2 * Copyright (c) 1992, 1993, 1994, 1995, 1996, 1997
3 * The Regents of the University of California. All rights reserved.
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that: (1) source code distributions
7 * retain the above copyright notice and this paragraph in its entirety, (2)
8 * distributions including binary code include the above copyright notice and
9 * this paragraph in its entirety in the documentation or other materials
10 * provided with the distribution, and (3) all advertising materials mentioning
11 * features or use of this software display the following acknowledgement:
12 * ``This product includes software developed by the University of California,
13 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
14 * the University nor the names of its contributors may be used to endorse
15 * or promote products derived from this software without specific prior
17 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
18 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
19 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
21 * Code by Matt Thomas, Digital Equipment Corporation
22 * with an awful lot of hacking by Jeffrey Mogul, DECWRL
26 static const char rcsid[] _U_ =
27 "@(#) $Header: /tcpdump/master/tcpdump/print-llc.c,v 1.53.2.3 2003/12/29 22:33:18 hannes Exp $";
34 #include <tcpdump-stdinc.h>
39 #include "interface.h"
40 #include "addrtoname.h"
41 #include "extract.h" /* must come after interface.h */
44 #include "ethertype.h"
46 static struct tok llc_values[] = {
47 { LLCSAP_NULL, "Null" },
48 { LLCSAP_GLOBAL, "Global" },
49 { LLCSAP_8021B_I, "802.1B I" },
50 { LLCSAP_8021B_G, "802.1B G" },
52 { LLCSAP_PROWAYNM, "ProWay NM" },
53 { LLCSAP_8021D, "STP" },
54 { LLCSAP_RS511, "RS511" },
55 { LLCSAP_ISO8208, "ISO8208" },
56 { LLCSAP_PROWAY, "ProWay" },
57 { LLCSAP_SNAP, "SNAP" },
58 { LLCSAP_IPX, "IPX" },
59 { LLCSAP_NETBEUI, "NetBeui" },
60 { LLCSAP_ISONS, "OSI" },
63 static struct tok cmd2str[] = {
70 { LLC_SABME, "sabme" },
76 * Returns non-zero IFF it succeeds in printing the header
79 llc_print(const u_char *p, u_int length, u_int caplen,
80 const u_char *esrc, const u_char *edst, u_short *extracted_ethertype)
88 (void)printf("[|llc]");
89 default_print((u_char *)p, caplen);
93 /* Watch out for possible alignment problems */
94 memcpy((char *)&llc, (char *)p, min(caplen, sizeof(llc)));
97 printf("LLC, dsap %s (0x%02x), ssap %s (0x%02x), cmd 0x%02x, ",
98 tok2str(llc_values,"Unknown",llc.dsap),
100 tok2str(llc_values,"Unknown",llc.ssap),
104 if (llc.ssap == LLCSAP_GLOBAL && llc.dsap == LLCSAP_GLOBAL) {
106 * This is an Ethernet_802.3 IPX frame; it has an
107 * 802.3 header (i.e., an Ethernet header where the
108 * type/length field is <= ETHERMTU, i.e. it's a length
109 * field, not a type field), but has no 802.2 header -
110 * the IPX packet starts right after the Ethernet header,
111 * with a signature of two bytes of 0xFF (which is
114 * (It might also have been an Ethernet_802.3 IPX at
115 * one time, but got bridged onto another network,
116 * such as an 802.11 network; this has appeared in at
117 * least one capture file.)
119 printf("(NOV-802.3) ");
120 ipx_print(p, length);
124 if (llc.ssap == LLCSAP_8021D && llc.dsap == LLCSAP_8021D) {
125 stp_print(p, length);
129 if (llc.ssap == LLCSAP_IP && llc.dsap == LLCSAP_IP) {
130 ip_print(p+4, length-4);
134 if (llc.ssap == LLCSAP_IPX && llc.dsap == LLCSAP_IPX &&
135 llc.llcui == LLC_UI) {
137 * This is an Ethernet_802.2 IPX frame, with an 802.3
138 * header and an 802.2 LLC header with the source and
139 * destination SAPs being the IPX SAP.
141 * Skip DSAP, LSAP, and control field.
143 printf("(NOV-802.2) ");
147 ipx_print(p, length);
151 #ifdef TCPDUMP_DO_SMB
152 if (llc.ssap == LLCSAP_NETBEUI && llc.dsap == LLCSAP_NETBEUI
153 && (!(llc.llcu & LLC_S_FMT) || llc.llcu == LLC_U_FMT)) {
155 * we don't actually have a full netbeui parser yet, but the
156 * smb parser can handle many smb-in-netbeui packets, which
157 * is very useful, so we call that
159 * We don't call it for S frames, however, just I frames
160 * (which are frames that don't have the low-order bit,
161 * LLC_S_FMT, set in the first byte of the control field)
162 * and UI frames (whose control field is just 3, LLC_U_FMT).
166 * Skip the DSAP and LSAP.
173 * OK, what type of LLC frame is this? The length
174 * of the control field depends on that - I frames
175 * have a two-byte control field, and U frames have
176 * a one-byte control field.
178 if (llc.llcu == LLC_U_FMT) {
185 * The control field in I and S frames is
188 control = EXTRACT_LE_16BITS(&llc.llcu);
193 netbeui_print(control, p, length);
197 if (llc.ssap == LLCSAP_ISONS && llc.dsap == LLCSAP_ISONS
198 && llc.llcui == LLC_UI) {
199 isoclns_print(p + 3, length - 3, caplen - 3);
203 if (llc.ssap == LLCSAP_SNAP && llc.dsap == LLCSAP_SNAP
204 && llc.llcui == LLC_UI) {
207 if (caplen < sizeof(llc)) {
208 (void)printf("[|llc-snap]");
209 default_print((u_char *)p, caplen);
213 caplen -= sizeof(llc);
214 length -= sizeof(llc);
217 orgcode = EXTRACT_24BITS(&llc.llc_orgcode[0]);
218 et = EXTRACT_16BITS(&llc.llc_ethertype[0]);
220 * XXX - what *is* the right bridge pad value here?
221 * Does anybody ever bridge one form of LAN traffic
222 * over a networking type that uses 802.2 LLC?
224 ret = snap_print(p, length, caplen, extracted_ethertype,
230 if ((llc.ssap & ~LLC_GSAP) == llc.dsap) {
231 if (eflag || esrc == NULL || edst == NULL)
232 (void)printf("%s ", llcsap_string(llc.dsap));
234 (void)printf("%s > %s %s ",
235 etheraddr_string(esrc),
236 etheraddr_string(edst),
237 llcsap_string(llc.dsap));
239 if (eflag || esrc == NULL || edst == NULL)
240 (void)printf("%s > %s ",
241 llcsap_string(llc.ssap & ~LLC_GSAP),
242 llcsap_string(llc.dsap));
244 (void)printf("%s %s > %s %s ",
245 etheraddr_string(esrc),
246 llcsap_string(llc.ssap & ~LLC_GSAP),
247 etheraddr_string(edst),
248 llcsap_string(llc.dsap));
251 if ((llc.llcu & LLC_U_FMT) == LLC_U_FMT) {
256 cmd = LLC_U_CMD(llc.llcu);
257 m = tok2str(cmd2str, "%02x", cmd);
258 switch ((llc.ssap & LLC_GSAP) | (llc.llcu & LLC_U_POLL)) {
259 case 0: f = 'C'; break;
260 case LLC_GSAP: f = 'R'; break;
261 case LLC_U_POLL: f = 'P'; break;
262 case LLC_GSAP|LLC_U_POLL: f = 'F'; break;
263 default: f = '?'; break;
266 printf("%s/%c", m, f);
272 if ((llc.llcu & ~LLC_U_POLL) == LLC_XID) {
273 if (*p == LLC_XID_FI) {
274 printf(": %02x %02x", p[1], p[2]);
284 * The control field in I and S frames is little-endian.
286 control = EXTRACT_LE_16BITS(&llc.llcu);
287 switch ((llc.ssap & LLC_GSAP) | (control & LLC_IS_POLL)) {
288 case 0: f = 'C'; break;
289 case LLC_GSAP: f = 'R'; break;
290 case LLC_IS_POLL: f = 'P'; break;
291 case LLC_GSAP|LLC_IS_POLL: f = 'F'; break;
292 default: f = '?'; break;
295 if ((control & LLC_S_FMT) == LLC_S_FMT) {
296 static const char *llc_s[] = { "rr", "rej", "rnr", "03" };
297 (void)printf("%s (r=%d,%c)",
298 llc_s[LLC_S_CMD(control)],
302 (void)printf("I (s=%d,r=%d,%c)",
311 (void)printf(" len=%d", length);
316 snap_print(const u_char *p, u_int length, u_int caplen,
317 u_short *extracted_ethertype, u_int32_t orgcode, u_short et,
323 case OUI_ENCAP_ETHER:
326 * This is an encapsulated Ethernet packet,
327 * or a packet bridged by some piece of
328 * Cisco hardware; the protocol ID is
329 * an Ethernet protocol type.
331 ret = ether_encap_print(et, p, length, caplen,
332 extracted_ethertype);
338 if (et == ETHERTYPE_ATALK) {
340 * No, I have no idea why Apple used one
341 * of their own OUIs, rather than
342 * 0x000000, and an Ethernet packet
343 * type, for Appletalk data packets,
344 * but used 0x000000 and an Ethernet
345 * packet type for AARP packets.
347 ret = ether_encap_print(et, p, length, caplen,
348 extracted_ethertype);
355 if (et == PID_CISCO_CDP) {
356 cdp_print(p, length, caplen);
364 case PID_RFC2684_ETH_FCS:
365 case PID_RFC2684_ETH_NOFCS:
367 * XXX - remove the last two bytes for
368 * PID_RFC2684_ETH_FCS?
373 caplen -= bridge_pad;
374 length -= bridge_pad;
378 * What remains is an Ethernet packet.
380 ether_print(p, length, caplen);
383 case PID_RFC2684_802_5_FCS:
384 case PID_RFC2684_802_5_NOFCS:
386 * XXX - remove the last two bytes for
387 * PID_RFC2684_ETH_FCS?
390 * Skip the padding, but not the Access
393 caplen -= bridge_pad;
394 length -= bridge_pad;
398 * What remains is an 802.5 Token Ring
401 token_print(p, length, caplen);
404 case PID_RFC2684_FDDI_FCS:
405 case PID_RFC2684_FDDI_NOFCS:
407 * XXX - remove the last two bytes for
408 * PID_RFC2684_ETH_FCS?
413 caplen -= bridge_pad + 1;
414 length -= bridge_pad + 1;
418 * What remains is an FDDI packet.
420 fddi_print(p, length, caplen);
423 case PID_RFC2684_BPDU:
424 stp_print(p, length);
projects / dragonfly.git / blob