1 /*- 2 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997 3 * The Regents of the University of California. All rights reserved. 4 * 5 * This code is derived from the Stanford/CMU enet packet filter, 6 * (net/enet.c) distributed as part of 4.3BSD, and code contributed 7 * to Berkeley by Steven McCanne and Van Jacobson both of Lawrence 8 * Berkeley Laboratory. 9 * 10 * Redistribution and use in source and binary forms, with or without 11 * modification, are permitted provided that the following conditions 12 * are met: 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 3. All advertising materials mentioning features or use of this software 19 * must display the following acknowledgement: 20 * This product includes software developed by the University of 21 * California, Berkeley and its contributors. 22 * 4. Neither the name of the University nor the names of its contributors 23 * may be used to endorse or promote products derived from this software 24 * without specific prior written permission. 25 * 26 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 27 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 28 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 29 * ARE DISCLAIMED. 
IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 * @(#)bpf.h 7.1 (Berkeley) 5/7/91
 *
 * @(#) $Header: /tcpdump/master/libpcap/pcap/bpf.h,v 1.32 2008-12-23 20:13:29 guy Exp $ (LBL)
 */

/*
 * This is libpcap's cut-down version of bpf.h; it includes only
 * the stuff needed for the code generator and the userland BPF
 * interpreter, and the libpcap APIs for setting filters, etc..
 *
 * "pcap-bpf.c" will include the native OS version, as it deals with
 * the OS's BPF implementation.
 *
 * XXX - should this all just be moved to "pcap.h"?
 */

#ifndef BPF_MAJOR_VERSION

#ifdef __cplusplus
extern "C" {
#endif

/* BSD style release date */
#define BPF_RELEASE	199606

/*
 * 32-bit integer types used by the BPF definitions.
 *
 * NOTE(review): the non-MSDOS branch assumes that int is 32 bits wide;
 * nothing in this header checks it.  u_int is not defined in the part of
 * the header shown here, so the includer presumably supplies it (e.g. via
 * <sys/types.h>) - confirm.
 */
#ifdef MSDOS /* must be 32-bit */
typedef long		bpf_int32;
typedef unsigned long	bpf_u_int32;
#else
typedef	int		bpf_int32;
typedef	u_int		bpf_u_int32;
#endif

/*
 * Alignment macros. BPF_WORDALIGN rounds up to the next
 * even multiple of BPF_ALIGNMENT.
 *
 * NOTE(review): the mask form below only rounds correctly when
 * BPF_ALIGNMENT is a power of two.  BPF_ALIGNMENT is a sizeof expression,
 * so for an int or u_int argument the arithmetic is carried out in size_t:
 * a negative x becomes a very large value, and an x within
 * BPF_ALIGNMENT-1 of the maximum wraps round to a small result.  Code that
 * steps through a buffer of captured records with this macro should
 * range-check the length it passes in first.  The alignment is
 * sizeof(long) on NetBSD and sizeof(bpf_int32) elsewhere, so the result
 * can differ between platforms.
 */
#ifndef __NetBSD__
#define BPF_ALIGNMENT	sizeof(bpf_int32)
#else
#define BPF_ALIGNMENT	sizeof(long)
#endif
#define BPF_WORDALIGN(x)	(((x)+(BPF_ALIGNMENT-1))&~(BPF_ALIGNMENT-1))

/* Upper and lower limits for a BPF buffer size (0x8000 is 32768). */
#define BPF_MAXBUFSIZE	0x8000
#define BPF_MINBUFSIZE	32

/*
 * Structure for "pcap_compile()", "pcap_setfilter()", etc..
 *
 * NOTE(review): bf_len is presumably the number of struct bpf_insn
 * entries that bf_insns points to (a count, not a byte length) - confirm
 * against the libpcap documentation.  Nothing in this structure ties the
 * two fields together, so code that receives a bpf_program from elsewhere
 * has to check that the count matches the array itself.
 */
struct bpf_program {
	u_int bf_len;
	struct bpf_insn *bf_insns;
};

/*
 * Struct returned by BIOCVERSION.
This represents the version number of
 * the filter language described by the instruction encodings below.
 * bpf understands a program iff kernel_major == filter_major &&
 * kernel_minor >= filter_minor, that is, if the value returned by the
 * running kernel has the same major number and a minor number
 * equal to or less than the filter being downloaded. Otherwise, the
 * results are undefined, meaning an error may be returned or packets
 * may be accepted haphazardly.
 * It has nothing to do with the source code version.
 *
 * NOTE(review): the prose above ("equal to or less than") contradicts the
 * condition it paraphrases (kernel_minor >= filter_minor).  The condition
 * reads as the intended rule - confirm before relying on either wording.
 */
struct bpf_version {
	u_short bv_major;	/* major number of the filter language version */
	u_short bv_minor;	/* minor number of the filter language version */
};
/* Current version number of filter architecture. */
#define BPF_MAJOR_VERSION	1
#define BPF_MINOR_VERSION	1

/*
 * Data-link level type codes.
 *
 * Do *NOT* add new values to this list without asking
 * "tcpdump-workers@lists.tcpdump.org" for a value. Otherwise, you run
 * the risk of using a value that's already being used for some other
 * purpose, and of having tools that read libpcap-format captures not
 * being able to handle captures with your new DLT_ value, with no hope
 * that they will ever be changed to do so (as that would destroy their
 * ability to read captures using that value for that other purpose).
 */

/*
 * These are the types that are the same on all platforms, and that
 * have been defined by <net/bpf.h> for ages.
*/
#define DLT_NULL	0	/* BSD loopback encapsulation */
#define DLT_EN10MB	1	/* Ethernet (10Mb) */
#define DLT_EN3MB	2	/* Experimental Ethernet (3Mb) */
#define DLT_AX25	3	/* Amateur Radio AX.25 */
#define DLT_PRONET	4	/* Proteon ProNET Token Ring */
#define DLT_CHAOS	5	/* Chaos */
#define DLT_IEEE802	6	/* 802.5 Token Ring */
#define DLT_ARCNET	7	/* ARCNET, with BSD-style header */
#define DLT_SLIP	8	/* Serial Line IP */
#define DLT_PPP		9	/* Point-to-point Protocol */
#define DLT_FDDI	10	/* FDDI */

/*
 * These are types that are different on some platforms, and that
 * have been defined by <net/bpf.h> for ages. We use #ifdefs to
 * detect the BSDs that define them differently from the traditional
 * libpcap <net/bpf.h>
 *
 * XXX - DLT_ATM_RFC1483 is 13 in BSD/OS, and DLT_RAW is 14 in BSD/OS,
 * but I don't know what the right #define is for BSD/OS.
 *
 * NOTE(review): because the numbers below depend on the build platform
 * (14 is DLT_RAW on OpenBSD but DLT_PPP_BSDOS on NetBSD/FreeBSD), code
 * should compare against the DLT_ names rather than literal numbers.
 */
#define DLT_ATM_RFC1483	11	/* LLC-encapsulated ATM */

#ifdef __OpenBSD__
#define DLT_RAW		14	/* raw IP */
#else
#define DLT_RAW		12	/* raw IP */
#endif

/*
 * Given that the only OS that currently generates BSD/OS SLIP or PPP
 * is, well, BSD/OS, arguably everybody should have chosen its values
 * for DLT_SLIP_BSDOS and DLT_PPP_BSDOS, which are 15 and 16, but they
 * didn't. So it goes.
 */
#if defined(__NetBSD__) || defined(__FreeBSD__)
#ifndef DLT_SLIP_BSDOS
#define DLT_SLIP_BSDOS	13	/* BSD/OS Serial Line IP */
#define DLT_PPP_BSDOS	14	/* BSD/OS Point-to-point Protocol */
#endif
#else
#define DLT_SLIP_BSDOS	15	/* BSD/OS Serial Line IP */
#define DLT_PPP_BSDOS	16	/* BSD/OS Point-to-point Protocol */
#endif

/*
 * 17 is used for DLT_OLD_PFLOG in OpenBSD;
 * OBSOLETE: DLT_PFLOG is 117 in OpenBSD now as well. See below.
 * 18 is used for DLT_PFSYNC in OpenBSD; don't use it for anything else.
*/

#define DLT_ATM_CLIP	19	/* Linux Classical-IP over ATM */

/*
 * Apparently Redback uses this for its SmartEdge 400/800. I hope
 * nobody else decided to use it, too.
 */
#define DLT_REDBACK_SMARTEDGE	32

/*
 * These values are defined by NetBSD; other platforms should refrain from
 * using them for other purposes, so that NetBSD savefiles with link
 * types of 50 or 51 can be read as this type on all platforms.
 */
#define DLT_PPP_SERIAL	50	/* PPP over serial with HDLC encapsulation */
#define DLT_PPP_ETHER	51	/* PPP over Ethernet */

/*
 * The Axent Raptor firewall - now the Symantec Enterprise Firewall - uses
 * a link-layer type of 99 for the tcpdump it supplies. The link-layer
 * header has 6 bytes of unknown data, something that appears to be an
 * Ethernet type, and 36 bytes that appear to be 0 in at least one capture
 * I've seen.
 */
#define DLT_SYMANTEC_FIREWALL	99

/*
 * Values between 100 and 103 are used in capture file headers as
 * link-layer types corresponding to DLT_ types that differ
 * between platforms; don't use those values for new DLT_ types.
 */

/*
 * This value was defined by libpcap 0.5; platforms that have defined
 * it with a different value should define it here with that value -
 * a link type of 104 in a save file will be mapped to DLT_C_HDLC,
 * whatever value that happens to be, so programs will correctly
 * handle files with that link type regardless of the value of
 * DLT_C_HDLC.
 *
 * The name DLT_C_HDLC was used by BSD/OS; we use that name for source
 * compatibility with programs written for BSD/OS.
 *
 * libpcap 0.5 defined it as DLT_CHDLC; we define DLT_CHDLC as well,
 * for source compatibility with programs written for libpcap 0.5.
*/
#define DLT_C_HDLC	104	/* Cisco HDLC */
#define DLT_CHDLC	DLT_C_HDLC

#define DLT_IEEE802_11	105	/* IEEE 802.11 wireless */

/*
 * 106 is reserved for Linux Classical IP over ATM; it's like DLT_RAW,
 * except when it isn't. (I.e., sometimes it's just raw IP, and
 * sometimes it isn't.) We currently handle it as DLT_LINUX_SLL,
 * so that we don't have to worry about the link-layer header.
 */

/*
 * Frame Relay; BSD/OS has a DLT_FR with a value of 11, but that collides
 * with other values.
 * DLT_FR and DLT_FRELAY packets start with the Q.922 Frame Relay header
 * (DLCI, etc.).
 */
#define DLT_FRELAY	107

/*
 * OpenBSD DLT_LOOP, for loopback devices; it's like DLT_NULL, except
 * that the AF_ type in the link-layer header is in network byte order.
 *
 * DLT_LOOP is 12 in OpenBSD, but that's DLT_RAW in other OSes, so
 * we don't use 12 for it in OSes other than OpenBSD.
 */
#ifdef __OpenBSD__
#define DLT_LOOP	12
#else
#define DLT_LOOP	108
#endif

/*
 * Encapsulated packets for IPsec; DLT_ENC is 13 in OpenBSD, but that's
 * DLT_SLIP_BSDOS in NetBSD, so we don't use 13 for it in OSes other
 * than OpenBSD.
 */
#ifdef __OpenBSD__
#define DLT_ENC		13
#else
#define DLT_ENC		109
#endif

/*
 * Values between 110 and 112 are reserved for use in capture file headers
 * as link-layer types corresponding to DLT_ types that might differ
 * between platforms; don't use those values for new DLT_ types
 * other than the corresponding DLT_ types.
 */

/*
 * This is for Linux cooked sockets.
 */
#define DLT_LINUX_SLL	113

/*
 * Apple LocalTalk hardware.
 */
#define DLT_LTALK	114

/*
 * Acorn Econet.
 */
#define DLT_ECONET	115

/*
 * Reserved for use with OpenBSD ipfilter.
*/
#define DLT_IPFILTER	116

/*
 * OpenBSD DLT_PFLOG; DLT_PFLOG is 17 in OpenBSD, but that's DLT_LANE8023
 * in SuSE 6.3, so we can't use 17 for it in capture-file headers.
 *
 * XXX: is there a conflict with DLT_PFSYNC 18 as well?
 */
#ifdef __OpenBSD__
#define DLT_OLD_PFLOG	17
#define DLT_PFSYNC	18
#endif
#define DLT_PFLOG	117

/*
 * Registered for Cisco-internal use.
 */
#define DLT_CISCO_IOS	118

/*
 * For 802.11 cards using the Prism II chips, with a link-layer
 * header including Prism monitor mode information plus an 802.11
 * header.
 */
#define DLT_PRISM_HEADER	119

/*
 * Reserved for Aironet 802.11 cards, with an Aironet link-layer header
 * (see Doug Ambrisko's FreeBSD patches).
 */
#define DLT_AIRONET_HEADER	120

/*
 * Reserved for Siemens HiPath HDLC.
 */
#define DLT_HHDLC	121

/*
 * This is for RFC 2625 IP-over-Fibre Channel.
 *
 * This is not for use with raw Fibre Channel, where the link-layer
 * header starts with a Fibre Channel frame header; it's for IP-over-FC,
 * where the link-layer header starts with an RFC 2625 Network_Header
 * field.
 */
#define DLT_IP_OVER_FC	122

/*
 * This is for Full Frontal ATM on Solaris with SunATM, with a
 * pseudo-header followed by an AALn PDU.
 *
 * There may be other forms of Full Frontal ATM on other OSes,
 * with different pseudo-headers.
 *
 * If ATM software returns a pseudo-header with VPI/VCI information
 * (and, ideally, packet type information, e.g. signalling, ILMI,
 * LANE, LLC-multiplexed traffic, etc.), it should not use
 * DLT_ATM_RFC1483, but should get a new DLT_ value, so tcpdump
 * and the like don't have to infer the presence or absence of a
 * pseudo-header and the form of the pseudo-header.
*/
#define DLT_SUNATM	123	/* Solaris+SunATM */

/*
 * Reserved as per request from Kent Dahlgren <kent@praesum.com>
 * for private use.
 */
#define DLT_RIO		124	/* RapidIO */
#define DLT_PCI_EXP	125	/* PCI Express */
#define DLT_AURORA	126	/* Xilinx Aurora link layer */

/*
 * Header for 802.11 plus a number of bits of link-layer information
 * including radio information, used by some recent BSD drivers as
 * well as the madwifi Atheros driver for Linux.
 */
#define DLT_IEEE802_11_RADIO	127	/* 802.11 plus radiotap radio header */

/*
 * Reserved for the TZSP encapsulation, as per request from
 * Chris Waters <chris.waters@networkchemistry.com>
 * TZSP is a generic encapsulation for any other link type,
 * which includes a means to include meta-information
 * with the packet, e.g. signal strength and channel
 * for 802.11 packets.
 */
#define DLT_TZSP	128	/* Tazmen Sniffer Protocol */

/*
 * BSD's ARCNET headers have the source host, destination host,
 * and type at the beginning of the packet; that's what's handed
 * up to userland via BPF.
 *
 * Linux's ARCNET headers, however, have a 2-byte offset field
 * between the host IDs and the type; that's what's handed up
 * to userland via PF_PACKET sockets.
 *
 * We therefore have to have separate DLT_ values for them.
 */
#define DLT_ARCNET_LINUX	129	/* ARCNET */

/*
 * Juniper-private data link types, as per request from
 * Hannes Gredler <hannes@juniper.net>. The DLT_s are used
 * for passing on chassis-internal metainformation such as
 * QOS profiles, etc..
*/
#define DLT_JUNIPER_MLPPP	130
#define DLT_JUNIPER_MLFR	131
#define DLT_JUNIPER_ES		132
#define DLT_JUNIPER_GGSN	133
#define DLT_JUNIPER_MFR		134
#define DLT_JUNIPER_ATM2	135
#define DLT_JUNIPER_SERVICES	136
#define DLT_JUNIPER_ATM1	137

/*
 * Apple IP-over-IEEE 1394, as per a request from Dieter Siegmund
 * <dieter@apple.com>. The header that's presented is an Ethernet-like
 * header:
 *
 *	#define FIREWIRE_EUI64_LEN	8
 *	struct firewire_header {
 *		u_char firewire_dhost[FIREWIRE_EUI64_LEN];
 *		u_char firewire_shost[FIREWIRE_EUI64_LEN];
 *		u_short firewire_type;
 *	};
 *
 * with "firewire_type" being an Ethernet type value, rather than,
 * for example, raw GASP frames being handed up.
 */
#define DLT_APPLE_IP_OVER_IEEE1394	138

/*
 * Various SS7 encapsulations, as per a request from Jeff Morriss
 * <jeff.morriss[AT]ulticom.com> and subsequent discussions.
 */
#define DLT_MTP2_WITH_PHDR	139	/* pseudo-header with various info, followed by MTP2 */
#define DLT_MTP2		140	/* MTP2, without pseudo-header */
#define DLT_MTP3		141	/* MTP3, without pseudo-header or MTP2 */
#define DLT_SCCP		142	/* SCCP, without pseudo-header or MTP2 or MTP3 */

/*
 * DOCSIS MAC frames.
 */
#define DLT_DOCSIS	143

/*
 * Linux-IrDA packets. Protocol defined at http://www.irda.org.
 * Those packets include IrLAP headers and above (IrLMP...), but
 * don't include Phy framing (SOF/EOF/CRC & byte stuffing), because Phy
 * framing can be handled by the hardware and depends on the bitrate.
 * This is exactly the format you would get capturing on a Linux-IrDA
 * interface (irdaX), but not on a raw serial port.
 * Note the capture is done in "Linux-cooked" mode, so each packet includes
 * a fake packet header (struct sll_header).
This is because IrDA packet
 * decoding is dependent on the direction of the packet (incoming or
 * outgoing).
 * When/if other platforms implement IrDA capture, we may revisit the
 * issue and define a real DLT_IRDA...
 * Jean II
 */
#define DLT_LINUX_IRDA	144

/*
 * Reserved for IBM SP switch and IBM Next Federation switch.
 */
#define DLT_IBM_SP	145
#define DLT_IBM_SN	146

/*
 * Reserved for private use. If you have some link-layer header type
 * that you want to use within your organization, with the capture files
 * using that link-layer header type never being sent outside your
 * organization, you can use these values.
 *
 * No libpcap release will use these for any purpose, nor will any
 * tcpdump release use them, either.
 *
 * Do *NOT* use these in capture files that you expect anybody not using
 * your private versions of capture-file-reading tools to read; in
 * particular, do *NOT* use them in products, otherwise you may find that
 * people won't be able to use tcpdump, or snort, or Ethereal, or... to
 * read capture files from your firewall/intrusion detection/traffic
 * monitoring/etc. appliance, or whatever product uses that DLT_ value,
 * and you may also find that the developers of those applications will
 * not accept patches to let them read those files.
 *
 * Also, do not use them if somebody might send you a capture using them
 * for *their* private type and tools using them for *your* private type
 * would have to read them.
 *
 * Instead, ask "tcpdump-workers@lists.tcpdump.org" for a new DLT_ value,
 * as per the comment above, and use the type you're given.
*/
#define DLT_USER0	147
#define DLT_USER1	148
#define DLT_USER2	149
#define DLT_USER3	150
#define DLT_USER4	151
#define DLT_USER5	152
#define DLT_USER6	153
#define DLT_USER7	154
#define DLT_USER8	155
#define DLT_USER9	156
#define DLT_USER10	157
#define DLT_USER11	158
#define DLT_USER12	159
#define DLT_USER13	160
#define DLT_USER14	161
#define DLT_USER15	162

/*
 * For future use with 802.11 captures - defined by AbsoluteValue
 * Systems to store a number of bits of link-layer information
 * including radio information:
 *
 *	http://www.shaftnet.org/~pizza/software/capturefrm.txt
 *
 * but it might be used by some non-AVS drivers now or in the
 * future.
 */
#define DLT_IEEE802_11_RADIO_AVS	163	/* 802.11 plus AVS radio header */

/*
 * Juniper-private data link type, as per request from
 * Hannes Gredler <hannes@juniper.net>. The DLT_s are used
 * for passing on chassis-internal metainformation such as
 * QOS profiles, etc..
 */
#define DLT_JUNIPER_MONITOR	164

/*
 * Reserved for BACnet MS/TP.
 */
#define DLT_BACNET_MS_TP	165

/*
 * Another PPP variant as per request from Karsten Keil <kkeil@suse.de>.
 *
 * This is used in some OSes to allow a kernel socket filter to distinguish
 * between incoming and outgoing packets, on a socket intended to
 * supply pppd with outgoing packets so it can do dial-on-demand and
 * hangup-on-lack-of-demand; incoming packets are filtered out so they
 * don't cause pppd to hold the connection up (you don't want random
 * input packets such as port scans, packets from old lost connections,
 * etc. to force the connection to stay up).
 *
 * The first byte of the PPP header (0xff03) is modified to accommodate
 * the direction - 0x00 = IN, 0x01 = OUT.
*/
#define DLT_PPP_PPPD	166

/*
 * Names for backwards compatibility with older versions of some PPP
 * software; new software should use DLT_PPP_PPPD.
 */
#define DLT_PPP_WITH_DIRECTION	DLT_PPP_PPPD
#define DLT_LINUX_PPP_WITHDIRECTION	DLT_PPP_PPPD

/*
 * Juniper-private data link type, as per request from
 * Hannes Gredler <hannes@juniper.net>. The DLT_s are used
 * for passing on chassis-internal metainformation such as
 * QOS profiles, cookies, etc..
 */
#define DLT_JUNIPER_PPPOE	167
#define DLT_JUNIPER_PPPOE_ATM	168

#define DLT_GPRS_LLC	169	/* GPRS LLC */
#define DLT_GPF_T	170	/* GPF-T (ITU-T G.7041/Y.1303) */
#define DLT_GPF_F	171	/* GPF-F (ITU-T G.7041/Y.1303) */

/*
 * Requested by Oolan Zimmer <oz@gcom.com> for use in Gcom's T1/E1 line
 * monitoring equipment.
 */
#define DLT_GCOM_T1E1	172
#define DLT_GCOM_SERIAL	173

/*
 * Juniper-private data link type, as per request from
 * Hannes Gredler <hannes@juniper.net>. The DLT_ is used
 * for internal communication to Physical Interface Cards (PIC)
 */
#define DLT_JUNIPER_PIC_PEER	174

/*
 * Link types requested by Gregor Maier <gregor@endace.com> of Endace
 * Measurement Systems. They add an ERF header (see
 * http://www.endace.com/support/EndaceRecordFormat.pdf) in front of
 * the link-layer header.
 */
#define DLT_ERF_ETH	175	/* Ethernet */
#define DLT_ERF_POS	176	/* Packet-over-SONET */

/*
 * Requested by Daniele Orlandi <daniele@orlandi.com> for raw LAPD
 * for vISDN (http://www.orlandi.com/visdn/). Its link-layer header
 * includes additional information before the LAPD header, so it's
 * not necessarily a generic LAPD header.
 */
#define DLT_LINUX_LAPD	177

/*
 * Juniper-private data link type, as per request from
 * Hannes Gredler <hannes@juniper.net>.
* The DLT_s are used for prepending meta-information
 * like interface index, interface name
 * before standard Ethernet, PPP, Frelay & C-HDLC Frames
 */
#define DLT_JUNIPER_ETHER	178
#define DLT_JUNIPER_PPP		179
#define DLT_JUNIPER_FRELAY	180
#define DLT_JUNIPER_CHDLC	181

/*
 * Multi Link Frame Relay (FRF.16)
 */
#define DLT_MFR	182

/*
 * Juniper-private data link type, as per request from
 * Hannes Gredler <hannes@juniper.net>.
 * The DLT_ is used for internal communication with a
 * voice Adapter Card (PIC)
 */
#define DLT_JUNIPER_VP	183

/*
 * Arinc 429 frames.
 * DLT_ requested by Gianluca Varenni <gianluca.varenni@cacetech.com>.
 * Every frame contains a 32bit A429 label.
 * More documentation on Arinc 429 can be found at
 * http://www.condoreng.com/support/downloads/tutorials/ARINCTutorial.pdf
 */
#define DLT_A429	184

/*
 * Arinc 653 Interpartition Communication messages.
 * DLT_ requested by Gianluca Varenni <gianluca.varenni@cacetech.com>.
 * Please refer to the A653-1 standard for more information.
 */
#define DLT_A653_ICM	185

/*
 * USB packets, beginning with a USB setup header; requested by
 * Paolo Abeni <paolo.abeni@email.it>.
 */
#define DLT_USB	186

/*
 * Bluetooth HCI UART transport layer (part H:4); requested by
 * Paolo Abeni.
 */
#define DLT_BLUETOOTH_HCI_H4	187

/*
 * IEEE 802.16 MAC Common Part Sublayer; requested by Maria Cruz
 * <cruz_petagay@bah.com>.
 */
#define DLT_IEEE802_16_MAC_CPS	188

/*
 * USB packets, beginning with a Linux USB header; requested by
 * Paolo Abeni <paolo.abeni@email.it>.
 */
#define DLT_USB_LINUX	189

/*
 * Controller Area Network (CAN) v. 2.0B packets.
 * DLT_ requested by Gianluca Varenni <gianluca.varenni@cacetech.com>.
 * Used to dump CAN packets coming from a CAN Vector board.
* More documentation on the CAN v2.0B frames can be found at
 * http://www.can-cia.org/downloads/?269
 */
#define DLT_CAN20B	190

/*
 * IEEE 802.15.4, with address fields padded, as is done by Linux
 * drivers; requested by Juergen Schimmer.
 */
#define DLT_IEEE802_15_4_LINUX	191

/*
 * Per Packet Information encapsulated packets.
 * DLT_ requested by Gianluca Varenni <gianluca.varenni@cacetech.com>.
 */
#define DLT_PPI	192

/*
 * Header for 802.16 MAC Common Part Sublayer plus a radiotap radio header;
 * requested by Charles Clancy.
 */
#define DLT_IEEE802_16_MAC_CPS_RADIO	193

/*
 * Juniper-private data link type, as per request from
 * Hannes Gredler <hannes@juniper.net>.
 * The DLT_ is used for internal communication with an
 * integrated service module (ISM).
 */
#define DLT_JUNIPER_ISM	194

/*
 * IEEE 802.15.4, exactly as it appears in the spec (no padding, no
 * nothing); requested by Mikko Saarnivala <mikko.saarnivala@sensinode.com>.
 */
#define DLT_IEEE802_15_4	195

/*
 * Various link-layer types, with a pseudo-header, for SITA
 * (http://www.sita.aero/); requested by Fulko Hew (fulko.hew@gmail.com).
 */
#define DLT_SITA	196

/*
 * Various link-layer types, with a pseudo-header, for Endace DAG cards;
 * encapsulates Endace ERF records. Requested by Stephen Donnelly
 * <stephen@endace.com>.
 */
#define DLT_ERF	197

/*
 * Special header prepended to Ethernet packets when capturing from a
 * u10 Networks board. Requested by Phil Mulholland
 * <phil@u10networks.com>.
 */
#define DLT_RAIF1	198

/*
 * IPMB packet for IPMI, beginning with the I2C slave address, followed
 * by the netFn and LUN, etc.. Requested by Chanthy Toeung
 * <chanthy.toeung@ca.kontron.com>.
*/
#define DLT_IPMB	199

/*
 * Juniper-private data link type, as per request from
 * Hannes Gredler <hannes@juniper.net>.
 * The DLT_ is used for capturing data on a secure tunnel interface.
 */
#define DLT_JUNIPER_ST	200

/*
 * Bluetooth HCI UART transport layer (part H:4), with pseudo-header
 * that includes direction information; requested by Paolo Abeni.
 */
#define DLT_BLUETOOTH_HCI_H4_WITH_PHDR	201

/*
 * AX.25 packet with a 1-byte KISS header; see
 *
 *	http://www.ax25.net/kiss.htm
 *
 * as per Richard Stearn <richard@rns-stearn.demon.co.uk>.
 */
#define DLT_AX25_KISS	202

/*
 * LAPD packets from an ISDN channel, starting with the address field,
 * with no pseudo-header.
 * Requested by Varuna De Silva <varunax@gmail.com>.
 */
#define DLT_LAPD	203

/*
 * Variants of various link-layer headers, with a one-byte direction
 * pseudo-header prepended - zero means "received by this host",
 * non-zero (any non-zero value) means "sent by this host" - as per
 * Will Barker <w.barker@zen.co.uk>.
 */
#define DLT_PPP_WITH_DIR	204	/* PPP - don't confuse with DLT_PPP_WITH_DIRECTION */
#define DLT_C_HDLC_WITH_DIR	205	/* Cisco HDLC */
#define DLT_FRELAY_WITH_DIR	206	/* Frame Relay */
#define DLT_LAPB_WITH_DIR	207	/* LAPB */

/*
 * 208 is reserved for an as-yet-unspecified proprietary link-layer
 * type, as requested by Will Barker.
 */

/*
 * IPMB with a Linux-specific pseudo-header; as requested by Alexey Neyman
 * <avn@pigeonpoint.com>.
 */
#define DLT_IPMB_LINUX	209

/*
 * FlexRay automotive bus - http://www.flexray.com/ - as requested
 * by Hannes Kaelber <hannes.kaelber@x2e.de>.
*/
#define DLT_FLEXRAY	210

/*
 * Media Oriented Systems Transport (MOST) bus for multimedia
 * transport - http://www.mostcooperation.com/ - as requested
 * by Hannes Kaelber <hannes.kaelber@x2e.de>.
 */
#define DLT_MOST	211

/*
 * Local Interconnect Network (LIN) bus for vehicle networks -
 * http://www.lin-subbus.org/ - as requested by Hannes Kaelber
 * <hannes.kaelber@x2e.de>.
 */
#define DLT_LIN	212

/*
 * X2E-private data link type used for serial line capture,
 * as requested by Hannes Kaelber <hannes.kaelber@x2e.de>.
 */
#define DLT_X2E_SERIAL	213

/*
 * X2E-private data link type used for the Xoraya data logger
 * family, as requested by Hannes Kaelber <hannes.kaelber@x2e.de>.
 */
#define DLT_X2E_XORAYA	214

/*
 * IEEE 802.15.4, exactly as it appears in the spec (no padding, no
 * nothing), but with the PHY-level data for non-ASK PHYs (4 octets
 * of 0 as preamble, one octet of SFD, one octet of frame length+
 * reserved bit, and then the MAC-layer data, starting with the
 * frame control field).
 *
 * Requested by Max Filippov <jcmvbkbc@gmail.com>.
 */
#define DLT_IEEE802_15_4_NONASK_PHY	215

/*
 * David Gibson <david@gibson.dropbear.id.au> requested this for
 * captures from the Linux kernel /dev/input/eventN devices. This
 * is used to communicate keystrokes and mouse movements from the
 * Linux kernel to display systems, such as Xorg.
 *
 * NOTE(review): since the payload is keyboard and pointer input, a
 * savefile with this link type can hold typed text; store and share
 * such captures as sensitive data.
 */
#define DLT_LINUX_EVDEV	216

/*
 * GSM Um and Abis interfaces, preceded by a "gsmtap" header.
 *
 * Requested by Harald Welte <laforge@gnumonks.org>.
 */
#define DLT_GSMTAP_UM	217
#define DLT_GSMTAP_ABIS	218

/*
 * MPLS, with an MPLS label as the link-layer header.
 * Requested by Michele Marchetto <michele@openbsd.org> on behalf
 * of OpenBSD.
*/
#define DLT_MPLS	219

/*
 * USB packets, beginning with a Linux USB header, with the USB header
 * padded to 64 bytes; required for memory-mapped access.
 */
#define DLT_USB_LINUX_MMAPPED	220

/*
 * DECT packets, with a pseudo-header; requested by
 * Matthias Wenzel <tcpdump@mazzoo.de>.
 */
#define DLT_DECT	221

/*
 * From: "Lidwa, Eric (GSFC-582.0)[SGT INC]" <eric.lidwa-1@nasa.gov>
 * Date: Mon, 11 May 2009 11:18:30 -0500
 *
 * DLT_AOS. We need it for AOS Space Data Link Protocol.
 * I have already written dissectors for but need an OK from
 * legal before I can submit a patch.
 *
 */
#define DLT_AOS	222

/*
 * Wireless HART (Highway Addressable Remote Transducer)
 * From the HART Communication Foundation
 * IEC/PAS 62591
 *
 * Requested by Sam Roberts <vieuxtech@gmail.com>.
 */
#define DLT_WIHART	223

/*
 * Fibre Channel FC-2 frames, beginning with a Frame_Header.
 * Requested by Kahou Lei <kahou82@gmail.com>.
 */
#define DLT_FC_2	224

/*
 * Fibre Channel FC-2 frames, beginning with an encoding of the
 * SOF, and ending with an encoding of the EOF.
 *
 * The encodings represent the frame delimiters as 4-byte sequences
 * representing the corresponding ordered sets, with K28.5
 * represented as 0xBC, and the D symbols as the corresponding
 * byte values; for example, SOFi2, which is K28.5 - D21.5 - D1.2 - D21.2,
 * is represented as 0xBC 0xB5 0x55 0x55.
 *
 * Requested by Kahou Lei <kahou82@gmail.com>.
 */
#define DLT_FC_2_WITH_FRAME_DELIMS	225

/*
 * Solaris ipnet pseudo-header; requested by Darren Reed <Darren.Reed@Sun.COM>.
*
 * The pseudo-header starts with a one-byte version number; for version 2,
 * the pseudo-header is:
 *
 *	struct dl_ipnetinfo {
 *		u_int8_t   dli_version;
 *		u_int8_t   dli_family;
 *		u_int16_t  dli_htype;
 *		u_int32_t  dli_pktlen;
 *		u_int32_t  dli_ifindex;
 *		u_int32_t  dli_grifindex;
 *		u_int32_t  dli_zsrc;
 *		u_int32_t  dli_zdst;
 *	};
 *
 * dli_version is 2 for the current version of the pseudo-header.
 *
 * dli_family is a Solaris address family value, so it's 2 for IPv4
 * and 26 for IPv6.
 *
 * dli_htype is a "hook type" - 0 for incoming packets, 1 for outgoing
 * packets, and 2 for packets arriving from another zone on the same
 * machine.
 *
 * dli_pktlen is the length of the packet data following the pseudo-header
 * (so the captured length minus dli_pktlen is the length of the
 * pseudo-header, assuming the entire pseudo-header was captured).
 *
 * NOTE(review): dli_pktlen is read from the capture itself, so a reader
 * should check that it does not exceed the captured length before doing
 * that subtraction, and should not trust the result as a header length
 * without comparing it to the size of the structure it expects.
 *
 * dli_ifindex is the interface index of the interface on which the
 * packet arrived.
 *
 * dli_grifindex is the group interface index number (for IPMP interfaces).
 *
 * dli_zsrc is the zone identifier for the source of the packet.
 *
 * dli_zdst is the zone identifier for the destination of the packet.
 *
 * A zone number of 0 is the global zone; a zone number of 0xffffffff
 * means that the packet arrived from another host on the network, not
 * from another zone on the same machine.
 *
 * An IPv4 or IPv6 datagram follows the pseudo-header; dli_family indicates
 * which of those it is.
 */
#define DLT_IPNET	226

/*
 * CAN (Controller Area Network) frames, with a pseudo-header as supplied
 * by Linux SocketCAN. See Documentation/networking/can.txt in the Linux
 * source.
 *
 * Requested by Felix Obenhuber <felix@obenhuber.de>.
953 */ 954 #define DLT_CAN_SOCKETCAN 227 955 956 /* 957 * Raw IPv4/IPv6; different from DLT_RAW in that the DLT_ value specifies 958 * whether it's v4 or v6. Requested by Darren Reed <Darren.Reed@Sun.COM>. 959 */ 960 #define DLT_IPV4 228 961 #define DLT_IPV6 229 962 963 /* 964 * DLT and savefile link type values are split into a class and 965 * a member of that class. A class value of 0 indicates a regular 966 * DLT_/LINKTYPE_ value. 967 */ 968 #define DLT_CLASS(x) ((x) & 0x03ff0000) 969 970 /* 971 * NetBSD-specific generic "raw" link type. The class value indicates 972 * that this is the generic raw type, and the lower 16 bits are the 973 * address family we're dealing with. Those values are NetBSD-specific; 974 * do not assume that they correspond to AF_ values for your operating 975 * system. 976 */ 977 #define DLT_CLASS_NETBSD_RAWAF 0x02240000 978 #define DLT_NETBSD_RAWAF(af) (DLT_CLASS_NETBSD_RAWAF | (af)) 979 #define DLT_NETBSD_RAWAF_AF(x) ((x) & 0x0000ffff) 980 #define DLT_IS_NETBSD_RAWAF(x) (DLT_CLASS(x) == DLT_CLASS_NETBSD_RAWAF) 981 982 983 /* 984 * The instruction encodings. 
985 */ 986 /* instruction classes */ 987 #define BPF_CLASS(code) ((code) & 0x07) 988 #define BPF_LD 0x00 989 #define BPF_LDX 0x01 990 #define BPF_ST 0x02 991 #define BPF_STX 0x03 992 #define BPF_ALU 0x04 993 #define BPF_JMP 0x05 994 #define BPF_RET 0x06 995 #define BPF_MISC 0x07 996 997 /* ld/ldx fields */ 998 #define BPF_SIZE(code) ((code) & 0x18) 999 #define BPF_W 0x00 1000 #define BPF_H 0x08 1001 #define BPF_B 0x10 1002 #define BPF_MODE(code) ((code) & 0xe0) 1003 #define BPF_IMM 0x00 1004 #define BPF_ABS 0x20 1005 #define BPF_IND 0x40 1006 #define BPF_MEM 0x60 1007 #define BPF_LEN 0x80 1008 #define BPF_MSH 0xa0 1009 1010 /* alu/jmp fields */ 1011 #define BPF_OP(code) ((code) & 0xf0) 1012 #define BPF_ADD 0x00 1013 #define BPF_SUB 0x10 1014 #define BPF_MUL 0x20 1015 #define BPF_DIV 0x30 1016 #define BPF_OR 0x40 1017 #define BPF_AND 0x50 1018 #define BPF_LSH 0x60 1019 #define BPF_RSH 0x70 1020 #define BPF_NEG 0x80 1021 #define BPF_JA 0x00 1022 #define BPF_JEQ 0x10 1023 #define BPF_JGT 0x20 1024 #define BPF_JGE 0x30 1025 #define BPF_JSET 0x40 1026 #define BPF_SRC(code) ((code) & 0x08) 1027 #define BPF_K 0x00 1028 #define BPF_X 0x08 1029 1030 /* ret - BPF_K and BPF_X also apply */ 1031 #define BPF_RVAL(code) ((code) & 0x18) 1032 #define BPF_A 0x10 1033 1034 /* misc */ 1035 #define BPF_MISCOP(code) ((code) & 0xf8) 1036 #define BPF_TAX 0x00 1037 #define BPF_TXA 0x80 1038 1039 /* 1040 * The instruction data structure. 1041 */ 1042 struct bpf_insn { 1043 u_short code; 1044 u_char jt; 1045 u_char jf; 1046 bpf_u_int32 k; 1047 }; 1048 1049 /* 1050 * Macros for insn array initializers. 
1051 */ 1052 #define BPF_STMT(code, k) { (u_short)(code), 0, 0, k } 1053 #define BPF_JUMP(code, k, jt, jf) { (u_short)(code), jt, jf, k } 1054 1055 #if __STDC__ || defined(__cplusplus) 1056 extern int bpf_validate(const struct bpf_insn *, int); 1057 extern u_int bpf_filter(struct bpf_insn *, u_char *, u_int, u_int); 1058 #else 1059 extern int bpf_validate(); 1060 extern u_int bpf_filter(); 1061 #endif 1062 1063 /* 1064 * Number of scratch memory words (for BPF_LD|BPF_MEM and BPF_ST). 1065 */ 1066 #define BPF_MEMWORDS 16 1067 1068 #ifdef __cplusplus 1069 } 1070 #endif 1071 1072 #endif 1073