui_values, "Unknown", orgcode), 408 orgcode, 409 (orgcode == 0x000000 ? "ethertype" : "pid"), 410 tok2str(tok, "Unknown", et), 411 et); 412 } 413 p += 5; 414 length -= 5; 415 caplen -= 5; 416 417 switch (orgcode) { 418 case OUI_ENCAP_ETHER: 419 case OUI_CISCO_90: 420 /* 421 * This is an encapsulated Ethernet packet, 422 * or a packet bridged by some piece of 423 * Cisco hardware; the protocol ID is 424 * an Ethernet protocol type. 425 */ 426 ret = ethertype_print(gndo, et, p, length, caplen); 427 if (ret) 428 return (ret); 429 break; 430 431 case OUI_APPLETALK: 432 if (et == ETHERTYPE_ATALK) { 433 /* 434 * No, I have no idea why Apple used one 435 * of their own OUIs, rather than 436 * 0x000000, and an Ethernet packet 437 * type, for Appletalk data packets, 438 * but used 0x000000 and an Ethernet 439 * packet type for AARP packets. 440 */ 441 ret = ethertype_print(gndo, et, p, length, caplen); 442 if (ret) 443 return (ret); 444 } 445 break; 446 447 case OUI_CISCO: 448 switch (et) { 449 case PID_CISCO_CDP: 450 cdp_print(p, length, caplen); 451 return (1); 452 case PID_CISCO_DTP: 453 dtp_print(p, length); 454 return (1); 455 case PID_CISCO_UDLD: 456 udld_print(p, length); 457 return (1); 458 case PID_CISCO_VTP: 459 vtp_print(p, length); 460 return (1); 461 case PID_CISCO_PVST: 462 case PID_CISCO_VLANBRIDGE: 463 stp_print(p, length); 464 return (1); 465 default: 466 break; 467 } 468 469 case OUI_RFC2684: 470 switch (et) { 471 472 case PID_RFC2684_ETH_FCS: 473 case PID_RFC2684_ETH_NOFCS: 474 /* 475 * XXX - remove the last two bytes for 476 * PID_RFC2684_ETH_FCS? 477 */ 478 /* 479 * Skip the padding. 480 */ 481 TCHECK2(*p, bridge_pad); 482 caplen -= bridge_pad; 483 length -= bridge_pad; 484 p += bridge_pad; 485 486 /* 487 * What remains is an Ethernet packet. 488 */ 489 ether_print(gndo, p, length, caplen, NULL, NULL); 490 return (1); 491 492 case PID_RFC2684_802_5_FCS: 493 case PID_RFC2684_802_5_NOFCS: 494 /* 495 * XXX - remove the last two bytes for 496 * PID_RFC2684_ETH_FCS? 497 */ 498 /* 499 * Skip the padding, but not the Access 500 * Control field. 501 */ 502 TCHECK2(*p, bridge_pad); 503 caplen -= bridge_pad; 504 length -= bridge_pad; 505 p += bridge_pad; 506 507 /* 508 * What remains is an 802.5 Token Ring 509 * packet. 510 */ 511 token_print(p, length, caplen); 512 return (1); 513 514 case PID_RFC2684_FDDI_FCS: 515 case PID_RFC2684_FDDI_NOFCS: 516 /* 517 * XXX - remove the last two bytes for 518 * PID_RFC2684_ETH_FCS? 519 */ 520 /* 521 * Skip the padding. 522 */ 523 TCHECK2(*p, bridge_pad + 1); 524 caplen -= bridge_pad + 1; 525 length -= bridge_pad + 1; 526 p += bridge_pad + 1; 527 528 /* 529 * What remains is an FDDI packet. 530 */ 531 fddi_print(p, length, caplen); 532 return (1); 533 534 case PID_RFC2684_BPDU: 535 stp_print(p, length); 536 return (1); 537 } 538 } 539 return (0); 540 541 trunc: 542 (void)printf("[|snap]"); 543 return (1); 544 } 545 546 547 /* 548 * Local Variables: 549 * c-style: whitesmith 550 * c-basic-offset: 8 551 * End: 552 */ 553