I have made a small patch to perform decoding of Cisco ISL encapsulated
packets. I'm enclosing the patch below, and seeking some advice on how
to proceed with this, since I'm only moderately happy with the current
patch.

The ISL encapsulation is defined at
http://www.cisco.com/warp/public/741/4.html

Notice that the way to decide that this is an ISL encapsulated packet
(as far as I can see) is that:
- it has an Ethernet length field (not type)
- it has SSAP = DSAP = 0xaa
- it has a multicast destination, 01:00:0c:00:00:00 (actually only 40
bits are fixed, this is not incorporated in the current patch)

Currently I make the decision of whether this is an ISL encapsulated
packet or not inside llc_print() - but ether_encap_print() is needed to
actually print what is inside the ISL packet. In reality I need more of
the code from ether_if_print() (for instance to print an LLC packet
encapsulated in ISL, which is perfectly possible) - but I would prefer
not to duplicate most of ether_if_print(). Any suggestion on how to
proceed with this?

Example of output formats:

20:21:23.540286 ISL vlan#10 202.102.230.155.80 > 195.204.87.133.15184: .
1460:2920(1460) ack 1 win 17262 (DF)
20:21:23.540304 ISL vlan#10 194.29.200.31.27015 > 195.204.87.133.35315: udp 121

and with -e specified:

20:22:05.598974 0:4:4d:27:a5:93 1:0:c:0:0:0 0000 1139: ISL vlan#10 0:4:9b:6c:98:8
0:1:97:d9:6c:0 0800 1095: 207.253.106.11.80 > 195.204.87.133.15410: P 1460:2515(1055)
ack 1 win 8760 (DF) [tos 0x60]
20:22:05.605233 0:4:4d:27:a5:93 1:0:c:0:0:0 0000 289: ISL vlan#10 0:4:4e:b1:ec:8
0:1:97:d9:6c:0 0800 245: 194.29.200.31.27015 > 195.204.87.133.33104: udp 217

The patch below is against tcpdump-2001.07.30.

(Oh yeah, for those of you wondering how to capture Cisco ISL packets -
connect two Cisco ISL speakers with a hub between them, and configure
both ends to half duplex. Connect your tcpdump box to the hub. You may
get some errors on large packets, since ISL adds 30 bytes and your hub
may not like that - but it is certainly good enough to test the basic
functionality.)

Steinar Haug, Nethelp consulting, [EMAIL PROTECTED]
----------------------------------------------------------------------
*** print-llc.c.orig Sun Jul 22 01:14:23 2001
--- print-llc.c Wed Aug 1 14:43:44 2001
***************
*** 47,52 ****
--- 47,53 ----
#include "llc.h"
#include "ethertype.h"
+ #include "ether.h"
static struct tok cmd2str[] = {
{ LLC_UI, "ui" },
***************
*** 71,76 ****
--- 72,78 ----
register u_short et;
u_int16_t control;
register int ret;
+ static char ISLdst[] = "\001\000\014\000\000\000";
if (caplen < 3) {
(void)printf("[|llc]");
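Review bot: The added `ISLdst` is never written to, so it should be declared `static const`, and since it is compared against MAC address bytes an unsigned byte array would be the better type than `char`. The octal escapes also hide that this is 01:00:0c:00:00:00; a short comment or a hex initializer would make the value readable at a glance.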
***************
*** 180,185 ****
--- 182,210 ----
default_print((u_char *)p, caplen);
return (0);
}
+ if (memcmp(edst, ISLdst, 6) == 0) {
+ u_int16_t vlan;
+ u_short ether_type;
+ struct ether_header *ep;
+ vlan = ntohs(*(u_int16_t *)(p+6)) >> 1;
+ printf("ISL vlan#%d ", vlan);
+ p += 12;
+ /* We're duplicating parts of ether_if_print here */
+ ep = (struct ether_header *)p;
+ caplen -= (16 + ETHER_HDRLEN);
+ length -= (16 + ETHER_HDRLEN);
+ p += ETHER_HDRLEN;
+ ether_type = ntohs(ep->ether_type);
+ if (eflag)
+ (void)printf("%s %s %s %d: ",
+ etheraddr_string(ESRC(ep)),
+ etheraddr_string(EDST(ep)),
+ etherproto_string(ep->ether_type),
+ length);
+ ether_encap_print(ether_type, p, length, caplen,
+extracted_ethertype);
+ return (1);
+ }
+
if (vflag)
(void)printf("snap %s ", protoid_string(llc.llcpi));
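Review bot: A length check is missing at the top of the added ISL block: it reads two bytes at `p+6` and then `ep->ether_type` from the header at `p+12`, while the only length check visible in this patch is `caplen < 3`. On a short capture both reads go past the captured data, and `caplen -= (16 + ETHER_HDRLEN)` goes below zero (or wraps, if `caplen` is unsigned) before being handed to ether_encap_print(). Suggest returning through a truncation marker, as the `[|llc]` path does, when `caplen` is smaller than `12 + ETHER_HDRLEN`. Smaller points: `p` advances by 12 while both lengths drop by 16, so the constant needs a comment saying what the extra 4 bytes are; the cast `*(u_int16_t *)(p+6)` assumes the pointer is suitably aligned, which a byte-wise extraction would avoid; and `memcmp(edst, ISLdst, 6)` compares all 48 bits, so a frame whose sixth destination byte is non-zero is not recognised, whereas comparing 5 bytes would match the 40 fixed bits mentioned in the description.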
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
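The three recognition criteria listed in the message, written as a bounds-checked classifier over a whole captured frame. This is an added example, not part of the original post or of tcpdump. The names are hypothetical, the offsets are the patch's `p+6` and `p+12` counted after the 14-byte outer Ethernet header, and treating values above 1500 as a type rather than a length is an assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HDRLEN     14    /* outer DA + SA + length field */
#define ISL_DA_FIXED   5     /* only 40 bits of the destination are fixed */
#define ISL_LLC_FIELDS 12    /* bytes the patch skips with "p += 12" */
#define ETH_MAX_LEN    1500  /* assumption: larger values are a type */

struct isl_info {
    uint16_t vlan;           /* VLAN id, upper 15 bits of the field at p+6 */
    size_t inner_off;        /* offset of the encapsulated Ethernet header */
};

/* Returns 1 and fills *out for an ISL frame, 0 if the frame is not ISL
 * (or too short to tell), -1 if it is ISL but the capture is truncated. */
int isl_classify(const uint8_t *f, size_t caplen, struct isl_info *out)
{
    static const uint8_t isl_da[ISL_DA_FIXED] = { 0x01, 0x00, 0x0c, 0x00, 0x00 };

    if (caplen < ETH_HDRLEN + 2)
        return 0;                        /* DA, length, DSAP/SSAP not all captured */
    if (memcmp(f, isl_da, ISL_DA_FIXED) != 0)
        return 0;                        /* multicast destination does not match */
    if ((((unsigned)f[12] << 8) | f[13]) > ETH_MAX_LEN)
        return 0;                        /* type field, not a length field */
    if (f[14] != 0xaa || f[15] != 0xaa)
        return 0;                        /* DSAP and SSAP must both be 0xaa */
    if (caplen < ETH_HDRLEN + ISL_LLC_FIELDS + ETH_HDRLEN)
        return -1;                       /* inner Ethernet header not captured */
    out->vlan = (uint16_t)((((unsigned)f[20] << 8) | f[21]) >> 1);
    out->inner_off = ETH_HDRLEN + ISL_LLC_FIELDS;
    return 1;
}

int main(void)
{
    /* Constructed sample: ISL header for VLAN 10, zero-filled inner frame. */
    uint8_t f[40] = { 0x01, 0x00, 0x0c, 0x00, 0x00, 0x00,
                      0x00, 0x04, 0x4d, 0x27, 0xa5, 0x93,
                      0x00, 0x00, 0xaa, 0xaa, 0x03 };
    struct isl_info info;
    f[21] = 10 << 1;
    if (isl_classify(f, sizeof f, &info) == 1)
        printf("ISL vlan#%u, inner at %zu\n", (unsigned)info.vlan, info.inner_off);
    return 0;
}
```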