void
capture_snap(const guchar *pd, int offset, int len, packet_counts *ld)
{
guint32 oui;
guint16 etype;
if (!BYTES_ARE_IN_FRAME(offset, len, 5)) {
ld->other++;
return;
}
oui = pd[offset] << 16 | pd[offset+1] << 8 | pd[offset+2];
etype = pntohs(&pd[offset+3]);
switch (oui) {
case OUI_ENCAP_ETHER:
case OUI_CISCO_90:
case OUI_APPLE_ATALK:
/* No, I have no idea why Apple used
one of their own OUIs, rather than
OUI_ENCAP_ETHER, and an Ethernet
packet type as protocol ID, for
AppleTalk data packets - but used
OUI_ENCAP_ETHER and an Ethernet
packet type for AARP packets. */
capture_ethertype(etype, pd, offset+5, len, ld);
break;
case OUI_CISCO:
capture_ethertype(etype, pd, offset+5, len, ld);
break;
case OUI_MARVELL:
/*
* OLPC packet. The PID is an Ethertype, but
* there's a mesh header between the PID and
* the payload. (We assume the header is
* 5 bytes, for now).
*/
capture_ethertype(etype, pd, offset+5+5, len, ld);
break;
default:
ld->other++;
break;
}
}
void
capture_sll(const guchar *pd, int len, packet_counts *ld)
{
guint16 protocol;
if (!BYTES_ARE_IN_FRAME(0, len, SLL_HEADER_SIZE)) {
ld->other++;
return;
}
protocol = pntohs(&pd[14]);
if (protocol <= 1536) { /* yes, 1536 - that's how Linux does it */
/*
* "proto" is *not* a length field, it's a Linux internal
* protocol type.
*/
switch (protocol) {
case LINUX_SLL_P_802_2:
/*
* 802.2 LLC.
*/
capture_llc(pd, len, SLL_HEADER_SIZE, ld);
break;
case LINUX_SLL_P_ETHERNET:
/*
* Ethernet.
*/
capture_eth(pd, SLL_HEADER_SIZE, len, ld);
break;
case LINUX_SLL_P_802_3:
/*
* Novell IPX inside 802.3 with no 802.2 LLC
* header.
*/
capture_ipx(ld);
break;
case LINUX_SLL_P_PPPHDLC:
/*
* PPP HDLC.
*/
capture_ppp_hdlc(pd, len, SLL_HEADER_SIZE, ld);
break;
default:
ld->other++;
break;
}
} else
capture_ethertype(protocol, pd, SLL_HEADER_SIZE, len, ld);
}
void
capture_ap1394(const guchar *pd, int offset, int len, packet_counts *ld)
{
guint16 etype;
if (!BYTES_ARE_IN_FRAME(offset, len, 18)) {
ld->other++;
return;
}
/* Skip destination and source addresses */
offset += 16;
etype = pntoh16(&pd[offset]);
offset += 2;
capture_ethertype(etype, pd, offset, len, ld);
}
void
capture_eth(const guchar *pd, int offset, int len, packet_counts *ld)
{
guint16 etype, length;
int ethhdr_type; /* the type of ethernet frame */
if (!BYTES_ARE_IN_FRAME(offset, len, ETH_HEADER_SIZE)) {
ld->other++;
return;
}
etype = pntohs(&pd[offset+12]);
if (etype <= IEEE_802_3_MAX_LEN) {
/* Oh, yuck. Cisco ISL frames require special interpretation of the
destination address field; fortunately, they can be recognized by
checking the first 5 octets of the destination address, which are
01-00-0C-00-00 or 0C-00-0C-00-00 for ISL frames. */
if ((pd[offset] == 0x01 || pd[offset] == 0x0C) && pd[offset+1] == 0x00
&& pd[offset+2] == 0x0C && pd[offset+3] == 0x00
&& pd[offset+4] == 0x00) {
capture_isl(pd, offset, len, ld);
return;
}
}
/*
* If the type/length field is <= the maximum 802.3 length,
* and is not zero, this is an 802.3 frame, and it's a length
* field; it might be an Novell "raw 802.3" frame, with no
* 802.2 LLC header, or it might be a frame with an 802.2 LLC
* header.
*
* If the type/length field is >= the minimum Ethernet II length,
* this is an Ethernet II frame, and it's a type field.
*
* If the type/length field is > maximum 802.3 length and < minimum
* Ethernet II length, then this is an invalid packet.
*
* If the type/length field is zero (ETHERTYPE_UNK), this is
* a frame used internally by the Cisco MDS switch to contain
* Fibre Channel ("Vegas"). We treat that as an Ethernet II
* frame; the dissector for those frames registers itself with
* an ethernet type of ETHERTYPE_UNK.
*/
if (etype > IEEE_802_3_MAX_LEN && etype < ETHERNET_II_MIN_LEN) {
ld->other++;
return;
}
if (etype <= IEEE_802_3_MAX_LEN && etype != ETHERTYPE_UNK) {
length = etype;
/* Is there an 802.2 layer? I can tell by looking at the first 2
bytes after the 802.3 header. If they are 0xffff, then what
follows the 802.3 header is an IPX payload, meaning no 802.2.
(IPX/SPX is they only thing that can be contained inside a
straight 802.3 packet). A non-0xffff value means that there's an
802.2 layer inside the 802.3 layer */
if (pd[offset+14] == 0xff && pd[offset+15] == 0xff) {
ethhdr_type = ETHERNET_802_3;
}
else {
ethhdr_type = ETHERNET_802_2;
}
/* Convert the LLC length from the 802.3 header to a total
frame length, by adding in the size of any data that preceded
the Ethernet header, and adding in the Ethernet header size,
and set the payload and captured-payload lengths to the minima
of the total length and the frame lengths. */
length += offset + ETH_HEADER_SIZE;
if (len > length)
len = length;
} else {
ethhdr_type = ETHERNET_II;
}
offset += ETH_HEADER_SIZE;
switch (ethhdr_type) {
case ETHERNET_802_3:
capture_ipx(ld);
break;
case ETHERNET_802_2:
capture_llc(pd, offset, len, ld);
break;
case ETHERNET_II:
capture_ethertype(etype, pd, offset, len, ld);
break;
}
}
