One Complete Example
Here we present the decoder for IP version 4 with added commentary to explain what is going on.
Note that this DecoderScript does not follow every recommendation given in this manual. Many single-word field tags, for example, are written without enclosing quotes. This serves as a reminder that many of our recommendations are just that: recommendations, not hard-and-fast rules.
/* Internet Protocol version 4. Copyright 2016 Teledyne LeCroy, Inc. All rights reserved. */
/*
** Decoder header: the decoder name followed by a numeric value
** (presumably the decoder's ID -- confirm against the manual).
*/
IPv4 0x7f000401
/*
** The next-layer protocol is selected from the value of the
** field named protocol, which is decoded further down.
*/
NEXT_PROTOCOL (FromField protocol)
/*
** The length for the next protocol is calculated as the
** length of the entire IP packet (decoded as the field
** named tot_length) minus the length of
** the IP header.
** NOTE(review): tot_length is read straight from the frame and
** has no VERIFY in this decoder. How ThisLayerLength behaves when
** tot_length is smaller than the header, or larger than the data
** actually captured, is not visible here -- confirm.
*/
NEXT_PROTOCOL_SIZE (ThisLayerLength tot_length)
/*
** This is a custom method to handle fragmentation. As the
** keyword suggests, it presumably runs once the frame has been
** decoded; the set_fragmentation field near the end of the main
** path calls the companion method IpSetFragmentation.
*/
FRAME_AFTER_DECODING (IpReconstructFragments a)
/*
** Start of the decode section: the tables come first, then the
** fields of the IP header.
*/
DECODE
/*
** This table is indexed by the IP version number. It
** identifies certain IP variants such as TUBA (TCP and UDP
** with Bigger Addresses). Full decoding of these variants
** is not supported. Basically version 4 is expected.
** The table only supplies display text for the version field;
** values not listed fall to the DEFAULT entry. Where an entry
** has two strings they appear to be a short name followed by a
** longer description.
*/
TABLE ver_nums
{ 0 "Reserved"}
{ 4 "Internet Protocol ver. 4"}
{ 5 "ST" "ST Datagram Mode"}
{ 6 "SIP" "Simple Internet Protocol"}
{ 7 "TP/IX" "The Next Internet"}
{ 8 "PIP" "P Internet Protocol"}
{ 9 "TUBA"}
{ DEFAULT "Unassigned"}
ENDTABLE
/*
** This table lists the precedence levels defined for IP.
** The precedence is given by a three-bit field within
** the Type-of-service byte. All eight possible values are
** listed, so no default entry is needed. The table is used by
** the preced field in the tos group.
*/
TABLE prec
{ 7 "Network Control"}
{ 6 "Internetwork Control"}
{ 5 "CRITIC / ECP"}
{ 4 "Flash Override"}
{ 3 "Flash"}
{ 2 "Immediate"}
{ 1 "Priority"}
{ 0 "Routine"}
ENDTABLE
/*
** The table lists the options specified by the Delay
** bit in the Type-of-service byte. It is used by the one-bit
** field that is also named delay, in the tos group.
*/
TABLE delay
{ 0 Normal }
{ 1 Low }
ENDTABLE
/*
** The table lists a pair of options that pertain to both
** the Throughput and the Reliability bit flags in the
** Type-of-service byte. One table serves both one-bit fields
** (thru and reli in the tos group).
*/
TABLE norm_hi
{ 0 Normal }
{ 1 High }
ENDTABLE
/*
** The table lists the options specified by the
** may/don't fragment bit in the Flags field. It is used by the
** one-bit field df in the ctrl_flags group.
*/
TABLE df
{ 0 "May Fragment"}
{ 1 "Do not Fragment"}
ENDTABLE
/*
** The table lists the options specified by the
** last/more fragment(s) bit in the Flags field. It is used by
** the one-bit field mf in the ctrl_flags group. Note that a
** packet that is not fragmented at all also carries 0 here, so
** "Last Fragment" is shown for unfragmented packets too.
*/
TABLE mf
{ 0 "Last Fragment"}
{ 1 "More Fragments"}
ENDTABLE
/*
** This table lists the next-layer protocol codes.
** Apart from ICMP, GGP, TCP, EGP, IGP and UDP,
** most of these are rarely encountered.
** It is used twice by the field named protocol: for display
** text and for its VERIFY (IsInTable protocol).
** The listing covers 0-114 and 255 only; anything from 115 to
** 254 falls to the Default entry and is shown as "???".
** NOTE(review): the labels reflect an older snapshot of the
** assigned numbers. Some are narrower than current use (for
** example 50 and 51 are labelled "for IPv6" although ESP and
** AH are carried over IPv4 as well), so read them as hints and
** check the code number itself when it matters.
*/
TABLE protocol
{ 0 "IPv6 Hop-by-Hop Option"}
{ 1 "ICMP" "Internet Control Message Protocol"}
{ 2 "IGMP" "Internet Group Management Protocol"}
{ 3 "GGP" "Gateway-to-Gateway Protocol"}
{ 4 "IP in IP (encapsulation)"}
{ 5 "Streaming protocol"}
{ 6 "TCP" "Transmission Control Protocol"}
{ 7 "CBT"}
{ 8 "EGP" "Exterior Gateway Protocol"}
{ 9 "IGP" "Interior Gateway Protocol"}
{ 10 "BBN RCC Monitoring"}
{ 11 "NVP" "Network Voice Protocol"}
{ 12 "PUP"}
{ 13 "ARGUS"}
{ 14 "EMCON"}
{ 15 "Cross Net Debugger"}
{ 16 "Chaos"}
{ 17 "UDP" "User Datagram Protocol"}
{ 18 "Multiplexing"}
{ 19 "DCN Measurement Subsystems"}
{ 20 "HMP" "Host Monitoring Protocol"}
{ 21 "Packet Radio Measurement"}
{ 22 "XEROX NS IDP"}
{ 23 "TRUNK-1"}
{ 24 "TRUNK-2"}
{ 25 "LEAF-1"}
{ 26 "LEAF-2"}
{ 27 "RDP" "Reliable Data Protocol"}
{ 28 "IRTP" "Internet Reliable Transaction"}
{ 29 "ISO Transport Protocol Class 4"}
{ 30 "Bulk Data Transfer Protocol"}
{ 31 "MFE Network Services Protocol"}
{ 32 "MERIT Internodal Protocol"}
{ 33 "SEP" "Sequential Exchange Protocol"}
{ 34 "3PC" "Third Party Connect"}
{ 35 "IDPR" "Inter-Domain Policy Routing Protocol"}
{ 36 "XTP"}
{ 37 "DDP" "Datagram Delivery Protocol"}
{ 38 "IDPR Control Message Transport Protocol"}
{ 39 "TP++ Transport Protocol"}
{ 40 "IL Transport Protocol"}
{ 41 "IP ver6" "Internet Protocol version 6"}
{ 42 "SDRP" "Source Demand Routing Protocol"}
{ 43 "Routing Header for IPv6"}
{ 44 "Fragment Header for IPv6"}
{ 45 "Inter-Domain Routing Protocol"}
{ 46 "Reservation Protocol"}
{ 47 "General Routing Encapsulation"}
{ 48 "Mobile Host Routing Protocol"}
{ 49 "BNA"}
{ 50 "Encap Security Payload for IPv6"}
{ 51 "Authentication Header for IPv6"}
{ 52 "Integrated Net Layer Security"}
{ 53 "IP with Encryption"}
{ 54 "NBMA Address Resolution Protocol"}
{ 55 "IP Mobility"}
{ 56 "Transport Layer Security Protocol"}
{ 57 "SKIP"}
{ 58 "ICMP for IP ver6"}
{ 59 "No Next Header for IP ver6"}
{ 60 "Destination Options for IP ver6"}
{ 61 "Any Host Internal Protocol"}
{ 62 "CFTP"}
{ 63 "any local network"}
{ 64 "SATNET and Backroom EXPAK"}
{ 65 "Kryptolan"}
{ 66 "MIT Remote Virtual Disk Protocol"}
{ 67 "Internet Pluribus Packet Core"}
{ 68 "any distributed file system"}
{ 69 "SATNET Monitoring"}
{ 70 "VISA Protocol"}
{ 71 "Internet Packet Core Utility"}
{ 72 "Computer Protocol Network Executive"}
{ 73 "Computer Protocol Heart Beat"}
{ 74 "Wang Span Network"}
{ 75 "Packet Video Protocol"}
{ 76 "Backroom SATNET Monitoring"}
{ 77 "SUN ND PROTOCOL"}
{ 78 "WIDEBAND Monitoring"}
{ 79 "WIDEBAND EXPAK"}
{ 80 "ISO IP" "ISO Internet Protocol"}
{ 81 "VMTP"}
{ 82 "SECURE-VMTP"}
{ 83 "VINES"}
{ 84 "TTP" }
{ 85 "NSFNET-IGP"}
{ 86 "Dissimilar Gateway Protocol"}
{ 87 "TCF"}
{ 88 "EIGRP"}
{ 89 "OSPF-IGP"}
{ 90 "Sprite RPC Protocol"}
{ 91 "Locus Address Resolution Protocol"}
{ 92 "Multicast Transport Protocol"}
{ 93 "AX.25 Frames"}
{ 94 "IP-within-IP Encapsulation Protocol"}
{ 95 "Mobile Internetworking Control Protocol"}
{ 96 "Semaphore Communications Sec. Protocol"}
{ 97 "Ethernet-within-IP Encapsulation"}
{ 98 "Encapsulation Header"}
{ 99 "Any private encryption scheme"}
{ 100 "GMTP"}
{ 101 "Ipsilon Flow Management Protocol"}
{ 102 "PNNI over IP"}
{ 103 "PIM" "Protocol Independent Multicast"}
{ 104 "ARIS"}
{ 105 "SCPS"}
{ 106 "ONX"}
{ 107 "Active Networks"}
{ 108 "IP Payload Compression Protocol"}
{ 109 "Sitara Networks Protocol"}
{ 110 "Compaq Peer Protocol"}
{ 111 "IPX in IP"}
{ 112 "Virtual Router Redundancy Protocol"}
{ 113 "PGM Reliable Transport Protocol"}
{ 114 "0-hop" "Any 0-hop protocol"}
{ 255 Reserved }
{ Default "???" "Protocol Not Found"}
ENDTABLE
/*
** This table lists codes for the IP options that may
** follow the main IP header. Note that this table
** contains names of statements for processing each
** option.
** The longer entries have the form
**   { code "" "name" 1 statement }
** where the 1 is the extra data that the opt_length field tests
** to decide whether a length byte follows the option type, and
** the last item is the statement that BRANCH (FromTable ...)
** jumps to (misc_pointer, misc_opt, ts, security, rtr_opt).
** NOTE(review): the short entries (133, 134, 136, 137 and so
** on) carry neither the 1 nor a statement name, so as far as
** this listing shows their length byte and data are not
** consumed as part of the option. On the wire several of them,
** Strict Source Route (137) and Stream ID (136) for instance,
** do carry a length and data, so the bytes after such an option
** may be mislabelled as further options -- confirm before
** relying on the option decode of such frames.
*/
TABLE ip_options
{ 0 "End of List"}
{ 1 "No Operation"}
{ 7 "" "Record Route" 1 misc_pointer}
{ 10 "" "Experimental Measurement" 1 misc_opt}
{ 11 "" "MTU Probe" 1 misc_opt}
{ 12 "" "MTU Reply" 1 misc_opt}
{ 15 "" ENCODE 1 misc_opt}
{ 68 "" "Time Stamp" 1 ts}
{ 82 "" Traceroute 1 misc_opt}
{ 130 "" Security 1 security }
{ 131 "" "Loose Source Route" 1 misc_pointer}
{ 133 "Extended Security"}
{ 134 "Commercial Security"}
{ 136 "Stream ID"}
{ 137 "Strict Source Route"}
{ 142 "Expermental Access Control"}
{ 144 "IMI Traffic Descriptor"}
{ 145 "EIP" }
{ 147 "Address Extension"}
{ 148 "" "Router Alert" 1 rtr_opt}
{ 149 "Selective Directed Broadcast"}
{ 150 "NSAP Addresses"}
{ 205 "Experimental Flow Control"}
{ Default "Unknown IP Option"}
ENDTABLE
/*
** This table lists security levels. This is used
** when processing the Security option, by the one-byte
** sec_class field in the security group. Only the low byte of
** each key is significant for a one-byte field; the values look
** like the classification-level codes of the IP Basic Security
** Option -- confirm against the option specification.
** The label is whatever the sender placed in the header; the
** decoder displays it and does not validate it beyond the table
** lookup.
*/
TABLE sec_TABLE
{ 0x00000001 "Reserved 4"}
{ 0x0000003d "Top Secret"}
{ 0x0000005a "Secret"}
{ 0x00000096 "Confidential"}
{ 0x00000066 "Reserved 3"}
{ 0x000000cc "Reserved 2"}
{ 0x000000ab Unclassified }
{ 0x000000f1 "Reserved 1"}
{ Default "Unknown Security Classification"}
ENDTABLE
/*
** This table is used in processing the Router Alert
** option, by the two-byte rtr_opt_data field in the rtr_opt
** group. Only the value 0 has a meaning here; every other
** value is displayed as "Reserved".
*/
TABLE rtr_options
{ 0x00000000 "Examine all packets"}
{ Default "Reserved"}
ENDTABLE
/*
** The IP header begins with a four-bit field that contains
** the protocol version number. If we find a version below
** 4 then we will have a failed VERIFY resulting in the frame
** being marked in red.
** NOTE(review): the check is "at least 4", not "equal to 4", so
** versions 5 to 15 pass VERIFY although the rest of this
** decoder lays the header out as IPv4. Such a frame is not
** marked in red by this field; the version text from ver_nums
** is the only hint.
*/
FIELD version (Fixed 4 Bits) (TABLE ver_nums) "Version" VERIFY (FieldIs GreaterThanOrEqualTo 4)
/*
** The IHL field contains the IP Header Length as a count of
** 32-bit words. The base header consists of a fixed 5 such
** words, hence the check that this value is at least 5.
** Anything beyond 5 words comprises options.
** The second check (IsNoMoreThanLayerInDwords) presumably
** rejects a header length that exceeds the data available to
** this layer -- confirm. Both checks matter because ihl later
** sizes the option loop and is passed to the checksum method,
** and it comes straight from the frame.
*/
FIELD ihl (Fixed 4 Bits) (Decimal) IN_SUMMARY IHL 30 "Header Length" VERIFY (FieldIs GreaterThanOrEqualTo 5 ) ALSO (IsNoMoreThanLayerInDwords)
/*
** Here we decode the Type Of Service byte. Note that this
** could have been done with a GROUP FIELD. For completeness
** we display the two reserved bits rather than covering them
** up with a RESERVED statement.
** The five fields below add up to 8 bits (3 + 1 + 1 + 1 + 2).
** Each flag is shown in binary and, via ALSO, with the text
** from its table. The reserved bits are displayed only; no
** VERIFY is attached to them.
*/
GROUP tos "Type of Service"
{
FIELD preced (Fixed 3 Bits) (Binary) ALSO (Table prec)
Precedence
FIELD delay (Fixed 1 Bit) (Binary) ALSO (Table delay) Delay
FIELD thru (Fixed 1 Bit) (Binary) ALSO (Table norm_hi)
Throughput
FIELD reli (Fixed 1 Bit) (Binary) ALSO (Table norm_hi)
Reliability
FIELD reserv (Fixed 2 Bits) (Binary) Reserved
}
/*
** This field contains the length of the total IP packet in
** bytes including the IP header. Thus this is the length of
** the IP layer plus all subsequent layers.
** NEXT_PROTOCOL_SIZE at the top of the decoder derives the
** payload length from this value.
** NOTE(review): no VERIFY is attached. A well-formed packet has
** tot_length of at least four times ihl and no more than the
** bytes actually present; a frame that breaks either rule is
** not flagged by this field -- confirm whether the size method
** handles it.
*/
FIELD tot_length (Fixed 2 Byte) (Decimal) IN_SUMMARY Length 50
"Total Length"
/*
** The ID field contains the identification value that the
** sender assigned to the packet. All fragments of one packet
** carry the same value, which is how they are matched up for
** reassembly. It is shown in hex and in the Summary pane.
*/
FIELD id (Fixed 2 Byte) (Hex) IN_SUMMARY ID 50 Identification
/*
** The Control Flags field contains one unused bit plus two
** bit flags:
** may/don't fragment
** last fragment/more fragments coming
** The unused bit must be 0: a frame with that bit set fails
** the VERIFY on reser. The two flags are displayed with the
** text from the df and mf tables.
*/
GROUP ctrl_flags "Control Flags"
{
FIELD reser (Fixed 1 Bit) (Binary) Reserved VERIFY
(FieldIs EqualTo 0 )
FIELD df (Fixed 1 Bit) (Table df) DF
FIELD mf (Fixed 1 Bit) (Table mf) MF
}
/*
** For a fragment, this field contains the offset of its
** starting point within the full packet.
** The 13-bit value is displayed as a plain decimal number. In
** IPv4 the fragment offset counts units of 8 bytes, so the
** number shown has to be multiplied by 8 to get a byte offset.
** Together with the 3 flag bits before it, this completes a
** 16-bit word.
*/
FIELD offset (Fixed 13 Bits) (Decimal) "Fragment Offset"
/*
** The Time-To-Live field. The original specification counts it
** in seconds, which is what the field tag says, but every
** router decrements it by at least one, so in practice the
** value reads as the number of hops left before the packet is
** discarded.
*/
FIELD ttl (Fixed 1) (Decimal) IN_SUMMARY Time 40 "Time to live sec."
/*
** This field contains a code that identifies the next-layer
** protocol. Note that we verify that the code is present
** in our table of protocols.
** The same value selects the next decoder through
** NEXT_PROTOCOL (FromField protocol) at the top of the file.
** NOTE(review): the protocol table has a Default entry; whether
** IsInTable counts a Default match as "present" is not visible
** here -- confirm, since that decides whether codes 115 to 254
** are flagged.
*/
FIELD protocol (Fixed 1) (Table protocol) IN_SUMMARY Protocol 100
Protocol VERIFY (IsInTable protocol)
/*
** Next comes the 16-bit header checksum. Ten bytes of header
** precede it, but the IPv4 checksum is defined over the whole
** header, options included and with this field taken as zero;
** it covers none of the payload. IpChecksum is given ihl,
** presumably so that it can sum the full header length --
** confirm. A mismatch fails the VERIFY.
*/
FIELD chksum (Fixed 2 Byte) (Hex) IN_SUMMARY Checksum 65 "Header
Checksum" VERIFY (IpChecksum ihl)
/*
** The source and destination addresses of the packet are
** decoded here. These are formatted in dot-quad notation
** (e.g. "64.147.250.27"). Note that the addresses are stored
** in intra-frame (within the current frame only) data
** so that they can be used in the Summary pane for other protocols,
** such as HTTP.
** The stored names are source_ip_address and
** destination_ip_address. Both values are shown exactly as they
** appear in the header; nothing here checks that the source
** address is genuine.
*/
FIELD src_addr (Fixed 4 Byte) RETRIEVE (StoreIntraframeField source_ip_address) (IPAddress) IN_SUMMARY Source 90 "Source Address"
FIELD dest_addr (Fixed 4 Byte) RETRIEVE (StoreIntraframeField destination_ip_address) (IPAddress) IN_SUMMARY Destination 90 "Destination Address"
/*
** Here we have a loop to process any IP options.
** The option_loop GROUP is repeated until all the header
** data is processed (i.e. the count of doublewords in IHL
** minus 5). The IF skips the loop when ihl is not above 5.
** NOTE(review): every value used inside the loop comes from the
** frame, so a malformed options area deserves attention:
**  - opt_length has no VERIFY, yet the option statements size
**    their data from it (opt_length less 2, 3 or 4 bytes);
**  - options listed in ip_options without the extra 1 and a
**    statement name get neither a length byte nor a handler
**    here, so their remaining bytes look as if they are read
**    as further option types -- confirm.
*/
GROUP option_loop IF (FieldIs GreaterThan 5 ihl) REPEAT SIZE (FromField DWords ihl 5)
{
/*
** Here's a good use of a GROUP FIELD to decode and display
** the option type. The text comes from the ip_options table.
*/
GROUP FIELD ip_opt_type (Fixed 1) (Table ip_options)"IP Option"
{
/*
** Most options include a one-byte length field.
** The extra data in the options table indicates
** whether this should be present or not.
** NOTE(review): "MatchTableDataip_options" below looks like a
** method name run together with the table name (a missing
** space) -- check against the shipped decoder.
*/
FIELD opt_length (Fixed 1) IF (MatchTableDataip_options ip_opt_type 1) (Decimal)"Option length"
/*
** We branch to option-specific code
** for the rest of the job. The statement name is taken from
** the ip_options entry that matches ip_opt_type.
*/
BRANCH (FromTable ip_options ip_opt_type)
}
}
/*
** The following two fields deal with the possibility
** that the frame is fragmented.
** set_fragmentation is a zero-length field: it consumes no
** data and exists to run the IpSetFragmentation method, which
** is handed the mf flag, the fragment offset and the two
** addresses among its arguments. SUPPRESS_DETAIL presumably
** keeps it out of the detail display -- confirm.
** consume_fragment runs to the end of the layer, but only when
** IpWholePayloadNotAvailable says so; it then shows the fixed
** text "Decode is in another frame" in place of a payload
** decode.
*/
FIELD set_fragmentation (Fixed 0)
PROCESSING (IpSetFragmentation a mf offset src_addr dest_addr decoder ID set_fragmentation)
(Decimal) SUPPRESS_DETAIL
FIELD consume_fragment (ToEndOfLayer) IF (IpWholePayloadNotAvailable a) (Constant "Decode is in another frame") "Payload is fragmented"
/*
** Here ends the main path of this decoder. The statements
** that follow are for decoding specific IP options. They are
** not part of the straight-line decode; they are reached from
** the BRANCH inside option_loop, using the statement names
** listed in the ip_options table.
*/
END_MAIN_PATH
/*
** Statement for options that carry a pointer byte followed by
** data: Record Route (7) and Loose Source Route (131) name it
** in the ip_options table.
** By analogy with the option_loop size expression, the data
** length is presumably opt_length less 3 (type, length and
** pointer bytes).
** NOTE(review): opt_length is not checked before this
** subtraction; what happens when it is below 3 is not visible
** here -- confirm.
*/
GROUP misc_pointer
{
FIELD miscellaneous_pointer (Fixed 1) (Decimal) Pointer
FIELD miscellaneous_data (FromField Bytes opt_length 3) (StringOfHex 6) Data
}
/*
** Generic statement for options shown as raw hex data (codes
** 10, 11, 12, 15 and 82 in the ip_options table). The data
** length is presumably opt_length less 2 (the type and length
** bytes).
** NOTE(review): opt_length is not checked before use; confirm
** the behaviour for values below 2.
*/
FIELD misc_opt (FromField Bytes opt_length 2) (StringOfHex 6)Data
/*
** Statement for the Time Stamp option (68). After the type and
** length bytes come a pointer byte, a flags byte shown in
** binary, and the timestamp data shown as hex. The data length
** is presumably opt_length less 4.
** NOTE(review): opt_length is not checked before use; confirm
** the behaviour for values below 4.
*/
GROUP ts
{
FIELD ts_point (Fixed 1) (Decimal) Pointer
FIELD ts_flags (Fixed 1) (Binary) Flags
FIELD ts_data (FromField Bytes opt_length 4) (StringOfHex 6) "TS Data"
}
/*
** Statement for the Security option (130). One classification
** byte is looked up in sec_TABLE; the rest of the option is
** shown as hex under the tag Flags. The length of that rest is
** presumably opt_length less 3.
** NOTE(review): opt_length is not checked before use; confirm
** the behaviour for values below 3.
*/
GROUP security
{
FIELD sec_class (Fixed 1) (Table sec_TABLE) Classification
FIELD sec_flags (FromField Bytes opt_length 3) (StringOfHex 6) Flags
}
/*
** Statement for the Router Alert option (148). It always reads
** a fixed two-byte value and looks it up in rtr_options; the
** opt_length decoded just before it is not consulted, so an
** option whose stated length disagrees with this fixed layout
** is not flagged here.
*/
GROUP rtr_opt
{
FIELD rtr_opt_data (Fixed 2) (Table rtr_options) "Router Option"
}