1/* 2 * Copyright (c) 1992, 1993, 1994, 1995, 1996, 1997 3 * The Regents of the University of California. All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that: (1) source code distributions 7 * retain the above copyright notice and this paragraph in its entirety, (2) 8 * distributions including binary code include the above copyright notice and 9 * this paragraph in its entirety in the documentation or other materials 10 * provided with the distribution, and (3) all advertising materials mentioning 11 * features or use of this software display the following acknowledgement: 12 * ``This product includes software developed by the University of California, 13 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of 14 * the University nor the names of its contributors may be used to endorse 15 * or promote products derived from this software without specific prior 16 * written permission. 17 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED 18 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF 19 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 20 * 21 * Code by Matt Thomas, Digital Equipment Corporation 22 * with an awful lot of hacking by Jeffrey Mogul, DECWRL 23 */ 24 25#include <sys/cdefs.h> 26#ifndef lint 27#if 0 28static const char rcsid[] _U_ = 29 "@(#) Header: /tcpdump/master/tcpdump/print-llc.c,v 1.75 2007-04-13 09:43:11 hannes Exp"; 30#else 31__RCSID("$NetBSD: print-llc.c,v 1.2 2010/12/05 05:11:30 christos Exp $"); 32#endif 33#endif 34 35#ifdef HAVE_CONFIG_H 36#include "config.h" 37#endif 38 39#include <tcpdump-stdinc.h> 40 41#include <stdio.h> 42#include <string.h> 43 44#include "interface.h" 45#include "addrtoname.h" 46#include "extract.h" /* must come after interface.h */ 47 48#include "llc.h" 49#include "ethertype.h" 50#include "oui.h" 51 52static struct tok llc_values[] = { 53 { LLCSAP_NULL, "Null" }, 54 { LLCSAP_GLOBAL, "Global" }, 55 { LLCSAP_8021B_I, "802.1B I" }, 56 { LLCSAP_8021B_G, "802.1B G" }, 57 { LLCSAP_IP, "IP" }, 58 { LLCSAP_SNA, "SNA" }, 59 { LLCSAP_PROWAYNM, "ProWay NM" }, 60 { LLCSAP_8021D, "STP" }, 61 { LLCSAP_RS511, "RS511" }, 62 { LLCSAP_ISO8208, "ISO8208" }, 63 { LLCSAP_PROWAY, "ProWay" }, 64 { LLCSAP_SNAP, "SNAP" }, 65 { LLCSAP_IPX, "IPX" }, 66 { LLCSAP_NETBEUI, "NetBeui" }, 67 { LLCSAP_ISONS, "OSI" }, 68 { 0, NULL }, 69}; 70 71static struct tok llc_cmd_values[] = { 72 { LLC_UI, "ui" }, 73 { LLC_TEST, "test" }, 74 { LLC_XID, "xid" }, 75 { LLC_UA, "ua" }, 76 { LLC_DISC, "disc" }, 77 { LLC_DM, "dm" }, 78 { LLC_SABME, "sabme" }, 79 { LLC_FRMR, "frmr" }, 80 { 0, NULL } 81}; 82 83static const struct tok llc_flag_values[] = { 84 { 0, "Command" }, 85 { LLC_GSAP, "Response" }, 86 { LLC_U_POLL, "Poll" }, 87 { LLC_GSAP|LLC_U_POLL, "Final" }, 88 { LLC_IS_POLL, "Poll" }, 89 { LLC_GSAP|LLC_IS_POLL, "Final" }, 90 { 0, NULL } 91}; 92 93 94static const struct tok llc_ig_flag_values[] = { 95 { 0, "Individual" }, 96 { LLC_IG, "Group" }, 97 { 0, NULL } 98}; 99 100 101static const struct tok llc_supervisory_values[] = { 102 { 0, "Receiver Ready" }, 103 { 1, "Receiver not Ready" }, 104 { 2, "Reject" }, 105 { 0, NULL } 106}; 107 108 109static const struct tok cisco_values[] = { 110 { PID_CISCO_CDP, "CDP" }, 111 { PID_CISCO_VTP, "VTP" }, 112 { PID_CISCO_DTP, "DTP" }, 113 { PID_CISCO_UDLD, "UDLD" }, 114 { PID_CISCO_PVST, "PVST" }, 115 { 0, NULL } 116}; 117 118static const struct tok bridged_values[] = { 119 { PID_RFC2684_ETH_FCS, "Ethernet + FCS" }, 120 { PID_RFC2684_ETH_NOFCS, "Ethernet w/o FCS" }, 121 { PID_RFC2684_802_4_FCS, "802.4 + FCS" }, 122 { PID_RFC2684_802_4_NOFCS, "802.4 w/o FCS" }, 123 { PID_RFC2684_802_5_FCS, "Token Ring + FCS" }, 124 { PID_RFC2684_802_5_NOFCS, "Token Ring w/o FCS" }, 125 { PID_RFC2684_FDDI_FCS, "FDDI + FCS" }, 126 { PID_RFC2684_FDDI_NOFCS, "FDDI w/o FCS" }, 127 { PID_RFC2684_802_6_FCS, "802.6 + FCS" }, 128 { PID_RFC2684_802_6_NOFCS, "802.6 w/o FCS" }, 129 { PID_RFC2684_BPDU, "BPDU" }, 130 { 0, NULL }, 131}; 132 133static const struct tok null_values[] = { 134 { 0, NULL } 135}; 136 137struct oui_tok { 138 u_int32_t oui; 139 const struct tok *tok; 140}; 141 142static const struct oui_tok oui_to_tok[] = { 143 { OUI_ENCAP_ETHER, ethertype_values }, 144 { OUI_CISCO_90, ethertype_values }, /* uses some Ethertype values */ 145 { OUI_APPLETALK, ethertype_values }, /* uses some Ethertype values */ 146 { OUI_CISCO, cisco_values }, 147 { OUI_RFC2684, bridged_values }, /* bridged, RFC 2427 FR or RFC 2864 ATM */ 148 { 0, NULL } 149}; 150 151/* 152 * Returns non-zero IFF it succeeds in printing the header 153 */ 154int 155llc_print(const u_char *p, u_int length, u_int caplen, 156 const u_char *esrc, const u_char *edst, u_short *extracted_ethertype) 157{ 158 u_int8_t dsap_field, dsap, ssap_field, ssap; 159 u_int16_t control; 160 int is_u; 161 register int ret; 162 163 *extracted_ethertype = 0; 164 165 if (caplen < 3) { 166 (void)printf("[|llc]"); 167 default_print((u_char *)p, caplen); 168 return(0); 169 } 170 171 dsap_field = *p; 172 ssap_field = *(p + 1); 173 174 /* 175 * OK, what type of LLC frame is this? The length 176 * of the control field depends on that - I frames 177 * have a two-byte control field, and U frames have 178 * a one-byte control field. 179 */ 180 control = *(p + 2); 181 if ((control & LLC_U_FMT) == LLC_U_FMT) { 182 /* 183 * U frame. 184 */ 185 is_u = 1; 186 } else { 187 /* 188 * The control field in I and S frames is 189 * 2 bytes... 190 */ 191 if (caplen < 4) { 192 (void)printf("[|llc]"); 193 default_print((u_char *)p, caplen); 194 return(0); 195 } 196 197 /* 198 * ...and is little-endian. 199 */ 200 control = EXTRACT_LE_16BITS(p + 2); 201 is_u = 0; 202 } 203 204 if (ssap_field == LLCSAP_GLOBAL && dsap_field == LLCSAP_GLOBAL) { 205 /* 206 * This is an Ethernet_802.3 IPX frame; it has an 207 * 802.3 header (i.e., an Ethernet header where the 208 * type/length field is <= ETHERMTU, i.e. it's a length 209 * field, not a type field), but has no 802.2 header - 210 * the IPX packet starts right after the Ethernet header, 211 * with a signature of two bytes of 0xFF (which is 212 * LLCSAP_GLOBAL). 213 * 214 * (It might also have been an Ethernet_802.3 IPX at 215 * one time, but got bridged onto another network, 216 * such as an 802.11 network; this has appeared in at 217 * least one capture file.) 218 */ 219 220 if (eflag) 221 printf("IPX 802.3: "); 222 223 ipx_print(p, length); 224 return (1); 225 } 226 227 dsap = dsap_field & ~LLC_IG; 228 ssap = ssap_field & ~LLC_GSAP; 229 230 if (eflag) { 231 printf("LLC, dsap %s (0x%02x) %s, ssap %s (0x%02x) %s", 232 tok2str(llc_values, "Unknown", dsap), 233 dsap, 234 tok2str(llc_ig_flag_values, "Unknown", dsap_field & LLC_IG), 235 tok2str(llc_values, "Unknown", ssap), 236 ssap, 237 tok2str(llc_flag_values, "Unknown", ssap_field & LLC_GSAP)); 238 239 if (is_u) { 240 printf(", ctrl 0x%02x: ", control); 241 } else { 242 printf(", ctrl 0x%04x: ", control); 243 } 244 } 245 246 if (ssap == LLCSAP_8021D && dsap == LLCSAP_8021D && 247 control == LLC_UI) { 248 stp_print(p+3, length-3); 249 return (1); 250 } 251 252 if (ssap == LLCSAP_IP && dsap == LLCSAP_IP && 253 control == LLC_UI) { 254 ip_print(gndo, p+4, length-4); 255 return (1); 256 } 257 258 if (ssap == LLCSAP_IPX && dsap == LLCSAP_IPX && 259 control == LLC_UI) { 260 /* 261 * This is an Ethernet_802.2 IPX frame, with an 802.3 262 * header and an 802.2 LLC header with the source and 263 * destination SAPs being the IPX SAP. 264 * 265 * Skip DSAP, LSAP, and control field. 266 */ 267 if (eflag) 268 printf("IPX 802.2: "); 269 270 ipx_print(p+3, length-3); 271 return (1); 272 } 273 274#ifdef TCPDUMP_DO_SMB 275 if (ssap == LLCSAP_NETBEUI && dsap == LLCSAP_NETBEUI 276 && (!(control & LLC_S_FMT) || control == LLC_U_FMT)) { 277 /* 278 * we don't actually have a full netbeui parser yet, but the 279 * smb parser can handle many smb-in-netbeui packets, which 280 * is very useful, so we call that 281 * 282 * We don't call it for S frames, however, just I frames 283 * (which are frames that don't have the low-order bit, 284 * LLC_S_FMT, set in the first byte of the control field) 285 * and UI frames (whose control field is just 3, LLC_U_FMT). 286 */ 287 288 /* 289 * Skip the LLC header. 290 */ 291 if (is_u) { 292 p += 3; 293 length -= 3; 294 caplen -= 3; 295 } else { 296 p += 4; 297 length -= 4; 298 caplen -= 4; 299 } 300 netbeui_print(control, p, length); 301 return (1); 302 } 303#endif 304 if (ssap == LLCSAP_ISONS && dsap == LLCSAP_ISONS 305 && control == LLC_UI) { 306 isoclns_print(p + 3, length - 3, caplen - 3); 307 return (1); 308 } 309 310 if (ssap == LLCSAP_SNAP && dsap == LLCSAP_SNAP 311 && control == LLC_UI) { 312 /* 313 * XXX - what *is* the right bridge pad value here? 314 * Does anybody ever bridge one form of LAN traffic 315 * over a networking type that uses 802.2 LLC? 316 */ 317 ret = snap_print(p+3, length-3, caplen-3, 2); 318 if (ret) 319 return (ret); 320 } 321 322 if (!eflag) { 323 if (ssap == dsap) { 324 if (esrc == NULL || edst == NULL) 325 (void)printf("%s ", tok2str(llc_values, "Unknown DSAP 0x%02x", dsap)); 326 else 327 (void)printf("%s > %s %s ", 328 etheraddr_string(esrc), 329 etheraddr_string(edst), 330 tok2str(llc_values, "Unknown DSAP 0x%02x", dsap)); 331 } else { 332 if (esrc == NULL || edst == NULL) 333 (void)printf("%s > %s ", 334 tok2str(llc_values, "Unknown SSAP 0x%02x", ssap), 335 tok2str(llc_values, "Unknown DSAP 0x%02x", dsap)); 336 else 337 (void)printf("%s %s > %s %s ", 338 etheraddr_string(esrc), 339 tok2str(llc_values, "Unknown SSAP 0x%02x", ssap), 340 etheraddr_string(edst), 341 tok2str(llc_values, "Unknown DSAP 0x%02x", dsap)); 342 } 343 } 344 345 if (is_u) { 346 printf("Unnumbered, %s, Flags [%s], length %u", 347 tok2str(llc_cmd_values, "%02x", LLC_U_CMD(control)), 348 tok2str(llc_flag_values,"?",(ssap_field & LLC_GSAP) | (control & LLC_U_POLL)), 349 length); 350 351 p += 3; 352 length -= 3; 353 caplen -= 3; 354 355 if ((control & ~LLC_U_POLL) == LLC_XID) { 356 if (*p == LLC_XID_FI) { 357 printf(": %02x %02x", p[1], p[2]); 358 p += 3; 359 length -= 3; 360 caplen -= 3; 361 } 362 } 363 } else { 364 if ((control & LLC_S_FMT) == LLC_S_FMT) { 365 (void)printf("Supervisory, %s, rcv seq %u, Flags [%s], length %u", 366 tok2str(llc_supervisory_values,"?",LLC_S_CMD(control)), 367 LLC_IS_NR(control), 368 tok2str(llc_flag_values,"?",(ssap_field & LLC_GSAP) | (control & LLC_IS_POLL)), 369 length); 370 } else { 371 (void)printf("Information, send seq %u, rcv seq %u, Flags [%s], length %u", 372 LLC_I_NS(control), 373 LLC_IS_NR(control), 374 tok2str(llc_flag_values,"?",(ssap_field & LLC_GSAP) | (control & LLC_IS_POLL)), 375 length); 376 } 377 p += 4; 378 length -= 4; 379 caplen -= 4; 380 } 381 return(1); 382} 383 384int 385snap_print(const u_char *p, u_int length, u_int caplen, u_int bridge_pad) 386{ 387 u_int32_t orgcode; 388 register u_short et; 389 register int ret; 390 391 TCHECK2(*p, 5); 392 orgcode = EXTRACT_24BITS(p); 393 et = EXTRACT_16BITS(p + 3); 394 395 if (eflag) { 396 const struct tok *tok = null_values; 397 const struct oui_tok *otp; 398 399 for (otp = &oui_to_tok[0]; otp->tok != NULL; otp++) { 400 if (otp->oui == orgcode) { 401 tok = otp->tok; 402 break; 403 } 404 } 405 (void)printf("oui %s (0x%06x), %s %s (0x%04x): ", 406 tok2str(oui_values, "Unknown", orgcode), 407 orgcode, 408 (orgcode == 0x000000 ? "ethertype" : "pid"), 409 tok2str(tok, "Unknown", et), 410 et); 411 } 412 p += 5; 413 length -= 5; 414 caplen -= 5; 415 416 switch (orgcode) { 417 case OUI_ENCAP_ETHER: 418 case OUI_CISCO_90: 419 /* 420 * This is an encapsulated Ethernet packet, 421 * or a packet bridged by some piece of 422 * Cisco hardware; the protocol ID is 423 * an Ethernet protocol type. 424 */ 425 ret = ethertype_print(et, p, length, caplen); 426 if (ret) 427 return (ret); 428 break; 429 430 case OUI_APPLETALK: 431 if (et == ETHERTYPE_ATALK) { 432 /* 433 * No, I have no idea why Apple used one 434 * of their own OUIs, rather than 435 * 0x000000, and an Ethernet packet 436 * type, for Appletalk data packets, 437 * but used 0x000000 and an Ethernet 438 * packet type for AARP packets. 439 */ 440 ret = ethertype_print(et, p, length, caplen); 441 if (ret) 442 return (ret); 443 } 444 break; 445 446 case OUI_CISCO: 447 switch (et) { 448 case PID_CISCO_CDP: 449 cdp_print(p, length, caplen); 450 return (1); 451 case PID_CISCO_DTP: 452 dtp_print(p, length); 453 return (1); 454 case PID_CISCO_UDLD: 455 udld_print(p, length); 456 return (1); 457 case PID_CISCO_VTP: 458 vtp_print(p, length); 459 return (1); 460 case PID_CISCO_PVST: 461 stp_print(p, length); 462 return (1); 463 default: 464 break; 465 } 466 467 case OUI_RFC2684: 468 switch (et) { 469 470 case PID_RFC2684_ETH_FCS: 471 case PID_RFC2684_ETH_NOFCS: 472 /* 473 * XXX - remove the last two bytes for 474 * PID_RFC2684_ETH_FCS? 475 */ 476 /* 477 * Skip the padding. 478 */ 479 TCHECK2(*p, bridge_pad); 480 caplen -= bridge_pad; 481 length -= bridge_pad; 482 p += bridge_pad; 483 484 /* 485 * What remains is an Ethernet packet. 486 */ 487 ether_print(p, length, caplen, NULL, NULL); 488 return (1); 489 490 case PID_RFC2684_802_5_FCS: 491 case PID_RFC2684_802_5_NOFCS: 492 /* 493 * XXX - remove the last two bytes for 494 * PID_RFC2684_ETH_FCS? 495 */ 496 /* 497 * Skip the padding, but not the Access 498 * Control field. 499 */ 500 TCHECK2(*p, bridge_pad); 501 caplen -= bridge_pad; 502 length -= bridge_pad; 503 p += bridge_pad; 504 505 /* 506 * What remains is an 802.5 Token Ring 507 * packet. 508 */ 509 token_print(p, length, caplen); 510 return (1); 511 512 case PID_RFC2684_FDDI_FCS: 513 case PID_RFC2684_FDDI_NOFCS: 514 /* 515 * XXX - remove the last two bytes for 516 * PID_RFC2684_ETH_FCS? 517 */ 518 /* 519 * Skip the padding. 520 */ 521 TCHECK2(*p, bridge_pad + 1); 522 caplen -= bridge_pad + 1; 523 length -= bridge_pad + 1; 524 p += bridge_pad + 1; 525 526 /* 527 * What remains is an FDDI packet. 528 */ 529 fddi_print(p, length, caplen); 530 return (1); 531 532 case PID_RFC2684_BPDU: 533 stp_print(p, length); 534 return (1); 535 } 536 } 537 return (0); 538 539trunc: 540 (void)printf("[|snap]"); 541 return (1); 542} 543 544 545/* 546 * Local Variables: 547 * c-style: whitesmith 548 * c-basic-offset: 8 549 * End: 550 */ 551