/*
 * Render the hardware address found at `offset` in `tvb` as text.
 *
 * tvb    - buffer holding the ARP frame
 * offset - start of the hardware address inside tvb
 * ad_len - address length in bytes, as announced by the frame itself
 * type   - ARP hardware type, used with ad_len to recognise Ethernet
 *
 * Returns the literal "<No address>" for a zero-length address, the
 * result of tvb_ether_to_str() for an Ethernet/IEEE 802.x address, and
 * the result of tvb_bytes_to_str() for anything else.
 *
 * NOTE(review): ad_len comes straight from the wire; this function does
 * not validate it itself and relies on the tvb_* helpers for any bounds
 * checking - confirm against their implementation.
 */
const gchar *
tvb_arphrdaddr_to_str(tvbuff_t *tvb, gint offset, int ad_len, guint16 type)
{
  const gchar *text;

  if (ad_len == 0) {
    text = "<No address>";
  } else if (ARP_HW_IS_ETHER(type, ad_len)) {
    /* Ethernet and IEEE 802.x addresses share one textual form. */
    text = tvb_ether_to_str(tvb, offset);
  } else {
    text = tvb_bytes_to_str(tvb, offset, ad_len);
  }

  return text;
}
/*
 * Dissect one ARP-family frame (ARP, RARP or Inverse ARP) held in tvb:
 * set the Protocol and Info columns, hand Ethernet/IPv4 bindings to
 * add_ether_byip(), run the optional duplicate-address and request-storm
 * checks, and build the protocol tree when one is requested.
 *
 * tvb   - buffer holding the frame; the ARP header is read from offset 0
 * pinfo - per-packet state; pinfo->cinfo receives the column text
 * tree  - parent protocol tree, or NULL when no tree is being built
 *
 * Frames whose hardware type is ARPHRD_ATM2225 are passed to atmarp_handle
 * and not processed further here.
 *
 * Every offset and length below is computed from ar_hln and ar_pln, two
 * bytes taken from the frame itself, so they are untrusted input.
 * NOTE(review): this function performs no explicit length validation; it
 * presumably relies on the tvb_* accessors raising an exception on short
 * frames, as the comment about "throw an exception" suggests - confirm.
 */
static void
dissect_arp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
  guint16 ar_hrd;
  guint16 ar_pro;
  guint8 ar_hln;
  guint8 ar_pln;
  guint16 ar_op;
  int tot_len;
  proto_tree *arp_tree = NULL;
  proto_item *ti, *item;
  const gchar *op_str;
  int sha_offset, spa_offset, tha_offset, tpa_offset;
  const guint8 *spa_val, *tpa_val;
  gboolean is_gratuitous;
  gboolean duplicate_detected = FALSE;
  guint32 duplicate_ip = 0;

  /* Call it ARP, for now, so that if we throw an exception before
     we decide whether it's ARP or RARP or IARP or ATMARP, it shows
     up in the packet list as ARP.

     Clear the Info column so that, if we throw an exception, it
     shows up as a short or malformed ARP frame. */
  col_set_str(pinfo->cinfo, COL_PROTOCOL, "ARP");
  col_clear(pinfo->cinfo, COL_INFO);

  /* Hardware Address Type */
  ar_hrd = tvb_get_ntohs(tvb, AR_HRD);
  if (ar_hrd == ARPHRD_ATM2225) {
    call_dissector(atmarp_handle, tvb, pinfo, tree);
    return;
  }
  /* Protocol Address Type */
  ar_pro = tvb_get_ntohs(tvb, AR_PRO);
  /* Hardware Address Size */
  ar_hln = tvb_get_guint8(tvb, AR_HLN);
  /* Protocol Address Size */
  ar_pln = tvb_get_guint8(tvb, AR_PLN);
  /* Operation */
  ar_op = tvb_get_ntohs(tvb, AR_OP);

  /* Both sizes are guint8, so the variable part is at most 4 * 255 = 1020
     bytes and the sum cannot overflow an int. */
  tot_len = MIN_ARP_HEADER_SIZE + ar_hln*2 + ar_pln*2;

  /* Adjust the length of this tvbuff to include only the ARP datagram.
     Our caller may use that to determine how much of its packet
     was padding. */
  tvb_set_reported_length(tvb, tot_len);

  /* NOTE(review): request_seen() is only reached when the Protocol column
     check succeeds, so the request-storm accounting depends on that column
     being active - confirm this coupling is intended. */
  if (check_col(pinfo->cinfo, COL_PROTOCOL)) {
    switch (ar_op) {

    case ARPOP_REQUEST:
      if (global_arp_detect_request_storm)
      {
        request_seen(pinfo);
      }
      /* FALLTHRU */
    case ARPOP_REPLY:
    default:
      col_set_str(pinfo->cinfo, COL_PROTOCOL, "ARP");
      break;

    case ARPOP_RREQUEST:
    case ARPOP_RREPLY:
      col_set_str(pinfo->cinfo, COL_PROTOCOL, "RARP");
      break;

    case ARPOP_IREQUEST:
    case ARPOP_IREPLY:
      col_set_str(pinfo->cinfo, COL_PROTOCOL, "Inverse ARP");
      break;
    }
  }

  /* Get the offsets of the addresses. */
  /* Source Hardware Address */
  sha_offset = MIN_ARP_HEADER_SIZE;
  /* Source Protocol Address */
  spa_offset = sha_offset + ar_hln;
  /* Target Hardware Address */
  tha_offset = spa_offset + ar_pln;
  /* Target Protocol Address */
  tpa_offset = tha_offset + ar_hln;

  /* The fixed 6-byte and IPv4 reads in this branch ignore ar_hln/ar_pln.
     NOTE(review): that is only consistent if ARP_HW_IS_ETHER() implies
     ar_hln == 6 and ARP_PRO_IS_IPv4() implies ar_pln == 4 - the macros are
     not visible here, confirm. */
  if ((ar_op == ARPOP_REPLY || ar_op == ARPOP_REQUEST) &&
      ARP_HW_IS_ETHER(ar_hrd, ar_hln) &&
      ARP_PRO_IS_IPv4(ar_pro, ar_pln)) {

    /* inform resolv.c module of the new discovered addresses */
    /* ARP carries no authentication, so a binding recorded here is simply
       what the sender of the frame claimed. */

    guint32 ip;
    const guint8 *mac;

    /* Add sender address if sender MAC address is neither a broadcast/
       multicast address nor an all-zero address and if sender IP address
       isn't all zeroes. */
    ip = tvb_get_ipv4(tvb, spa_offset);
    mac = tvb_get_ptr(tvb, sha_offset, 6);
    if ((mac[0] & 0x01) == 0 && memcmp(mac, mac_allzero, 6) != 0 && ip != 0)
    {
      add_ether_byip(ip, mac);
      if (global_arp_detect_duplicate_ip_addresses)
      {
        duplicate_detected =
          check_for_duplicate_addresses(pinfo, tree, tvb, mac, ip,
                                        &duplicate_ip);
      }
    }

    /* Add target address if target MAC address is neither a broadcast/
       multicast address nor an all-zero address and if target IP address
       isn't all zeroes. */

    /* Do not add target address if the packet is a Request. According to the RFC,
       target addresses in requests have no meaning */

    ip = tvb_get_ipv4(tvb, tpa_offset);
    mac = tvb_get_ptr(tvb, tha_offset, 6);
    if ((mac[0] & 0x01) == 0 && memcmp(mac, mac_allzero, 6) != 0 && ip != 0
        && ar_op != ARPOP_REQUEST)
    {
      add_ether_byip(ip, mac);
      if (global_arp_detect_duplicate_ip_addresses)
      {
        /* NOTE(review): this assignment replaces the result of the sender
           check above; a duplicate found for the sender is no longer
           reflected in duplicate_detected if this call returns FALSE -
           confirm against check_for_duplicate_addresses(). */
        duplicate_detected =
          check_for_duplicate_addresses(pinfo, tree, tvb, mac, ip,
                                        &duplicate_ip);
      }
    }
  }

  if (!tree && !check_col(pinfo->cinfo, COL_INFO)) {
    /* We're not building a protocol tree and we're not setting the Info
       column, so we don't have any more work to do. */
    return;
  }

  /* From here on the protocol addresses are read with the frame-supplied
     length ar_pln. */
  spa_val = tvb_get_ptr(tvb, spa_offset, ar_pln);
  tpa_val = tvb_get_ptr(tvb, tpa_offset, ar_pln);

  /* ARP requests/replies with the same sender and target protocol
     address are flagged as "gratuitous ARPs", i.e. ARPs sent out as,
     in effect, an announcement that the machine has MAC address
     XX:XX:XX:XX:XX:XX and IPv4 address YY.YY.YY.YY. Requests are to
     provoke complaints if some other machine has the same IPv4 address,
     replies are used to announce relocation of network address, like
     in failover solutions. */
  /* NOTE(review): memcmp() over zero bytes compares equal, so a request or
     reply with ar_pln == 0 is also flagged as gratuitous. */
  if (((ar_op == ARPOP_REQUEST) || (ar_op == ARPOP_REPLY)) && (memcmp(spa_val, tpa_val, ar_pln) == 0))
    is_gratuitous = TRUE;
  else
    is_gratuitous = FALSE;

  if (check_col(pinfo->cinfo, COL_INFO)) {
    switch (ar_op) {
      case ARPOP_REQUEST:
        if (is_gratuitous)
          col_add_fstr(pinfo->cinfo, COL_INFO, "Gratuitous ARP for %s (Request)",
                       arpproaddr_to_str(tpa_val, ar_pln, ar_pro));
        else
          col_add_fstr(pinfo->cinfo, COL_INFO, "Who has %s? Tell %s",
                       arpproaddr_to_str(tpa_val, ar_pln, ar_pro),
                       arpproaddr_to_str(spa_val, ar_pln, ar_pro));
        break;
      case ARPOP_REPLY:
        if (is_gratuitous)
          col_add_fstr(pinfo->cinfo, COL_INFO, "Gratuitous ARP for %s (Reply)",
                       arpproaddr_to_str(spa_val, ar_pln, ar_pro));
        else
          col_add_fstr(pinfo->cinfo, COL_INFO, "%s is at %s",
                       arpproaddr_to_str(spa_val, ar_pln, ar_pro),
                       tvb_arphrdaddr_to_str(tvb, sha_offset, ar_hln, ar_hrd));
        break;
      case ARPOP_RREQUEST:
      case ARPOP_IREQUEST:
        col_add_fstr(pinfo->cinfo, COL_INFO, "Who is %s? Tell %s",
                     tvb_arphrdaddr_to_str(tvb, tha_offset, ar_hln, ar_hrd),
                     tvb_arphrdaddr_to_str(tvb, sha_offset, ar_hln, ar_hrd));
        break;
      case ARPOP_RREPLY:
        col_add_fstr(pinfo->cinfo, COL_INFO, "%s is at %s",
                     tvb_arphrdaddr_to_str(tvb, tha_offset, ar_hln, ar_hrd),
                     arpproaddr_to_str(tpa_val, ar_pln, ar_pro));
        break;
      case ARPOP_IREPLY:
        col_add_fstr(pinfo->cinfo, COL_INFO, "%s is at %s",
                     tvb_arphrdaddr_to_str(tvb, sha_offset, ar_hln, ar_hrd),
                     arpproaddr_to_str(spa_val, ar_pln, ar_pro));
        break;
      default:
        col_add_fstr(pinfo->cinfo, COL_INFO, "Unknown ARP opcode 0x%04x", ar_op);
        break;
    }
  }

  if (tree) {
    /* Label the top-level item with the opcode name when op_vals knows it,
       otherwise with the raw opcode value. */
    if ((op_str = match_strval(ar_op, op_vals)))  {
      if (is_gratuitous && (ar_op == ARPOP_REQUEST))
        op_str = "request/gratuitous ARP";
      if (is_gratuitous && (ar_op == ARPOP_REPLY))
        op_str = "reply/gratuitous ARP";
      ti = proto_tree_add_protocol_format(tree, proto_arp, tvb, 0, tot_len,
                                          "Address Resolution Protocol (%s)", op_str);
    } else
      ti = proto_tree_add_protocol_format(tree, proto_arp, tvb, 0, tot_len,
                                          "Address Resolution Protocol (opcode 0x%04x)", ar_op);
    arp_tree = proto_item_add_subtree(ti, ett_arp);
    proto_tree_add_uint(arp_tree, hf_arp_hard_type, tvb, AR_HRD, 2, ar_hrd);
    proto_tree_add_uint(arp_tree, hf_arp_proto_type, tvb, AR_PRO, 2, ar_pro);
    proto_tree_add_uint(arp_tree, hf_arp_hard_size, tvb, AR_HLN, 1, ar_hln);
    proto_tree_add_uint(arp_tree, hf_arp_proto_size, tvb, AR_PLN, 1, ar_pln);
    proto_tree_add_uint(arp_tree, hf_arp_opcode, tvb, AR_OP, 2, ar_op);

    /* The gratuitous flag is computed here rather than read from the frame,
       so it is added with zero length and marked as generated. */
    item = proto_tree_add_boolean(arp_tree, hf_arp_isgratuitous, tvb, 0, 0, is_gratuitous);
    PROTO_ITEM_SET_GENERATED(item);

    /* Zero-length addresses get no tree item. */
    if (ar_hln != 0) {
      proto_tree_add_item(arp_tree,
                          ARP_HW_IS_ETHER(ar_hrd, ar_hln) ?
                          hf_arp_src_hw_mac :
                          hf_arp_src_hw,
                          tvb, sha_offset, ar_hln, FALSE);
    }
    if (ar_pln != 0) {
      proto_tree_add_item(arp_tree,
                          ARP_PRO_IS_IPv4(ar_pro, ar_pln) ?
                          hf_arp_src_proto_ipv4 :
                          hf_arp_src_proto,
                          tvb, spa_offset, ar_pln, FALSE);
    }
    if (ar_hln != 0) {
      proto_tree_add_item(arp_tree,
                          ARP_HW_IS_ETHER(ar_hrd, ar_hln) ?
                          hf_arp_dst_hw_mac :
                          hf_arp_dst_hw,
                          tvb, tha_offset, ar_hln, FALSE);
    }
    if (ar_pln != 0) {
      proto_tree_add_item(arp_tree,
                          ARP_PRO_IS_IPv4(ar_pro, ar_pln) ?
                          hf_arp_dst_proto_ipv4 :
                          hf_arp_dst_proto,
                          tvb, tpa_offset, ar_pln, FALSE);
    }
  }

  /* arp_tree is still NULL here when no tree was requested. */
  if (global_arp_detect_request_storm)
  {
    check_for_storm_count(tvb, pinfo, arp_tree);
  }

  if (duplicate_detected)
  {
    /* Also indicate in info column */
    if (check_col(pinfo->cinfo, COL_INFO))
    {
      /* duplicate_ip is passed as four raw bytes.
         NOTE(review): assumes it is held in network byte order - confirm
         against check_for_duplicate_addresses(). */
      col_append_fstr(pinfo->cinfo, COL_INFO, " (duplicate use of %s detected!)",
                      arpproaddr_to_str((guint8*)&duplicate_ip, 4, ETHERTYPE_IP));
    }
  }
}
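/*
 * Format one IPv4/hardware address pair taken from an Ethernet ARP payload
 * and pass it to ArpPei().
 *
 * ip4 - points at the 4 address bytes in network order
 * hw  - points at the 6 hardware address bytes
 * pkt - packet the pair was extracted from, forwarded unchanged to ArpPei()
 *
 * Nothing is reported when an address cannot be rendered or does not fit
 * the ARP_IP_STR_SIZE buffers.
 */
static void ArpReportBinding(const void *ip4, const void *hw, packet *pkt)
{
    const unsigned char *ip_bytes = ip4;
    const unsigned char *mac = hw;
    unsigned char *dst;
    struct in_addr ip_addr;
    char ip_str[INET6_ADDRSTRLEN];
    char ips[ARP_IP_STR_SIZE];
    char macs[ARP_IP_STR_SIZE];
    unsigned int i;
    int n;

    /* Copy byte by byte: the address sits at an arbitrary offset inside
       captured data, so it must not be read through an unsigned int
       pointer (alignment and aliasing). */
    dst = (unsigned char *)&ip_addr.s_addr;
    for (i = 0; i < sizeof(ip_addr.s_addr); i++) {
        dst[i] = ip_bytes[i];
    }

    /* inet_ntop() returns NULL on failure; never hand that to "%s". */
    if (inet_ntop(AF_INET, &ip_addr, ip_str, sizeof(ip_str)) == NULL) {
        LogPrintf(LV_ERROR, "ARP address conversion error");
        return;
    }

    /* Bounded formatting: the destination size is a project constant, so
       check for truncation instead of trusting it to be large enough. */
    n = snprintf(ips, sizeof(ips), "%s", ip_str);
    if (n < 0 || n >= (int)sizeof(ips)) {
        LogPrintf(LV_ERROR, "ARP address string truncated");
        return;
    }
    n = snprintf(macs, sizeof(macs), "%.2x:%.2x:%.2x:%.2x:%.2x:%.2x",
                 mac[0], mac[1], mac[2], mac[3], mac[4], mac[5]);
    if (n < 0 || n >= (int)sizeof(macs)) {
        LogPrintf(LV_ERROR, "ARP address string truncated");
        return;
    }

    ArpPei(ips, macs, pkt);
}

/*
 * Dissect an ARP packet and report the IPv4/MAC bindings it announces.
 *
 * Only Ethernet hardware addresses combined with IPv4 protocol addresses
 * are handled. Requests (ARP and RARP) report the sender pair; replies
 * (ARP and RARP) report the sender pair and then the target pair. Other
 * opcodes are ignored.
 *
 * pkt - captured packet; pkt->data points at the ARP header and pkt->len
 *       is the number of bytes available there
 *
 * Always returns NULL, as before.
 *
 * The packet content is untrusted: both the fixed header and the
 * Ethernet/IPv4 address block are length-checked before they are read, so
 * a truncated frame cannot make the parser read past the captured data.
 */
static packet* ArpDissector(packet *pkt)
{
    struct arp_header *arp;
    struct arp_eth_header *earp;

    /* size check: fixed ARP header */
    if (pkt->len < sizeof(struct arp_header)) {
        LogPrintf(LV_ERROR, "ARP size error");
        return NULL;
    }

    arp = (struct arp_header *)pkt->data;
    if (!(ARP_HW_IS_ETHER(ntohs(arp->ar_hrd), arp->ar_hln) &&
          ARP_PRO_IS_IPv4(ntohs(arp->ar_pro), arp->ar_pln))) {
        return NULL;
    }

    /* size check: the address block that follows the header must be
       entirely inside the packet before any of its fields is touched */
    if (pkt->len < sizeof(struct arp_header) + sizeof(struct arp_eth_header)) {
        LogPrintf(LV_ERROR, "ARP size error");
        return NULL;
    }
    earp = (struct arp_eth_header *)(arp + 1);

    switch (ntohs(arp->ar_op)) {
    case ARPOP_REQUEST:
    case ARPOP_RREQUEST:
        ArpReportBinding(earp->arp_spa, earp->arp_sha, pkt);
        break;

    case ARPOP_REPLY:
    case ARPOP_RREPLY:
        ArpReportBinding(earp->arp_spa, earp->arp_sha, pkt);
        ArpReportBinding(earp->arp_tpa, earp->arp_tha, pkt);
        break;

    default:
        break;
    }

    return NULL;
}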