void capture_ethertype(guint16 etype, const guchar *pd, int offset, int len, packet_counts *ld) { switch (etype) { case ETHERTYPE_ARP: ld->arp++; break; case ETHERTYPE_IP: capture_ip(pd, offset, len, ld); break; case ETHERTYPE_IPv6: capture_ipv6(pd, offset, len, ld); break; case ETHERTYPE_IPX: capture_ipx(ld); break; case ETHERTYPE_VLAN: capture_vlan(pd, offset, len, ld); break; case ETHERTYPE_IEEE_802_1AD: case ETHERTYPE_IEEE_802_1AH: capture_ieee8021ah(pd, offset, len, ld); break; case ETHERTYPE_VINES_IP: case ETHERTYPE_VINES_ECHO: capture_vines(ld); break; default: ld->other++; break; } }
void capture_sll(const guchar *pd, int len, packet_counts *ld) { guint16 protocol; if (!BYTES_ARE_IN_FRAME(0, len, SLL_HEADER_SIZE)) { ld->other++; return; } protocol = pntohs(&pd[14]); if (protocol <= 1536) { /* yes, 1536 - that's how Linux does it */ /* * "proto" is *not* a length field, it's a Linux internal * protocol type. */ switch (protocol) { case LINUX_SLL_P_802_2: /* * 802.2 LLC. */ capture_llc(pd, len, SLL_HEADER_SIZE, ld); break; case LINUX_SLL_P_ETHERNET: /* * Ethernet. */ capture_eth(pd, SLL_HEADER_SIZE, len, ld); break; case LINUX_SLL_P_802_3: /* * Novell IPX inside 802.3 with no 802.2 LLC * header. */ capture_ipx(ld); break; case LINUX_SLL_P_PPPHDLC: /* * PPP HDLC. */ capture_ppp_hdlc(pd, len, SLL_HEADER_SIZE, ld); break; default: ld->other++; break; } } else capture_ethertype(protocol, pd, SLL_HEADER_SIZE, len, ld); }
void capture_eth(const guchar *pd, int offset, int len, packet_counts *ld) { guint16 etype, length; int ethhdr_type; /* the type of ethernet frame */ if (!BYTES_ARE_IN_FRAME(offset, len, ETH_HEADER_SIZE)) { ld->other++; return; } etype = pntohs(&pd[offset+12]); if (etype <= IEEE_802_3_MAX_LEN) { /* Oh, yuck. Cisco ISL frames require special interpretation of the destination address field; fortunately, they can be recognized by checking the first 5 octets of the destination address, which are 01-00-0C-00-00 or 0C-00-0C-00-00 for ISL frames. */ if ((pd[offset] == 0x01 || pd[offset] == 0x0C) && pd[offset+1] == 0x00 && pd[offset+2] == 0x0C && pd[offset+3] == 0x00 && pd[offset+4] == 0x00) { capture_isl(pd, offset, len, ld); return; } } /* * If the type/length field is <= the maximum 802.3 length, * and is not zero, this is an 802.3 frame, and it's a length * field; it might be an Novell "raw 802.3" frame, with no * 802.2 LLC header, or it might be a frame with an 802.2 LLC * header. * * If the type/length field is >= the minimum Ethernet II length, * this is an Ethernet II frame, and it's a type field. * * If the type/length field is > maximum 802.3 length and < minimum * Ethernet II length, then this is an invalid packet. * * If the type/length field is zero (ETHERTYPE_UNK), this is * a frame used internally by the Cisco MDS switch to contain * Fibre Channel ("Vegas"). We treat that as an Ethernet II * frame; the dissector for those frames registers itself with * an ethernet type of ETHERTYPE_UNK. */ if (etype > IEEE_802_3_MAX_LEN && etype < ETHERNET_II_MIN_LEN) { ld->other++; return; } if (etype <= IEEE_802_3_MAX_LEN && etype != ETHERTYPE_UNK) { length = etype; /* Is there an 802.2 layer? I can tell by looking at the first 2 bytes after the 802.3 header. If they are 0xffff, then what follows the 802.3 header is an IPX payload, meaning no 802.2. (IPX/SPX is they only thing that can be contained inside a straight 802.3 packet). A non-0xffff value means that there's an 802.2 layer inside the 802.3 layer */ if (pd[offset+14] == 0xff && pd[offset+15] == 0xff) { ethhdr_type = ETHERNET_802_3; } else { ethhdr_type = ETHERNET_802_2; } /* Convert the LLC length from the 802.3 header to a total frame length, by adding in the size of any data that preceded the Ethernet header, and adding in the Ethernet header size, and set the payload and captured-payload lengths to the minima of the total length and the frame lengths. */ length += offset + ETH_HEADER_SIZE; if (len > length) len = length; } else { ethhdr_type = ETHERNET_II; } offset += ETH_HEADER_SIZE; switch (ethhdr_type) { case ETHERNET_802_3: capture_ipx(ld); break; case ETHERNET_802_2: capture_llc(pd, offset, len, ld); break; case ETHERNET_II: capture_ethertype(etype, pd, offset, len, ld); break; } }
void capture_llc(const guchar *pd, int offset, int len, packet_counts *ld) { int is_snap; guint16 control; int llc_header_len; if (!BYTES_ARE_IN_FRAME(offset, len, 2)) { ld->other++; return; } is_snap = (pd[offset] == SAP_SNAP) && (pd[offset+1] == SAP_SNAP); llc_header_len = 2; /* DSAP + SSAP */ /* * XXX - the page referred to in the comment above about the * Command/Response bit also implies that LLC Type 2 always * uses extended operation, so we don't need to determine * whether it's basic or extended operation; is that the case? */ control = get_xdlc_control(pd, offset+2, pd[offset+1] & SSAP_CR_BIT); llc_header_len += XDLC_CONTROL_LEN(control, TRUE); if (!BYTES_ARE_IN_FRAME(offset, len, llc_header_len)) { ld->other++; return; } if (!XDLC_IS_INFORMATION(control)) { ld->other++; return; } if (is_snap) capture_snap(pd, offset+llc_header_len, len, ld); else { /* non-SNAP */ switch (pd[offset]) { case SAP_IP: capture_ip(pd, offset + llc_header_len, len, ld); break; case SAP_NETWARE1: case SAP_NETWARE2: capture_ipx(ld); break; case SAP_NETBIOS: capture_netbios(ld); break; case SAP_VINES1: case SAP_VINES2: capture_vines(ld); break; default: ld->other++; break; } } }