Wireshark-dev: Re: [Wireshark-dev] redback dissector update
From: "Luis Ontanon" <[email protected]>
Date: Fri, 13 Apr 2007 14:41:33 +0200
Can you gzip the patches, some MUAs (e.g. google mail) mangle the text
attachments in a way that patches become unusable.

Luis.

On 4/13/07, Florian Lohoff <[email protected]> wrote:
Hi,
i took the time to polish the redback dissector a little and decode some
more protocols:


Index: epan/dissectors/packet-redback.c
===================================================================
--- epan/dissectors/packet-redback.c    (revision 21405)
+++ epan/dissectors/packet-redback.c    (working copy)
@@ -6,7 +6,7 @@
  * By Gerald Combs <[email protected]>
  *
  * Start of RedBack SE400/800 tcpdump trace disassembly
- * Copyright 2005,2006 Florian Lohoff <[email protected]>
+ * Copyright 2005-2007 Florian Lohoff <[email protected]>
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
@@ -41,6 +41,7 @@
 static dissector_handle_t eth_handle;
 static dissector_handle_t clnp_handle;
 static dissector_handle_t arp_handle;
+static dissector_handle_t ppp_handle;

 /* wrapper for passing the PIC type to the generic ATM dissector */
 static void
@@ -81,47 +82,58 @@
                             "Layer3 Offset: %u", l3off);
   tisub = proto_tree_add_text (subtree, tvb, 22, 2,
                             "Data Offset: %u", dataoff);
-  next_tvb = tvb_new_subset(tvb, l3off, -1, -1);

   /* Mark the gap as "Data" for now */
   if (dataoff > l3off) {
        proto_tree_add_text (subtree, tvb, 24, l3off-24, "Data (%d bytes)", l3off-24);
   }

-  /*
-   * Just a guess - In case we see a difference in dataoff vs l3off
-   * we assume there is an ethernet header. Traces from an OC12 didnt
-   * show any header in here
-   */
-  if (dataoff > l3off) {
-    call_dissector(eth_handle, next_tvb, pinfo, tree);
-  } else {
-    switch(proto) {
-      case 0x01:
+  switch(proto) {
+    case 0x01:
         /*
         * IP - We assume IPv6 has a different protocol although
         * i might be wrong - Havent seen any traces
         */
-        call_dissector(ipv4_handle, next_tvb, pinfo, tree);
-        break;
-      case 0x02:
+      next_tvb = tvb_new_subset(tvb, dataoff, -1, -1);
+      call_dissector(ipv4_handle, next_tvb, pinfo, tree);
+      break;
+    case 0x02:
        /*
         * It is CLNP although it seem the Packet Asic fills
         * some data in the packet so we have a "broken" packet in
         * the trace
         */
-        call_dissector(clnp_handle, next_tvb, pinfo, tree);
-        break;
-      case 0x03: /* Unicast Ethernet tx - Seen with PPPoE PADO */
-      case 0x04: /* Unicast Ethernet rx - Seen with ARP  */
-      case 0x08: /* Broadcast Ethernet rx - Seen with PPPoE PADI */
-        call_dissector(eth_handle, next_tvb, pinfo, tree);
-        break;
-      default:
-       tisub = proto_tree_add_text (subtree, tvb, 24, length-24,
+      next_tvb = tvb_new_subset(tvb, l3off, -1, -1);
+      call_dissector(clnp_handle, next_tvb, pinfo, tree);
+      break;
+    case 0x06:
+
+      /* HACK This is a guess - i dont know what this flag means
+       * but my best guess is that it means "incoming" e.g.
+       * the direction of the packet. In case of incoming PPP
+       * packets there seems to be some padding which does
+       * not get reflected in the l3off/dataoff
+       */
+
+      if (flags & 0x00400000) {
+        next_tvb = tvb_new_subset(tvb, l3off, -1, -1);
+      } else {
+       proto_tree_add_text (subtree, tvb, l3off, 4, "Unknown Data (%d bytes)", 4);
+        next_tvb = tvb_new_subset(tvb, l3off+4, -1, -1);
+      }
+
+      call_dissector(ppp_handle, next_tvb, pinfo, tree);
+      break;
+    case 0x03: /* Unicast Ethernet tx - Seen with PPPoE PADO */
+    case 0x04: /* Unicast Ethernet rx - Seen with ARP  */
+    case 0x08: /* Broadcast Ethernet rx - Seen with PPPoE PADI */
+      next_tvb = tvb_new_subset(tvb, l3off, -1, -1);
+      call_dissector(eth_handle, next_tvb, pinfo, tree);
+      break;
+    default:
+      tisub = proto_tree_add_text (subtree, tvb, 24, length-24,
                                "Unknown Protocol Data %u", proto);
-        break;
-    }
+      break;
   }
   return;
 }
@@ -147,6 +159,7 @@
   eth_handle = find_dissector("eth_withoutfcs");
   clnp_handle = find_dissector("clnp");
   arp_handle = find_dissector("arp");
+  ppp_handle = find_dissector("ppp");

   redback_handle = create_dissector_handle(dissect_redback, proto_redback);
   dissector_add("wtap_encap", WTAP_ENCAP_REDBACK, redback_handle);


Flo
--
Florian Lohoff                  [email protected]             +49-171-2280134
        Those who would give up a little freedom to get a little
          security shall soon have neither - Benjamin Franklin

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFGH3aaUaz2rXW+gJcRAlqnAKDYNRmZ9Ncml3hfDFnLnqf7BSib+ACgzteO
9mJeGSiuxwmpiDbeurSM8e0=
=i3yd
-----END PGP SIGNATURE-----

_______________________________________________
Wireshark-dev mailing list
[email protected]
http://www.wireshark.org/mailman/listinfo/wireshark-dev



--
This information is top security. When you have read it, destroy yourself.
-- Marshall McLuhan