Ethereal-dev: [ethereal-dev] AH protocol, newbie questions
Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.
From: Brian Craft <bcboy@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
Date: Thu, 11 Feb 1999 18:21:46 -0500
hey -- I was just hacking ethereal so I could browse AH packets (rfc2502). I don't really know what I'm doing, but I'm including a patch which sorta works (in transport mode) & a capture of a few pings over AH. Any comments would be welcome.

I'm unclear on how to deal with recursion (e.g. IP contains AH contains IP, in tunnel mode, etc), and on the role of global pi. I also wasn't sure if AH should be a separate file, or part of packet-ip.c.

The patch is against 0.5.1.

b.c.
diff -uNr ethereal-0.5.1/Makefile.am ethereal-0.5.1-ah/Makefile.am --- ethereal-0.5.1/Makefile.am Sun Jan 3 17:13:01 1999 +++ ethereal-0.5.1-ah/Makefile.am Thu Feb 11 14:33:55 1999 @@ -27,6 +27,7 @@ packet-llc.c \ packet-lpd.c \ packet-ip.c \ + packet-ah.c \ packet-ipv6.c \ packet-ipx.c \ packet-nbipx.c \ diff -uNr ethereal-0.5.1/packet-ah.c ethereal-0.5.1-ah/packet-ah.c --- ethereal-0.5.1/packet-ah.c Wed Dec 31 16:00:00 1969 +++ ethereal-0.5.1-ah/packet-ah.c Thu Feb 11 15:20:00 1999 
@@ -0,0 +1,126 @@ +/* packet-ah.c + * Routines for AH protocol packet disassembly + * + * $Id$ + * + * Ethereal - Network traffic analyzer + * By Gerald Combs <gerald@xxxxxxxx> + * Copyright 1998 Gerald Combs + * + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version 2 + * of the License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + */ + +#ifdef HAVE_CONFIG_H +# include "config.h" +#endif + +#include <gtk/gtk.h> + +#include <stdio.h> + +#ifdef HAVE_SYS_TYPES_H +# include <sys/types.h> +#endif + +#ifdef HAVE_NETINET_IN_H +# include <netinet/in.h> +#endif + +#include "ethereal.h" +#include "packet.h" +#include "etypes.h" +#include "resolv.h" +#include "util.h" + +extern packet_info pi; + +void +dissect_ah(const u_char *pd, int offset, frame_data *fd, GtkTree *tree) { + e_ahhdr iph; + GtkWidget *ip_tree, *ti; + guint hlen; + static const value_string proto_vals[] = { {IP_PROTO_ICMP, "ICMP"}, + {IP_PROTO_IGMP, "IGMP"}, + {IP_PROTO_TCP, "TCP" }, + {IP_PROTO_UDP, "UDP" }, + {IP_PROTO_OSPF, "OSPF"}, + {0, NULL } }; + /* To do: check for runts, errs, etc. */ + /* Avoids alignment problems on many architectures. 
*/ + memcpy(&iph, &pd[offset], sizeof(e_ahhdr)); + iph.ah_res = ntohs(iph.ah_res); + iph.ah_spi = ntohl(iph.ah_spi); + iph.ah_sqn = ntohl(iph.ah_sqn); + + hlen = (iph.ah_len+2) * 4; /* IP header length, in bytes */ + + switch (iph.ah_prot) { + case IP_PROTO_ICMP: + case IP_PROTO_IGMP: + case IP_PROTO_TCP: + case IP_PROTO_UDP: + case IP_PROTO_OSPF: + /* Names are set in the associated dissect_* routines */ + break; + default: + if (check_col(fd, COL_PROTOCOL)) + col_add_str(fd, COL_PROTOCOL, "IP"); + if (check_col(fd, COL_INFO)) + col_add_fstr(fd, COL_INFO, "Unknown IP protocol (%02x)", iph.ah_prot); + } + + if (tree) { + ti = add_item_to_tree(GTK_WIDGET(tree), offset, hlen, "IP Authentication Header"); + ip_tree = gtk_tree_new(); + add_subtree(ti, ip_tree, ETT_IP); + add_item_to_tree(ip_tree, offset, 1, "Protocol: %s", + val_to_str(iph.ah_prot, proto_vals, "Unknown (%x)")); +/* add_item_to_tree(ip_tree, offset, 1, "Protocol"); */ + add_item_to_tree(ip_tree, offset+1, 1, "Header length: %d bytes", hlen); + add_item_to_tree(ip_tree, offset+2, 2, "Reserved"); + add_item_to_tree(ip_tree, offset+4, 4, "Security parameter index: %d", iph.ah_spi); + add_item_to_tree(ip_tree, offset+8, 4, "Sequence number: %d", iph.ah_sqn); + add_item_to_tree(ip_tree, offset+12, hlen-sizeof(e_ahhdr), "Authentication data"); + } + +/* what is this for? 
+ pi.srcip = ip_to_str( (guint8 *) &iph.ip_src); + pi.destip = ip_to_str( (guint8 *) &iph.ip_dst); + pi.ipproto = iph.ah_prot; + pi.iplen = iph.ip_len; + pi.iphdrlen = iph.ip_hl; + pi.ip_src = iph.ip_src;*/ + + offset += hlen; + switch (iph.ah_prot) { + case IP_PROTO_ICMP: + dissect_icmp(pd, offset, fd, tree); + break; + case IP_PROTO_IGMP: + dissect_igmp(pd, offset, fd, tree); + break; + case IP_PROTO_TCP: + dissect_tcp(pd, offset, fd, tree); + break; + case IP_PROTO_UDP: + dissect_udp(pd, offset, fd, tree); + break; + case IP_PROTO_OSPF: + dissect_ospf(pd, offset, fd, tree); + break; + } +} + diff -uNr ethereal-0.5.1/packet-ip.c ethereal-0.5.1-ah/packet-ip.c --- ethereal-0.5.1/packet-ip.c Mon Dec 28 20:08:20 1998 +++ ethereal-0.5.1-ah/packet-ip.c Thu Feb 11 14:30:09 1999 @@ -548,12 +548,15 @@ case IP_PROTO_TCP: dissect_tcp(pd, offset, fd, tree); break; - case IP_PROTO_UDP: + case IP_PROTO_UDP: dissect_udp(pd, offset, fd, tree); break; case IP_PROTO_OSPF: dissect_ospf(pd, offset, fd, tree); - break; + break; + case IP_PROTO_AH: + dissect_ah(pd, offset, fd, tree); + break; } } diff -uNr ethereal-0.5.1/packet.h ethereal-0.5.1-ah/packet.h --- ethereal-0.5.1/packet.h Sat Jan 2 13:22:32 1999 +++ ethereal-0.5.1-ah/packet.h Thu Feb 11 15:20:26 1999 @@ -279,7 +279,18 @@ #define IP_PROTO_IGMP 2 #define IP_PROTO_TCP 6 #define IP_PROTO_UDP 17 +#define IP_PROTO_AH 51 #define IP_PROTO_OSPF 89 + +/* AH structs and definitions */ + +typedef struct _e_ahhdr { + guint8 ah_prot; + guint8 ah_len; + guint16 ah_res; + guint32 ah_spi; + guint32 ah_sqn; +} e_ahhdr; /* Null/loopback structs and definitions */
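Review bot: dissect_ah() in packet-ah.c never compares offset against the captured length of the frame, neither before the memcpy of sizeof(e_ahhdr) bytes from &pd[offset] nor before "offset += hlen", so a truncated or malformed AH header sends this dissector and the next one reading past the packet buffer. Turn the "To do: check for runts" comment into real checks at both points. The length byte also needs a lower bound: hlen is (iph.ah_len+2) * 4, so an ah_len of 0 gives hlen 8 and hlen-sizeof(e_ahhdr) wraps to a huge unsigned length for the "Authentication data" item; reject any header whose hlen is smaller than sizeof(e_ahhdr). Separately, ah_spi and ah_sqn are guint32 but are printed with %d, so values above 2^31 show up negative; use %u.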
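Review bot: in the packet-ip.c hunk, the "case IP_PROTO_UDP:" line and the "break;" after dissect_ospf() are removed and re-added with identical text, so they appear to differ only in whitespace. Drop those two changes so the hunk carries just the three added lines for IP_PROTO_AH, which keeps the diff reviewable and avoids conflicts with other edits to the switch.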
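Review bot: the packet.h hunk adds IP_PROTO_AH and e_ahhdr but no prototype for dissect_ah(), and no other hunk in the patch declares it, so the new call in packet-ip.c has no declaration in scope. Add "void dissect_ah(const u_char *, int, frame_data *, GtkTree *);" where the other dissector prototypes are declared. A short comment on ah_len giving its unit would also help, since packet-ah.c converts it with (ah_len+2) * 4 and a reader of the struct alone cannot tell that it is not a byte count.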
Attachment:
cap1
Description: Binary data