void
capture_ethertype(guint16 etype, const guchar *pd, int offset, int len,
packet_counts *ld)
{
switch (etype) {
case ETHERTYPE_ARP:
ld->arp++;
break;
case ETHERTYPE_IP:
capture_ip(pd, offset, len, ld);
break;
case ETHERTYPE_IPv6:
capture_ipv6(pd, offset, len, ld);
break;
case ETHERTYPE_IPX:
capture_ipx(ld);
break;
case ETHERTYPE_VLAN:
capture_vlan(pd, offset, len, ld);
break;
case ETHERTYPE_IEEE_802_1AD:
case ETHERTYPE_IEEE_802_1AH:
capture_ieee8021ah(pd, offset, len, ld);
break;
case ETHERTYPE_VINES_IP:
case ETHERTYPE_VINES_ECHO:
capture_vines(ld);
break;
default:
ld->other++;
break;
}
}
void
capture_sll(const guchar *pd, int len, packet_counts *ld)
{
guint16 protocol;
if (!BYTES_ARE_IN_FRAME(0, len, SLL_HEADER_SIZE)) {
ld->other++;
return;
}
protocol = pntohs(&pd[14]);
if (protocol <= 1536) { /* yes, 1536 - that's how Linux does it */
/*
* "proto" is *not* a length field, it's a Linux internal
* protocol type.
*/
switch (protocol) {
case LINUX_SLL_P_802_2:
/*
* 802.2 LLC.
*/
capture_llc(pd, len, SLL_HEADER_SIZE, ld);
break;
case LINUX_SLL_P_ETHERNET:
/*
* Ethernet.
*/
capture_eth(pd, SLL_HEADER_SIZE, len, ld);
break;
case LINUX_SLL_P_802_3:
/*
* Novell IPX inside 802.3 with no 802.2 LLC
* header.
*/
capture_ipx(ld);
break;
case LINUX_SLL_P_PPPHDLC:
/*
* PPP HDLC.
*/
capture_ppp_hdlc(pd, len, SLL_HEADER_SIZE, ld);
break;
default:
ld->other++;
break;
}
} else
capture_ethertype(protocol, pd, SLL_HEADER_SIZE, len, ld);
}
void
capture_eth(const guchar *pd, int offset, int len, packet_counts *ld)
{
guint16 etype, length;
int ethhdr_type; /* the type of ethernet frame */
if (!BYTES_ARE_IN_FRAME(offset, len, ETH_HEADER_SIZE)) {
ld->other++;
return;
}
etype = pntohs(&pd[offset+12]);
if (etype <= IEEE_802_3_MAX_LEN) {
/* Oh, yuck. Cisco ISL frames require special interpretation of the
destination address field; fortunately, they can be recognized by
checking the first 5 octets of the destination address, which are
01-00-0C-00-00 or 0C-00-0C-00-00 for ISL frames. */
if ((pd[offset] == 0x01 || pd[offset] == 0x0C) && pd[offset+1] == 0x00
&& pd[offset+2] == 0x0C && pd[offset+3] == 0x00
&& pd[offset+4] == 0x00) {
capture_isl(pd, offset, len, ld);
return;
}
}
/*
* If the type/length field is <= the maximum 802.3 length,
* and is not zero, this is an 802.3 frame, and it's a length
* field; it might be an Novell "raw 802.3" frame, with no
* 802.2 LLC header, or it might be a frame with an 802.2 LLC
* header.
*
* If the type/length field is >= the minimum Ethernet II length,
* this is an Ethernet II frame, and it's a type field.
*
* If the type/length field is > maximum 802.3 length and < minimum
* Ethernet II length, then this is an invalid packet.
*
* If the type/length field is zero (ETHERTYPE_UNK), this is
* a frame used internally by the Cisco MDS switch to contain
* Fibre Channel ("Vegas"). We treat that as an Ethernet II
* frame; the dissector for those frames registers itself with
* an ethernet type of ETHERTYPE_UNK.
*/
if (etype > IEEE_802_3_MAX_LEN && etype < ETHERNET_II_MIN_LEN) {
ld->other++;
return;
}
if (etype <= IEEE_802_3_MAX_LEN && etype != ETHERTYPE_UNK) {
length = etype;
/* Is there an 802.2 layer? I can tell by looking at the first 2
bytes after the 802.3 header. If they are 0xffff, then what
follows the 802.3 header is an IPX payload, meaning no 802.2.
(IPX/SPX is they only thing that can be contained inside a
straight 802.3 packet). A non-0xffff value means that there's an
802.2 layer inside the 802.3 layer */
if (pd[offset+14] == 0xff && pd[offset+15] == 0xff) {
ethhdr_type = ETHERNET_802_3;
}
else {
ethhdr_type = ETHERNET_802_2;
}
/* Convert the LLC length from the 802.3 header to a total
frame length, by adding in the size of any data that preceded
the Ethernet header, and adding in the Ethernet header size,
and set the payload and captured-payload lengths to the minima
of the total length and the frame lengths. */
length += offset + ETH_HEADER_SIZE;
if (len > length)
len = length;
} else {
ethhdr_type = ETHERNET_II;
}
offset += ETH_HEADER_SIZE;
switch (ethhdr_type) {
case ETHERNET_802_3:
capture_ipx(ld);
break;
case ETHERNET_802_2:
capture_llc(pd, offset, len, ld);
break;
case ETHERNET_II:
capture_ethertype(etype, pd, offset, len, ld);
break;
}
}
void
capture_llc(const guchar *pd, int offset, int len, packet_counts *ld) {
int is_snap;
guint16 control;
int llc_header_len;
if (!BYTES_ARE_IN_FRAME(offset, len, 2)) {
ld->other++;
return;
}
is_snap = (pd[offset] == SAP_SNAP) && (pd[offset+1] == SAP_SNAP);
llc_header_len = 2; /* DSAP + SSAP */
/*
* XXX - the page referred to in the comment above about the
* Command/Response bit also implies that LLC Type 2 always
* uses extended operation, so we don't need to determine
* whether it's basic or extended operation; is that the case?
*/
control = get_xdlc_control(pd, offset+2, pd[offset+1] & SSAP_CR_BIT);
llc_header_len += XDLC_CONTROL_LEN(control, TRUE);
if (!BYTES_ARE_IN_FRAME(offset, len, llc_header_len)) {
ld->other++;
return;
}
if (!XDLC_IS_INFORMATION(control)) {
ld->other++;
return;
}
if (is_snap)
capture_snap(pd, offset+llc_header_len, len, ld);
else {
/* non-SNAP */
switch (pd[offset]) {
case SAP_IP:
capture_ip(pd, offset + llc_header_len, len, ld);
break;
case SAP_NETWARE1:
case SAP_NETWARE2:
capture_ipx(ld);
break;
case SAP_NETBIOS:
capture_netbios(ld);
break;
case SAP_VINES1:
case SAP_VINES2:
capture_vines(ld);
break;
default:
ld->other++;
break;
}
}
}
