xref: /freebsd/sys/net/bpf.h (revision 6472ac3d8a86336899b6cfb789a4cd9897e3fab5)
1 /*-
2  * Copyright (c) 1990, 1991, 1993
3  *	The Regents of the University of California.  All rights reserved.
4  *
5  * This code is derived from the Stanford/CMU enet packet filter,
6  * (net/enet.c) distributed as part of 4.3BSD, and code contributed
7  * to Berkeley by Steven McCanne and Van Jacobson both of Lawrence
8  * Berkeley Laboratory.
9  *
10  * Redistribution and use in source and binary forms, with or without
11  * modification, are permitted provided that the following conditions
12  * are met:
13  * 1. Redistributions of source code must retain the above copyright
14  *    notice, this list of conditions and the following disclaimer.
15  * 2. Redistributions in binary form must reproduce the above copyright
16  *    notice, this list of conditions and the following disclaimer in the
17  *    documentation and/or other materials provided with the distribution.
18  * 4. Neither the name of the University nor the names of its contributors
19  *    may be used to endorse or promote products derived from this software
20  *    without specific prior written permission.
21  *
22  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
23  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
26  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32  * SUCH DAMAGE.
33  *
34  *      @(#)bpf.h	8.1 (Berkeley) 6/10/93
35  *	@(#)bpf.h	1.34 (LBL)     6/16/96
36  *
37  * $FreeBSD$
38  */
39 
40 #ifndef _NET_BPF_H_
41 #define _NET_BPF_H_
42 
43 /* BSD style release date */
44 #define	BPF_RELEASE 199606
45 
46 typedef	int32_t	  bpf_int32;
47 typedef	u_int32_t bpf_u_int32;
48 typedef	int64_t	  bpf_int64;
49 typedef	u_int64_t bpf_u_int64;
50 
51 /*
52  * Alignment macros.  BPF_WORDALIGN rounds up to the next
53  * even multiple of BPF_ALIGNMENT.
54  */
55 #define BPF_ALIGNMENT sizeof(long)
56 #define BPF_WORDALIGN(x) (((x)+(BPF_ALIGNMENT-1))&~(BPF_ALIGNMENT-1))
57 
58 #define BPF_MAXINSNS 512
59 #define BPF_MAXBUFSIZE 0x80000
60 #define BPF_MINBUFSIZE 32
61 
62 /*
63  *  Structure for BIOCSETF.
64  */
65 struct bpf_program {
66 	u_int bf_len;
67 	struct bpf_insn *bf_insns;
68 };
69 
70 /*
71  * Struct returned by BIOCGSTATS.
72  */
73 struct bpf_stat {
74 	u_int bs_recv;		/* number of packets received */
75 	u_int bs_drop;		/* number of packets dropped */
76 };
77 
78 /*
79  * Struct return by BIOCVERSION.  This represents the version number of
80  * the filter language described by the instruction encodings below.
81  * bpf understands a program iff kernel_major == filter_major &&
82  * kernel_minor >= filter_minor, that is, if the value returned by the
83  * running kernel has the same major number and a minor number equal
84  * equal to or less than the filter being downloaded.  Otherwise, the
85  * results are undefined, meaning an error may be returned or packets
86  * may be accepted haphazardly.
87  * It has nothing to do with the source code version.
88  */
89 struct bpf_version {
90 	u_short bv_major;
91 	u_short bv_minor;
92 };
93 /* Current version number of filter architecture. */
94 #define BPF_MAJOR_VERSION 1
95 #define BPF_MINOR_VERSION 1
96 
97 /*
98  * Historically, BPF has supported a single buffering model, first using mbuf
99  * clusters in kernel, and later using malloc(9) buffers in kernel.  We now
100  * support multiple buffering modes, which may be queried and set using
101  * BIOCGETBUFMODE and BIOCSETBUFMODE.  So as to avoid handling the complexity
102  * of changing modes while sniffing packets, the mode becomes fixed once an
103  * interface has been attached to the BPF descriptor.
104  */
105 #define	BPF_BUFMODE_BUFFER	1	/* Kernel buffers with read(). */
106 #define	BPF_BUFMODE_ZBUF	2	/* Zero-copy buffers. */
107 
108 /*-
109  * Struct used by BIOCSETZBUF, BIOCROTZBUF: describes up to two zero-copy
110  * buffer as used by BPF.
111  */
112 struct bpf_zbuf {
113 	void	*bz_bufa;	/* Location of 'a' zero-copy buffer. */
114 	void	*bz_bufb;	/* Location of 'b' zero-copy buffer. */
115 	size_t	 bz_buflen;	/* Size of zero-copy buffers. */
116 };
117 
118 #define	BIOCGBLEN	_IOR('B', 102, u_int)
119 #define	BIOCSBLEN	_IOWR('B', 102, u_int)
120 #define	BIOCSETF	_IOW('B', 103, struct bpf_program)
121 #define	BIOCFLUSH	_IO('B', 104)
122 #define	BIOCPROMISC	_IO('B', 105)
123 #define	BIOCGDLT	_IOR('B', 106, u_int)
124 #define	BIOCGETIF	_IOR('B', 107, struct ifreq)
125 #define	BIOCSETIF	_IOW('B', 108, struct ifreq)
126 #define	BIOCSRTIMEOUT	_IOW('B', 109, struct timeval)
127 #define	BIOCGRTIMEOUT	_IOR('B', 110, struct timeval)
128 #define	BIOCGSTATS	_IOR('B', 111, struct bpf_stat)
129 #define	BIOCIMMEDIATE	_IOW('B', 112, u_int)
130 #define	BIOCVERSION	_IOR('B', 113, struct bpf_version)
131 #define	BIOCGRSIG	_IOR('B', 114, u_int)
132 #define	BIOCSRSIG	_IOW('B', 115, u_int)
133 #define	BIOCGHDRCMPLT	_IOR('B', 116, u_int)
134 #define	BIOCSHDRCMPLT	_IOW('B', 117, u_int)
135 #define	BIOCGDIRECTION	_IOR('B', 118, u_int)
136 #define	BIOCSDIRECTION	_IOW('B', 119, u_int)
137 #define	BIOCSDLT	_IOW('B', 120, u_int)
138 #define	BIOCGDLTLIST	_IOWR('B', 121, struct bpf_dltlist)
139 #define	BIOCLOCK	_IO('B', 122)
140 #define	BIOCSETWF	_IOW('B', 123, struct bpf_program)
141 #define	BIOCFEEDBACK	_IOW('B', 124, u_int)
142 #define	BIOCGETBUFMODE	_IOR('B', 125, u_int)
143 #define	BIOCSETBUFMODE	_IOW('B', 126, u_int)
144 #define	BIOCGETZMAX	_IOR('B', 127, size_t)
145 #define	BIOCROTZBUF	_IOR('B', 128, struct bpf_zbuf)
146 #define	BIOCSETZBUF	_IOW('B', 129, struct bpf_zbuf)
147 #define	BIOCSETFNR	_IOW('B', 130, struct bpf_program)
148 #define	BIOCGTSTAMP	_IOR('B', 131, u_int)
149 #define	BIOCSTSTAMP	_IOW('B', 132, u_int)
150 
151 /* Obsolete */
152 #define	BIOCGSEESENT	BIOCGDIRECTION
153 #define	BIOCSSEESENT	BIOCSDIRECTION
154 
155 /* Packet directions */
156 enum bpf_direction {
157 	BPF_D_IN,	/* See incoming packets */
158 	BPF_D_INOUT,	/* See incoming and outgoing packets */
159 	BPF_D_OUT	/* See outgoing packets */
160 };
161 
162 /* Time stamping functions */
163 #define	BPF_T_MICROTIME		0x0000
164 #define	BPF_T_NANOTIME		0x0001
165 #define	BPF_T_BINTIME		0x0002
166 #define	BPF_T_NONE		0x0003
167 #define	BPF_T_FORMAT_MASK	0x0003
168 #define	BPF_T_NORMAL		0x0000
169 #define	BPF_T_FAST		0x0100
170 #define	BPF_T_MONOTONIC		0x0200
171 #define	BPF_T_MONOTONIC_FAST	(BPF_T_FAST | BPF_T_MONOTONIC)
172 #define	BPF_T_FLAG_MASK		0x0300
173 #define	BPF_T_FORMAT(t)		((t) & BPF_T_FORMAT_MASK)
174 #define	BPF_T_FLAG(t)		((t) & BPF_T_FLAG_MASK)
175 #define	BPF_T_VALID(t)						\
176     ((t) == BPF_T_NONE || (BPF_T_FORMAT(t) != BPF_T_NONE &&	\
177     ((t) & ~(BPF_T_FORMAT_MASK | BPF_T_FLAG_MASK)) == 0))
178 
179 #define	BPF_T_MICROTIME_FAST		(BPF_T_MICROTIME | BPF_T_FAST)
180 #define	BPF_T_NANOTIME_FAST		(BPF_T_NANOTIME | BPF_T_FAST)
181 #define	BPF_T_BINTIME_FAST		(BPF_T_BINTIME | BPF_T_FAST)
182 #define	BPF_T_MICROTIME_MONOTONIC	(BPF_T_MICROTIME | BPF_T_MONOTONIC)
183 #define	BPF_T_NANOTIME_MONOTONIC	(BPF_T_NANOTIME | BPF_T_MONOTONIC)
184 #define	BPF_T_BINTIME_MONOTONIC		(BPF_T_BINTIME | BPF_T_MONOTONIC)
185 #define	BPF_T_MICROTIME_MONOTONIC_FAST	(BPF_T_MICROTIME | BPF_T_MONOTONIC_FAST)
186 #define	BPF_T_NANOTIME_MONOTONIC_FAST	(BPF_T_NANOTIME | BPF_T_MONOTONIC_FAST)
187 #define	BPF_T_BINTIME_MONOTONIC_FAST	(BPF_T_BINTIME | BPF_T_MONOTONIC_FAST)
188 
189 /*
190  * Structure prepended to each packet.
191  */
192 struct bpf_ts {
193 	bpf_int64	bt_sec;		/* seconds */
194 	bpf_u_int64	bt_frac;	/* fraction */
195 };
196 struct bpf_xhdr {
197 	struct bpf_ts	bh_tstamp;	/* time stamp */
198 	bpf_u_int32	bh_caplen;	/* length of captured portion */
199 	bpf_u_int32	bh_datalen;	/* original length of packet */
200 	u_short		bh_hdrlen;	/* length of bpf header (this struct
201 					   plus alignment padding) */
202 };
203 /* Obsolete */
204 struct bpf_hdr {
205 	struct timeval	bh_tstamp;	/* time stamp */
206 	bpf_u_int32	bh_caplen;	/* length of captured portion */
207 	bpf_u_int32	bh_datalen;	/* original length of packet */
208 	u_short		bh_hdrlen;	/* length of bpf header (this struct
209 					   plus alignment padding) */
210 };
211 #ifdef _KERNEL
212 #define	MTAG_BPF		0x627066
213 #define	MTAG_BPF_TIMESTAMP	0
214 #endif
215 
216 /*
217  * When using zero-copy BPF buffers, a shared memory header is present
218  * allowing the kernel BPF implementation and user process to synchronize
219  * without using system calls.  This structure defines that header.  When
220  * accessing these fields, appropriate atomic operation and memory barriers
221  * are required in order not to see stale or out-of-order data; see bpf(4)
222  * for reference code to access these fields from userspace.
223  *
224  * The layout of this structure is critical, and must not be changed; if must
225  * fit in a single page on all architectures.
226  */
227 struct bpf_zbuf_header {
228 	volatile u_int	bzh_kernel_gen;	/* Kernel generation number. */
229 	volatile u_int	bzh_kernel_len;	/* Length of data in the buffer. */
230 	volatile u_int	bzh_user_gen;	/* User generation number. */
231 	u_int _bzh_pad[5];
232 };
233 
234 /*
235  * Data-link level type codes.
236  */
237 #define DLT_NULL	0	/* BSD loopback encapsulation */
238 #define DLT_EN10MB	1	/* Ethernet (10Mb) */
239 #define DLT_EN3MB	2	/* Experimental Ethernet (3Mb) */
240 #define DLT_AX25	3	/* Amateur Radio AX.25 */
241 #define DLT_PRONET	4	/* Proteon ProNET Token Ring */
242 #define DLT_CHAOS	5	/* Chaos */
243 #define DLT_IEEE802	6	/* IEEE 802 Networks */
244 #define DLT_ARCNET	7	/* ARCNET */
245 #define DLT_SLIP	8	/* Serial Line IP */
246 #define DLT_PPP		9	/* Point-to-point Protocol */
247 #define DLT_FDDI	10	/* FDDI */
248 #define DLT_ATM_RFC1483	11	/* LLC/SNAP encapsulated atm */
249 #define DLT_RAW		12	/* raw IP */
250 
251 /*
252  * These are values from BSD/OS's "bpf.h".
253  * These are not the same as the values from the traditional libpcap
254  * "bpf.h"; however, these values shouldn't be generated by any
255  * OS other than BSD/OS, so the correct values to use here are the
256  * BSD/OS values.
257  *
258  * Platforms that have already assigned these values to other
259  * DLT_ codes, however, should give these codes the values
260  * from that platform, so that programs that use these codes will
261  * continue to compile - even though they won't correctly read
262  * files of these types.
263  */
264 #define DLT_SLIP_BSDOS	15	/* BSD/OS Serial Line IP */
265 #define DLT_PPP_BSDOS	16	/* BSD/OS Point-to-point Protocol */
266 
267 #define DLT_ATM_CLIP	19	/* Linux Classical-IP over ATM */
268 
269 /*
270  * These values are defined by NetBSD; other platforms should refrain from
271  * using them for other purposes, so that NetBSD savefiles with link
272  * types of 50 or 51 can be read as this type on all platforms.
273  */
274 #define DLT_PPP_SERIAL	50	/* PPP over serial with HDLC encapsulation */
275 #define DLT_PPP_ETHER	51	/* PPP over Ethernet */
276 
277 /*
278  * Reserved for the Symantec Enterprise Firewall.
279  */
280 #define DLT_SYMANTEC_FIREWALL	99
281 
282 
283 /*
284  * This value was defined by libpcap 0.5; platforms that have defined
285  * it with a different value should define it here with that value -
286  * a link type of 104 in a save file will be mapped to DLT_C_HDLC,
287  * whatever value that happens to be, so programs will correctly
288  * handle files with that link type regardless of the value of
289  * DLT_C_HDLC.
290  *
291  * The name DLT_C_HDLC was used by BSD/OS; we use that name for source
292  * compatibility with programs written for BSD/OS.
293  *
294  * libpcap 0.5 defined it as DLT_CHDLC; we define DLT_CHDLC as well,
295  * for source compatibility with programs written for libpcap 0.5.
296  */
297 #define DLT_C_HDLC	104	/* Cisco HDLC */
298 #define DLT_CHDLC	DLT_C_HDLC
299 
300 #define DLT_IEEE802_11	105	/* IEEE 802.11 wireless */
301 
302 /*
303  * Values between 106 and 107 are used in capture file headers as
304  * link-layer types corresponding to DLT_ types that might differ
305  * between platforms; don't use those values for new DLT_ new types.
306  */
307 
308 /*
309  * Frame Relay; BSD/OS has a DLT_FR with a value of 11, but that collides
310  * with other values.
311  * DLT_FR and DLT_FRELAY packets start with the Q.922 Frame Relay header
312  * (DLCI, etc.).
313  */
314 #define DLT_FRELAY	107
315 
316 /*
317  * OpenBSD DLT_LOOP, for loopback devices; it's like DLT_NULL, except
318  * that the AF_ type in the link-layer header is in network byte order.
319  *
320  * OpenBSD defines it as 12, but that collides with DLT_RAW, so we
321  * define it as 108 here.  If OpenBSD picks up this file, it should
322  * define DLT_LOOP as 12 in its version, as per the comment above -
323  * and should not use 108 as a DLT_ value.
324  */
325 #define DLT_LOOP	108
326 
327 /*
328  * Values between 109 and 112 are used in capture file headers as
329  * link-layer types corresponding to DLT_ types that might differ
330  * between platforms; don't use those values for new DLT_ new types.
331  */
332 
333 /*
334  * Encapsulated packets for IPsec; DLT_ENC is 13 in OpenBSD, but that's
335  * DLT_SLIP_BSDOS in NetBSD, so we don't use 13 for it in OSes other
336  * than OpenBSD.
337  */
338 #define DLT_ENC	109
339 
340 /*
341  * This is for Linux cooked sockets.
342  */
343 #define DLT_LINUX_SLL	113
344 
345 /*
346  * Apple LocalTalk hardware.
347  */
348 #define DLT_LTALK	114
349 
350 /*
351  * Acorn Econet.
352  */
353 #define DLT_ECONET	115
354 
355 /*
356  * Reserved for use with OpenBSD ipfilter.
357  */
358 #define DLT_IPFILTER	116
359 
360 /*
361  * Reserved for use in capture-file headers as a link-layer type
362  * corresponding to OpenBSD DLT_PFLOG; DLT_PFLOG is 17 in OpenBSD,
363  * but that's DLT_LANE8023 in SuSE 6.3, so we can't use 17 for it
364  * in capture-file headers.
365  */
366 #define DLT_PFLOG	117
367 
368 /*
369  * Registered for Cisco-internal use.
370  */
371 #define DLT_CISCO_IOS	118
372 
373 /*
374  * Reserved for 802.11 cards using the Prism II chips, with a link-layer
375  * header including Prism monitor mode information plus an 802.11
376  * header.
377  */
378 #define DLT_PRISM_HEADER	119
379 
380 /*
381  * Reserved for Aironet 802.11 cards, with an Aironet link-layer header
382  * (see Doug Ambrisko's FreeBSD patches).
383  */
384 #define DLT_AIRONET_HEADER	120
385 
386 /*
387  * Reserved for use by OpenBSD's pfsync device.
388  */
389 #define DLT_PFSYNC	121
390 
391 /*
392  * Reserved for Siemens HiPath HDLC. XXX
393  */
394 #define DLT_HHDLC	121
395 
396 /*
397  * Reserved for RFC 2625 IP-over-Fibre Channel.
398  */
399 #define DLT_IP_OVER_FC	122
400 
401 /*
402  * Reserved for Full Frontal ATM on Solaris.
403  */
404 #define DLT_SUNATM	123
405 
406 /*
407  * Reserved as per request from Kent Dahlgren <kent@praesum.com>
408  * for private use.
409  */
410 #define DLT_RIO		124	/* RapidIO */
411 #define DLT_PCI_EXP	125	/* PCI Express */
412 #define DLT_AURORA	126	/* Xilinx Aurora link layer */
413 
414 /*
415  * BSD header for 802.11 plus a number of bits of link-layer information
416  * including radio information.
417  */
418 #ifndef DLT_IEEE802_11_RADIO
419 #define DLT_IEEE802_11_RADIO	127
420 #endif
421 
422 /*
423  * Reserved for TZSP encapsulation.
424  */
425 #define DLT_TZSP		128	/* Tazmen Sniffer Protocol */
426 
427 /*
428  * Reserved for Linux ARCNET.
429  */
430 #define DLT_ARCNET_LINUX	129
431 
432 /*
433  * Juniper-private data link types.
434  */
435 #define DLT_JUNIPER_MLPPP	130
436 #define DLT_JUNIPER_MLFR	131
437 #define DLT_JUNIPER_ES		132
438 #define DLT_JUNIPER_GGSN	133
439 #define DLT_JUNIPER_MFR		134
440 #define DLT_JUNIPER_ATM2	135
441 #define DLT_JUNIPER_SERVICES	136
442 #define DLT_JUNIPER_ATM1	137
443 
444 /*
445  * Apple IP-over-IEEE 1394, as per a request from Dieter Siegmund
446  * <dieter@apple.com>.  The header that's presented is an Ethernet-like
447  * header:
448  *
449  *	#define FIREWIRE_EUI64_LEN	8
450  *	struct firewire_header {
451  *		u_char  firewire_dhost[FIREWIRE_EUI64_LEN];
452  *		u_char  firewire_shost[FIREWIRE_EUI64_LEN];
453  *		u_short firewire_type;
454  *	};
455  *
456  * with "firewire_type" being an Ethernet type value, rather than,
457  * for example, raw GASP frames being handed up.
458  */
459 #define DLT_APPLE_IP_OVER_IEEE1394	138
460 
461 /*
462  * Various SS7 encapsulations, as per a request from Jeff Morriss
463  * <jeff.morriss[AT]ulticom.com> and subsequent discussions.
464  */
465 #define DLT_MTP2_WITH_PHDR	139	/* pseudo-header with various info, followed by MTP2 */
466 #define DLT_MTP2		140	/* MTP2, without pseudo-header */
467 #define DLT_MTP3		141	/* MTP3, without pseudo-header or MTP2 */
468 #define DLT_SCCP		142	/* SCCP, without pseudo-header or MTP2 or MTP3 */
469 
470 /*
471  * Reserved for DOCSIS.
472  */
473 #define DLT_DOCSIS	143
474 
475 /*
476  * Reserved for Linux IrDA.
477  */
478 #define DLT_LINUX_IRDA	144
479 
480 /*
481  * Reserved for IBM SP switch and IBM Next Federation switch.
482  */
483 #define DLT_IBM_SP	145
484 #define DLT_IBM_SN	146
485 
486 /*
487  * Reserved for private use.  If you have some link-layer header type
488  * that you want to use within your organization, with the capture files
489  * using that link-layer header type not ever be sent outside your
490  * organization, you can use these values.
491  *
492  * No libpcap release will use these for any purpose, nor will any
493  * tcpdump release use them, either.
494  *
495  * Do *NOT* use these in capture files that you expect anybody not using
496  * your private versions of capture-file-reading tools to read; in
497  * particular, do *NOT* use them in products, otherwise you may find that
498  * people won't be able to use tcpdump, or snort, or Ethereal, or... to
499  * read capture files from your firewall/intrusion detection/traffic
500  * monitoring/etc. appliance, or whatever product uses that DLT_ value,
501  * and you may also find that the developers of those applications will
502  * not accept patches to let them read those files.
503  *
504  * Also, do not use them if somebody might send you a capture using them
505  * for *their* private type and tools using them for *your* private type
506  * would have to read them.
507  *
508  * Instead, ask "tcpdump-workers@tcpdump.org" for a new DLT_ value,
509  * as per the comment above, and use the type you're given.
510  */
511 #define DLT_USER0		147
512 #define DLT_USER1		148
513 #define DLT_USER2		149
514 #define DLT_USER3		150
515 #define DLT_USER4		151
516 #define DLT_USER5		152
517 #define DLT_USER6		153
518 #define DLT_USER7		154
519 #define DLT_USER8		155
520 #define DLT_USER9		156
521 #define DLT_USER10		157
522 #define DLT_USER11		158
523 #define DLT_USER12		159
524 #define DLT_USER13		160
525 #define DLT_USER14		161
526 #define DLT_USER15		162
527 
528 /*
529  * For future use with 802.11 captures - defined by AbsoluteValue
530  * Systems to store a number of bits of link-layer information
531  * including radio information:
532  *
533  *	http://www.shaftnet.org/~pizza/software/capturefrm.txt
534  *
535  * but it might be used by some non-AVS drivers now or in the
536  * future.
537  */
538 #define DLT_IEEE802_11_RADIO_AVS 163	/* 802.11 plus AVS radio header */
539 
540 /*
541  * Juniper-private data link type, as per request from
542  * Hannes Gredler <hannes@juniper.net>.  The DLT_s are used
543  * for passing on chassis-internal metainformation such as
544  * QOS profiles, etc..
545  */
546 #define DLT_JUNIPER_MONITOR     164
547 
548 /*
549  * Reserved for BACnet MS/TP.
550  */
551 #define DLT_BACNET_MS_TP	165
552 
553 /*
554  * Another PPP variant as per request from Karsten Keil <kkeil@suse.de>.
555  *
556  * This is used in some OSes to allow a kernel socket filter to distinguish
557  * between incoming and outgoing packets, on a socket intended to
558  * supply pppd with outgoing packets so it can do dial-on-demand and
559  * hangup-on-lack-of-demand; incoming packets are filtered out so they
560  * don't cause pppd to hold the connection up (you don't want random
561  * input packets such as port scans, packets from old lost connections,
562  * etc. to force the connection to stay up).
563  *
564  * The first byte of the PPP header (0xff03) is modified to accomodate
565  * the direction - 0x00 = IN, 0x01 = OUT.
566  */
567 #define DLT_PPP_PPPD		166
568 
569 /*
570  * Names for backwards compatibility with older versions of some PPP
571  * software; new software should use DLT_PPP_PPPD.
572  */
573 #define DLT_PPP_WITH_DIRECTION	DLT_PPP_PPPD
574 #define DLT_LINUX_PPP_WITHDIRECTION	DLT_PPP_PPPD
575 
576 /*
577  * Juniper-private data link type, as per request from
578  * Hannes Gredler <hannes@juniper.net>.  The DLT_s are used
579  * for passing on chassis-internal metainformation such as
580  * QOS profiles, cookies, etc..
581  */
582 #define DLT_JUNIPER_PPPOE       167
583 #define DLT_JUNIPER_PPPOE_ATM   168
584 
585 #define DLT_GPRS_LLC		169	/* GPRS LLC */
586 #define DLT_GPF_T		170	/* GPF-T (ITU-T G.7041/Y.1303) */
587 #define DLT_GPF_F		171	/* GPF-F (ITU-T G.7041/Y.1303) */
588 
589 /*
590  * Requested by Oolan Zimmer <oz@gcom.com> for use in Gcom's T1/E1 line
591  * monitoring equipment.
592  */
593 #define DLT_GCOM_T1E1		172
594 #define DLT_GCOM_SERIAL		173
595 
596 /*
597  * Juniper-private data link type, as per request from
598  * Hannes Gredler <hannes@juniper.net>.  The DLT_ is used
599  * for internal communication to Physical Interface Cards (PIC)
600  */
601 #define DLT_JUNIPER_PIC_PEER    174
602 
603 /*
604  * Link types requested by Gregor Maier <gregor@endace.com> of Endace
605  * Measurement Systems.  They add an ERF header (see
606  * http://www.endace.com/support/EndaceRecordFormat.pdf) in front of
607  * the link-layer header.
608  */
609 #define DLT_ERF_ETH		175	/* Ethernet */
610 #define DLT_ERF_POS		176	/* Packet-over-SONET */
611 
612 /*
613  * Requested by Daniele Orlandi <daniele@orlandi.com> for raw LAPD
614  * for vISDN (http://www.orlandi.com/visdn/).  Its link-layer header
615  * includes additional information before the LAPD header, so it's
616  * not necessarily a generic LAPD header.
617  */
618 #define DLT_LINUX_LAPD		177
619 
620 /*
621  * Juniper-private data link type, as per request from
622  * Hannes Gredler <hannes@juniper.net>.
623  * The DLT_ are used for prepending meta-information
624  * like interface index, interface name
625  * before standard Ethernet, PPP, Frelay & C-HDLC Frames
626  */
627 #define DLT_JUNIPER_ETHER       178
628 #define DLT_JUNIPER_PPP         179
629 #define DLT_JUNIPER_FRELAY      180
630 #define DLT_JUNIPER_CHDLC       181
631 
632 /*
633  * Multi Link Frame Relay (FRF.16)
634  */
635 #define DLT_MFR                 182
636 
637 /*
638  * Juniper-private data link type, as per request from
639  * Hannes Gredler <hannes@juniper.net>.
640  * The DLT_ is used for internal communication with a
641  * voice Adapter Card (PIC)
642  */
643 #define DLT_JUNIPER_VP          183
644 
645 /*
646  * Arinc 429 frames.
647  * DLT_ requested by Gianluca Varenni <gianluca.varenni@cacetech.com>.
648  * Every frame contains a 32bit A429 label.
649  * More documentation on Arinc 429 can be found at
650  * http://www.condoreng.com/support/downloads/tutorials/ARINCTutorial.pdf
651  */
652 #define DLT_A429                184
653 
654 /*
655  * Arinc 653 Interpartition Communication messages.
656  * DLT_ requested by Gianluca Varenni <gianluca.varenni@cacetech.com>.
657  * Please refer to the A653-1 standard for more information.
658  */
659 #define DLT_A653_ICM            185
660 
661 /*
662  * USB packets, beginning with a USB setup header; requested by
663  * Paolo Abeni <paolo.abeni@email.it>.
664  */
665 #define DLT_USB			186
666 
667 /*
668  * Bluetooth HCI UART transport layer (part H:4); requested by
669  * Paolo Abeni.
670  */
671 #define DLT_BLUETOOTH_HCI_H4	187
672 
673 /*
674  * IEEE 802.16 MAC Common Part Sublayer; requested by Maria Cruz
675  * <cruz_petagay@bah.com>.
676  */
677 #define DLT_IEEE802_16_MAC_CPS	188
678 
679 /*
680  * USB packets, beginning with a Linux USB header; requested by
681  * Paolo Abeni <paolo.abeni@email.it>.
682  */
683 #define DLT_USB_LINUX		189
684 
685 /*
686  * Controller Area Network (CAN) v. 2.0B packets.
687  * DLT_ requested by Gianluca Varenni <gianluca.varenni@cacetech.com>.
688  * Used to dump CAN packets coming from a CAN Vector board.
689  * More documentation on the CAN v2.0B frames can be found at
690  * http://www.can-cia.org/downloads/?269
691  */
692 #define DLT_CAN20B              190
693 
694 /*
695  * IEEE 802.15.4, with address fields padded, as is done by Linux
696  * drivers; requested by Juergen Schimmer.
697  */
698 #define DLT_IEEE802_15_4_LINUX	191
699 
700 /*
701  * Per Packet Information encapsulated packets.
702  * DLT_ requested by Gianluca Varenni <gianluca.varenni@cacetech.com>.
703  */
704 #define DLT_PPI			192
705 
706 /*
707  * Header for 802.16 MAC Common Part Sublayer plus a radiotap radio header;
708  * requested by Charles Clancy.
709  */
710 #define DLT_IEEE802_16_MAC_CPS_RADIO	193
711 
712 /*
713  * Juniper-private data link type, as per request from
714  * Hannes Gredler <hannes@juniper.net>.
715  * The DLT_ is used for internal communication with a
716  * integrated service module (ISM).
717  */
718 #define DLT_JUNIPER_ISM         194
719 
720 /*
721  * IEEE 802.15.4, exactly as it appears in the spec (no padding, no
722  * nothing); requested by Mikko Saarnivala <mikko.saarnivala@sensinode.com>.
723  */
724 #define DLT_IEEE802_15_4	195
725 
726 /*
727  * Various link-layer types, with a pseudo-header, for SITA
728  * (http://www.sita.aero/); requested by Fulko Hew (fulko.hew@gmail.com).
729  */
730 #define DLT_SITA		196
731 
732 /*
733  * Various link-layer types, with a pseudo-header, for Endace DAG cards;
734  * encapsulates Endace ERF records.  Requested by Stephen Donnelly
735  * <stephen@endace.com>.
736  */
737 #define DLT_ERF			197
738 
739 /*
740  * Special header prepended to Ethernet packets when capturing from a
741  * u10 Networks board.  Requested by Phil Mulholland
742  * <phil@u10networks.com>.
743  */
744 #define DLT_RAIF1		198
745 
746 /*
747  * IPMB packet for IPMI, beginning with the I2C slave address, followed
748  * by the netFn and LUN, etc..  Requested by Chanthy Toeung
749  * <chanthy.toeung@ca.kontron.com>.
750  */
751 #define DLT_IPMB		199
752 
753 /*
754  * Juniper-private data link type, as per request from
755  * Hannes Gredler <hannes@juniper.net>.
756  * The DLT_ is used for capturing data on a secure tunnel interface.
757  */
758 #define DLT_JUNIPER_ST          200
759 
760 /*
761  * Bluetooth HCI UART transport layer (part H:4), with pseudo-header
762  * that includes direction information; requested by Paolo Abeni.
763  */
764 #define DLT_BLUETOOTH_HCI_H4_WITH_PHDR	201
765 
766 /*
767  * AX.25 packet with a 1-byte KISS header; see
768  *
769  *      http://www.ax25.net/kiss.htm
770  *
771  * as per Richard Stearn <richard@rns-stearn.demon.co.uk>.
772  */
773 #define DLT_AX25_KISS           202
774 
775 /*
776  * LAPD packets from an ISDN channel, starting with the address field,
777  * with no pseudo-header.
778  * Requested by Varuna De Silva <varunax@gmail.com>.
779  */
780 #define DLT_LAPD                203
781 
782 /*
783  * Variants of various link-layer headers, with a one-byte direction
784  * pseudo-header prepended - zero means "received by this host",
785  * non-zero (any non-zero value) means "sent by this host" - as per
786  * Will Barker <w.barker@zen.co.uk>.
787  */
788 #define DLT_PPP_WITH_DIR        204     /* PPP - don't confuse with DLT_PPP_WITH_DIRECTION */
789 #define DLT_C_HDLC_WITH_DIR     205     /* Cisco HDLC */
790 #define DLT_FRELAY_WITH_DIR     206     /* Frame Relay */
791 #define DLT_LAPB_WITH_DIR       207     /* LAPB */
792 
793 /*
794  * 208 is reserved for an as-yet-unspecified proprietary link-layer
795  * type, as requested by Will Barker.
796  */
797 
798 /*
799  * IPMB with a Linux-specific pseudo-header; as requested by Alexey Neyman
800  * <avn@pigeonpoint.com>.
801  */
802 #define DLT_IPMB_LINUX          209
803 
804 /*
805  * FlexRay automotive bus - http://www.flexray.com/ - as requested
806  * by Hannes Kaelber <hannes.kaelber@x2e.de>.
807  */
808 #define DLT_FLEXRAY             210
809 
810 /*
811  * Media Oriented Systems Transport (MOST) bus for multimedia
812  * transport - http://www.mostcooperation.com/ - as requested
813  * by Hannes Kaelber <hannes.kaelber@x2e.de>.
814  */
815 #define DLT_MOST                211
816 
817 /*
818  * Local Interconnect Network (LIN) bus for vehicle networks -
819  * http://www.lin-subbus.org/ - as requested by Hannes Kaelber
820  * <hannes.kaelber@x2e.de>.
821  */
822 #define DLT_LIN                 212
823 
824 /*
825  * X2E-private data link type used for serial line capture,
826  * as requested by Hannes Kaelber <hannes.kaelber@x2e.de>.
827  */
828 #define DLT_X2E_SERIAL          213
829 
830 /*
831  * X2E-private data link type used for the Xoraya data logger
832  * family, as requested by Hannes Kaelber <hannes.kaelber@x2e.de>.
833  */
834 #define DLT_X2E_XORAYA          214
835 
836 /*
837  * IEEE 802.15.4, exactly as it appears in the spec (no padding, no
838  * nothing), but with the PHY-level data for non-ASK PHYs (4 octets
839  * of 0 as preamble, one octet of SFD, one octet of frame length+
840  * reserved bit, and then the MAC-layer data, starting with the
841  * frame control field).
842  *
843  * Requested by Max Filippov <jcmvbkbc@gmail.com>.
844  */
845 #define DLT_IEEE802_15_4_NONASK_PHY     215
846 
847 /*
848  * David Gibson <david@gibson.dropbear.id.au> requested this for
849  * captures from the Linux kernel /dev/input/eventN devices. This
850  * is used to communicate keystrokes and mouse movements from the
851  * Linux kernel to display systems, such as Xorg.
852  */
853 #define	DLT_LINUX_EVDEV		216
854 
855 /*
856  * GSM Um and Abis interfaces, preceded by a "gsmtap" header.
857  *
858  * Requested by Harald Welte <laforge@gnumonks.org>.
859  */
860 #define	DLT_GSMTAP_UM		217
861 #define	DLT_GSMTAP_ABIS		218
862 
863 /*
864  * MPLS, with an MPLS label as the link-layer header.
865  * Requested by Michele Marchetto <michele@openbsd.org> on behalf
866  * of OpenBSD.
867  */
868 #define	DLT_MPLS		219
869 
870 /*
871  * USB packets, beginning with a Linux USB header, with the USB header
872  * padded to 64 bytes; required for memory-mapped access.
873  */
874 #define	DLT_USB_LINUX_MMAPPED	220
875 
876 /*
877  * DECT packets, with a pseudo-header; requested by
878  * Matthias Wenzel <tcpdump@mazzoo.de>.
879  */
880 #define	DLT_DECT		221
881 /*
882  * From: "Lidwa, Eric (GSFC-582.0)[SGT INC]" <eric.lidwa-1@nasa.gov>
883  * Date: Mon, 11 May 2009 11:18:30 -0500
884  *
885  * DLT_AOS. We need it for AOS Space Data Link Protocol.
886  *   I have already written dissectors for but need an OK from
887  *   legal before I can submit a patch.
888  *
889  */
890 #define	DLT_AOS			222
891 
892 /*
893  * Wireless HART (Highway Addressable Remote Transducer)
894  * From the HART Communication Foundation
895  * IES/PAS 62591
896  *
897  * Requested by Sam Roberts <vieuxtech@gmail.com>.
898  */
899 #define	DLT_WIHART		223
900 
901 /*
902  * Fibre Channel FC-2 frames, beginning with a Frame_Header.
903  * Requested by Kahou Lei <kahou82@gmail.com>.
904  */
905 #define	DLT_FC_2		224
906 
907 /*
908  * Fibre Channel FC-2 frames, beginning with an encoding of the
909  * SOF, and ending with an encoding of the EOF.
910  *
911  * The encodings represent the frame delimiters as 4-byte sequences
912  * representing the corresponding ordered sets, with K28.5
913  * represented as 0xBC, and the D symbols as the corresponding
914  * byte values; for example, SOFi2, which is K28.5 - D21.5 - D1.2 - D21.2,
915  * is represented as 0xBC 0xB5 0x55 0x55.
916  *
917  * Requested by Kahou Lei <kahou82@gmail.com>.
918  */
919 #define	DLT_FC_2_WITH_FRAME_DELIMS	225
920 /*
921  * Solaris ipnet pseudo-header; requested by Darren Reed <Darren.Reed@Sun.COM>.
922  *
923  * The pseudo-header starts with a one-byte version number; for version 2,
924  * the pseudo-header is:
925  *
926  * struct dl_ipnetinfo {
927  *     u_int8_t   dli_version;
928  *     u_int8_t   dli_family;
929  *     u_int16_t  dli_htype;
930  *     u_int32_t  dli_pktlen;
931  *     u_int32_t  dli_ifindex;
932  *     u_int32_t  dli_grifindex;
933  *     u_int32_t  dli_zsrc;
934  *     u_int32_t  dli_zdst;
935  * };
936  *
937  * dli_version is 2 for the current version of the pseudo-header.
938  *
939  * dli_family is a Solaris address family value, so it's 2 for IPv4
940  * and 26 for IPv6.
941  *
942  * dli_htype is a "hook type" - 0 for incoming packets, 1 for outgoing
943  * packets, and 2 for packets arriving from another zone on the same
944  * machine.
945  *
946  * dli_pktlen is the length of the packet data following the pseudo-header
947  * (so the captured length minus dli_pktlen is the length of the
948  * pseudo-header, assuming the entire pseudo-header was captured).
949  *
950  * dli_ifindex is the interface index of the interface on which the
951  * packet arrived.
952  *
953  * dli_grifindex is the group interface index number (for IPMP interfaces).
954  *
955  * dli_zsrc is the zone identifier for the source of the packet.
956  *
957  * dli_zdst is the zone identifier for the destination of the packet.
958  *
959  * A zone number of 0 is the global zone; a zone number of 0xffffffff
960  * means that the packet arrived from another host on the network, not
961  * from another zone on the same machine.
962  *
963  * An IPv4 or IPv6 datagram follows the pseudo-header; dli_family indicates
964  * which of those it is.
965  */
966 #define	DLT_IPNET			226
967 
968 /*
969  * CAN (Controller Area Network) frames, with a pseudo-header as supplied
970  * by Linux SocketCAN.  See Documentation/networking/can.txt in the Linux
971  * source.
972  *
973  * Requested by Felix Obenhuber <felix@obenhuber.de>.
974  */
975 #define	DLT_CAN_SOCKETCAN		227
976 
977 /*
978  * Raw IPv4/IPv6; different from DLT_RAW in that the DLT_ value specifies
979  * whether it's v4 or v6.  Requested by Darren Reed <Darren.Reed@Sun.COM>.
980  */
981 #define	DLT_IPV4			228
982 #define	DLT_IPV6			229
983 
984 /*
985  * DLT and savefile link type values are split into a class and
986  * a member of that class.  A class value of 0 indicates a regular
987  * DLT_/LINKTYPE_ value.
988  */
989 #define DLT_CLASS(x)            ((x) & 0x03ff0000)
990 
991 /*
992  * The instruction encodings.
993  */
994 /* instruction classes */
995 #define BPF_CLASS(code) ((code) & 0x07)
996 #define		BPF_LD		0x00
997 #define		BPF_LDX		0x01
998 #define		BPF_ST		0x02
999 #define		BPF_STX		0x03
1000 #define		BPF_ALU		0x04
1001 #define		BPF_JMP		0x05
1002 #define		BPF_RET		0x06
1003 #define		BPF_MISC	0x07
1004 
1005 /* ld/ldx fields */
1006 #define BPF_SIZE(code)	((code) & 0x18)
1007 #define		BPF_W		0x00
1008 #define		BPF_H		0x08
1009 #define		BPF_B		0x10
1010 #define BPF_MODE(code)	((code) & 0xe0)
1011 #define		BPF_IMM 	0x00
1012 #define		BPF_ABS		0x20
1013 #define		BPF_IND		0x40
1014 #define		BPF_MEM		0x60
1015 #define		BPF_LEN		0x80
1016 #define		BPF_MSH		0xa0
1017 
1018 /* alu/jmp fields */
1019 #define BPF_OP(code)	((code) & 0xf0)
1020 #define		BPF_ADD		0x00
1021 #define		BPF_SUB		0x10
1022 #define		BPF_MUL		0x20
1023 #define		BPF_DIV		0x30
1024 #define		BPF_OR		0x40
1025 #define		BPF_AND		0x50
1026 #define		BPF_LSH		0x60
1027 #define		BPF_RSH		0x70
1028 #define		BPF_NEG		0x80
1029 #define		BPF_JA		0x00
1030 #define		BPF_JEQ		0x10
1031 #define		BPF_JGT		0x20
1032 #define		BPF_JGE		0x30
1033 #define		BPF_JSET	0x40
1034 #define BPF_SRC(code)	((code) & 0x08)
1035 #define		BPF_K		0x00
1036 #define		BPF_X		0x08
1037 
1038 /* ret - BPF_K and BPF_X also apply */
1039 #define BPF_RVAL(code)	((code) & 0x18)
1040 #define		BPF_A		0x10
1041 
1042 /* misc */
1043 #define BPF_MISCOP(code) ((code) & 0xf8)
1044 #define		BPF_TAX		0x00
1045 #define		BPF_TXA		0x80
1046 
1047 /*
1048  * The instruction data structure.
1049  */
1050 struct bpf_insn {
1051 	u_short		code;
1052 	u_char		jt;
1053 	u_char		jf;
1054 	bpf_u_int32	k;
1055 };
1056 
1057 /*
1058  * Macros for insn array initializers.
1059  */
1060 #define BPF_STMT(code, k) { (u_short)(code), 0, 0, k }
1061 #define BPF_JUMP(code, k, jt, jf) { (u_short)(code), jt, jf, k }
1062 
1063 /*
1064  * Structure to retrieve available DLTs for the interface.
1065  */
1066 struct bpf_dltlist {
1067 	u_int	bfl_len;	/* number of bfd_list array */
1068 	u_int	*bfl_list;	/* array of DLTs */
1069 };
1070 
1071 #ifdef _KERNEL
1072 #ifdef MALLOC_DECLARE
1073 MALLOC_DECLARE(M_BPF);
1074 #endif
1075 #ifdef SYSCTL_DECL
1076 SYSCTL_DECL(_net_bpf);
1077 #endif
1078 
1079 /*
1080  * Rotate the packet buffers in descriptor d.  Move the store buffer into the
1081  * hold slot, and the free buffer ino the store slot.  Zero the length of the
1082  * new store buffer.  Descriptor lock should be held.
1083  */
1084 #define	ROTATE_BUFFERS(d)	do {					\
1085 	(d)->bd_hbuf = (d)->bd_sbuf;					\
1086 	(d)->bd_hlen = (d)->bd_slen;					\
1087 	(d)->bd_sbuf = (d)->bd_fbuf;					\
1088 	(d)->bd_slen = 0;						\
1089 	(d)->bd_fbuf = NULL;						\
1090 	bpf_bufheld(d);							\
1091 } while (0)
1092 
1093 /*
1094  * Descriptor associated with each attached hardware interface.
1095  */
1096 struct bpf_if {
1097 	LIST_ENTRY(bpf_if)	bif_next;	/* list of all interfaces */
1098 	LIST_HEAD(, bpf_d)	bif_dlist;	/* descriptor list */
1099 	u_int bif_dlt;				/* link layer type */
1100 	u_int bif_hdrlen;		/* length of link header */
1101 	struct ifnet *bif_ifp;		/* corresponding interface */
1102 	struct mtx	bif_mtx;	/* mutex for interface */
1103 };
1104 
1105 void	 bpf_bufheld(struct bpf_d *d);
1106 int	 bpf_validate(const struct bpf_insn *, int);
1107 void	 bpf_tap(struct bpf_if *, u_char *, u_int);
1108 void	 bpf_mtap(struct bpf_if *, struct mbuf *);
1109 void	 bpf_mtap2(struct bpf_if *, void *, u_int, struct mbuf *);
1110 void	 bpfattach(struct ifnet *, u_int, u_int);
1111 void	 bpfattach2(struct ifnet *, u_int, u_int, struct bpf_if **);
1112 void	 bpfdetach(struct ifnet *);
1113 
1114 void	 bpfilterattach(int);
1115 u_int	 bpf_filter(const struct bpf_insn *, u_char *, u_int, u_int);
1116 
1117 static __inline int
1118 bpf_peers_present(struct bpf_if *bpf)
1119 {
1120 
1121 	if (!LIST_EMPTY(&bpf->bif_dlist))
1122 		return (1);
1123 	return (0);
1124 }
1125 
1126 #define	BPF_TAP(_ifp,_pkt,_pktlen) do {				\
1127 	if (bpf_peers_present((_ifp)->if_bpf))			\
1128 		bpf_tap((_ifp)->if_bpf, (_pkt), (_pktlen));	\
1129 } while (0)
1130 #define	BPF_MTAP(_ifp,_m) do {					\
1131 	if (bpf_peers_present((_ifp)->if_bpf)) {		\
1132 		M_ASSERTVALID(_m);				\
1133 		bpf_mtap((_ifp)->if_bpf, (_m));			\
1134 	}							\
1135 } while (0)
1136 #define	BPF_MTAP2(_ifp,_data,_dlen,_m) do {			\
1137 	if (bpf_peers_present((_ifp)->if_bpf)) {		\
1138 		M_ASSERTVALID(_m);				\
1139 		bpf_mtap2((_ifp)->if_bpf,(_data),(_dlen),(_m));	\
1140 	}							\
1141 } while (0)
1142 #endif
1143 
1144 /*
1145  * Number of scratch memory words (for BPF_LD|BPF_MEM and BPF_ST).
1146  */
1147 #define BPF_MEMWORDS 16
1148 
1149 #endif /* _NET_BPF_H_ */
1150