Diffstat (limited to 'epan/dissectors/packet-eth.c')
-rw-r--r-- | epan/dissectors/packet-eth.c | 626 |
1 files changed, 368 insertions, 258 deletions
diff --git a/epan/dissectors/packet-eth.c b/epan/dissectors/packet-eth.c
index d6be0925..07246616 100644
--- a/epan/dissectors/packet-eth.c
+++ b/epan/dissectors/packet-eth.c
@@ -21,6 +21,7 @@
 #include <epan/conversation_filter.h>
 #include <epan/capture_dissectors.h>
 #include <epan/exported_pdu.h>
+#include <epan/tfs.h>
 #include <wsutil/pint.h>
 #include "packet-eth.h"
 #include "packet-gre.h"
@@ -46,59 +47,60 @@ void proto_reg_handoff_eth(void); #define PADDING_ZEROS 1 #define PADDING_ANY 2 -static gint eth_padding = PADDING_ZEROS; -static guint eth_trailer_length = 0; +static int eth_padding = PADDING_ZEROS; +static unsigned eth_trailer_length; /* By default, try to autodetect FCS */ -static gint eth_fcs = -1; -static gboolean eth_check_fcs = FALSE; +static int eth_fcs = -1; +static bool eth_check_fcs; /* Interpret packets as FW1 monitor file packets if they look as if they are */ -static gboolean eth_interpret_as_fw1_monitor = FALSE; +static bool eth_interpret_as_fw1_monitor; /* When capturing on a Cisco FEX some frames start with an extra destination mac */ -static gboolean eth_deduplicate_dmac = FALSE; +static bool eth_deduplicate_dmac; /* Preference settings defining conditions for which the CCSDS dissector is called */ -static gboolean ccsds_heuristic_length = FALSE; -static gboolean ccsds_heuristic_version = FALSE; -static gboolean ccsds_heuristic_header = FALSE; -static gboolean ccsds_heuristic_bit = FALSE; +static bool ccsds_heuristic_length; +static bool ccsds_heuristic_version; +static bool ccsds_heuristic_header; +static bool ccsds_heuristic_bit; /* protocols and header fields */ -static int proto_eth = -1; -static int hf_eth_dst = -1; -static int hf_eth_dst_resolved = -1; -static int hf_eth_dst_oui = -1; -static int hf_eth_dst_oui_resolved = -1; -static int hf_eth_src = -1; -static int hf_eth_src_resolved = -1; -static int hf_eth_src_oui = -1; -static int hf_eth_src_oui_resolved = -1; -static int hf_eth_len = -1; -static int hf_eth_type = -1; -static int hf_eth_invalid_lentype = -1; -static int hf_eth_addr = -1; -static int hf_eth_addr_resolved = -1; -static int hf_eth_addr_oui = -1; -static int hf_eth_addr_oui_resolved = -1; -static int hf_eth_dst_lg = -1; -static int hf_eth_dst_ig = -1; -static int hf_eth_src_lg = -1; -static int hf_eth_src_ig = -1; -static int hf_eth_lg = -1; -static int hf_eth_ig = -1; -static int hf_eth_padding = -1; 
-static int hf_eth_trailer = -1; -static int hf_eth_fcs = -1; -static int hf_eth_fcs_status = -1; - -static gint ett_ieee8023 = -1; -static gint ett_ether2 = -1; -static gint ett_ether = -1; -static gint ett_addr = -1; - -static expert_field ei_eth_invalid_lentype = EI_INIT; -static expert_field ei_eth_src_not_group = EI_INIT; -static expert_field ei_eth_fcs_bad = EI_INIT; -static expert_field ei_eth_len = EI_INIT; -static expert_field ei_eth_padding_bad = EI_INIT; +static int proto_eth; +static int hf_eth_dst; +static int hf_eth_dst_resolved; +static int hf_eth_dst_oui; +static int hf_eth_dst_oui_resolved; +static int hf_eth_src; +static int hf_eth_src_resolved; +static int hf_eth_src_oui; +static int hf_eth_src_oui_resolved; +static int hf_eth_len; +static int hf_eth_type; +static int hf_eth_invalid_lentype; +static int hf_eth_addr; +static int hf_eth_addr_resolved; +static int hf_eth_addr_oui; +static int hf_eth_addr_oui_resolved; +static int hf_eth_dst_lg; +static int hf_eth_dst_ig; +static int hf_eth_src_lg; +static int hf_eth_src_ig; +static int hf_eth_lg; +static int hf_eth_ig; +static int hf_eth_padding; +static int hf_eth_trailer; +static int hf_eth_fcs; +static int hf_eth_fcs_status; +static int hf_eth_stream; + +static int ett_ieee8023; +static int ett_ether2; +static int ett_ether; +static int ett_addr; + +static expert_field ei_eth_invalid_lentype; +static expert_field ei_eth_src_not_group; +static expert_field ei_eth_fcs_bad; +static expert_field ei_eth_len; +static expert_field ei_eth_padding_bad; static dissector_handle_t fw1_handle; static dissector_handle_t ethertype_handle; @@ -111,9 +113,10 @@ static dissector_handle_t eth_withoutfcs_handle; static dissector_handle_t eth_maybefcs_handle; -static int eth_tap = -1; +static int eth_tap; +static uint32_t eth_stream_count; -static gint exported_pdu_tap = -1; +static int exported_pdu_tap = -1; #define ETH_HEADER_SIZE 14 
@@ -163,7 +166,8 @@ eth_conversation_packet(void *pct, packet_info *pinfo, epan_dissect_t *edt _U_, hash->flags = flags; const eth_hdr *ehdr=(const eth_hdr *)vip; - add_conversation_table_data(hash, &ehdr->src, &ehdr->dst, 0, 0, 1, pinfo->fd->pkt_len, &pinfo->rel_ts, &pinfo->abs_ts, ð_ct_dissector_info, CONVERSATION_NONE); + add_conversation_table_data_with_conv_id(hash, &ehdr->src, &ehdr->dst, 0, 0, (conv_id_t)ehdr->stream, 1, pinfo->fd->pkt_len, + &pinfo->rel_ts, &pinfo->abs_ts, ð_ct_dissector_info, CONVERSATION_ETH); return TAP_PACKET_REDRAW; } @@ -188,19 +192,19 @@ eth_endpoint_packet(void *pit, packet_info *pinfo, epan_dissect_t *edt _U_, cons /* Take two "add" passes per packet, adding for each direction, ensures that all packets are counted properly (even if address is sending to itself) XXX - this could probably be done more efficiently inside endpoint_table */ - add_endpoint_table_data(hash, &ehdr->src, 0, TRUE, 1, pinfo->fd->pkt_len, ð_endpoint_dissector_info, ENDPOINT_NONE); - add_endpoint_table_data(hash, &ehdr->dst, 0, FALSE, 1, pinfo->fd->pkt_len, ð_endpoint_dissector_info, ENDPOINT_NONE); + add_endpoint_table_data(hash, &ehdr->src, 0, true, 1, pinfo->fd->pkt_len, ð_endpoint_dissector_info, ENDPOINT_NONE); + add_endpoint_table_data(hash, &ehdr->dst, 0, false, 1, pinfo->fd->pkt_len, ð_endpoint_dissector_info, ENDPOINT_NONE); return TAP_PACKET_REDRAW; } -static gboolean +static bool eth_filter_valid(packet_info *pinfo, void *user_data _U_) { return (pinfo->dl_src.type == AT_ETHER); } -static gchar* +static char* eth_build_filter(packet_info *pinfo, void *user_data _U_) { return ws_strdup_printf("eth.addr eq %s and eth.addr eq %s", 
@@ -223,14 +227,14 @@ eth_build_filter(packet_info *pinfo, void *user_data _U_) #define ETHERNET_802_3 2 #define ETHERNET_SNAP 3 -static gboolean -capture_eth(const guchar *pd, int offset, int len, capture_packet_info_t *cpinfo, const union wtap_pseudo_header *pseudo_header) +static bool +capture_eth(const unsigned char *pd, int offset, int len, capture_packet_info_t *cpinfo, const union wtap_pseudo_header *pseudo_header) { - guint16 etype, length; + uint16_t etype, length; int ethhdr_type; /* the type of ethernet frame */ if (!BYTES_ARE_IN_FRAME(offset, len, ETH_HEADER_SIZE)) - return FALSE; + return false; etype = pntoh16(&pd[offset+12]); @@ -266,7 +270,7 @@ capture_eth(const guchar *pd, int offset, int len, capture_packet_info_t *cpinfo * an ethernet type of ETHERTYPE_UNK. */ if (etype > IEEE_802_3_MAX_LEN && etype < ETHERNET_II_MIN_LEN) - return FALSE; + return false; if (etype <= IEEE_802_3_MAX_LEN && etype != ETHERTYPE_UNK) { length = etype; 
@@ -306,113 +310,48 @@ capture_eth(const guchar *pd, int offset, int len, capture_packet_info_t *cpinfo return try_capture_dissector("ethertype", etype, pd, offset, len, cpinfo, pseudo_header); } - return FALSE; + return false; } -static gboolean check_is_802_2(tvbuff_t *tvb, int fcs_len); +static bool check_is_802_2(tvbuff_t *tvb, int fcs_len); static void -dissect_address_data(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, gboolean check_group) +dissect_address_data(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, bool check_group) { - const guint8 *src_addr, *dst_addr; - const char *src_addr_name, *dst_addr_name; - const gchar *src_oui_name, *dst_oui_name; - proto_item *addr_item; - proto_tree *addr_tree; - - dst_addr = (const guint8*)pinfo->dst.data; - dst_addr_name = get_ether_name(dst_addr); - - src_addr = (const guint8*)pinfo->src.data; - src_addr_name = get_ether_name(src_addr); - - addr_item = proto_tree_add_ether(tree, hf_eth_dst, tvb, 0, 6, dst_addr); - addr_tree = proto_item_add_subtree(addr_item, ett_addr); - - addr_item = proto_tree_add_string(addr_tree, hf_eth_dst_resolved, tvb, 0, 6, - dst_addr_name); - proto_item_set_generated(addr_item); - proto_item_set_hidden(addr_item); - - addr_item = proto_tree_add_item(addr_tree, hf_eth_dst_oui, tvb, 0, 3, ENC_NA); - proto_item_set_generated(addr_item); - proto_item_set_hidden(addr_item); - - dst_oui_name = tvb_get_manuf_name_if_known(tvb, 0); - if (dst_oui_name != NULL) { - addr_item = proto_tree_add_string(addr_tree, hf_eth_dst_oui_resolved, tvb, 0, 6, dst_oui_name); - proto_item_set_generated(addr_item); - proto_item_set_hidden(addr_item); - } - - proto_tree_add_ether(addr_tree, hf_eth_addr, tvb, 0, 6, dst_addr); - addr_item = proto_tree_add_string(addr_tree, hf_eth_addr_resolved, tvb, 0, 6, - dst_addr_name); - proto_item_set_generated(addr_item); - proto_item_set_hidden(addr_item); - - addr_item = proto_tree_add_item(addr_tree, hf_eth_addr_oui, tvb, 0, 3, ENC_NA); - 
proto_item_set_generated(addr_item); - proto_item_set_hidden(addr_item); - - if (dst_oui_name != NULL) { - addr_item = proto_tree_add_string(addr_tree, hf_eth_addr_oui_resolved, tvb, 0, 6, dst_oui_name); - proto_item_set_generated(addr_item); - proto_item_set_hidden(addr_item); - } + static const mac_hf_list_t eth_dst = { + &hf_eth_dst, + &hf_eth_dst_resolved, + &hf_eth_dst_oui, + &hf_eth_dst_oui_resolved, + &hf_eth_dst_lg, + &hf_eth_dst_ig, + }; + static const mac_hf_list_t eth_src = { + &hf_eth_src, + &hf_eth_src_resolved, + &hf_eth_src_oui, + &hf_eth_src_oui_resolved, + &hf_eth_src_lg, + &hf_eth_src_ig, + }; + static const mac_hf_list_t eth_addr = { + &hf_eth_addr, + &hf_eth_addr_resolved, + &hf_eth_addr_oui, + &hf_eth_addr_oui_resolved, + &hf_eth_lg, + &hf_eth_ig, + }; + proto_item *addr_item; - proto_tree_add_item(addr_tree, hf_eth_dst_lg, tvb, 0, 3, ENC_BIG_ENDIAN); - addr_item = proto_tree_add_item(addr_tree, hf_eth_lg, tvb, 0, 3, ENC_BIG_ENDIAN); - proto_item_set_hidden(addr_item); - proto_tree_add_item(addr_tree, hf_eth_dst_ig, tvb, 0, 3, ENC_BIG_ENDIAN); - addr_item = proto_tree_add_item(addr_tree, hf_eth_ig, tvb, 0, 3, ENC_BIG_ENDIAN); - proto_item_set_hidden(addr_item); + proto_tree_add_mac48_detail(ð_dst, ð_addr, ett_addr, tvb, tree, 0); - addr_item = proto_tree_add_ether(tree, hf_eth_src, tvb, 6, 6, src_addr); - addr_tree = proto_item_add_subtree(addr_item, ett_addr); + addr_item = proto_tree_add_mac48_detail(ð_src, ð_addr, ett_addr, tvb, tree, 6); if (check_group) { - if (tvb_get_guint8(tvb, 6) & 0x01) { + if (tvb_get_uint8(tvb, 6) & 0x01) { expert_add_info(pinfo, addr_item, &ei_eth_src_not_group); } } - addr_item = proto_tree_add_string(addr_tree, hf_eth_src_resolved, tvb, 6, 6, - src_addr_name); - proto_item_set_generated(addr_item); - proto_item_set_hidden(addr_item); - - addr_item = proto_tree_add_item(addr_tree, hf_eth_src_oui, tvb, 6, 3, ENC_NA); - proto_item_set_generated(addr_item); - proto_item_set_hidden(addr_item); - - src_oui_name = 
tvb_get_manuf_name_if_known(tvb, 6); - if (src_oui_name != NULL) { - addr_item = proto_tree_add_string(addr_tree, hf_eth_src_oui_resolved, tvb, 6, 6, src_oui_name); - proto_item_set_generated(addr_item); - proto_item_set_hidden(addr_item); - } - - proto_tree_add_ether(addr_tree, hf_eth_addr, tvb, 6, 6, src_addr); - addr_item = proto_tree_add_string(addr_tree, hf_eth_addr_resolved, tvb, 6, 6, - src_addr_name); - proto_item_set_generated(addr_item); - proto_item_set_hidden(addr_item); - - addr_item = proto_tree_add_item(addr_tree, hf_eth_addr_oui, tvb, 6, 3, ENC_NA); - proto_item_set_generated(addr_item); - proto_item_set_hidden(addr_item); - - if (src_oui_name != NULL) { - addr_item = proto_tree_add_string(addr_tree, hf_eth_addr_oui_resolved, tvb, 6, 6, src_oui_name); - proto_item_set_generated(addr_item); - proto_item_set_hidden(addr_item); - } - - proto_tree_add_item(addr_tree, hf_eth_src_lg, tvb, 6, 3, ENC_BIG_ENDIAN); - addr_item = proto_tree_add_item(addr_tree, hf_eth_lg, tvb, 6, 3, ENC_BIG_ENDIAN); - proto_item_set_hidden(addr_item); - proto_tree_add_item(addr_tree, hf_eth_src_ig, tvb, 6, 3, ENC_BIG_ENDIAN); - addr_item = proto_tree_add_item(addr_tree, hf_eth_ig, tvb, 6, 3, ENC_BIG_ENDIAN); - proto_item_set_hidden(addr_item); } static void 
@@ -428,20 +367,64 @@ export_pdu(tvbuff_t *tvb, packet_info *pinfo) } } +static struct eth_analysis * +init_eth_conversation_data(packet_info *pinfo) +{ + struct eth_analysis *ethd; + + /* Initialize the eth protocol data structure to add to the ip conversation */ + ethd=wmem_new0(wmem_file_scope(), struct eth_analysis); + + ethd->initial_frame = pinfo->num; + ethd->stream = 0; + ethd->stream = eth_stream_count++; + + return ethd; +} + +struct eth_analysis * +get_eth_conversation_data(conversation_t *conv, packet_info *pinfo) +{ + struct eth_analysis *ethd; + + /* Did the caller supply the conversation pointer? */ + if( conv==NULL ) { + return NULL; + } + + /* Get the data for this conversation */ + ethd=(struct eth_analysis *)conversation_get_proto_data(conv, proto_eth); + + if (!ethd) { + ethd = init_eth_conversation_data(pinfo); + conversation_add_proto_data(conv, proto_eth, ethd); + } + + if (!ethd) { + return NULL; + } + + return ethd; +} + static proto_tree * dissect_eth_common(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, int fcs_len) { proto_item *ti = NULL; eth_hdr *ehdr; - gboolean is_802_2; + bool is_802_2; proto_tree *fh_tree = NULL; static eth_hdr ehdrs[4]; static int ehdr_num=0; proto_tree *tree; ethertype_data_t ethertype_data; heur_dtbl_entry_t *hdtbl_entry = NULL; + struct eth_analysis *ethd=NULL; + /* a facility for not duplicating long code */ + bool needs_dissector_with_data = false; + /* Rotating buffer */ ehdr_num++; if(ehdr_num>=4){ ehdr_num=0; 
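Review bot: In `init_eth_conversation_data` the store `ethd->stream = 0;` is overwritten on the very next line by `ethd->stream = eth_stream_count++;`, and the comment still says the structure is added "to the ip conversation", which reads like a leftover from the code this was modelled on. I would drop the dead store and reword the comment to something like `/* Allocate the per-conversation Ethernet analysis data (file scope) */`. In `get_eth_conversation_data` the second `if (!ethd) return NULL;` is only reachable after `init_eth_conversation_data` has already written through the pointer, so it guards nothing and can go. Because `get_eth_conversation_data` is not `static`, a short header comment saying that it returns NULL only for a NULL `conv` and otherwise creates the data on first use would help other dissectors that call it.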
@@ -479,12 +462,12 @@ dissect_eth_common(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, destination address field; fortunately, they can be recognized by checking the first 5 octets of the destination address, which are 01-00-0C-00-00 for ISL frames. */ - if ((tvb_get_guint8(tvb, 0) == 0x01 || - tvb_get_guint8(tvb, 0) == 0x0C) && - tvb_get_guint8(tvb, 1) == 0x00 && - tvb_get_guint8(tvb, 2) == 0x0C && - tvb_get_guint8(tvb, 3) == 0x00 && - tvb_get_guint8(tvb, 4) == 0x00) { + if ((tvb_get_uint8(tvb, 0) == 0x01 || + tvb_get_uint8(tvb, 0) == 0x0C) && + tvb_get_uint8(tvb, 1) == 0x00 && + tvb_get_uint8(tvb, 2) == 0x0C && + tvb_get_uint8(tvb, 3) == 0x00 && + tvb_get_uint8(tvb, 4) == 0x00) { dissect_isl(tvb, pinfo, parent_tree, fcs_len); return fh_tree; } @@ -521,7 +504,7 @@ dissect_eth_common(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, address_with_resolution_to_str(pinfo->pool, &pinfo->dst)); fh_tree = proto_item_add_subtree(ti, ett_ether); - dissect_address_data(tvb, pinfo, fh_tree, FALSE); + dissect_address_data(tvb, pinfo, fh_tree, false); ti = proto_tree_add_item(fh_tree, hf_eth_invalid_lentype, tvb, 12, 2, ENC_BIG_ENDIAN); expert_add_info_format(pinfo, ti, &ei_eth_invalid_lentype, @@ -553,13 +536,13 @@ dissect_eth_common(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, fh_tree=NULL; } - dissect_address_data(tvb, pinfo, fh_tree, FALSE); + dissect_address_data(tvb, pinfo, fh_tree, false); dissect_802_3(ehdr->type, is_802_2, tvb, ETH_HEADER_SIZE, pinfo, parent_tree, fh_tree, hf_eth_len, hf_eth_trailer, &ei_eth_len, fcs_len); } else { if (eth_interpret_as_fw1_monitor) { - const guint8 *dst_addr = (const guint8*)pinfo->dst.data; + const uint8_t *dst_addr = (const uint8_t*)pinfo->dst.data; if ((dst_addr[0] == 'i') || (dst_addr[0] == 'I') || (dst_addr[0] == 'o') || (dst_addr[0] == 'O') || 
@@ -583,7 +566,7 @@ dissect_eth_common(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, fh_tree = proto_item_add_subtree(ti, ett_ether2); } - dissect_address_data(tvb, pinfo, fh_tree, TRUE); + dissect_address_data(tvb, pinfo, fh_tree, true); proto_tree_add_uint(fh_tree, hf_eth_type, tvb, 12, 2, ehdr->type); 
@@ -593,19 +576,87 @@ dissect_eth_common(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, ethertype_data.trailer_id = hf_eth_trailer; ethertype_data.fcs_len = fcs_len; + needs_dissector_with_data = true; + } + + /* if we still did not leave the dissection, try identifying any ETH conversation + * When deinterlacing was asked and an interface is known, create an _IN conv, + * otherwise create an ordinary _NN one. + * + */ + + unsigned conv_type = CONVERSATION_ETH_NN; + /* deinterlacing is requested */ + if(prefs.conversation_deinterlacing_key>0) { + uint32_t dtlc_iface = 0; + + if(prefs.conversation_deinterlacing_key&CONV_DEINT_KEY_INTERFACE && + pinfo->rec->presence_flags & WTAP_HAS_INTERFACE_ID) { + + conv_type = CONVERSATION_ETH_IN; + dtlc_iface = pinfo->rec->rec_header.packet_header.interface_id; + } + else { + conv_type = CONVERSATION_ETH_NN; + } + + // identify an existing conversation or create a new one + conversation_t *conv_deint = find_conversation_deinterlacer(pinfo->num, &pinfo->src, &pinfo->dst, conv_type, + dtlc_iface, 0, 0); + if(!conv_deint) { + conversation_new_deinterlacer(pinfo->num, &pinfo->src, &pinfo->dst, + conv_type, dtlc_iface, 0, 0); + } + } + + conversation_t *conv = find_conversation(pinfo->num, &pinfo->src, &pinfo->dst, conv_type, 0, 0, NO_PORT_X); + + if(!conv) { + conv = conversation_new(pinfo->num, &pinfo->src, &pinfo->dst, conv_type, 0, 0, NO_PORTS); + } + else { + /* + * while not strictly necessary because there is only 1 + * conversation between 2 IPs, we still move the last frame + * indicator as being a usual practice. 
+ */ + if (!(pinfo->fd->visited)) { + if (pinfo->num > conv->last_frame) { + conv->last_frame = pinfo->num; + } + } + } + + ethd = get_eth_conversation_data(conv, pinfo); + if(ethd) { + ehdr->stream = ethd->stream; + if(tree) { + ti = proto_tree_add_uint(fh_tree, hf_eth_stream, tvb, 0, 0, ethd->stream); + proto_item_set_generated(ti); + } + } + + if(needs_dissector_with_data) { call_dissector_with_data(ethertype_handle, tvb, pinfo, parent_tree, ðertype_data); } + return fh_tree; } +static void +eth_init(void) +{ + eth_stream_count = 0; +} + /* -------------- */ -static gboolean check_is_802_2(tvbuff_t *tvb, int fcs_len) +static bool check_is_802_2(tvbuff_t *tvb, int fcs_len) { - volatile gboolean is_802_2; + volatile bool is_802_2; volatile int length; - gint captured_length, reported_length; + int captured_length, reported_length; - is_802_2 = TRUE; + is_802_2 = true; /* Is there an 802.2 layer? I can tell by looking at the first 2 bytes after the 802.3 header. If they are 0xffff, then what @@ -615,16 +666,16 @@ static gboolean check_is_802_2(tvbuff_t *tvb, int fcs_len) TRY { if (tvb_get_ntohs(tvb, 14) == 0xffff) { - is_802_2 = FALSE; + is_802_2 = false; } /* Is this a CCSDS payload instead of an 802.2 (LLC)? Check the conditions enabled by the user for CCSDS presence */ else if (ccsds_heuristic_length || ccsds_heuristic_version || ccsds_heuristic_header || ccsds_heuristic_bit) { - gboolean CCSDS_len = TRUE; - gboolean CCSDS_ver = TRUE; - gboolean CCSDS_head = TRUE; - gboolean CCSDS_bit = TRUE; + bool CCSDS_len = true; + bool CCSDS_ver = true; + bool CCSDS_head = true; + bool CCSDS_bit = true; /* See if the reported payload size matches the size contained in the CCSDS header. */ if (ccsds_heuristic_length) { 
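Review bot: `ehdr->stream` is assigned only after the if/else chain, so in the 802.3 branch `dissect_802_3()` has already run, and may have thrown on a truncated or malformed frame, before the stream index is stored. `ehdr` points into the rotating `ehdrs[4]` buffer and `eth_conversation_packet` casts `ehdr->stream` to the conversation id, so unless the slot is reset somewhere outside these hunks, a frame whose payload dissection aborts would presumably be counted under the stream left behind by an earlier frame. Doing the conversation lookup before the branch, or at least clearing the field where the slot is filled, would keep the tap data consistent for malformed captures. The comment "only 1 conversation between 2 IPs" should also speak of MAC addresses here. The body of `dissect_eth_common` starts and ends outside this hunk.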
@@ -650,23 +701,23 @@ static gboolean check_is_802_2(tvbuff_t *tvb, int fcs_len) if (captured_length >= 6) { /* Compare length to packet length contained in CCSDS header. */ if (length != 7 + tvb_get_ntohs(tvb, ETH_HEADER_SIZE + 4)) - CCSDS_len = FALSE; + CCSDS_len = false; } } /* Check if CCSDS Version number (first 3 bits of payload) is zero */ if ((ccsds_heuristic_version) && (tvb_get_bits8(tvb, 8*ETH_HEADER_SIZE, 3)!=0)) - CCSDS_ver = FALSE; + CCSDS_ver = false; /* Check if Secondary Header Flag (4th bit of payload) is set to one. */ if ((ccsds_heuristic_header) && (tvb_get_bits8(tvb, 8*ETH_HEADER_SIZE + 4, 1)!=1)) - CCSDS_head = FALSE; + CCSDS_head = false; /* Check if spare bit (1st bit of 7th word of payload) is zero. */ if ((ccsds_heuristic_bit) && (tvb_get_bits8(tvb, 8*ETH_HEADER_SIZE + 16*6, 1)!=0)) - CCSDS_bit = FALSE; + CCSDS_bit = false; /* If all the conditions are true, don't interpret payload as an 802.2 (LLC). * Additional check in packet-802.3.c will distinguish between * IPX and CCSDS packets*/ if (CCSDS_len && CCSDS_ver && CCSDS_head && CCSDS_bit) - is_802_2 = FALSE; + is_802_2 = false; } } CATCH_BOUNDS_ERRORS { @@ -677,7 +728,6 @@ static gboolean check_is_802_2(tvbuff_t *tvb, int fcs_len) return is_802_2; } - /* * Add an Ethernet trailer - which, for some captures, might be the FCS * rather than a pad-to-60-bytes trailer. @@ -688,7 +738,8 @@ static gboolean check_is_802_2(tvbuff_t *tvb, int fcs_len) */ void add_ethernet_trailer(packet_info *pinfo, proto_tree *tree, proto_tree *fh_tree, - int trailer_id, tvbuff_t *tvb, tvbuff_t *trailer_tvb, int fcs_len) + int trailer_id, tvbuff_t *tvb, tvbuff_t *trailer_tvb, int fcs_len, + int payload_offset) { /* If there're some bytes left over, it could be a combination of: - padding to meet the minimum 64 byte frame length 
@@ -705,26 +756,71 @@ add_ethernet_trailer(packet_info *pinfo, proto_tree *tree, proto_tree *fh_tree, heur_dtbl_entry_t *hdtbl_entry; if (trailer_tvb) { - guint trailer_length, trailer_reported_length; - guint padding_length = 0; - gboolean has_fcs = FALSE; - gboolean maybe_padded = FALSE; + unsigned trailer_length, trailer_reported_length; + unsigned padding_length = 0; + bool has_fcs = false; + bool maybe_padded = false; tvbuff_t *real_trailer_tvb; trailer_length = tvb_captured_length(trailer_tvb); trailer_reported_length = tvb_reported_length(trailer_tvb); - /* There couldn't be a padding if the length of the frame (including the trailer) is still - less than 60 bytes. */ - maybe_padded = (pinfo->fd->pkt_len >= 60 && (pinfo->fd->pkt_len - trailer_reported_length) < 60); + /* Theoretically padding is added if the frame length without the FCS is + * less than 60 bytes, starting from the addresses. In practice, frames + * are often padded so that the length is 60 bytes not counting any tags + * before the final Ethertype. (I.e., padding so that the payload portion + * is 46.) + * + * Padding might be added to a frame at one point in a network, and then a + * tag or trailer added later without removing the padding. Conversely, a + * frame might have padding and a tag and trailer, and then the tag removed, + * dropping the frame below 60 octets, leading to more padding at the end, + * after the trailer. https://gitlab.com/wireshark/wireshark/-/wikis/PRP + * has useful illustrations of both situations. The heuristic trailer + * dissectors can try to deal with both situations (though looping through + * the trailer bytes increases false positives.) + * + * By increasing the minimum frame size (padding payload to 46) the former + * situation always occurs, and trailers appear at the end. 
IEEE Std + * 802.1Q-2014 G.2.1 "Treatment of PAD fields in IEEE 802.3 frames" + * and G.2.3 "Minimum PDU size" specifically state it is permissible for a + * Bridge to to adopt a minimum tagged frame length of 68 bytes (64 without + * FCS) when 802.1Q is used. Other specs don't directly address this, but + * we often see padding on frames that are more than 60 octets without FCS. + */ + int frame_len; + if (eth_padding == PADDING_ANY) { + /* This is a size at which there definitely should be padding, + * which we use with PADDING_ANY to be conservative so we don't + * mark any possible trailer as padding. Fo certain cases (tags, + * trailers, especially encapsulation like ISL, GSE Bridged Frames) + * some padding will be classified as trailer. + */ + frame_len = pinfo->fd->pkt_len; + } else { + /* This is the size up to which there might be padding, if padding + * was added before adding tags after the first ethertype. + * Use this if we're testing PADDING_ZERO, which is strict. + * Consecutive zeroes up to this point will be padding, + * anything starting with the first non-zero will be trailer. + */ + frame_len = tvb_reported_length(tvb) + (14 - payload_offset); + } + maybe_padded = (frame_len >= 60 && (frame_len - trailer_reported_length) < 60); if (eth_padding != PADDING_NONE && maybe_padded) { - padding_length = 60 - (pinfo->fd->pkt_len - trailer_reported_length); + /* XXX: There could be another 4 bytes of padding if a Bridge extends + * the minimum frame size of 68 on untagged fraomes, see discussion + * above of IEEE 802.1Q Annex G. If we require padding to be zeros, + * we could possibly use 64 instead of 60. (Too many false positives + * with PADDING_ANY.) 
+ */ + padding_length = 60 - (frame_len - trailer_reported_length); /* Require padding to be zeros */ if (eth_padding == PADDING_ZEROS) { - for (guint i = 0; i < padding_length; i++) { - if (tvb_get_gint8(trailer_tvb, i) != 0) { - padding_length = 0; + for (unsigned i = 0; i < padding_length; i++) { + if (tvb_get_int8(trailer_tvb, i) != 0) { + padding_length = i; break; } } @@ -739,12 +835,29 @@ add_ethernet_trailer(packet_info *pinfo, proto_tree *tree, proto_tree *fh_tree, } } + int payload_length = tvb_reported_length(tvb) - payload_offset; + bool dissected = false; + + if (fcs_len != 4) { + /* Try trailer dissection without an FCS */ + real_trailer_tvb = tvb_new_subset_remaining(trailer_tvb, padding_length); + /* Call all ethernet trailer dissectors to dissect the trailer if + we actually have a trailer. The PRP trailer dissector wants + to know about the payload (LSDU) length. */ + if (tvb_reported_length(real_trailer_tvb) != 0) { + dissected = dissector_try_heuristic(eth_trailer_subdissector_list, + real_trailer_tvb, pinfo, tree, + &hdtbl_entry, &payload_length); + } + } + if (fcs_len != 0) { /* If fcs_len is 4, we assume we definitely have an FCS. - Otherwise, then, if the frame is big enough that, if we + If fcs_len is -1, if the frame is big enough that, if we have a trailer, it probably includes an FCS, and we have - enough space in the trailer for the FCS, we assume we - have an FCS. + enough space in the trailer for the FCS, and we didn't + have a heuristic trailer dissector successfully dissect + without an FCS, we assume we have an FCS. "Big enough" means 64 bytes or more; any frame that big needs no trailer, as there's no need to pad an Ethernet 
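Review bot: The new `payload_offset` parameter is used unchecked in `frame_len = tvb_reported_length(tvb) + (14 - payload_offset);` here and in `payload_length = tvb_reported_length(tvb) - payload_offset;` in the following hunk, and both results are signed `int`s that are then combined with the unsigned `trailer_reported_length`. A caller passing an offset larger than the reported length would yield negative values, and `frame_len - trailer_reported_length` is evaluated as unsigned, so the `< 60` test depends on wraparound whenever the trailer is longer than `frame_len`. I would state the expected range of `payload_offset` in the function's header comment and write the constant as `ETH_HEADER_SIZE - payload_offset`, matching the `payload_offset == ETH_HEADER_SIZE` test this commit uses for the FCS check. The added comments also carry small slips worth fixing: "to to adopt", "Fo certain cases", "fraomes", and `PADDING_ZERO` where the constant is `PADDING_ZEROS`.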
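Review bot: The heuristic call added here passes `&payload_length`, the address of a local `int`, where the removed call passed NULL, so every dissector registered on `eth.trailer` gets a new `data` contract that nothing in the hunk documents. A comment at the call such as `/* data: int *, reported length of tvb minus payload_offset; valid only during the call */` would make clear that the pointer must not be retained and what the value includes. With `fcs_len == -1` the list can also be tried twice on overlapping bytes, once here and again after the FCS is sliced off in the later hunk, so it is worth noting that a heuristic must not leave tree items or state behind before returning false.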
@@ -752,22 +865,13 @@ add_ethernet_trailer(packet_info *pinfo, proto_tree *tree, proto_tree *fh_tree, XXX: This is not quite true. See IEEE Std 802.1Q-2014 G.2.1 "Treatment of PAD fields in IEEE 802.3 frames" and - G.2.3 "Minimum PDU size." It is permissible for a Bridge - to adopt a minimum tagged frame length of 68 bytes (64 - without counting FCS) to avoid having to remove up to 4 - octets of padding when receiving an untagged padded IEEE - 802.3 frame and adding tagging to it, it being easier to - add extra padding than to remove it. (Illustrated at - https://gitlab.com/wireshark/wireshark/-/wikis/PRP ) - The same calculation with 4 more octets can apply to 802.1ad - QinQ. These cases are hard to deal with, though, especially - if PADDING_ANY is set. + G.2.3 "Minimum PDU size" and the discussion above. The trailer must be at least 4 bytes long to have enough space for an FCS. */ - if (fcs_len == 4 || (tvb_reported_length(tvb) >= 64 && - trailer_reported_length >= 4)) { + if (fcs_len == 4 || (fcs_len == -1 && !dissected && + frame_len >= 64 && trailer_reported_length >= 4)) { /* Either we know we have an FCS, or we believe we have an FCS. */ if (trailer_length < trailer_reported_length) { /* The packet is claimed to have enough data for a 4-byte FCS, 
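Review bot: The `fcs_len == 4` arm of the rewritten condition still bypasses the `trailer_reported_length >= 4` test, and the next hunk then performs `trailer_length -= 4` and `trailer_reported_length -= 4` on unsigned values. If `trailer_tvb` can arrive with fewer than four reported bytes left (for instance through a forced-FCS handle on a short or padded frame; the padding bookkeeping is outside these hunks), the lengths wrap and are passed to `tvb_new_subset_length_caplen` and later to `tvb_get_ntohl`. Hoisting the size test, `if (trailer_reported_length >= 4 && (fcs_len == 4 || (fcs_len == -1 && !dissected && frame_len >= 64)))`, covers both arms. The tvb layer presumably turns the wrapped values into a bounds exception today, but an explicit guard states the intent and does not rely on that.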
@@ -777,61 +881,61 @@ add_ethernet_trailer(packet_info *pinfo, proto_tree *tree, proto_tree *fh_tree, length; that will slice off what of the FCS, if any, is in the captured packet. */ trailer_reported_length -= 4; - if (trailer_length > trailer_reported_length) + if (trailer_length > trailer_reported_length) { + payload_length -= (trailer_length - trailer_reported_length); trailer_length = trailer_reported_length; - has_fcs = TRUE; + } + has_fcs = true; } else { /* We captured all of the packet, including what appears to be a 4-byte FCS. Slice it off. */ trailer_length -= 4; trailer_reported_length -= 4; - has_fcs = TRUE; + payload_length -= 4; + has_fcs = true; + } + + real_trailer_tvb = tvb_new_subset_length_caplen(trailer_tvb, padding_length, + trailer_length, trailer_reported_length); + + /* Call all ethernet trailer dissectors to dissect the trailer if + we actually have a trailer. */ + if (tvb_reported_length(real_trailer_tvb) != 0) { + dissected = dissector_try_heuristic(eth_trailer_subdissector_list, + real_trailer_tvb, pinfo, tree, + &hdtbl_entry, &payload_length); } } } - /* Create a new tvb without the padding and/or the (assumed) fcs */ - if (fcs_len==4) - real_trailer_tvb = tvb_new_subset_length_caplen(trailer_tvb, padding_length, - trailer_length, trailer_reported_length); - else - real_trailer_tvb = tvb_new_subset_remaining(trailer_tvb, padding_length); - - /* Call all ethernet trailer dissectors to dissect the trailer if - we actually have a trailer. 
*/ - if (tvb_reported_length(real_trailer_tvb) != 0) { - if (dissector_try_heuristic(eth_trailer_subdissector_list, - real_trailer_tvb, pinfo, tree, &hdtbl_entry, NULL) ) { - /* If we're not sure that there is a FCS, all trailer data - has been given to the ethernet-trailer dissector, so - stop dissecting here */ - if (fcs_len!=4) - return; - } else { - /* No luck with the trailer dissectors, so just display the - extra bytes as general trailer */ - if (trailer_length != 0) { - tvb_ensure_bytes_exist(tvb, 0, trailer_length); - proto_item *pi = proto_tree_add_item(fh_tree, trailer_id, real_trailer_tvb, 0, - trailer_length, ENC_NA); - if (maybe_padded) { - if (eth_padding == PADDING_ANY && padding_length > 0) { - expert_add_info_format(pinfo, pi, &ei_eth_padding_bad, - "Padding was assumed, and an undecoded trailer exists. Some of the trailer may have been consumed by padding."); - } - else if (eth_padding == PADDING_ZEROS && padding_length == 0) { - expert_add_info_format(pinfo, pi, &ei_eth_padding_bad, - "Didn't find padding of zeros, and an undecoded trailer exists. There may be padding of non-zeros."); - } + if (!dissected) { + /* No luck with the trailer dissectors, so just display the + extra bytes as general trailer */ + if (trailer_length != 0) { + tvb_ensure_bytes_exist(real_trailer_tvb, 0, trailer_length); + proto_item *pi = proto_tree_add_item(fh_tree, trailer_id, real_trailer_tvb, 0, + trailer_length, ENC_NA); + if (maybe_padded) { + if (eth_padding == PADDING_ANY && padding_length > 0) { + expert_add_info_format(pinfo, pi, &ei_eth_padding_bad, + "Padding was assumed, and an undecoded trailer exists. Some of the trailer may have been consumed by padding."); + } + else if (eth_padding == PADDING_ZEROS && padding_length == 0) { + expert_add_info_format(pinfo, pi, &ei_eth_padding_bad, + "Didn't find padding of zeros, and an undecoded trailer exists. 
There may be padding of non-zeros."); } } } } if (has_fcs) { - guint32 sent_fcs = tvb_get_ntohl(trailer_tvb, padding_length+trailer_length); - if(eth_check_fcs){ - guint32 fcs = crc32_802_tvb(tvb, tvb_captured_length(tvb) - 4); + uint32_t sent_fcs = tvb_get_ntohl(trailer_tvb, padding_length+trailer_length); + /* If we don't have the entire header, we can't actually check the FCS. + * Dissectors that don't have the entire header (say, a tag) probably + * should have set fcs_len to zero in the ethertype_data struct. + * XXX: Maybe add an expert info saying why we aren't checking the FCS? */ + if (eth_check_fcs && payload_offset == ETH_HEADER_SIZE) { + uint32_t fcs = crc32_802_tvb(tvb, tvb_captured_length(tvb) - 4); proto_tree_add_checksum(fh_tree, trailer_tvb, padding_length+trailer_length, hf_eth_fcs, hf_eth_fcs_status, &ei_eth_fcs_bad, pinfo, fcs, ENC_BIG_ENDIAN, PROTO_CHECKSUM_VERIFY); if (fcs != sent_fcs) { @@ -854,7 +958,7 @@ dissect_eth(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data) struct eth_phdr *eth = (struct eth_phdr *)data; proto_tree *fh_tree; tvbuff_t *real_tvb; - gint fcs_len; + int fcs_len; if (eth && eth->fcs_len != -1) { /* Use the value reported from Wiretap, if known. */ 
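Review bot: `payload_length` is adjusted differently in the two FCS branches: the fully captured case does `payload_length -= 4;`, while the truncated case subtracts only `trailer_length - trailer_reported_length`, i.e. the part of the FCS that happened to be captured, and nothing at all when none of it was. Since `payload_length` is derived from `tvb_reported_length(tvb)`, the value handed to the trailer heuristics would then vary with the snapshot length. If the intent is to exclude the FCS from it, `payload_length -= 4;` belongs outside the inner `if` in the truncated branch as well. The enclosing `add_ethernet_trailer` body starts and ends outside this hunk.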
@@ -879,14 +983,14 @@ dissect_eth(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data) properly dissect. */ if ( (eth_trailer_length > 0) && (eth_trailer_length < tvb_captured_length(real_tvb)) ) { tvbuff_t *next_tvb; - guint total_trailer_length = eth_trailer_length; + unsigned total_trailer_length = eth_trailer_length; /* If we have to guess if the trailer includes the FCS, assume not; the * user probably set the "eth_trailer_length" preference to the total * trailer length. The user has already set the preference, so should * have little difficulty changing it or the "fcs" preference if need be. */ - total_trailer_length += (fcs_len < 0 ? 0 : (guint)fcs_len); + total_trailer_length += (fcs_len < 0 ? 0 : (unsigned)fcs_len); /* Dissect the tvb up to, but not including the trailer */ next_tvb = tvb_new_subset_length_caplen(real_tvb, 0, @@ -897,7 +1001,7 @@ dissect_eth(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data) /* Now handle the ethernet trailer and optional FCS */ next_tvb = tvb_new_subset_remaining(real_tvb, tvb_captured_length(real_tvb) - total_trailer_length); add_ethernet_trailer(pinfo, tree, fh_tree, hf_eth_trailer, real_tvb, next_tvb, - fcs_len); + fcs_len, ETH_HEADER_SIZE); } else { dissect_eth_common(real_tvb, pinfo, tree, fcs_len); } @@ -932,6 +1036,8 @@ dissect_eth_maybefcs(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* void proto_register_eth(void) { + register_init_routine(eth_init); + static hf_register_info hf[] = { { &hf_eth_dst, 
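Review bot: The guard in the `@@ -879` hunk compares only `eth_trailer_length` with `tvb_captured_length(real_tvb)`, but `fcs_len` is added to `total_trailer_length` afterwards, so the unsigned subtraction `tvb_captured_length(real_tvb) - total_trailer_length` wraps for a frame shorter than trailer plus FCS; the same expression is used again in the `@@ -897` hunk just before `add_ethernet_trailer`. The tvb subset calls presumably reject the resulting length or offset with a bounds exception rather than reading out of range, but a short or crafted frame would then be flagged as malformed instead of being dissected. I would re-check after the addition, e.g. `if (total_trailer_length >= tvb_captured_length(real_tvb)) { dissect_eth_common(real_tvb, pinfo, tree, fcs_len); }`, with the trailer path moved into the `else`. dissect_eth starts and ends outside both hunks, so the surrounding control flow needs confirming before this is applied.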
@@ -1041,9 +1147,13 @@ proto_register_eth(void) { &hf_eth_ig, { "IG bit", "eth.ig", FT_BOOLEAN, 24, TFS(&ig_tfs), 0x010000, - "Specifies if this is an individual (unicast) or group (broadcast/multicast) address", HFILL }} + "Specifies if this is an individual (unicast) or group (broadcast/multicast) address", HFILL }}, + + { &hf_eth_stream, + { "Stream index", "eth.stream", FT_UINT32, BASE_DEC, NULL, 0x0, + NULL, HFILL }} }; - static gint *ett[] = { + static int *ett[] = { &ett_ieee8023, &ett_ether2, &ett_ether, @@ -1068,8 +1178,8 @@ proto_register_eth(void) expert_register_field_array(expert_eth, ei, array_length(ei)); /* subdissector code */ - heur_subdissector_list = register_heur_dissector_list("eth", proto_eth); - eth_trailer_subdissector_list = register_heur_dissector_list("eth.trailer", proto_eth); + heur_subdissector_list = register_heur_dissector_list_with_description("eth", "Ethernet framed non-Ethernet data", proto_eth); + eth_trailer_subdissector_list = register_heur_dissector_list_with_description("eth.trailer", "Ethernet trailer", proto_eth); /* Register configuration preferences */ eth_module = prefs_register_protocol(proto_eth, NULL); @@ -1089,7 +1199,7 @@ proto_register_eth(void) "Any - Any bytes after the payload up to the minimum ethernet frame " "size will be treated as padding. Additional bytes will be considered " "trailer.", - ð_padding, eth_padding_vals, FALSE); + ð_padding, eth_padding_vals, false); prefs_register_uint_preference(eth_module, "trailer_length", "Fixed ethernet trailer length", @@ -1106,7 +1216,7 @@ proto_register_eth(void) "The Ethernet dissector then attempts to guess whether a captured packet has an FCS, " "but it cannot always guess correctly. This option can override that heuristic " "and assume that the FCS is either never or always present in such cases.", - ð_fcs, eth_fcs_vals, FALSE); + ð_fcs, eth_fcs_vals, false); prefs_register_bool_preference(eth_module, "check_fcs", "Validate the Ethernet checksum if possible", 
@@ -1155,7 +1265,7 @@ proto_register_eth(void) eth_maybefcs_handle = register_dissector("eth_maybefcs", dissect_eth_maybefcs, proto_eth); eth_tap = register_tap("eth"); - register_conversation_table(proto_eth, TRUE, eth_conversation_packet, eth_endpoint_packet); + register_conversation_table(proto_eth, true, eth_conversation_packet, eth_endpoint_packet); register_conversation_filter("eth", "Ethernet", eth_filter_valid, eth_build_filter, NULL); register_capture_dissector("eth", capture_eth, proto_eth); |