One Complete Example

Here we present the decoder for IP version 4 with added commentary to explain what is going on.

Note that the DecoderScript here does not follow every recommendation given in this manual. Many single-word field tags, for example, are written without enclosing quotes. This may serve a useful purpose in reminding you that many of our recommendations are just that and not hard-and-fast rules.

/* Internet Protocol version 4. Copyright 2016 Teledyne LeCroy, Inc. All rights reserved. */

IPv4 0x7f000401

 

/*

** This identifies the next protocol.

*/

NEXT_PROTOCOL (FromField protocol)

/*

** The length for the next protocol is calculated as the

** length of the entire IP packet (decoded as the field

** named tot_length) minus the length of

** the IP header.

*/

NEXT_PROTOCOL_SIZE (ThisLayerLength tot_length)

 

/*

** This is a custom method to handle fragmentation.

*/

FRAME_AFTER_DECODING (IpReconstructFragments a)

 

DECODE

 

/*

** This table is indexed by the IP version number. It

** identifies certain IP variants such as TUBA (TCP and UDP

** with Bigger Addresses). Full decoding of these variants

** is not supported. Basically version 4 is expected.

*/

TABLE ver_nums

{ 0 "Reserved"}

{ 4 "Internet Protocol ver. 4"}

{ 5 "ST" "ST Datagram Mode"}

{ 6 "SIP" "Simple Internet Protocol"}

{ 7 "TP/IX" "The Next Internet"}

{ 8 "PIP" "P Internet Protocol"}

{ 9 "TUBA"}

{ DEFAULT "Unassigned"}

ENDTABLE

 

/*

** This table lists the precedence levels defined for IP.

** The precedence is given by a three-bit field within

** the Type-of-service byte.

*/

TABLE prec

{ 7 "Network Control"}

{ 6 "Internetwork Control"}

{ 5 "CRITIC / ECP"}

{ 4 "Flash Override"}

{ 3 "Flash"}

{ 2 "Immediate"}

{ 1 "Priority"}

{ 0 "Routine"}

ENDTABLE

 

/*

** The table lists the options specified by the Delay

** bit in the Type-of-service byte.

*/

TABLE delay

{ 0 Normal }

{ 1 Low }

ENDTABLE

 

/*

** The table lists a pair of options that pertain to both

** the Throughput and the Reliability bit flags in the

** Type-of-service byte.

*/

TABLE norm_hi

{ 0 Normal }

{ 1 High }

ENDTABLE

 

/*

** The table lists the options specified by the

** may/don't fragment bit in the Flags field.

*/

TABLE df

{ 0 "May Fragment"}

{ 1 "Do not Fragment"}

ENDTABLE

 

/*

** The table lists the options specified by the

** last/more fragment(s) bit in the Flags field.

*/

TABLE mf

{ 0 "Last Fragment"}

{ 1 "More Fragments"}

ENDTABLE

 

/*

** This table lists the next-layer protocol codes.

** Apart from ICMP, GGP, TCP, EGP, IGP and UDP,

** most of these are rarely encountered.

*/

TABLE protocol

{ 0 "IPv6 Hop-by-Hop Option"}

{ 1 "ICMP" "Internet Control Message Protocol"}

{ 2 "IGMP" "Internet Group Management Protocol"}

{ 3 "GGP" "Gateway-to-Gateway Protocol"}

{ 4 "IP in IP (encapsulation)"}

{ 5 "Streaming protocol"}

{ 6 "TCP" "Transmission Control Protocol"}

{ 7 "CBT"}

{ 8 "EGP" "Exterior Gateway Protocol"}

{ 9 "IGP" "Interior Gateway Protocol"}

{ 10 "BBN RCC Monitoring"}

{ 11 "NVP" "Network Voice Protocol"}

{ 12 "PUP"}

{ 13 "ARGUS"}

{ 14 "EMCON"}

{ 15 "Cross Net Debugger"}

{ 16 "Chaos"}

{ 17 "UDP" "User Datagram Protocol"}

{ 18 "Multiplexing"}

{ 19 "DCN Measurement Subsystems"}

{ 20 "HMP" "Host Monitoring Protocol"}

{ 21 "Packet Radio Measurement"}

{ 22 "XEROX NS IDP"}

{ 23 "TRUNK-1"}

{ 24 "TRUNK-2"}

{ 25 "LEAF-1"}

{ 26 "LEAF-2"}

{ 27 "RDP" "Reliable Data Protocol"}

{ 28 "IRTP" "Internet Reliable Transaction"}

{ 29 "ISO Transport Protocol Class 4"}

{ 30 "Bulk Data Transfer Protocol"}

{ 31 "MFE Network Services Protocol"}

{ 32 "MERIT Internodal Protocol"}

{ 33 "SEP" "Sequential Exchange Protocol"}

{ 34 "3PC" "Third Party Connect"}

{ 35 "IDPR" "Inter-Domain Policy Routing Protocol"}

{ 36 "XTP"}

{ 37 "DDP" "Datagram Delivery Protocol"}

{ 38 "IDPR Control Message Transport Protocol"}

{ 39 "TP++ Transport Protocol"}

{ 40 "IL Transport Protocol"}

{ 41 "IP ver6" "Internet Protocol version 6"}

{ 42 "SDRP" "Source Demand Routing Protocol"}

{ 43 "Routing Header for IPv6"}

{ 44 "Fragment Header for IPv6"}

{ 45 "Inter-Domain Routing Protocol"}

{ 46 "Reservation Protocol"}

{ 47 "General Routing Encapsulation"}

{ 48 "Mobile Host Routing Protocol"}

{ 49 "BNA"}

{ 50 "Encap Security Payload for IPv6"}

{ 51 "Authentication Header for IPv6"}

{ 52 "Integrated Net Layer Security"}

{ 53 "IP with Encryption"}

{ 54 "NBMA Address Resolution Protocol"}

{ 55 "IP Mobility"}

{ 56 "Transport Layer Security Protocol"}

{ 57 "SKIP"}

{ 58 "ICMP for IP ver6"}

{ 59 "No Next Header for IP ver6"}

{ 60 "Destination Options for IP ver6"}

{ 61 "Any Host Internal Protocol"}

{ 62 "CFTP"}

{ 63 "any local network"}

{ 64 "SATNET and Backroom EXPAK"}

{ 65 "Kryptolan"}

{ 66 "MIT Remote Virtual Disk Protocol"}

{ 67 "Internet Pluribus Packet Core"}

{ 68 "any distributed file system"}

{ 69 "SATNET Monitoring"}

{ 70 "VISA Protocol"}

{ 71 "Internet Packet Core Utility"}

{ 72 "Computer Protocol Network Executive"}

{ 73 "Computer Protocol Heart Beat"}

{ 74 "Wang Span Network"}

{ 75 "Packet Video Protocol"}

{ 76 "Backroom SATNET Monitoring"}

{ 77 "SUN ND PROTOCOL"}

{ 78 "WIDEBAND Monitoring"}

{ 79 "WIDEBAND EXPAK"}

{ 80 "ISO IP" "ISO Internet Protocol"}

{ 81 "VMTP"}

{ 82 "SECURE-VMTP"}

{ 83 "VINES"}

{ 84 "TTP" }

{ 85 "NSFNET-IGP"}

{ 86 "Dissimilar Gateway Protocol"}

{ 87 "TCF"}

{ 88 "EIGRP"}

{ 89 "OSPF-IGP"}

{ 90 "Sprite RPC Protocol"}

{ 91 "Locus Address Resolution Protocol"}

{ 92 "Multicast Transport Protocol"}

{ 93 "AX.25 Frames"}

{ 94 "IP-within-IP Encapsulation Protocol"}

{ 95 "Mobile Internetworking Control Protocol"}

{ 96 "Semaphore Communications Sec. Protocol"}

{ 97 "Ethernet-within-IP Encapsulation"}

{ 98 "Encapsulation Header"}

{ 99 "Any private encryption scheme"}

{ 100 "GMTP"}

{ 101 "Ipsilon Flow Management Protocol"}

{ 102 "PNNI over IP"}

{ 103 "PIM" "Protocol Independent Multicast"}

{ 104 "ARIS"}

{ 105 "SCPS"}

{ 106 "ONX"}

{ 107 "Active Networks"}

{ 108 "IP Payload Compression Protocol"}

{ 109 "Sitara Networks Protocol"}

{ 110 "Compaq Peer Protocol"}

{ 111 "IPX in IP"}

{ 112 "Virtual Router Redundancy Protocol"}

{ 113 "PGM Reliable Transport Protocol"}

{ 114 "0-hop" "Any 0-hop protocol"}

{ 255 Reserved }

{ Default "???" "Protocol Not Found"}

ENDTABLE

 

/*

** This table lists codes for the IP options that may

** follow the main IP header. Note that this table

** contains names of statements for processing each

** option.

*/

TABLE ip_options

{ 0 "End of List"}

{ 1 "No Operation"}

{ 7 "" "Record Route" 1 misc_pointer}

{ 10 "" "Experimental Measurement" 1 misc_opt}

{ 11 "" "MTU Probe" 1 misc_opt}

{ 12 "" "MTU Reply" 1 misc_opt}

{ 15 "" ENCODE 1 misc_opt}

{ 68 "" "Time Stamp" 1 ts}

{ 82 "" Traceroute 1 misc_opt}

{ 130 "" Security 1 security }

{ 131 "" "Loose Source Route" 1 misc_pointer}

{ 133 "Extended Security"}

{ 134 "Commercial Security"}

{ 136 "Stream ID"}

{ 137 "Strict Source Route"}

{ 142 "Experimental Access Control"}

{ 144 "IMI Traffic Descriptor"}

{ 145 "EIP" }

{ 147 "Address Extension"}

{ 148 "" "Router Alert" 1 rtr_opt}

{ 149 "Selective Directed Broadcast"}

{ 150 "NSAP Addresses"}

{ 205 "Experimental Flow Control"}

{ Default "Unknown IP Option"}

ENDTABLE

 

/*

** This table lists security levels. This is used

** when processing the Security option.

*/

TABLE sec_TABLE

{ 0x00000001 "Reserved 4"}

{ 0x0000003d "Top Secret"}

{ 0x0000005a "Secret"}

{ 0x00000096 "Confidential"}

{ 0x00000066 "Reserved 3"}

{ 0x000000cc "Reserved 2"}

{ 0x000000ab Unclassified }

{ 0x000000f1 "Reserved 1"}

{ Default "Unknown Security Classification"}

ENDTABLE

 

/*

** This table is used in processing the Router Alert

** option.

*/

TABLE rtr_options

{ 0x00000000 "Examine all packets"}

{ Default "Reserved"}

ENDTABLE

 

/*

** The IP header begins with a four-bit field that contains

** the protocol version number. If we find a version below

** 4 then we will have a failed VERIFY resulting in the frame

** being marked in red.

*/

FIELD version (Fixed 4 Bits) (TABLE ver_nums) "Version" VERIFY (FieldIs GreaterThanOrEqualTo 4)

 

/*

** The IHL field contains the IP Header Length as a count of

** 32-bit words. The base header consists of a fixed 5 such

** words, hence the check that this value is at least 5.

** Anything beyond 5 words comprises options.

*/

FIELD ihl (Fixed 4 Bits) (Decimal) IN_SUMMARY IHL 30 "Header Length" VERIFY (FieldIs GreaterThanOrEqualTo 5 ) ALSO (IsNoMoreThanLayerInDwords)

 

/*

** Here we decode the Type Of Service byte. Note that this

** could have been done with a GROUP FIELD. For completeness

** we display the two reserved bits rather than covering them

** up with a RESERVED statement.

*/

GROUP tos "Type of Service"

{

FIELD preced (Fixed 3 Bits) (Binary) ALSO (Table prec) Precedence

FIELD delay (Fixed 1 Bit) (Binary) ALSO (Table delay) Delay

FIELD thru (Fixed 1 Bit) (Binary) ALSO (Table norm_hi) Throughput

FIELD reli (Fixed 1 Bit) (Binary) ALSO (Table norm_hi) Reliability

FIELD reserv (Fixed 2 Bits) (Binary) Reserved

}

 

/*

** This field contains the length of the total IP packet in

** bytes including the IP header. Thus this is the length of

** the IP layer plus all subsequent layers.

*/

FIELD tot_length (Fixed 2 Byte) (Decimal) IN_SUMMARY Length 50 "Total Length"

 

/*

** The ID field contains the packet's serial number. This

** is used for reassembling fragmented packets.

*/

FIELD id (Fixed 2 Byte) (Hex) IN_SUMMARY ID 50 Identification

 

/*

** The Control Flags field contains one unused bit plus two

** bit flags:

** may/don't fragment

** last fragment/more fragments coming

*/

GROUP ctrl_flags "Control Flags"

{

FIELD reser (Fixed 1 Bit) (Binary) Reserved VERIFY (FieldIs EqualTo 0 )

FIELD df (Fixed 1 Bit) (Table df) DF

FIELD mf (Fixed 1 Bit) (Table mf) MF

}

 

/*

** For a fragment, this field contains the offset of its

** starting point within the full packet.

*/

FIELD offset (Fixed 13 Bits) (Decimal) "Fragment Offset"

 

/*

** The Time-To-Live field contains the number of seconds

** before a router should discard the packet.

*/

FIELD ttl (Fixed 1) (Decimal) IN_SUMMARY Time 40 "Time to live sec."

 

/*

** This field contains a code that identifies the next-layer

** protocol. Note that we verify that the code is present

** in our table of protocols.

*/

FIELD protocol (Fixed 1) (Table protocol) IN_SUMMARY Protocol 100 Protocol VERIFY (IsInTable protocol)

/*

** Next comes a 16-bit checksum on the header so far, that is

** 10 bytes worth.

*/

FIELD chksum (Fixed 2 Byte) (Hex) IN_SUMMARY Checksum 65 "Header Checksum" VERIFY (IpChecksum ihl)

 

/*

** The source and destination addresses of the packet are

** decoded here. These are formatted in dot-quad notation

** (e.g. "64.147.250.27"). Note that the addresses are stored

** in intra-frame (within the current frame only) data

** so that they can be used in the Summary pane for other protocols,

** such as HTTP.

*/

FIELD src_addr (Fixed 4 Byte) RETRIEVE (StoreIntraframeField source_ip_address) (IPAddress) IN_SUMMARY Source 90 "Source Address"

 

FIELD dest_addr (Fixed 4 Byte) RETRIEVE (StoreIntraframeField destination_ip_address) (IPAddress) IN_SUMMARY Destination 90 "Destination Address"

 

/*

** Here we have a loop to process any IP options.

** The option_loop GROUP is repeated until all the header

** data is processed (i.e. the count of doublewords in IHL

** minus 5).

*/

GROUP option_loop IF (FieldIs GreaterThan 5 ihl) REPEAT SIZE (FromField DWords ihl 5)

{

/*

** Here's a good use of a GROUP FIELD to decode and display

** the option type.

*/

GROUP FIELD ip_opt_type (Fixed 1) (Table ip_options) "IP Option"

{

/*

** Most options include a one-byte length field.

** The extra data in the options table indicates

** whether this should be present or not.

*/

FIELD opt_length (Fixed 1) IF (MatchTableData ip_options ip_opt_type 1) (Decimal) "Option length"

 

/*

** We branch to option-specific code

** for the rest of the job.

*/

BRANCH (FromTable ip_options ip_opt_type)

}

}

 

/*

** The following two fields deal with the possibility

** that the frame is fragmented.

*/

FIELD set_fragmentation (Fixed 0) PROCESSING (IpSetFragmentation a mf offset src_addr dest_addr decoder ID set_fragmentation) (Decimal) SUPPRESS_DETAIL

 

FIELD consume_fragment (ToEndOfLayer) IF (IpWholePayloadNotAvailable a) (Constant "Decode is in another frame") "Payload is fragmented"

 

/*

** Here ends the main path of this decoder. The statements

** that follow are for decoding specific IP options and

** we have not commented them.

*/

END_MAIN_PATH

 

GROUP misc_pointer

{

FIELD miscellaneous_pointer (Fixed 1) (Decimal) Pointer

FIELD miscellaneous_data (FromField Bytes opt_length 3) (StringOfHex 6) Data

}

 

FIELD misc_opt (FromField Bytes opt_length 2) (StringOfHex 6) Data

 

GROUP ts

{

FIELD ts_point (Fixed 1) (Decimal) Pointer

 

FIELD ts_flags (Fixed 1) (Binary) Flags

 

FIELD ts_data (FromField Bytes opt_length 4) (StringOfHex 6) "TS Data"

}

 

GROUP security

{

FIELD sec_class (Fixed 1) (Table sec_TABLE) Classification

 

FIELD sec_flags (FromField Bytes opt_length 3) (StringOfHex 6) Flags

}

 

GROUP rtr_opt

{

FIELD rtr_opt_data (Fixed 2) (Table rtr_options) "Router Option"

}
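
The following Python sketch is an added example, not part of the decoder or of the product: it applies the same VERIFY conditions and size rules that the script above states (version, IHL bounds, reserved flag bit, header checksum, the option loop) to raw bytes, so you can see which malformed headers they catch. The function names, result keys and the sample packet are assumptions made for illustration; the set of options with a length byte is taken from the ip_options table on this page.

```python
import struct

# Option types whose ip_options entry carries the extra data "1" (length byte present).
OPTS_WITH_LENGTH = {7, 10, 11, 12, 15, 68, 82, 130, 131, 148}

def ip_checksum(header: bytes) -> int:
    """Complemented one's-complement sum of 16-bit words; 0 over a valid header."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def check_ipv4(layer: bytes) -> dict:
    """Apply the decoder's VERIFY conditions and size rules to one IPv4 layer."""
    if len(layer) < 20:
        return {"errors": ["layer shorter than the fixed 5-word header"]}
    version, ihl = layer[0] >> 4, layer[0] & 0x0F
    tot_length, _ident, flags_off = struct.unpack("!HHH", layer[2:8])
    errors = ["version below 4"] if version < 4 else []
    if ihl < 5 or ihl * 4 > len(layer):       # FieldIs >= 5, IsNoMoreThanLayerInDwords
        return {"errors": errors + ["ihl outside 5..layer size"]}
    if flags_off & 0x8000:                     # reserved control flag must be 0
        errors.append("reserved flag bit set")
    if ip_checksum(layer[:ihl * 4]) != 0:      # IpChecksum ihl
        errors.append("header checksum mismatch")
    if tot_length < ihl * 4:                   # extra check, not a VERIFY in the script
        errors.append("total length smaller than header")
    options, pos, end = [], 20, ihl * 4
    while pos < end:                           # option_loop: (ihl - 5) doublewords
        opt, size = layer[pos], 1
        if opt in OPTS_WITH_LENGTH:
            size = layer[pos + 1] if pos + 1 < end else 0
            if size < 2 or pos + size > end:   # must cover type+length and stay in header
                errors.append(f"option {opt} length invalid")
                break
        options.append((opt, size))
        pos += size
    return {"errors": errors, "options": options, "more_fragments": bool(flags_off & 0x2000),
            "offset": flags_off & 0x1FFF, "next_size": tot_length - ihl * 4}

def sample_layer() -> bytes:
    """Constructed sample: 6-word header with a Router Alert option, 8 payload bytes."""
    head = bytearray(struct.pack("!BBHHHBBH4s4s4s", 0x46, 0, 32, 0x1234, 0x4000, 64, 17, 0,
                                 bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]), bytes([148, 4, 0, 0])))
    head[10:12] = struct.pack("!H", ip_checksum(bytes(head)))
    return bytes(head) + b"\x00" * 8

if __name__ == "__main__":
    print(check_ipv4(sample_layer()))
```

The next_size value corresponds to NEXT_PROTOCOL_SIZE (tot_length minus the header length). Option types without a length flag in the table are stepped over as single bytes, which mirrors this script rather than every option's real encoding.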