Hi,
i took the time to polish the redback dissector a little and decode some
more protocols:
Index: epan/dissectors/packet-redback.c
===================================================================
--- epan/dissectors/packet-redback.c (revision 21405)
+++ epan/dissectors/packet-redback.c (working copy)
@@ -6,7 +6,7 @@
* By Gerald Combs <gerald@xxxxxxxxxxxxx>
*
* Start of RedBack SE400/800 tcpdump trace disassembly
- * Copyright 2005,2006 Florian Lohoff <flo@xxxxxxxxxx>
+ * Copyright 2005-2007 Florian Lohoff <flo@xxxxxxxxxx>
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
@@ -41,6 +41,7 @@
static dissector_handle_t eth_handle;
static dissector_handle_t clnp_handle;
static dissector_handle_t arp_handle;
+static dissector_handle_t ppp_handle;
/* wrapper for passing the PIC type to the generic ATM dissector */
static void
@@ -81,47 +82,58 @@
"Layer3 Offset: %u", l3off);
tisub = proto_tree_add_text (subtree, tvb, 22, 2,
"Data Offset: %u", dataoff);
- next_tvb = tvb_new_subset(tvb, l3off, -1, -1);
/* Mark the gap as "Data" for now */
if (dataoff > l3off) {
proto_tree_add_text (subtree, tvb, 24, l3off-24, "Data (%d bytes)", l3off-24);
}
- /*
- * Just a guess - In case we see a difference in dataoff vs l3off
- * we assume there is an ethernet header. Traces from an OC12 didnt
- * show any header in here
- */
- if (dataoff > l3off) {
- call_dissector(eth_handle, next_tvb, pinfo, tree);
- } else {
- switch(proto) {
- case 0x01:
+ switch(proto) {
+ case 0x01:
/*
* IP - We assume IPv6 has a different protocol although
* i might be wrong - Havent seen any traces
*/
- call_dissector(ipv4_handle, next_tvb, pinfo, tree);
- break;
- case 0x02:
+ next_tvb = tvb_new_subset(tvb, dataoff, -1, -1);
+ call_dissector(ipv4_handle, next_tvb, pinfo, tree);
+ break;
+ case 0x02:
/*
* It is CLNP although it seem the Packet Asic fills
* some data in the packet so we have a "broken" packet in
* the trace
*/
- call_dissector(clnp_handle, next_tvb, pinfo, tree);
- break;
- case 0x03: /* Unicast Ethernet tx - Seen with PPPoE PADO */
- case 0x04: /* Unicast Ethernet rx - Seen with ARP */
- case 0x08: /* Broadcast Ethernet rx - Seen with PPPoE PADI */
- call_dissector(eth_handle, next_tvb, pinfo, tree);
- break;
- default:
- tisub = proto_tree_add_text (subtree, tvb, 24, length-24,
+ next_tvb = tvb_new_subset(tvb, l3off, -1, -1);
+ call_dissector(clnp_handle, next_tvb, pinfo, tree);
+ break;
+ case 0x06:
+
+ /* HACK This is a guess - i dont know what this flag means
+ * but my best guess is that it means "incoming" e.g.
+ * the direction of the packet. In case of incoming PPP
+ * packets there seems to be some padding which does
+ * not get reflected in the l3off/dataoff
+ */
+
+ if (flags & 0x00400000) {
+ next_tvb = tvb_new_subset(tvb, l3off, -1, -1);
+ } else {
+ proto_tree_add_text (subtree, tvb, l3off, 4, "Unknown Data (%d bytes)", 4);
+ next_tvb = tvb_new_subset(tvb, l3off+4, -1, -1);
+ }
+
+ call_dissector(ppp_handle, next_tvb, pinfo, tree);
+ break;
+ case 0x03: /* Unicast Ethernet tx - Seen with PPPoE PADO */
+ case 0x04: /* Unicast Ethernet rx - Seen with ARP */
+ case 0x08: /* Broadcast Ethernet rx - Seen with PPPoE PADI */
+ next_tvb = tvb_new_subset(tvb, l3off, -1, -1);
+ call_dissector(eth_handle, next_tvb, pinfo, tree);
+ break;
+ default:
+ tisub = proto_tree_add_text (subtree, tvb, 24, length-24,
"Unknown Protocol Data %u", proto);
- break;
- }
+ break;
}
return;
}
@@ -147,6 +159,7 @@
eth_handle = find_dissector("eth_withoutfcs");
clnp_handle = find_dissector("clnp");
arp_handle = find_dissector("arp");
+ ppp_handle = find_dissector("ppp");
redback_handle = create_dissector_handle(dissect_redback, proto_redback);
dissector_add("wtap_encap", WTAP_ENCAP_REDBACK, redback_handle);
Flo
--
Florian Lohoff flo@xxxxxxxxxx +49-171-2280134
Those who would give up a little freedom to get a little
security shall soon have neither - Benjamin Franklin
Attachment:
signature.asc
Description: Digital signature
