xref: /freebsd/contrib/libpcap/pcap/bpf.h (revision bb15ca603fa442c72dde3f3cb8b46db6970e3950)
1 /*-
2  * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997
3  *	The Regents of the University of California.  All rights reserved.
4  *
5  * This code is derived from the Stanford/CMU enet packet filter,
6  * (net/enet.c) distributed as part of 4.3BSD, and code contributed
7  * to Berkeley by Steven McCanne and Van Jacobson both of Lawrence
8  * Berkeley Laboratory.
9  *
10  * Redistribution and use in source and binary forms, with or without
11  * modification, are permitted provided that the following conditions
12  * are met:
13  * 1. Redistributions of source code must retain the above copyright
14  *    notice, this list of conditions and the following disclaimer.
15  * 2. Redistributions in binary form must reproduce the above copyright
16  *    notice, this list of conditions and the following disclaimer in the
17  *    documentation and/or other materials provided with the distribution.
18  * 3. All advertising materials mentioning features or use of this software
19  *    must display the following acknowledgement:
20  *      This product includes software developed by the University of
21  *      California, Berkeley and its contributors.
22  * 4. Neither the name of the University nor the names of its contributors
23  *    may be used to endorse or promote products derived from this software
24  *    without specific prior written permission.
25  *
26  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
27  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
28  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
29  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
30  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
31  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
32  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
33  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
34  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
35  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
36  * SUCH DAMAGE.
37  *
38  *      @(#)bpf.h       7.1 (Berkeley) 5/7/91
39  *
40  * @(#) $Header: /tcpdump/master/libpcap/pcap/bpf.h,v 1.32 2008-12-23 20:13:29 guy Exp $ (LBL)
41  */
42 
43 /*
44  * This is libpcap's cut-down version of bpf.h; it includes only
45  * the stuff needed for the code generator and the userland BPF
46  * interpreter, and the libpcap APIs for setting filters, etc..
47  *
48  * "pcap-bpf.c" will include the native OS version, as it deals with
49  * the OS's BPF implementation.
50  *
51  * XXX - should this all just be moved to "pcap.h"?
52  */
53 
54 #ifndef BPF_MAJOR_VERSION
55 
56 #ifdef __cplusplus
57 extern "C" {
58 #endif
59 
60 /* BSD style release date */
61 #define BPF_RELEASE 199606
62 
63 #ifdef MSDOS /* must be 32-bit */
64 typedef long          bpf_int32;
65 typedef unsigned long bpf_u_int32;
66 #else
67 typedef	int bpf_int32;
68 typedef	u_int bpf_u_int32;
69 #endif
70 
71 /*
72  * Alignment macros.  BPF_WORDALIGN rounds up to the next
73  * even multiple of BPF_ALIGNMENT.
74  */
75 #ifndef __NetBSD__
76 #define BPF_ALIGNMENT sizeof(bpf_int32)
77 #else
78 #define BPF_ALIGNMENT sizeof(long)
79 #endif
80 #define BPF_WORDALIGN(x) (((x)+(BPF_ALIGNMENT-1))&~(BPF_ALIGNMENT-1))
81 
82 #define BPF_MAXBUFSIZE 0x8000
83 #define BPF_MINBUFSIZE 32
84 
85 /*
86  * Structure for "pcap_compile()", "pcap_setfilter()", etc..
87  */
88 struct bpf_program {
89 	u_int bf_len;
90 	struct bpf_insn *bf_insns;
91 };
92 
93 /*
94  * Struct return by BIOCVERSION.  This represents the version number of
95  * the filter language described by the instruction encodings below.
96  * bpf understands a program iff kernel_major == filter_major &&
97  * kernel_minor >= filter_minor, that is, if the value returned by the
98  * running kernel has the same major number and a minor number equal
99  * equal to or less than the filter being downloaded.  Otherwise, the
100  * results are undefined, meaning an error may be returned or packets
101  * may be accepted haphazardly.
102  * It has nothing to do with the source code version.
103  */
104 struct bpf_version {
105 	u_short bv_major;
106 	u_short bv_minor;
107 };
108 /* Current version number of filter architecture. */
109 #define BPF_MAJOR_VERSION 1
110 #define BPF_MINOR_VERSION 1
111 
112 /*
113  * Data-link level type codes.
114  *
115  * Do *NOT* add new values to this list without asking
116  * "tcpdump-workers@lists.tcpdump.org" for a value.  Otherwise, you run
117  * the risk of using a value that's already being used for some other
118  * purpose, and of having tools that read libpcap-format captures not
119  * being able to handle captures with your new DLT_ value, with no hope
120  * that they will ever be changed to do so (as that would destroy their
121  * ability to read captures using that value for that other purpose).
122  */
123 
124 /*
125  * These are the types that are the same on all platforms, and that
126  * have been defined by <net/bpf.h> for ages.
127  */
128 #define DLT_NULL	0	/* BSD loopback encapsulation */
129 #define DLT_EN10MB	1	/* Ethernet (10Mb) */
130 #define DLT_EN3MB	2	/* Experimental Ethernet (3Mb) */
131 #define DLT_AX25	3	/* Amateur Radio AX.25 */
132 #define DLT_PRONET	4	/* Proteon ProNET Token Ring */
133 #define DLT_CHAOS	5	/* Chaos */
134 #define DLT_IEEE802	6	/* 802.5 Token Ring */
135 #define DLT_ARCNET	7	/* ARCNET, with BSD-style header */
136 #define DLT_SLIP	8	/* Serial Line IP */
137 #define DLT_PPP		9	/* Point-to-point Protocol */
138 #define DLT_FDDI	10	/* FDDI */
139 
140 /*
141  * These are types that are different on some platforms, and that
142  * have been defined by <net/bpf.h> for ages.  We use #ifdefs to
143  * detect the BSDs that define them differently from the traditional
144  * libpcap <net/bpf.h>
145  *
146  * XXX - DLT_ATM_RFC1483 is 13 in BSD/OS, and DLT_RAW is 14 in BSD/OS,
147  * but I don't know what the right #define is for BSD/OS.
148  */
149 #define DLT_ATM_RFC1483	11	/* LLC-encapsulated ATM */
150 
151 #ifdef __OpenBSD__
152 #define DLT_RAW		14	/* raw IP */
153 #else
154 #define DLT_RAW		12	/* raw IP */
155 #endif
156 
157 /*
158  * Given that the only OS that currently generates BSD/OS SLIP or PPP
159  * is, well, BSD/OS, arguably everybody should have chosen its values
160  * for DLT_SLIP_BSDOS and DLT_PPP_BSDOS, which are 15 and 16, but they
161  * didn't.  So it goes.
162  */
163 #if defined(__NetBSD__) || defined(__FreeBSD__)
164 #ifndef DLT_SLIP_BSDOS
165 #define DLT_SLIP_BSDOS	13	/* BSD/OS Serial Line IP */
166 #define DLT_PPP_BSDOS	14	/* BSD/OS Point-to-point Protocol */
167 #endif
168 #else
169 #define DLT_SLIP_BSDOS	15	/* BSD/OS Serial Line IP */
170 #define DLT_PPP_BSDOS	16	/* BSD/OS Point-to-point Protocol */
171 #endif
172 
173 /*
174  * 17 is used for DLT_OLD_PFLOG in OpenBSD;
175  *     OBSOLETE: DLT_PFLOG is 117 in OpenBSD now as well. See below.
176  * 18 is used for DLT_PFSYNC in OpenBSD; don't use it for anything else.
177  */
178 
179 #define DLT_ATM_CLIP	19	/* Linux Classical-IP over ATM */
180 
181 /*
182  * Apparently Redback uses this for its SmartEdge 400/800.  I hope
183  * nobody else decided to use it, too.
184  */
185 #define DLT_REDBACK_SMARTEDGE	32
186 
187 /*
188  * These values are defined by NetBSD; other platforms should refrain from
189  * using them for other purposes, so that NetBSD savefiles with link
190  * types of 50 or 51 can be read as this type on all platforms.
191  */
192 #define DLT_PPP_SERIAL	50	/* PPP over serial with HDLC encapsulation */
193 #define DLT_PPP_ETHER	51	/* PPP over Ethernet */
194 
195 /*
196  * The Axent Raptor firewall - now the Symantec Enterprise Firewall - uses
197  * a link-layer type of 99 for the tcpdump it supplies.  The link-layer
198  * header has 6 bytes of unknown data, something that appears to be an
199  * Ethernet type, and 36 bytes that appear to be 0 in at least one capture
200  * I've seen.
201  */
202 #define DLT_SYMANTEC_FIREWALL	99
203 
204 /*
205  * Values between 100 and 103 are used in capture file headers as
206  * link-layer types corresponding to DLT_ types that differ
207  * between platforms; don't use those values for new DLT_ new types.
208  */
209 
210 /*
211  * This value was defined by libpcap 0.5; platforms that have defined
212  * it with a different value should define it here with that value -
213  * a link type of 104 in a save file will be mapped to DLT_C_HDLC,
214  * whatever value that happens to be, so programs will correctly
215  * handle files with that link type regardless of the value of
216  * DLT_C_HDLC.
217  *
218  * The name DLT_C_HDLC was used by BSD/OS; we use that name for source
219  * compatibility with programs written for BSD/OS.
220  *
221  * libpcap 0.5 defined it as DLT_CHDLC; we define DLT_CHDLC as well,
222  * for source compatibility with programs written for libpcap 0.5.
223  */
224 #define DLT_C_HDLC	104	/* Cisco HDLC */
225 #define DLT_CHDLC	DLT_C_HDLC
226 
227 #define DLT_IEEE802_11	105	/* IEEE 802.11 wireless */
228 
229 /*
230  * 106 is reserved for Linux Classical IP over ATM; it's like DLT_RAW,
231  * except when it isn't.  (I.e., sometimes it's just raw IP, and
232  * sometimes it isn't.)  We currently handle it as DLT_LINUX_SLL,
233  * so that we don't have to worry about the link-layer header.)
234  */
235 
236 /*
237  * Frame Relay; BSD/OS has a DLT_FR with a value of 11, but that collides
238  * with other values.
239  * DLT_FR and DLT_FRELAY packets start with the Q.922 Frame Relay header
240  * (DLCI, etc.).
241  */
242 #define DLT_FRELAY	107
243 
244 /*
245  * OpenBSD DLT_LOOP, for loopback devices; it's like DLT_NULL, except
246  * that the AF_ type in the link-layer header is in network byte order.
247  *
248  * DLT_LOOP is 12 in OpenBSD, but that's DLT_RAW in other OSes, so
249  * we don't use 12 for it in OSes other than OpenBSD.
250  */
251 #ifdef __OpenBSD__
252 #define DLT_LOOP	12
253 #else
254 #define DLT_LOOP	108
255 #endif
256 
257 /*
258  * Encapsulated packets for IPsec; DLT_ENC is 13 in OpenBSD, but that's
259  * DLT_SLIP_BSDOS in NetBSD, so we don't use 13 for it in OSes other
260  * than OpenBSD.
261  */
262 #ifdef __OpenBSD__
263 #define DLT_ENC		13
264 #else
265 #define DLT_ENC		109
266 #endif
267 
268 /*
269  * Values between 110 and 112 are reserved for use in capture file headers
270  * as link-layer types corresponding to DLT_ types that might differ
271  * between platforms; don't use those values for new DLT_ types
272  * other than the corresponding DLT_ types.
273  */
274 
275 /*
276  * This is for Linux cooked sockets.
277  */
278 #define DLT_LINUX_SLL	113
279 
280 /*
281  * Apple LocalTalk hardware.
282  */
283 #define DLT_LTALK	114
284 
285 /*
286  * Acorn Econet.
287  */
288 #define DLT_ECONET	115
289 
290 /*
291  * Reserved for use with OpenBSD ipfilter.
292  */
293 #define DLT_IPFILTER	116
294 
295 /*
296  * OpenBSD DLT_PFLOG; DLT_PFLOG is 17 in OpenBSD, but that's DLT_LANE8023
297  * in SuSE 6.3, so we can't use 17 for it in capture-file headers.
298  *
299  * XXX: is there a conflict with DLT_PFSYNC 18 as well?
300  */
301 #ifdef __OpenBSD__
302 #define DLT_OLD_PFLOG	17
303 #define DLT_PFSYNC	18
304 #endif
305 #define DLT_PFLOG	117
306 
307 /*
308  * Registered for Cisco-internal use.
309  */
310 #define DLT_CISCO_IOS	118
311 
312 /*
313  * For 802.11 cards using the Prism II chips, with a link-layer
314  * header including Prism monitor mode information plus an 802.11
315  * header.
316  */
317 #define DLT_PRISM_HEADER	119
318 
319 /*
320  * Reserved for Aironet 802.11 cards, with an Aironet link-layer header
321  * (see Doug Ambrisko's FreeBSD patches).
322  */
323 #define DLT_AIRONET_HEADER	120
324 
325 /*
326  * Reserved for Siemens HiPath HDLC.
327  */
328 #define DLT_HHDLC		121
329 
330 /*
331  * This is for RFC 2625 IP-over-Fibre Channel.
332  *
333  * This is not for use with raw Fibre Channel, where the link-layer
334  * header starts with a Fibre Channel frame header; it's for IP-over-FC,
335  * where the link-layer header starts with an RFC 2625 Network_Header
336  * field.
337  */
338 #define DLT_IP_OVER_FC		122
339 
340 /*
341  * This is for Full Frontal ATM on Solaris with SunATM, with a
342  * pseudo-header followed by an AALn PDU.
343  *
344  * There may be other forms of Full Frontal ATM on other OSes,
345  * with different pseudo-headers.
346  *
347  * If ATM software returns a pseudo-header with VPI/VCI information
348  * (and, ideally, packet type information, e.g. signalling, ILMI,
349  * LANE, LLC-multiplexed traffic, etc.), it should not use
350  * DLT_ATM_RFC1483, but should get a new DLT_ value, so tcpdump
351  * and the like don't have to infer the presence or absence of a
352  * pseudo-header and the form of the pseudo-header.
353  */
354 #define DLT_SUNATM		123	/* Solaris+SunATM */
355 
356 /*
357  * Reserved as per request from Kent Dahlgren <kent@praesum.com>
358  * for private use.
359  */
360 #define DLT_RIO                 124     /* RapidIO */
361 #define DLT_PCI_EXP             125     /* PCI Express */
362 #define DLT_AURORA              126     /* Xilinx Aurora link layer */
363 
364 /*
365  * Header for 802.11 plus a number of bits of link-layer information
366  * including radio information, used by some recent BSD drivers as
367  * well as the madwifi Atheros driver for Linux.
368  */
369 #define DLT_IEEE802_11_RADIO	127	/* 802.11 plus radiotap radio header */
370 
371 /*
372  * Reserved for the TZSP encapsulation, as per request from
373  * Chris Waters <chris.waters@networkchemistry.com>
374  * TZSP is a generic encapsulation for any other link type,
375  * which includes a means to include meta-information
376  * with the packet, e.g. signal strength and channel
377  * for 802.11 packets.
378  */
379 #define DLT_TZSP                128     /* Tazmen Sniffer Protocol */
380 
381 /*
382  * BSD's ARCNET headers have the source host, destination host,
383  * and type at the beginning of the packet; that's what's handed
384  * up to userland via BPF.
385  *
386  * Linux's ARCNET headers, however, have a 2-byte offset field
387  * between the host IDs and the type; that's what's handed up
388  * to userland via PF_PACKET sockets.
389  *
390  * We therefore have to have separate DLT_ values for them.
391  */
392 #define DLT_ARCNET_LINUX	129	/* ARCNET */
393 
394 /*
395  * Juniper-private data link types, as per request from
396  * Hannes Gredler <hannes@juniper.net>.  The DLT_s are used
397  * for passing on chassis-internal metainformation such as
398  * QOS profiles, etc..
399  */
400 #define DLT_JUNIPER_MLPPP       130
401 #define DLT_JUNIPER_MLFR        131
402 #define DLT_JUNIPER_ES          132
403 #define DLT_JUNIPER_GGSN        133
404 #define DLT_JUNIPER_MFR         134
405 #define DLT_JUNIPER_ATM2        135
406 #define DLT_JUNIPER_SERVICES    136
407 #define DLT_JUNIPER_ATM1        137
408 
409 /*
410  * Apple IP-over-IEEE 1394, as per a request from Dieter Siegmund
411  * <dieter@apple.com>.  The header that's presented is an Ethernet-like
412  * header:
413  *
414  *	#define FIREWIRE_EUI64_LEN	8
415  *	struct firewire_header {
416  *		u_char  firewire_dhost[FIREWIRE_EUI64_LEN];
417  *		u_char  firewire_shost[FIREWIRE_EUI64_LEN];
418  *		u_short firewire_type;
419  *	};
420  *
421  * with "firewire_type" being an Ethernet type value, rather than,
422  * for example, raw GASP frames being handed up.
423  */
424 #define DLT_APPLE_IP_OVER_IEEE1394	138
425 
426 /*
427  * Various SS7 encapsulations, as per a request from Jeff Morriss
428  * <jeff.morriss[AT]ulticom.com> and subsequent discussions.
429  */
430 #define DLT_MTP2_WITH_PHDR	139	/* pseudo-header with various info, followed by MTP2 */
431 #define DLT_MTP2		140	/* MTP2, without pseudo-header */
432 #define DLT_MTP3		141	/* MTP3, without pseudo-header or MTP2 */
433 #define DLT_SCCP		142	/* SCCP, without pseudo-header or MTP2 or MTP3 */
434 
435 /*
436  * DOCSIS MAC frames.
437  */
438 #define DLT_DOCSIS		143
439 
440 /*
441  * Linux-IrDA packets. Protocol defined at http://www.irda.org.
442  * Those packets include IrLAP headers and above (IrLMP...), but
443  * don't include Phy framing (SOF/EOF/CRC & byte stuffing), because Phy
444  * framing can be handled by the hardware and depend on the bitrate.
445  * This is exactly the format you would get capturing on a Linux-IrDA
446  * interface (irdaX), but not on a raw serial port.
447  * Note the capture is done in "Linux-cooked" mode, so each packet include
448  * a fake packet header (struct sll_header). This is because IrDA packet
449  * decoding is dependant on the direction of the packet (incomming or
450  * outgoing).
451  * When/if other platform implement IrDA capture, we may revisit the
452  * issue and define a real DLT_IRDA...
453  * Jean II
454  */
455 #define DLT_LINUX_IRDA		144
456 
457 /*
458  * Reserved for IBM SP switch and IBM Next Federation switch.
459  */
460 #define DLT_IBM_SP		145
461 #define DLT_IBM_SN		146
462 
463 /*
464  * Reserved for private use.  If you have some link-layer header type
465  * that you want to use within your organization, with the capture files
466  * using that link-layer header type not ever be sent outside your
467  * organization, you can use these values.
468  *
469  * No libpcap release will use these for any purpose, nor will any
470  * tcpdump release use them, either.
471  *
472  * Do *NOT* use these in capture files that you expect anybody not using
473  * your private versions of capture-file-reading tools to read; in
474  * particular, do *NOT* use them in products, otherwise you may find that
475  * people won't be able to use tcpdump, or snort, or Ethereal, or... to
476  * read capture files from your firewall/intrusion detection/traffic
477  * monitoring/etc. appliance, or whatever product uses that DLT_ value,
478  * and you may also find that the developers of those applications will
479  * not accept patches to let them read those files.
480  *
481  * Also, do not use them if somebody might send you a capture using them
482  * for *their* private type and tools using them for *your* private type
483  * would have to read them.
484  *
485  * Instead, ask "tcpdump-workers@lists.tcpdump.org" for a new DLT_ value,
486  * as per the comment above, and use the type you're given.
487  */
488 #define DLT_USER0		147
489 #define DLT_USER1		148
490 #define DLT_USER2		149
491 #define DLT_USER3		150
492 #define DLT_USER4		151
493 #define DLT_USER5		152
494 #define DLT_USER6		153
495 #define DLT_USER7		154
496 #define DLT_USER8		155
497 #define DLT_USER9		156
498 #define DLT_USER10		157
499 #define DLT_USER11		158
500 #define DLT_USER12		159
501 #define DLT_USER13		160
502 #define DLT_USER14		161
503 #define DLT_USER15		162
504 
505 /*
506  * For future use with 802.11 captures - defined by AbsoluteValue
507  * Systems to store a number of bits of link-layer information
508  * including radio information:
509  *
510  *	http://www.shaftnet.org/~pizza/software/capturefrm.txt
511  *
512  * but it might be used by some non-AVS drivers now or in the
513  * future.
514  */
515 #define DLT_IEEE802_11_RADIO_AVS 163	/* 802.11 plus AVS radio header */
516 
517 /*
518  * Juniper-private data link type, as per request from
519  * Hannes Gredler <hannes@juniper.net>.  The DLT_s are used
520  * for passing on chassis-internal metainformation such as
521  * QOS profiles, etc..
522  */
523 #define DLT_JUNIPER_MONITOR     164
524 
525 /*
526  * Reserved for BACnet MS/TP.
527  */
528 #define DLT_BACNET_MS_TP	165
529 
530 /*
531  * Another PPP variant as per request from Karsten Keil <kkeil@suse.de>.
532  *
533  * This is used in some OSes to allow a kernel socket filter to distinguish
534  * between incoming and outgoing packets, on a socket intended to
535  * supply pppd with outgoing packets so it can do dial-on-demand and
536  * hangup-on-lack-of-demand; incoming packets are filtered out so they
537  * don't cause pppd to hold the connection up (you don't want random
538  * input packets such as port scans, packets from old lost connections,
539  * etc. to force the connection to stay up).
540  *
541  * The first byte of the PPP header (0xff03) is modified to accomodate
542  * the direction - 0x00 = IN, 0x01 = OUT.
543  */
544 #define DLT_PPP_PPPD		166
545 
546 /*
547  * Names for backwards compatibility with older versions of some PPP
548  * software; new software should use DLT_PPP_PPPD.
549  */
550 #define DLT_PPP_WITH_DIRECTION	DLT_PPP_PPPD
551 #define DLT_LINUX_PPP_WITHDIRECTION	DLT_PPP_PPPD
552 
553 /*
554  * Juniper-private data link type, as per request from
555  * Hannes Gredler <hannes@juniper.net>.  The DLT_s are used
556  * for passing on chassis-internal metainformation such as
557  * QOS profiles, cookies, etc..
558  */
559 #define DLT_JUNIPER_PPPOE       167
560 #define DLT_JUNIPER_PPPOE_ATM   168
561 
562 #define DLT_GPRS_LLC		169	/* GPRS LLC */
563 #define DLT_GPF_T		170	/* GPF-T (ITU-T G.7041/Y.1303) */
564 #define DLT_GPF_F		171	/* GPF-F (ITU-T G.7041/Y.1303) */
565 
566 /*
567  * Requested by Oolan Zimmer <oz@gcom.com> for use in Gcom's T1/E1 line
568  * monitoring equipment.
569  */
570 #define DLT_GCOM_T1E1		172
571 #define DLT_GCOM_SERIAL		173
572 
573 /*
574  * Juniper-private data link type, as per request from
575  * Hannes Gredler <hannes@juniper.net>.  The DLT_ is used
576  * for internal communication to Physical Interface Cards (PIC)
577  */
578 #define DLT_JUNIPER_PIC_PEER    174
579 
580 /*
581  * Link types requested by Gregor Maier <gregor@endace.com> of Endace
582  * Measurement Systems.  They add an ERF header (see
583  * http://www.endace.com/support/EndaceRecordFormat.pdf) in front of
584  * the link-layer header.
585  */
586 #define DLT_ERF_ETH		175	/* Ethernet */
587 #define DLT_ERF_POS		176	/* Packet-over-SONET */
588 
589 /*
590  * Requested by Daniele Orlandi <daniele@orlandi.com> for raw LAPD
591  * for vISDN (http://www.orlandi.com/visdn/).  Its link-layer header
592  * includes additional information before the LAPD header, so it's
593  * not necessarily a generic LAPD header.
594  */
595 #define DLT_LINUX_LAPD		177
596 
597 /*
598  * Juniper-private data link type, as per request from
599  * Hannes Gredler <hannes@juniper.net>.
600  * The DLT_ are used for prepending meta-information
601  * like interface index, interface name
602  * before standard Ethernet, PPP, Frelay & C-HDLC Frames
603  */
604 #define DLT_JUNIPER_ETHER       178
605 #define DLT_JUNIPER_PPP         179
606 #define DLT_JUNIPER_FRELAY      180
607 #define DLT_JUNIPER_CHDLC       181
608 
609 /*
610  * Multi Link Frame Relay (FRF.16)
611  */
612 #define DLT_MFR                 182
613 
614 /*
615  * Juniper-private data link type, as per request from
616  * Hannes Gredler <hannes@juniper.net>.
617  * The DLT_ is used for internal communication with a
618  * voice Adapter Card (PIC)
619  */
620 #define DLT_JUNIPER_VP          183
621 
622 /*
623  * Arinc 429 frames.
624  * DLT_ requested by Gianluca Varenni <gianluca.varenni@cacetech.com>.
625  * Every frame contains a 32bit A429 label.
626  * More documentation on Arinc 429 can be found at
627  * http://www.condoreng.com/support/downloads/tutorials/ARINCTutorial.pdf
628  */
629 #define DLT_A429                184
630 
631 /*
632  * Arinc 653 Interpartition Communication messages.
633  * DLT_ requested by Gianluca Varenni <gianluca.varenni@cacetech.com>.
634  * Please refer to the A653-1 standard for more information.
635  */
636 #define DLT_A653_ICM            185
637 
638 /*
639  * USB packets, beginning with a USB setup header; requested by
640  * Paolo Abeni <paolo.abeni@email.it>.
641  */
642 #define DLT_USB			186
643 
644 /*
645  * Bluetooth HCI UART transport layer (part H:4); requested by
646  * Paolo Abeni.
647  */
648 #define DLT_BLUETOOTH_HCI_H4	187
649 
650 /*
651  * IEEE 802.16 MAC Common Part Sublayer; requested by Maria Cruz
652  * <cruz_petagay@bah.com>.
653  */
654 #define DLT_IEEE802_16_MAC_CPS	188
655 
656 /*
657  * USB packets, beginning with a Linux USB header; requested by
658  * Paolo Abeni <paolo.abeni@email.it>.
659  */
660 #define DLT_USB_LINUX		189
661 
662 /*
663  * Controller Area Network (CAN) v. 2.0B packets.
664  * DLT_ requested by Gianluca Varenni <gianluca.varenni@cacetech.com>.
665  * Used to dump CAN packets coming from a CAN Vector board.
666  * More documentation on the CAN v2.0B frames can be found at
667  * http://www.can-cia.org/downloads/?269
668  */
669 #define DLT_CAN20B              190
670 
671 /*
672  * IEEE 802.15.4, with address fields padded, as is done by Linux
673  * drivers; requested by Juergen Schimmer.
674  */
675 #define DLT_IEEE802_15_4_LINUX	191
676 
677 /*
678  * Per Packet Information encapsulated packets.
679  * DLT_ requested by Gianluca Varenni <gianluca.varenni@cacetech.com>.
680  */
681 #define DLT_PPI			192
682 
683 /*
684  * Header for 802.16 MAC Common Part Sublayer plus a radiotap radio header;
685  * requested by Charles Clancy.
686  */
687 #define DLT_IEEE802_16_MAC_CPS_RADIO	193
688 
689 /*
690  * Juniper-private data link type, as per request from
691  * Hannes Gredler <hannes@juniper.net>.
692  * The DLT_ is used for internal communication with a
693  * integrated service module (ISM).
694  */
695 #define DLT_JUNIPER_ISM         194
696 
697 /*
698  * IEEE 802.15.4, exactly as it appears in the spec (no padding, no
699  * nothing); requested by Mikko Saarnivala <mikko.saarnivala@sensinode.com>.
700  */
701 #define DLT_IEEE802_15_4	195
702 
703 /*
704  * Various link-layer types, with a pseudo-header, for SITA
705  * (http://www.sita.aero/); requested by Fulko Hew (fulko.hew@gmail.com).
706  */
707 #define DLT_SITA		196
708 
709 /*
710  * Various link-layer types, with a pseudo-header, for Endace DAG cards;
711  * encapsulates Endace ERF records.  Requested by Stephen Donnelly
712  * <stephen@endace.com>.
713  */
714 #define DLT_ERF			197
715 
716 /*
717  * Special header prepended to Ethernet packets when capturing from a
718  * u10 Networks board.  Requested by Phil Mulholland
719  * <phil@u10networks.com>.
720  */
721 #define DLT_RAIF1		198
722 
723 /*
724  * IPMB packet for IPMI, beginning with the I2C slave address, followed
725  * by the netFn and LUN, etc..  Requested by Chanthy Toeung
726  * <chanthy.toeung@ca.kontron.com>.
727  */
728 #define DLT_IPMB		199
729 
730 /*
731  * Juniper-private data link type, as per request from
732  * Hannes Gredler <hannes@juniper.net>.
733  * The DLT_ is used for capturing data on a secure tunnel interface.
734  */
735 #define DLT_JUNIPER_ST          200
736 
737 /*
738  * Bluetooth HCI UART transport layer (part H:4), with pseudo-header
739  * that includes direction information; requested by Paolo Abeni.
740  */
741 #define DLT_BLUETOOTH_HCI_H4_WITH_PHDR	201
742 
743 /*
744  * AX.25 packet with a 1-byte KISS header; see
745  *
746  *	http://www.ax25.net/kiss.htm
747  *
748  * as per Richard Stearn <richard@rns-stearn.demon.co.uk>.
749  */
750 #define DLT_AX25_KISS		202
751 
752 /*
753  * LAPD packets from an ISDN channel, starting with the address field,
754  * with no pseudo-header.
755  * Requested by Varuna De Silva <varunax@gmail.com>.
756  */
757 #define DLT_LAPD		203
758 
759 /*
760  * Variants of various link-layer headers, with a one-byte direction
761  * pseudo-header prepended - zero means "received by this host",
762  * non-zero (any non-zero value) means "sent by this host" - as per
763  * Will Barker <w.barker@zen.co.uk>.
764  */
765 #define DLT_PPP_WITH_DIR	204	/* PPP - don't confuse with DLT_PPP_WITH_DIRECTION */
766 #define DLT_C_HDLC_WITH_DIR	205	/* Cisco HDLC */
767 #define DLT_FRELAY_WITH_DIR	206	/* Frame Relay */
768 #define DLT_LAPB_WITH_DIR	207	/* LAPB */
769 
770 /*
771  * 208 is reserved for an as-yet-unspecified proprietary link-layer
772  * type, as requested by Will Barker.
773  */
774 
775 /*
776  * IPMB with a Linux-specific pseudo-header; as requested by Alexey Neyman
777  * <avn@pigeonpoint.com>.
778  */
779 #define DLT_IPMB_LINUX		209
780 
781 /*
782  * FlexRay automotive bus - http://www.flexray.com/ - as requested
783  * by Hannes Kaelber <hannes.kaelber@x2e.de>.
784  */
785 #define DLT_FLEXRAY		210
786 
787 /*
788  * Media Oriented Systems Transport (MOST) bus for multimedia
789  * transport - http://www.mostcooperation.com/ - as requested
790  * by Hannes Kaelber <hannes.kaelber@x2e.de>.
791  */
792 #define DLT_MOST		211
793 
794 /*
795  * Local Interconnect Network (LIN) bus for vehicle networks -
796  * http://www.lin-subbus.org/ - as requested by Hannes Kaelber
797  * <hannes.kaelber@x2e.de>.
798  */
799 #define DLT_LIN			212
800 
801 /*
802  * X2E-private data link type used for serial line capture,
803  * as requested by Hannes Kaelber <hannes.kaelber@x2e.de>.
804  */
805 #define DLT_X2E_SERIAL		213
806 
807 /*
808  * X2E-private data link type used for the Xoraya data logger
809  * family, as requested by Hannes Kaelber <hannes.kaelber@x2e.de>.
810  */
811 #define DLT_X2E_XORAYA		214
812 
813 /*
814  * IEEE 802.15.4, exactly as it appears in the spec (no padding, no
815  * nothing), but with the PHY-level data for non-ASK PHYs (4 octets
816  * of 0 as preamble, one octet of SFD, one octet of frame length+
817  * reserved bit, and then the MAC-layer data, starting with the
818  * frame control field).
819  *
820  * Requested by Max Filippov <jcmvbkbc@gmail.com>.
821  */
822 #define DLT_IEEE802_15_4_NONASK_PHY	215
823 
824 /*
825  * David Gibson <david@gibson.dropbear.id.au> requested this for
826  * captures from the Linux kernel /dev/input/eventN devices. This
827  * is used to communicate keystrokes and mouse movements from the
828  * Linux kernel to display systems, such as Xorg.
829  */
830 #define DLT_LINUX_EVDEV		216
831 
832 /*
833  * GSM Um and Abis interfaces, preceded by a "gsmtap" header.
834  *
835  * Requested by Harald Welte <laforge@gnumonks.org>.
836  */
837 #define DLT_GSMTAP_UM		217
838 #define DLT_GSMTAP_ABIS		218
839 
840 /*
841  * MPLS, with an MPLS label as the link-layer header.
842  * Requested by Michele Marchetto <michele@openbsd.org> on behalf
843  * of OpenBSD.
844  */
845 #define DLT_MPLS		219
846 
847 /*
848  * USB packets, beginning with a Linux USB header, with the USB header
849  * padded to 64 bytes; required for memory-mapped access.
850  */
851 #define DLT_USB_LINUX_MMAPPED	220
852 
853 /*
854  * DECT packets, with a pseudo-header; requested by
855  * Matthias Wenzel <tcpdump@mazzoo.de>.
856  */
857 #define DLT_DECT		221
858 
859 /*
860  * From: "Lidwa, Eric (GSFC-582.0)[SGT INC]" <eric.lidwa-1@nasa.gov>
861  * Date: Mon, 11 May 2009 11:18:30 -0500
862  *
863  * DLT_AOS. We need it for AOS Space Data Link Protocol.
864  *   I have already written dissectors for but need an OK from
865  *   legal before I can submit a patch.
866  *
867  */
868 #define DLT_AOS                 222
869 
870 /*
871  * Wireless HART (Highway Addressable Remote Transducer)
872  * From the HART Communication Foundation
873  * IES/PAS 62591
874  *
875  * Requested by Sam Roberts <vieuxtech@gmail.com>.
876  */
877 #define DLT_WIHART		223
878 
879 /*
880  * Fibre Channel FC-2 frames, beginning with a Frame_Header.
881  * Requested by Kahou Lei <kahou82@gmail.com>.
882  */
883 #define DLT_FC_2		224
884 
885 /*
886  * Fibre Channel FC-2 frames, beginning with an encoding of the
887  * SOF, and ending with an encoding of the EOF.
888  *
889  * The encodings represent the frame delimiters as 4-byte sequences
890  * representing the corresponding ordered sets, with K28.5
891  * represented as 0xBC, and the D symbols as the corresponding
892  * byte values; for example, SOFi2, which is K28.5 - D21.5 - D1.2 - D21.2,
893  * is represented as 0xBC 0xB5 0x55 0x55.
894  *
895  * Requested by Kahou Lei <kahou82@gmail.com>.
896  */
897 #define DLT_FC_2_WITH_FRAME_DELIMS	225
898 
899 /*
900  * Solaris ipnet pseudo-header; requested by Darren Reed <Darren.Reed@Sun.COM>.
901  *
902  * The pseudo-header starts with a one-byte version number; for version 2,
903  * the pseudo-header is:
904  *
905  * struct dl_ipnetinfo {
906  *     u_int8_t   dli_version;
907  *     u_int8_t   dli_family;
908  *     u_int16_t  dli_htype;
909  *     u_int32_t  dli_pktlen;
910  *     u_int32_t  dli_ifindex;
911  *     u_int32_t  dli_grifindex;
912  *     u_int32_t  dli_zsrc;
913  *     u_int32_t  dli_zdst;
914  * };
915  *
916  * dli_version is 2 for the current version of the pseudo-header.
917  *
918  * dli_family is a Solaris address family value, so it's 2 for IPv4
919  * and 26 for IPv6.
920  *
921  * dli_htype is a "hook type" - 0 for incoming packets, 1 for outgoing
922  * packets, and 2 for packets arriving from another zone on the same
923  * machine.
924  *
925  * dli_pktlen is the length of the packet data following the pseudo-header
926  * (so the captured length minus dli_pktlen is the length of the
927  * pseudo-header, assuming the entire pseudo-header was captured).
928  *
929  * dli_ifindex is the interface index of the interface on which the
930  * packet arrived.
931  *
932  * dli_grifindex is the group interface index number (for IPMP interfaces).
933  *
934  * dli_zsrc is the zone identifier for the source of the packet.
935  *
936  * dli_zdst is the zone identifier for the destination of the packet.
937  *
938  * A zone number of 0 is the global zone; a zone number of 0xffffffff
939  * means that the packet arrived from another host on the network, not
940  * from another zone on the same machine.
941  *
942  * An IPv4 or IPv6 datagram follows the pseudo-header; dli_family indicates
943  * which of those it is.
944  */
945 #define DLT_IPNET			226
946 
947 /*
948  * CAN (Controller Area Network) frames, with a pseudo-header as supplied
949  * by Linux SocketCAN.  See Documentation/networking/can.txt in the Linux
950  * source.
951  *
952  * Requested by Felix Obenhuber <felix@obenhuber.de>.
953  */
954 #define DLT_CAN_SOCKETCAN		227
955 
956 /*
957  * Raw IPv4/IPv6; different from DLT_RAW in that the DLT_ value specifies
958  * whether it's v4 or v6.  Requested by Darren Reed <Darren.Reed@Sun.COM>.
959  */
960 #define DLT_IPV4			228
961 #define DLT_IPV6			229
962 
963 /*
964  * DLT and savefile link type values are split into a class and
965  * a member of that class.  A class value of 0 indicates a regular
966  * DLT_/LINKTYPE_ value.
967  */
968 #define DLT_CLASS(x)		((x) & 0x03ff0000)
969 
970 /*
971  * NetBSD-specific generic "raw" link type.  The class value indicates
972  * that this is the generic raw type, and the lower 16 bits are the
973  * address family we're dealing with.  Those values are NetBSD-specific;
974  * do not assume that they correspond to AF_ values for your operating
975  * system.
976  */
977 #define	DLT_CLASS_NETBSD_RAWAF	0x02240000
978 #define	DLT_NETBSD_RAWAF(af)	(DLT_CLASS_NETBSD_RAWAF | (af))
979 #define	DLT_NETBSD_RAWAF_AF(x)	((x) & 0x0000ffff)
980 #define	DLT_IS_NETBSD_RAWAF(x)	(DLT_CLASS(x) == DLT_CLASS_NETBSD_RAWAF)
981 
982 
983 /*
984  * The instruction encodings.
985  */
986 /* instruction classes */
987 #define BPF_CLASS(code) ((code) & 0x07)
988 #define		BPF_LD		0x00
989 #define		BPF_LDX		0x01
990 #define		BPF_ST		0x02
991 #define		BPF_STX		0x03
992 #define		BPF_ALU		0x04
993 #define		BPF_JMP		0x05
994 #define		BPF_RET		0x06
995 #define		BPF_MISC	0x07
996 
997 /* ld/ldx fields */
998 #define BPF_SIZE(code)	((code) & 0x18)
999 #define		BPF_W		0x00
1000 #define		BPF_H		0x08
1001 #define		BPF_B		0x10
1002 #define BPF_MODE(code)	((code) & 0xe0)
1003 #define		BPF_IMM 	0x00
1004 #define		BPF_ABS		0x20
1005 #define		BPF_IND		0x40
1006 #define		BPF_MEM		0x60
1007 #define		BPF_LEN		0x80
1008 #define		BPF_MSH		0xa0
1009 
1010 /* alu/jmp fields */
1011 #define BPF_OP(code)	((code) & 0xf0)
1012 #define		BPF_ADD		0x00
1013 #define		BPF_SUB		0x10
1014 #define		BPF_MUL		0x20
1015 #define		BPF_DIV		0x30
1016 #define		BPF_OR		0x40
1017 #define		BPF_AND		0x50
1018 #define		BPF_LSH		0x60
1019 #define		BPF_RSH		0x70
1020 #define		BPF_NEG		0x80
1021 #define		BPF_JA		0x00
1022 #define		BPF_JEQ		0x10
1023 #define		BPF_JGT		0x20
1024 #define		BPF_JGE		0x30
1025 #define		BPF_JSET	0x40
1026 #define BPF_SRC(code)	((code) & 0x08)
1027 #define		BPF_K		0x00
1028 #define		BPF_X		0x08
1029 
1030 /* ret - BPF_K and BPF_X also apply */
1031 #define BPF_RVAL(code)	((code) & 0x18)
1032 #define		BPF_A		0x10
1033 
1034 /* misc */
1035 #define BPF_MISCOP(code) ((code) & 0xf8)
1036 #define		BPF_TAX		0x00
1037 #define		BPF_TXA		0x80
1038 
1039 /*
1040  * The instruction data structure.
1041  */
1042 struct bpf_insn {
1043 	u_short	code;
1044 	u_char 	jt;
1045 	u_char 	jf;
1046 	bpf_u_int32 k;
1047 };
1048 
1049 /*
1050  * Macros for insn array initializers.
1051  */
1052 #define BPF_STMT(code, k) { (u_short)(code), 0, 0, k }
1053 #define BPF_JUMP(code, k, jt, jf) { (u_short)(code), jt, jf, k }
1054 
1055 #if __STDC__ || defined(__cplusplus)
1056 extern int bpf_validate(const struct bpf_insn *, int);
1057 extern u_int bpf_filter(struct bpf_insn *, u_char *, u_int, u_int);
1058 #else
1059 extern int bpf_validate();
1060 extern u_int bpf_filter();
1061 #endif
1062 
1063 /*
1064  * Number of scratch memory words (for BPF_LD|BPF_MEM and BPF_ST).
1065  */
1066 #define BPF_MEMWORDS 16
1067 
1068 #ifdef __cplusplus
1069 }
1070 #endif
1071 
1072 #endif
1073