1 /* 2 * Copyright (c) 1992, 1993, 1994, 1995, 1996, 1997 3 * The Regents of the University of California. All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that: (1) source code distributions 7 * retain the above copyright notice and this paragraph in its entirety, (2) 8 * distributions including binary code include the above copyright notice and 9 * this paragraph in its entirety in the documentation or other materials 10 * provided with the distribution, and (3) all advertising materials mentioning 11 * features or use of this software display the following acknowledgement: 12 * ``This product includes software developed by the University of California, 13 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of 14 * the University nor the names of its contributors may be used to endorse 15 * or promote products derived from this software without specific prior 16 * written permission. 17 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED 18 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF 19 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 20 * 21 * Code by Matt Thomas, Digital Equipment Corporation 22 * with an awful lot of hacking by Jeffrey Mogul, DECWRL 23 */ 24 25 #ifndef lint 26 static const char rcsid[] _U_ = 27 "@(#) $Header: /tcpdump/master/tcpdump/print-llc.c,v 1.61.2.10 2007/02/08 07:07:51 guy Exp $"; 28 #endif 29 30 #ifdef HAVE_CONFIG_H 31 #include "config.h" 32 #endif 33 34 #include <tcpdump-stdinc.h> 35 36 #include <stdio.h> 37 #include <string.h> 38 39 #include "interface.h" 40 #include "addrtoname.h" 41 #include "extract.h" /* must come after interface.h */ 42 43 #include "llc.h" 44 #include "ethertype.h" 45 #include "oui.h" 46 47 static struct tok llc_values[] = { 48 { LLCSAP_NULL, "Null" }, 49 { LLCSAP_GLOBAL, "Global" }, 50 { LLCSAP_8021B_I, "802.1B I" }, 51 { LLCSAP_8021B_G, "802.1B G" }, 52 { LLCSAP_IP, "IP" }, 53 { LLCSAP_SNA, "SNA" }, 54 { LLCSAP_PROWAYNM, "ProWay NM" }, 55 { LLCSAP_8021D, "STP" }, 56 { LLCSAP_RS511, "RS511" }, 57 { LLCSAP_ISO8208, "ISO8208" }, 58 { LLCSAP_PROWAY, "ProWay" }, 59 { LLCSAP_SNAP, "SNAP" }, 60 { LLCSAP_IPX, "IPX" }, 61 { LLCSAP_NETBEUI, "NetBeui" }, 62 { LLCSAP_ISONS, "OSI" }, 63 { 0, NULL }, 64 }; 65 66 static struct tok llc_cmd_values[] = { 67 { LLC_UI, "ui" }, 68 { LLC_TEST, "test" }, 69 { LLC_XID, "xid" }, 70 { LLC_UA, "ua" }, 71 { LLC_DISC, "disc" }, 72 { LLC_DM, "dm" }, 73 { LLC_SABME, "sabme" }, 74 { LLC_FRMR, "frmr" }, 75 { 0, NULL } 76 }; 77 78 static const struct tok llc_flag_values[] = { 79 { 0, "Command" }, 80 { LLC_GSAP, "Response" }, 81 { LLC_U_POLL, "Poll" }, 82 { LLC_GSAP|LLC_U_POLL, "Final" }, 83 { LLC_IS_POLL, "Poll" }, 84 { LLC_GSAP|LLC_IS_POLL, "Final" }, 85 { 0, NULL } 86 }; 87 88 89 static const struct tok llc_ig_flag_values[] = { 90 { 0, "Individual" }, 91 { LLC_IG, "Group" }, 92 { 0, NULL } 93 }; 94 95 96 static const struct tok llc_supervisory_values[] = { 97 { 0, "Receiver Ready" }, 98 { 1, "Receiver not Ready" }, 99 { 2, "Reject" }, 100 { 0, NULL } 101 }; 102 103 104 static const struct tok cisco_values[] = { 105 { PID_CISCO_CDP, "CDP" }, 106 { PID_CISCO_VTP, "VTP" }, 107 { PID_CISCO_DTP, "DTP" }, 108 { 0, NULL } 109 }; 110 111 static const struct tok bridged_values[] = { 112 { PID_RFC2684_ETH_FCS, "Ethernet + FCS" }, 113 { PID_RFC2684_ETH_NOFCS, "Ethernet w/o FCS" }, 114 { PID_RFC2684_802_4_FCS, "802.4 + FCS" }, 115 { PID_RFC2684_802_4_NOFCS, "802.4 w/o FCS" }, 116 { PID_RFC2684_802_5_FCS, "Token Ring + FCS" }, 117 { PID_RFC2684_802_5_NOFCS, "Token Ring w/o FCS" }, 118 { PID_RFC2684_FDDI_FCS, "FDDI + FCS" }, 119 { PID_RFC2684_FDDI_NOFCS, "FDDI w/o FCS" }, 120 { PID_RFC2684_802_6_FCS, "802.6 + FCS" }, 121 { PID_RFC2684_802_6_NOFCS, "802.6 w/o FCS" }, 122 { PID_RFC2684_BPDU, "BPDU" }, 123 { 0, NULL }, 124 }; 125 126 static const struct tok null_values[] = { 127 { 0, NULL } 128 }; 129 130 struct oui_tok { 131 u_int32_t oui; 132 const struct tok *tok; 133 }; 134 135 static const struct oui_tok oui_to_tok[] = { 136 { OUI_ENCAP_ETHER, ethertype_values }, 137 { OUI_CISCO_90, ethertype_values }, /* uses some Ethertype values */ 138 { OUI_APPLETALK, ethertype_values }, /* uses some Ethertype values */ 139 { OUI_CISCO, cisco_values }, 140 { OUI_RFC2684, bridged_values }, /* bridged, RFC 2427 FR or RFC 2864 ATM */ 141 { 0, NULL } 142 }; 143 144 /* 145 * Returns non-zero IFF it succeeds in printing the header 146 */ 147 int 148 llc_print(const u_char *p, u_int length, u_int caplen, 149 const u_char *esrc, const u_char *edst, u_short *extracted_ethertype) 150 { 151 u_int8_t dsap_field, dsap, ssap_field, ssap; 152 u_int16_t control; 153 int is_u; 154 register int ret; 155 156 *extracted_ethertype = 0; 157 158 if (caplen < 3) { 159 (void)printf("[|llc]"); 160 default_print((u_char *)p, caplen); 161 return(0); 162 } 163 164 dsap_field = *p; 165 ssap_field = *(p + 1); 166 167 /* 168 * OK, what type of LLC frame is this? The length 169 * of the control field depends on that - I frames 170 * have a two-byte control field, and U frames have 171 * a one-byte control field. 172 */ 173 control = *(p + 2); 174 if ((control & LLC_U_FMT) == LLC_U_FMT) { 175 /* 176 * U frame. 177 */ 178 is_u = 1; 179 } else { 180 /* 181 * The control field in I and S frames is 182 * 2 bytes... 183 */ 184 if (caplen < 4) { 185 (void)printf("[|llc]"); 186 default_print((u_char *)p, caplen); 187 return(0); 188 } 189 190 /* 191 * ...and is little-endian. 192 */ 193 control = EXTRACT_LE_16BITS(p + 2); 194 is_u = 0; 195 } 196 197 if (ssap_field == LLCSAP_GLOBAL && dsap_field == LLCSAP_GLOBAL) { 198 /* 199 * This is an Ethernet_802.3 IPX frame; it has an 200 * 802.3 header (i.e., an Ethernet header where the 201 * type/length field is <= ETHERMTU, i.e. it's a length 202 * field, not a type field), but has no 802.2 header - 203 * the IPX packet starts right after the Ethernet header, 204 * with a signature of two bytes of 0xFF (which is 205 * LLCSAP_GLOBAL). 206 * 207 * (It might also have been an Ethernet_802.3 IPX at 208 * one time, but got bridged onto another network, 209 * such as an 802.11 network; this has appeared in at 210 * least one capture file.) 211 */ 212 213 if (eflag) 214 printf("IPX 802.3: "); 215 216 ipx_print(p, length); 217 return (1); 218 } 219 220 dsap = dsap_field & ~LLC_IG; 221 ssap = ssap_field & ~LLC_GSAP; 222 223 if (eflag) { 224 printf("LLC, dsap %s (0x%02x) %s, ssap %s (0x%02x) %s", 225 tok2str(llc_values, "Unknown", dsap), 226 dsap, 227 tok2str(llc_ig_flag_values, "Unknown", dsap_field & LLC_IG), 228 tok2str(llc_values, "Unknown", ssap), 229 ssap, 230 tok2str(llc_flag_values, "Unknown", ssap_field & LLC_GSAP)); 231 232 if (is_u) { 233 printf(", ctrl 0x%02x: ", control); 234 } else { 235 printf(", ctrl 0x%04x: ", control); 236 } 237 } 238 239 if (ssap == LLCSAP_8021D && dsap == LLCSAP_8021D && 240 control == LLC_UI) { 241 stp_print(p+3, length-3); 242 return (1); 243 } 244 245 if (ssap == LLCSAP_IP && dsap == LLCSAP_IP && 246 control == LLC_UI) { 247 ip_print(gndo, p+4, length-4); 248 return (1); 249 } 250 251 if (ssap == LLCSAP_IPX && dsap == LLCSAP_IPX && 252 control == LLC_UI) { 253 /* 254 * This is an Ethernet_802.2 IPX frame, with an 802.3 255 * header and an 802.2 LLC header with the source and 256 * destination SAPs being the IPX SAP. 257 * 258 * Skip DSAP, LSAP, and control field. 259 */ 260 if (eflag) 261 printf("IPX 802.2: "); 262 263 ipx_print(p+3, length-3); 264 return (1); 265 } 266 267 #ifdef TCPDUMP_DO_SMB 268 if (ssap == LLCSAP_NETBEUI && dsap == LLCSAP_NETBEUI 269 && (!(control & LLC_S_FMT) || control == LLC_U_FMT)) { 270 /* 271 * we don't actually have a full netbeui parser yet, but the 272 * smb parser can handle many smb-in-netbeui packets, which 273 * is very useful, so we call that 274 * 275 * We don't call it for S frames, however, just I frames 276 * (which are frames that don't have the low-order bit, 277 * LLC_S_FMT, set in the first byte of the control field) 278 * and UI frames (whose control field is just 3, LLC_U_FMT). 279 */ 280 281 /* 282 * Skip the LLC header. 283 */ 284 if (is_u) { 285 p += 3; 286 length -= 3; 287 caplen -= 3; 288 } else { 289 p += 4; 290 length -= 4; 291 caplen -= 4; 292 } 293 netbeui_print(control, p, length); 294 return (1); 295 } 296 #endif 297 if (ssap == LLCSAP_ISONS && dsap == LLCSAP_ISONS 298 && control == LLC_UI) { 299 isoclns_print(p + 3, length - 3, caplen - 3); 300 return (1); 301 } 302 303 if (ssap == LLCSAP_SNAP && dsap == LLCSAP_SNAP 304 && control == LLC_UI) { 305 /* 306 * XXX - what *is* the right bridge pad value here? 307 * Does anybody ever bridge one form of LAN traffic 308 * over a networking type that uses 802.2 LLC? 309 */ 310 ret = snap_print(p+3, length-3, caplen-3, extracted_ethertype, 311 2); 312 if (ret) 313 return (ret); 314 } 315 316 if (!eflag) { 317 if (ssap == dsap) { 318 if (esrc == NULL || edst == NULL) 319 (void)printf("%s ", tok2str(llc_values, "Unknown DSAP 0x%02x", dsap)); 320 else 321 (void)printf("%s > %s %s ", 322 etheraddr_string(esrc), 323 etheraddr_string(edst), 324 tok2str(llc_values, "Unknown DSAP 0x%02x", dsap)); 325 } else { 326 if (esrc == NULL || edst == NULL) 327 (void)printf("%s > %s ", 328 tok2str(llc_values, "Unknown SSAP 0x%02x", ssap), 329 tok2str(llc_values, "Unknown DSAP 0x%02x", dsap)); 330 else 331 (void)printf("%s %s > %s %s ", 332 etheraddr_string(esrc), 333 tok2str(llc_values, "Unknown SSAP 0x%02x", ssap), 334 etheraddr_string(edst), 335 tok2str(llc_values, "Unknown DSAP 0x%02x", dsap)); 336 } 337 } 338 339 if (is_u) { 340 printf("Unnumbered, %s, Flags [%s], length %u", 341 tok2str(llc_cmd_values, "%02x", LLC_U_CMD(control)), 342 tok2str(llc_flag_values,"?",(ssap_field & LLC_GSAP) | (control & LLC_U_POLL)), 343 length); 344 345 p += 3; 346 length -= 3; 347 caplen -= 3; 348 349 if ((control & ~LLC_U_POLL) == LLC_XID) { 350 if (*p == LLC_XID_FI) { 351 printf(": %02x %02x", p[1], p[2]); 352 p += 3; 353 length -= 3; 354 caplen -= 3; 355 } 356 } 357 } else { 358 if ((control & LLC_S_FMT) == LLC_S_FMT) { 359 (void)printf("Supervisory, %s, rcv seq %u, Flags [%s], length %u", 360 tok2str(llc_supervisory_values,"?",LLC_S_CMD(control)), 361 LLC_IS_NR(control), 362 tok2str(llc_flag_values,"?",(ssap_field & LLC_GSAP) | (control & LLC_IS_POLL)), 363 length); 364 } else { 365 (void)printf("Information, send seq %u, rcv seq %u, Flags [%s], length %u", 366 LLC_I_NS(control), 367 LLC_IS_NR(control), 368 tok2str(llc_flag_values,"?",(ssap_field & LLC_GSAP) | (control & LLC_IS_POLL)), 369 length); 370 } 371 p += 4; 372 length -= 4; 373 caplen -= 4; 374 } 375 return(1); 376 } 377 378 int 379 snap_print(const u_char *p, u_int length, u_int caplen, 380 u_short *extracted_ethertype, u_int bridge_pad) 381 { 382 u_int32_t orgcode; 383 register u_short et; 384 register int ret; 385 386 TCHECK2(*p, 5); 387 orgcode = EXTRACT_24BITS(p); 388 et = EXTRACT_16BITS(p + 3); 389 390 if (eflag) { 391 const struct tok *tok = null_values; 392 const struct oui_tok *otp; 393 394 for (otp = &oui_to_tok[0]; otp->tok != NULL; otp++) { 395 if (otp->oui == orgcode) { 396 tok = otp->tok; 397 break; 398 } 399 } 400 (void)printf("oui %s (0x%06x), %s %s (0x%04x): ", 401 tok2str(oui_values, "Unknown", orgcode), 402 orgcode, 403 (orgcode == 0x000000 ? "ethertype" : "pid"), 404 tok2str(tok, "Unknown", et), 405 et); 406 } 407 p += 5; 408 length -= 5; 409 caplen -= 5; 410 411 switch (orgcode) { 412 case OUI_ENCAP_ETHER: 413 case OUI_CISCO_90: 414 /* 415 * This is an encapsulated Ethernet packet, 416 * or a packet bridged by some piece of 417 * Cisco hardware; the protocol ID is 418 * an Ethernet protocol type. 419 */ 420 ret = ether_encap_print(et, p, length, caplen, 421 extracted_ethertype); 422 if (ret) 423 return (ret); 424 break; 425 426 case OUI_APPLETALK: 427 if (et == ETHERTYPE_ATALK) { 428 /* 429 * No, I have no idea why Apple used one 430 * of their own OUIs, rather than 431 * 0x000000, and an Ethernet packet 432 * type, for Appletalk data packets, 433 * but used 0x000000 and an Ethernet 434 * packet type for AARP packets. 435 */ 436 ret = ether_encap_print(et, p, length, caplen, 437 extracted_ethertype); 438 if (ret) 439 return (ret); 440 } 441 break; 442 443 case OUI_CISCO: 444 if (et == PID_CISCO_CDP) { 445 cdp_print(p, length, caplen); 446 return (1); 447 } 448 break; 449 450 case OUI_RFC2684: 451 switch (et) { 452 453 case PID_RFC2684_ETH_FCS: 454 case PID_RFC2684_ETH_NOFCS: 455 /* 456 * XXX - remove the last two bytes for 457 * PID_RFC2684_ETH_FCS? 458 */ 459 /* 460 * Skip the padding. 461 */ 462 TCHECK2(*p, bridge_pad); 463 caplen -= bridge_pad; 464 length -= bridge_pad; 465 p += bridge_pad; 466 467 /* 468 * What remains is an Ethernet packet. 469 */ 470 ether_print(p, length, caplen); 471 return (1); 472 473 case PID_RFC2684_802_5_FCS: 474 case PID_RFC2684_802_5_NOFCS: 475 /* 476 * XXX - remove the last two bytes for 477 * PID_RFC2684_ETH_FCS? 478 */ 479 /* 480 * Skip the padding, but not the Access 481 * Control field. 482 */ 483 TCHECK2(*p, bridge_pad); 484 caplen -= bridge_pad; 485 length -= bridge_pad; 486 p += bridge_pad; 487 488 /* 489 * What remains is an 802.5 Token Ring 490 * packet. 491 */ 492 token_print(p, length, caplen); 493 return (1); 494 495 case PID_RFC2684_FDDI_FCS: 496 case PID_RFC2684_FDDI_NOFCS: 497 /* 498 * XXX - remove the last two bytes for 499 * PID_RFC2684_ETH_FCS? 500 */ 501 /* 502 * Skip the padding. 503 */ 504 TCHECK2(*p, bridge_pad + 1); 505 caplen -= bridge_pad + 1; 506 length -= bridge_pad + 1; 507 p += bridge_pad + 1; 508 509 /* 510 * What remains is an FDDI packet. 511 */ 512 fddi_print(p, length, caplen); 513 return (1); 514 515 case PID_RFC2684_BPDU: 516 stp_print(p, length); 517 return (1); 518 } 519 } 520 return (0); 521 522 trunc: 523 (void)printf("[|snap]"); 524 return (1); 525 } 526 527 528 /* 529 * Local Variables: 530 * c-style: whitesmith 531 * c-basic-offset: 8 532 * End: 533 */ 534
