]> The Tcpdump Group git mirrors - tcpdump/blob - print-llc.c
projects / tcpdump / blob
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Make "snap_print()" take an argument specifying the padding for bridged
[tcpdump] / print-llc.c
1 /*
2 * Copyright (c) 1992, 1993, 1994, 1995, 1996, 1997
3 * The Regents of the University of California. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that: (1) source code distributions
7 * retain the above copyright notice and this paragraph in its entirety, (2)
8 * distributions including binary code include the above copyright notice and
9 * this paragraph in its entirety in the documentation or other materials
10 * provided with the distribution, and (3) all advertising materials mentioning
11 * features or use of this software display the following acknowledgement:
12 * ``This product includes software developed by the University of California,
13 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
14 * the University nor the names of its contributors may be used to endorse
15 * or promote products derived from this software without specific prior
16 * written permission.
17 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
18 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
19 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
20 *
21 * Code by Matt Thomas, Digital Equipment Corporation
22 * with an awful lot of hacking by Jeffrey Mogul, DECWRL
23 */
24
25 #ifndef lint
26 static const char rcsid[] =
27 "@(#) $Header: /tcpdump/master/tcpdump/print-llc.c,v 1.47 2002-07-11 08:27:03 guy Exp $";
28 #endif
29
30 #ifdef HAVE_CONFIG_H
31 #include "config.h"
32 #endif
33
34 #include <sys/param.h>
35 #include <sys/time.h>
36
37 #include <netinet/in.h>
38
39 #include <ctype.h>
40 #include <netdb.h>
41 #include <stdio.h>
42 #include <string.h>
43
44 #include "interface.h"
45 #include "addrtoname.h"
46 #include "extract.h" /* must come after interface.h */
47
48 #include "llc.h"
49 #include "ethertype.h"
50
51 static struct tok cmd2str[] = {
52 { LLC_UI, "ui" },
53 { LLC_TEST, "test" },
54 { LLC_XID, "xid" },
55 { LLC_UA, "ua" },
56 { LLC_DISC, "disc" },
57 { LLC_DM, "dm" },
58 { LLC_SABME, "sabme" },
59 { LLC_FRMR, "frmr" },
60 { 0, NULL }
61 };
62
63 /*
64 * Returns non-zero IFF it succeeds in printing the header
65 */
66 int
67 llc_print(const u_char *p, u_int length, u_int caplen,
68 const u_char *esrc, const u_char *edst, u_short *extracted_ethertype)
69 {
70 struct llc llc;
71 register u_short et;
72 u_int16_t control;
73 register int ret;
74
75 if (caplen < 3) {
76 (void)printf("[|llc]");
77 default_print((u_char *)p, caplen);
78 return(0);
79 }
80
81 /* Watch out for possible alignment problems */
82 memcpy((char *)&llc, (char *)p, min(caplen, sizeof(llc)));
83
84 if (llc.ssap == LLCSAP_GLOBAL && llc.dsap == LLCSAP_GLOBAL) {
85 /*
86 * This is an Ethernet_802.3 IPX frame; it has an
87 * 802.3 header (i.e., an Ethernet header where the
88 * type/length field is <= ETHERMTU, i.e. it's a length
89 * field, not a type field), but has no 802.2 header -
90 * the IPX packet starts right after the Ethernet header,
91 * with a signature of two bytes of 0xFF (which is
92 * LLCSAP_GLOBAL).
93 *
94 * (It might also have been an Ethernet_802.3 IPX at
95 * one time, but got bridged onto another network,
96 * such as an 802.11 network; this has appeared in at
97 * least one capture file.)
98 */
99 printf("(NOV-802.3) ");
100 ipx_print(p, length);
101 return (1);
102 }
103
104 if (llc.ssap == LLCSAP_8021D && llc.dsap == LLCSAP_8021D) {
105 stp_print(p, length);
106 return (1);
107 }
108
109 if (llc.ssap == LLCSAP_IPX && llc.dsap == LLCSAP_IPX &&
110 llc.llcui == LLC_UI) {
111 /*
112 * This is an Ethernet_802.2 IPX frame, with an 802.3
113 * header and an 802.2 LLC header with the source and
114 * destination SAPs being the IPX SAP.
115 *
116 * Skip DSAP, LSAP, and control field.
117 */
118 printf("(NOV-802.2) ");
119 p += 3;
120 length -= 3;
121 caplen -= 3;
122 ipx_print(p, length);
123 return (1);
124 }
125
126 #ifdef TCPDUMP_DO_SMB
127 if (llc.ssap == LLCSAP_NETBEUI && llc.dsap == LLCSAP_NETBEUI
128 && (!(llc.llcu & LLC_S_FMT) || llc.llcu == LLC_U_FMT)) {
129 /*
130 * we don't actually have a full netbeui parser yet, but the
131 * smb parser can handle many smb-in-netbeui packets, which
132 * is very useful, so we call that
133 *
134 * We don't call it for S frames, however, just I frames
135 * (which are frames that don't have the low-order bit,
136 * LLC_S_FMT, set in the first byte of the control field)
137 * and UI frames (whose control field is just 3, LLC_U_FMT).
138 */
139
140 /*
141 * Skip the DSAP and LSAP.
142 */
143 p += 2;
144 length -= 2;
145 caplen -= 2;
146
147 /*
148 * OK, what type of LLC frame is this? The length
149 * of the control field depends on that - I frames
150 * have a two-byte control field, and U frames have
151 * a one-byte control field.
152 */
153 if (llc.llcu == LLC_U_FMT) {
154 control = llc.llcu;
155 p += 1;
156 length -= 1;
157 caplen -= 1;
158 } else {
159 /*
160 * The control field in I and S frames is
161 * little-endian.
162 */
163 control = EXTRACT_LE_16BITS(&llc.llcu);
164 p += 2;
165 length -= 2;
166 caplen -= 2;
167 }
168 netbeui_print(control, p, length);
169 return (1);
170 }
171 #endif
172 if (llc.ssap == LLCSAP_ISONS && llc.dsap == LLCSAP_ISONS
173 && llc.llcui == LLC_UI) {
174 isoclns_print(p + 3, length - 3, caplen - 3, esrc, edst);
175 return (1);
176 }
177
178 if (llc.ssap == LLCSAP_SNAP && llc.dsap == LLCSAP_SNAP
179 && llc.llcui == LLC_UI) {
180 u_int32_t orgcode;
181
182 if (caplen < sizeof(llc)) {
183 (void)printf("[|llc-snap]");
184 default_print((u_char *)p, caplen);
185 return (0);
186 }
187 if (vflag)
188 (void)printf("snap %s ", protoid_string(llc.llcpi));
189
190 caplen -= sizeof(llc);
191 length -= sizeof(llc);
192 p += sizeof(llc);
193
194 orgcode = EXTRACT_24BITS(&llc.llc_orgcode[0]);
195 et = EXTRACT_16BITS(&llc.llc_ethertype[0]);
196 /*
197 * XXX - what *is* the right bridge pad value here?
198 * Does anybody ever bridge one form of LAN traffic
199 * over a networking type that uses 802.2 LLC?
200 */
201 ret = snap_print(p, length, caplen, esrc, edst,
202 extracted_ethertype, orgcode, et, 2);
203 if (ret)
204 return (ret);
205 }
206
207 if ((llc.ssap & ~LLC_GSAP) == llc.dsap) {
208 if (eflag || esrc == NULL || edst == NULL)
209 (void)printf("%s ", llcsap_string(llc.dsap));
210 else
211 (void)printf("%s > %s %s ",
212 etheraddr_string(esrc),
213 etheraddr_string(edst),
214 llcsap_string(llc.dsap));
215 } else {
216 if (eflag || esrc == NULL || edst == NULL)
217 (void)printf("%s > %s ",
218 llcsap_string(llc.ssap & ~LLC_GSAP),
219 llcsap_string(llc.dsap));
220 else
221 (void)printf("%s %s > %s %s ",
222 etheraddr_string(esrc),
223 llcsap_string(llc.ssap & ~LLC_GSAP),
224 etheraddr_string(edst),
225 llcsap_string(llc.dsap));
226 }
227
228 if ((llc.llcu & LLC_U_FMT) == LLC_U_FMT) {
229 u_int16_t cmd;
230 const char *m;
231 char f;
232
233 cmd = LLC_U_CMD(llc.llcu);
234 m = tok2str(cmd2str, "%02x", cmd);
235 switch ((llc.ssap & LLC_GSAP) | (llc.llcu & LLC_U_POLL)) {
236 case 0: f = 'C'; break;
237 case LLC_GSAP: f = 'R'; break;
238 case LLC_U_POLL: f = 'P'; break;
239 case LLC_GSAP|LLC_U_POLL: f = 'F'; break;
240 default: f = '?'; break;
241 }
242
243 printf("%s/%c", m, f);
244
245 p += 3;
246 length -= 3;
247 caplen -= 3;
248
249 if ((llc.llcu & ~LLC_U_POLL) == LLC_XID) {
250 if (*p == LLC_XID_FI) {
251 printf(": %02x %02x", p[1], p[2]);
252 p += 3;
253 length -= 3;
254 caplen -= 3;
255 }
256 }
257 } else {
258 char f;
259
260 /*
261 * The control field in I and S frames is little-endian.
262 */
263 control = EXTRACT_LE_16BITS(&llc.llcu);
264 switch ((llc.ssap & LLC_GSAP) | (control & LLC_IS_POLL)) {
265 case 0: f = 'C'; break;
266 case LLC_GSAP: f = 'R'; break;
267 case LLC_IS_POLL: f = 'P'; break;
268 case LLC_GSAP|LLC_IS_POLL: f = 'F'; break;
269 default: f = '?'; break;
270 }
271
272 if ((control & LLC_S_FMT) == LLC_S_FMT) {
273 static char *llc_s[] = { "rr", "rej", "rnr", "03" };
274 (void)printf("%s (r=%d,%c)",
275 llc_s[LLC_S_CMD(control)],
276 LLC_IS_NR(control),
277 f);
278 } else {
279 (void)printf("I (s=%d,r=%d,%c)",
280 LLC_I_NS(control),
281 LLC_IS_NR(control),
282 f);
283 }
284 p += 4;
285 length -= 4;
286 caplen -= 4;
287 }
288 (void)printf(" len=%d", length);
289 return(1);
290 }
291
292 int
293 snap_print(const u_char *p, u_int length, u_int caplen,
294 const u_char *esrc, const u_char *edst, u_short *extracted_ethertype,
295 u_int32_t orgcode, u_short et, u_int bridge_pad)
296 {
297 register int ret;
298
299 switch (orgcode) {
300 case OUI_ENCAP_ETHER:
301 case OUI_CISCO_90:
302 /*
303 * This is an encapsulated Ethernet packet,
304 * or a packet bridged by some piece of
305 * Cisco hardware; the protocol ID is
306 * an Ethernet protocol type.
307 */
308 ret = ether_encap_print(et, p, length, caplen,
309 extracted_ethertype);
310 if (ret)
311 return (ret);
312 break;
313
314 case OUI_APPLETALK:
315 if (et == ETHERTYPE_ATALK) {
316 /*
317 * No, I have no idea why Apple used one
318 * of their own OUIs, rather than
319 * 0x000000, and an Ethernet packet
320 * type, for Appletalk data packets,
321 * but used 0x000000 and an Ethernet
322 * packet type for AARP packets.
323 */
324 ret = ether_encap_print(et, p, length, caplen,
325 extracted_ethertype);
326 if (ret)
327 return (ret);
328 }
329 break;
330
331 case OUI_CISCO:
332 if (et == PID_CISCO_CDP) {
333 cdp_print(p, length, caplen, esrc, edst);
334 return (1);
335 }
336 break;
337
338 case OUI_RFC2684:
339 switch (et) {
340
341 case PID_RFC2684_ETH_FCS:
342 case PID_RFC2684_ETH_NOFCS:
343 /*
344 * XXX - remove the last two bytes for
345 * PID_RFC2684_ETH_FCS?
346 */
347 /*
348 * Skip the padding.
349 */
350 caplen -= bridge_pad;
351 length -= bridge_pad;
352 p += bridge_pad;
353
354 /*
355 * What remains is an Ethernet packet.
356 */
357 ether_print(p, length, caplen);
358 return (1);
359
360 case PID_RFC2684_802_5_FCS:
361 case PID_RFC2684_802_5_NOFCS:
362 /*
363 * XXX - remove the last two bytes for
364 * PID_RFC2684_ETH_FCS?
365 */
366 /*
367 * Skip the padding, but not the Access
368 * Control field.
369 */
370 caplen -= bridge_pad;
371 length -= bridge_pad;
372 p += bridge_pad;
373
374 /*
375 * What remains is an 802.5 Token Ring
376 * packet.
377 */
378 token_print(p, length, caplen);
379 return (1);
380
381 case PID_RFC2684_FDDI_FCS:
382 case PID_RFC2684_FDDI_NOFCS:
383 /*
384 * XXX - remove the last two bytes for
385 * PID_RFC2684_ETH_FCS?
386 */
387 /*
388 * Skip the padding.
389 */
390 caplen -= bridge_pad + 1;
391 length -= bridge_pad + 1;
392 p += bridge_pad + 1;
393
394 /*
395 * What remains is an FDDI packet.
396 */
397 fddi_print(p, length, caplen);
398 return (1);
399
400 case PID_RFC2684_BPDU:
401 stp_print(p, length);
402 return (1);
403 }
404 }
405 return (0);
406 }
[mirror] the TCPdump network dissector