2 * Copyright (c) 1992, 1993, 1994, 1995, 1996, 1997
3 * The Regents of the University of California. All rights reserved.
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that: (1) source code distributions
7 * retain the above copyright notice and this paragraph in its entirety, (2)
8 * distributions including binary code include the above copyright notice and
9 * this paragraph in its entirety in the documentation or other materials
10 * provided with the distribution, and (3) all advertising materials mentioning
11 * features or use of this software display the following acknowledgement:
12 * ``This product includes software developed by the University of California,
13 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
14 * the University nor the names of its contributors may be used to endorse
15 * or promote products derived from this software without specific prior
17 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
18 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
19 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
21 * Code by Matt Thomas, Digital Equipment Corporation
22 * with an awful lot of hacking by Jeffrey Mogul, DECWRL
28 static const char rcsid[] _U_ =
29 "@(#) $Header: /tcpdump/master/tcpdump/print-llc.c,v 1.61 2005/04/06 21:32:41 mcr Exp $";
36 #include <tcpdump-stdinc.h>
41 #include "interface.h"
42 #include "addrtoname.h"
43 #include "extract.h" /* must come after interface.h */
46 #include "ethertype.h"
49 static struct tok llc_values[] = {
50 { LLCSAP_NULL, "Null" },
51 { LLCSAP_GLOBAL, "Global" },
52 { LLCSAP_8021B_I, "802.1B I" },
53 { LLCSAP_8021B_G, "802.1B G" },
55 { LLCSAP_PROWAYNM, "ProWay NM" },
56 { LLCSAP_8021D, "STP" },
57 { LLCSAP_RS511, "RS511" },
58 { LLCSAP_ISO8208, "ISO8208" },
59 { LLCSAP_PROWAY, "ProWay" },
60 { LLCSAP_SNAP, "SNAP" },
61 { LLCSAP_IPX, "IPX" },
62 { LLCSAP_NETBEUI, "NetBeui" },
63 { LLCSAP_ISONS, "OSI" },
66 static struct tok cmd2str[] = {
73 { LLC_SABME, "sabme" },
79 * Returns non-zero IFF it succeeds in printing the header
82 llc_print(const u_char *p, u_int length, u_int caplen,
83 const u_char *esrc, const u_char *edst, u_short *extracted_ethertype)
91 (void)printf("[|llc]");
92 default_print((u_char *)p, caplen);
96 /* Watch out for possible alignment problems */
97 memcpy((char *)&llc, (char *)p, min(caplen, sizeof(llc)));
100 printf("LLC, dsap %s (0x%02x), ssap %s (0x%02x), cmd 0x%02x: ",
101 tok2str(llc_values,"Unknown",llc.dsap),
103 tok2str(llc_values,"Unknown",llc.ssap),
107 if (llc.ssap == LLCSAP_GLOBAL && llc.dsap == LLCSAP_GLOBAL) {
109 * This is an Ethernet_802.3 IPX frame; it has an
110 * 802.3 header (i.e., an Ethernet header where the
111 * type/length field is <= ETHERMTU, i.e. it's a length
112 * field, not a type field), but has no 802.2 header -
113 * the IPX packet starts right after the Ethernet header,
114 * with a signature of two bytes of 0xFF (which is
117 * (It might also have been an Ethernet_802.3 IPX at
118 * one time, but got bridged onto another network,
119 * such as an 802.11 network; this has appeared in at
120 * least one capture file.)
124 printf("IPX-802.3: ");
126 ipx_print(p, length);
130 if (llc.ssap == LLCSAP_8021D && llc.dsap == LLCSAP_8021D) {
131 stp_print(p, length);
135 if (llc.ssap == LLCSAP_IP && llc.dsap == LLCSAP_IP) {
136 ip_print(gndo, p+4, length-4);
140 if (llc.ssap == LLCSAP_IPX && llc.dsap == LLCSAP_IPX &&
141 llc.llcui == LLC_UI) {
143 * This is an Ethernet_802.2 IPX frame, with an 802.3
144 * header and an 802.2 LLC header with the source and
145 * destination SAPs being the IPX SAP.
147 * Skip DSAP, LSAP, and control field.
149 printf("(NOV-802.2) ");
153 ipx_print(p, length);
157 #ifdef TCPDUMP_DO_SMB
158 if (llc.ssap == LLCSAP_NETBEUI && llc.dsap == LLCSAP_NETBEUI
159 && (!(llc.llcu & LLC_S_FMT) || llc.llcu == LLC_U_FMT)) {
161 * we don't actually have a full netbeui parser yet, but the
162 * smb parser can handle many smb-in-netbeui packets, which
163 * is very useful, so we call that
165 * We don't call it for S frames, however, just I frames
166 * (which are frames that don't have the low-order bit,
167 * LLC_S_FMT, set in the first byte of the control field)
168 * and UI frames (whose control field is just 3, LLC_U_FMT).
172 * Skip the DSAP and LSAP.
179 * OK, what type of LLC frame is this? The length
180 * of the control field depends on that - I frames
181 * have a two-byte control field, and U frames have
182 * a one-byte control field.
184 if (llc.llcu == LLC_U_FMT) {
191 * The control field in I and S frames is
194 control = EXTRACT_LE_16BITS(&llc.llcu);
199 netbeui_print(control, p, length);
203 if (llc.ssap == LLCSAP_ISONS && llc.dsap == LLCSAP_ISONS
204 && llc.llcui == LLC_UI) {
205 isoclns_print(p + 3, length - 3, caplen - 3);
209 if (llc.ssap == LLCSAP_SNAP && llc.dsap == LLCSAP_SNAP
210 && llc.llcui == LLC_UI) {
213 if (caplen < sizeof(llc)) {
214 (void)printf("[|llc-snap]");
215 default_print((u_char *)p, caplen);
219 caplen -= sizeof(llc);
220 length -= sizeof(llc);
223 orgcode = EXTRACT_24BITS(&llc.llc_orgcode[0]);
224 et = EXTRACT_16BITS(&llc.llc_ethertype[0]);
227 (void)printf("oui %s (0x%06x), ethertype %s (0x%04x): ",
228 tok2str(oui_values,"Unknown",orgcode),
230 tok2str(ethertype_values,"Unknown", et),
234 * XXX - what *is* the right bridge pad value here?
235 * Does anybody ever bridge one form of LAN traffic
236 * over a networking type that uses 802.2 LLC?
238 ret = snap_print(p, length, caplen, extracted_ethertype,
244 if ((llc.ssap & ~LLC_GSAP) == llc.dsap) {
245 if (eflag || esrc == NULL || edst == NULL)
246 (void)printf("%s ", llcsap_string(llc.dsap));
248 (void)printf("%s > %s %s ",
249 etheraddr_string(esrc),
250 etheraddr_string(edst),
251 llcsap_string(llc.dsap));
253 if (eflag || esrc == NULL || edst == NULL)
254 (void)printf("%s > %s ",
255 llcsap_string(llc.ssap & ~LLC_GSAP),
256 llcsap_string(llc.dsap));
258 (void)printf("%s %s > %s %s ",
259 etheraddr_string(esrc),
260 llcsap_string(llc.ssap & ~LLC_GSAP),
261 etheraddr_string(edst),
262 llcsap_string(llc.dsap));
265 if ((llc.llcu & LLC_U_FMT) == LLC_U_FMT) {
270 cmd = LLC_U_CMD(llc.llcu);
271 m = tok2str(cmd2str, "%02x", cmd);
272 switch ((llc.ssap & LLC_GSAP) | (llc.llcu & LLC_U_POLL)) {
273 case 0: f = 'C'; break;
274 case LLC_GSAP: f = 'R'; break;
275 case LLC_U_POLL: f = 'P'; break;
276 case LLC_GSAP|LLC_U_POLL: f = 'F'; break;
277 default: f = '?'; break;
280 printf("%s/%c", m, f);
286 if ((llc.llcu & ~LLC_U_POLL) == LLC_XID) {
287 if (*p == LLC_XID_FI) {
288 printf(": %02x %02x", p[1], p[2]);
298 * The control field in I and S frames is little-endian.
300 control = EXTRACT_LE_16BITS(&llc.llcu);
301 switch ((llc.ssap & LLC_GSAP) | (control & LLC_IS_POLL)) {
302 case 0: f = 'C'; break;
303 case LLC_GSAP: f = 'R'; break;
304 case LLC_IS_POLL: f = 'P'; break;
305 case LLC_GSAP|LLC_IS_POLL: f = 'F'; break;
306 default: f = '?'; break;
309 if ((control & LLC_S_FMT) == LLC_S_FMT) {
310 static const char *llc_s[] = { "rr", "rej", "rnr", "03" };
311 (void)printf("%s (r=%d,%c)",
312 llc_s[LLC_S_CMD(control)],
316 (void)printf("I (s=%d,r=%d,%c)",
329 snap_print(const u_char *p, u_int length, u_int caplen,
330 u_short *extracted_ethertype, u_int32_t orgcode, u_short et,
336 case OUI_ENCAP_ETHER:
339 * This is an encapsulated Ethernet packet,
340 * or a packet bridged by some piece of
341 * Cisco hardware; the protocol ID is
342 * an Ethernet protocol type.
344 ret = ether_encap_print(et, p, length, caplen,
345 extracted_ethertype);
351 if (et == ETHERTYPE_ATALK) {
353 * No, I have no idea why Apple used one
354 * of their own OUIs, rather than
355 * 0x000000, and an Ethernet packet
356 * type, for Appletalk data packets,
357 * but used 0x000000 and an Ethernet
358 * packet type for AARP packets.
360 ret = ether_encap_print(et, p, length, caplen,
361 extracted_ethertype);
368 if (et == PID_CISCO_CDP) {
369 cdp_print(p, length, caplen);
377 case PID_RFC2684_ETH_FCS:
378 case PID_RFC2684_ETH_NOFCS:
380 * XXX - remove the last two bytes for
381 * PID_RFC2684_ETH_FCS?
386 caplen -= bridge_pad;
387 length -= bridge_pad;
391 * What remains is an Ethernet packet.
393 ether_print(p, length, caplen);
396 case PID_RFC2684_802_5_FCS:
397 case PID_RFC2684_802_5_NOFCS:
399 * XXX - remove the last two bytes for
400 * PID_RFC2684_ETH_FCS?
403 * Skip the padding, but not the Access
406 caplen -= bridge_pad;
407 length -= bridge_pad;
411 * What remains is an 802.5 Token Ring
414 token_print(p, length, caplen);
417 case PID_RFC2684_FDDI_FCS:
418 case PID_RFC2684_FDDI_NOFCS:
420 * XXX - remove the last two bytes for
421 * PID_RFC2684_ETH_FCS?
426 caplen -= bridge_pad + 1;
427 length -= bridge_pad + 1;
431 * What remains is an FDDI packet.
433 fddi_print(p, length, caplen);
436 case PID_RFC2684_BPDU:
437 stp_print(p, length);
447 * c-style: whitesmith