X-Git-Url: https://git.tcpdump.org/tcpdump/blobdiff_plain/80c07e2a8b50dc71033d6a88e3236298be8e5b0b..HEAD:/print-macsec.c
diff --git a/print-macsec.c b/print-macsec.c
index 892f2c33..5fca3922 100644
--- a/print-macsec.c
+++ b/print-macsec.c
@@ -21,17 +21,12 @@
 /* \summary: MACsec printer */
-#ifdef HAVE_CONFIG_H
-#include "config.h"
-#endif
+#include
-#include
-
-#include
+#include "netdissect-stdinc.h"
 #include "netdissect.h"
 #include "addrtoname.h"
-#include "ethertype.h"
 #include "extract.h"
 #define MACSEC_DEFAULT_ICV_LEN 16
@@ -89,9 +84,31 @@ static const struct tok macsec_flag_values[] = {
 { 0, NULL }
 };
+static void
+macsec_print_header(netdissect_options *ndo,
+ const struct macsec_sectag *sectag,
+ u_int short_length)
+{
+ ND_PRINT("an %u, pn %u, flags %s",
+ GET_U_1(sectag->tci_an) & MACSEC_AN_MASK,
+ GET_BE_U_4(sectag->packet_number),
+ bittok2str_nosep(macsec_flag_values, "none",
+ GET_U_1(sectag->tci_an) & MACSEC_TCI_FLAGS));
+
+ if (short_length != 0)
+ ND_PRINT(", sl %u", short_length);
+
+ if (GET_U_1(sectag->tci_an) & MACSEC_TCI_SC)
+ ND_PRINT(", sci " SCI_FMT, GET_BE_U_8(sectag->secure_channel_id));
+
+ ND_PRINT(", ");
+}
+
 /* returns < 0 iff the packet can be decoded completely */
-int macsec_print(netdissect_options *ndo, const u_char **bp,
- u_int *lengthp, u_int *caplenp, u_int *hdrlenp)
+int
+macsec_print(netdissect_options *ndo, const u_char **bp,
+ u_int *lengthp, u_int *caplenp, u_int *hdrlenp,
+ const struct lladdr_info *src, const struct lladdr_info *dst)
 {
 const char *save_protocol;
 const u_char *p = *bp;
@@ -103,7 +120,7 @@ int macsec_print(netdissect_options *ndo, const u_char **bp,
 u_int short_length;
 save_protocol = ndo->ndo_protocol;
- ndo->ndo_protocol = "MACsec";
+ ndo->ndo_protocol = "macsec";
 /* we need the full MACsec header in the capture */
 if (caplen < MACSEC_SECTAG_LEN_NOSCI) {
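Review bot: The comment above `macsec_print()` in the `@@ -89,9 +84,31 @@` hunk still documents only the return value, although the new `src` and `dst` parameters carry a contract of their own: a later hunk tests both against NULL before use, so they appear to be optional. I would extend it with `/* src/dst: link-layer addresses of the enclosing frame, or NULL if the caller has none; used only to print the addresses of an encrypted frame when ndo_eflag is not set */`. The new `macsec_print_header()` also deserves a one-line comment saying that it reads `tci_an`, `packet_number` and, when the SC bit is set, `secure_channel_id` from the SecTag, so it is meant to be called only after the SecTag length has been checked against the capture. The body of `macsec_print()` continues outside this hunk.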
@@ -132,7 +149,7 @@ int macsec_print(netdissect_options *ndo, const u_char **bp,
 } else
 sectag_len = MACSEC_SECTAG_LEN_NOSCI;
- if ((GET_U_1(sectag->short_length) & ~MACSEC_SL_MASK) != 0 ||
+ if ((GET_U_1(sectag->short_length) & ~MACSEC_SL_MASK) != 0 ||
 GET_U_1(sectag->tci_an) & MACSEC_TCI_VERSION) {
 nd_print_invalid(ndo);
 ndo->ndo_protocol = save_protocol;
@@ -140,21 +157,8 @@ int macsec_print(netdissect_options *ndo, const u_char **bp,
 }
 short_length = GET_U_1(sectag->short_length) & MACSEC_SL_MASK;
- if (ndo->ndo_eflag) {
- ND_PRINT("an %u, pn %u, flags %s",
- GET_U_1(sectag->tci_an) & MACSEC_AN_MASK,
- GET_BE_U_4(sectag->packet_number),
- bittok2str_nosep(macsec_flag_values, "none",
- GET_U_1(sectag->tci_an) & MACSEC_TCI_FLAGS));
-
- if (short_length != 0)
- ND_PRINT(", sl %u", short_length);
-
- if (GET_U_1(sectag->tci_an) & MACSEC_TCI_SC)
- ND_PRINT(", sci " SCI_FMT, GET_BE_U_8(sectag->secure_channel_id));
-
- ND_PRINT(", ");
- }
+ if (ndo->ndo_eflag)
+ macsec_print_header(ndo, sectag, short_length);
 /* Skip the MACsec header. */
 *bp += sectag_len;
@@ -166,8 +170,30 @@ int macsec_print(netdissect_options *ndo, const u_char **bp,
 if ((GET_U_1(sectag->tci_an) & MACSEC_TCI_CONFID)) {
 /*
- * The payload is encrypted. Tell our
- * caller it can't be dissected.
+ * The payload is encrypted. Print link-layer
+ * information, if it hasn't already been printed.
+ */
+ if (!ndo->ndo_eflag) {
+ /*
+ * Nobody printed the link-layer addresses,
+ * so print them, if we have any.
+ */
+ if (src != NULL && dst != NULL) {
+ ND_PRINT("%s > %s ",
+ (src->addr_string)(ndo, src->addr),
+ (dst->addr_string)(ndo, dst->addr));
+ }
+
+ ND_PRINT("802.1AE MACsec, ");
+
+ /*
+ * Print the MACsec header.
+ */
+ macsec_print_header(ndo, sectag, short_length);
+ }
+
+ /*
+ * Tell our caller it can't be dissected.
 */
 ndo->ndo_protocol = save_protocol;
 return 0;
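Review bot: In the `@@ -166,8 +170,30 @@` hunk the NULL test covers `src` and `dst` but not the `addr_string` members that are then called through, so an `lladdr_info` passed with an unset formatter would become a call through a NULL function pointer while a captured frame is being printed. The definition of `struct lladdr_info` and the callers are outside this diff, so this may already be guaranteed. If it is not, the guard can read `if (src != NULL && dst != NULL && src->addr_string != NULL && dst->addr_string != NULL) {`; if it is, a comment such as `/* callers always set addr_string */` next to the test would record the assumption.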
@@ -190,6 +216,13 @@ int macsec_print(netdissect_options *ndo, const u_char **bp,
 }
 *lengthp -= MACSEC_DEFAULT_ICV_LEN;
 *caplenp -= MACSEC_DEFAULT_ICV_LEN;
+ /*
+ * Update the snapend thus the ICV field is not in the payload for
+ * the caller.
+ * The ICV (Integrity Check Value) is at the end of the frame, after
+ * the secure data.
+ */
+ ndo->ndo_snapend -= MACSEC_DEFAULT_ICV_LEN;
 /*
 * If the SL field is non-zero, then it's the length of the
@@ -216,7 +249,7 @@ int macsec_print(netdissect_options *ndo, const u_char **bp,
 if (*caplenp > short_length)
 *caplenp = short_length;
 }
-
+
 ndo->ndo_protocol = save_protocol;
 return -1;
 }
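Review bot: The added `ndo->ndo_snapend -= MACSEC_DEFAULT_ICV_LEN;` in the `@@ -190,6 +216,13 @@` hunk moves the shared bounds pointer back from wherever it currently is, which hides the ICV only if `ndo_snapend` is exactly the end of this frame; for a MACsec frame nested in data with trailing bytes, or a capture cut short by the snapshot length, the 16 bytes hidden would be something else. Nothing visible in this diff restores the pointer, so the shortened bound seems to stay in effect for whatever the callers print after the payload. The decrement also keeps `ndo_snapend` at or after `*bp` only if the checks above the hunk guarantee `*caplenp >= MACSEC_DEFAULT_ICV_LEN`, and those lines are not shown here. I would either set the bound from the frame itself in the caller with the `nd_push_snaplen()` / `nd_pop_packet_info()` pair, or at least add `/* assumes ndo_snapend is the end of this frame; not restored here, the caller owns snapend */` to the new comment.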