1 /* 2 * Copyright (c) 1992, 1993, 1994, 1995, 1996, 1997 3 * The Regents of the University of California. All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that: (1) source code distributions 7 * retain the above copyright notice and this paragraph in its entirety, (2) 8 * distributions including binary code include the above copyright notice and 9 * this paragraph in its entirety in the documentation or other materials 10 * provided with the distribution, and (3) all advertising materials mentioning 11 * features or use of this software display the following acknowledgement: 12 * ``This product includes software developed by the University of California, 13 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of 14 * the University nor the names of its contributors may be used to endorse 15 * or promote products derived from this software without specific prior 16 * written permission. 17 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED 18 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF 19 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 20 * 21 * Code by Matt Thomas, Digital Equipment Corporation 22 * with an awful lot of hacking by Jeffrey Mogul, DECWRL 23 */ 24 25 #include <sys/cdefs.h> 26 #ifndef lint 27 __RCSID("$NetBSD: print-llc.c,v 1.11 2024/09/02 16:15:31 christos Exp $"); 28 #endif 29 30 /* \summary: IEEE 802.2 LLC printer */ 31 32 #include <config.h> 33 34 #include "netdissect-stdinc.h" 35 36 #include "netdissect.h" 37 #include "addrtoname.h" 38 #include "extract.h" 39 40 #include "llc.h" 41 #include "ethertype.h" 42 #include "oui.h" 43 44 static const struct tok llc_values[] = { 45 { LLCSAP_NULL, "Null" }, 46 { LLCSAP_GLOBAL, "Global" }, 47 { LLCSAP_8021B_I, "802.1B I" }, 48 { LLCSAP_8021B_G, "802.1B G" }, 49 { LLCSAP_IP, "IP" }, 50 { LLCSAP_SNA, "SNA" }, 51 { LLCSAP_PROWAYNM, "ProWay NM" }, 52 { LLCSAP_8021D, "STP" }, 53 { LLCSAP_RS511, "RS511" }, 54 { LLCSAP_ISO8208, "ISO8208" }, 55 { LLCSAP_PROWAY, "ProWay" }, 56 { LLCSAP_SNAP, "SNAP" }, 57 { LLCSAP_IPX, "IPX" }, 58 { LLCSAP_NETBEUI, "NetBeui" }, 59 { LLCSAP_ISONS, "OSI" }, 60 { 0, NULL }, 61 }; 62 63 static const struct tok llc_cmd_values[] = { 64 { LLC_UI, "ui" }, 65 { LLC_TEST, "test" }, 66 { LLC_XID, "xid" }, 67 { LLC_UA, "ua" }, 68 { LLC_DISC, "disc" }, 69 { LLC_DM, "dm" }, 70 { LLC_SABME, "sabme" }, 71 { LLC_FRMR, "frmr" }, 72 { 0, NULL } 73 }; 74 75 static const struct tok llc_flag_values[] = { 76 { 0, "Command" }, 77 { LLC_GSAP, "Response" }, 78 { LLC_U_POLL, "Poll" }, 79 { LLC_GSAP|LLC_U_POLL, "Final" }, 80 { LLC_IS_POLL, "Poll" }, 81 { LLC_GSAP|LLC_IS_POLL, "Final" }, 82 { 0, NULL } 83 }; 84 85 86 static const struct tok llc_ig_flag_values[] = { 87 { 0, "Individual" }, 88 { LLC_IG, "Group" }, 89 { 0, NULL } 90 }; 91 92 93 static const struct tok llc_supervisory_values[] = { 94 { 0, "Receiver Ready" }, 95 { 1, "Receiver not Ready" }, 96 { 2, "Reject" }, 97 { 0, NULL } 98 }; 99 100 101 static const struct tok cisco_values[] = { 102 { PID_CISCO_CDP, "CDP" }, 103 { PID_CISCO_VTP, "VTP" }, 104 { PID_CISCO_DTP, "DTP" }, 105 { PID_CISCO_UDLD, "UDLD" }, 106 { PID_CISCO_PVST, "PVST" }, 107 { PID_CISCO_VLANBRIDGE, "VLAN Bridge" }, 108 { 0, NULL } 109 }; 110 111 static const struct tok bridged_values[] = { 112 { PID_RFC2684_ETH_FCS, "Ethernet + FCS" }, 113 { PID_RFC2684_ETH_NOFCS, "Ethernet w/o FCS" }, 114 { PID_RFC2684_802_4_FCS, "802.4 + FCS" }, 115 { PID_RFC2684_802_4_NOFCS, "802.4 w/o FCS" }, 116 { PID_RFC2684_802_5_FCS, "Token Ring + FCS" }, 117 { PID_RFC2684_802_5_NOFCS, "Token Ring w/o FCS" }, 118 { PID_RFC2684_FDDI_FCS, "FDDI + FCS" }, 119 { PID_RFC2684_FDDI_NOFCS, "FDDI w/o FCS" }, 120 { PID_RFC2684_802_6_FCS, "802.6 + FCS" }, 121 { PID_RFC2684_802_6_NOFCS, "802.6 w/o FCS" }, 122 { PID_RFC2684_BPDU, "BPDU" }, 123 { 0, NULL }, 124 }; 125 126 static const struct tok null_values[] = { 127 { 0, NULL } 128 }; 129 130 struct oui_tok { 131 uint32_t oui; 132 const struct tok *tok; 133 }; 134 135 static const struct oui_tok oui_to_tok[] = { 136 { OUI_ENCAP_ETHER, ethertype_values }, 137 { OUI_CISCO_90, ethertype_values }, /* uses some Ethertype values */ 138 { OUI_APPLETALK, ethertype_values }, /* uses some Ethertype values */ 139 { OUI_CISCO, cisco_values }, 140 { OUI_RFC2684, bridged_values }, /* bridged, RFC 2427 FR or RFC 2864 ATM */ 141 { 0, NULL } 142 }; 143 144 /* 145 * If we printed information about the payload, returns the length of the LLC 146 * header, plus the length of any SNAP header following it. 147 * 148 * Otherwise (for example, if the packet has unknown SAPs or has a SNAP 149 * header with an unknown OUI/PID combination), returns the *negative* 150 * of that value. 151 */ 152 int 153 llc_print(netdissect_options *ndo, const u_char *p, u_int length, u_int caplen, 154 const struct lladdr_info *src, const struct lladdr_info *dst) 155 { 156 uint8_t dsap_field, dsap, ssap_field, ssap; 157 uint16_t control; 158 int hdrlen; 159 int is_u; 160 161 ndo->ndo_protocol = "llc"; 162 if (caplen < 3) { 163 nd_print_trunc(ndo); 164 ND_DEFAULTPRINT((const u_char *)p, caplen); 165 return (caplen); 166 } 167 if (length < 3) { 168 nd_print_trunc(ndo); 169 ND_DEFAULTPRINT((const u_char *)p, caplen); 170 return (length); 171 } 172 173 dsap_field = GET_U_1(p); 174 ssap_field = GET_U_1(p + 1); 175 176 /* 177 * OK, what type of LLC frame is this? The length 178 * of the control field depends on that - I frames 179 * have a two-byte control field, and U frames have 180 * a one-byte control field. 181 */ 182 control = GET_U_1(p + 2); 183 if ((control & LLC_U_FMT) == LLC_U_FMT) { 184 /* 185 * U frame. 186 */ 187 is_u = 1; 188 hdrlen = 3; /* DSAP, SSAP, 1-byte control field */ 189 } else { 190 /* 191 * The control field in I and S frames is 192 * 2 bytes... 193 */ 194 if (caplen < 4) { 195 nd_print_trunc(ndo); 196 ND_DEFAULTPRINT((const u_char *)p, caplen); 197 return (caplen); 198 } 199 if (length < 4) { 200 nd_print_trunc(ndo); 201 ND_DEFAULTPRINT((const u_char *)p, caplen); 202 return (length); 203 } 204 205 /* 206 * ...and is little-endian. 207 */ 208 control = GET_LE_U_2(p + 2); 209 is_u = 0; 210 hdrlen = 4; /* DSAP, SSAP, 2-byte control field */ 211 } 212 213 if (ssap_field == LLCSAP_GLOBAL && dsap_field == LLCSAP_GLOBAL) { 214 /* 215 * This is an Ethernet_802.3 IPX frame; it has an 216 * 802.3 header (i.e., an Ethernet header where the 217 * type/length field is <= MAX_ETHERNET_LENGTH_VAL, 218 * i.e. it's a length field, not a type field), but 219 * has no 802.2 header - the IPX packet starts right 220 * after the Ethernet header, with a signature of two 221 * bytes of 0xFF (which is LLCSAP_GLOBAL). 222 * 223 * (It might also have been an Ethernet_802.3 IPX at 224 * one time, but got bridged onto another network, 225 * such as an 802.11 network; this has appeared in at 226 * least one capture file.) 227 */ 228 229 if (ndo->ndo_eflag) 230 ND_PRINT("IPX 802.3: "); 231 232 ipx_print(ndo, p, length); 233 return (0); /* no LLC header */ 234 } 235 236 dsap = dsap_field & ~LLC_IG; 237 ssap = ssap_field & ~LLC_GSAP; 238 239 if (ndo->ndo_eflag) { 240 ND_PRINT("LLC, dsap %s (0x%02x) %s, ssap %s (0x%02x) %s", 241 tok2str(llc_values, "Unknown", dsap), 242 dsap, 243 tok2str(llc_ig_flag_values, "Unknown", dsap_field & LLC_IG), 244 tok2str(llc_values, "Unknown", ssap), 245 ssap, 246 tok2str(llc_flag_values, "Unknown", ssap_field & LLC_GSAP)); 247 248 if (is_u) { 249 ND_PRINT(", ctrl 0x%02x: ", control); 250 } else { 251 ND_PRINT(", ctrl 0x%04x: ", control); 252 } 253 } 254 255 /* 256 * Skip LLC header. 257 */ 258 p += hdrlen; 259 length -= hdrlen; 260 caplen -= hdrlen; 261 262 if (ssap == LLCSAP_SNAP && dsap == LLCSAP_SNAP 263 && control == LLC_UI) { 264 /* 265 * XXX - what *is* the right bridge pad value here? 266 * Does anybody ever bridge one form of LAN traffic 267 * over a networking type that uses 802.2 LLC? 268 */ 269 if (!snap_print(ndo, p, length, caplen, src, dst, 2)) { 270 /* 271 * Unknown packet type; tell our caller, by 272 * returning a negative value, so they 273 * can print the raw packet. 274 */ 275 return (-(hdrlen + 5)); /* include LLC and SNAP header */ 276 } else 277 return (hdrlen + 5); /* include LLC and SNAP header */ 278 } 279 280 if (ssap == LLCSAP_8021D && dsap == LLCSAP_8021D && 281 control == LLC_UI) { 282 stp_print(ndo, p, length); 283 return (hdrlen); 284 } 285 286 if (ssap == LLCSAP_IP && dsap == LLCSAP_IP && 287 control == LLC_UI) { 288 /* 289 * This is an RFC 948-style IP packet, with 290 * an 802.3 header and an 802.2 LLC header 291 * with the source and destination SAPs being 292 * the IP SAP. 293 */ 294 ip_print(ndo, p, length); 295 return (hdrlen); 296 } 297 298 if (ssap == LLCSAP_IPX && dsap == LLCSAP_IPX && 299 control == LLC_UI) { 300 /* 301 * This is an Ethernet_802.2 IPX frame, with an 802.3 302 * header and an 802.2 LLC header with the source and 303 * destination SAPs being the IPX SAP. 304 */ 305 if (ndo->ndo_eflag) 306 ND_PRINT("IPX 802.2: "); 307 308 ipx_print(ndo, p, length); 309 return (hdrlen); 310 } 311 312 #ifdef ENABLE_SMB 313 if (ssap == LLCSAP_NETBEUI && dsap == LLCSAP_NETBEUI 314 && (!(control & LLC_S_FMT) || control == LLC_U_FMT)) { 315 /* 316 * we don't actually have a full netbeui parser yet, but the 317 * smb parser can handle many smb-in-netbeui packets, which 318 * is very useful, so we call that 319 * 320 * We don't call it for S frames, however, just I frames 321 * (which are frames that don't have the low-order bit, 322 * LLC_S_FMT, set in the first byte of the control field) 323 * and UI frames (whose control field is just 3, LLC_U_FMT). 324 */ 325 netbeui_print(ndo, control, p, length); 326 return (hdrlen); 327 } 328 #endif 329 if (ssap == LLCSAP_ISONS && dsap == LLCSAP_ISONS 330 && control == LLC_UI) { 331 isoclns_print(ndo, p, length); 332 return (hdrlen); 333 } 334 335 if (!ndo->ndo_eflag) { 336 if (ssap == dsap) { 337 if (src == NULL || dst == NULL) 338 ND_PRINT("%s ", tok2str(llc_values, "Unknown DSAP 0x%02x", dsap)); 339 else 340 ND_PRINT("%s > %s %s ", 341 (src->addr_string)(ndo, src->addr), 342 (dst->addr_string)(ndo, dst->addr), 343 tok2str(llc_values, "Unknown DSAP 0x%02x", dsap)); 344 } else { 345 if (src == NULL || dst == NULL) 346 ND_PRINT("%s > %s ", 347 tok2str(llc_values, "Unknown SSAP 0x%02x", ssap), 348 tok2str(llc_values, "Unknown DSAP 0x%02x", dsap)); 349 else 350 ND_PRINT("%s %s > %s %s ", 351 (src->addr_string)(ndo, src->addr), 352 tok2str(llc_values, "Unknown SSAP 0x%02x", ssap), 353 (dst->addr_string)(ndo, dst->addr), 354 tok2str(llc_values, "Unknown DSAP 0x%02x", dsap)); 355 } 356 } 357 358 if (is_u) { 359 ND_PRINT("Unnumbered, %s, Flags [%s], length %u", 360 tok2str(llc_cmd_values, "%02x", LLC_U_CMD(control)), 361 tok2str(llc_flag_values,"?",(ssap_field & LLC_GSAP) | (control & LLC_U_POLL)), 362 length + hdrlen); 363 364 if ((control & ~LLC_U_POLL) == LLC_XID) { 365 if (length == 0) { 366 /* 367 * XID with no payload. 368 * This could, for example, be an SNA 369 * "short form" XID. 370 */ 371 return (hdrlen); 372 } 373 if (caplen < 1) { 374 nd_print_trunc(ndo); 375 if (caplen > 0) 376 ND_DEFAULTPRINT((const u_char *)p, caplen); 377 return (hdrlen); 378 } 379 if (GET_U_1(p) == LLC_XID_FI) { 380 if (caplen < 3 || length < 3) { 381 nd_print_trunc(ndo); 382 if (caplen > 0) 383 ND_DEFAULTPRINT((const u_char *)p, caplen); 384 } else 385 ND_PRINT(": %02x %02x", 386 GET_U_1(p + 1), 387 GET_U_1(p + 2)); 388 return (hdrlen); 389 } 390 } 391 } else { 392 if ((control & LLC_S_FMT) == LLC_S_FMT) { 393 ND_PRINT("Supervisory, %s, rcv seq %u, Flags [%s], length %u", 394 tok2str(llc_supervisory_values,"?",LLC_S_CMD(control)), 395 LLC_IS_NR(control), 396 tok2str(llc_flag_values,"?",(ssap_field & LLC_GSAP) | (control & LLC_IS_POLL)), 397 length + hdrlen); 398 return (hdrlen); /* no payload to print */ 399 } else { 400 ND_PRINT("Information, send seq %u, rcv seq %u, Flags [%s], length %u", 401 LLC_I_NS(control), 402 LLC_IS_NR(control), 403 tok2str(llc_flag_values,"?",(ssap_field & LLC_GSAP) | (control & LLC_IS_POLL)), 404 length + hdrlen); 405 } 406 } 407 return (-hdrlen); 408 } 409 410 static const struct tok * 411 oui_to_struct_tok(uint32_t orgcode) 412 { 413 const struct tok *tok = null_values; 414 const struct oui_tok *otp; 415 416 for (otp = &oui_to_tok[0]; otp->tok != NULL; otp++) { 417 if (otp->oui == orgcode) { 418 tok = otp->tok; 419 break; 420 } 421 } 422 return (tok); 423 } 424 425 int 426 snap_print(netdissect_options *ndo, const u_char *p, u_int length, u_int caplen, 427 const struct lladdr_info *src, const struct lladdr_info *dst, 428 u_int bridge_pad) 429 { 430 uint32_t orgcode; 431 u_short et; 432 int ret; 433 434 ndo->ndo_protocol = "snap"; 435 ND_TCHECK_5(p); 436 if (caplen < 5 || length < 5) 437 goto trunc; 438 orgcode = GET_BE_U_3(p); 439 et = GET_BE_U_2(p + 3); 440 441 if (ndo->ndo_eflag) { 442 /* 443 * Somebody's already printed the MAC addresses, if there 444 * are any, so just print the SNAP header, not the MAC 445 * addresses. 446 */ 447 ND_PRINT("oui %s (0x%06x), %s %s (0x%04x), length %u: ", 448 tok2str(oui_values, "Unknown", orgcode), 449 orgcode, 450 (orgcode == 0x000000 ? "ethertype" : "pid"), 451 tok2str(oui_to_struct_tok(orgcode), "Unknown", et), 452 et, length - 5); 453 } 454 p += 5; 455 length -= 5; 456 caplen -= 5; 457 458 switch (orgcode) { 459 case OUI_ENCAP_ETHER: 460 case OUI_CISCO_90: 461 /* 462 * This is an encapsulated Ethernet packet, 463 * or a packet bridged by some piece of 464 * Cisco hardware; the protocol ID is 465 * an Ethernet protocol type. 466 */ 467 ret = ethertype_print(ndo, et, p, length, caplen, src, dst); 468 if (ret) 469 return (ret); 470 break; 471 472 case OUI_APPLETALK: 473 if (et == ETHERTYPE_ATALK) { 474 /* 475 * No, I have no idea why Apple used one 476 * of their own OUIs, rather than 477 * 0x000000, and an Ethernet packet 478 * type, for Appletalk data packets, 479 * but used 0x000000 and an Ethernet 480 * packet type for AARP packets. 481 */ 482 ret = ethertype_print(ndo, et, p, length, caplen, src, dst); 483 if (ret) 484 return (ret); 485 } 486 break; 487 488 case OUI_CISCO: 489 switch (et) { 490 case PID_CISCO_CDP: 491 cdp_print(ndo, p, length); 492 return (1); 493 case PID_CISCO_DTP: 494 dtp_print(ndo, p, length); 495 return (1); 496 case PID_CISCO_UDLD: 497 udld_print(ndo, p, length); 498 return (1); 499 case PID_CISCO_VTP: 500 vtp_print(ndo, p, length); 501 return (1); 502 case PID_CISCO_PVST: 503 case PID_CISCO_VLANBRIDGE: 504 stp_print(ndo, p, length); 505 return (1); 506 default: 507 break; 508 } 509 break; 510 511 case OUI_RFC2684: 512 switch (et) { 513 514 case PID_RFC2684_ETH_FCS: 515 case PID_RFC2684_ETH_NOFCS: 516 /* 517 * XXX - remove the last two bytes for 518 * PID_RFC2684_ETH_FCS? 519 */ 520 /* 521 * Skip the padding. 522 */ 523 ND_TCHECK_LEN(p, bridge_pad); 524 caplen -= bridge_pad; 525 length -= bridge_pad; 526 p += bridge_pad; 527 528 /* 529 * What remains is an Ethernet packet. 530 */ 531 ether_print(ndo, p, length, caplen, NULL, NULL); 532 return (1); 533 534 case PID_RFC2684_802_5_FCS: 535 case PID_RFC2684_802_5_NOFCS: 536 /* 537 * XXX - remove the last two bytes for 538 * PID_RFC2684_ETH_FCS? 539 */ 540 /* 541 * Skip the padding, but not the Access 542 * Control field. 543 */ 544 ND_TCHECK_LEN(p, bridge_pad); 545 caplen -= bridge_pad; 546 length -= bridge_pad; 547 p += bridge_pad; 548 549 /* 550 * What remains is an 802.5 Token Ring 551 * packet. 552 */ 553 token_print(ndo, p, length, caplen); 554 return (1); 555 556 case PID_RFC2684_FDDI_FCS: 557 case PID_RFC2684_FDDI_NOFCS: 558 /* 559 * XXX - remove the last two bytes for 560 * PID_RFC2684_ETH_FCS? 561 */ 562 /* 563 * Skip the padding. 564 */ 565 ND_TCHECK_LEN(p, bridge_pad + 1); 566 caplen -= bridge_pad + 1; 567 length -= bridge_pad + 1; 568 p += bridge_pad + 1; 569 570 /* 571 * What remains is an FDDI packet. 572 */ 573 fddi_print(ndo, p, length, caplen); 574 return (1); 575 576 case PID_RFC2684_BPDU: 577 stp_print(ndo, p, length); 578 return (1); 579 } 580 } 581 if (!ndo->ndo_eflag) { 582 /* 583 * Nobody printed the link-layer addresses, so print them, if 584 * we have any. 585 */ 586 if (src != NULL && dst != NULL) { 587 ND_PRINT("%s > %s ", 588 (src->addr_string)(ndo, src->addr), 589 (dst->addr_string)(ndo, dst->addr)); 590 } 591 /* 592 * Print the SNAP header, but if the OUI is 000000, don't 593 * bother printing it, and report the PID as being an 594 * ethertype. 595 */ 596 if (orgcode == 0x000000) { 597 ND_PRINT("SNAP, ethertype %s (0x%04x), length %u: ", 598 tok2str(ethertype_values, "Unknown", et), 599 et, length); 600 } else { 601 ND_PRINT("SNAP, oui %s (0x%06x), pid %s (0x%04x), length %u: ", 602 tok2str(oui_values, "Unknown", orgcode), 603 orgcode, 604 tok2str(oui_to_struct_tok(orgcode), "Unknown", et), 605 et, length); 606 } 607 } 608 return (0); 609 610 trunc: 611 nd_print_trunc(ndo); 612 return (1); 613 } 614