1 /*- 2 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997 3 * The Regents of the University of California. All rights reserved. 4 * 5 * This code is derived from the Stanford/CMU enet packet filter, 6 * (net/enet.c) distributed as part of 4.3BSD, and code contributed 7 * to Berkeley by Steven McCanne and Van Jacobson both of Lawrence 8 * Berkeley Laboratory. 9 * 10 * Redistribution and use in source and binary forms, with or without 11 * modification, are permitted provided that the following conditions 12 * are met: 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 3. All advertising materials mentioning features or use of this software 19 * must display the following acknowledgement: 20 * This product includes software developed by the University of 21 * California, Berkeley and its contributors. 22 * 4. Neither the name of the University nor the names of its contributors 23 * may be used to endorse or promote products derived from this software 24 * without specific prior written permission. 25 * 26 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 27 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 28 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 29 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 30 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 31 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 32 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 33 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 34 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 35 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 36 * SUCH DAMAGE. 37 * 38 * @(#)bpf.h 7.1 (Berkeley) 5/7/91 39 * 40 * @(#) $Header: /tcpdump/master/libpcap/pcap-bpf.h,v 1.9.2.9 2004/03/28 21:45:32 fenner Exp $ (LBL) 41 */ 42 43 /* 44 * This is libpcap's cut-down version of bpf.h; it includes only 45 * the stuff needed for the code generator and the userland BPF 46 * interpreter, and the libpcap APIs for setting filters, etc.. 47 * 48 * "pcap-bpf.c" will include the native OS version, as it deals with 49 * the OS's BPF implementation. 50 * 51 * XXX - should this all just be moved to "pcap.h"? 52 */ 53 54 #ifndef BPF_MAJOR_VERSION 55 56 #ifdef __cplusplus 57 extern "C" { 58 #endif 59 60 /* BSD style release date */ 61 #define BPF_RELEASE 199606 62 63 typedef int bpf_int32; 64 typedef u_int bpf_u_int32; 65 66 /* 67 * Alignment macros. BPF_WORDALIGN rounds up to the next 68 * even multiple of BPF_ALIGNMENT. 69 */ 70 #ifndef __NetBSD__ 71 #define BPF_ALIGNMENT sizeof(bpf_int32) 72 #else 73 #define BPF_ALIGNMENT sizeof(long) 74 #endif 75 #define BPF_WORDALIGN(x) (((x)+(BPF_ALIGNMENT-1))&~(BPF_ALIGNMENT-1)) 76 77 #define BPF_MAXINSNS 512 78 #define BPF_MAXBUFSIZE 0x8000 79 #define BPF_MINBUFSIZE 32 80 81 /* 82 * Structure for "pcap_compile()", "pcap_setfilter()", etc.. 83 */ 84 struct bpf_program { 85 u_int bf_len; 86 struct bpf_insn *bf_insns; 87 }; 88 89 /* 90 * Struct return by BIOCVERSION. This represents the version number of 91 * the filter language described by the instruction encodings below. 92 * bpf understands a program iff kernel_major == filter_major && 93 * kernel_minor >= filter_minor, that is, if the value returned by the 94 * running kernel has the same major number and a minor number equal 95 * equal to or less than the filter being downloaded. Otherwise, the 96 * results are undefined, meaning an error may be returned or packets 97 * may be accepted haphazardly. 98 * It has nothing to do with the source code version. 99 */ 100 struct bpf_version { 101 u_short bv_major; 102 u_short bv_minor; 103 }; 104 /* Current version number of filter architecture. */ 105 #define BPF_MAJOR_VERSION 1 106 #define BPF_MINOR_VERSION 1 107 108 /* 109 * Data-link level type codes. 110 * 111 * Do *NOT* add new values to this list without asking 112 * "tcpdump-workers@tcpdump.org" for a value. Otherwise, you run the 113 * risk of using a value that's already being used for some other purpose, 114 * and of having tools that read libpcap-format captures not being able 115 * to handle captures with your new DLT_ value, with no hope that they 116 * will ever be changed to do so (as that would destroy their ability 117 * to read captures using that value for that other purpose). 118 */ 119 120 /* 121 * These are the types that are the same on all platforms, and that 122 * have been defined by <net/bpf.h> for ages. 123 */ 124 #define DLT_NULL 0 /* no link-layer encapsulation */ 125 #define DLT_EN10MB 1 /* Ethernet (10Mb) */ 126 #define DLT_EN3MB 2 /* Experimental Ethernet (3Mb) */ 127 #define DLT_AX25 3 /* Amateur Radio AX.25 */ 128 #define DLT_PRONET 4 /* Proteon ProNET Token Ring */ 129 #define DLT_CHAOS 5 /* Chaos */ 130 #define DLT_IEEE802 6 /* IEEE 802 Networks */ 131 #define DLT_ARCNET 7 /* ARCNET, with BSD-style header */ 132 #define DLT_SLIP 8 /* Serial Line IP */ 133 #define DLT_PPP 9 /* Point-to-point Protocol */ 134 #define DLT_FDDI 10 /* FDDI */ 135 136 /* 137 * These are types that are different on some platforms, and that 138 * have been defined by <net/bpf.h> for ages. We use #ifdefs to 139 * detect the BSDs that define them differently from the traditional 140 * libpcap <net/bpf.h> 141 * 142 * XXX - DLT_ATM_RFC1483 is 13 in BSD/OS, and DLT_RAW is 14 in BSD/OS, 143 * but I don't know what the right #define is for BSD/OS. 144 */ 145 #define DLT_ATM_RFC1483 11 /* LLC/SNAP encapsulated atm */ 146 147 #ifdef __OpenBSD__ 148 #define DLT_RAW 14 /* raw IP */ 149 #else 150 #define DLT_RAW 12 /* raw IP */ 151 #endif 152 153 /* 154 * Given that the only OS that currently generates BSD/OS SLIP or PPP 155 * is, well, BSD/OS, arguably everybody should have chosen its values 156 * for DLT_SLIP_BSDOS and DLT_PPP_BSDOS, which are 15 and 16, but they 157 * didn't. So it goes. 158 */ 159 #if defined(__NetBSD__) || defined(__FreeBSD__) 160 #ifndef DLT_SLIP_BSDOS 161 #define DLT_SLIP_BSDOS 13 /* BSD/OS Serial Line IP */ 162 #define DLT_PPP_BSDOS 14 /* BSD/OS Point-to-point Protocol */ 163 #endif 164 #else 165 #define DLT_SLIP_BSDOS 15 /* BSD/OS Serial Line IP */ 166 #define DLT_PPP_BSDOS 16 /* BSD/OS Point-to-point Protocol */ 167 #endif 168 169 /* 170 * 17 is used for DLT_OLD_PFLOG in OpenBSD; 171 * OBSOLETE: DLT_PFLOG is 117 in OpenBSD now as well. See below. 172 * 18 is used for DLT_PFSYNC in OpenBSD; don't use it for anything else. 173 */ 174 175 #define DLT_ATM_CLIP 19 /* Linux Classical-IP over ATM */ 176 177 /* 178 * These values are defined by NetBSD; other platforms should refrain from 179 * using them for other purposes, so that NetBSD savefiles with link 180 * types of 50 or 51 can be read as this type on all platforms. 181 */ 182 #define DLT_PPP_SERIAL 50 /* PPP over serial with HDLC encapsulation */ 183 #define DLT_PPP_ETHER 51 /* PPP over Ethernet */ 184 185 /* 186 * The Axent Raptor firewall - now the Symantec Enterprise Firewall - uses 187 * a link-layer type of 99 for the tcpdump it supplies. The link-layer 188 * header has 6 bytes of unknown data, something that appears to be an 189 * Ethernet type, and 36 bytes that appear to be 0 in at least one capture 190 * I've seen. 191 */ 192 #define DLT_SYMANTEC_FIREWALL 99 193 194 /* 195 * Values between 100 and 103 are used in capture file headers as 196 * link-layer types corresponding to DLT_ types that differ 197 * between platforms; don't use those values for new DLT_ new types. 198 */ 199 200 /* 201 * This value was defined by libpcap 0.5; platforms that have defined 202 * it with a different value should define it here with that value - 203 * a link type of 104 in a save file will be mapped to DLT_C_HDLC, 204 * whatever value that happens to be, so programs will correctly 205 * handle files with that link type regardless of the value of 206 * DLT_C_HDLC. 207 * 208 * The name DLT_C_HDLC was used by BSD/OS; we use that name for source 209 * compatibility with programs written for BSD/OS. 210 * 211 * libpcap 0.5 defined it as DLT_CHDLC; we define DLT_CHDLC as well, 212 * for source compatibility with programs written for libpcap 0.5. 213 */ 214 #define DLT_C_HDLC 104 /* Cisco HDLC */ 215 #define DLT_CHDLC DLT_C_HDLC 216 217 #define DLT_IEEE802_11 105 /* IEEE 802.11 wireless */ 218 219 /* 220 * 106 is reserved for Linux Classical IP over ATM; it's like DLT_RAW, 221 * except when it isn't. (I.e., sometimes it's just raw IP, and 222 * sometimes it isn't.) We currently handle it as DLT_LINUX_SLL, 223 * so that we don't have to worry about the link-layer header.) 224 */ 225 226 /* 227 * Frame Relay; BSD/OS has a DLT_FR with a value of 11, but that collides 228 * with other values. 229 * DLT_FR and DLT_FRELAY packets start with the Q.922 Frame Relay header 230 * (DLCI, etc.). 231 */ 232 #define DLT_FRELAY 107 233 234 /* 235 * OpenBSD DLT_LOOP, for loopback devices; it's like DLT_NULL, except 236 * that the AF_ type in the link-layer header is in network byte order. 237 * 238 * OpenBSD defines it as 12, but that collides with DLT_RAW, so we 239 * define it as 108 here. If OpenBSD picks up this file, it should 240 * define DLT_LOOP as 12 in its version, as per the comment above - 241 * and should not use 108 as a DLT_ value. 242 */ 243 #define DLT_LOOP 108 244 245 /* 246 * Encapsulated packets for IPsec; DLT_ENC is 13 in OpenBSD, but that's 247 * DLT_SLIP_BSDOS in NetBSD, so we don't use 13 for it in OSes other 248 * than OpenBSD. 249 */ 250 #ifdef __OpenBSD__ 251 #define DLT_ENC 13 252 #else 253 #define DLT_ENC 109 254 #endif 255 256 /* 257 * Values between 110 and 112 are reserved for use in capture file headers 258 * as link-layer types corresponding to DLT_ types that might differ 259 * between platforms; don't use those values for new DLT_ types 260 * other than the corresponding DLT_ types. 261 */ 262 263 /* 264 * This is for Linux cooked sockets. 265 */ 266 #define DLT_LINUX_SLL 113 267 268 /* 269 * Apple LocalTalk hardware. 270 */ 271 #define DLT_LTALK 114 272 273 /* 274 * Acorn Econet. 275 */ 276 #define DLT_ECONET 115 277 278 /* 279 * Reserved for use with OpenBSD ipfilter. 280 */ 281 #define DLT_IPFILTER 116 282 283 /* 284 * OpenBSD DLT_PFLOG; DLT_PFLOG is 17 in OpenBSD, but that's DLT_LANE8023 285 * in SuSE 6.3, so we can't use 17 for it in capture-file headers. 286 * 287 * XXX: is there a conflict with DLT_PFSYNC 18 as well? 288 */ 289 #ifdef __OpenBSD__ 290 #define DLT_OLD_PFLOG 17 291 #define DLT_PFSYNC 18 292 #endif 293 #define DLT_PFLOG 117 294 295 /* 296 * Registered for Cisco-internal use. 297 */ 298 #define DLT_CISCO_IOS 118 299 300 /* 301 * For 802.11 cards using the Prism II chips, with a link-layer 302 * header including Prism monitor mode information plus an 802.11 303 * header. 304 */ 305 #define DLT_PRISM_HEADER 119 306 307 /* 308 * Reserved for Aironet 802.11 cards, with an Aironet link-layer header 309 * (see Doug Ambrisko's FreeBSD patches). 310 */ 311 #define DLT_AIRONET_HEADER 120 312 313 /* 314 * Reserved for Siemens HiPath HDLC. 315 */ 316 #define DLT_HHDLC 121 317 318 /* 319 * This is for RFC 2625 IP-over-Fibre Channel. 320 * 321 * This is not for use with raw Fibre Channel, where the link-layer 322 * header starts with a Fibre Channel frame header; it's for IP-over-FC, 323 * where the link-layer header starts with an RFC 2625 Network_Header 324 * field. 325 */ 326 #define DLT_IP_OVER_FC 122 327 328 /* 329 * This is for Full Frontal ATM on Solaris with SunATM, with a 330 * pseudo-header followed by an AALn PDU. 331 * 332 * There may be other forms of Full Frontal ATM on other OSes, 333 * with different pseudo-headers. 334 * 335 * If ATM software returns a pseudo-header with VPI/VCI information 336 * (and, ideally, packet type information, e.g. signalling, ILMI, 337 * LANE, LLC-multiplexed traffic, etc.), it should not use 338 * DLT_ATM_RFC1483, but should get a new DLT_ value, so tcpdump 339 * and the like don't have to infer the presence or absence of a 340 * pseudo-header and the form of the pseudo-header. 341 */ 342 #define DLT_SUNATM 123 /* Solaris+SunATM */ 343 344 /* 345 * Reserved as per request from Kent Dahlgren <kent@praesum.com> 346 * for private use. 347 */ 348 #define DLT_RIO 124 /* RapidIO */ 349 #define DLT_PCI_EXP 125 /* PCI Express */ 350 #define DLT_AURORA 126 /* Xilinx Aurora link layer */ 351 352 /* 353 * BSD header for 802.11 plus a number of bits of link-layer information 354 * including radio information. 355 */ 356 #define DLT_IEEE802_11_RADIO 127 /* 802.11 plus BSD radio header */ 357 358 /* 359 * Reserved for the TZSP encapsulation, as per request from 360 * Chris Waters <chris.waters@networkchemistry.com> 361 * TZSP is a generic encapsulation for any other link type, 362 * which includes a means to include meta-information 363 * with the packet, e.g. signal strength and channel 364 * for 802.11 packets. 365 */ 366 #define DLT_TZSP 128 /* Tazmen Sniffer Protocol */ 367 368 /* 369 * BSD's ARCNET headers have the source host, destination host, 370 * and type at the beginning of the packet; that's what's handed 371 * up to userland via BPF. 372 * 373 * Linux's ARCNET headers, however, have a 2-byte offset field 374 * between the host IDs and the type; that's what's handed up 375 * to userland via PF_PACKET sockets. 376 * 377 * We therefore have to have separate DLT_ values for them. 378 */ 379 #define DLT_ARCNET_LINUX 129 /* ARCNET */ 380 381 /* 382 * Juniper-private data link types, as per request from 383 * Hannes Gredler <hannes@juniper.net>. The DLT_s are used 384 * for passing on chassis-internal metainformation such as 385 * QOS profiles, etc.. 386 */ 387 #define DLT_JUNIPER_MLPPP 130 388 #define DLT_JUNIPER_MLFR 131 389 #define DLT_JUNIPER_ES 132 390 #define DLT_JUNIPER_GGSN 133 391 #define DLT_JUNIPER_MFR 134 392 #define DLT_JUNIPER_ATM2 135 393 #define DLT_JUNIPER_SERVICES 136 394 #define DLT_JUNIPER_ATM1 137 395 396 /* 397 * Apple IP-over-IEEE 1394, as per a request from Dieter Siegmund 398 * <dieter@apple.com>. The header that's presented is an Ethernet-like 399 * header: 400 * 401 * #define FIREWIRE_EUI64_LEN 8 402 * struct firewire_header { 403 * u_char firewire_dhost[FIREWIRE_EUI64_LEN]; 404 * u_char firewire_shost[FIREWIRE_EUI64_LEN]; 405 * u_short firewire_type; 406 * }; 407 * 408 * with "firewire_type" being an Ethernet type value, rather than, 409 * for example, raw GASP frames being handed up. 410 */ 411 #define DLT_APPLE_IP_OVER_IEEE1394 138 412 413 /* 414 * 139 through 142 are reserved for SS7. 415 */ 416 417 /* 418 * Reserved for DOCSIS MAC frames. 419 */ 420 #define DLT_DOCSIS 143 421 422 /* 423 * Linux-IrDA packets. Protocol defined at http://www.irda.org. 424 * Those packets include IrLAP headers and above (IrLMP...), but 425 * don't include Phy framing (SOF/EOF/CRC & byte stuffing), because Phy 426 * framing can be handled by the hardware and depend on the bitrate. 427 * This is exactly the format you would get capturing on a Linux-IrDA 428 * interface (irdaX), but not on a raw serial port. 429 * Note the capture is done in "Linux-cooked" mode, so each packet include 430 * a fake packet header (struct sll_header). This is because IrDA packet 431 * decoding is dependant on the direction of the packet (incomming or 432 * outgoing). 433 * When/if other platform implement IrDA capture, we may revisit the 434 * issue and define a real DLT_IRDA... 435 * Jean II 436 */ 437 #define DLT_LINUX_IRDA 144 438 439 /* 440 * Reserved for IBM SP switch and IBM Next Federation switch. 441 */ 442 #define DLT_IBM_SP 145 443 #define DLT_IBM_SN 146 444 445 /* 446 * Reserved for private use. If you have some link-layer header type 447 * that you want to use within your organization, with the capture files 448 * using that link-layer header type not ever be sent outside your 449 * organization, you can use these values. 450 * 451 * No libpcap release will use these for any purpose, nor will any 452 * tcpdump release use them, either. 453 * 454 * Do *NOT* use these in capture files that you expect anybody not using 455 * your private versions of capture-file-reading tools to read; in 456 * particular, do *NOT* use them in products, otherwise you may find that 457 * people won't be able to use tcpdump, or snort, or Ethereal, or... to 458 * read capture files from your firewall/intrusion detection/traffic 459 * monitoring/etc. appliance, or whatever product uses that DLT_ value, 460 * and you may also find that the developers of those applications will 461 * not accept patches to let them read those files. 462 * 463 * Also, do not use them if somebody might send you a capture using them 464 * for *their* private type and tools using them for *your* private type 465 * would have to read them. 466 * 467 * Instead, ask "tcpdump-workers@tcpdump.org" for a new DLT_ value, 468 * as per the comment above, and use the type you're given. 469 */ 470 #define DLT_USER0 147 471 #define DLT_USER1 148 472 #define DLT_USER2 149 473 #define DLT_USER3 150 474 #define DLT_USER4 151 475 #define DLT_USER5 152 476 #define DLT_USER6 153 477 #define DLT_USER7 154 478 #define DLT_USER8 155 479 #define DLT_USER9 156 480 #define DLT_USER10 157 481 #define DLT_USER11 158 482 #define DLT_USER12 159 483 #define DLT_USER13 160 484 #define DLT_USER14 161 485 #define DLT_USER15 162 486 487 /* 488 * For future use with 802.11 captures - defined by AbsoluteValue 489 * Systems to store a number of bits of link-layer information 490 * including radio information: 491 * 492 * http://www.shaftnet.org/~pizza/software/capturefrm.txt 493 * 494 * but could and arguably should also be used by non-AVS Linux 495 * 802.11 drivers; that may happen in the future. 496 */ 497 #define DLT_IEEE802_11_RADIO_AVS 163 /* 802.11 plus AVS radio header */ 498 499 /* 500 * Juniper-private data link type, as per request from 501 * Hannes Gredler <hannes@juniper.net>. The DLT_s are used 502 * for passing on chassis-internal metainformation such as 503 * QOS profiles, etc.. 504 */ 505 #define DLT_JUNIPER_MONITOR 164 506 507 /* 508 * The instruction encodings. 509 */ 510 /* instruction classes */ 511 #define BPF_CLASS(code) ((code) & 0x07) 512 #define BPF_LD 0x00 513 #define BPF_LDX 0x01 514 #define BPF_ST 0x02 515 #define BPF_STX 0x03 516 #define BPF_ALU 0x04 517 #define BPF_JMP 0x05 518 #define BPF_RET 0x06 519 #define BPF_MISC 0x07 520 521 /* ld/ldx fields */ 522 #define BPF_SIZE(code) ((code) & 0x18) 523 #define BPF_W 0x00 524 #define BPF_H 0x08 525 #define BPF_B 0x10 526 #define BPF_MODE(code) ((code) & 0xe0) 527 #define BPF_IMM 0x00 528 #define BPF_ABS 0x20 529 #define BPF_IND 0x40 530 #define BPF_MEM 0x60 531 #define BPF_LEN 0x80 532 #define BPF_MSH 0xa0 533 534 /* alu/jmp fields */ 535 #define BPF_OP(code) ((code) & 0xf0) 536 #define BPF_ADD 0x00 537 #define BPF_SUB 0x10 538 #define BPF_MUL 0x20 539 #define BPF_DIV 0x30 540 #define BPF_OR 0x40 541 #define BPF_AND 0x50 542 #define BPF_LSH 0x60 543 #define BPF_RSH 0x70 544 #define BPF_NEG 0x80 545 #define BPF_JA 0x00 546 #define BPF_JEQ 0x10 547 #define BPF_JGT 0x20 548 #define BPF_JGE 0x30 549 #define BPF_JSET 0x40 550 #define BPF_SRC(code) ((code) & 0x08) 551 #define BPF_K 0x00 552 #define BPF_X 0x08 553 554 /* ret - BPF_K and BPF_X also apply */ 555 #define BPF_RVAL(code) ((code) & 0x18) 556 #define BPF_A 0x10 557 558 /* misc */ 559 #define BPF_MISCOP(code) ((code) & 0xf8) 560 #define BPF_TAX 0x00 561 #define BPF_TXA 0x80 562 563 /* 564 * The instruction data structure. 565 */ 566 struct bpf_insn { 567 u_short code; 568 u_char jt; 569 u_char jf; 570 bpf_int32 k; 571 }; 572 573 /* 574 * Macros for insn array initializers. 575 */ 576 #define BPF_STMT(code, k) { (u_short)(code), 0, 0, k } 577 #define BPF_JUMP(code, k, jt, jf) { (u_short)(code), jt, jf, k } 578 579 #if __STDC__ || defined(__cplusplus) 580 extern int bpf_validate(struct bpf_insn *, int); 581 extern u_int bpf_filter(struct bpf_insn *, u_char *, u_int, u_int); 582 #else 583 extern int bpf_validate(); 584 extern u_int bpf_filter(); 585 #endif 586 587 /* 588 * Number of scratch memory words (for BPF_LD|BPF_MEM and BPF_ST). 589 */ 590 #define BPF_MEMWORDS 16 591 592 #ifdef __cplusplus 593 } 594 #endif 595 596 #endif 597