Home | History | Annotate | Download | only in pcap
      1 /*-
      2  * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997
      3  *	The Regents of the University of California.  All rights reserved.
      4  *
      5  * This code is derived from the Stanford/CMU enet packet filter,
      6  * (net/enet.c) distributed as part of 4.3BSD, and code contributed
      7  * to Berkeley by Steven McCanne and Van Jacobson both of Lawrence
      8  * Berkeley Laboratory.
      9  *
     10  * Redistribution and use in source and binary forms, with or without
     11  * modification, are permitted provided that the following conditions
     12  * are met:
     13  * 1. Redistributions of source code must retain the above copyright
     14  *    notice, this list of conditions and the following disclaimer.
     15  * 2. Redistributions in binary form must reproduce the above copyright
     16  *    notice, this list of conditions and the following disclaimer in the
     17  *    documentation and/or other materials provided with the distribution.
     18  * 3. All advertising materials mentioning features or use of this software
     19  *    must display the following acknowledgement:
     20  *      This product includes software developed by the University of
     21  *      California, Berkeley and its contributors.
     22  * 4. Neither the name of the University nor the names of its contributors
     23  *    may be used to endorse or promote products derived from this software
     24  *    without specific prior written permission.
     25  *
     26  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
     27  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
     28  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
     29  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
     30  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
     31  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
     32  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
     33  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
     34  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
     35  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
     36  * SUCH DAMAGE.
     37  *
     38  *      @(#)bpf.h       7.1 (Berkeley) 5/7/91
     39  */
     40 
     41 /*
     42  * This is libpcap's cut-down version of bpf.h; it includes only
     43  * the stuff needed for the code generator and the userland BPF
     44  * interpreter, and the libpcap APIs for setting filters, etc..
     45  *
     46  * "pcap-bpf.c" will include the native OS version, as it deals with
     47  * the OS's BPF implementation.
     48  *
     49  * At least two programs found by Google Code Search explicitly includes
     50  * <pcap/bpf.h> (even though <pcap.h>/<pcap/pcap.h> includes it for you),
     51  * so moving that stuff to <pcap/pcap.h> would break the build for some
     52  * programs.
     53  */
     54 
     55 /*
     56  * If we've already included <net/bpf.h>, don't re-define this stuff.
     57  * We assume BSD-style multiple-include protection in <net/bpf.h>,
     58  * which is true of all but the oldest versions of FreeBSD and NetBSD,
     59  * or Tru64 UNIX-style multiple-include protection (or, at least,
     60  * Tru64 UNIX 5.x-style; I don't have earlier versions available to check),
     61  * or AIX-style multiple-include protection (or, at least, AIX 5.x-style;
     62  * I don't have earlier versions available to check), or QNX-style
     63  * multiple-include protection (as per GitHub pull request #394).
     64  *
     65  * We do not check for BPF_MAJOR_VERSION, as that's defined by
     66  * <linux/filter.h>, which is directly or indirectly included in some
     67  * programs that also include pcap.h, and <linux/filter.h> doesn't
     68  * define stuff we need.
     69  *
     70  * This also provides our own multiple-include protection.
     71  */
     72 #if !defined(_NET_BPF_H_) && !defined(_NET_BPF_H_INCLUDED) && !defined(_BPF_H_) && !defined(_H_BPF) && !defined(lib_pcap_bpf_h)
     73 #define lib_pcap_bpf_h
     74 
     75 #ifdef __cplusplus
     76 extern "C" {
     77 #endif
     78 
     79 /* BSD style release date */
     80 #define BPF_RELEASE 199606
     81 
     82 #ifdef MSDOS /* must be 32-bit */
     83 typedef long          bpf_int32;
     84 typedef unsigned long bpf_u_int32;
     85 #else
     86 typedef	int bpf_int32;
     87 typedef	u_int bpf_u_int32;
     88 #endif
     89 
     90 /*
     91  * Alignment macros.  BPF_WORDALIGN rounds up to the next
     92  * even multiple of BPF_ALIGNMENT.
     93  *
     94  * Tcpdump's print-pflog.c uses this, so we define it here.
     95  */
     96 #ifndef __NetBSD__
     97 #define BPF_ALIGNMENT sizeof(bpf_int32)
     98 #else
     99 #define BPF_ALIGNMENT sizeof(long)
    100 #endif
    101 #define BPF_WORDALIGN(x) (((x)+(BPF_ALIGNMENT-1))&~(BPF_ALIGNMENT-1))
    102 
    103 /*
    104  * Structure for "pcap_compile()", "pcap_setfilter()", etc..
    105  */
    106 struct bpf_program {
    107 	u_int bf_len;
    108 	struct bpf_insn *bf_insns;
    109 };
    110 
    111 /*
    112  * Link-layer header type codes.
    113  *
    114  * Do *NOT* add new values to this list without asking
    115  * "tcpdump-workers (at) lists.tcpdump.org" for a value.  Otherwise, you run
    116  * the risk of using a value that's already being used for some other
    117  * purpose, and of having tools that read libpcap-format captures not
    118  * being able to handle captures with your new DLT_ value, with no hope
    119  * that they will ever be changed to do so (as that would destroy their
    120  * ability to read captures using that value for that other purpose).
    121  *
    122  * See
    123  *
    124  *	http://www.tcpdump.org/linktypes.html
    125  *
    126  * for detailed descriptions of some of these link-layer header types.
    127  */
    128 
    129 /*
    130  * These are the types that are the same on all platforms, and that
    131  * have been defined by <net/bpf.h> for ages.
    132  */
    133 #define DLT_NULL	0	/* BSD loopback encapsulation */
    134 #define DLT_EN10MB	1	/* Ethernet (10Mb) */
    135 #define DLT_EN3MB	2	/* Experimental Ethernet (3Mb) */
    136 #define DLT_AX25	3	/* Amateur Radio AX.25 */
    137 #define DLT_PRONET	4	/* Proteon ProNET Token Ring */
    138 #define DLT_CHAOS	5	/* Chaos */
    139 #define DLT_IEEE802	6	/* 802.5 Token Ring */
    140 #define DLT_ARCNET	7	/* ARCNET, with BSD-style header */
    141 #define DLT_SLIP	8	/* Serial Line IP */
    142 #define DLT_PPP		9	/* Point-to-point Protocol */
    143 #define DLT_FDDI	10	/* FDDI */
    144 
    145 /*
    146  * These are types that are different on some platforms, and that
    147  * have been defined by <net/bpf.h> for ages.  We use #ifdefs to
    148  * detect the BSDs that define them differently from the traditional
    149  * libpcap <net/bpf.h>
    150  *
    151  * XXX - DLT_ATM_RFC1483 is 13 in BSD/OS, and DLT_RAW is 14 in BSD/OS,
    152  * but I don't know what the right #define is for BSD/OS.
    153  */
    154 #define DLT_ATM_RFC1483	11	/* LLC-encapsulated ATM */
    155 
    156 #ifdef __OpenBSD__
    157 #define DLT_RAW		14	/* raw IP */
    158 #else
    159 #define DLT_RAW		12	/* raw IP */
    160 #endif
    161 
    162 /*
    163  * Given that the only OS that currently generates BSD/OS SLIP or PPP
    164  * is, well, BSD/OS, arguably everybody should have chosen its values
    165  * for DLT_SLIP_BSDOS and DLT_PPP_BSDOS, which are 15 and 16, but they
    166  * didn't.  So it goes.
    167  */
    168 #if defined(__NetBSD__) || defined(__FreeBSD__)
    169 #ifndef DLT_SLIP_BSDOS
    170 #define DLT_SLIP_BSDOS	13	/* BSD/OS Serial Line IP */
    171 #define DLT_PPP_BSDOS	14	/* BSD/OS Point-to-point Protocol */
    172 #endif
    173 #else
    174 #define DLT_SLIP_BSDOS	15	/* BSD/OS Serial Line IP */
    175 #define DLT_PPP_BSDOS	16	/* BSD/OS Point-to-point Protocol */
    176 #endif
    177 
    178 /*
    179  * 17 was used for DLT_PFLOG in OpenBSD; it no longer is.
    180  *
    181  * It was DLT_LANE8023 in SuSE 6.3, so we defined LINKTYPE_PFLOG
    182  * as 117 so that pflog captures would use a link-layer header type
    183  * value that didn't collide with any other values.  On all
    184  * platforms other than OpenBSD, we defined DLT_PFLOG as 117,
    185  * and we mapped between LINKTYPE_PFLOG and DLT_PFLOG.
    186  *
    187  * OpenBSD eventually switched to using 117 for DLT_PFLOG as well.
    188  *
    189  * Don't use 17 for anything else.
    190  */
    191 
    192 /*
    193  * 18 is used for DLT_PFSYNC in OpenBSD, NetBSD, DragonFly BSD and
    194  * Mac OS X; don't use it for anything else.  (FreeBSD uses 121,
    195  * which collides with DLT_HHDLC, even though it doesn't use 18
    196  * for anything and doesn't appear to have ever used it for anything.)
    197  *
    198  * We define it as 18 on those platforms; it is, unfortunately, used
    199  * for DLT_CIP in Suse 6.3, so we don't define it as DLT_PFSYNC
    200  * in general.  As the packet format for it, like that for
    201  * DLT_PFLOG, is not only OS-dependent but OS-version-dependent,
    202  * we don't support printing it in tcpdump except on OSes that
    203  * have the relevant header files, so it's not that useful on
    204  * other platforms.
    205  */
    206 #if defined(__OpenBSD__) || defined(__NetBSD__) || defined(__DragonFly__) || defined(__APPLE__)
    207 #define DLT_PFSYNC	18
    208 #endif
    209 
    210 #define DLT_ATM_CLIP	19	/* Linux Classical-IP over ATM */
    211 
    212 /*
    213  * Apparently Redback uses this for its SmartEdge 400/800.  I hope
    214  * nobody else decided to use it, too.
    215  */
    216 #define DLT_REDBACK_SMARTEDGE	32
    217 
    218 /*
    219  * These values are defined by NetBSD; other platforms should refrain from
    220  * using them for other purposes, so that NetBSD savefiles with link
    221  * types of 50 or 51 can be read as this type on all platforms.
    222  */
    223 #define DLT_PPP_SERIAL	50	/* PPP over serial with HDLC encapsulation */
    224 #define DLT_PPP_ETHER	51	/* PPP over Ethernet */
    225 
    226 /*
    227  * The Axent Raptor firewall - now the Symantec Enterprise Firewall - uses
    228  * a link-layer type of 99 for the tcpdump it supplies.  The link-layer
    229  * header has 6 bytes of unknown data, something that appears to be an
    230  * Ethernet type, and 36 bytes that appear to be 0 in at least one capture
    231  * I've seen.
    232  */
    233 #define DLT_SYMANTEC_FIREWALL	99
    234 
    235 /*
    236  * Values between 100 and 103 are used in capture file headers as
    237  * link-layer header type LINKTYPE_ values corresponding to DLT_ types
    238  * that differ between platforms; don't use those values for new DLT_
    239  * new types.
    240  */
    241 
    242 /*
    243  * Values starting with 104 are used for newly-assigned link-layer
    244  * header type values; for those link-layer header types, the DLT_
    245  * value returned by pcap_datalink() and passed to pcap_open_dead(),
    246  * and the LINKTYPE_ value that appears in capture files, are the
    247  * same.
    248  *
    249  * DLT_MATCHING_MIN is the lowest such value; DLT_MATCHING_MAX is
    250  * the highest such value.
    251  */
    252 #define DLT_MATCHING_MIN	104
    253 
    254 /*
    255  * This value was defined by libpcap 0.5; platforms that have defined
    256  * it with a different value should define it here with that value -
    257  * a link type of 104 in a save file will be mapped to DLT_C_HDLC,
    258  * whatever value that happens to be, so programs will correctly
    259  * handle files with that link type regardless of the value of
    260  * DLT_C_HDLC.
    261  *
    262  * The name DLT_C_HDLC was used by BSD/OS; we use that name for source
    263  * compatibility with programs written for BSD/OS.
    264  *
    265  * libpcap 0.5 defined it as DLT_CHDLC; we define DLT_CHDLC as well,
    266  * for source compatibility with programs written for libpcap 0.5.
    267  */
    268 #define DLT_C_HDLC	104	/* Cisco HDLC */
    269 #define DLT_CHDLC	DLT_C_HDLC
    270 
    271 #define DLT_IEEE802_11	105	/* IEEE 802.11 wireless */
    272 
    273 /*
    274  * 106 is reserved for Linux Classical IP over ATM; it's like DLT_RAW,
    275  * except when it isn't.  (I.e., sometimes it's just raw IP, and
    276  * sometimes it isn't.)  We currently handle it as DLT_LINUX_SLL,
    277  * so that we don't have to worry about the link-layer header.)
    278  */
    279 
    280 /*
    281  * Frame Relay; BSD/OS has a DLT_FR with a value of 11, but that collides
    282  * with other values.
    283  * DLT_FR and DLT_FRELAY packets start with the Q.922 Frame Relay header
    284  * (DLCI, etc.).
    285  */
    286 #define DLT_FRELAY	107
    287 
    288 /*
    289  * OpenBSD DLT_LOOP, for loopback devices; it's like DLT_NULL, except
    290  * that the AF_ type in the link-layer header is in network byte order.
    291  *
    292  * DLT_LOOP is 12 in OpenBSD, but that's DLT_RAW in other OSes, so
    293  * we don't use 12 for it in OSes other than OpenBSD.
    294  */
    295 #ifdef __OpenBSD__
    296 #define DLT_LOOP	12
    297 #else
    298 #define DLT_LOOP	108
    299 #endif
    300 
    301 /*
    302  * Encapsulated packets for IPsec; DLT_ENC is 13 in OpenBSD, but that's
    303  * DLT_SLIP_BSDOS in NetBSD, so we don't use 13 for it in OSes other
    304  * than OpenBSD.
    305  */
    306 #ifdef __OpenBSD__
    307 #define DLT_ENC		13
    308 #else
    309 #define DLT_ENC		109
    310 #endif
    311 
    312 /*
    313  * Values between 110 and 112 are reserved for use in capture file headers
    314  * as link-layer types corresponding to DLT_ types that might differ
    315  * between platforms; don't use those values for new DLT_ types
    316  * other than the corresponding DLT_ types.
    317  */
    318 
    319 /*
    320  * This is for Linux cooked sockets.
    321  */
    322 #define DLT_LINUX_SLL	113
    323 
    324 /*
    325  * Apple LocalTalk hardware.
    326  */
    327 #define DLT_LTALK	114
    328 
    329 /*
    330  * Acorn Econet.
    331  */
    332 #define DLT_ECONET	115
    333 
    334 /*
    335  * Reserved for use with OpenBSD ipfilter.
    336  */
    337 #define DLT_IPFILTER	116
    338 
    339 /*
    340  * OpenBSD DLT_PFLOG.
    341  */
    342 #define DLT_PFLOG	117
    343 
    344 /*
    345  * Registered for Cisco-internal use.
    346  */
    347 #define DLT_CISCO_IOS	118
    348 
    349 /*
    350  * For 802.11 cards using the Prism II chips, with a link-layer
    351  * header including Prism monitor mode information plus an 802.11
    352  * header.
    353  */
    354 #define DLT_PRISM_HEADER	119
    355 
    356 /*
    357  * Reserved for Aironet 802.11 cards, with an Aironet link-layer header
    358  * (see Doug Ambrisko's FreeBSD patches).
    359  */
    360 #define DLT_AIRONET_HEADER	120
    361 
    362 /*
    363  * Sigh.
    364  *
    365  * This was reserved for Siemens HiPath HDLC on 2002-01-25, as
    366  * requested by Tomas Kukosa.
    367  *
    368  * On 2004-02-25, a FreeBSD checkin to sys/net/bpf.h was made that
    369  * assigned 121 as DLT_PFSYNC.  Its libpcap does DLT_ <-> LINKTYPE_
    370  * mapping, so it probably supports capturing on the pfsync device
    371  * but not saving the captured data to a pcap file.
    372  *
    373  * OpenBSD, from which pf came, however, uses 18 for DLT_PFSYNC;
    374  * their libpcap does no DLT_ <-> LINKTYPE_ mapping, so it would
    375  * use 18 in pcap files as well.
    376  *
    377  * NetBSD and DragonFly BSD also use 18 for DLT_PFSYNC; their
    378  * libpcaps do DLT_ <-> LINKTYPE_ mapping, and neither has an entry
    379  * for DLT_PFSYNC, so it might not be able to write out dump files
    380  * with 18 as the link-layer header type.  (Earlier versions might
    381  * not have done mapping, in which case they'd work the same way
    382  * OpenBSD does.)
    383  *
    384  * Mac OS X defines it as 18, but doesn't appear to use it as of
    385  * Mac OS X 10.7.3.  Its libpcap does DLT_ <-> LINKTYPE_ mapping.
    386  *
    387  * We'll define DLT_PFSYNC as 121 on FreeBSD and define it as 18 on
    388  * all other platforms.  We'll define DLT_HHDLC as 121 on everything
    389  * except for FreeBSD; anybody who wants to compile, on FreeBSD, code
    390  * that uses DLT_HHDLC is out of luck.
    391  *
    392  * We'll define LINKTYPE_PFSYNC as 18, *even on FreeBSD*, and map
    393  * it, so that savefiles won't use 121 for PFSYNC - they'll all
    394  * use 18.  Code that uses pcap_datalink() to determine the link-layer
    395  * header type of a savefile won't, when built and run on FreeBSD,
    396  * be able to distinguish between LINKTYPE_PFSYNC and LINKTYPE_HHDLC
    397  * capture files; code that doesn't, such as the code in Wireshark,
    398  * will be able to distinguish between them.
    399  */
    400 #ifdef __FreeBSD__
    401 #define DLT_PFSYNC		121
    402 #else
    403 #define DLT_HHDLC		121
    404 #endif
    405 
    406 /*
    407  * This is for RFC 2625 IP-over-Fibre Channel.
    408  *
    409  * This is not for use with raw Fibre Channel, where the link-layer
    410  * header starts with a Fibre Channel frame header; it's for IP-over-FC,
    411  * where the link-layer header starts with an RFC 2625 Network_Header
    412  * field.
    413  */
    414 #define DLT_IP_OVER_FC		122
    415 
    416 /*
    417  * This is for Full Frontal ATM on Solaris with SunATM, with a
    418  * pseudo-header followed by an AALn PDU.
    419  *
    420  * There may be other forms of Full Frontal ATM on other OSes,
    421  * with different pseudo-headers.
    422  *
    423  * If ATM software returns a pseudo-header with VPI/VCI information
    424  * (and, ideally, packet type information, e.g. signalling, ILMI,
    425  * LANE, LLC-multiplexed traffic, etc.), it should not use
    426  * DLT_ATM_RFC1483, but should get a new DLT_ value, so tcpdump
    427  * and the like don't have to infer the presence or absence of a
    428  * pseudo-header and the form of the pseudo-header.
    429  */
    430 #define DLT_SUNATM		123	/* Solaris+SunATM */
    431 
    432 /*
    433  * Reserved as per request from Kent Dahlgren <kent (at) praesum.com>
    434  * for private use.
    435  */
    436 #define DLT_RIO                 124     /* RapidIO */
    437 #define DLT_PCI_EXP             125     /* PCI Express */
    438 #define DLT_AURORA              126     /* Xilinx Aurora link layer */
    439 
    440 /*
    441  * Header for 802.11 plus a number of bits of link-layer information
    442  * including radio information, used by some recent BSD drivers as
    443  * well as the madwifi Atheros driver for Linux.
    444  */
    445 #define DLT_IEEE802_11_RADIO	127	/* 802.11 plus radiotap radio header */
    446 
    447 /*
    448  * Reserved for the TZSP encapsulation, as per request from
    449  * Chris Waters <chris.waters (at) networkchemistry.com>
    450  * TZSP is a generic encapsulation for any other link type,
    451  * which includes a means to include meta-information
    452  * with the packet, e.g. signal strength and channel
    453  * for 802.11 packets.
    454  */
    455 #define DLT_TZSP                128     /* Tazmen Sniffer Protocol */
    456 
    457 /*
    458  * BSD's ARCNET headers have the source host, destination host,
    459  * and type at the beginning of the packet; that's what's handed
    460  * up to userland via BPF.
    461  *
    462  * Linux's ARCNET headers, however, have a 2-byte offset field
    463  * between the host IDs and the type; that's what's handed up
    464  * to userland via PF_PACKET sockets.
    465  *
    466  * We therefore have to have separate DLT_ values for them.
    467  */
    468 #define DLT_ARCNET_LINUX	129	/* ARCNET */
    469 
    470 /*
    471  * Juniper-private data link types, as per request from
    472  * Hannes Gredler <hannes (at) juniper.net>.  The DLT_s are used
    473  * for passing on chassis-internal metainformation such as
    474  * QOS profiles, etc..
    475  */
    476 #define DLT_JUNIPER_MLPPP       130
    477 #define DLT_JUNIPER_MLFR        131
    478 #define DLT_JUNIPER_ES          132
    479 #define DLT_JUNIPER_GGSN        133
    480 #define DLT_JUNIPER_MFR         134
    481 #define DLT_JUNIPER_ATM2        135
    482 #define DLT_JUNIPER_SERVICES    136
    483 #define DLT_JUNIPER_ATM1        137
    484 
    485 /*
    486  * Apple IP-over-IEEE 1394, as per a request from Dieter Siegmund
    487  * <dieter (at) apple.com>.  The header that's presented is an Ethernet-like
    488  * header:
    489  *
    490  *	#define FIREWIRE_EUI64_LEN	8
    491  *	struct firewire_header {
    492  *		u_char  firewire_dhost[FIREWIRE_EUI64_LEN];
    493  *		u_char  firewire_shost[FIREWIRE_EUI64_LEN];
    494  *		u_short firewire_type;
    495  *	};
    496  *
    497  * with "firewire_type" being an Ethernet type value, rather than,
    498  * for example, raw GASP frames being handed up.
    499  */
    500 #define DLT_APPLE_IP_OVER_IEEE1394	138
    501 
    502 /*
    503  * Various SS7 encapsulations, as per a request from Jeff Morriss
    504  * <jeff.morriss[AT]ulticom.com> and subsequent discussions.
    505  */
    506 #define DLT_MTP2_WITH_PHDR	139	/* pseudo-header with various info, followed by MTP2 */
    507 #define DLT_MTP2		140	/* MTP2, without pseudo-header */
    508 #define DLT_MTP3		141	/* MTP3, without pseudo-header or MTP2 */
    509 #define DLT_SCCP		142	/* SCCP, without pseudo-header or MTP2 or MTP3 */
    510 
    511 /*
    512  * DOCSIS MAC frames.
    513  */
    514 #define DLT_DOCSIS		143
    515 
    516 /*
    517  * Linux-IrDA packets. Protocol defined at http://www.irda.org.
    518  * Those packets include IrLAP headers and above (IrLMP...), but
    519  * don't include Phy framing (SOF/EOF/CRC & byte stuffing), because Phy
    520  * framing can be handled by the hardware and depend on the bitrate.
    521  * This is exactly the format you would get capturing on a Linux-IrDA
    522  * interface (irdaX), but not on a raw serial port.
    523  * Note the capture is done in "Linux-cooked" mode, so each packet include
    524  * a fake packet header (struct sll_header). This is because IrDA packet
    525  * decoding is dependant on the direction of the packet (incomming or
    526  * outgoing).
    527  * When/if other platform implement IrDA capture, we may revisit the
    528  * issue and define a real DLT_IRDA...
    529  * Jean II
    530  */
    531 #define DLT_LINUX_IRDA		144
    532 
    533 /*
    534  * Reserved for IBM SP switch and IBM Next Federation switch.
    535  */
    536 #define DLT_IBM_SP		145
    537 #define DLT_IBM_SN		146
    538 
    539 /*
    540  * Reserved for private use.  If you have some link-layer header type
    541  * that you want to use within your organization, with the capture files
    542  * using that link-layer header type not ever be sent outside your
    543  * organization, you can use these values.
    544  *
    545  * No libpcap release will use these for any purpose, nor will any
    546  * tcpdump release use them, either.
    547  *
    548  * Do *NOT* use these in capture files that you expect anybody not using
    549  * your private versions of capture-file-reading tools to read; in
    550  * particular, do *NOT* use them in products, otherwise you may find that
    551  * people won't be able to use tcpdump, or snort, or Ethereal, or... to
    552  * read capture files from your firewall/intrusion detection/traffic
    553  * monitoring/etc. appliance, or whatever product uses that DLT_ value,
    554  * and you may also find that the developers of those applications will
    555  * not accept patches to let them read those files.
    556  *
    557  * Also, do not use them if somebody might send you a capture using them
    558  * for *their* private type and tools using them for *your* private type
    559  * would have to read them.
    560  *
    561  * Instead, ask "tcpdump-workers (at) lists.tcpdump.org" for a new DLT_ value,
    562  * as per the comment above, and use the type you're given.
    563  */
    564 #define DLT_USER0		147
    565 #define DLT_USER1		148
    566 #define DLT_USER2		149
    567 #define DLT_USER3		150
    568 #define DLT_USER4		151
    569 #define DLT_USER5		152
    570 #define DLT_USER6		153
    571 #define DLT_USER7		154
    572 #define DLT_USER8		155
    573 #define DLT_USER9		156
    574 #define DLT_USER10		157
    575 #define DLT_USER11		158
    576 #define DLT_USER12		159
    577 #define DLT_USER13		160
    578 #define DLT_USER14		161
    579 #define DLT_USER15		162
    580 
    581 /*
    582  * For future use with 802.11 captures - defined by AbsoluteValue
    583  * Systems to store a number of bits of link-layer information
    584  * including radio information:
    585  *
    586  *	http://www.shaftnet.org/~pizza/software/capturefrm.txt
    587  *
    588  * but it might be used by some non-AVS drivers now or in the
    589  * future.
    590  */
    591 #define DLT_IEEE802_11_RADIO_AVS 163	/* 802.11 plus AVS radio header */
    592 
    593 /*
    594  * Juniper-private data link type, as per request from
    595  * Hannes Gredler <hannes (at) juniper.net>.  The DLT_s are used
    596  * for passing on chassis-internal metainformation such as
    597  * QOS profiles, etc..
    598  */
    599 #define DLT_JUNIPER_MONITOR     164
    600 
    601 /*
    602  * BACnet MS/TP frames.
    603  */
    604 #define DLT_BACNET_MS_TP	165
    605 
    606 /*
    607  * Another PPP variant as per request from Karsten Keil <kkeil (at) suse.de>.
    608  *
    609  * This is used in some OSes to allow a kernel socket filter to distinguish
    610  * between incoming and outgoing packets, on a socket intended to
    611  * supply pppd with outgoing packets so it can do dial-on-demand and
    612  * hangup-on-lack-of-demand; incoming packets are filtered out so they
    613  * don't cause pppd to hold the connection up (you don't want random
    614  * input packets such as port scans, packets from old lost connections,
    615  * etc. to force the connection to stay up).
    616  *
    617  * The first byte of the PPP header (0xff03) is modified to accomodate
    618  * the direction - 0x00 = IN, 0x01 = OUT.
    619  */
    620 #define DLT_PPP_PPPD		166
    621 
    622 /*
    623  * Names for backwards compatibility with older versions of some PPP
    624  * software; new software should use DLT_PPP_PPPD.
    625  */
    626 #define DLT_PPP_WITH_DIRECTION	DLT_PPP_PPPD
    627 #define DLT_LINUX_PPP_WITHDIRECTION	DLT_PPP_PPPD
    628 
    629 /*
    630  * Juniper-private data link type, as per request from
    631  * Hannes Gredler <hannes (at) juniper.net>.  The DLT_s are used
    632  * for passing on chassis-internal metainformation such as
    633  * QOS profiles, cookies, etc..
    634  */
    635 #define DLT_JUNIPER_PPPOE       167
    636 #define DLT_JUNIPER_PPPOE_ATM   168
    637 
    638 #define DLT_GPRS_LLC		169	/* GPRS LLC */
    639 #define DLT_GPF_T		170	/* GPF-T (ITU-T G.7041/Y.1303) */
    640 #define DLT_GPF_F		171	/* GPF-F (ITU-T G.7041/Y.1303) */
    641 
    642 /*
    643  * Requested by Oolan Zimmer <oz (at) gcom.com> for use in Gcom's T1/E1 line
    644  * monitoring equipment.
    645  */
    646 #define DLT_GCOM_T1E1		172
    647 #define DLT_GCOM_SERIAL		173
    648 
    649 /*
    650  * Juniper-private data link type, as per request from
    651  * Hannes Gredler <hannes (at) juniper.net>.  The DLT_ is used
    652  * for internal communication to Physical Interface Cards (PIC)
    653  */
    654 #define DLT_JUNIPER_PIC_PEER    174
    655 
    656 /*
    657  * Link types requested by Gregor Maier <gregor (at) endace.com> of Endace
    658  * Measurement Systems.  They add an ERF header (see
    659  * http://www.endace.com/support/EndaceRecordFormat.pdf) in front of
    660  * the link-layer header.
    661  */
    662 #define DLT_ERF_ETH		175	/* Ethernet */
    663 #define DLT_ERF_POS		176	/* Packet-over-SONET */
    664 
    665 /*
    666  * Requested by Daniele Orlandi <daniele (at) orlandi.com> for raw LAPD
    667  * for vISDN (http://www.orlandi.com/visdn/).  Its link-layer header
    668  * includes additional information before the LAPD header, so it's
    669  * not necessarily a generic LAPD header.
    670  */
    671 #define DLT_LINUX_LAPD		177
    672 
    673 /*
    674  * Juniper-private data link type, as per request from
    675  * Hannes Gredler <hannes (at) juniper.net>.
    676  * The DLT_ are used for prepending meta-information
    677  * like interface index, interface name
    678  * before standard Ethernet, PPP, Frelay & C-HDLC Frames
    679  */
    680 #define DLT_JUNIPER_ETHER       178
    681 #define DLT_JUNIPER_PPP         179
    682 #define DLT_JUNIPER_FRELAY      180
    683 #define DLT_JUNIPER_CHDLC       181
    684 
    685 /*
    686  * Multi Link Frame Relay (FRF.16)
    687  */
    688 #define DLT_MFR                 182
    689 
    690 /*
    691  * Juniper-private data link type, as per request from
    692  * Hannes Gredler <hannes (at) juniper.net>.
    693  * The DLT_ is used for internal communication with a
    694  * voice Adapter Card (PIC)
    695  */
    696 #define DLT_JUNIPER_VP          183
    697 
    698 /*
    699  * Arinc 429 frames.
    700  * DLT_ requested by Gianluca Varenni <gianluca.varenni (at) cacetech.com>.
    701  * Every frame contains a 32bit A429 label.
    702  * More documentation on Arinc 429 can be found at
    703  * http://www.condoreng.com/support/downloads/tutorials/ARINCTutorial.pdf
    704  */
    705 #define DLT_A429                184
    706 
    707 /*
    708  * Arinc 653 Interpartition Communication messages.
    709  * DLT_ requested by Gianluca Varenni <gianluca.varenni (at) cacetech.com>.
    710  * Please refer to the A653-1 standard for more information.
    711  */
    712 #define DLT_A653_ICM            185
    713 
    714 /*
    715  * USB packets, beginning with a USB setup header; requested by
    716  * Paolo Abeni <paolo.abeni (at) email.it>.
    717  */
    718 #define DLT_USB			186
    719 
    720 /*
    721  * Bluetooth HCI UART transport layer (part H:4); requested by
    722  * Paolo Abeni.
    723  */
    724 #define DLT_BLUETOOTH_HCI_H4	187
    725 
    726 /*
    727  * IEEE 802.16 MAC Common Part Sublayer; requested by Maria Cruz
    728  * <cruz_petagay (at) bah.com>.
    729  */
    730 #define DLT_IEEE802_16_MAC_CPS	188
    731 
    732 /*
    733  * USB packets, beginning with a Linux USB header; requested by
    734  * Paolo Abeni <paolo.abeni (at) email.it>.
    735  */
    736 #define DLT_USB_LINUX		189
    737 
    738 /*
    739  * Controller Area Network (CAN) v. 2.0B packets.
    740  * DLT_ requested by Gianluca Varenni <gianluca.varenni (at) cacetech.com>.
    741  * Used to dump CAN packets coming from a CAN Vector board.
    742  * More documentation on the CAN v2.0B frames can be found at
    743  * http://www.can-cia.org/downloads/?269
    744  */
    745 #define DLT_CAN20B              190
    746 
    747 /*
    748  * IEEE 802.15.4, with address fields padded, as is done by Linux
    749  * drivers; requested by Juergen Schimmer.
    750  */
    751 #define DLT_IEEE802_15_4_LINUX	191
    752 
    753 /*
    754  * Per Packet Information encapsulated packets.
    755  * DLT_ requested by Gianluca Varenni <gianluca.varenni (at) cacetech.com>.
    756  */
    757 #define DLT_PPI			192
    758 
    759 /*
    760  * Header for 802.16 MAC Common Part Sublayer plus a radiotap radio header;
    761  * requested by Charles Clancy.
    762  */
    763 #define DLT_IEEE802_16_MAC_CPS_RADIO	193
    764 
    765 /*
    766  * Juniper-private data link type, as per request from
    767  * Hannes Gredler <hannes (at) juniper.net>.
    768  * The DLT_ is used for internal communication with a
    769  * integrated service module (ISM).
    770  */
    771 #define DLT_JUNIPER_ISM         194
    772 
    773 /*
    774  * IEEE 802.15.4, exactly as it appears in the spec (no padding, no
    775  * nothing); requested by Mikko Saarnivala <mikko.saarnivala (at) sensinode.com>.
    776  * For this one, we expect the FCS to be present at the end of the frame;
    777  * if the frame has no FCS, DLT_IEEE802_15_4_NOFCS should be used.
    778  */
    779 #define DLT_IEEE802_15_4	195
    780 
    781 /*
    782  * Various link-layer types, with a pseudo-header, for SITA
    783  * (http://www.sita.aero/); requested by Fulko Hew (fulko.hew (at) gmail.com).
    784  */
    785 #define DLT_SITA		196
    786 
    787 /*
    788  * Various link-layer types, with a pseudo-header, for Endace DAG cards;
    789  * encapsulates Endace ERF records.  Requested by Stephen Donnelly
    790  * <stephen (at) endace.com>.
    791  */
    792 #define DLT_ERF			197
    793 
    794 /*
    795  * Special header prepended to Ethernet packets when capturing from a
    796  * u10 Networks board.  Requested by Phil Mulholland
    797  * <phil (at) u10networks.com>.
    798  */
    799 #define DLT_RAIF1		198
    800 
    801 /*
    802  * IPMB packet for IPMI, beginning with the I2C slave address, followed
    803  * by the netFn and LUN, etc..  Requested by Chanthy Toeung
    804  * <chanthy.toeung (at) ca.kontron.com>.
    805  */
    806 #define DLT_IPMB		199
    807 
    808 /*
    809  * Juniper-private data link type, as per request from
    810  * Hannes Gredler <hannes (at) juniper.net>.
    811  * The DLT_ is used for capturing data on a secure tunnel interface.
    812  */
    813 #define DLT_JUNIPER_ST          200
    814 
    815 /*
    816  * Bluetooth HCI UART transport layer (part H:4), with pseudo-header
    817  * that includes direction information; requested by Paolo Abeni.
    818  */
    819 #define DLT_BLUETOOTH_HCI_H4_WITH_PHDR	201
    820 
    821 /*
    822  * AX.25 packet with a 1-byte KISS header; see
    823  *
    824  *	http://www.ax25.net/kiss.htm
    825  *
    826  * as per Richard Stearn <richard (at) rns-stearn.demon.co.uk>.
    827  */
    828 #define DLT_AX25_KISS		202
    829 
    830 /*
    831  * LAPD packets from an ISDN channel, starting with the address field,
    832  * with no pseudo-header.
    833  * Requested by Varuna De Silva <varunax (at) gmail.com>.
    834  */
    835 #define DLT_LAPD		203
    836 
    837 /*
    838  * Variants of various link-layer headers, with a one-byte direction
    839  * pseudo-header prepended - zero means "received by this host",
    840  * non-zero (any non-zero value) means "sent by this host" - as per
    841  * Will Barker <w.barker (at) zen.co.uk>.
    842  */
    843 #define DLT_PPP_WITH_DIR	204	/* PPP - don't confuse with DLT_PPP_WITH_DIRECTION */
    844 #define DLT_C_HDLC_WITH_DIR	205	/* Cisco HDLC */
    845 #define DLT_FRELAY_WITH_DIR	206	/* Frame Relay */
    846 #define DLT_LAPB_WITH_DIR	207	/* LAPB */
    847 
    848 /*
    849  * 208 is reserved for an as-yet-unspecified proprietary link-layer
    850  * type, as requested by Will Barker.
    851  */
    852 
    853 /*
    854  * IPMB with a Linux-specific pseudo-header; as requested by Alexey Neyman
    855  * <avn (at) pigeonpoint.com>.
    856  */
    857 #define DLT_IPMB_LINUX		209
    858 
    859 /*
    860  * FlexRay automotive bus - http://www.flexray.com/ - as requested
    861  * by Hannes Kaelber <hannes.kaelber (at) x2e.de>.
    862  */
    863 #define DLT_FLEXRAY		210
    864 
    865 /*
    866  * Media Oriented Systems Transport (MOST) bus for multimedia
    867  * transport - http://www.mostcooperation.com/ - as requested
    868  * by Hannes Kaelber <hannes.kaelber (at) x2e.de>.
    869  */
    870 #define DLT_MOST		211
    871 
    872 /*
    873  * Local Interconnect Network (LIN) bus for vehicle networks -
    874  * http://www.lin-subbus.org/ - as requested by Hannes Kaelber
    875  * <hannes.kaelber (at) x2e.de>.
    876  */
    877 #define DLT_LIN			212
    878 
    879 /*
    880  * X2E-private data link type used for serial line capture,
    881  * as requested by Hannes Kaelber <hannes.kaelber (at) x2e.de>.
    882  */
    883 #define DLT_X2E_SERIAL		213
    884 
    885 /*
    886  * X2E-private data link type used for the Xoraya data logger
    887  * family, as requested by Hannes Kaelber <hannes.kaelber (at) x2e.de>.
    888  */
    889 #define DLT_X2E_XORAYA		214
    890 
    891 /*
    892  * IEEE 802.15.4, exactly as it appears in the spec (no padding, no
    893  * nothing), but with the PHY-level data for non-ASK PHYs (4 octets
    894  * of 0 as preamble, one octet of SFD, one octet of frame length+
    895  * reserved bit, and then the MAC-layer data, starting with the
    896  * frame control field).
    897  *
    898  * Requested by Max Filippov <jcmvbkbc (at) gmail.com>.
    899  */
    900 #define DLT_IEEE802_15_4_NONASK_PHY	215
    901 
    902 /*
    903  * David Gibson <david (at) gibson.dropbear.id.au> requested this for
    904  * captures from the Linux kernel /dev/input/eventN devices. This
    905  * is used to communicate keystrokes and mouse movements from the
    906  * Linux kernel to display systems, such as Xorg.
    907  */
    908 #define DLT_LINUX_EVDEV		216
    909 
    910 /*
    911  * GSM Um and Abis interfaces, preceded by a "gsmtap" header.
    912  *
    913  * Requested by Harald Welte <laforge (at) gnumonks.org>.
    914  */
    915 #define DLT_GSMTAP_UM		217
    916 #define DLT_GSMTAP_ABIS		218
    917 
    918 /*
    919  * MPLS, with an MPLS label as the link-layer header.
    920  * Requested by Michele Marchetto <michele (at) openbsd.org> on behalf
    921  * of OpenBSD.
    922  */
    923 #define DLT_MPLS		219
    924 
    925 /*
    926  * USB packets, beginning with a Linux USB header, with the USB header
    927  * padded to 64 bytes; required for memory-mapped access.
    928  */
    929 #define DLT_USB_LINUX_MMAPPED	220
    930 
    931 /*
    932  * DECT packets, with a pseudo-header; requested by
    933  * Matthias Wenzel <tcpdump (at) mazzoo.de>.
    934  */
    935 #define DLT_DECT		221
    936 
    937 /*
    938  * From: "Lidwa, Eric (GSFC-582.0)[SGT INC]" <eric.lidwa-1 (at) nasa.gov>
    939  * Date: Mon, 11 May 2009 11:18:30 -0500
    940  *
    941  * DLT_AOS. We need it for AOS Space Data Link Protocol.
    942  *   I have already written dissectors for but need an OK from
    943  *   legal before I can submit a patch.
    944  *
    945  */
    946 #define DLT_AOS                 222
    947 
    948 /*
    949  * Wireless HART (Highway Addressable Remote Transducer)
    950  * From the HART Communication Foundation
    951  * IES/PAS 62591
    952  *
    953  * Requested by Sam Roberts <vieuxtech (at) gmail.com>.
    954  */
    955 #define DLT_WIHART		223
    956 
    957 /*
    958  * Fibre Channel FC-2 frames, beginning with a Frame_Header.
    959  * Requested by Kahou Lei <kahou82 (at) gmail.com>.
    960  */
    961 #define DLT_FC_2		224
    962 
    963 /*
    964  * Fibre Channel FC-2 frames, beginning with an encoding of the
    965  * SOF, and ending with an encoding of the EOF.
    966  *
    967  * The encodings represent the frame delimiters as 4-byte sequences
    968  * representing the corresponding ordered sets, with K28.5
    969  * represented as 0xBC, and the D symbols as the corresponding
    970  * byte values; for example, SOFi2, which is K28.5 - D21.5 - D1.2 - D21.2,
    971  * is represented as 0xBC 0xB5 0x55 0x55.
    972  *
    973  * Requested by Kahou Lei <kahou82 (at) gmail.com>.
    974  */
    975 #define DLT_FC_2_WITH_FRAME_DELIMS	225
    976 
    977 /*
    978  * Solaris ipnet pseudo-header; requested by Darren Reed <Darren.Reed (at) Sun.COM>.
    979  *
    980  * The pseudo-header starts with a one-byte version number; for version 2,
    981  * the pseudo-header is:
    982  *
    983  * struct dl_ipnetinfo {
    984  *     u_int8_t   dli_version;
    985  *     u_int8_t   dli_family;
    986  *     u_int16_t  dli_htype;
    987  *     u_int32_t  dli_pktlen;
    988  *     u_int32_t  dli_ifindex;
    989  *     u_int32_t  dli_grifindex;
    990  *     u_int32_t  dli_zsrc;
    991  *     u_int32_t  dli_zdst;
    992  * };
    993  *
    994  * dli_version is 2 for the current version of the pseudo-header.
    995  *
    996  * dli_family is a Solaris address family value, so it's 2 for IPv4
    997  * and 26 for IPv6.
    998  *
    999  * dli_htype is a "hook type" - 0 for incoming packets, 1 for outgoing
   1000  * packets, and 2 for packets arriving from another zone on the same
   1001  * machine.
   1002  *
   1003  * dli_pktlen is the length of the packet data following the pseudo-header
   1004  * (so the captured length minus dli_pktlen is the length of the
   1005  * pseudo-header, assuming the entire pseudo-header was captured).
   1006  *
   1007  * dli_ifindex is the interface index of the interface on which the
   1008  * packet arrived.
   1009  *
   1010  * dli_grifindex is the group interface index number (for IPMP interfaces).
   1011  *
   1012  * dli_zsrc is the zone identifier for the source of the packet.
   1013  *
   1014  * dli_zdst is the zone identifier for the destination of the packet.
   1015  *
   1016  * A zone number of 0 is the global zone; a zone number of 0xffffffff
   1017  * means that the packet arrived from another host on the network, not
   1018  * from another zone on the same machine.
   1019  *
   1020  * An IPv4 or IPv6 datagram follows the pseudo-header; dli_family indicates
   1021  * which of those it is.
   1022  */
   1023 #define DLT_IPNET		226
   1024 
   1025 /*
   1026  * CAN (Controller Area Network) frames, with a pseudo-header as supplied
   1027  * by Linux SocketCAN.  See Documentation/networking/can.txt in the Linux
   1028  * source.
   1029  *
   1030  * Requested by Felix Obenhuber <felix (at) obenhuber.de>.
   1031  */
   1032 #define DLT_CAN_SOCKETCAN	227
   1033 
   1034 /*
   1035  * Raw IPv4/IPv6; different from DLT_RAW in that the DLT_ value specifies
   1036  * whether it's v4 or v6.  Requested by Darren Reed <Darren.Reed (at) Sun.COM>.
   1037  */
   1038 #define DLT_IPV4		228
   1039 #define DLT_IPV6		229
   1040 
   1041 /*
   1042  * IEEE 802.15.4, exactly as it appears in the spec (no padding, no
   1043  * nothing), and with no FCS at the end of the frame; requested by
   1044  * Jon Smirl <jonsmirl (at) gmail.com>.
   1045  */
   1046 #define DLT_IEEE802_15_4_NOFCS	230
   1047 
   1048 /*
   1049  * Raw D-Bus:
   1050  *
   1051  *	http://www.freedesktop.org/wiki/Software/dbus
   1052  *
   1053  * messages:
   1054  *
   1055  *	http://dbus.freedesktop.org/doc/dbus-specification.html#message-protocol-messages
   1056  *
   1057  * starting with the endianness flag, followed by the message type, etc.,
   1058  * but without the authentication handshake before the message sequence:
   1059  *
   1060  *	http://dbus.freedesktop.org/doc/dbus-specification.html#auth-protocol
   1061  *
   1062  * Requested by Martin Vidner <martin (at) vidner.net>.
   1063  */
   1064 #define DLT_DBUS		231
   1065 
   1066 /*
   1067  * Juniper-private data link type, as per request from
   1068  * Hannes Gredler <hannes (at) juniper.net>.
   1069  */
   1070 #define DLT_JUNIPER_VS			232
   1071 #define DLT_JUNIPER_SRX_E2E		233
   1072 #define DLT_JUNIPER_FIBRECHANNEL	234
   1073 
   1074 /*
   1075  * DVB-CI (DVB Common Interface for communication between a PC Card
   1076  * module and a DVB receiver).  See
   1077  *
   1078  *	http://www.kaiser.cx/pcap-dvbci.html
   1079  *
   1080  * for the specification.
   1081  *
   1082  * Requested by Martin Kaiser <martin (at) kaiser.cx>.
   1083  */
   1084 #define DLT_DVB_CI		235
   1085 
   1086 /*
   1087  * Variant of 3GPP TS 27.010 multiplexing protocol (similar to, but
   1088  * *not* the same as, 27.010).  Requested by Hans-Christoph Schemmel
   1089  * <hans-christoph.schemmel (at) cinterion.com>.
   1090  */
   1091 #define DLT_MUX27010		236
   1092 
   1093 /*
   1094  * STANAG 5066 D_PDUs.  Requested by M. Baris Demiray
   1095  * <barisdemiray (at) gmail.com>.
   1096  */
   1097 #define DLT_STANAG_5066_D_PDU	237
   1098 
   1099 /*
   1100  * Juniper-private data link type, as per request from
   1101  * Hannes Gredler <hannes (at) juniper.net>.
   1102  */
   1103 #define DLT_JUNIPER_ATM_CEMIC	238
   1104 
   1105 /*
   1106  * NetFilter LOG messages
   1107  * (payload of netlink NFNL_SUBSYS_ULOG/NFULNL_MSG_PACKET packets)
   1108  *
   1109  * Requested by Jakub Zawadzki <darkjames-ws (at) darkjames.pl>
   1110  */
   1111 #define DLT_NFLOG		239
   1112 
   1113 /*
   1114  * Hilscher Gesellschaft fuer Systemautomation mbH link-layer type
   1115  * for Ethernet packets with a 4-byte pseudo-header and always
   1116  * with the payload including the FCS, as supplied by their
   1117  * netANALYZER hardware and software.
   1118  *
   1119  * Requested by Holger P. Frommer <HPfrommer (at) hilscher.com>
   1120  */
   1121 #define DLT_NETANALYZER		240
   1122 
   1123 /*
   1124  * Hilscher Gesellschaft fuer Systemautomation mbH link-layer type
   1125  * for Ethernet packets with a 4-byte pseudo-header and FCS and
   1126  * with the Ethernet header preceded by 7 bytes of preamble and
   1127  * 1 byte of SFD, as supplied by their netANALYZER hardware and
   1128  * software.
   1129  *
   1130  * Requested by Holger P. Frommer <HPfrommer (at) hilscher.com>
   1131  */
   1132 #define DLT_NETANALYZER_TRANSPARENT	241
   1133 
   1134 /*
   1135  * IP-over-InfiniBand, as specified by RFC 4391.
   1136  *
   1137  * Requested by Petr Sumbera <petr.sumbera (at) oracle.com>.
   1138  */
   1139 #define DLT_IPOIB		242
   1140 
   1141 /*
   1142  * MPEG-2 transport stream (ISO 13818-1/ITU-T H.222.0).
   1143  *
   1144  * Requested by Guy Martin <gmsoft (at) tuxicoman.be>.
   1145  */
   1146 #define DLT_MPEG_2_TS		243
   1147 
   1148 /*
   1149  * ng4T GmbH's UMTS Iub/Iur-over-ATM and Iub/Iur-over-IP format as
   1150  * used by their ng40 protocol tester.
   1151  *
   1152  * Requested by Jens Grimmer <jens.grimmer (at) ng4t.com>.
   1153  */
   1154 #define DLT_NG40		244
   1155 
   1156 /*
   1157  * Pseudo-header giving adapter number and flags, followed by an NFC
   1158  * (Near-Field Communications) Logical Link Control Protocol (LLCP) PDU,
   1159  * as specified by NFC Forum Logical Link Control Protocol Technical
   1160  * Specification LLCP 1.1.
   1161  *
   1162  * Requested by Mike Wakerly <mikey (at) google.com>.
   1163  */
   1164 #define DLT_NFC_LLCP		245
   1165 
   1166 /*
   1167  * 245 is used as LINKTYPE_PFSYNC; do not use it for any other purpose.
   1168  *
   1169  * DLT_PFSYNC has different values on different platforms, and all of
   1170  * them collide with something used elsewhere.  On platforms that
   1171  * don't already define it, define it as 245.
   1172  */
   1173 #if !defined(__FreeBSD__) && !defined(__OpenBSD__) && !defined(__NetBSD__) && !defined(__DragonFly__) && !defined(__APPLE__)
   1174 #define DLT_PFSYNC		246
   1175 #endif
   1176 
   1177 /*
   1178  * Raw InfiniBand packets, starting with the Local Routing Header.
   1179  *
   1180  * Requested by Oren Kladnitsky <orenk (at) mellanox.com>.
   1181  */
   1182 #define DLT_INFINIBAND		247
   1183 
   1184 /*
   1185  * SCTP, with no lower-level protocols (i.e., no IPv4 or IPv6).
   1186  *
   1187  * Requested by Michael Tuexen <Michael.Tuexen (at) lurchi.franken.de>.
   1188  */
   1189 #define DLT_SCTP		248
   1190 
   1191 /*
   1192  * USB packets, beginning with a USBPcap header.
   1193  *
   1194  * Requested by Tomasz Mon <desowin (at) gmail.com>
   1195  */
   1196 #define DLT_USBPCAP		249
   1197 
   1198 /*
   1199  * Schweitzer Engineering Laboratories "RTAC" product serial-line
   1200  * packets.
   1201  *
   1202  * Requested by Chris Bontje <chris_bontje (at) selinc.com>.
   1203  */
   1204 #define DLT_RTAC_SERIAL		250
   1205 
   1206 /*
   1207  * Bluetooth Low Energy air interface link-layer packets.
   1208  *
   1209  * Requested by Mike Kershaw <dragorn (at) kismetwireless.net>.
   1210  */
   1211 #define DLT_BLUETOOTH_LE_LL	251
   1212 
   1213 /*
   1214  * DLT type for upper-protocol layer PDU saves from wireshark.
   1215  *
   1216  * the actual contents are determined by two TAGs stored with each
   1217  * packet:
   1218  *   EXP_PDU_TAG_LINKTYPE          the link type (LINKTYPE_ value) of the
   1219  *				   original packet.
   1220  *
   1221  *   EXP_PDU_TAG_PROTO_NAME        the name of the wireshark dissector
   1222  * 				   that can make sense of the data stored.
   1223  */
   1224 #define DLT_WIRESHARK_UPPER_PDU	252
   1225 
   1226 /*
   1227  * DLT type for the netlink protocol (nlmon devices).
   1228  */
   1229 #define DLT_NETLINK		253
   1230 
   1231 /*
   1232  * Bluetooth Linux Monitor headers for the BlueZ stack.
   1233  */
   1234 #define DLT_BLUETOOTH_LINUX_MONITOR	254
   1235 
   1236 /*
   1237  * Bluetooth Basic Rate/Enhanced Data Rate baseband packets, as
   1238  * captured by Ubertooth.
   1239  */
   1240 #define DLT_BLUETOOTH_BREDR_BB	255
   1241 
   1242 /*
   1243  * Bluetooth Low Energy link layer packets, as captured by Ubertooth.
   1244  */
   1245 #define DLT_BLUETOOTH_LE_LL_WITH_PHDR	256
   1246 
   1247 /*
   1248  * PROFIBUS data link layer.
   1249  */
   1250 #define DLT_PROFIBUS_DL		257
   1251 
   1252 /*
   1253  * Apple's DLT_PKTAP headers.
   1254  *
   1255  * Sadly, the folks at Apple either had no clue that the DLT_USERn values
   1256  * are for internal use within an organization and partners only, and
   1257  * didn't know that the right way to get a link-layer header type is to
   1258  * ask tcpdump.org for one, or knew and didn't care, so they just
   1259  * used DLT_USER2, which causes problems for everything except for
   1260  * their version of tcpdump.
   1261  *
   1262  * So I'll just give them one; hopefully this will show up in a
   1263  * libpcap release in time for them to get this into 10.10 Big Sur
   1264  * or whatever Mavericks' successor is called.  LINKTYPE_PKTAP
   1265  * will be 258 *even on OS X*; that is *intentional*, so that
   1266  * PKTAP files look the same on *all* OSes (different OSes can have
   1267  * different numerical values for a given DLT_, but *MUST NOT* have
   1268  * different values for what goes in a file, as files can be moved
   1269  * between OSes!).
   1270  *
   1271  * When capturing, on a system with a Darwin-based OS, on a device
   1272  * that returns 149 (DLT_USER2 and Apple's DLT_PKTAP) with this
   1273  * version of libpcap, the DLT_ value for the pcap_t  will be DLT_PKTAP,
   1274  * and that will continue to be DLT_USER2 on Darwin-based OSes. That way,
   1275  * binary compatibility with Mavericks is preserved for programs using
   1276  * this version of libpcap.  This does mean that if you were using
   1277  * DLT_USER2 for some capture device on OS X, you can't do so with
   1278  * this version of libpcap, just as you can't with Apple's libpcap -
   1279  * on OS X, they define DLT_PKTAP to be DLT_USER2, so programs won't
   1280  * be able to distinguish between PKTAP and whatever you were using
   1281  * DLT_USER2 for.
   1282  *
   1283  * If the program saves the capture to a file using this version of
   1284  * libpcap's pcap_dump code, the LINKTYPE_ value in the file will be
   1285  * LINKTYPE_PKTAP, which will be 258, even on Darwin-based OSes.
   1286  * That way, the file will *not* be a DLT_USER2 file.  That means
   1287  * that the latest version of tcpdump, when built with this version
   1288  * of libpcap, and sufficiently recent versions of Wireshark will
   1289  * be able to read those files and interpret them correctly; however,
   1290  * Apple's version of tcpdump in OS X 10.9 won't be able to handle
   1291  * them.  (Hopefully, Apple will pick up this version of libpcap,
   1292  * and the corresponding version of tcpdump, so that tcpdump will
   1293  * be able to handle the old LINKTYPE_USER2 captures *and* the new
   1294  * LINKTYPE_PKTAP captures.)
   1295  */
   1296 #ifdef __APPLE__
   1297 #define DLT_PKTAP	DLT_USER2
   1298 #else
   1299 #define DLT_PKTAP	258
   1300 #endif
   1301 
   1302 /*
   1303  * Ethernet packets preceded by a header giving the last 6 octets
   1304  * of the preamble specified by 802.3-2012 Clause 65, section
   1305  * 65.1.3.2 "Transmit".
   1306  */
   1307 #define DLT_EPON	259
   1308 
   1309 /*
   1310  * IPMI trace packets, as specified by Table 3-20 "Trace Data Block Format"
   1311  * in the PICMG HPM.2 specification.
   1312  */
   1313 #define DLT_IPMI_HPM_2	260
   1314 
   1315 /*
   1316  * per  Joshua Wright <jwright (at) hasborg.com>, formats for Zwave captures.
   1317  */
   1318 #define DLT_ZWAVE_R1_R2  261
   1319 #define DLT_ZWAVE_R3     262
   1320 
   1321 /*
   1322  * per Steve Karg <skarg (at) users.sourceforge.net>, formats for Wattstopper
   1323  * Digital Lighting Management room bus serial protocol captures.
   1324  */
   1325 #define DLT_WATTSTOPPER_DLM     263
   1326 
   1327 #define DLT_MATCHING_MAX	263	/* highest value in the "matching" range */
   1328 
   1329 /*
   1330  * DLT and savefile link type values are split into a class and
   1331  * a member of that class.  A class value of 0 indicates a regular
   1332  * DLT_/LINKTYPE_ value.
   1333  */
   1334 #define DLT_CLASS(x)		((x) & 0x03ff0000)
   1335 
   1336 /*
   1337  * NetBSD-specific generic "raw" link type.  The class value indicates
   1338  * that this is the generic raw type, and the lower 16 bits are the
   1339  * address family we're dealing with.  Those values are NetBSD-specific;
   1340  * do not assume that they correspond to AF_ values for your operating
   1341  * system.
   1342  */
   1343 #define	DLT_CLASS_NETBSD_RAWAF	0x02240000
   1344 #define	DLT_NETBSD_RAWAF(af)	(DLT_CLASS_NETBSD_RAWAF | (af))
   1345 #define	DLT_NETBSD_RAWAF_AF(x)	((x) & 0x0000ffff)
   1346 #define	DLT_IS_NETBSD_RAWAF(x)	(DLT_CLASS(x) == DLT_CLASS_NETBSD_RAWAF)
   1347 
   1348 
   1349 /*
   1350  * The instruction encodings.
   1351  *
   1352  * Please inform tcpdump-workers (at) lists.tcpdump.org if you use any
   1353  * of the reserved values, so that we can note that they're used
   1354  * (and perhaps implement it in the reference BPF implementation
   1355  * and encourage its implementation elsewhere).
   1356  */
   1357 
   1358 /*
   1359  * The upper 8 bits of the opcode aren't used. BSD/OS used 0x8000.
   1360  */
   1361 
   1362 /* instruction classes */
   1363 #define BPF_CLASS(code) ((code) & 0x07)
   1364 #define		BPF_LD		0x00
   1365 #define		BPF_LDX		0x01
   1366 #define		BPF_ST		0x02
   1367 #define		BPF_STX		0x03
   1368 #define		BPF_ALU		0x04
   1369 #define		BPF_JMP		0x05
   1370 #define		BPF_RET		0x06
   1371 #define		BPF_MISC	0x07
   1372 
   1373 /* ld/ldx fields */
   1374 #define BPF_SIZE(code)	((code) & 0x18)
   1375 #define		BPF_W		0x00
   1376 #define		BPF_H		0x08
   1377 #define		BPF_B		0x10
   1378 /*				0x18	reserved; used by BSD/OS */
   1379 #define BPF_MODE(code)	((code) & 0xe0)
   1380 #define		BPF_IMM 	0x00
   1381 #define		BPF_ABS		0x20
   1382 #define		BPF_IND		0x40
   1383 #define		BPF_MEM		0x60
   1384 #define		BPF_LEN		0x80
   1385 #define		BPF_MSH		0xa0
   1386 /*				0xc0	reserved; used by BSD/OS */
   1387 /*				0xe0	reserved; used by BSD/OS */
   1388 
   1389 /* alu/jmp fields */
   1390 #define BPF_OP(code)	((code) & 0xf0)
   1391 #define		BPF_ADD		0x00
   1392 #define		BPF_SUB		0x10
   1393 #define		BPF_MUL		0x20
   1394 #define		BPF_DIV		0x30
   1395 #define		BPF_OR		0x40
   1396 #define		BPF_AND		0x50
   1397 #define		BPF_LSH		0x60
   1398 #define		BPF_RSH		0x70
   1399 #define		BPF_NEG		0x80
   1400 #define		BPF_MOD		0x90
   1401 #define		BPF_XOR		0xa0
   1402 /*				0xb0	reserved */
   1403 /*				0xc0	reserved */
   1404 /*				0xd0	reserved */
   1405 /*				0xe0	reserved */
   1406 /*				0xf0	reserved */
   1407 
   1408 #define		BPF_JA		0x00
   1409 #define		BPF_JEQ		0x10
   1410 #define		BPF_JGT		0x20
   1411 #define		BPF_JGE		0x30
   1412 #define		BPF_JSET	0x40
   1413 /*				0x50	reserved; used on BSD/OS */
   1414 /*				0x60	reserved */
   1415 /*				0x70	reserved */
   1416 /*				0x80	reserved */
   1417 /*				0x90	reserved */
   1418 /*				0xa0	reserved */
   1419 /*				0xb0	reserved */
   1420 /*				0xc0	reserved */
   1421 /*				0xd0	reserved */
   1422 /*				0xe0	reserved */
   1423 /*				0xf0	reserved */
   1424 #define BPF_SRC(code)	((code) & 0x08)
   1425 #define		BPF_K		0x00
   1426 #define		BPF_X		0x08
   1427 
   1428 /* ret - BPF_K and BPF_X also apply */
   1429 #define BPF_RVAL(code)	((code) & 0x18)
   1430 #define		BPF_A		0x10
   1431 /*				0x18	reserved */
   1432 
   1433 /* misc */
   1434 #define BPF_MISCOP(code) ((code) & 0xf8)
   1435 #define		BPF_TAX		0x00
   1436 /*				0x08	reserved */
   1437 /*				0x10	reserved */
   1438 /*				0x18	reserved */
   1439 /* #define	BPF_COP		0x20	NetBSD "coprocessor" extensions */
   1440 /*				0x28	reserved */
   1441 /*				0x30	reserved */
   1442 /*				0x38	reserved */
   1443 /* #define	BPF_COPX	0x40	NetBSD "coprocessor" extensions */
   1444 /*					also used on BSD/OS */
   1445 /*				0x48	reserved */
   1446 /*				0x50	reserved */
   1447 /*				0x58	reserved */
   1448 /*				0x60	reserved */
   1449 /*				0x68	reserved */
   1450 /*				0x70	reserved */
   1451 /*				0x78	reserved */
   1452 #define		BPF_TXA		0x80
   1453 /*				0x88	reserved */
   1454 /*				0x90	reserved */
   1455 /*				0x98	reserved */
   1456 /*				0xa0	reserved */
   1457 /*				0xa8	reserved */
   1458 /*				0xb0	reserved */
   1459 /*				0xb8	reserved */
   1460 /*				0xc0	reserved; used on BSD/OS */
   1461 /*				0xc8	reserved */
   1462 /*				0xd0	reserved */
   1463 /*				0xd8	reserved */
   1464 /*				0xe0	reserved */
   1465 /*				0xe8	reserved */
   1466 /*				0xf0	reserved */
   1467 /*				0xf8	reserved */
   1468 
   1469 /*
   1470  * The instruction data structure.
   1471  */
   1472 struct bpf_insn {
   1473 	u_short	code;
   1474 	u_char 	jt;
   1475 	u_char 	jf;
   1476 	bpf_u_int32 k;
   1477 };
   1478 
   1479 /*
   1480  * Auxiliary data, for use when interpreting a filter intended for the
   1481  * Linux kernel when the kernel rejects the filter (requiring us to
   1482  * run it in userland).  It contains VLAN tag information.
   1483  */
   1484 struct bpf_aux_data {
   1485 	u_short vlan_tag_present;
   1486 	u_short vlan_tag;
   1487 };
   1488 
   1489 /*
   1490  * Macros for insn array initializers.
   1491  */
   1492 #define BPF_STMT(code, k) { (u_short)(code), 0, 0, k }
   1493 #define BPF_JUMP(code, k, jt, jf) { (u_short)(code), jt, jf, k }
   1494 
   1495 #if __STDC__ || defined(__cplusplus)
   1496 extern int bpf_validate(const struct bpf_insn *, int);
   1497 extern u_int bpf_filter(const struct bpf_insn *, const u_char *, u_int, u_int);
   1498 extern u_int bpf_filter_with_aux_data(const struct bpf_insn *, const u_char *, u_int, u_int, const struct bpf_aux_data *);
   1499 #else
   1500 extern int bpf_validate();
   1501 extern u_int bpf_filter();
   1502 extern u_int bpf_filter();
   1503 #endif
   1504 
   1505 /*
   1506  * Number of scratch memory words (for BPF_LD|BPF_MEM and BPF_ST).
   1507  */
   1508 #define BPF_MEMWORDS 16
   1509 
   1510 #ifdef __cplusplus
   1511 }
   1512 #endif
   1513 
   1514 #endif /* !defined(_NET_BPF_H_) && !defined(_BPF_H_) && !defined(_H_BPF) && !defined(lib_pcap_bpf_h) */
   1515