Wireshark · Wireshark-dev: [Wireshark-dev] redback dissector update

Wireshark-dev: [Wireshark-dev] redback dissector update

From: Florian Lohoff <flo@xxxxxxxxxx>

Date: Fri, 13 Apr 2007 14:24:58 +0200

Hi,
i took the time to polish the redback dissector a little and decode some
more protocols:


Index: epan/dissectors/packet-redback.c
===================================================================
--- epan/dissectors/packet-redback.c	(revision 21405)
+++ epan/dissectors/packet-redback.c	(working copy)
@@ -6,7 +6,7 @@
  * By Gerald Combs <gerald@xxxxxxxxxxxxx>
  *
  * Start of RedBack SE400/800 tcpdump trace disassembly
- * Copyright 2005,2006 Florian Lohoff <flo@xxxxxxxxxx>
+ * Copyright 2005-2007 Florian Lohoff <flo@xxxxxxxxxx>
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
@@ -41,6 +41,7 @@
 static dissector_handle_t eth_handle;
 static dissector_handle_t clnp_handle;
 static dissector_handle_t arp_handle;
+static dissector_handle_t ppp_handle;
 
 /* wrapper for passing the PIC type to the generic ATM dissector */
 static void
@@ -81,47 +82,58 @@
                             "Layer3 Offset: %u", l3off);
   tisub = proto_tree_add_text (subtree, tvb, 22, 2,
                             "Data Offset: %u", dataoff);
-  next_tvb = tvb_new_subset(tvb, l3off, -1, -1);
 
   /* Mark the gap as "Data" for now */
   if (dataoff > l3off) {
 	proto_tree_add_text (subtree, tvb, 24, l3off-24, "Data (%d bytes)", l3off-24);	
   }
 
-  /*
-   * Just a guess - In case we see a difference in dataoff vs l3off
-   * we assume there is an ethernet header. Traces from an OC12 didnt
-   * show any header in here
-   */
-  if (dataoff > l3off) {
-    call_dissector(eth_handle, next_tvb, pinfo, tree);
-  } else {
-    switch(proto) {
-      case 0x01:
+  switch(proto) {
+    case 0x01:
         /*
 	 * IP - We assume IPv6 has a different protocol although
 	 * i might be wrong - Havent seen any traces
 	 */
-        call_dissector(ipv4_handle, next_tvb, pinfo, tree);
-        break;
-      case 0x02:
+      next_tvb = tvb_new_subset(tvb, dataoff, -1, -1);
+      call_dissector(ipv4_handle, next_tvb, pinfo, tree);
+      break;
+    case 0x02:
 	/*
 	 * It is CLNP although it seem the Packet Asic fills
 	 * some data in the packet so we have a "broken" packet in
 	 * the trace
 	 */
-        call_dissector(clnp_handle, next_tvb, pinfo, tree);
-        break;
-      case 0x03: /* Unicast Ethernet tx - Seen with PPPoE PADO */
-      case 0x04: /* Unicast Ethernet rx - Seen with ARP  */
-      case 0x08: /* Broadcast Ethernet rx - Seen with PPPoE PADI */
-        call_dissector(eth_handle, next_tvb, pinfo, tree);
-        break;
-      default:
-	tisub = proto_tree_add_text (subtree, tvb, 24, length-24,
+      next_tvb = tvb_new_subset(tvb, l3off, -1, -1);
+      call_dissector(clnp_handle, next_tvb, pinfo, tree);
+      break;
+    case 0x06:
+
+      /* HACK This is a guess - i dont know what this flag means
+       * but my best guess is that it means "incoming" e.g.
+       * the direction of the packet. In case of incoming PPP
+       * packets there seems to be some padding which does
+       * not get reflected in the l3off/dataoff
+       */
+
+      if (flags & 0x00400000) {
+        next_tvb = tvb_new_subset(tvb, l3off, -1, -1);
+      } else {
+	proto_tree_add_text (subtree, tvb, l3off, 4, "Unknown Data (%d bytes)", 4);
+        next_tvb = tvb_new_subset(tvb, l3off+4, -1, -1);
+      }
+
+      call_dissector(ppp_handle, next_tvb, pinfo, tree);
+      break;
+    case 0x03: /* Unicast Ethernet tx - Seen with PPPoE PADO */
+    case 0x04: /* Unicast Ethernet rx - Seen with ARP  */
+    case 0x08: /* Broadcast Ethernet rx - Seen with PPPoE PADI */
+      next_tvb = tvb_new_subset(tvb, l3off, -1, -1);
+      call_dissector(eth_handle, next_tvb, pinfo, tree);
+      break;
+    default:
+      tisub = proto_tree_add_text (subtree, tvb, 24, length-24,
 				"Unknown Protocol Data %u", proto);
-        break;
-    }
+      break;
   }
   return;
 }
@@ -147,6 +159,7 @@
   eth_handle = find_dissector("eth_withoutfcs");
   clnp_handle = find_dissector("clnp");
   arp_handle = find_dissector("arp");
+  ppp_handle = find_dissector("ppp");
 
   redback_handle = create_dissector_handle(dissect_redback, proto_redback);
   dissector_add("wtap_encap", WTAP_ENCAP_REDBACK, redback_handle);


Flo
-- 
Florian Lohoff                  flo@xxxxxxxxxx             +49-171-2280134
	Those who would give up a little freedom to get a little 
          security shall soon have neither - Benjamin Franklin

Attachment: signature.asc
Description: Digital signature

Follow-Ups:
- Re: [Wireshark-dev] redback dissector update
  - From: Luis Ontanon

Prev by Date: [Wireshark-dev] [PATCH] Added lower case treatment for Megaco messages
Next by Date: Re: [Wireshark-dev] redback dissector update
Previous by thread: Re: [Wireshark-dev] [PATCH] Added lower case treatment for Megaco messages
Next by thread: Re: [Wireshark-dev] redback dissector update
Index(es):
- Date
- Thread