1 /* EtherApe
2 * Copyright (C) 2001 Juan Toledo, Riccardo Ghetta
3 *
4 * This file is mostly a rehash of algorithms found in
5 * packet-*. of ethereal
6 *
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 2 of the License, or
10 * (at your option) any later version.
11 *
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
16 *
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, see <http://www.gnu.org/licenses/>.
19 */
20
21 #ifdef HAVE_CONFIG_H
22 #include "config.h"
23 #endif
24
25 #include "appdata.h"
26 #include <ctype.h>
27 #include <string.h>
28 #ifdef HAVE_SYS_TYPES_H
29 #include <sys/types.h>
30 #endif
31 #ifdef HAVE_SYS_SOCKET_H
32 #include <sys/socket.h>
33 #endif
34 #ifdef HAVE_NETINET_IN_H
35 #include <netinet/in.h>
36 #endif
37 #ifdef HAVE_ARPA_INET_H
38 #include <arpa/inet.h>
39 #endif
40
41 #include <pcap.h> /* for DLT_* */
42
43 #include "prot_types.h"
44 #include "util.h"
45 #include "decode_proto.h"
46 #include "protocols.h"
47 #include "conversations.h"
48 #include "datastructs.h"
49 #include "preferences.h"
50 #include "node.h"
51 #include "links.h"
52 #include "names/names.h"
53
54 #define TCP_FTP 21
55 #define TCP_NETBIOS_SSN 139
56 #define UDP_NETBIOS_NS 138
57
58 /* Enums */
59 enum rpc_type
60 {
61 RPC_CALL = 0,
62 RPC_REPLY = 1
63 };
64
65 enum rpc_program
66 {
67 PORTMAP_PROGRAM = 100000,
68 NFS_PROGRAM = 100003,
69 YPSERV_PROGRAM = 100004,
70 MOUNT_PROGRAM = 100005,
71 YPBIND_PROGRAM = 100007,
72 YPPASSWD_PROGRAM = 100009,
73 REXEC_PROGRAM = 100017,
74 STAT_PROGRAM = 100024,
75 BOOTPARAMS_PROGRAM = 100026,
76 NLM_PROGRAM = 100021,
77 YPXFR_PROGRAM = 100069,
78 KERBPROG_PROGRAM = 100078
79 };
80
81 /* internal struct - decode helper */
82 typedef struct
83 {
84 const guint8 *original_packet; /* original start of packet */
85 guint original_len; /* total captured lenght */
86
87 const guint8 *cur_packet; /* pointer to current level start of packet */
88 guint cur_len; /* current level remaining length */
89
90 /* decode outputs */
91
92 packet_protos_t *pr_stack; /* detected protocol stack */
93 guint pr_cur_level; /* current protocol depth on stack */
94
95 /* node ids */
96 node_id_t dst_node_id;
97 node_id_t src_node_id;
98
99 /* These are used for conversations */
100 address_t global_src_address;
101 address_t global_dst_address;
102 guint16 global_src_port;
103 guint16 global_dst_port;
104 } decode_proto_t;
105
106 /* extracts the protocol stack from packet */
107 static void decode_protocol_stack(decode_proto_t *dp, packet_protos_t *protostack_tofill,
108 const guint8 *pkt, guint cap_len);
109
110 /* sets protoname at current level, and passes at next level */
111 static void decode_proto_add(decode_proto_t *dp, const gchar *proto);
112 static void decode_proto_add_fmt(decode_proto_t *dp, const gchar *fmt, ...);
113
114 /* advances current packet start to prepare for next protocol */
115 static void add_offset(decode_proto_t *dp, guint offset);
116
117 static void add_node_packet(node_t *node,
118 packet_info_t *packet,
119 packet_direction direction);
120
121 /* decoder func proto */
122 typedef void (*get_fun)(decode_proto_t *dp);
123
124 /* specific decoders declarations */
125 static void get_loop(decode_proto_t *dp);
126 static void get_eth_type(decode_proto_t *dp);
127 static void get_fddi_type(decode_proto_t *dp);
128 static void get_ieee802_5_type(decode_proto_t *dp);
129 static void get_eth_II(decode_proto_t *dp, etype_t etype);
130 static void get_eth_802_3(decode_proto_t *dp, ethhdrtype_t ethhdr_type);
131 static void get_radiotap(decode_proto_t *dp);
132 #if defined(DLT_PPI)
133 static void get_ppi(decode_proto_t *dp);
134 #endif
135 static void get_wlan(decode_proto_t *dp);
136 static void get_linux_sll(decode_proto_t *dp);
137
138 static void get_llc(decode_proto_t *dp);
139 static void get_ip(decode_proto_t *dp);
140 static void get_ipx(decode_proto_t *dp);
141 static void get_tcp(decode_proto_t *dp);
142 static void get_udp(decode_proto_t *dp);
143
144 static void get_netbios(decode_proto_t *dp);
145 static void get_netbios_ssn(decode_proto_t *dp);
146 static void get_netbios_dgm(decode_proto_t *dp);
147 static void get_ftp(decode_proto_t *dp);
148
149 static gboolean get_rpc(decode_proto_t *dp, gboolean is_udp);
150 static guint16 choose_port(guint16 a, guint16 b);
151 static void append_etype_prot(decode_proto_t *dp, etype_t etype);
152
153 /* etherape has to handle several data link layer (OSI L2) packet types.
154 * The following table tries to make easier adding new types.
155 * End of table is signaled by an entry with lt_desc NULL */
156 typedef struct linktype_data_tag
157 {
158 const gchar *lt_desc; /* linktype description */
159 unsigned int dlt_linktype; /* pcap link type (DLT_xxxx defines) */
160 apemode_t l2_idtype; /* link level address slot in node_id_t */
161 get_fun fun; /* linktype base decoder function */
162 } linktype_data_t;
163
164
165
166 /* current link type entry */
167 const linktype_data_t *lkentry = NULL;
168
169 static linktype_data_t linktypes[] = {
170 {"Ethernet", DLT_EN10MB, LINK6, get_eth_type },
171 {"RAW", DLT_RAW, IP, get_ip }, /* raw IP like PPP,SLIP */
172 #ifdef DLT_LINUX_SLL
173 {"LINUX_SLL", DLT_LINUX_SLL, IP, get_linux_sll }, /* Linux cooked */
174 #endif
175 {"BSD Loopback", DLT_NULL, IP, get_loop }, /* ignore l2 data */
176 {"OpenBSD Loopback", DLT_LOOP, IP, get_loop }, /* ignore l2 data */
177 {"FDDI", DLT_FDDI, LINK6, get_fddi_type },
178 {"IEEE802.5", DLT_IEEE802, LINK6, get_ieee802_5_type }, /* Token Ring */
179 {"WLAN", DLT_IEEE802_11, LINK6, get_wlan },
180 /* Wireless with radiotap header */
181 {"WLAN+RTAP", DLT_IEEE802_11_RADIO, LINK6, get_radiotap },
182 #if defined(DLT_PPI)
183 {"PPI", DLT_PPI, LINK6, get_ppi }, /* PPI encapsulation */
184 #endif
185 {NULL, 0, 0, NULL } /* terminating entry, must be last */
186 };
187
188 /* ------------------------------------------------------------
189 * L2 offset decoders
190 * ------------------------------------------------------------*/
191
192 /* Sets the correct linktype entry. Returns false if not found */
setup_link_type(unsigned int linktype)193 gboolean setup_link_type(unsigned int linktype)
194 {
195 int i;
196
197 lkentry = NULL;
198 for (i = 0; linktypes[i].lt_desc != NULL; ++i) {
199 if (linktypes[i].dlt_linktype == linktype) {
200 lkentry = linktypes + i;
201 g_my_info(_("Link type is %s"), lkentry->lt_desc);
202 return TRUE;
203 }
204 }
205
206 return FALSE; /* link type not supported */
207 }
208
209 /* true if current device captures l2 data */
has_linklevel(void)210 gboolean has_linklevel(void)
211 {
212 if (lkentry)
213 return lkentry->l2_idtype == LINK6;
214 else
215 return FALSE;
216 }
217
218 /* ------------------------------------------------------------
219 * Implementation
220 * ------------------------------------------------------------*/
decode_proto_add(decode_proto_t * dp,const gchar * proto)221 static void decode_proto_add(decode_proto_t *dp, const gchar *proto)
222 {
223 if (dp->pr_cur_level <= STACK_SIZE) {
224 dp->pr_stack->protonames[dp->pr_cur_level] = g_strdup(proto);
225 dp->pr_cur_level++;
226 }
227 else
228 g_warning("protocol \"%.10s\" too deeply nested, ignored", proto ? proto : "");
229 }
decode_proto_add_fmt(decode_proto_t * dp,const gchar * fmt,...)230 static void decode_proto_add_fmt(decode_proto_t *dp, const gchar *fmt, ...)
231 {
232 va_list ap;
233 if (dp->pr_cur_level <= STACK_SIZE) {
234 va_start(ap, fmt);
235 dp->pr_stack->protonames[dp->pr_cur_level] = g_strdup_vprintf(fmt, ap);
236 va_end(ap);
237 dp->pr_cur_level++;
238 }
239 else
240 g_warning("protocol \"%.10s\" too deeply nested, ignored", fmt ? fmt : "");
241 }
242
add_offset(decode_proto_t * dp,guint offset)243 static void add_offset(decode_proto_t *dp, guint offset)
244 {
245 if (dp->cur_len < offset)
246 dp->cur_len = 0; /* no usable data remaining */
247 else {
248 dp->cur_packet += offset;
249 dp->cur_len -= offset;
250 }
251 }
252
253 /* This function is called everytime there is a new packet in
254 * the network interface. It then updates traffic information
255 * for the appropriate nodes and links
256 * Receives both the captured (raw) size and the original packet size */
packet_acquired(guint8 * cap_bytes,guint cap_size,guint orig_size)257 void packet_acquired(guint8 *cap_bytes, guint cap_size, guint orig_size)
258 {
259 packet_info_t *packet;
260 link_id_t link_id;
261 decode_proto_t decp;
262 node_t *src_node;
263 node_t *dst_node;
264
265 if (!lkentry || !lkentry->fun) {
266 g_error(_("Data link entry not initialized"));
267 return; /* g_error() should abort, but just to be sure ... */
268 }
269
270 /* create a packet structure to hold data */
271 packet = g_malloc(sizeof(packet_info_t));
272
273 packet->size = orig_size;
274 packet->timestamp = appdata.now;
275 packet->ref_count = 0;
276 memset(&packet->prot_desc, 0, sizeof(packet->prot_desc));
277
278 /* decode the protocol tree */
279 decode_protocol_stack(&decp, &packet->prot_desc, cap_bytes, cap_size);
280
281 appdata.n_packets++;
282 appdata.total_mem_packets++;
283
284 src_node = nodes_catalog_find(&decp.src_node_id);
285 if (src_node == NULL) {
286 /* creates the new node, adding it to the catalog */
287 src_node = nodes_catalog_new(&decp.src_node_id);
288 g_assert(src_node);
289 }
290 dst_node = nodes_catalog_find(&decp.dst_node_id);
291 if (dst_node == NULL) {
292 /* creates the new node, adding it to the catalog */
293 dst_node = nodes_catalog_new(&decp.dst_node_id);
294 g_assert(dst_node);
295 }
296
297 /* Add this packet information to the src and dst nodes */
298 add_node_packet(src_node, packet, OUTBOUND);
299 add_node_packet(dst_node, packet, INBOUND);
300
301 /* Update names list for these nodes */
302 get_packet_names(&src_node->node_stats.stats_protos, &dst_node->node_stats.stats_protos,
303 cap_bytes, cap_size, &packet->prot_desc, lkentry->dlt_linktype);
304
305 /* And now we update link traffic information for this packet
306 packets originating from lesser addresses are arbitrarily marked outbound
307 link ids are pairs of node addresses, with the lesser one first
308 */
309 if (node_id_compare(&decp.src_node_id, &decp.dst_node_id) < 1) {
310 /* src id <= dst id, direct packet */
311 link_id.src = decp.src_node_id;
312 link_id.dst = decp.dst_node_id;
313 links_catalog_add_packet(&link_id, packet, OUTBOUND);
314 }
315 else {
316 /* src id > dst id, inverse packet */
317 link_id.src = decp.dst_node_id;
318 link_id.dst = decp.src_node_id;
319 links_catalog_add_packet(&link_id, packet, INBOUND);
320 }
321
322 /* finally, update global protocol stats */
323 protocol_summary_add_packet(packet);
324 }
325
326
327 /* We update node information for each new packet that arrives in the
328 * network. If the node the packet refers to is unknown, we
329 * create it. */
add_node_packet(node_t * node,packet_info_t * packet,packet_direction direction)330 static void add_node_packet(node_t *node,
331 packet_info_t *packet,
332 packet_direction direction)
333 {
334
335 traffic_stats_add_packet(&node->node_stats, packet, direction);
336
337 /* If this is the first packet we've heard from the node in a while,
338 * we add it to the list of new nodes so that the main app know this
339 * node is active again */
340 if (node->node_stats.pkt_list.length == 1)
341 new_nodes_add(node);
342 }
343
decode_protocol_stack(decode_proto_t * dp,packet_protos_t * protostack_tofill,const guint8 * pkt,guint cap_len)344 static void decode_protocol_stack(decode_proto_t *dp, packet_protos_t *protostack_tofill,
345 const guint8 *pkt, guint cap_len)
346 {
347 guint i;
348
349 /* initialize data helper */
350 dp->original_packet = pkt;
351 dp->original_len = cap_len;
352 dp->cur_packet = pkt;
353 dp->cur_len = cap_len;
354 dp->pr_stack = protostack_tofill;
355 dp->pr_cur_level = 1; /* level zero is topmost protocol, will be filled later */
356 node_id_clear(&dp->dst_node_id);
357 node_id_clear(&dp->src_node_id);
358 address_clear(&dp->global_src_address);
359 address_clear(&dp->global_dst_address);
360 dp->global_src_port = 0;
361 dp->global_dst_port = 0;
362
363
364 /* call current link decode function */
365 g_assert(lkentry && lkentry->fun);
366 lkentry->fun(dp);
367
368 /* first position is top proto */
369 for (i = STACK_SIZE; i > 0; --i) {
370 if (dp->pr_stack->protonames[i]) {
371 dp->pr_stack->protonames[0] = g_strdup(dp->pr_stack->protonames[i]);
372 break;
373 }
374 }
375 }
376
377 /* ------------------------------------------------------------
378 * Private functions
379 * ------------------------------------------------------------*/
380
381 /* bsd loopback */
get_loop(decode_proto_t * dp)382 static void get_loop(decode_proto_t *dp)
383 {
384 if (lkentry->dlt_linktype == DLT_LOOP)
385 decode_proto_add(dp, "LOOP");
386 else
387 decode_proto_add(dp, "NULL");
388
389 add_offset(dp, 4);
390 get_ip(dp);
391 }
392
get_eth_type(decode_proto_t * dp)393 static void get_eth_type(decode_proto_t *dp)
394 {
395 guint16 ethsize;
396 guint size_offset; /* offset of size field */
397 ethhdrtype_t ethhdr_type = ETHERNET_II; /* Default */
398
399 if (dp->cur_len < 20)
400 return; /* not big enough */
401
402 size_offset = 12; /* in a non VLAN packet offset of size field is 12 bytes */
403
404 /* the 16 bit field at offset 12 can have several meanings:
405 * in 802.3 is the packet size (<= 1500 or 0x5DC)
406 * in Ethernet II the size is really a packet type (>=1536/0x600)
407 * a packet with 802.1Q VLAN tag has a type of 0x8100.
408 * Jumbo frames pose a challenge because they are 802.3, but size > 1500
409 * Right now we don't support jumbo frames.
410 */
411 ethsize = pntohs(dp->cur_packet + size_offset);
412
413 if (ethsize == ETHERTYPE_VLAN) {
414 /* 802.1Q VLAN tagged packet. The 4 byte VLAN header is inserted between
415 * source addr and length */
416 decode_proto_add(dp, "802.1Q");
417 if (DEBUG_ENABLED) {
418 guint16 vlanid = pntohs(dp->cur_packet + 14) & 0x0fff;
419 g_my_debug("VLAN id: %u", vlanid);
420 }
421 size_offset = 16;
422 ethsize = pntohs(dp->cur_packet + size_offset); /* get the real size */
423 }
424
425 if (ethsize <= 1500) {
426 /* 802.3 ethernet */
427
428 /* Is there an 802.2 layer? I can tell by looking at the first 2
429 * bytes after the 802.3 header. If they are 0xffff, then what
430 * follows the 802.3 header is an IPX payload, meaning no 802.2.
431 * (IPX/SPX is they only thing that can be contained inside a
432 * straight 802.3 cur_packet). A non-0xffff value means that
433 * there's an 802.2 layer inside the 802.3 layer */
434 if (dp->cur_packet[size_offset+2] == 0xff &&
435 dp->cur_packet[size_offset+3] == 0xff)
436 ethhdr_type = ETHERNET_802_3;
437 else
438 ethhdr_type = ETHERNET_802_2;
439
440 /* Oh, yuck. Cisco ISL frames require special interpretation of the
441 * destination address field; fortunately, they can be recognized by
442 * checking the first 5 octets of the destination address, which are
443 * 01-00-0C-00-00 for ISL frames. */
444 if (dp->cur_packet[0] == 0x01 && dp->cur_packet[1] == 0x00 &&
445 dp->cur_packet[2] == 0x0C && dp->cur_packet[3] == 0x00 &&
446 dp->cur_packet[4] == 0x00) {
447 /* TODO Analyze ISL frames */
448 decode_proto_add(dp, "ISL");
449 return;
450 }
451 }
452
453 /* node ids */
454 dp->dst_node_id.node_type = LINK6;
455 memmove(dp->dst_node_id.addr.eth, dp->cur_packet + 0,
456 sizeof(dp->dst_node_id.addr.eth));
457 dp->src_node_id.node_type = LINK6;
458 memmove(dp->src_node_id.addr.eth, dp->cur_packet + 6,
459 sizeof(dp->src_node_id.addr.eth));
460
461 add_offset(dp, size_offset + 2);
462
463 if (ethhdr_type == ETHERNET_802_3) {
464 decode_proto_add(dp, "802.3-RAW");
465 return;
466 }
467
468 if (ethhdr_type == ETHERNET_802_2) {
469 decode_proto_add(dp, "802.3");
470 get_eth_802_3(dp, ethhdr_type);
471 return;
472 }
473
474 /* Else, it's ETHERNET_II, so the size is really a type field */
475 decode_proto_add(dp, "ETH_II");
476 get_eth_II(dp, (etype_t)ethsize);
477 } /* get_eth_type */
478
get_eth_802_3(decode_proto_t * dp,ethhdrtype_t ethhdr_type)479 static void get_eth_802_3(decode_proto_t *dp, ethhdrtype_t ethhdr_type)
480 {
481 switch (ethhdr_type)
482 {
483 case ETHERNET_802_2:
484 get_llc(dp);
485 break;
486 case ETHERNET_802_3:
487 get_ipx(dp);
488 break;
489 default:
490 break;
491 }
492 } /* get_eth_802_3 */
493
get_fddi_type(decode_proto_t * dp)494 static void get_fddi_type(decode_proto_t *dp)
495 {
496 decode_proto_add(dp, "FDDI");
497
498 if (dp->cur_len < 14)
499 return; /* not big enough */
500
501 decode_proto_add(dp, "LLC");
502
503 /* node ids */
504 dp->dst_node_id.node_type = LINK6;
505 memmove(dp->dst_node_id.addr.eth, dp->cur_packet + 1,
506 sizeof(dp->dst_node_id.addr.eth));
507 dp->src_node_id.node_type = LINK6;
508 memmove(dp->src_node_id.addr.eth, dp->cur_packet + 7,
509 sizeof(dp->src_node_id.addr.eth));
510
511 /* Ok, this is only temporary while I truly dissect LLC
512 * and fddi */
513 if (dp->cur_len < 21)
514 return; /* not big enough */
515
516 if ((dp->cur_packet[19] == 0x08) && (dp->cur_packet[20] == 0x00)) {
517 add_offset(dp, 21);
518 get_ip(dp);
519 }
520 } /* get_fddi_type */
521
get_ieee802_5_type(decode_proto_t * dp)522 static void get_ieee802_5_type(decode_proto_t *dp)
523 {
524 decode_proto_add(dp, "Token Ring");
525
526 if (dp->cur_len < 15)
527 return; /* not big enough */
528
529 /* node ids */
530 dp->dst_node_id.node_type = LINK6;
531 memmove(dp->dst_node_id.addr.eth, dp->cur_packet + 2,
532 sizeof(dp->dst_node_id.addr.eth));
533 dp->src_node_id.node_type = LINK6;
534 memmove(dp->src_node_id.addr.eth, dp->cur_packet + 8,
535 sizeof(dp->src_node_id.addr.eth));
536
537 if (dp->cur_len < 22)
538 return; /* not big enough */
539
540 /* As with FDDI, we only support LLC by now */
541 decode_proto_add(dp, "LLC");
542
543 if ((dp->cur_packet[20] == 0x08) && (dp->cur_packet[21] == 0x00)) {
544 add_offset(dp, 22);
545 get_ip(dp);
546 }
547 }
548
get_eth_II(decode_proto_t * dp,etype_t etype)549 static void get_eth_II(decode_proto_t *dp, etype_t etype)
550 {
551 if (etype == ETHERTYPE_IP || etype == ETHERTYPE_IPv6)
552 get_ip(dp);
553 else if (etype == ETHERTYPE_IPX)
554 get_ipx(dp);
555 else
556 append_etype_prot(dp, etype);
557 } /* get_eth_II */
558
559 /* handles radiotap header */
get_radiotap(decode_proto_t * dp)560 static void get_radiotap(decode_proto_t *dp)
561 {
562 guint16 rtlen;
563
564 if (dp->cur_len < 32) {
565 g_warning(_("Radiotap:captured size too small, packet discarded"));
566 decode_proto_add(dp, "RADIOTAP");
567 return;
568 }
569
570 /* radiotap hdr has 8 bit of version, plus 8bit of padding, followed by
571 * 16bit len field. We don't need to parse the header, just skip it
572 * Note: header little endian */
573 #ifdef WORDS_BIGENDIAN
574 rtlen = phtons(dp->cur_packet+2);
575 #else
576 rtlen = *(guint16 *)(dp->cur_packet+2);
577 #endif
578
579 add_offset(dp, rtlen);
580 get_wlan(dp);
581 }
582
583 #if defined(DLT_PPI)
584 /* handles PPI (Per Packet Incapsulation) header */
get_ppi(decode_proto_t * dp)585 static void get_ppi(decode_proto_t *dp)
586 {
587 static const linktype_data_t *pph_lkentry = NULL;
588 guint16 pph_len;
589 guint32 pph_dlt;
590 int i;
591
592 if (dp->cur_len < 64) {
593 g_warning(_("PPI:captured size too small, packet discarded"));
594 decode_proto_add(dp, "PPI");
595 return;
596 }
597
598 /* PPI hdr has 8 bit of version, plus 8bit of flags, followed by
599 * 16bit len field and finally by a 32 bit DLT number.
600 * Between header and data there could be some optional information fields.
601 * We don't need to parse header or fields, just skip it
602 * Note: all ppi dati are in little-endian order */
603 #ifdef WORDS_BIGENDIAN
604 pph_len = phtons(dp->cur_packet+2);
605 pph_dlt = phtonl(dp->cur_packet+4);
606 #else
607 pph_len = *(guint16 *)(dp->cur_packet+2);
608 pph_dlt = *(guint32 *)(dp->cur_packet+4);
609 #endif
610
611 add_offset(dp, pph_len);
612 /* if the last packet seen has a different dlt type, we rescan the table */
613 if (!pph_lkentry || pph_lkentry->dlt_linktype != pph_dlt) {
614 pph_lkentry = NULL;
615 for (i = 0; linktypes[i].lt_desc != NULL; ++i) {
616 if (linktypes[i].dlt_linktype == pph_dlt) {
617 pph_lkentry = linktypes + i;
618 pph_lkentry->fun(dp);
619 }
620 }
621 g_warning(_("PPI:unsupported link type %u, packet discarded"), pph_dlt);
622 return;
623 }
624 pph_lkentry->fun(dp);
625 }
626 #endif
627
decode_wlan_mgmt(decode_proto_t * dp,uint8_t subtype)628 static void decode_wlan_mgmt(decode_proto_t *dp, uint8_t subtype)
629 {
630 switch (subtype)
631 {
632 case 0: /* association request */
633 case 1: /* association response */
634 case 2: /* REassociation request */
635 case 3: /* REassociation response */
636 decode_proto_add(dp, "WLAN-ASSOC");
637 break;
638 case 4: /* probe req */
639 case 5: /* probe resp */
640 decode_proto_add(dp, "WLAN-PROBE");
641 break;
642 case 8:
643 decode_proto_add(dp, "WLAN-BEACON");
644 break;
645 case 9:
646 decode_proto_add(dp, "WLAN-ATIM");
647 break;
648 case 10: /* deassociation */
649 decode_proto_add(dp, "WLAN-DEASSOC");
650 break;
651 case 11: /* authentication */
652 case 12: /* DEauthentication */
653 decode_proto_add(dp, "WLAN-AUTH");
654 break;
655 default:
656 decode_proto_add(dp, "WLAN-MGMT-UNKN");
657 break;
658 }
659 }
660
decode_wlan_ctrl(decode_proto_t * dp,uint8_t subtype)661 static void decode_wlan_ctrl(decode_proto_t *dp, uint8_t subtype)
662 {
663 switch (subtype)
664 {
665 case 10: /* PS-Poll */
666 decode_proto_add(dp, "WLAN-PS-POLL");
667 break;
668 case 11: /* RTS */
669 decode_proto_add(dp, "WLAN-RTS");
670 break;
671 case 12: /* CTS */
672 decode_proto_add(dp, "WLAN-CTS");
673 break;
674 case 13: /* ACK */
675 decode_proto_add(dp, "WLAN-ACK");
676 break;
677 case 14: /* CF End */
678 case 15: /* CF End + CF-ACK */
679 decode_proto_add(dp, "WLAN-CF-END");
680 break;
681 default:
682 decode_proto_add(dp, "WLAN-CTRL-UNKN");
683 break;
684 }
685 }
686
687 /* ieee802.11 wlans */
get_wlan(decode_proto_t * dp)688 static void get_wlan(decode_proto_t *dp)
689 {
690 uint8_t type;
691 uint8_t subtype;
692 uint8_t wep;
693 uint8_t fromtods;
694 uint8_t dstofs;
695 uint8_t srcofs;
696
697 decode_proto_add(dp, "IEE802.11"); /* experimental */
698 if (dp->cur_len < 10) {
699 g_warning(_("wlan:captured size too small (less than 10 bytes), packet discarded"));
700 return;
701 }
702
703 /* frame control field: two bytes, network order
704 * frame type is in bits 2-3, subtype 4-7, tods 8, fromds 9, wep 14 */
705 type = (dp->cur_packet[0] >> 2) & 0x03;
706 subtype = (dp->cur_packet[0] >> 4) & 0x0f;
707 fromtods = (dp->cur_packet[1]) & 0x03;
708 wep = (dp->cur_packet[1] >> 6) & 0x01;
709
710 /* WLAN packets can have up to four (!) addresses, while EtherApe handles
711 * only two :-)
712 * We *could* register the packet twice or even three times, to show the full
713 * traffic, but while useful to understand how WLAN really works usually one
714 * prefers to ignore switches, APs and so on, so we try to decode only the
715 * SA/DA addresses. AP ones are used only for station to AP traffic.
716 * On most modes BSSID is crammed into one of the unused addresses.
717 * Note:
718 * In monitor mode we could pick up a packet multiple times: for example first
719 * from node A to AP, then from AP to node B.
720 * In that case, traffic statistics will be wrong! */
721 if (fromtods > 3) {
722 g_warning(_("Invalid tofromds field in WLAN packet: 0x%x"), fromtods);
723 return;
724 }
725
726 /* a1:4 a2:10 a3:16 a4:24 */
727 switch (fromtods)
728 {
729 case 0:
730 /* fromds:0, tods:0 ---> DA=addr1, SA=addr2, BSSID=addr3, no addr4 */
731 dstofs = 4;
732 srcofs = 10;
733 break;
734 case 1:
735 /* fromds:0, tods:1 ---> DA=addr3, SA=addr2, BSSID=addr1, no addr4 */
736 dstofs = 16;
737 srcofs = 10;
738 break;
739 case 2:
740 /* fromds:1, tods:0 ---> DA=addr1, SA=addr3, BSSID=addr2, no addr4 */
741 dstofs = 4;
742 srcofs = 16;
743 break;
744 case 3:
745 /* fromds:1, tods:1 ---> DA=addr3, SA=addr4, RA=addr1, TA=addr2 */
746 dstofs = 16;
747 srcofs = 24;
748 break;
749 }
750
751 if (dp->cur_len < dstofs + 6) {
752 g_warning(_("wlan:captured size too small (read %u, needed %u), packet discarded"), dp->cur_len, dstofs+6);
753 return;
754 }
755 dp->dst_node_id.node_type = LINK6;
756 memmove(dp->dst_node_id.addr.eth, dp->cur_packet + dstofs,
757 sizeof(dp->dst_node_id.addr.eth));
758
759 if (type == 1) {
760 /* control frame */
761 if (subtype == 11) {
762 /* for type 1 frames (control) only RTS (subtype 11) has two addresses,
763 while other subtypes have only one address. */
764 if (dp->cur_len < srcofs + 6) {
765 g_warning(_("wlan:captured size too small (read %u, needed %u), RTS packet discarded"),
766 dp->cur_len, srcofs+6);
767 return;
768 }
769 dp->src_node_id.node_type = LINK6;
770 memmove(dp->src_node_id.addr.eth, dp->cur_packet + srcofs,
771 sizeof(dp->src_node_id.addr.eth));
772 add_offset(dp, 16);
773 }
774 else
775 add_offset(dp, 10);
776 decode_wlan_ctrl(dp, subtype);
777 return;
778 }
779
780 if (dp->cur_len < srcofs + 6) {
781 g_warning(_("wlan:captured size too small (read %u, needed %u), packet discarded"),
782 dp->cur_len, srcofs+6);
783 return;
784 }
785 dp->src_node_id.node_type = LINK6;
786 memmove(dp->src_node_id.addr.eth, dp->cur_packet + srcofs,
787 sizeof(dp->src_node_id.addr.eth));
788
789 if (fromtods != 3)
790 add_offset(dp, 24);
791 else
792 add_offset(dp, 30); /* fourth address present */
793
794 switch (type)
795 {
796 case 2:
797 /* data frame */
798 if (!wep) {
799 if (subtype == 8)
800 add_offset(dp, 2); /* QOS info present */
801 get_llc(dp);
802 }
803 else
804 decode_proto_add(dp, "WLAN-CRYPTED");
805 break;
806
807 case 0:
808 /* mgmt frame */
809 decode_wlan_mgmt(dp, subtype);
810 break;
811
812 case 3:
813 /* reserved frame - AP specific */
814 g_warning(_("wlan:frame type 0x%x is reserved, decode aborted"), type);
815 return;
816
817 default:
818 g_warning(_("wlan:unknown frame type 0x%x, decode aborted"), type);
819 return;
820 }
821 }
822
823 /* Gets the protocol type out of the linux-sll header.
824 * I have no real idea of what can be there, but since IP
825 * is 0x800 I guess it follows ethernet specifications */
get_linux_sll(decode_proto_t * dp)826 static void get_linux_sll(decode_proto_t *dp)
827 {
828 etype_t etype;
829
830 decode_proto_add(dp, "LINUX-SLL");
831
832 etype = pntohs(&dp->cur_packet[14]);
833
834 add_offset(dp, 16);
835 if (etype == ETHERTYPE_IP || etype == ETHERTYPE_IPv6)
836 get_ip(dp);
837 else if (etype == ETHERTYPE_IPX)
838 get_ipx(dp);
839 else
840 append_etype_prot(dp, etype);
841 } /* get_linux_sll_type */
842
get_llc(decode_proto_t * dp)843 static void get_llc(decode_proto_t *dp)
844 {
845 #define XDLC_I 0x00 /* Information frames */
846 #define XDLC_U 0x03 /* Unnumbered frames */
847 #define XDLC_UI 0x00 /* Unnumbered Information */
848 #define XDLC_IS_INFORMATION(control) \
849 (((control) & 0x1) == XDLC_I || (control) == (XDLC_UI|XDLC_U))
850
851 sap_type_t dsap, ssap;
852 guint16 control;
853
854 if (dp->cur_len < 4)
855 return;
856
857 dsap = dp->cur_packet[0];
858 ssap = dp->cur_packet[1];
859
860 if (dsap == SAP_SNAP && ssap == SAP_SNAP) {
861 /* LLC SNAP: has an additional ethernet II type added */
862 etype_t eth2_type;
863 eth2_type = (etype_t)pntohs(dp->cur_packet + 6);
864 add_offset(dp, 8);
865 get_eth_II(dp, eth2_type);
866 return;
867 }
868
869 decode_proto_add(dp, "LLC");
870
871 /* To get this control value is actually a lot more
872 * complicated than this, see xdlc.c in ethereal,
873 * but I'll try like this, it seems it works for my pourposes at
874 * least most of the time */
875 control = dp->cur_packet[2];
876
877 if (!XDLC_IS_INFORMATION(control))
878 return;
879
880 add_offset(dp, 3);
881
882 switch (dsap)
883 {
884 case SAP_NULL:
885 decode_proto_add(dp, "LLC-NULL");
886 break;
887 case SAP_LLC_SLMGMT:
888 decode_proto_add(dp, "LLC-SLMGMT");
889 break;
890 case SAP_SNA_PATHCTRL:
891 decode_proto_add(dp, "PATHCTRL");
892 break;
893 case SAP_IP:
894 get_ip(dp);
895 break;
896 case SAP_SNA1:
897 decode_proto_add(dp, "SNA1");
898 break;
899 case SAP_SNA2:
900 decode_proto_add(dp, "SNA2");
901 break;
902 case SAP_PROWAY_NM_INIT:
903 decode_proto_add(dp, "PROWAY-NM-INIT");
904 break;
905 case SAP_TI:
906 decode_proto_add(dp, "TI");
907 break;
908 case SAP_BPDU:
909 decode_proto_add(dp, "BPDU");
910 break;
911 case SAP_RS511:
912 decode_proto_add(dp, "RS511");
913 break;
914 case SAP_X25:
915 decode_proto_add(dp, "X25");
916 break;
917 case SAP_XNS:
918 decode_proto_add(dp, "XNS");
919 break;
920 case SAP_NESTAR:
921 decode_proto_add(dp, "NESTAR");
922 break;
923 case SAP_PROWAY_ASLM:
924 decode_proto_add(dp, "PROWAY-ASLM");
925 break;
926 case SAP_ARP:
927 decode_proto_add(dp, "ARP");
928 break;
929 case SAP_SNAP:
930 /* We are not supposed to reach this point */
931 g_warning("Reached SNAP while checking for DSAP in get_llc");
932 decode_proto_add(dp, "LLC-SNAP");
933 break;
934 case SAP_VINES1:
935 decode_proto_add(dp, "VINES1");
936 break;
937 case SAP_VINES2:
938 decode_proto_add(dp, "VINES2");
939 break;
940 case SAP_NETWARE:
941 get_ipx(dp);
942 break;
943 case SAP_NETBIOS:
944 decode_proto_add(dp, "NETBIOS");
945 get_netbios(dp);
946 break;
947 case SAP_IBMNM:
948 decode_proto_add(dp, "IBMNM");
949 break;
950 case SAP_RPL1:
951 decode_proto_add(dp, "RPL1");
952 break;
953 case SAP_UB:
954 decode_proto_add(dp, "UB");
955 break;
956 case SAP_RPL2:
957 decode_proto_add(dp, "RPL2");
958 break;
959 case SAP_OSINL:
960 decode_proto_add(dp, "OSINL");
961 break;
962 case SAP_GLOBAL:
963 decode_proto_add(dp, "LLC-GLOBAL");
964 break;
965 }
966 } /* get_llc */
967
get_ip(decode_proto_t * dp)968 static void get_ip(decode_proto_t *dp)
969 {
970 guint16 fragment_offset = 0;
971 iptype_t ip_type;
972 int ip_version, ip_hl;
973
974 if (dp->cur_len < 20)
975 return;
976
977 ip_version = (dp->cur_packet[0] >> 4) & 15;
978 switch (ip_version)
979 {
980 case 4:
981 // ipv4
982 ip_hl = (dp->cur_packet[0] & 15) << 2;
983 if (ip_hl < 20)
984 return;
985 decode_proto_add(dp, "IP");
986
987 ip_type = dp->cur_packet[9];
988 fragment_offset = pntohs(dp->cur_packet + 6);
989 fragment_offset &= 0x0fff;
990
991 if (appdata.mode != LINK6) {
992 /* we want node higher level node ids */
993 dp->dst_node_id.node_type = IP;
994 address_clear(&dp->dst_node_id.addr.ip);
995 dp->dst_node_id.addr.ip.type = AF_INET;
996 memmove(dp->dst_node_id.addr.ip.addr_v4, dp->cur_packet + 16,
997 sizeof(dp->dst_node_id.addr.ip.addr_v4));
998 dp->src_node_id.node_type = IP;
999 address_clear(&dp->src_node_id.addr.ip);
1000 dp->src_node_id.addr.ip.type = AF_INET;
1001 memmove(dp->src_node_id.addr.ip.addr_v4, dp->cur_packet + 12,
1002 sizeof(dp->src_node_id.addr.ip.addr_v4));
1003 }
1004
1005 add_offset(dp, ip_hl);
1006 break;
1007 case 6:
1008 // ipv6
1009 if (dp->cur_len < 40)
1010 return;
1011 decode_proto_add(dp, "IPV6");
1012
1013 ip_type = dp->cur_packet[6];
1014
1015 if (appdata.mode != LINK6) {
1016 /* we want higher level node ids */
1017 dp->dst_node_id.node_type = IP;
1018 dp->dst_node_id.addr.ip.type = AF_INET6;
1019 memmove(dp->dst_node_id.addr.ip.addr_v6, dp->cur_packet + 24,
1020 sizeof(dp->dst_node_id.addr.ip.addr_v6));
1021 dp->src_node_id.node_type = IP;
1022 dp->src_node_id.addr.ip.type = AF_INET6;
1023 memmove(dp->src_node_id.addr.ip.addr_v6, dp->cur_packet + 8,
1024 sizeof(dp->src_node_id.addr.ip.addr_v6));
1025 }
1026
1027 add_offset(dp, 40);
1028 break;
1029 default:
1030 return;
1031 }
1032
1033 /* This is used for conversations */
1034 address_copy(&dp->global_src_address, &dp->src_node_id.addr.ip);
1035 address_copy(&dp->global_dst_address, &dp->dst_node_id.addr.ip);
1036
1037 switch (ip_type)
1038 {
1039 case IP_PROTO_ICMP:
1040 decode_proto_add(dp, "ICMP");
1041 break;
1042 case IP_PROTO_TCP:
1043 if (fragment_offset)
1044 decode_proto_add(dp, "TCP_FRAGMENT");
1045 else
1046 get_tcp(dp);
1047 break;
1048 case IP_PROTO_UDP:
1049 if (fragment_offset)
1050 decode_proto_add(dp, "UDP_FRAGMENT");
1051 else
1052 get_udp(dp);
1053 break;
1054 case IP_PROTO_IGMP:
1055 decode_proto_add(dp, "IGMP");
1056 break;
1057 case IP_PROTO_GGP:
1058 decode_proto_add(dp, "GGP");
1059 break;
1060 case IP_PROTO_IPIP:
1061 decode_proto_add(dp, "IPIP");
1062 break;
1063 case IP_PROTO_ST:
1064 decode_proto_add(dp, "ST");
1065 break;
1066 case IP_PROTO_CBT:
1067 decode_proto_add(dp, "CBT");
1068 break;
1069 case IP_PROTO_EGP:
1070 decode_proto_add(dp, "EGP");
1071 break;
1072 case IP_PROTO_IGP:
1073 decode_proto_add(dp, "IGP");
1074 break;
1075 case IP_PROTO_PUP:
1076 decode_proto_add(dp, "PUP");
1077 break;
1078 case IP_PROTO_IDP:
1079 decode_proto_add(dp, "IDP");
1080 break;
1081 case IP_PROTO_TP:
1082 decode_proto_add(dp, "TP");
1083 break;
1084 case IP_PROTO_IPV6:
1085 decode_proto_add(dp, "IPV6");
1086 break;
1087 case IP_PROTO_ROUTING:
1088 decode_proto_add(dp, "ROUTING");
1089 break;
1090 case IP_PROTO_FRAGMENT:
1091 decode_proto_add(dp, "FRAGMENT");
1092 break;
1093 case IP_PROTO_RSVP:
1094 decode_proto_add(dp, "RSVP");
1095 break;
1096 case IP_PROTO_GRE:
1097 decode_proto_add(dp, "GRE");
1098 break;
1099 case IP_PROTO_ESP:
1100 decode_proto_add(dp, "ESP");
1101 break;
1102 case IP_PROTO_AH:
1103 decode_proto_add(dp, "AH");
1104 break;
1105 case IP_PROTO_ICMPV6:
1106 decode_proto_add(dp, "ICMPV6");
1107 break;
1108 case IP_PROTO_NONE:
1109 decode_proto_add(dp, "NONE");
1110 break;
1111 case IP_PROTO_DSTOPTS:
1112 decode_proto_add(dp, "DSTOPTS");
1113 break;
1114 case IP_PROTO_VINES:
1115 decode_proto_add(dp, "VINES");
1116 break;
1117 case IP_PROTO_EIGRP:
1118 decode_proto_add(dp, "EIGRP");
1119 break;
1120 case IP_PROTO_OSPF:
1121 decode_proto_add(dp, "OSPF");
1122 break;
1123 case IP_PROTO_ENCAP:
1124 decode_proto_add(dp, "ENCAP");
1125 break;
1126 case IP_PROTO_PIM:
1127 decode_proto_add(dp, "PIM");
1128 break;
1129 case IP_PROTO_IPCOMP:
1130 decode_proto_add(dp, "IPCOMP");
1131 break;
1132 case IP_PROTO_VRRP:
1133 decode_proto_add(dp, "VRRP");
1134 break;
1135 default:
1136 decode_proto_add(dp, "IP_UNKNOWN");
1137 }
1138 }
1139
get_ipx(decode_proto_t * dp)1140 static void get_ipx(decode_proto_t *dp)
1141 {
1142 ipx_socket_t ipx_dsocket, ipx_ssocket;
1143 ipx_type_t ipx_type;
1144
1145 /* Make sure this is an IPX cur_packet */
1146 if (dp->cur_len < 30 || *(guint16 *)(dp->cur_packet) != 0xffff)
1147 return;
1148
1149 decode_proto_add(dp, "IPX");
1150
1151 ipx_dsocket = pntohs(dp->cur_packet + 16);
1152 ipx_ssocket = pntohs(dp->cur_packet + 28);
1153 ipx_type = *(guint8 *)(dp->cur_packet + 5);
1154
1155 switch (ipx_type)
1156 {
1157 /* Look at the socket with these two types */
1158 case IPX_PACKET_TYPE_PEP:
1159 case IPX_PACKET_TYPE_IPX:
1160 break;
1161 case IPX_PACKET_TYPE_RIP:
1162 decode_proto_add(dp, "IPX-RIP");
1163 break;
1164 case IPX_PACKET_TYPE_ECHO:
1165 decode_proto_add(dp, "IPX-ECHO");
1166 break;
1167 case IPX_PACKET_TYPE_ERROR:
1168 decode_proto_add(dp, "IPX-ERROR");
1169 break;
1170 case IPX_PACKET_TYPE_SPX:
1171 decode_proto_add(dp, "IPX-SPX");
1172 break;
1173 case IPX_PACKET_TYPE_NCP:
1174 decode_proto_add(dp, "IPX-NCP");
1175 break;
1176 case IPX_PACKET_TYPE_WANBCAST:
1177 decode_proto_add(dp, "IPX-NetBIOS");
1178 break;
1179 }
1180
1181 if ((ipx_type != IPX_PACKET_TYPE_IPX) && (ipx_type != IPX_PACKET_TYPE_PEP) &&
1182 (ipx_type != IPX_PACKET_TYPE_WANBCAST))
1183 return;
1184
1185 if ((ipx_dsocket == IPX_SOCKET_SAP) || (ipx_ssocket == IPX_SOCKET_SAP))
1186 decode_proto_add(dp, "IPX-SAP");
1187 else if ((ipx_dsocket == IPX_SOCKET_ATTACHMATE_GW) ||
1188 (ipx_ssocket == IPX_SOCKET_ATTACHMATE_GW))
1189 decode_proto_add(dp, "ATTACHMATE-GW");
1190 else if ((ipx_dsocket == IPX_SOCKET_PING_NOVELL) ||
1191 (ipx_ssocket == IPX_SOCKET_PING_NOVELL))
1192 decode_proto_add(dp, "PING-NOVELL");
1193 else if ((ipx_dsocket == IPX_SOCKET_NCP) || (ipx_ssocket == IPX_SOCKET_NCP))
1194 decode_proto_add(dp, "IPX-NCP");
1195 else if ((ipx_dsocket == IPX_SOCKET_IPXRIP) ||
1196 (ipx_ssocket == IPX_SOCKET_IPXRIP))
1197 decode_proto_add(dp, "IPX-RIP");
1198 else if ((ipx_dsocket == IPX_SOCKET_NETBIOS) ||
1199 (ipx_ssocket == IPX_SOCKET_NETBIOS))
1200 decode_proto_add(dp, "IPX-NetBIOS");
1201 else if ((ipx_dsocket == IPX_SOCKET_DIAGNOSTIC) ||
1202 (ipx_ssocket == IPX_SOCKET_DIAGNOSTIC))
1203 decode_proto_add(dp, "IPX-DIAG");
1204 else if ((ipx_dsocket == IPX_SOCKET_SERIALIZATION) ||
1205 (ipx_ssocket == IPX_SOCKET_SERIALIZATION))
1206 decode_proto_add(dp, "IPX-SERIAL.");
1207 else if ((ipx_dsocket == IPX_SOCKET_ADSM) ||
1208 (ipx_ssocket == IPX_SOCKET_ADSM))
1209 decode_proto_add(dp, "IPX-ADSM");
1210 else if ((ipx_dsocket == IPX_SOCKET_EIGRP) ||
1211 (ipx_ssocket == IPX_SOCKET_EIGRP))
1212 decode_proto_add(dp, "EIGRP");
1213 else if ((ipx_dsocket == IPX_SOCKET_WIDE_AREA_ROUTER) ||
1214 (ipx_ssocket == IPX_SOCKET_WIDE_AREA_ROUTER))
1215 decode_proto_add(dp, "IPX W.A. ROUTER");
1216 else if ((ipx_dsocket == IPX_SOCKET_TCP_TUNNEL) ||
1217 (ipx_ssocket == IPX_SOCKET_TCP_TUNNEL))
1218 decode_proto_add(dp, "IPX-TCP-TUNNEL");
1219 else if ((ipx_dsocket == IPX_SOCKET_UDP_TUNNEL) ||
1220 (ipx_ssocket == IPX_SOCKET_UDP_TUNNEL))
1221 decode_proto_add(dp, "IPX-UDP-TUNNEL");
1222 else if ((ipx_dsocket == IPX_SOCKET_NWLINK_SMB_SERVER) ||
1223 (ipx_ssocket == IPX_SOCKET_NWLINK_SMB_SERVER) ||
1224 (ipx_dsocket == IPX_SOCKET_NWLINK_SMB_NAMEQUERY) ||
1225 (ipx_ssocket == IPX_SOCKET_NWLINK_SMB_NAMEQUERY) ||
1226 (ipx_dsocket == IPX_SOCKET_NWLINK_SMB_REDIR) ||
1227 (ipx_ssocket == IPX_SOCKET_NWLINK_SMB_REDIR) ||
1228 (ipx_dsocket == IPX_SOCKET_NWLINK_SMB_MAILSLOT) ||
1229 (ipx_ssocket == IPX_SOCKET_NWLINK_SMB_MAILSLOT) ||
1230 (ipx_dsocket == IPX_SOCKET_NWLINK_SMB_MESSENGER) ||
1231 (ipx_ssocket == IPX_SOCKET_NWLINK_SMB_MESSENGER) ||
1232 (ipx_dsocket == IPX_SOCKET_NWLINK_SMB_BROWSE) ||
1233 (ipx_ssocket == IPX_SOCKET_NWLINK_SMB_BROWSE))
1234 decode_proto_add(dp, "IPX-SMB");
1235 else if ((ipx_dsocket == IPX_SOCKET_SNMP_AGENT) ||
1236 (ipx_ssocket == IPX_SOCKET_SNMP_AGENT) ||
1237 (ipx_dsocket == IPX_SOCKET_SNMP_SINK) ||
1238 (ipx_ssocket == IPX_SOCKET_SNMP_SINK))
1239 decode_proto_add(dp, "SNMP");
1240 else
1241 g_my_debug("Unknown IPX ports %d, %d", ipx_dsocket, ipx_ssocket);
1242 } /* get_ipx */
1243
get_tcp(decode_proto_t * dp)1244 static void get_tcp(decode_proto_t *dp)
1245 {
1246 const port_service_t *src_service, *dst_service, *chosen_service;
1247 port_type_t src_port, dst_port, chosen_port;
1248 guint8 th_off_x2;
1249 guint8 tcp_len;
1250 const gchar *str;
1251 gboolean src_pref = FALSE;
1252 gboolean dst_pref = FALSE;
1253
1254 decode_proto_add(dp, "TCP");
1255 dp->global_src_port = src_port = pntohs(dp->cur_packet);
1256 dp->global_dst_port = dst_port = pntohs(dp->cur_packet + 2);
1257
1258 if (appdata.mode == TCP) {
1259 /* tcp mode node ids have both addr and port - to work we need
1260 * to already have an IP node id */
1261 g_assert(dp->dst_node_id.node_type == IP);
1262 dp->dst_node_id.node_type = TCP;
1263 address_copy(&dp->dst_node_id.addr.tcp.host, &dp->global_dst_address);
1264 dp->dst_node_id.addr.tcp.port = dp->global_dst_port;
1265
1266 g_assert(dp->src_node_id.node_type == IP);
1267 dp->src_node_id.node_type = TCP;
1268 address_copy(&dp->src_node_id.addr.tcp.host, &dp->global_src_address);
1269 dp->src_node_id.addr.tcp.port = dp->global_src_port;
1270 }
1271
1272 th_off_x2 = *(guint8 *)(dp->cur_packet + 12);
1273 tcp_len = hi_nibble(th_off_x2) * 4; /* TCP header length, in bytes */
1274
1275 add_offset(dp, tcp_len);
1276
1277 /* Check whether this cur_packet belongs to a registered conversation */
1278 if ((str = find_conversation(&dp->global_src_address, &dp->global_dst_address,
1279 src_port, dst_port))) {
1280 decode_proto_add(dp, str);
1281 return;
1282 }
1283
1284 /* It's not possible to know in advance whether an UDP
1285 * cur_packet is an RPC cur_packet. We'll try */
1286 /* False means we are calling rpc from a TCP cur_packet */
1287 if (get_rpc(dp, FALSE))
1288 return;
1289
1290 if (src_port == TCP_NETBIOS_SSN || dst_port == TCP_NETBIOS_SSN) {
1291 get_netbios_ssn(dp);
1292 return;
1293 }
1294 else if (src_port == TCP_FTP || dst_port == TCP_FTP) {
1295 get_ftp(dp);
1296 return;
1297 }
1298
1299 src_service = services_tcp_find(src_port);
1300 dst_service = services_tcp_find(dst_port);
1301 chosen_port = choose_port(src_port, dst_port);
1302
1303 if (!src_service && !dst_service) {
1304 if (pref.group_unk)
1305 decode_proto_add(dp, "TCP-UNKNOWN");
1306 else {
1307 if (chosen_port == src_port)
1308 decode_proto_add_fmt(dp, "TCP:%d-%d", chosen_port, dst_port);
1309 else
1310 decode_proto_add_fmt(dp, "TCP:%d-%d", chosen_port, src_port);
1311 }
1312 return;
1313 }
1314
1315 /* if one of the services has user-defined color, then we favor it,
1316 * otherwise chosen_port wins */
1317 if (src_service)
1318 src_pref = src_service->preferred;
1319 if (dst_service)
1320 dst_pref = dst_service->preferred;
1321
1322 if (src_pref && !dst_pref)
1323 chosen_service = src_service;
1324 else if (!src_pref && dst_pref)
1325 chosen_service = dst_service;
1326 else if (!dst_service || ((src_port == chosen_port) && src_service))
1327 chosen_service = src_service;
1328 else
1329 chosen_service = dst_service;
1330
1331 decode_proto_add(dp, chosen_service->name);
1332 } /* get_tcp */
1333
get_udp(decode_proto_t * dp)1334 static void get_udp(decode_proto_t *dp)
1335 {
1336 const port_service_t *src_service, *dst_service, *chosen_service;
1337 port_type_t src_port, dst_port, chosen_port;
1338 gboolean src_pref = FALSE;
1339 gboolean dst_pref = FALSE;
1340
1341 decode_proto_add(dp, "UDP");
1342 dp->global_src_port = src_port = pntohs(dp->cur_packet);
1343 dp->global_dst_port = dst_port = pntohs(dp->cur_packet + 2);
1344
1345 if (appdata.mode == TCP) {
1346 /* tcp/udp mode node ids have both addr and port - to work we need
1347 * to already have an IP node id */
1348 g_assert(dp->dst_node_id.node_type == IP);
1349 dp->dst_node_id.node_type = TCP;
1350 address_copy(&dp->dst_node_id.addr.tcp.host, &dp->global_dst_address);
1351 dp->dst_node_id.addr.tcp.port = dp->global_dst_port;
1352
1353 g_assert(dp->src_node_id.node_type == IP);
1354 dp->src_node_id.node_type = TCP;
1355 address_copy(&dp->src_node_id.addr.tcp.host, &dp->global_src_address);
1356 dp->src_node_id.addr.tcp.port = dp->global_src_port;
1357 }
1358
1359 add_offset(dp, 8);
1360
1361 /* It's not possible to know in advance whether an UDP
1362 * cur_packet is an RPC cur_packet. We'll try */
1363 if (get_rpc(dp, TRUE))
1364 return;
1365
1366 if (src_port == UDP_NETBIOS_NS || dst_port == UDP_NETBIOS_NS) {
1367 get_netbios_dgm(dp);
1368 return;
1369 }
1370
1371 src_service = services_udp_find(src_port);
1372 dst_service = services_udp_find(dst_port);
1373
1374 chosen_port = choose_port(src_port, dst_port);
1375
1376 if (!dst_service && !src_service) {
1377 if (pref.group_unk)
1378 decode_proto_add(dp, "UDP-UNKNOWN");
1379 else {
1380 if (chosen_port == src_port)
1381 decode_proto_add_fmt(dp, "UDP:%d-%d", chosen_port, dst_port);
1382 else
1383 decode_proto_add_fmt(dp, "UDP:%d-%d", chosen_port, src_port);
1384 }
1385 return;
1386 }
1387
1388 /* if one of the services has user-defined color, then we favor it,
1389 * otherwise chosen_port wins */
1390 if (src_service)
1391 src_pref = src_service->preferred;
1392 if (dst_service)
1393 dst_pref = dst_service->preferred;
1394
1395 if (src_pref && !dst_pref)
1396 chosen_service = src_service;
1397 else if (!src_pref && dst_pref)
1398 chosen_service = dst_service;
1399 else if (!dst_service || ((src_port == chosen_port) && src_service))
1400 chosen_service = src_service;
1401 else
1402 chosen_service = dst_service;
1403 decode_proto_add(dp, chosen_service->name);
1404 }
1405
get_rpc(decode_proto_t * dp,gboolean is_udp)1406 static gboolean get_rpc(decode_proto_t *dp, gboolean is_udp)
1407 {
1408 int rpcstart;
1409 uint32_t rpcver;
1410 enum rpc_type msg_type;
1411 enum rpc_program msg_program;
1412 const gchar *rpc_prot = NULL;
1413
1414 /* Determine whether this is an RPC packet */
1415 if (dp->cur_len < 24)
1416 return FALSE; /* not big enough */
1417
1418 if (is_udp)
1419 rpcstart = 0;
1420 else
1421 rpcstart = 4;
1422
1423 msg_type = pntohl(dp->cur_packet + rpcstart + 4);
1424
1425 switch (msg_type)
1426 {
1427 case RPC_REPLY:
1428 /* RPC_REPLYs don't carry an rpc program tag */
1429 /* TODO In order to be able to dissect what is it's
1430 * protocol I'd have to keep track of who sent
1431 * which call - we use the same addr for both sides */
1432 if (!(rpc_prot = find_conversation(&dp->global_dst_address,
1433 &dp->global_dst_address,
1434 dp->global_dst_port, 0)))
1435 return FALSE;
1436 decode_proto_add(dp, "ONC-RPC");
1437 decode_proto_add(dp, rpc_prot);
1438 return TRUE;
1439
1440 case RPC_CALL:
1441 rpcver = pntohl(dp->cur_packet + rpcstart + 8);
1442 if (rpcver != 2)
1443 return FALSE; /* only ONC-RPC v2 */
1444
1445 msg_program = pntohl(dp->cur_packet + rpcstart + 12);
1446 switch (msg_program)
1447 {
1448 case BOOTPARAMS_PROGRAM:
1449 rpc_prot = "BOOTPARAMS";
1450 break;
1451 case MOUNT_PROGRAM:
1452 rpc_prot = "MOUNT";
1453 break;
1454 case NLM_PROGRAM:
1455 rpc_prot = "NLM";
1456 break;
1457 case PORTMAP_PROGRAM:
1458 rpc_prot = "PORTMAP";
1459 break;
1460 case STAT_PROGRAM:
1461 rpc_prot = "STAT";
1462 break;
1463 case NFS_PROGRAM:
1464 rpc_prot = "NFS";
1465 break;
1466 case YPBIND_PROGRAM:
1467 rpc_prot = "YPBIND";
1468 break;
1469 case YPSERV_PROGRAM:
1470 rpc_prot = "YPSERV";
1471 break;
1472 case YPXFR_PROGRAM:
1473 rpc_prot = "YPXFR";
1474 break;
1475 case YPPASSWD_PROGRAM:
1476 rpc_prot = "YPPASSWD";
1477 break;
1478 case REXEC_PROGRAM:
1479 rpc_prot = "REXEC";
1480 break;
1481 case KERBPROG_PROGRAM:
1482 rpc_prot = "KERBPROG";
1483 break;
1484 default:
1485 if (msg_program >= 100000 && msg_program <= 101999)
1486 rpc_prot = "RPC-UNKNOWN";
1487 else
1488 return FALSE;
1489 break;
1490 }
1491
1492 /* Search for an already existing conversation, if not, create one
1493 using the same address for both src and dst */
1494 g_assert(rpc_prot);
1495 if (!find_conversation(&dp->global_src_address, &dp->global_src_address, dp->global_src_port, 0))
1496 add_conversation(&dp->global_src_address, &dp->global_src_address,
1497 dp->global_src_port, 0, rpc_prot);
1498
1499 decode_proto_add(dp, "ONC-RPC");
1500 decode_proto_add(dp, rpc_prot);
1501 return TRUE;
1502
1503 default:
1504 return FALSE;
1505 }
1506
1507 return FALSE;
1508 } /* get_rpc */
1509
1510 /* This function is only called from a straight llc cur_packet,
1511 * never from an IP cur_packet */
get_netbios(decode_proto_t * dp)1512 void get_netbios(decode_proto_t *dp)
1513 {
1514 #define pletohs(p) ((guint16) \
1515 ((guint16)*((guint8 *)(p)+1)<<8| \
1516 (guint16)*((guint8 *)(p)+0)<<0))
1517
1518 guint16 hdr_len;
1519
1520 /* Check that there is room for the minimum header */
1521 if (dp->cur_len < 5)
1522 return;
1523
1524 hdr_len = pletohs(dp->cur_packet);
1525
1526 /* If there is any data at all, it is SMB (or so I understand
1527 * from Ethereal's cur_packet-netbios.c */
1528
1529 if (dp->cur_len > hdr_len)
1530 decode_proto_add(dp, "SMB");
1531 } /* get_netbios */
1532
get_netbios_ssn(decode_proto_t * dp)1533 void get_netbios_ssn(decode_proto_t *dp)
1534 {
1535 #define SESSION_MESSAGE 0
1536 guint8 mesg_type;
1537
1538 decode_proto_add(dp, "NETBIOS-SSN");
1539
1540 mesg_type = dp->cur_packet[0];
1541
1542 if (mesg_type == SESSION_MESSAGE)
1543 decode_proto_add(dp, "SMB");
1544
1545 /* TODO Calculate new dp->offset whenever we have
1546 * a "dissector" for a higher protocol */
1547 } /* get_netbions_ssn */
1548
get_netbios_dgm(decode_proto_t * dp)1549 void get_netbios_dgm(decode_proto_t *dp)
1550 {
1551 guint8 mesg_type;
1552
1553 decode_proto_add(dp, "NETBIOS-DGM");
1554
1555 mesg_type = dp->cur_packet[0];
1556
1557 /* Magic numbers copied from ethereal, as usual
1558 * They mean Direct (unique|group|broadcast) datagram */
1559 if (mesg_type == 0x10 || mesg_type == 0x11 || mesg_type == 0x12)
1560 decode_proto_add(dp, "SMB");
1561
1562 /* TODO Calculate new dp->offset whenever we have
1563 * a "dissector" for a higher protocol */
1564 } /* get_netbios_dgm */
1565
get_ftp(decode_proto_t * dp)1566 void get_ftp(decode_proto_t *dp)
1567 {
1568 gchar *mesg = NULL;
1569 gchar *str;
1570 guint hi_byte, low_byte;
1571 guint16 server_port;
1572 guint size = dp->cur_len;
1573 guint i = 0;
1574
1575 decode_proto_add(dp, "FTP");
1576 if (dp->cur_len < 3)
1577 return; /* not big enough */
1578
1579 if ((gchar)dp->cur_packet[0] != '2' ||
1580 (gchar)dp->cur_packet[1] != '2' ||
1581 (gchar)dp->cur_packet[2] != '7')
1582 return;
1583
1584 /* We have a passive message. Get the port */
1585 mesg = g_malloc(size + 1);
1586 g_assert(mesg);
1587
1588 memcpy(mesg, dp->cur_packet, size);
1589 mesg[size] = '\0';
1590
1591 g_my_debug("Found FTP passive command: %s", mesg);
1592
1593 str = strtok(mesg, "(,)");
1594 g_my_debug("FTP Token: %s", str ? str : "NULL");
1595 for (i = 0; i < 4 && str; i++) {
1596 str = strtok(NULL, "(,)");
1597 g_my_debug("FTP Token: %s", str ? str : "NULL");
1598 }
1599
1600 str = strtok(NULL, "(,)");
1601 g_my_debug("FTP Token: %s", str ? str : "NULL");
1602 if (!str || !sscanf(str, "%d", &hi_byte)) {
1603 g_free(mesg);
1604 return;
1605 }
1606 str = strtok(NULL, "(,)");
1607 g_my_debug("FTP Token: %s", str ? str : "NULL");
1608 if (!str || !sscanf(str, "%d", &low_byte)) {
1609 g_free(mesg);
1610 return;
1611 }
1612
1613 server_port = hi_byte * 256 + low_byte;
1614 g_my_debug("FTP Hi: %d. Low: %d. Passive port is %d", hi_byte, low_byte,
1615 server_port);
1616
1617 /* A port number zero means any port */
1618 add_conversation(&dp->global_src_address, &dp->global_dst_address,
1619 server_port, 0, "FTP-PASSIVE");
1620
1621 g_free(mesg);
1622 }
1623
1624 /* Given two port numbers, it returns the
1625 * one that is a privileged port if the other
1626 * is not. If not, just returns the lower numbered */
choose_port(guint16 a,guint16 b)1627 static guint16 choose_port(guint16 a, guint16 b)
1628 {
1629 guint ret;
1630
1631 if ((a < 1024) && (b >= 1024))
1632 ret = a;
1633 else if ((a >= 1024) && (b < 1024))
1634 ret = b;
1635 else if (a <= b)
1636 ret = a;
1637 else
1638 ret = b;
1639
1640 return ret;
1641 } /* choose_port */
1642
append_etype_prot(decode_proto_t * dp,etype_t etype)1643 static void append_etype_prot(decode_proto_t *dp, etype_t etype)
1644 {
1645 switch (etype)
1646 {
1647 case ETHERTYPE_IP:
1648 decode_proto_add(dp, "IP");
1649 break;
1650 case ETHERTYPE_ARP:
1651 decode_proto_add(dp, "ARP");
1652 break;
1653 case ETHERTYPE_IPv6:
1654 decode_proto_add(dp, "IPV6");
1655 break;
1656 case ETHERTYPE_X25L3:
1657 decode_proto_add(dp, "X25L3");
1658 break;
1659 case ETHERTYPE_REVARP:
1660 decode_proto_add(dp, "REVARP");
1661 break;
1662 case ETHERTYPE_ATALK:
1663 decode_proto_add(dp, "ATALK");
1664 break;
1665 case ETHERTYPE_AARP:
1666 decode_proto_add(dp, "AARP");
1667 break;
1668 case ETHERTYPE_IPX:
1669 break;
1670 case ETHERTYPE_VINES:
1671 decode_proto_add(dp, "VINES");
1672 break;
1673 case ETHERTYPE_TRAIN:
1674 decode_proto_add(dp, "TRAIN");
1675 break;
1676 case ETHERTYPE_LOOP:
1677 decode_proto_add(dp, "LOOP");
1678 break;
1679 case ETHERTYPE_PPPOED:
1680 decode_proto_add(dp, "PPPOED");
1681 break;
1682 case ETHERTYPE_PPPOES:
1683 decode_proto_add(dp, "PPPOES");
1684 break;
1685 case ETHERTYPE_VLAN:
1686 decode_proto_add(dp, "VLAN");
1687 break;
1688 case ETHERTYPE_SNMP:
1689 decode_proto_add(dp, "SNMP");
1690 break;
1691 case ETHERTYPE_DNA_DL:
1692 decode_proto_add(dp, "DNA-DL");
1693 break;
1694 case ETHERTYPE_DNA_RC:
1695 decode_proto_add(dp, "DNA-RC");
1696 break;
1697 case ETHERTYPE_DNA_RT:
1698 decode_proto_add(dp, "DNA-RT");
1699 break;
1700 case ETHERTYPE_DEC:
1701 decode_proto_add(dp, "DEC");
1702 break;
1703 case ETHERTYPE_DEC_DIAG:
1704 decode_proto_add(dp, "DEC-DIAG");
1705 break;
1706 case ETHERTYPE_DEC_CUST:
1707 decode_proto_add(dp, "DEC-CUST");
1708 break;
1709 case ETHERTYPE_DEC_SCA:
1710 decode_proto_add(dp, "DEC-SCA");
1711 break;
1712 case ETHERTYPE_DEC_LB:
1713 decode_proto_add(dp, "DEC-LB");
1714 break;
1715 case ETHERTYPE_MPLS:
1716 decode_proto_add(dp, "MPLS");
1717 break;
1718 case ETHERTYPE_MPLS_MULTI:
1719 decode_proto_add(dp, "MPLS-MULTI");
1720 break;
1721 case ETHERTYPE_LAT:
1722 decode_proto_add(dp, "LAT");
1723 break;
1724 case ETHERTYPE_PPP:
1725 decode_proto_add(dp, "PPP");
1726 break;
1727 case ETHERTYPE_WCP:
1728 decode_proto_add(dp, "WCP");
1729 break;
1730 case ETHERTYPE_3C_NBP_DGRAM:
1731 decode_proto_add(dp, "3C-NBP-DGRAM");
1732 break;
1733 case ETHERTYPE_ETHBRIDGE:
1734 decode_proto_add(dp, "ETHBRIDGE");
1735 break;
1736 case ETHERTYPE_UNK:
1737 decode_proto_add(dp, "ETH_UNKNOWN");
1738 }
1739 } /* append_etype_prot */
1740
1741