1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
|
/* packet-ixiatrailer.c
* Routines for Ixia trailer parsing
*
* Dissector for Ixia Network Visibility Solutions trailer
* Copyright Ixia 2012
*
* Wireshark - Network traffic analyzer
* By Gerald Combs <gerald@wireshark.org>
* Copyright 1998 Gerald Combs
*
* SPDX-License-Identifier: GPL-2.0-or-later
*/
#include "config.h"
#include <epan/packet.h>
#include <wsutil/pint.h>
#include <epan/prefs.h>
#include <epan/in_cksum.h>
#include <epan/expert.h>
void proto_register_ixiatrailer(void);
void proto_reg_handoff_ixiatrailer(void);
/* Trailer "magic number". */
#define IXIA_PATTERN 0xAF12
/* Trailer TLV types.
TODO: which of these typestamp types are currently supported?
Should lose the rest!! */
#define IXIATRAILER_FTYPE_ORIGINAL_PACKET_SIZE 1
#define IXIATRAILER_FTYPE_TIMESTAMP_LOCAL 3
#define IXIATRAILER_FTYPE_TIMESTAMP_NTP 4
#define IXIATRAILER_FTYPE_TIMESTAMP_GPS 5
#define IXIATRAILER_FTYPE_TIMESTAMP_1588 6 /* PTP */
#define IXIATRAILER_FTYPE_TIMESTAMP_HOLDOVER 7
static const value_string ixiatrailer_ftype_timestamp[] = {
{ IXIATRAILER_FTYPE_TIMESTAMP_LOCAL, "Local" },
{ IXIATRAILER_FTYPE_TIMESTAMP_NTP, "NTP" },
{ IXIATRAILER_FTYPE_TIMESTAMP_GPS, "GPS" },
{ IXIATRAILER_FTYPE_TIMESTAMP_1588, "PTP" },
{ IXIATRAILER_FTYPE_TIMESTAMP_HOLDOVER, "Holdover" },
{ 0, NULL }
};
/* Preference settings */
static gboolean ixiatrailer_summary_in_tree = TRUE;
static int proto_ixiatrailer = -1;
static gint ett_ixiatrailer = -1;
static int hf_ixiatrailer_packetlen = -1;
static int hf_ixiatrailer_timestamp = -1;
static int hf_ixiatrailer_generic = -1;
static expert_field ei_ixiatrailer_field_length_invalid = EI_INIT;
/* The trailer begins with a sequence of TLVs, each of which has a
1-byte type, a 1-byte value length (not TLV length, so the TLV
length is the value length + 2), and a variable-length value.
Following the sequence of TLVs is:
a 1-byte field giving the length of the sequence of TLVs;
a 2-byte big-endian signature field with the value 0xAF12;
a 2-byte big-endian checksum field, covering the sequence
of TLVs, the sequence length, and the signature.
*/
static int
dissect_ixiatrailer(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, void *data _U_)
{
proto_tree *ti;
guint tvblen, trailer_length, field_length;
gboolean matched_without_fcs, matched_with_fcs;
proto_tree *ixiatrailer_tree = NULL;
guint offset = 0;
guint16 cksum, comp_cksum;
vec_t vec;
guint8 field_type;
/* A trailer must, at minimum, include:
a "original packet size" TLV, with 1 byte of type, 1 byte of
value length, and 2 bytes of original packet ize;
1 byte of trailer length;
2 bytes of signature;
2 bytes of trailer checksum;
for a total of 9 bytes. */
tvblen = tvb_reported_length(tvb);
if (tvblen != tvb_captured_length(tvb)) {
/* The heuristic check includes a checksum check, so we need the
*entire* trailer to have been captured; if it wasn't, we don't
try to check it. */
return 0;
}
if (tvblen < 9) {
/* This is too short, so it cannot be a valid Ixia trailer. */
return 0;
}
/* Depending upon the ethernet preference "Assume packets have FCS", we
may be given those 4 bytes too.
Try checking two locations for our pattern. */
if (tvblen == 23) {
tvblen = 19;
}
/* 3rd & 4th bytes from the end must match our pattern.
First, try under the assumption that the tvbuff doesn't include
the FCS. */
matched_without_fcs = (tvb_get_ntohs(tvb, tvblen-4) == IXIA_PATTERN);
/* If that didn't match, is the tvbuff big enough to include an Ixia
trailer *and* an FCS? If so, try under that assumption. */
if (!matched_without_fcs && tvblen >= 13)
matched_with_fcs = (tvb_get_ntohs(tvb, tvblen-(4+4)) == IXIA_PATTERN);
else
matched_with_fcs = FALSE;
if (!matched_without_fcs) {
if (!matched_with_fcs) {
/* Neither matched, so no Ixia trailer. */
return 0;
}
/* Matched under the assumption that we have an FCS, so let's
act as if that's the case. Remove the FCS length from the
tvbuff. */
tvblen -= 4;
}
/* Read Trailer-length field */
trailer_length = tvb_get_guint8(tvb, tvblen-5);
/* Should match overall length of trailer */
if ((tvblen-5) != trailer_length) {
return 0;
}
/* Last 2 bytes are the checksum */
cksum = tvb_get_ntohs(tvb, tvblen-2);
/* Verify the checksum; if not valid, it means that the trailer is not valid */
SET_CKSUM_VEC_TVB(vec, tvb, offset, trailer_length + 3);
comp_cksum = in_cksum(&vec, 1);
if (pntoh16(&comp_cksum) != cksum) {
return 0;
}
/* OK: We have our trailer - create protocol root */
ti = proto_tree_add_item(tree, proto_ixiatrailer, tvb, offset, trailer_length + 5, ENC_NA);
/* Append summary to item, if configured to */
if (ixiatrailer_summary_in_tree) {
proto_item_append_text(ti, ", Length: %u, Checksum: 0x%x", trailer_length, cksum);
}
/* Create subtree */
ixiatrailer_tree = proto_item_add_subtree(ti, ett_ixiatrailer);
while (offset < trailer_length - 2)
{
field_type = tvb_get_guint8(tvb, offset++);
field_length = tvb_get_guint8(tvb, offset++);
switch (field_type) {
case IXIATRAILER_FTYPE_ORIGINAL_PACKET_SIZE:
if (field_length != 2){
expert_add_info_format(pinfo, ti, &ei_ixiatrailer_field_length_invalid, "Field length %u invalid", field_length);
break;
}
ti = proto_tree_add_item(ixiatrailer_tree, hf_ixiatrailer_packetlen, tvb, offset, field_length, ENC_BIG_ENDIAN);
proto_item_append_text(ti, " bytes");
break;
case IXIATRAILER_FTYPE_TIMESTAMP_LOCAL:
case IXIATRAILER_FTYPE_TIMESTAMP_NTP:
case IXIATRAILER_FTYPE_TIMESTAMP_GPS:
case IXIATRAILER_FTYPE_TIMESTAMP_1588:
case IXIATRAILER_FTYPE_TIMESTAMP_HOLDOVER:
if (field_length != 8) {
expert_add_info_format(pinfo, ti, &ei_ixiatrailer_field_length_invalid, "Field length %u invalid", field_length);
break;
}
/* Timestamp */
ti = proto_tree_add_item(ixiatrailer_tree, hf_ixiatrailer_timestamp, tvb, offset, field_length, ENC_TIME_SECS_NSECS|ENC_BIG_ENDIAN);
proto_item_append_text(ti, "; Source: %s", val_to_str_const(field_type, ixiatrailer_ftype_timestamp, "Unknown"));
break;
default:
/* Not a recognized time format - just show as bytes */
ti = proto_tree_add_item(ixiatrailer_tree, hf_ixiatrailer_generic, tvb, offset, field_length, ENC_NA);
proto_item_append_text(ti, " [Id: %u, Length: %u bytes]", field_type, field_length);
break;
};
offset += field_length;
}
/* We are claiming all of the bytes */
return tvblen;
}
void
proto_register_ixiatrailer(void)
{
static hf_register_info hf[] = {
{ &hf_ixiatrailer_packetlen, {
"Original packet length", "ixiatrailer.packetlen", FT_UINT16, BASE_DEC,
NULL, 0x0, NULL, HFILL }},
{ &hf_ixiatrailer_timestamp, {
"Time Stamp", "ixiatrailer.timestamp", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
NULL, 0x0, NULL, HFILL }},
{ &hf_ixiatrailer_generic, {
"Generic Field", "ixiatrailer.generic", FT_BYTES, BASE_NONE,
NULL, 0x0, NULL, HFILL }},
};
static gint *ixiatrailer_ett[] = {
&ett_ixiatrailer
};
static ei_register_info ei[] = {
{ &ei_ixiatrailer_field_length_invalid, { "ixiatrailer.field_length_invalid", PI_MALFORMED, PI_ERROR, "Field length invalid", EXPFILL }},
};
module_t *ixiatrailer_module;
expert_module_t* expert_ixiatrailer;
proto_ixiatrailer = proto_register_protocol("Ixia Trailer", "IXIATRAILER", "ixiatrailer");
proto_register_field_array(proto_ixiatrailer, hf, array_length(hf));
proto_register_subtree_array(ixiatrailer_ett, array_length(ixiatrailer_ett));
expert_ixiatrailer = expert_register_protocol(proto_ixiatrailer);
expert_register_field_array(expert_ixiatrailer, ei, array_length(ei));
ixiatrailer_module = prefs_register_protocol(proto_ixiatrailer, NULL);
prefs_register_bool_preference(ixiatrailer_module, "summary_in_tree",
"Show trailer summary in protocol tree",
"Whether the trailer summary line should be shown in the protocol tree",
&ixiatrailer_summary_in_tree);
}
void
proto_reg_handoff_ixiatrailer(void)
{
/* Check for Ixia format in the ethernet trailer */
heur_dissector_add("eth.trailer", dissect_ixiatrailer, "Ixia Trailer", "ixiatrailer_eth", proto_ixiatrailer, HEURISTIC_ENABLE);
}
/*
* Editor modelines - https://www.wireshark.org/tools/modelines.html
*
* Local Variables:
* c-basic-offset: 2
* tab-width: 8
* indent-tabs-mode: nil
* End:
*
* ex: set shiftwidth=2 tabstop=8 expandtab:
* :indentSize=2:tabSize=8:noTabs=true:
*/
|