1 /*- 2 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997 3 * The Regents of the University of California. All rights reserved. 4 * 5 * This code is derived from the Stanford/CMU enet packet filter, 6 * (net/enet.c) distributed as part of 4.3BSD, and code contributed 7 * to Berkeley by Steven McCanne and Van Jacobson both of Lawrence 8 * Berkeley Laboratory. 9 * 10 * Redistribution and use in source and binary forms, with or without 11 * modification, are permitted provided that the following conditions 12 * are met: 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 3. All advertising materials mentioning features or use of this software 19 * must display the following acknowledgement: 20 * This product includes software developed by the University of 21 * California, Berkeley and its contributors. 22 * 4. Neither the name of the University nor the names of its contributors 23 * may be used to endorse or promote products derived from this software 24 * without specific prior written permission. 25 * 26 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 27 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 28 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 29 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 30 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 31 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 32 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 33 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 34 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 35 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 36 * SUCH DAMAGE. 37 * 38 * @(#)bpf.h 7.1 (Berkeley) 5/7/91 39 */ 40 41 /* 42 * This is libpcap's cut-down version of bpf.h; it includes only 43 * the stuff needed for the code generator and the userland BPF 44 * interpreter, and the libpcap APIs for setting filters, etc.. 45 * 46 * "pcap-bpf.c" will include the native OS version, as it deals with 47 * the OS's BPF implementation. 48 * 49 * At least two programs found by Google Code Search explicitly includes 50 * <pcap/bpf.h> (even though <pcap.h>/<pcap/pcap.h> includes it for you), 51 * so moving that stuff to <pcap/pcap.h> would break the build for some 52 * programs. 53 */ 54 55 /* 56 * If we've already included <net/bpf.h>, don't re-define this stuff. 57 * We assume BSD-style multiple-include protection in <net/bpf.h>, 58 * which is true of all but the oldest versions of FreeBSD and NetBSD, 59 * or Tru64 UNIX-style multiple-include protection (or, at least, 60 * Tru64 UNIX 5.x-style; I don't have earlier versions available to check), 61 * or AIX-style multiple-include protection (or, at least, AIX 5.x-style; 62 * I don't have earlier versions available to check), or QNX-style 63 * multiple-include protection (as per GitHub pull request #394). 64 * 65 * We do not check for BPF_MAJOR_VERSION, as that's defined by 66 * <linux/filter.h>, which is directly or indirectly included in some 67 * programs that also include pcap.h, and <linux/filter.h> doesn't 68 * define stuff we need. 69 * 70 * This also provides our own multiple-include protection. 71 */ 72 #if !defined(_NET_BPF_H_) && !defined(_NET_BPF_H_INCLUDED) && !defined(_BPF_H_) && !defined(_H_BPF) && !defined(lib_pcap_bpf_h) 73 #define lib_pcap_bpf_h 74 75 #ifdef __cplusplus 76 extern "C" { 77 #endif 78 79 /* BSD style release date */ 80 #define BPF_RELEASE 199606 81 82 #ifdef MSDOS /* must be 32-bit */ 83 typedef long bpf_int32; 84 typedef unsigned long bpf_u_int32; 85 #else 86 typedef int bpf_int32; 87 typedef u_int bpf_u_int32; 88 #endif 89 90 /* 91 * Alignment macros. BPF_WORDALIGN rounds up to the next 92 * even multiple of BPF_ALIGNMENT. 93 * 94 * Tcpdump's print-pflog.c uses this, so we define it here. 95 */ 96 #ifndef __NetBSD__ 97 #define BPF_ALIGNMENT sizeof(bpf_int32) 98 #else 99 #define BPF_ALIGNMENT sizeof(long) 100 #endif 101 #define BPF_WORDALIGN(x) (((x)+(BPF_ALIGNMENT-1))&~(BPF_ALIGNMENT-1)) 102 103 /* 104 * Structure for "pcap_compile()", "pcap_setfilter()", etc.. 105 */ 106 struct bpf_program { 107 u_int bf_len; 108 struct bpf_insn *bf_insns; 109 }; 110 111 /* 112 * Link-layer header type codes. 113 * 114 * Do *NOT* add new values to this list without asking 115 * "tcpdump-workers (at) lists.tcpdump.org" for a value. Otherwise, you run 116 * the risk of using a value that's already being used for some other 117 * purpose, and of having tools that read libpcap-format captures not 118 * being able to handle captures with your new DLT_ value, with no hope 119 * that they will ever be changed to do so (as that would destroy their 120 * ability to read captures using that value for that other purpose). 121 * 122 * See 123 * 124 * http://www.tcpdump.org/linktypes.html 125 * 126 * for detailed descriptions of some of these link-layer header types. 127 */ 128 129 /* 130 * These are the types that are the same on all platforms, and that 131 * have been defined by <net/bpf.h> for ages. 132 */ 133 #define DLT_NULL 0 /* BSD loopback encapsulation */ 134 #define DLT_EN10MB 1 /* Ethernet (10Mb) */ 135 #define DLT_EN3MB 2 /* Experimental Ethernet (3Mb) */ 136 #define DLT_AX25 3 /* Amateur Radio AX.25 */ 137 #define DLT_PRONET 4 /* Proteon ProNET Token Ring */ 138 #define DLT_CHAOS 5 /* Chaos */ 139 #define DLT_IEEE802 6 /* 802.5 Token Ring */ 140 #define DLT_ARCNET 7 /* ARCNET, with BSD-style header */ 141 #define DLT_SLIP 8 /* Serial Line IP */ 142 #define DLT_PPP 9 /* Point-to-point Protocol */ 143 #define DLT_FDDI 10 /* FDDI */ 144 145 /* 146 * These are types that are different on some platforms, and that 147 * have been defined by <net/bpf.h> for ages. We use #ifdefs to 148 * detect the BSDs that define them differently from the traditional 149 * libpcap <net/bpf.h> 150 * 151 * XXX - DLT_ATM_RFC1483 is 13 in BSD/OS, and DLT_RAW is 14 in BSD/OS, 152 * but I don't know what the right #define is for BSD/OS. 153 */ 154 #define DLT_ATM_RFC1483 11 /* LLC-encapsulated ATM */ 155 156 #ifdef __OpenBSD__ 157 #define DLT_RAW 14 /* raw IP */ 158 #else 159 #define DLT_RAW 12 /* raw IP */ 160 #endif 161 162 /* 163 * Given that the only OS that currently generates BSD/OS SLIP or PPP 164 * is, well, BSD/OS, arguably everybody should have chosen its values 165 * for DLT_SLIP_BSDOS and DLT_PPP_BSDOS, which are 15 and 16, but they 166 * didn't. So it goes. 167 */ 168 #if defined(__NetBSD__) || defined(__FreeBSD__) 169 #ifndef DLT_SLIP_BSDOS 170 #define DLT_SLIP_BSDOS 13 /* BSD/OS Serial Line IP */ 171 #define DLT_PPP_BSDOS 14 /* BSD/OS Point-to-point Protocol */ 172 #endif 173 #else 174 #define DLT_SLIP_BSDOS 15 /* BSD/OS Serial Line IP */ 175 #define DLT_PPP_BSDOS 16 /* BSD/OS Point-to-point Protocol */ 176 #endif 177 178 /* 179 * 17 was used for DLT_PFLOG in OpenBSD; it no longer is. 180 * 181 * It was DLT_LANE8023 in SuSE 6.3, so we defined LINKTYPE_PFLOG 182 * as 117 so that pflog captures would use a link-layer header type 183 * value that didn't collide with any other values. On all 184 * platforms other than OpenBSD, we defined DLT_PFLOG as 117, 185 * and we mapped between LINKTYPE_PFLOG and DLT_PFLOG. 186 * 187 * OpenBSD eventually switched to using 117 for DLT_PFLOG as well. 188 * 189 * Don't use 17 for anything else. 190 */ 191 192 /* 193 * 18 is used for DLT_PFSYNC in OpenBSD, NetBSD, DragonFly BSD and 194 * Mac OS X; don't use it for anything else. (FreeBSD uses 121, 195 * which collides with DLT_HHDLC, even though it doesn't use 18 196 * for anything and doesn't appear to have ever used it for anything.) 197 * 198 * We define it as 18 on those platforms; it is, unfortunately, used 199 * for DLT_CIP in Suse 6.3, so we don't define it as DLT_PFSYNC 200 * in general. As the packet format for it, like that for 201 * DLT_PFLOG, is not only OS-dependent but OS-version-dependent, 202 * we don't support printing it in tcpdump except on OSes that 203 * have the relevant header files, so it's not that useful on 204 * other platforms. 205 */ 206 #if defined(__OpenBSD__) || defined(__NetBSD__) || defined(__DragonFly__) || defined(__APPLE__) 207 #define DLT_PFSYNC 18 208 #endif 209 210 #define DLT_ATM_CLIP 19 /* Linux Classical-IP over ATM */ 211 212 /* 213 * Apparently Redback uses this for its SmartEdge 400/800. I hope 214 * nobody else decided to use it, too. 215 */ 216 #define DLT_REDBACK_SMARTEDGE 32 217 218 /* 219 * These values are defined by NetBSD; other platforms should refrain from 220 * using them for other purposes, so that NetBSD savefiles with link 221 * types of 50 or 51 can be read as this type on all platforms. 222 */ 223 #define DLT_PPP_SERIAL 50 /* PPP over serial with HDLC encapsulation */ 224 #define DLT_PPP_ETHER 51 /* PPP over Ethernet */ 225 226 /* 227 * The Axent Raptor firewall - now the Symantec Enterprise Firewall - uses 228 * a link-layer type of 99 for the tcpdump it supplies. The link-layer 229 * header has 6 bytes of unknown data, something that appears to be an 230 * Ethernet type, and 36 bytes that appear to be 0 in at least one capture 231 * I've seen. 232 */ 233 #define DLT_SYMANTEC_FIREWALL 99 234 235 /* 236 * Values between 100 and 103 are used in capture file headers as 237 * link-layer header type LINKTYPE_ values corresponding to DLT_ types 238 * that differ between platforms; don't use those values for new DLT_ 239 * new types. 240 */ 241 242 /* 243 * Values starting with 104 are used for newly-assigned link-layer 244 * header type values; for those link-layer header types, the DLT_ 245 * value returned by pcap_datalink() and passed to pcap_open_dead(), 246 * and the LINKTYPE_ value that appears in capture files, are the 247 * same. 248 * 249 * DLT_MATCHING_MIN is the lowest such value; DLT_MATCHING_MAX is 250 * the highest such value. 251 */ 252 #define DLT_MATCHING_MIN 104 253 254 /* 255 * This value was defined by libpcap 0.5; platforms that have defined 256 * it with a different value should define it here with that value - 257 * a link type of 104 in a save file will be mapped to DLT_C_HDLC, 258 * whatever value that happens to be, so programs will correctly 259 * handle files with that link type regardless of the value of 260 * DLT_C_HDLC. 261 * 262 * The name DLT_C_HDLC was used by BSD/OS; we use that name for source 263 * compatibility with programs written for BSD/OS. 264 * 265 * libpcap 0.5 defined it as DLT_CHDLC; we define DLT_CHDLC as well, 266 * for source compatibility with programs written for libpcap 0.5. 267 */ 268 #define DLT_C_HDLC 104 /* Cisco HDLC */ 269 #define DLT_CHDLC DLT_C_HDLC 270 271 #define DLT_IEEE802_11 105 /* IEEE 802.11 wireless */ 272 273 /* 274 * 106 is reserved for Linux Classical IP over ATM; it's like DLT_RAW, 275 * except when it isn't. (I.e., sometimes it's just raw IP, and 276 * sometimes it isn't.) We currently handle it as DLT_LINUX_SLL, 277 * so that we don't have to worry about the link-layer header.) 278 */ 279 280 /* 281 * Frame Relay; BSD/OS has a DLT_FR with a value of 11, but that collides 282 * with other values. 283 * DLT_FR and DLT_FRELAY packets start with the Q.922 Frame Relay header 284 * (DLCI, etc.). 285 */ 286 #define DLT_FRELAY 107 287 288 /* 289 * OpenBSD DLT_LOOP, for loopback devices; it's like DLT_NULL, except 290 * that the AF_ type in the link-layer header is in network byte order. 291 * 292 * DLT_LOOP is 12 in OpenBSD, but that's DLT_RAW in other OSes, so 293 * we don't use 12 for it in OSes other than OpenBSD. 294 */ 295 #ifdef __OpenBSD__ 296 #define DLT_LOOP 12 297 #else 298 #define DLT_LOOP 108 299 #endif 300 301 /* 302 * Encapsulated packets for IPsec; DLT_ENC is 13 in OpenBSD, but that's 303 * DLT_SLIP_BSDOS in NetBSD, so we don't use 13 for it in OSes other 304 * than OpenBSD. 305 */ 306 #ifdef __OpenBSD__ 307 #define DLT_ENC 13 308 #else 309 #define DLT_ENC 109 310 #endif 311 312 /* 313 * Values between 110 and 112 are reserved for use in capture file headers 314 * as link-layer types corresponding to DLT_ types that might differ 315 * between platforms; don't use those values for new DLT_ types 316 * other than the corresponding DLT_ types. 317 */ 318 319 /* 320 * This is for Linux cooked sockets. 321 */ 322 #define DLT_LINUX_SLL 113 323 324 /* 325 * Apple LocalTalk hardware. 326 */ 327 #define DLT_LTALK 114 328 329 /* 330 * Acorn Econet. 331 */ 332 #define DLT_ECONET 115 333 334 /* 335 * Reserved for use with OpenBSD ipfilter. 336 */ 337 #define DLT_IPFILTER 116 338 339 /* 340 * OpenBSD DLT_PFLOG. 341 */ 342 #define DLT_PFLOG 117 343 344 /* 345 * Registered for Cisco-internal use. 346 */ 347 #define DLT_CISCO_IOS 118 348 349 /* 350 * For 802.11 cards using the Prism II chips, with a link-layer 351 * header including Prism monitor mode information plus an 802.11 352 * header. 353 */ 354 #define DLT_PRISM_HEADER 119 355 356 /* 357 * Reserved for Aironet 802.11 cards, with an Aironet link-layer header 358 * (see Doug Ambrisko's FreeBSD patches). 359 */ 360 #define DLT_AIRONET_HEADER 120 361 362 /* 363 * Sigh. 364 * 365 * This was reserved for Siemens HiPath HDLC on 2002-01-25, as 366 * requested by Tomas Kukosa. 367 * 368 * On 2004-02-25, a FreeBSD checkin to sys/net/bpf.h was made that 369 * assigned 121 as DLT_PFSYNC. Its libpcap does DLT_ <-> LINKTYPE_ 370 * mapping, so it probably supports capturing on the pfsync device 371 * but not saving the captured data to a pcap file. 372 * 373 * OpenBSD, from which pf came, however, uses 18 for DLT_PFSYNC; 374 * their libpcap does no DLT_ <-> LINKTYPE_ mapping, so it would 375 * use 18 in pcap files as well. 376 * 377 * NetBSD and DragonFly BSD also use 18 for DLT_PFSYNC; their 378 * libpcaps do DLT_ <-> LINKTYPE_ mapping, and neither has an entry 379 * for DLT_PFSYNC, so it might not be able to write out dump files 380 * with 18 as the link-layer header type. (Earlier versions might 381 * not have done mapping, in which case they'd work the same way 382 * OpenBSD does.) 383 * 384 * Mac OS X defines it as 18, but doesn't appear to use it as of 385 * Mac OS X 10.7.3. Its libpcap does DLT_ <-> LINKTYPE_ mapping. 386 * 387 * We'll define DLT_PFSYNC as 121 on FreeBSD and define it as 18 on 388 * all other platforms. We'll define DLT_HHDLC as 121 on everything 389 * except for FreeBSD; anybody who wants to compile, on FreeBSD, code 390 * that uses DLT_HHDLC is out of luck. 391 * 392 * We'll define LINKTYPE_PFSYNC as 18, *even on FreeBSD*, and map 393 * it, so that savefiles won't use 121 for PFSYNC - they'll all 394 * use 18. Code that uses pcap_datalink() to determine the link-layer 395 * header type of a savefile won't, when built and run on FreeBSD, 396 * be able to distinguish between LINKTYPE_PFSYNC and LINKTYPE_HHDLC 397 * capture files; code that doesn't, such as the code in Wireshark, 398 * will be able to distinguish between them. 399 */ 400 #ifdef __FreeBSD__ 401 #define DLT_PFSYNC 121 402 #else 403 #define DLT_HHDLC 121 404 #endif 405 406 /* 407 * This is for RFC 2625 IP-over-Fibre Channel. 408 * 409 * This is not for use with raw Fibre Channel, where the link-layer 410 * header starts with a Fibre Channel frame header; it's for IP-over-FC, 411 * where the link-layer header starts with an RFC 2625 Network_Header 412 * field. 413 */ 414 #define DLT_IP_OVER_FC 122 415 416 /* 417 * This is for Full Frontal ATM on Solaris with SunATM, with a 418 * pseudo-header followed by an AALn PDU. 419 * 420 * There may be other forms of Full Frontal ATM on other OSes, 421 * with different pseudo-headers. 422 * 423 * If ATM software returns a pseudo-header with VPI/VCI information 424 * (and, ideally, packet type information, e.g. signalling, ILMI, 425 * LANE, LLC-multiplexed traffic, etc.), it should not use 426 * DLT_ATM_RFC1483, but should get a new DLT_ value, so tcpdump 427 * and the like don't have to infer the presence or absence of a 428 * pseudo-header and the form of the pseudo-header. 429 */ 430 #define DLT_SUNATM 123 /* Solaris+SunATM */ 431 432 /* 433 * Reserved as per request from Kent Dahlgren <kent (at) praesum.com> 434 * for private use. 435 */ 436 #define DLT_RIO 124 /* RapidIO */ 437 #define DLT_PCI_EXP 125 /* PCI Express */ 438 #define DLT_AURORA 126 /* Xilinx Aurora link layer */ 439 440 /* 441 * Header for 802.11 plus a number of bits of link-layer information 442 * including radio information, used by some recent BSD drivers as 443 * well as the madwifi Atheros driver for Linux. 444 */ 445 #define DLT_IEEE802_11_RADIO 127 /* 802.11 plus radiotap radio header */ 446 447 /* 448 * Reserved for the TZSP encapsulation, as per request from 449 * Chris Waters <chris.waters (at) networkchemistry.com> 450 * TZSP is a generic encapsulation for any other link type, 451 * which includes a means to include meta-information 452 * with the packet, e.g. signal strength and channel 453 * for 802.11 packets. 454 */ 455 #define DLT_TZSP 128 /* Tazmen Sniffer Protocol */ 456 457 /* 458 * BSD's ARCNET headers have the source host, destination host, 459 * and type at the beginning of the packet; that's what's handed 460 * up to userland via BPF. 461 * 462 * Linux's ARCNET headers, however, have a 2-byte offset field 463 * between the host IDs and the type; that's what's handed up 464 * to userland via PF_PACKET sockets. 465 * 466 * We therefore have to have separate DLT_ values for them. 467 */ 468 #define DLT_ARCNET_LINUX 129 /* ARCNET */ 469 470 /* 471 * Juniper-private data link types, as per request from 472 * Hannes Gredler <hannes (at) juniper.net>. The DLT_s are used 473 * for passing on chassis-internal metainformation such as 474 * QOS profiles, etc.. 475 */ 476 #define DLT_JUNIPER_MLPPP 130 477 #define DLT_JUNIPER_MLFR 131 478 #define DLT_JUNIPER_ES 132 479 #define DLT_JUNIPER_GGSN 133 480 #define DLT_JUNIPER_MFR 134 481 #define DLT_JUNIPER_ATM2 135 482 #define DLT_JUNIPER_SERVICES 136 483 #define DLT_JUNIPER_ATM1 137 484 485 /* 486 * Apple IP-over-IEEE 1394, as per a request from Dieter Siegmund 487 * <dieter (at) apple.com>. The header that's presented is an Ethernet-like 488 * header: 489 * 490 * #define FIREWIRE_EUI64_LEN 8 491 * struct firewire_header { 492 * u_char firewire_dhost[FIREWIRE_EUI64_LEN]; 493 * u_char firewire_shost[FIREWIRE_EUI64_LEN]; 494 * u_short firewire_type; 495 * }; 496 * 497 * with "firewire_type" being an Ethernet type value, rather than, 498 * for example, raw GASP frames being handed up. 499 */ 500 #define DLT_APPLE_IP_OVER_IEEE1394 138 501 502 /* 503 * Various SS7 encapsulations, as per a request from Jeff Morriss 504 * <jeff.morriss[AT]ulticom.com> and subsequent discussions. 505 */ 506 #define DLT_MTP2_WITH_PHDR 139 /* pseudo-header with various info, followed by MTP2 */ 507 #define DLT_MTP2 140 /* MTP2, without pseudo-header */ 508 #define DLT_MTP3 141 /* MTP3, without pseudo-header or MTP2 */ 509 #define DLT_SCCP 142 /* SCCP, without pseudo-header or MTP2 or MTP3 */ 510 511 /* 512 * DOCSIS MAC frames. 513 */ 514 #define DLT_DOCSIS 143 515 516 /* 517 * Linux-IrDA packets. Protocol defined at http://www.irda.org. 518 * Those packets include IrLAP headers and above (IrLMP...), but 519 * don't include Phy framing (SOF/EOF/CRC & byte stuffing), because Phy 520 * framing can be handled by the hardware and depend on the bitrate. 521 * This is exactly the format you would get capturing on a Linux-IrDA 522 * interface (irdaX), but not on a raw serial port. 523 * Note the capture is done in "Linux-cooked" mode, so each packet include 524 * a fake packet header (struct sll_header). This is because IrDA packet 525 * decoding is dependant on the direction of the packet (incomming or 526 * outgoing). 527 * When/if other platform implement IrDA capture, we may revisit the 528 * issue and define a real DLT_IRDA... 529 * Jean II 530 */ 531 #define DLT_LINUX_IRDA 144 532 533 /* 534 * Reserved for IBM SP switch and IBM Next Federation switch. 535 */ 536 #define DLT_IBM_SP 145 537 #define DLT_IBM_SN 146 538 539 /* 540 * Reserved for private use. If you have some link-layer header type 541 * that you want to use within your organization, with the capture files 542 * using that link-layer header type not ever be sent outside your 543 * organization, you can use these values. 544 * 545 * No libpcap release will use these for any purpose, nor will any 546 * tcpdump release use them, either. 547 * 548 * Do *NOT* use these in capture files that you expect anybody not using 549 * your private versions of capture-file-reading tools to read; in 550 * particular, do *NOT* use them in products, otherwise you may find that 551 * people won't be able to use tcpdump, or snort, or Ethereal, or... to 552 * read capture files from your firewall/intrusion detection/traffic 553 * monitoring/etc. appliance, or whatever product uses that DLT_ value, 554 * and you may also find that the developers of those applications will 555 * not accept patches to let them read those files. 556 * 557 * Also, do not use them if somebody might send you a capture using them 558 * for *their* private type and tools using them for *your* private type 559 * would have to read them. 560 * 561 * Instead, ask "tcpdump-workers (at) lists.tcpdump.org" for a new DLT_ value, 562 * as per the comment above, and use the type you're given. 563 */ 564 #define DLT_USER0 147 565 #define DLT_USER1 148 566 #define DLT_USER2 149 567 #define DLT_USER3 150 568 #define DLT_USER4 151 569 #define DLT_USER5 152 570 #define DLT_USER6 153 571 #define DLT_USER7 154 572 #define DLT_USER8 155 573 #define DLT_USER9 156 574 #define DLT_USER10 157 575 #define DLT_USER11 158 576 #define DLT_USER12 159 577 #define DLT_USER13 160 578 #define DLT_USER14 161 579 #define DLT_USER15 162 580 581 /* 582 * For future use with 802.11 captures - defined by AbsoluteValue 583 * Systems to store a number of bits of link-layer information 584 * including radio information: 585 * 586 * http://www.shaftnet.org/~pizza/software/capturefrm.txt 587 * 588 * but it might be used by some non-AVS drivers now or in the 589 * future. 590 */ 591 #define DLT_IEEE802_11_RADIO_AVS 163 /* 802.11 plus AVS radio header */ 592 593 /* 594 * Juniper-private data link type, as per request from 595 * Hannes Gredler <hannes (at) juniper.net>. The DLT_s are used 596 * for passing on chassis-internal metainformation such as 597 * QOS profiles, etc.. 598 */ 599 #define DLT_JUNIPER_MONITOR 164 600 601 /* 602 * BACnet MS/TP frames. 603 */ 604 #define DLT_BACNET_MS_TP 165 605 606 /* 607 * Another PPP variant as per request from Karsten Keil <kkeil (at) suse.de>. 608 * 609 * This is used in some OSes to allow a kernel socket filter to distinguish 610 * between incoming and outgoing packets, on a socket intended to 611 * supply pppd with outgoing packets so it can do dial-on-demand and 612 * hangup-on-lack-of-demand; incoming packets are filtered out so they 613 * don't cause pppd to hold the connection up (you don't want random 614 * input packets such as port scans, packets from old lost connections, 615 * etc. to force the connection to stay up). 616 * 617 * The first byte of the PPP header (0xff03) is modified to accomodate 618 * the direction - 0x00 = IN, 0x01 = OUT. 619 */ 620 #define DLT_PPP_PPPD 166 621 622 /* 623 * Names for backwards compatibility with older versions of some PPP 624 * software; new software should use DLT_PPP_PPPD. 625 */ 626 #define DLT_PPP_WITH_DIRECTION DLT_PPP_PPPD 627 #define DLT_LINUX_PPP_WITHDIRECTION DLT_PPP_PPPD 628 629 /* 630 * Juniper-private data link type, as per request from 631 * Hannes Gredler <hannes (at) juniper.net>. The DLT_s are used 632 * for passing on chassis-internal metainformation such as 633 * QOS profiles, cookies, etc.. 634 */ 635 #define DLT_JUNIPER_PPPOE 167 636 #define DLT_JUNIPER_PPPOE_ATM 168 637 638 #define DLT_GPRS_LLC 169 /* GPRS LLC */ 639 #define DLT_GPF_T 170 /* GPF-T (ITU-T G.7041/Y.1303) */ 640 #define DLT_GPF_F 171 /* GPF-F (ITU-T G.7041/Y.1303) */ 641 642 /* 643 * Requested by Oolan Zimmer <oz (at) gcom.com> for use in Gcom's T1/E1 line 644 * monitoring equipment. 645 */ 646 #define DLT_GCOM_T1E1 172 647 #define DLT_GCOM_SERIAL 173 648 649 /* 650 * Juniper-private data link type, as per request from 651 * Hannes Gredler <hannes (at) juniper.net>. The DLT_ is used 652 * for internal communication to Physical Interface Cards (PIC) 653 */ 654 #define DLT_JUNIPER_PIC_PEER 174 655 656 /* 657 * Link types requested by Gregor Maier <gregor (at) endace.com> of Endace 658 * Measurement Systems. They add an ERF header (see 659 * http://www.endace.com/support/EndaceRecordFormat.pdf) in front of 660 * the link-layer header. 661 */ 662 #define DLT_ERF_ETH 175 /* Ethernet */ 663 #define DLT_ERF_POS 176 /* Packet-over-SONET */ 664 665 /* 666 * Requested by Daniele Orlandi <daniele (at) orlandi.com> for raw LAPD 667 * for vISDN (http://www.orlandi.com/visdn/). Its link-layer header 668 * includes additional information before the LAPD header, so it's 669 * not necessarily a generic LAPD header. 670 */ 671 #define DLT_LINUX_LAPD 177 672 673 /* 674 * Juniper-private data link type, as per request from 675 * Hannes Gredler <hannes (at) juniper.net>. 676 * The DLT_ are used for prepending meta-information 677 * like interface index, interface name 678 * before standard Ethernet, PPP, Frelay & C-HDLC Frames 679 */ 680 #define DLT_JUNIPER_ETHER 178 681 #define DLT_JUNIPER_PPP 179 682 #define DLT_JUNIPER_FRELAY 180 683 #define DLT_JUNIPER_CHDLC 181 684 685 /* 686 * Multi Link Frame Relay (FRF.16) 687 */ 688 #define DLT_MFR 182 689 690 /* 691 * Juniper-private data link type, as per request from 692 * Hannes Gredler <hannes (at) juniper.net>. 693 * The DLT_ is used for internal communication with a 694 * voice Adapter Card (PIC) 695 */ 696 #define DLT_JUNIPER_VP 183 697 698 /* 699 * Arinc 429 frames. 700 * DLT_ requested by Gianluca Varenni <gianluca.varenni (at) cacetech.com>. 701 * Every frame contains a 32bit A429 label. 702 * More documentation on Arinc 429 can be found at 703 * http://www.condoreng.com/support/downloads/tutorials/ARINCTutorial.pdf 704 */ 705 #define DLT_A429 184 706 707 /* 708 * Arinc 653 Interpartition Communication messages. 709 * DLT_ requested by Gianluca Varenni <gianluca.varenni (at) cacetech.com>. 710 * Please refer to the A653-1 standard for more information. 711 */ 712 #define DLT_A653_ICM 185 713 714 /* 715 * USB packets, beginning with a USB setup header; requested by 716 * Paolo Abeni <paolo.abeni (at) email.it>. 717 */ 718 #define DLT_USB 186 719 720 /* 721 * Bluetooth HCI UART transport layer (part H:4); requested by 722 * Paolo Abeni. 723 */ 724 #define DLT_BLUETOOTH_HCI_H4 187 725 726 /* 727 * IEEE 802.16 MAC Common Part Sublayer; requested by Maria Cruz 728 * <cruz_petagay (at) bah.com>. 729 */ 730 #define DLT_IEEE802_16_MAC_CPS 188 731 732 /* 733 * USB packets, beginning with a Linux USB header; requested by 734 * Paolo Abeni <paolo.abeni (at) email.it>. 735 */ 736 #define DLT_USB_LINUX 189 737 738 /* 739 * Controller Area Network (CAN) v. 2.0B packets. 740 * DLT_ requested by Gianluca Varenni <gianluca.varenni (at) cacetech.com>. 741 * Used to dump CAN packets coming from a CAN Vector board. 742 * More documentation on the CAN v2.0B frames can be found at 743 * http://www.can-cia.org/downloads/?269 744 */ 745 #define DLT_CAN20B 190 746 747 /* 748 * IEEE 802.15.4, with address fields padded, as is done by Linux 749 * drivers; requested by Juergen Schimmer. 750 */ 751 #define DLT_IEEE802_15_4_LINUX 191 752 753 /* 754 * Per Packet Information encapsulated packets. 755 * DLT_ requested by Gianluca Varenni <gianluca.varenni (at) cacetech.com>. 756 */ 757 #define DLT_PPI 192 758 759 /* 760 * Header for 802.16 MAC Common Part Sublayer plus a radiotap radio header; 761 * requested by Charles Clancy. 762 */ 763 #define DLT_IEEE802_16_MAC_CPS_RADIO 193 764 765 /* 766 * Juniper-private data link type, as per request from 767 * Hannes Gredler <hannes (at) juniper.net>. 768 * The DLT_ is used for internal communication with a 769 * integrated service module (ISM). 770 */ 771 #define DLT_JUNIPER_ISM 194 772 773 /* 774 * IEEE 802.15.4, exactly as it appears in the spec (no padding, no 775 * nothing); requested by Mikko Saarnivala <mikko.saarnivala (at) sensinode.com>. 776 * For this one, we expect the FCS to be present at the end of the frame; 777 * if the frame has no FCS, DLT_IEEE802_15_4_NOFCS should be used. 778 */ 779 #define DLT_IEEE802_15_4 195 780 781 /* 782 * Various link-layer types, with a pseudo-header, for SITA 783 * (http://www.sita.aero/); requested by Fulko Hew (fulko.hew (at) gmail.com). 784 */ 785 #define DLT_SITA 196 786 787 /* 788 * Various link-layer types, with a pseudo-header, for Endace DAG cards; 789 * encapsulates Endace ERF records. Requested by Stephen Donnelly 790 * <stephen (at) endace.com>. 791 */ 792 #define DLT_ERF 197 793 794 /* 795 * Special header prepended to Ethernet packets when capturing from a 796 * u10 Networks board. Requested by Phil Mulholland 797 * <phil (at) u10networks.com>. 798 */ 799 #define DLT_RAIF1 198 800 801 /* 802 * IPMB packet for IPMI, beginning with the I2C slave address, followed 803 * by the netFn and LUN, etc.. Requested by Chanthy Toeung 804 * <chanthy.toeung (at) ca.kontron.com>. 805 */ 806 #define DLT_IPMB 199 807 808 /* 809 * Juniper-private data link type, as per request from 810 * Hannes Gredler <hannes (at) juniper.net>. 811 * The DLT_ is used for capturing data on a secure tunnel interface. 812 */ 813 #define DLT_JUNIPER_ST 200 814 815 /* 816 * Bluetooth HCI UART transport layer (part H:4), with pseudo-header 817 * that includes direction information; requested by Paolo Abeni. 818 */ 819 #define DLT_BLUETOOTH_HCI_H4_WITH_PHDR 201 820 821 /* 822 * AX.25 packet with a 1-byte KISS header; see 823 * 824 * http://www.ax25.net/kiss.htm 825 * 826 * as per Richard Stearn <richard (at) rns-stearn.demon.co.uk>. 827 */ 828 #define DLT_AX25_KISS 202 829 830 /* 831 * LAPD packets from an ISDN channel, starting with the address field, 832 * with no pseudo-header. 833 * Requested by Varuna De Silva <varunax (at) gmail.com>. 834 */ 835 #define DLT_LAPD 203 836 837 /* 838 * Variants of various link-layer headers, with a one-byte direction 839 * pseudo-header prepended - zero means "received by this host", 840 * non-zero (any non-zero value) means "sent by this host" - as per 841 * Will Barker <w.barker (at) zen.co.uk>. 842 */ 843 #define DLT_PPP_WITH_DIR 204 /* PPP - don't confuse with DLT_PPP_WITH_DIRECTION */ 844 #define DLT_C_HDLC_WITH_DIR 205 /* Cisco HDLC */ 845 #define DLT_FRELAY_WITH_DIR 206 /* Frame Relay */ 846 #define DLT_LAPB_WITH_DIR 207 /* LAPB */ 847 848 /* 849 * 208 is reserved for an as-yet-unspecified proprietary link-layer 850 * type, as requested by Will Barker. 851 */ 852 853 /* 854 * IPMB with a Linux-specific pseudo-header; as requested by Alexey Neyman 855 * <avn (at) pigeonpoint.com>. 856 */ 857 #define DLT_IPMB_LINUX 209 858 859 /* 860 * FlexRay automotive bus - http://www.flexray.com/ - as requested 861 * by Hannes Kaelber <hannes.kaelber (at) x2e.de>. 862 */ 863 #define DLT_FLEXRAY 210 864 865 /* 866 * Media Oriented Systems Transport (MOST) bus for multimedia 867 * transport - http://www.mostcooperation.com/ - as requested 868 * by Hannes Kaelber <hannes.kaelber (at) x2e.de>. 869 */ 870 #define DLT_MOST 211 871 872 /* 873 * Local Interconnect Network (LIN) bus for vehicle networks - 874 * http://www.lin-subbus.org/ - as requested by Hannes Kaelber 875 * <hannes.kaelber (at) x2e.de>. 876 */ 877 #define DLT_LIN 212 878 879 /* 880 * X2E-private data link type used for serial line capture, 881 * as requested by Hannes Kaelber <hannes.kaelber (at) x2e.de>. 882 */ 883 #define DLT_X2E_SERIAL 213 884 885 /* 886 * X2E-private data link type used for the Xoraya data logger 887 * family, as requested by Hannes Kaelber <hannes.kaelber (at) x2e.de>. 888 */ 889 #define DLT_X2E_XORAYA 214 890 891 /* 892 * IEEE 802.15.4, exactly as it appears in the spec (no padding, no 893 * nothing), but with the PHY-level data for non-ASK PHYs (4 octets 894 * of 0 as preamble, one octet of SFD, one octet of frame length+ 895 * reserved bit, and then the MAC-layer data, starting with the 896 * frame control field). 897 * 898 * Requested by Max Filippov <jcmvbkbc (at) gmail.com>. 899 */ 900 #define DLT_IEEE802_15_4_NONASK_PHY 215 901 902 /* 903 * David Gibson <david (at) gibson.dropbear.id.au> requested this for 904 * captures from the Linux kernel /dev/input/eventN devices. This 905 * is used to communicate keystrokes and mouse movements from the 906 * Linux kernel to display systems, such as Xorg. 907 */ 908 #define DLT_LINUX_EVDEV 216 909 910 /* 911 * GSM Um and Abis interfaces, preceded by a "gsmtap" header. 912 * 913 * Requested by Harald Welte <laforge (at) gnumonks.org>. 914 */ 915 #define DLT_GSMTAP_UM 217 916 #define DLT_GSMTAP_ABIS 218 917 918 /* 919 * MPLS, with an MPLS label as the link-layer header. 920 * Requested by Michele Marchetto <michele (at) openbsd.org> on behalf 921 * of OpenBSD. 922 */ 923 #define DLT_MPLS 219 924 925 /* 926 * USB packets, beginning with a Linux USB header, with the USB header 927 * padded to 64 bytes; required for memory-mapped access. 928 */ 929 #define DLT_USB_LINUX_MMAPPED 220 930 931 /* 932 * DECT packets, with a pseudo-header; requested by 933 * Matthias Wenzel <tcpdump (at) mazzoo.de>. 934 */ 935 #define DLT_DECT 221 936 937 /* 938 * From: "Lidwa, Eric (GSFC-582.0)[SGT INC]" <eric.lidwa-1 (at) nasa.gov> 939 * Date: Mon, 11 May 2009 11:18:30 -0500 940 * 941 * DLT_AOS. We need it for AOS Space Data Link Protocol. 942 * I have already written dissectors for but need an OK from 943 * legal before I can submit a patch. 944 * 945 */ 946 #define DLT_AOS 222 947 948 /* 949 * Wireless HART (Highway Addressable Remote Transducer) 950 * From the HART Communication Foundation 951 * IES/PAS 62591 952 * 953 * Requested by Sam Roberts <vieuxtech (at) gmail.com>. 954 */ 955 #define DLT_WIHART 223 956 957 /* 958 * Fibre Channel FC-2 frames, beginning with a Frame_Header. 959 * Requested by Kahou Lei <kahou82 (at) gmail.com>. 960 */ 961 #define DLT_FC_2 224 962 963 /* 964 * Fibre Channel FC-2 frames, beginning with an encoding of the 965 * SOF, and ending with an encoding of the EOF. 966 * 967 * The encodings represent the frame delimiters as 4-byte sequences 968 * representing the corresponding ordered sets, with K28.5 969 * represented as 0xBC, and the D symbols as the corresponding 970 * byte values; for example, SOFi2, which is K28.5 - D21.5 - D1.2 - D21.2, 971 * is represented as 0xBC 0xB5 0x55 0x55. 972 * 973 * Requested by Kahou Lei <kahou82 (at) gmail.com>. 974 */ 975 #define DLT_FC_2_WITH_FRAME_DELIMS 225 976 977 /* 978 * Solaris ipnet pseudo-header; requested by Darren Reed <Darren.Reed (at) Sun.COM>. 979 * 980 * The pseudo-header starts with a one-byte version number; for version 2, 981 * the pseudo-header is: 982 * 983 * struct dl_ipnetinfo { 984 * u_int8_t dli_version; 985 * u_int8_t dli_family; 986 * u_int16_t dli_htype; 987 * u_int32_t dli_pktlen; 988 * u_int32_t dli_ifindex; 989 * u_int32_t dli_grifindex; 990 * u_int32_t dli_zsrc; 991 * u_int32_t dli_zdst; 992 * }; 993 * 994 * dli_version is 2 for the current version of the pseudo-header. 995 * 996 * dli_family is a Solaris address family value, so it's 2 for IPv4 997 * and 26 for IPv6. 998 * 999 * dli_htype is a "hook type" - 0 for incoming packets, 1 for outgoing 1000 * packets, and 2 for packets arriving from another zone on the same 1001 * machine. 1002 * 1003 * dli_pktlen is the length of the packet data following the pseudo-header 1004 * (so the captured length minus dli_pktlen is the length of the 1005 * pseudo-header, assuming the entire pseudo-header was captured). 1006 * 1007 * dli_ifindex is the interface index of the interface on which the 1008 * packet arrived. 1009 * 1010 * dli_grifindex is the group interface index number (for IPMP interfaces). 1011 * 1012 * dli_zsrc is the zone identifier for the source of the packet. 1013 * 1014 * dli_zdst is the zone identifier for the destination of the packet. 1015 * 1016 * A zone number of 0 is the global zone; a zone number of 0xffffffff 1017 * means that the packet arrived from another host on the network, not 1018 * from another zone on the same machine. 1019 * 1020 * An IPv4 or IPv6 datagram follows the pseudo-header; dli_family indicates 1021 * which of those it is. 1022 */ 1023 #define DLT_IPNET 226 1024 1025 /* 1026 * CAN (Controller Area Network) frames, with a pseudo-header as supplied 1027 * by Linux SocketCAN. See Documentation/networking/can.txt in the Linux 1028 * source. 1029 * 1030 * Requested by Felix Obenhuber <felix (at) obenhuber.de>. 1031 */ 1032 #define DLT_CAN_SOCKETCAN 227 1033 1034 /* 1035 * Raw IPv4/IPv6; different from DLT_RAW in that the DLT_ value specifies 1036 * whether it's v4 or v6. Requested by Darren Reed <Darren.Reed (at) Sun.COM>. 1037 */ 1038 #define DLT_IPV4 228 1039 #define DLT_IPV6 229 1040 1041 /* 1042 * IEEE 802.15.4, exactly as it appears in the spec (no padding, no 1043 * nothing), and with no FCS at the end of the frame; requested by 1044 * Jon Smirl <jonsmirl (at) gmail.com>. 1045 */ 1046 #define DLT_IEEE802_15_4_NOFCS 230 1047 1048 /* 1049 * Raw D-Bus: 1050 * 1051 * http://www.freedesktop.org/wiki/Software/dbus 1052 * 1053 * messages: 1054 * 1055 * http://dbus.freedesktop.org/doc/dbus-specification.html#message-protocol-messages 1056 * 1057 * starting with the endianness flag, followed by the message type, etc., 1058 * but without the authentication handshake before the message sequence: 1059 * 1060 * http://dbus.freedesktop.org/doc/dbus-specification.html#auth-protocol 1061 * 1062 * Requested by Martin Vidner <martin (at) vidner.net>. 1063 */ 1064 #define DLT_DBUS 231 1065 1066 /* 1067 * Juniper-private data link type, as per request from 1068 * Hannes Gredler <hannes (at) juniper.net>. 1069 */ 1070 #define DLT_JUNIPER_VS 232 1071 #define DLT_JUNIPER_SRX_E2E 233 1072 #define DLT_JUNIPER_FIBRECHANNEL 234 1073 1074 /* 1075 * DVB-CI (DVB Common Interface for communication between a PC Card 1076 * module and a DVB receiver). See 1077 * 1078 * http://www.kaiser.cx/pcap-dvbci.html 1079 * 1080 * for the specification. 1081 * 1082 * Requested by Martin Kaiser <martin (at) kaiser.cx>. 1083 */ 1084 #define DLT_DVB_CI 235 1085 1086 /* 1087 * Variant of 3GPP TS 27.010 multiplexing protocol (similar to, but 1088 * *not* the same as, 27.010). Requested by Hans-Christoph Schemmel 1089 * <hans-christoph.schemmel (at) cinterion.com>. 1090 */ 1091 #define DLT_MUX27010 236 1092 1093 /* 1094 * STANAG 5066 D_PDUs. Requested by M. Baris Demiray 1095 * <barisdemiray (at) gmail.com>. 1096 */ 1097 #define DLT_STANAG_5066_D_PDU 237 1098 1099 /* 1100 * Juniper-private data link type, as per request from 1101 * Hannes Gredler <hannes (at) juniper.net>. 1102 */ 1103 #define DLT_JUNIPER_ATM_CEMIC 238 1104 1105 /* 1106 * NetFilter LOG messages 1107 * (payload of netlink NFNL_SUBSYS_ULOG/NFULNL_MSG_PACKET packets) 1108 * 1109 * Requested by Jakub Zawadzki <darkjames-ws (at) darkjames.pl> 1110 */ 1111 #define DLT_NFLOG 239 1112 1113 /* 1114 * Hilscher Gesellschaft fuer Systemautomation mbH link-layer type 1115 * for Ethernet packets with a 4-byte pseudo-header and always 1116 * with the payload including the FCS, as supplied by their 1117 * netANALYZER hardware and software. 1118 * 1119 * Requested by Holger P. Frommer <HPfrommer (at) hilscher.com> 1120 */ 1121 #define DLT_NETANALYZER 240 1122 1123 /* 1124 * Hilscher Gesellschaft fuer Systemautomation mbH link-layer type 1125 * for Ethernet packets with a 4-byte pseudo-header and FCS and 1126 * with the Ethernet header preceded by 7 bytes of preamble and 1127 * 1 byte of SFD, as supplied by their netANALYZER hardware and 1128 * software. 1129 * 1130 * Requested by Holger P. Frommer <HPfrommer (at) hilscher.com> 1131 */ 1132 #define DLT_NETANALYZER_TRANSPARENT 241 1133 1134 /* 1135 * IP-over-InfiniBand, as specified by RFC 4391. 1136 * 1137 * Requested by Petr Sumbera <petr.sumbera (at) oracle.com>. 1138 */ 1139 #define DLT_IPOIB 242 1140 1141 /* 1142 * MPEG-2 transport stream (ISO 13818-1/ITU-T H.222.0). 1143 * 1144 * Requested by Guy Martin <gmsoft (at) tuxicoman.be>. 1145 */ 1146 #define DLT_MPEG_2_TS 243 1147 1148 /* 1149 * ng4T GmbH's UMTS Iub/Iur-over-ATM and Iub/Iur-over-IP format as 1150 * used by their ng40 protocol tester. 1151 * 1152 * Requested by Jens Grimmer <jens.grimmer (at) ng4t.com>. 1153 */ 1154 #define DLT_NG40 244 1155 1156 /* 1157 * Pseudo-header giving adapter number and flags, followed by an NFC 1158 * (Near-Field Communications) Logical Link Control Protocol (LLCP) PDU, 1159 * as specified by NFC Forum Logical Link Control Protocol Technical 1160 * Specification LLCP 1.1. 1161 * 1162 * Requested by Mike Wakerly <mikey (at) google.com>. 1163 */ 1164 #define DLT_NFC_LLCP 245 1165 1166 /* 1167 * 245 is used as LINKTYPE_PFSYNC; do not use it for any other purpose. 1168 * 1169 * DLT_PFSYNC has different values on different platforms, and all of 1170 * them collide with something used elsewhere. On platforms that 1171 * don't already define it, define it as 245. 1172 */ 1173 #if !defined(__FreeBSD__) && !defined(__OpenBSD__) && !defined(__NetBSD__) && !defined(__DragonFly__) && !defined(__APPLE__) 1174 #define DLT_PFSYNC 246 1175 #endif 1176 1177 /* 1178 * Raw InfiniBand packets, starting with the Local Routing Header. 1179 * 1180 * Requested by Oren Kladnitsky <orenk (at) mellanox.com>. 1181 */ 1182 #define DLT_INFINIBAND 247 1183 1184 /* 1185 * SCTP, with no lower-level protocols (i.e., no IPv4 or IPv6). 1186 * 1187 * Requested by Michael Tuexen <Michael.Tuexen (at) lurchi.franken.de>. 1188 */ 1189 #define DLT_SCTP 248 1190 1191 /* 1192 * USB packets, beginning with a USBPcap header. 1193 * 1194 * Requested by Tomasz Mon <desowin (at) gmail.com> 1195 */ 1196 #define DLT_USBPCAP 249 1197 1198 /* 1199 * Schweitzer Engineering Laboratories "RTAC" product serial-line 1200 * packets. 1201 * 1202 * Requested by Chris Bontje <chris_bontje (at) selinc.com>. 1203 */ 1204 #define DLT_RTAC_SERIAL 250 1205 1206 /* 1207 * Bluetooth Low Energy air interface link-layer packets. 1208 * 1209 * Requested by Mike Kershaw <dragorn (at) kismetwireless.net>. 1210 */ 1211 #define DLT_BLUETOOTH_LE_LL 251 1212 1213 /* 1214 * DLT type for upper-protocol layer PDU saves from wireshark. 1215 * 1216 * the actual contents are determined by two TAGs stored with each 1217 * packet: 1218 * EXP_PDU_TAG_LINKTYPE the link type (LINKTYPE_ value) of the 1219 * original packet. 1220 * 1221 * EXP_PDU_TAG_PROTO_NAME the name of the wireshark dissector 1222 * that can make sense of the data stored. 1223 */ 1224 #define DLT_WIRESHARK_UPPER_PDU 252 1225 1226 /* 1227 * DLT type for the netlink protocol (nlmon devices). 1228 */ 1229 #define DLT_NETLINK 253 1230 1231 /* 1232 * Bluetooth Linux Monitor headers for the BlueZ stack. 1233 */ 1234 #define DLT_BLUETOOTH_LINUX_MONITOR 254 1235 1236 /* 1237 * Bluetooth Basic Rate/Enhanced Data Rate baseband packets, as 1238 * captured by Ubertooth. 1239 */ 1240 #define DLT_BLUETOOTH_BREDR_BB 255 1241 1242 /* 1243 * Bluetooth Low Energy link layer packets, as captured by Ubertooth. 1244 */ 1245 #define DLT_BLUETOOTH_LE_LL_WITH_PHDR 256 1246 1247 /* 1248 * PROFIBUS data link layer. 1249 */ 1250 #define DLT_PROFIBUS_DL 257 1251 1252 /* 1253 * Apple's DLT_PKTAP headers. 1254 * 1255 * Sadly, the folks at Apple either had no clue that the DLT_USERn values 1256 * are for internal use within an organization and partners only, and 1257 * didn't know that the right way to get a link-layer header type is to 1258 * ask tcpdump.org for one, or knew and didn't care, so they just 1259 * used DLT_USER2, which causes problems for everything except for 1260 * their version of tcpdump. 1261 * 1262 * So I'll just give them one; hopefully this will show up in a 1263 * libpcap release in time for them to get this into 10.10 Big Sur 1264 * or whatever Mavericks' successor is called. LINKTYPE_PKTAP 1265 * will be 258 *even on OS X*; that is *intentional*, so that 1266 * PKTAP files look the same on *all* OSes (different OSes can have 1267 * different numerical values for a given DLT_, but *MUST NOT* have 1268 * different values for what goes in a file, as files can be moved 1269 * between OSes!). 1270 * 1271 * When capturing, on a system with a Darwin-based OS, on a device 1272 * that returns 149 (DLT_USER2 and Apple's DLT_PKTAP) with this 1273 * version of libpcap, the DLT_ value for the pcap_t will be DLT_PKTAP, 1274 * and that will continue to be DLT_USER2 on Darwin-based OSes. That way, 1275 * binary compatibility with Mavericks is preserved for programs using 1276 * this version of libpcap. This does mean that if you were using 1277 * DLT_USER2 for some capture device on OS X, you can't do so with 1278 * this version of libpcap, just as you can't with Apple's libpcap - 1279 * on OS X, they define DLT_PKTAP to be DLT_USER2, so programs won't 1280 * be able to distinguish between PKTAP and whatever you were using 1281 * DLT_USER2 for. 1282 * 1283 * If the program saves the capture to a file using this version of 1284 * libpcap's pcap_dump code, the LINKTYPE_ value in the file will be 1285 * LINKTYPE_PKTAP, which will be 258, even on Darwin-based OSes. 1286 * That way, the file will *not* be a DLT_USER2 file. That means 1287 * that the latest version of tcpdump, when built with this version 1288 * of libpcap, and sufficiently recent versions of Wireshark will 1289 * be able to read those files and interpret them correctly; however, 1290 * Apple's version of tcpdump in OS X 10.9 won't be able to handle 1291 * them. (Hopefully, Apple will pick up this version of libpcap, 1292 * and the corresponding version of tcpdump, so that tcpdump will 1293 * be able to handle the old LINKTYPE_USER2 captures *and* the new 1294 * LINKTYPE_PKTAP captures.) 1295 */ 1296 #ifdef __APPLE__ 1297 #define DLT_PKTAP DLT_USER2 1298 #else 1299 #define DLT_PKTAP 258 1300 #endif 1301 1302 /* 1303 * Ethernet packets preceded by a header giving the last 6 octets 1304 * of the preamble specified by 802.3-2012 Clause 65, section 1305 * 65.1.3.2 "Transmit". 1306 */ 1307 #define DLT_EPON 259 1308 1309 /* 1310 * IPMI trace packets, as specified by Table 3-20 "Trace Data Block Format" 1311 * in the PICMG HPM.2 specification. 1312 */ 1313 #define DLT_IPMI_HPM_2 260 1314 1315 /* 1316 * per Joshua Wright <jwright (at) hasborg.com>, formats for Zwave captures. 1317 */ 1318 #define DLT_ZWAVE_R1_R2 261 1319 #define DLT_ZWAVE_R3 262 1320 1321 /* 1322 * per Steve Karg <skarg (at) users.sourceforge.net>, formats for Wattstopper 1323 * Digital Lighting Management room bus serial protocol captures. 1324 */ 1325 #define DLT_WATTSTOPPER_DLM 263 1326 1327 #define DLT_MATCHING_MAX 263 /* highest value in the "matching" range */ 1328 1329 /* 1330 * DLT and savefile link type values are split into a class and 1331 * a member of that class. A class value of 0 indicates a regular 1332 * DLT_/LINKTYPE_ value. 1333 */ 1334 #define DLT_CLASS(x) ((x) & 0x03ff0000) 1335 1336 /* 1337 * NetBSD-specific generic "raw" link type. The class value indicates 1338 * that this is the generic raw type, and the lower 16 bits are the 1339 * address family we're dealing with. Those values are NetBSD-specific; 1340 * do not assume that they correspond to AF_ values for your operating 1341 * system. 1342 */ 1343 #define DLT_CLASS_NETBSD_RAWAF 0x02240000 1344 #define DLT_NETBSD_RAWAF(af) (DLT_CLASS_NETBSD_RAWAF | (af)) 1345 #define DLT_NETBSD_RAWAF_AF(x) ((x) & 0x0000ffff) 1346 #define DLT_IS_NETBSD_RAWAF(x) (DLT_CLASS(x) == DLT_CLASS_NETBSD_RAWAF) 1347 1348 1349 /* 1350 * The instruction encodings. 1351 * 1352 * Please inform tcpdump-workers (at) lists.tcpdump.org if you use any 1353 * of the reserved values, so that we can note that they're used 1354 * (and perhaps implement it in the reference BPF implementation 1355 * and encourage its implementation elsewhere). 1356 */ 1357 1358 /* 1359 * The upper 8 bits of the opcode aren't used. BSD/OS used 0x8000. 1360 */ 1361 1362 /* instruction classes */ 1363 #define BPF_CLASS(code) ((code) & 0x07) 1364 #define BPF_LD 0x00 1365 #define BPF_LDX 0x01 1366 #define BPF_ST 0x02 1367 #define BPF_STX 0x03 1368 #define BPF_ALU 0x04 1369 #define BPF_JMP 0x05 1370 #define BPF_RET 0x06 1371 #define BPF_MISC 0x07 1372 1373 /* ld/ldx fields */ 1374 #define BPF_SIZE(code) ((code) & 0x18) 1375 #define BPF_W 0x00 1376 #define BPF_H 0x08 1377 #define BPF_B 0x10 1378 /* 0x18 reserved; used by BSD/OS */ 1379 #define BPF_MODE(code) ((code) & 0xe0) 1380 #define BPF_IMM 0x00 1381 #define BPF_ABS 0x20 1382 #define BPF_IND 0x40 1383 #define BPF_MEM 0x60 1384 #define BPF_LEN 0x80 1385 #define BPF_MSH 0xa0 1386 /* 0xc0 reserved; used by BSD/OS */ 1387 /* 0xe0 reserved; used by BSD/OS */ 1388 1389 /* alu/jmp fields */ 1390 #define BPF_OP(code) ((code) & 0xf0) 1391 #define BPF_ADD 0x00 1392 #define BPF_SUB 0x10 1393 #define BPF_MUL 0x20 1394 #define BPF_DIV 0x30 1395 #define BPF_OR 0x40 1396 #define BPF_AND 0x50 1397 #define BPF_LSH 0x60 1398 #define BPF_RSH 0x70 1399 #define BPF_NEG 0x80 1400 #define BPF_MOD 0x90 1401 #define BPF_XOR 0xa0 1402 /* 0xb0 reserved */ 1403 /* 0xc0 reserved */ 1404 /* 0xd0 reserved */ 1405 /* 0xe0 reserved */ 1406 /* 0xf0 reserved */ 1407 1408 #define BPF_JA 0x00 1409 #define BPF_JEQ 0x10 1410 #define BPF_JGT 0x20 1411 #define BPF_JGE 0x30 1412 #define BPF_JSET 0x40 1413 /* 0x50 reserved; used on BSD/OS */ 1414 /* 0x60 reserved */ 1415 /* 0x70 reserved */ 1416 /* 0x80 reserved */ 1417 /* 0x90 reserved */ 1418 /* 0xa0 reserved */ 1419 /* 0xb0 reserved */ 1420 /* 0xc0 reserved */ 1421 /* 0xd0 reserved */ 1422 /* 0xe0 reserved */ 1423 /* 0xf0 reserved */ 1424 #define BPF_SRC(code) ((code) & 0x08) 1425 #define BPF_K 0x00 1426 #define BPF_X 0x08 1427 1428 /* ret - BPF_K and BPF_X also apply */ 1429 #define BPF_RVAL(code) ((code) & 0x18) 1430 #define BPF_A 0x10 1431 /* 0x18 reserved */ 1432 1433 /* misc */ 1434 #define BPF_MISCOP(code) ((code) & 0xf8) 1435 #define BPF_TAX 0x00 1436 /* 0x08 reserved */ 1437 /* 0x10 reserved */ 1438 /* 0x18 reserved */ 1439 /* #define BPF_COP 0x20 NetBSD "coprocessor" extensions */ 1440 /* 0x28 reserved */ 1441 /* 0x30 reserved */ 1442 /* 0x38 reserved */ 1443 /* #define BPF_COPX 0x40 NetBSD "coprocessor" extensions */ 1444 /* also used on BSD/OS */ 1445 /* 0x48 reserved */ 1446 /* 0x50 reserved */ 1447 /* 0x58 reserved */ 1448 /* 0x60 reserved */ 1449 /* 0x68 reserved */ 1450 /* 0x70 reserved */ 1451 /* 0x78 reserved */ 1452 #define BPF_TXA 0x80 1453 /* 0x88 reserved */ 1454 /* 0x90 reserved */ 1455 /* 0x98 reserved */ 1456 /* 0xa0 reserved */ 1457 /* 0xa8 reserved */ 1458 /* 0xb0 reserved */ 1459 /* 0xb8 reserved */ 1460 /* 0xc0 reserved; used on BSD/OS */ 1461 /* 0xc8 reserved */ 1462 /* 0xd0 reserved */ 1463 /* 0xd8 reserved */ 1464 /* 0xe0 reserved */ 1465 /* 0xe8 reserved */ 1466 /* 0xf0 reserved */ 1467 /* 0xf8 reserved */ 1468 1469 /* 1470 * The instruction data structure. 1471 */ 1472 struct bpf_insn { 1473 u_short code; 1474 u_char jt; 1475 u_char jf; 1476 bpf_u_int32 k; 1477 }; 1478 1479 /* 1480 * Auxiliary data, for use when interpreting a filter intended for the 1481 * Linux kernel when the kernel rejects the filter (requiring us to 1482 * run it in userland). It contains VLAN tag information. 1483 */ 1484 struct bpf_aux_data { 1485 u_short vlan_tag_present; 1486 u_short vlan_tag; 1487 }; 1488 1489 /* 1490 * Macros for insn array initializers. 1491 */ 1492 #define BPF_STMT(code, k) { (u_short)(code), 0, 0, k } 1493 #define BPF_JUMP(code, k, jt, jf) { (u_short)(code), jt, jf, k } 1494 1495 #if __STDC__ || defined(__cplusplus) 1496 extern int bpf_validate(const struct bpf_insn *, int); 1497 extern u_int bpf_filter(const struct bpf_insn *, const u_char *, u_int, u_int); 1498 extern u_int bpf_filter_with_aux_data(const struct bpf_insn *, const u_char *, u_int, u_int, const struct bpf_aux_data *); 1499 #else 1500 extern int bpf_validate(); 1501 extern u_int bpf_filter(); 1502 extern u_int bpf_filter(); 1503 #endif 1504 1505 /* 1506 * Number of scratch memory words (for BPF_LD|BPF_MEM and BPF_ST). 1507 */ 1508 #define BPF_MEMWORDS 16 1509 1510 #ifdef __cplusplus 1511 } 1512 #endif 1513 1514 #endif /* !defined(_NET_BPF_H_) && !defined(_BPF_H_) && !defined(_H_BPF) && !defined(lib_pcap_bpf_h) */ 1515