/src/wireshark/epan/dissectors/packet-cisco-wids.c
1 | | /* packet-cwids.c |
2 | | * Routines for dissecting wireless ids packets sent from a Cisco |
3 | | * access point to the WLSE (or whatever) |
4 | | * |
5 | | * Copyright 2006 Joerg Mayer (see AUTHORS file) |
6 | | * |
7 | | * Wireshark - Network traffic analyzer |
8 | | * By Gerald Combs <gerald@wireshark.org> |
9 | | * Copyright 1998 Gerald Combs |
10 | | * |
11 | | * SPDX-License-Identifier: GPL-2.0-or-later |
12 | | */ |
13 | | |
14 | | /* With current IOS, you can use Cisco wireless Bridges/APs as |
15 | | * wireless sniffers and configure them to send the data to some |
16 | | * central IDS: |
17 | | * interface dot11Radio 0 |
18 | | * station-role scanner |
19 | | * monitor frames endpoint ip address 172.22.1.1 port 8999 truncate 2312 |
20 | | * These frames are raw, i.e. they don't have a pcap header. |
21 | | * Running wireshark at the receiving end will provide those. |
22 | | */ |
23 | | |
24 | | /* 2do: |
25 | | * - Find out more about the contents of the capture header |
26 | | * - Protect the address fields etc (all columns?) |
27 | | * - Create subelements and put each header and packet into it |
28 | | * - fuzz-test the dissector |
29 | | * - Find some heuristic to detect the packet automagically and |
30 | | * convert dissector into a heuristic dissector |
31 | | * - Is the TRY/CATCH stuff OK? |
32 | | */ |
33 | | |
34 | | #include "config.h" |
35 | | |
36 | | #include <wiretap/wtap.h> |
37 | | |
38 | | #include <epan/packet.h> |
39 | | #include <epan/exceptions.h> |
40 | | #include <epan/expert.h> |
41 | | #include <epan/show_exception.h> |
42 | | |
/* Protocol and header-field handles; assigned in proto_register_cwids(). */
static int proto_cwids;
static int hf_cwids_version;
static int hf_cwids_timestamp;
static int hf_cwids_unknown1;
static int hf_cwids_channel;
static int hf_cwids_unknown2;
static int hf_cwids_reallength;
static int hf_cwids_capturelen;
static int hf_cwids_unknown3;

/* Subtree under which the fields of one capture-record header are added. */
static int ett_cwids;

/* Expert item attached to a record whose embedded 802.11 frame raised a bounds error. */
static expert_field ei_ieee80211_subpacket;

/* Our own handle, registered as "cwids" and used by the handoff routine. */
static dissector_handle_t cwids_handle;

/* Handle of the "wlan_noqos_radio" dissector each captured frame is passed to. */
static dissector_handle_t ieee80211_radio_handle;
60 | | |
/*
 * Dissect a UDP payload carrying Cisco WIDS capture records.
 *
 * The payload is a sequence of records.  Each record is a 28-byte capture
 * header (2 version + 6 timestamp + 1 unknown + 1 channel + 6 unknown +
 * 2 original length + 2 capture length + 8 unknown) followed by
 * "capture length" bytes holding a raw 802.11 frame without FCS.  Every
 * frame is handed to the wlan_noqos_radio dissector; a bounds error raised
 * in there is shown as an expert item on the record and dissection moves
 * on to the next record instead of aborting the whole packet.
 *
 * Returns the captured length of tvb, i.e. the whole payload is claimed.
 */
static int
dissect_cwids(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
{
	tvbuff_t *wlan_tvb;
	proto_tree *ti, *cwids_tree;
	/* volatile: updated on every loop iteration around a TRY/CATCH block,
	 * so its value must survive the non-local jump taken on an exception. */
	volatile int offset = 0;
	uint16_t capturelen;

	col_set_str(pinfo->cinfo, COL_PROTOCOL, "CWIDS");
	col_set_str(pinfo->cinfo, COL_INFO, "Cwids: ");
	/* FIXME: col_set_fence(pinfo->cinfo, all-cols, only addr-cols?); */

	cwids_tree = NULL;

	/* One record per iteration.  The 28-byte header item below is added
	 * outside the TRY, so a truncated header throws and ends dissection of
	 * this packet as malformed; records already dissected stay in the tree. */
	while(tvb_reported_length_remaining(tvb, offset) > 0) {
		struct ieee_802_11_phdr phdr;

		/* The protocol item covers only the capture header, not the frame. */
		ti = proto_tree_add_item(tree, proto_cwids, tvb, offset, 28, ENC_NA);
		cwids_tree = proto_item_add_subtree(ti, ett_cwids);

		/* Pseudo-header for the radio dissector: everything is unknown
		 * except the channel, which the capture header carries. */
		memset(&phdr, 0, sizeof(phdr));
		phdr.fcs_len = 0; /* no FCS */
		phdr.decrypted = false;
		phdr.datapad = false;
		phdr.phy = PHDR_802_11_PHY_UNKNOWN;
		proto_tree_add_item(cwids_tree, hf_cwids_version, tvb, offset, 2, ENC_BIG_ENDIAN);
		offset += 2;
		proto_tree_add_item(cwids_tree, hf_cwids_timestamp, tvb, offset, 6, ENC_NA);
		offset += 6;
		proto_tree_add_item(cwids_tree, hf_cwids_unknown1, tvb, offset, 1, ENC_NA);
		offset += 1;
		phdr.has_channel = true;
		phdr.channel = tvb_get_uint8(tvb, offset);
		proto_tree_add_item(cwids_tree, hf_cwids_channel, tvb, offset, 1, ENC_BIG_ENDIAN);
		offset += 1;
		proto_tree_add_item(cwids_tree, hf_cwids_unknown2, tvb, offset, 6, ENC_NA);
		offset += 6;
		proto_tree_add_item(cwids_tree, hf_cwids_reallength, tvb, offset, 2, ENC_BIG_ENDIAN);
		offset += 2;
		/* Attacker-controlled length from the packet.  It is not compared
		 * with the remaining data here; tvb accessors are bounds-checked,
		 * so an oversized value surfaces as a bounds error in the 802.11
		 * dissector (caught below) rather than as an over-read. */
		capturelen = tvb_get_ntohs(tvb, offset);
		proto_tree_add_item(cwids_tree, hf_cwids_capturelen, tvb, offset, 2, ENC_BIG_ENDIAN);
		offset += 2;
		proto_tree_add_item(cwids_tree, hf_cwids_unknown3, tvb, offset, 8, ENC_NA);
		offset += 8;

		wlan_tvb = tvb_new_subset_length(tvb, offset, capturelen);
		/* Continue after ieee80211 dissection errors.  Only bounds errors
		 * are caught; any other exception propagates to the caller. */
		TRY {
			call_dissector_with_data(ieee80211_radio_handle, wlan_tvb, pinfo, tree, &phdr);
		} CATCH_BOUNDS_ERRORS {
			show_exception(wlan_tvb, pinfo, tree, EXCEPT_CODE, GET_MESSAGE);

			/* Flag the record whose frame could not be dissected. */
			expert_add_info(pinfo, ti, &ei_ieee80211_subpacket);
		} ENDTRY;

		/* A capturelen beyond the remaining data drives the remaining
		 * length negative and terminates the loop on the next test. */
		offset += capturelen;
	}
	return tvb_captured_length(tvb);
}
120 | | |
/* Registration entry points, called by the generated dissector registry. */
void proto_register_cwids(void);
void proto_reg_handoff_cwids(void);
123 | | |
/*
 * Register the CWIDS protocol together with its header fields, subtree
 * and expert info, and create the "cwids" dissector handle that the
 * handoff routine later attaches to UDP.
 */
void
proto_register_cwids(void)
{
	static hf_register_info hf[] = {
		{ &hf_cwids_version, {
			"Capture Version", "cwids.version",
			FT_UINT16, BASE_DEC, NULL, 0x0,
			"Version or format of record", HFILL }},
		{ &hf_cwids_timestamp, {
			"Timestamp [us]", "cwids.timestamp",
			FT_BYTES, BASE_NONE, NULL, 0x0,
			NULL, HFILL }},
		{ &hf_cwids_unknown1, {
			"Unknown1", "cwids.unknown1",
			FT_BYTES, BASE_NONE, NULL, 0x0,
			"1st Unknown block", HFILL }},
		{ &hf_cwids_channel, {
			"Channel", "cwids.channel",
			FT_UINT8, BASE_DEC, NULL, 0x0,
			"Channel for this capture", HFILL }},
		{ &hf_cwids_unknown2, {
			"Unknown2", "cwids.unknown2",
			FT_BYTES, BASE_NONE, NULL, 0x0,
			"2nd Unknown block", HFILL }},
		{ &hf_cwids_reallength, {
			"Original length", "cwids.reallen",
			FT_UINT16, BASE_DEC, NULL, 0x0,
			"Original num bytes in frame", HFILL }},
		{ &hf_cwids_capturelen, {
			"Capture length", "cwids.caplen",
			FT_UINT16, BASE_DEC, NULL, 0x0,
			"Captured bytes in record", HFILL }},
		{ &hf_cwids_unknown3, {
			"Unknown3", "cwids.unknown3",
			FT_BYTES, BASE_NONE, NULL, 0x0,
			"3rd Unknown block", HFILL }},
	};
	static int *ett[] = {
		&ett_cwids,
	};
	static ei_register_info ei[] = {
		{ &ei_ieee80211_subpacket, {
			"cwids.ieee80211_malformed", PI_MALFORMED, PI_ERROR,
			"Malformed or short IEEE80211 subpacket", EXPFILL }},
	};

	/* Protocol first: every other registration below keys off proto_cwids. */
	proto_cwids = proto_register_protocol("Cisco Wireless IDS Captures", "CWIDS", "cwids");
	cwids_handle = register_dissector("cwids", dissect_cwids, proto_cwids);

	proto_register_field_array(proto_cwids, hf, array_length(hf));
	proto_register_subtree_array(ett, array_length(ett));

	/* Expert info lives in its own module hanging off the protocol. */
	expert_module_t *expert = expert_register_protocol(proto_cwids);
	expert_register_field_array(expert, ei, array_length(ei));
}
179 | | |
/*
 * Handoff: resolve the 802.11 radio dissector that captured frames are
 * passed to, and make CWIDS selectable on a UDP port through "Decode As"
 * and the udp.port preference (no port is bound by default).
 */
void
proto_reg_handoff_cwids(void)
{
	/* Recorded as a dependency so the wlan dissector is kept loaded with us. */
	ieee80211_radio_handle = find_dissector_add_dependency("wlan_noqos_radio", proto_cwids);
	dissector_add_for_decode_as_with_preference("udp.port", cwids_handle);
}
186 | | |
187 | | /* |
188 | | * Editor modelines - https://www.wireshark.org/tools/modelines.html |
189 | | * |
190 | | * Local variables: |
191 | | * c-basic-offset: 8 |
192 | | * tab-width: 8 |
193 | | * indent-tabs-mode: t |
194 | | * End: |
195 | | * |
196 | | * vi: set shiftwidth=8 tabstop=8 noexpandtab: |
197 | | * :indentSize=8:tabSize=8:noTabs=false: |
198 | | */ |