1 /* 2 * Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997 3 * The Regents of the University of California. All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that: (1) source code distributions 7 * retain the above copyright notice and this paragraph in its entirety, (2) 8 * distributions including binary code include the above copyright notice and 9 * this paragraph in its entirety in the documentation or other materials 10 * provided with the distribution, and (3) all advertising materials mentioning 11 * features or use of this software display the following acknowledgement: 12 * ``This product includes software developed by the University of California, 13 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of 14 * the University nor the names of its contributors may be used to endorse 15 * or promote products derived from this software without specific prior 16 * written permission. 17 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED 18 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF 19 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 20 */ 21 22 #include <sys/cdefs.h> 23 #ifndef lint 24 __RCSID("$NetBSD: print-sll.c,v 1.6 2015/03/31 21:59:35 christos Exp $"); 25 #endif 26 27 #define NETDISSECT_REWORKED 28 #ifdef HAVE_CONFIG_H 29 #include "config.h" 30 #endif 31 32 #include <tcpdump-stdinc.h> 33 34 #include "interface.h" 35 #include "addrtoname.h" 36 #include "ethertype.h" 37 #include "extract.h" 38 39 #include "ether.h" 40 41 /* 42 * For captures on Linux cooked sockets, we construct a fake header 43 * that includes: 44 * 45 * a 2-byte "packet type" which is one of: 46 * 47 * LINUX_SLL_HOST packet was sent to us 48 * LINUX_SLL_BROADCAST packet was broadcast 49 * LINUX_SLL_MULTICAST packet was multicast 50 * LINUX_SLL_OTHERHOST packet was sent to somebody else 51 * LINUX_SLL_OUTGOING packet was sent *by* us; 52 * 53 * a 2-byte Ethernet protocol field; 54 * 55 * a 2-byte link-layer type; 56 * 57 * a 2-byte link-layer address length; 58 * 59 * an 8-byte source link-layer address, whose actual length is 60 * specified by the previous value. 61 * 62 * All fields except for the link-layer address are in network byte order. 63 * 64 * DO NOT change the layout of this structure, or change any of the 65 * LINUX_SLL_ values below. If you must change the link-layer header 66 * for a "cooked" Linux capture, introduce a new DLT_ type (ask 67 * "tcpdump-workers@lists.tcpdump.org" for one, so that you don't give it 68 * a value that collides with a value already being used), and use the 69 * new header in captures of that type, so that programs that can 70 * handle DLT_LINUX_SLL captures will continue to handle them correctly 71 * without any change, and so that capture files with different headers 72 * can be told apart and programs that read them can dissect the 73 * packets in them. 74 * 75 * This structure, and the #defines below, must be the same in the 76 * libpcap and tcpdump versions of "sll.h". 77 */ 78 79 /* 80 * A DLT_LINUX_SLL fake link-layer header. 81 */ 82 #define SLL_HDR_LEN 16 /* total header length */ 83 #define SLL_ADDRLEN 8 /* length of address field */ 84 85 struct sll_header { 86 uint16_t sll_pkttype; /* packet type */ 87 uint16_t sll_hatype; /* link-layer address type */ 88 uint16_t sll_halen; /* link-layer address length */ 89 uint8_t sll_addr[SLL_ADDRLEN]; /* link-layer address */ 90 uint16_t sll_protocol; /* protocol */ 91 }; 92 93 /* 94 * The LINUX_SLL_ values for "sll_pkttype"; these correspond to the 95 * PACKET_ values on Linux, but are defined here so that they're 96 * available even on systems other than Linux, and so that they 97 * don't change even if the PACKET_ values change. 98 */ 99 #define LINUX_SLL_HOST 0 100 #define LINUX_SLL_BROADCAST 1 101 #define LINUX_SLL_MULTICAST 2 102 #define LINUX_SLL_OTHERHOST 3 103 #define LINUX_SLL_OUTGOING 4 104 105 /* 106 * The LINUX_SLL_ values for "sll_protocol"; these correspond to the 107 * ETH_P_ values on Linux, but are defined here so that they're 108 * available even on systems other than Linux. We assume, for now, 109 * that the ETH_P_ values won't change in Linux; if they do, then: 110 * 111 * if we don't translate them in "pcap-linux.c", capture files 112 * won't necessarily be readable if captured on a system that 113 * defines ETH_P_ values that don't match these values; 114 * 115 * if we do translate them in "pcap-linux.c", that makes life 116 * unpleasant for the BPF code generator, as the values you test 117 * for in the kernel aren't the values that you test for when 118 * reading a capture file, so the fixup code run on BPF programs 119 * handed to the kernel ends up having to do more work. 120 * 121 * Add other values here as necessary, for handling packet types that 122 * might show up on non-Ethernet, non-802.x networks. (Not all the ones 123 * in the Linux "if_ether.h" will, I suspect, actually show up in 124 * captures.) 125 */ 126 #define LINUX_SLL_P_802_3 0x0001 /* Novell 802.3 frames without 802.2 LLC header */ 127 #define LINUX_SLL_P_802_2 0x0004 /* 802.2 frames (not D/I/X Ethernet) */ 128 129 static const struct tok sll_pkttype_values[] = { 130 { LINUX_SLL_HOST, "In" }, 131 { LINUX_SLL_BROADCAST, "B" }, 132 { LINUX_SLL_MULTICAST, "M" }, 133 { LINUX_SLL_OTHERHOST, "P" }, 134 { LINUX_SLL_OUTGOING, "Out" }, 135 { 0, NULL} 136 }; 137 138 static inline void 139 sll_print(netdissect_options *ndo, register const struct sll_header *sllp, u_int length) 140 { 141 u_short ether_type; 142 143 ND_PRINT((ndo, "%3s ",tok2str(sll_pkttype_values,"?",EXTRACT_16BITS(&sllp->sll_pkttype)))); 144 145 /* 146 * XXX - check the link-layer address type value? 147 * For now, we just assume 6 means Ethernet. 148 * XXX - print others as strings of hex? 149 */ 150 if (EXTRACT_16BITS(&sllp->sll_halen) == 6) 151 ND_PRINT((ndo, "%s ", etheraddr_string(ndo, sllp->sll_addr))); 152 153 if (!ndo->ndo_qflag) { 154 ether_type = EXTRACT_16BITS(&sllp->sll_protocol); 155 156 if (ether_type <= ETHERMTU) { 157 /* 158 * Not an Ethernet type; what type is it? 159 */ 160 switch (ether_type) { 161 162 case LINUX_SLL_P_802_3: 163 /* 164 * Ethernet_802.3 IPX frame. 165 */ 166 ND_PRINT((ndo, "802.3")); 167 break; 168 169 case LINUX_SLL_P_802_2: 170 /* 171 * 802.2. 172 */ 173 ND_PRINT((ndo, "802.2")); 174 break; 175 176 default: 177 /* 178 * What is it? 179 */ 180 ND_PRINT((ndo, "ethertype Unknown (0x%04x)", 181 ether_type)); 182 break; 183 } 184 } else { 185 ND_PRINT((ndo, "ethertype %s (0x%04x)", 186 tok2str(ethertype_values, "Unknown", ether_type), 187 ether_type)); 188 } 189 ND_PRINT((ndo, ", length %u: ", length)); 190 } 191 } 192 193 /* 194 * This is the top level routine of the printer. 'p' points to the 195 * Linux "cooked capture" header of the packet, 'h->ts' is the timestamp, 196 * 'h->len' is the length of the packet off the wire, and 'h->caplen' 197 * is the number of bytes actually captured. 198 */ 199 u_int 200 sll_if_print(netdissect_options *ndo, const struct pcap_pkthdr *h, const u_char *p) 201 { 202 u_int caplen = h->caplen; 203 u_int length = h->len; 204 register const struct sll_header *sllp; 205 u_short ether_type; 206 u_short extracted_ethertype; 207 208 if (caplen < SLL_HDR_LEN) { 209 /* 210 * XXX - this "can't happen" because "pcap-linux.c" always 211 * adds this many bytes of header to every packet in a 212 * cooked socket capture. 213 */ 214 ND_PRINT((ndo, "[|sll]")); 215 return (caplen); 216 } 217 218 sllp = (const struct sll_header *)p; 219 220 if (ndo->ndo_eflag) 221 sll_print(ndo, sllp, length); 222 223 /* 224 * Go past the cooked-mode header. 225 */ 226 length -= SLL_HDR_LEN; 227 caplen -= SLL_HDR_LEN; 228 p += SLL_HDR_LEN; 229 230 ether_type = EXTRACT_16BITS(&sllp->sll_protocol); 231 232 recurse: 233 /* 234 * Is it (gag) an 802.3 encapsulation, or some non-Ethernet 235 * packet type? 236 */ 237 if (ether_type <= ETHERMTU) { 238 /* 239 * Yes - what type is it? 240 */ 241 switch (ether_type) { 242 243 case LINUX_SLL_P_802_3: 244 /* 245 * Ethernet_802.3 IPX frame. 246 */ 247 ipx_print(ndo, p, length); 248 break; 249 250 case LINUX_SLL_P_802_2: 251 /* 252 * 802.2. 253 * Try to print the LLC-layer header & higher layers. 254 */ 255 if (llc_print(ndo, p, length, caplen, NULL, NULL, 256 &extracted_ethertype) == 0) 257 goto unknown; /* unknown LLC type */ 258 break; 259 260 default: 261 extracted_ethertype = 0; 262 /*FALLTHROUGH*/ 263 264 unknown: 265 /* ether_type not known, print raw packet */ 266 if (!ndo->ndo_eflag) 267 sll_print(ndo, sllp, length + SLL_HDR_LEN); 268 if (extracted_ethertype) { 269 ND_PRINT((ndo, "(LLC %s) ", 270 etherproto_string(htons(extracted_ethertype)))); 271 } 272 if (!ndo->ndo_suppress_default_print) 273 ND_DEFAULTPRINT(p, caplen); 274 break; 275 } 276 } else if (ether_type == ETHERTYPE_8021Q) { 277 /* 278 * Print VLAN information, and then go back and process 279 * the enclosed type field. 280 */ 281 if (caplen < 4 || length < 4) { 282 ND_PRINT((ndo, "[|vlan]")); 283 return (SLL_HDR_LEN); 284 } 285 if (ndo->ndo_eflag) { 286 uint16_t tag = EXTRACT_16BITS(p); 287 288 ND_PRINT((ndo, "%s, ", ieee8021q_tci_string(tag))); 289 } 290 291 ether_type = EXTRACT_16BITS(p + 2); 292 if (ether_type <= ETHERMTU) 293 ether_type = LINUX_SLL_P_802_2; 294 if (!ndo->ndo_qflag) { 295 ND_PRINT((ndo, "ethertype %s, ", 296 tok2str(ethertype_values, "Unknown", ether_type))); 297 } 298 p += 4; 299 length -= 4; 300 caplen -= 4; 301 goto recurse; 302 } else { 303 if (ethertype_print(ndo, ether_type, p, length, caplen) == 0) { 304 /* ether_type not known, print raw packet */ 305 if (!ndo->ndo_eflag) 306 sll_print(ndo, sllp, length + SLL_HDR_LEN); 307 if (!ndo->ndo_suppress_default_print) 308 ND_DEFAULTPRINT(p, caplen); 309 } 310 } 311 312 return (SLL_HDR_LEN); 313 } 314