1 /* packet-pcap_pktdata.c 2 * Dissect packet data from a pcap or pcapng file or from a "remote pcap" 3 * protocol. 4 * 5 * Copyright 2015, Michal Labedzki for Tieto Corporation 6 * 7 * Wireshark - Network traffic analyzer 8 * By Gerald Combs <gerald@wireshark.org> 9 * Copyright 1998 Gerald Combs 10 * 11 * SPDX-License-Identifier: GPL-2.0-or-later 12 */ 13 14 #include "config.h" 15 16 #include <epan/packet.h> 17 #include <epan/expert.h> 18 19 #include <wiretap/wtap.h> 20 #include <wiretap/pcap-encap.h> 21 22 #include <epan/dissectors/packet-pcap_pktdata.h> 23 24 void proto_register_pcap_pktdata(void); 25 void proto_reg_handoff_pcap_pktdata(void); 26 27 static int proto_pcap_pktdata = -1; 28 29 static int hf_pcap_pktdata_pseudoheader = -1; 30 static int hf_pcap_pktdata_pseudoheader_bluetooth_direction = -1; 31 static int hf_pcap_pktdata_undecoded_data = -1; 32 33 static gint ett_pcap_pktdata_pseudoheader = -1; 34 35 static expert_field ei_pcap_pktdata_linktype_unknown = EI_INIT; 36 static expert_field ei_pcap_pktdata_cant_generate_phdr = EI_INIT; 37 38 static dissector_table_t wtap_encap_table; 39 40 /* 41 * Link-layer header type values. 42 * 43 * Includes both the official documented values from 44 * 45 * http://www.tcpdump.org/linktypes.html 46 * 47 * and values not listed there. The names are, in most cases, the 48 * LINKTYPE_ names with LINKTYPE_ stripped off. 49 */ 50 const value_string link_type_vals[] = { SolutionAnalysis()51 { 0, "NULL" }, 52 { 1, "ETHERNET" }, 53 { 2, "EXP_ETHERNET" }, /* 3Mb experimental Ethernet */ 54 { 3, "AX25" }, 55 { 4, "PRONET" }, /* Proteon PRONET */ 56 { 5, "CHAOS" }, /* MIT Chaosnet */ 57 { 6, "IEEE802_5" }, 58 { 7, "ARCNET_BSD" }, 59 { 8, "SLIP" }, SolutionAnalysis(const SolutionAnalysis & rhs)60 { 9, "PPP" }, 61 { 10, "FDDI" }, 62 { 32, "REDBACK" }, /* Redback SmartEdge 400/800 */ 63 { 50, "PPP_HDLC" }, 64 { 51, "PPP_ETHER" }, 65 { 99, "SYMANTEC_FIREWALL" }, 66 { 100, "ATM_RFC1483" }, 67 { 101, "RAW" }, 68 { 102, "BSD/OS SLIP" }, ~SolutionAnalysis()69 { 103, "BSD/OS PPP" }, 70 { 104, "C_HDLC" }, 71 { 105, "IEEE802_11" }, 72 { 106, "LINUX_ATM_CLIP" }, 73 { 107, "FRELAY" }, 74 { 108, "LOOP" }, 75 { 109, "ENC" }, 76 { 110, "LANE8023" }, /* ATM LANE + 802.3 */ 77 { 111, "HIPPI" }, /* NetBSD HIPPI */ operator =(const SolutionAnalysis & rhs)78 { 112, "HDLC" }, /* NetBSD HDLC framing */ 79 { 113, "LINUX_SLL" }, 80 { 114, "LTALK" }, 81 { 115, "ECONET" }, /* Acorn Econet */ 82 { 116, "IPFILTER" }, /* Reserved for use with OpenBSD ipfilter */ 83 { 117, "PFLOG" }, 84 { 118, "CISCO_IOS" }, /* for Cisco-internal use */ 85 { 119, "IEEE802_11_PRISM" }, 86 { 120, "IEEE802_11_AIRONET" }, /* 802.11 plus FreeBSD Aironet drive metadata header */ 87 { 121, "HHDLC" }, /* reserved for Siemens HiPath HDLC - never used */ 88 { 122, "IP_OVER_FC" }, 89 { 123, "SUNATM" }, 90 { 124, "RIO" }, /* Private use for RapidIO */ 91 { 125, "PCI_EXP" }, /* Private use for PCI Express */ 92 { 126, "AURORA" }, /* Xilinx Aurora link layer */ getKktViolation(QProblemB * const qp,real_t * const maxStat,real_t * const maxFeas,real_t * const maxCmpl) const93 { 127, "IEEE802_11_RADIOTAP" }, 94 { 128, "TZSP" }, /* reserved for TZSP encapsulation - never used */ 95 { 129, "ARCNET_LINUX" }, 96 { 130, "JUNIPER_MLPPP" }, /* Juniper-private, but handled by tcpdump and Wireshark */ 97 { 131, "JUNIPER_MLFR" }, /* Juniper-private, but handled by tcpdump and Wireshark */ 98 { 132, "JUNIPER_ES" }, /* Juniper-private, but handled by tcpdump */ 99 { 133, "JUNIPER_GGSN" }, /* Juniper-private, but handled by tcpdump and Wireshark */ 100 { 134, "JUNIPER_MFR" }, /* Juniper-private, but handled by tcpdump and Wireshark */ 101 { 135, "JUNIPER_ATM2" }, /* Juniper-private, but handled by tcpdump and Wireshark */ 102 { 136, "JUNIPER_SVCS" }, /* Juniper-private, but handled by tcpdump and Wireshark */ 103 { 137, "JUNIPER_ATM1" }, /* Juniper-private, but handled by tcpdump and Wireshark */ 104 { 138, "APPLE_IP_OVER_IEEE1394" }, 105 { 139, "MTP2_WITH_PHDR" }, 106 { 140, "MTP2" }, 107 { 141, "MTP3" }, 108 { 142, "SCCP" }, 109 { 143, "DOCSIS" }, 110 { 144, "LINUX_IRDA" }, 111 { 145, "IBM_SP" }, /* Reserved for IBM SP switch */ 112 { 146, "IBM_SN" }, /* Reserved for IBM Next Federation switch */ 113 { 147, "USER_0" }, 114 { 148, "USER_1" }, 115 { 149, "USER_2" }, 116 { 150, "USER_3" }, 117 { 151, "USER_4" }, 118 { 152, "USER_5" }, 119 { 153, "USER_6" }, 120 { 154, "USER_7" }, 121 { 155, "USER_8" }, 122 { 156, "USER_9" }, 123 { 157, "USER_10" }, 124 { 158, "USER_11" }, 125 { 159, "USER_12" }, 126 { 160, "USER_13" }, 127 { 161, "USER_14" }, 128 { 162, "USER_15" }, 129 { 163, "IEEE802_11_AVS" }, 130 { 164, "JUNIPER_MONITOR" }, /* Juniper-private, but handled by tcpdump */ 131 { 165, "BACNET_MS_TP" }, 132 { 166, "PPP_PPPD" }, 133 { 167, "JUNIPER_PPPOE" }, /* Juniper-private, but handled by tcpdump and Wireshark */ 134 { 168, "JUNIPER_PPPOE_ATM" }, /* Juniper-private, but handled by tcpdump */ 135 { 169, "GPRS_LLC" }, 136 { 170, "GPF_T" }, /* GPF-T (ITU-T G.7041/Y.1303) */ 137 { 171, "GPF_F" }, /* GPF-F (ITU-T G.7041/Y.1303) */ 138 { 172, "GCOM_TIE1" }, /* Reserved for Gcom's T1/E1 line monitoring equipment */ 139 { 173, "GCOM_SERIAL" }, /* Reserved for Gcom's T1/E1 line monitoring equipment */ 140 { 174, "JUNIPER_PIC_PEER" }, /* Juniper-private */ 141 { 175, "ERF_ETH" }, /* ERF header followed by Ethernet */ 142 { 176, "ERF_POS" }, /* ERF header followed by Packet-over-SONET */ 143 { 177, "LINUX_LAPD" }, 144 { 178, "JUNIPER_ETHER" }, /* Juniper-private, but handled by tcpdump and Wireshark */ 145 { 179, "JUNIPER_PPP" }, /* Juniper-private, but handled by tcpdump and Wireshark */ 146 { 180, "JUNIPER_FRELAY" }, /* Juniper-private, but handled by tcpdump and Wireshark */ 147 { 181, "JUNIPER_CHDLC" }, /* Juniper-private, but handled by tcpdump and Wireshark */ 148 { 182, "MFR" }, /* Multi Link Frame Relay (FRF.16) */ 149 { 183, "JUNIPER_VP" }, /* Juniper-private, but handled by tcpdump and Wireshark */ 150 { 184, "A429" }, /* Arinc 429 frames */ 151 { 185, "A653_ICM" }, /* Aricn 653 Interpartition Communication messages */ 152 { 186, "USB" }, /* Older USB header */ 153 { 187, "BLUETOOTH_HCI_H4" }, 154 { 188, "IEEE802_16_MAC_CPS" }, /* IEEE 802.16 MAC Common Part Sublayer */ 155 { 189, "USB_LINUX" }, 156 { 190, "CAN20B" }, /* CAN v2.0B packets */ 157 { 191, "IEEE802_15_4_LINUX" }, /* IEEE 802.15.4, with address fields padded, as is done by Linux drivers */ 158 { 192, "PPI" }, 159 { 193, "IEEE802_16_MAC_CPS_RADIO" }, /* 802.16 MAC Common Part Sublayer plus a radiotap radio header */ 160 { 194, "JUNIPER_ISM" }, /* Juniper-private */ 161 { 195, "IEEE802_15_4" }, 162 { 196, "SITA" }, 163 { 197, "ERF" }, 164 { 198, "RAIF1" }, /* Special header prepended to Ethernet packets when capturing from a u10 Networks board */ 165 { 199, "IPMB" }, /* IPMB packet for IPMI */ getKktViolation(QProblem * const qp,real_t * const maxStat,real_t * const maxFeas,real_t * const maxCmpl) const166 { 200, "JUNIPER_ST" }, /* Juniper-private */ 167 { 201, "BLUETOOTH_HCI_H4_WITH_PHDR" }, 168 { 202, "AX25_KISS" }, 169 { 203, "LAPD" }, 170 { 204, "PPP_WITH_DIR" }, 171 { 205, "C_HDLC_WITH_DIR" }, 172 { 206, "FRELAY_WITH_DIR" }, 173 { 207, "LAPB_WITH_DIR" }, /* LAPB with direction pseudo-header */ 174 { 209, "IPMB_LINUX" }, 175 { 210, "FLEXRAY" }, /* FlexRay automotive bus */ 176 { 211, "MOST" }, /* Media Oriented Systems Transport */ 177 { 212, "LIN" }, /* Local Interconnect Network */ 178 { 213, "X2E_SERIAL" }, /* X2E-private for serial line capture */ 179 { 214, "X2E_XORAYA" }, /* X2E-private for Xoraya data logger family */ 180 { 215, "IEEE802_15_4_NONASK_PHY" }, 181 { 216, "LINUX_EVDEV" }, /* Linux evdev messages */ 182 { 217, "GSMTAP_UM" }, /* "gsmtap" header followed by GSM Um interface packets */ 183 { 218, "GSMTAP_UM" }, /* "gsmtap" header followed by GSM Abis interface packets */ 184 { 219, "MPLS" }, /* MPLS label (stack?) as the link-layer header */ 185 { 220, "USB_LINUX_MMAPPED" }, 186 { 221, "DECT" }, /* DECT packets, with a pseudo-header */ 187 { 222, "AOS" }, /* AOS Space Data Link Protocol */ 188 { 223, "WIHART" }, /* Wireless HART */ 189 { 224, "FC_2" }, 190 { 225, "FC_2_WITH_FRAME_DELIMS" }, 191 { 226, "IPNET" }, 192 { 227, "CAN_SOCKETCAN" }, 193 { 228, "IPV4" }, 194 { 229, "IPV6" }, 195 { 230, "IEEE802_15_4_NOFCS" }, 196 { 231, "DBUS" }, 197 { 232, "JUNIPER_VS" }, /* Juniper-private */ 198 { 233, "JUNIPER_SRX_E2E" }, /* Juniper-private */ 199 { 234, "JUNIPER_FIBRECHANNEL" }, /* Juniper-private */ 200 { 235, "DVB_CI" }, 201 { 236, "MUX27010" }, 202 { 237, "STANAG_5066_D_PDU" }, 203 { 238, "JUNIPER_ATM_CEMIC" }, /* Juniper-private */ 204 { 239, "NFLOG" }, 205 { 240, "NETANALYZER" }, 206 { 241, "NETANALYZER_TRANSPARENT" }, 207 { 242, "IPOIB" }, 208 { 243, "MPEG_2_TS" }, 209 { 244, "NG40" }, 210 { 245, "NFC_LLCP" }, 211 { 246, "PFSYNC" }, 212 { 247, "INFINIBAND" }, 213 { 248, "SCTP" }, 214 { 249, "USBPCAP" }, 215 { 250, "RTAC_SERIAL" }, 216 { 251, "BLUETOOTH_LE_LL" }, 217 { 252, "WIRESHARK_UPPER_PDU" }, /* Upper-layer protocol saves from Wireshark */ 218 { 253, "NETLINK" }, 219 { 254, "BLUETOOTH_LINUX_MONITOR" }, 220 { 255, "BLUETOOTH_BREDR_BB" }, 221 { 256, "BLUETOOTH_LE_LL_WITH_PHDR" }, 222 { 257, "PROFIBUS_DL" }, 223 { 258, "PKTAP" }, 224 { 259, "EPON" }, 225 { 260, "IPMI_HPM_2" }, 226 { 261, "ZWAVE_R1_R2" }, 227 { 262, "ZWAVE_R3" }, 228 { 263, "WATTSTOPPER_DLM" }, 229 { 264, "ISO_14443" }, 230 { 265, "RDS" }, 231 { 266, "USB_DARWIN" }, 232 { 267, "OPENFLOW" }, 233 { 268, "SDLC" }, 234 { 269, "TI_LLN_SNIFFER" }, 235 { 270, "LORATAP" }, 236 { 271, "VSOCK" }, 237 { 272, "NORDIC_BLE" }, 238 { 273, "DOCSIS31_XRA31" }, 239 { 274, "ETHERNET_MPACKET" }, 240 { 275, "DISPLAYPORT_AUX" }, 241 { 276, "LINUX_SLL2" }, 242 { 277, "SERCOS_MONITOR" }, 243 { 278, "OPENVIZSLA" }, 244 { 279, "EBHSCR" }, 245 { 280, "VPP_DISPATCH" }, 246 { 281, "DSA_TAG_BRCM" }, 247 { 282, "DSA_TAG_BRCM_PREPEND" }, 248 { 283, "IEEE802_15_4_TAP" }, 249 { 0, NULL } 250 }; 251 252 static const value_string pseudoheader_bluetooth_direction_vals[] = { getKktViolation(SQProblem * const qp,real_t * const maxStat,real_t * const maxFeas,real_t * const maxCmpl) const253 { 0, "Sent" }, 254 { 1, "Recv" }, 255 { 0, NULL } 256 }; 257 258 static int 259 dissect_pcap_pktdata(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data) 260 { 261 gint offset = 0; 262 guint32 *link_type; 263 tvbuff_t *next_tvb; 264 proto_item *pseudoheader_item; getVarianceCovariance(QProblemB * const qp,const real_t * const g_b_bA_VAR,real_t * const Primal_Dual_VAR) const265 proto_tree *pseudoheader_tree = NULL; 266 proto_item *packet_item; 267 struct eth_phdr eth; 268 void *phdr; 269 270 DISSECTOR_ASSERT(data); 271 272 link_type = (guint32 *) data; 273 274 /* 275 * We're passed a pointer to a LINKTYPE_ value. getVarianceCovariance(QProblem * qp,const real_t * const g_b_bA_VAR,real_t * const Primal_Dual_VAR) const276 * Find the Wiretap encapsulation for that value. 277 */ 278 pinfo->rec->rec_header.packet_header.pkt_encap = wtap_pcap_encap_to_wtap_encap(*link_type); 279 280 /* 281 * Do we know that type? 282 */ 283 if (pinfo->rec->rec_header.packet_header.pkt_encap == WTAP_ENCAP_UNKNOWN) { 284 /* 285 * Nothing we know. 286 * Just report that and give up. 287 */ 288 packet_item = proto_tree_add_item(tree, hf_pcap_pktdata_undecoded_data, tvb, offset, tvb_reported_length(tvb), ENC_NA); 289 expert_add_info_format(pinfo, packet_item, 290 &ei_pcap_pktdata_linktype_unknown, 291 "Link-layer header type %u is not supported", 292 *link_type); 293 return tvb_captured_length(tvb); 294 } 295 296 /* 297 * You can't just call an arbitrary subdissector based on a 298 * WTAP_ENCAP_ value, because they may expect a particular 299 * pseudo-header to be passed to them, and may not accept 300 * a null pseudo-header pointer. 301 * 302 * First, check whether this WTAP_ENCAP_ value corresponds 303 * to a link-layer header type where Wiretap generates a 304 * pseudo-header from the bytes at the beginning of the 305 * packet data. 306 */ 307 if (wtap_encap_requires_phdr(pinfo->rec->rec_header.packet_header.pkt_encap)) { 308 /* 309 * It does. Do we have code to do that? 310 */ 311 switch (pinfo->rec->rec_header.packet_header.pkt_encap) { 312 313 case WTAP_ENCAP_BLUETOOTH_H4_WITH_PHDR: 314 pseudoheader_item = proto_tree_add_item(tree, hf_pcap_pktdata_pseudoheader, tvb, offset, 4, ENC_NA); 315 pseudoheader_tree = proto_item_add_subtree(pseudoheader_item, ett_pcap_pktdata_pseudoheader); 316 proto_tree_add_item(pseudoheader_tree, hf_pcap_pktdata_pseudoheader_bluetooth_direction, tvb, offset, 4, ENC_BIG_ENDIAN); 317 if (tvb_get_guint32(tvb, offset, ENC_BIG_ENDIAN) == 0) 318 pinfo->p2p_dir = P2P_DIR_SENT; 319 else if (tvb_get_guint32(tvb, offset, ENC_BIG_ENDIAN) == 1) 320 pinfo->p2p_dir = P2P_DIR_RECV; 321 else 322 pinfo->p2p_dir = P2P_DIR_UNKNOWN; 323 offset += 4; 324 phdr = NULL; 325 break; 326 327 case WTAP_ENCAP_ATM_PDUS: 328 /* TODO */ 329 case WTAP_ENCAP_IRDA: 330 /* TODO */ 331 case WTAP_ENCAP_MTP2_WITH_PHDR: 332 /* TODO no description for pseudoheader at http://www.tcpdump.org/linktypes.html */ 333 case WTAP_ENCAP_LINUX_LAPD: 334 /* TODO */ 335 case WTAP_ENCAP_SITA: 336 /* TODO */ 337 case WTAP_ENCAP_BLUETOOTH_LINUX_MONITOR: 338 /* TODO */ 339 case WTAP_ENCAP_NFC_LLCP: 340 /* TODO */ 341 case WTAP_ENCAP_PPP_WITH_PHDR: 342 /* TODO */ 343 case WTAP_ENCAP_ERF: 344 /* TODO no description for pseudoheader at http://www.tcpdump.org/linktypes.html */ 345 case WTAP_ENCAP_I2C_LINUX: 346 /* TODO */ 347 default: 348 /* 349 * No. Give up. 350 */ 351 packet_item = proto_tree_add_item(tree, hf_pcap_pktdata_undecoded_data, tvb, offset, tvb_reported_length(tvb), ENC_NA); 352 expert_add_info_format(pinfo, packet_item, 353 &ei_pcap_pktdata_cant_generate_phdr, 354 "No pseudo-header can be generated for link-layer header type %u", 355 *link_type); 356 return tvb_captured_length(tvb); 357 } 358 } else { 359 /* 360 * These also require a pseudo-header, but it's not constructed 361 * from packet data. 362 */ 363 switch (pinfo->rec->rec_header.packet_header.pkt_encap) { 364 365 case WTAP_ENCAP_ETHERNET: 366 eth.fcs_len = -1; /* Unknown whether we have an FCS */ 367 phdr = ð 368 break; 369 370 default: 371 phdr = NULL; 372 break; 373 } 374 } 375 376 next_tvb = tvb_new_subset_remaining(tvb, offset); 377 378 offset = dissector_try_uint_new(wtap_encap_table, pinfo->rec->rec_header.packet_header.pkt_encap, next_tvb, pinfo, tree, TRUE, phdr); 379 380 return offset; 381 } 382 383 void 384 proto_register_pcap_pktdata(void) 385 { 386 static hf_register_info hf[] = { 387 { &hf_pcap_pktdata_pseudoheader, 388 { "Pseudoheader", "pcap_pktdata.data.pseudoheader", 389 FT_NONE, BASE_NONE, NULL, 0x00, 390 NULL, HFILL } 391 }, 392 { &hf_pcap_pktdata_pseudoheader_bluetooth_direction, 393 { "Direction", "pcap_pktdata.pseudoheader.bluetooth.direction", 394 FT_UINT32, BASE_HEX, VALS(pseudoheader_bluetooth_direction_vals), 0x00, 395 NULL, HFILL } 396 }, 397 { &hf_pcap_pktdata_undecoded_data, 398 { "Undecoded data", "pcap_pktdata.undecoded_data", 399 FT_NONE, BASE_NONE, NULL, 0x00, 400 NULL, HFILL } 401 }, 402 }; 403 404 static gint *ett[] = { 405 &ett_pcap_pktdata_pseudoheader, 406 }; 407 408 static ei_register_info ei[] = { 409 { &ei_pcap_pktdata_linktype_unknown, { "pcap_pktdata.linktype_unknown", PI_UNDECODED, PI_NOTE, "That link-layer header type is not supported", EXPFILL }}, 410 { &ei_pcap_pktdata_cant_generate_phdr, { "pcap_pktdata.cant_generate_phdr", PI_UNDECODED, PI_NOTE, "No pseudo-header can be generated for that link-layer header type", EXPFILL }}, 411 }; 412 413 expert_module_t *expert_pcap_pktdata; 414 415 proto_pcap_pktdata = proto_register_protocol("pcap/pcapng packet data", "pcap_pktdata", "pcap_pktdata"); 416 proto_register_field_array(proto_pcap_pktdata, hf, array_length(hf)); 417 proto_register_subtree_array(ett, array_length(ett)); 418 expert_pcap_pktdata = expert_register_protocol(proto_pcap_pktdata); 419 expert_register_field_array(expert_pcap_pktdata, ei, array_length(ei)); 420 421 register_dissector("pcap_pktdata", dissect_pcap_pktdata, proto_pcap_pktdata); 422 } 423 424 void 425 proto_reg_handoff_pcap_pktdata(void) 426 { 427 wtap_encap_table = find_dissector_table("wtap_encap"); 428 } 429