Wireshark-bugs: [Wireshark-bugs] [Bug 1464] New: patch for packet-symantec.c for new capture fil
Date: Fri, 23 Mar 2007 18:41:56 +0000 (GMT)
http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1464

           Summary: patch for packet-symantec.c for new capture file format
           Product: Wireshark
           Version: 0.99.5
          Platform: PC
        OS/Version: Windows XP
            Status: NEW
          Severity: Enhancement
          Priority: Low
         Component: Wireshark
        AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
        ReportedBy: sgsguy@xxxxxxxxx


Build Information:
Version 0.99.5 (SVN Rev 20677)

Copyright 1998-2007 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled with GTK+ 2.10.7, with GLib 2.12.7, with WinPcap (version unknown),
with libz 1.2.3, with libpcre 6.4, with Net-SNMP 5.4, with ADNS, with Lua 5.1,
with GnuTLS 1.6.1, with Gcrypt 1.2.3, with MIT Kerberos, with PortAudio
PortAudio V19-devel, with AirPcap.

Running on Windows XP Service Pack 2, build 2600, with WinPcap version 4.0
(packet.dll version 4.0.0.755), based on libpcap version 0.9.5, without
AirPcap.

Built using Microsoft Visual C++ 6.0 build 8804

Wireshark is Open Source Software released under the GNU General Public
License.

Check the man page and http://www.wireshark.org for more information.
--
packet-symantec.c cannot parse capture files created by tcpdump on Symantec
firewall appliance running SGS v3 code level.  The symantec packet header in
the capture file has been lengthened and the ethertype field has moved.

Using TortoiseSVN 1.4.3, I've generated a patch to handle the new file format.
Sorry about the line wrap - I can attach the patch if necessary.
I can include old- and new-format capture files with some preparation.
Do I just attach them to this bug report?
patch follows:

Index: packet-symantec.c
===================================================================
--- packet-symantec.c   (revision 21067)
+++ packet-symantec.c   (working copy)
@@ -1,8 +1,9 @@
 /* packet-symantec.c
  * Routines for dissection of packets from the Axent Raptor firewall/
- * Symantec Enterprise Firewall
+ * Symantec Enterprise Firewall/Symantec Gateway Security appliance
+ * v2/Symantec Gateway Security appliance v3.
  *
- * $Id$
+ * $Id: 
  *
  * Wireshark - Network traffic analyzer
  * By Gerald Combs <gerald@xxxxxxxxxxxxx>
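Review bot: the `- * $Id$` / `+ * $Id: ` change replaces the Subversion keyword anchor with a truncated form that will no longer be expanded on commit; keep the `$Id$` line exactly as it was, since it is a keyword the repository fills in rather than text to edit. The widened list of supported appliances in the header comment is fine as is.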
@@ -46,33 +47,82 @@
 {
        proto_item *ti;
        proto_tree *symantec_tree = NULL;
-       guint16 etype;
+       guint16 etypev2, etypev3;
        tvbuff_t *next_tvb;

        /*
+        * Symantec records come in two variants:
+        *
+        * The older variant, dating from Axent days and continuing until
+        * the SGS v2.0.1 code level, is 44 bytes long.
         * The first 4 bytes are the IPv4 address of the interface that
         * captured the data, followed by 2 bytes of 0, then an Ethernet
         * type, followed by 36 bytes of 0.
+        *
+        * The newer variant, introduced either in SGS v3.0 or v3.0.1
+        * (possibly in concert with VLAN support), is 56 bytes long.
+        * The first 4 bytes are the IPv4 address of the interface that
+        * captured the data, followed by 6 bytes of 0, then an Ethernet
+        * type, followed by 44 bytes of 0.
+        *
+        * Unfortunately, there is no flag to distiguish between the two
+        * flavours.  The only indication of which flavour you have is the
+        * offset of the ETHERTYPE field.  Fortunately, Symantec didn't
+        * use ETHERTYPE_UNK as a valid value.
         */
+
+       etypev2 = tvb_get_ntohs(tvb, 6);
+       etypev3 = tvb_get_ntohs(tvb, 10);
+       
+       /* a valid packet can't be both v2 and v3 or neither v2 nor v3, */
+       if ((etypev2 == 0) == (etypev3 == 0))
+               return 0;
+               
        if (check_col(pinfo->cinfo, COL_PROTOCOL))
                col_add_str(pinfo->cinfo, COL_PROTOCOL, "Symantec");
-       if (check_col(pinfo->cinfo, COL_INFO))
-               col_add_fstr(pinfo->cinfo, COL_INFO, "Symantec Enterprise
Firewall");
-       if (tree) {
-               ti = proto_tree_add_protocol_format(tree, proto_symantec, tvb,
-                   0, 44, "Symantec firewall");
-               symantec_tree = proto_item_add_subtree(ti, ett_symantec);
+               
+       if (etypev3 == 0) {     /* SEF and SGS v2 processing */
+               if (check_col(pinfo->cinfo, COL_INFO))
+                       col_add_str(pinfo->cinfo, COL_INFO, "Symantec
Enterprise Firewall");
+               if (tree) {
+                       ti = proto_tree_add_protocol_format(tree,
proto_symantec, tvb,
+                               0, 44, "Symantec firewall");
+                       symantec_tree = proto_item_add_subtree(ti,
ett_symantec);
+               }
+               if (tree) {
+                       proto_tree_add_item(symantec_tree, hf_symantec_if, tvb,
+                               0, 4, FALSE);
+                       proto_tree_add_uint(symantec_tree, hf_symantec_etype,
tvb,
+                               6, 2, etypev2);
+               }
+               next_tvb = tvb_new_subset(tvb, 44, -1, -1);
+               dissector_try_port(ethertype_dissector_table, etypev2,
next_tvb, pinfo,
+                       tree);
        }
-       etype = tvb_get_ntohs(tvb, 6);
-       if (tree) {
-               proto_tree_add_item(symantec_tree, hf_symantec_if, tvb,
-                   0, 4, FALSE);
-               proto_tree_add_uint(symantec_tree, hf_symantec_etype, tvb,
-                   6, 2, etype);
+
+       if (etypev2 == 0) {     /* SGS v3 processing */
+               if (check_col(pinfo->cinfo, COL_INFO))
+                       col_add_str(pinfo->cinfo, COL_INFO, "Symantec SGS v3");
+               if (tree) {
+                       ti = proto_tree_add_protocol_format(tree,
proto_symantec, tvb,
+                               0, 56, "Symantec SGSv3");
+                       symantec_tree = proto_item_add_subtree(ti,
ett_symantec);
+               }
+               if (tree) {
+                       proto_tree_add_item(symantec_tree, hf_symantec_if, tvb,
+                               0, 4, FALSE);
+                       proto_tree_add_uint(symantec_tree, hf_symantec_etype,
tvb,
+                               10, 2, etypev3);
+               }
+               /*
+                * Dissection of VLAN information will have to wait until
+                * availability of a capture file from an SGSv3 box using VLAN
+                * tagging.
+                */
+               next_tvb = tvb_new_subset(tvb, 56, -1, -1);
+               dissector_try_port(ethertype_dissector_table, etypev3,
next_tvb, pinfo,
+                       tree);
        }
-       next_tvb = tvb_new_subset(tvb, 44, -1, -1);
-       dissector_try_port(ethertype_dissector_table, etype, next_tvb, pinfo,
-           tree);
 }

 void
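Review bot: the early `return 0;` after the `if ((etypev2 == 0) == (etypev3 == 0))` test only compiles if dissect_symantec has been turned into a new-style dissector returning `int`; the function signature and its registration lie outside this hunk, so either include that change in the patch or, if the function stays `void`, signal the malformed record another way instead of returning a value. Two smaller points: the v2 and v3 branches are near-duplicates that differ only in the ETHERTYPE offset (6 vs 10), the header length (44 vs 56) and the column text, so picking those values once and sharing a single tree-building and `dissector_try_port()` body would halve the code and also fold the back-to-back `if (tree)` blocks inside each branch into one; and the added comments have "distiguish" for "distinguish" and a dangling comma in `/* a valid packet can't be both v2 and v3 or neither v2 nor v3, */`, with trailing whitespace on several of the added blank lines.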
@@ -80,10 +130,10 @@
 {
        static hf_register_info hf[] = {
                { &hf_symantec_if,
-                   { "Interface",      "symantec.if", FT_IPv4, BASE_NONE,
NULL, 0x0,
+                   { "Interface", "symantec.if", FT_IPv4,  BASE_NONE, NULL,
0x0,
                        "Interface", HFILL }},
                { &hf_symantec_etype,
-                   { "Type",   "symantec.type", FT_UINT16, BASE_HEX,
VALS(etype_vals), 0x0,
+                   { "Type",    "symantec.type", FT_UINT16, BASE_HEX,
VALS(etype_vals), 0x0,
                        "", HFILL }},
        };
        static gint *ett[] = {
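Review bot: this hunk only reshuffles whitespace in the `hf[]` initialisers (`"Interface",      "symantec.if"` becomes `"Interface", "symantec.if"`, and likewise for the `"Type"` entry) and makes no functional change; dropping it keeps the patch limited to the SGS v3 support it describes and makes it easier to review and apply.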
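The layout test the patch relies on, worked through as an added stand-alone C example (this is not code from the bug report or from Wireshark's packet-symantec.c): the two pseudo-header layouts described in the patch comment are parsed with the same heuristic, that exactly one of the two candidate ETHERTYPE fields is non-zero, with the length checks added explicitly that a dissector otherwise gets from tvb_get_ntohs() exceptions. The names (symantec_parse, sym_build_record, struct symantec_rec, the SYM_* macros) and the sample records are constructed for this example.

```c
/* Added example, not part of the bug report or of Wireshark: a stand-alone
 * parser for the 44-byte (SEF/SGS v2) and 56-byte (SGS v3) Symantec records.
 * All identifiers and sample data here are constructed for this example. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SYM_V2_HDR_LEN    44  /* v2: 4 IP + 2 zero + 2 etype + 36 zero */
#define SYM_V3_HDR_LEN    56  /* v3: 4 IP + 6 zero + 2 etype + 44 zero */
#define SYM_V2_ETYPE_OFF   6
#define SYM_V3_ETYPE_OFF  10

enum sym_variant { SYM_INVALID = 0, SYM_V2 = 2, SYM_V3 = 3 };

struct symantec_rec {
    enum sym_variant variant;
    uint32_t if_addr;      /* IPv4 address of the capturing interface, host order */
    uint16_t ethertype;    /* Ethernet type of the encapsulated frame */
    size_t   payload_off;  /* offset of the encapsulated frame in the record */
    size_t   payload_len;
};

static uint16_t get_be16(const uint8_t *p)
{
    return (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
}

static uint32_t get_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Classify one record. Returns SYM_INVALID (leaving *out untouched) when the
 * record is too short or when the zero test cannot pick exactly one layout. */
enum sym_variant symantec_parse(const uint8_t *buf, size_t len, struct symantec_rec *out)
{
    size_t hdr_len;
    uint16_t etypev2, etypev3, etype;
    enum sym_variant v;

    /* Both candidate ETHERTYPE fields must be readable before they are tested. */
    if (len < SYM_V3_ETYPE_OFF + 2)
        return SYM_INVALID;
    etypev2 = get_be16(buf + SYM_V2_ETYPE_OFF);
    etypev3 = get_be16(buf + SYM_V3_ETYPE_OFF);

    /* The patch's heuristic: a valid record is v2 xor v3, never both or neither. */
    if ((etypev2 == 0) == (etypev3 == 0))
        return SYM_INVALID;
    if (etypev3 == 0) { v = SYM_V2; hdr_len = SYM_V2_HDR_LEN; etype = etypev2; }
    else              { v = SYM_V3; hdr_len = SYM_V3_HDR_LEN; etype = etypev3; }

    /* Refuse records truncated inside the pseudo-header rather than handing an
     * out-of-range payload offset to the next layer. */
    if (len < hdr_len)
        return SYM_INVALID;

    out->variant     = v;
    out->if_addr     = get_be32(buf);
    out->ethertype   = etype;
    out->payload_off = hdr_len;
    out->payload_len = len - hdr_len;
    return v;
}

/* Build a constructed sample record of the requested variant (2 or 3).
 * Returns the record length, or 0 if it does not fit in cap. */
size_t sym_build_record(uint8_t *out, size_t cap, int variant, uint32_t if_addr,
                        uint16_t ethertype, const uint8_t *payload, size_t plen)
{
    size_t hdr_len   = (variant == 3) ? SYM_V3_HDR_LEN   : SYM_V2_HDR_LEN;
    size_t etype_off = (variant == 3) ? SYM_V3_ETYPE_OFF : SYM_V2_ETYPE_OFF;

    if (hdr_len + plen > cap)
        return 0;
    memset(out, 0, hdr_len);                 /* every reserved byte is zero */
    out[0] = (uint8_t)(if_addr >> 24); out[1] = (uint8_t)(if_addr >> 16);
    out[2] = (uint8_t)(if_addr >> 8);  out[3] = (uint8_t)if_addr;
    out[etype_off]     = (uint8_t)(ethertype >> 8);
    out[etype_off + 1] = (uint8_t)ethertype;
    memcpy(out + hdr_len, payload, plen);
    return hdr_len + plen;
}

int main(void)
{
    /* Constructed sample: a v3 record carrying a 4-byte stub IPv4 payload. */
    static const uint8_t stub[4] = { 0x45, 0x00, 0x00, 0x14 };
    uint8_t rec[128];
    struct symantec_rec r;
    size_t n = sym_build_record(rec, sizeof rec, 3, 0xC0A80101u, 0x0800, stub, sizeof stub);

    if (symantec_parse(rec, n, &r) == SYM_INVALID)
        puts("not a Symantec record");
    else
        printf("v%d record, if 0x%08x, ethertype 0x%04x, payload at %zu (%zu bytes)\n",
               (int)r.variant, r.if_addr, r.ethertype, r.payload_off, r.payload_len);
    return 0;
}
```

The two candidate fields sit inside the other layout's zero padding, so a record with both fields set (corrupt data, or a third layout nobody has seen yet) is rejected rather than guessed, which is the same outcome as the early return in the patch; the explicit length check before the payload hand-off is what a standalone parser needs in place of the bounds exceptions Wireshark's tvb accessors raise.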

