xref: /freebsd/sys/net/bpf.h (revision b9c36cc755002809a7d7c7109e3425fdfca036d2)
1 /*-
2  * Copyright (c) 1990, 1991, 1993
3  *	The Regents of the University of California.  All rights reserved.
4  *
5  * This code is derived from the Stanford/CMU enet packet filter,
6  * (net/enet.c) distributed as part of 4.3BSD, and code contributed
7  * to Berkeley by Steven McCanne and Van Jacobson both of Lawrence
8  * Berkeley Laboratory.
9  *
10  * Redistribution and use in source and binary forms, with or without
11  * modification, are permitted provided that the following conditions
12  * are met:
13  * 1. Redistributions of source code must retain the above copyright
14  *    notice, this list of conditions and the following disclaimer.
15  * 2. Redistributions in binary form must reproduce the above copyright
16  *    notice, this list of conditions and the following disclaimer in the
17  *    documentation and/or other materials provided with the distribution.
18  * 4. Neither the name of the University nor the names of its contributors
19  *    may be used to endorse or promote products derived from this software
20  *    without specific prior written permission.
21  *
22  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
23  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
26  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32  * SUCH DAMAGE.
33  *
34  *      @(#)bpf.h	8.1 (Berkeley) 6/10/93
35  *	@(#)bpf.h	1.34 (LBL)     6/16/96
36  *
37  * $FreeBSD$
38  */
39 
40 #ifndef _NET_BPF_H_
41 #define _NET_BPF_H_
42 
43 /* BSD style release date */
44 #define	BPF_RELEASE 199606
45 
46 typedef	int32_t	  bpf_int32;
47 typedef	u_int32_t bpf_u_int32;
48 typedef	int64_t	  bpf_int64;
49 typedef	u_int64_t bpf_u_int64;
50 
51 /*
52  * Alignment macros.  BPF_WORDALIGN rounds up to the next
53  * even multiple of BPF_ALIGNMENT.
54  */
55 #define BPF_ALIGNMENT sizeof(long)
56 #define BPF_WORDALIGN(x) (((x)+(BPF_ALIGNMENT-1))&~(BPF_ALIGNMENT-1))
57 
58 #define BPF_MAXINSNS 512
59 #define BPF_MAXBUFSIZE 0x80000
60 #define BPF_MINBUFSIZE 32
61 
62 /*
63  *  Structure for BIOCSETF.
64  */
65 struct bpf_program {
66 	u_int bf_len;
67 	struct bpf_insn *bf_insns;
68 };
69 
70 /*
71  * Struct returned by BIOCGSTATS.
72  */
73 struct bpf_stat {
74 	u_int bs_recv;		/* number of packets received */
75 	u_int bs_drop;		/* number of packets dropped */
76 };
77 
78 /*
79  * Struct return by BIOCVERSION.  This represents the version number of
80  * the filter language described by the instruction encodings below.
81  * bpf understands a program iff kernel_major == filter_major &&
82  * kernel_minor >= filter_minor, that is, if the value returned by the
83  * running kernel has the same major number and a minor number equal
84  * equal to or less than the filter being downloaded.  Otherwise, the
85  * results are undefined, meaning an error may be returned or packets
86  * may be accepted haphazardly.
87  * It has nothing to do with the source code version.
88  */
89 struct bpf_version {
90 	u_short bv_major;
91 	u_short bv_minor;
92 };
93 /* Current version number of filter architecture. */
94 #define BPF_MAJOR_VERSION 1
95 #define BPF_MINOR_VERSION 1
96 
97 /*
98  * Historically, BPF has supported a single buffering model, first using mbuf
99  * clusters in kernel, and later using malloc(9) buffers in kernel.  We now
100  * support multiple buffering modes, which may be queried and set using
101  * BIOCGETBUFMODE and BIOCSETBUFMODE.  So as to avoid handling the complexity
102  * of changing modes while sniffing packets, the mode becomes fixed once an
103  * interface has been attached to the BPF descriptor.
104  */
105 #define	BPF_BUFMODE_BUFFER	1	/* Kernel buffers with read(). */
106 #define	BPF_BUFMODE_ZBUF	2	/* Zero-copy buffers. */
107 
108 /*-
109  * Struct used by BIOCSETZBUF, BIOCROTZBUF: describes up to two zero-copy
110  * buffer as used by BPF.
111  */
112 struct bpf_zbuf {
113 	void	*bz_bufa;	/* Location of 'a' zero-copy buffer. */
114 	void	*bz_bufb;	/* Location of 'b' zero-copy buffer. */
115 	size_t	 bz_buflen;	/* Size of zero-copy buffers. */
116 };
117 
118 #define	BIOCGBLEN	_IOR('B', 102, u_int)
119 #define	BIOCSBLEN	_IOWR('B', 102, u_int)
120 #define	BIOCSETF	_IOW('B', 103, struct bpf_program)
121 #define	BIOCFLUSH	_IO('B', 104)
122 #define	BIOCPROMISC	_IO('B', 105)
123 #define	BIOCGDLT	_IOR('B', 106, u_int)
124 #define	BIOCGETIF	_IOR('B', 107, struct ifreq)
125 #define	BIOCSETIF	_IOW('B', 108, struct ifreq)
126 #define	BIOCSRTIMEOUT	_IOW('B', 109, struct timeval)
127 #define	BIOCGRTIMEOUT	_IOR('B', 110, struct timeval)
128 #define	BIOCGSTATS	_IOR('B', 111, struct bpf_stat)
129 #define	BIOCIMMEDIATE	_IOW('B', 112, u_int)
130 #define	BIOCVERSION	_IOR('B', 113, struct bpf_version)
131 #define	BIOCGRSIG	_IOR('B', 114, u_int)
132 #define	BIOCSRSIG	_IOW('B', 115, u_int)
133 #define	BIOCGHDRCMPLT	_IOR('B', 116, u_int)
134 #define	BIOCSHDRCMPLT	_IOW('B', 117, u_int)
135 #define	BIOCGDIRECTION	_IOR('B', 118, u_int)
136 #define	BIOCSDIRECTION	_IOW('B', 119, u_int)
137 #define	BIOCSDLT	_IOW('B', 120, u_int)
138 #define	BIOCGDLTLIST	_IOWR('B', 121, struct bpf_dltlist)
139 #define	BIOCLOCK	_IO('B', 122)
140 #define	BIOCSETWF	_IOW('B', 123, struct bpf_program)
141 #define	BIOCFEEDBACK	_IOW('B', 124, u_int)
142 #define	BIOCGETBUFMODE	_IOR('B', 125, u_int)
143 #define	BIOCSETBUFMODE	_IOW('B', 126, u_int)
144 #define	BIOCGETZMAX	_IOR('B', 127, size_t)
145 #define	BIOCROTZBUF	_IOR('B', 128, struct bpf_zbuf)
146 #define	BIOCSETZBUF	_IOW('B', 129, struct bpf_zbuf)
147 #define	BIOCSETFNR	_IOW('B', 130, struct bpf_program)
148 #define	BIOCGTSTAMP	_IOR('B', 131, u_int)
149 #define	BIOCSTSTAMP	_IOW('B', 132, u_int)
150 
151 /* Obsolete */
152 #define	BIOCGSEESENT	BIOCGDIRECTION
153 #define	BIOCSSEESENT	BIOCSDIRECTION
154 
155 /* Packet directions */
156 enum bpf_direction {
157 	BPF_D_IN,	/* See incoming packets */
158 	BPF_D_INOUT,	/* See incoming and outgoing packets */
159 	BPF_D_OUT	/* See outgoing packets */
160 };
161 
162 /* Time stamping functions */
163 #define	BPF_T_MICROTIME		0x0000
164 #define	BPF_T_NANOTIME		0x0001
165 #define	BPF_T_BINTIME		0x0002
166 #define	BPF_T_NONE		0x0003
167 #define	BPF_T_FORMAT_MASK	0x0003
168 #define	BPF_T_NORMAL		0x0000
169 #define	BPF_T_FAST		0x0100
170 #define	BPF_T_MONOTONIC		0x0200
171 #define	BPF_T_MONOTONIC_FAST	(BPF_T_FAST | BPF_T_MONOTONIC)
172 #define	BPF_T_FLAG_MASK		0x0300
173 #define	BPF_T_FORMAT(t)		((t) & BPF_T_FORMAT_MASK)
174 #define	BPF_T_FLAG(t)		((t) & BPF_T_FLAG_MASK)
175 #define	BPF_T_VALID(t)						\
176     ((t) == BPF_T_NONE || (BPF_T_FORMAT(t) != BPF_T_NONE &&	\
177     ((t) & ~(BPF_T_FORMAT_MASK | BPF_T_FLAG_MASK)) == 0))
178 
179 #define	BPF_T_MICROTIME_FAST		(BPF_T_MICROTIME | BPF_T_FAST)
180 #define	BPF_T_NANOTIME_FAST		(BPF_T_NANOTIME | BPF_T_FAST)
181 #define	BPF_T_BINTIME_FAST		(BPF_T_BINTIME | BPF_T_FAST)
182 #define	BPF_T_MICROTIME_MONOTONIC	(BPF_T_MICROTIME | BPF_T_MONOTONIC)
183 #define	BPF_T_NANOTIME_MONOTONIC	(BPF_T_NANOTIME | BPF_T_MONOTONIC)
184 #define	BPF_T_BINTIME_MONOTONIC		(BPF_T_BINTIME | BPF_T_MONOTONIC)
185 #define	BPF_T_MICROTIME_MONOTONIC_FAST	(BPF_T_MICROTIME | BPF_T_MONOTONIC_FAST)
186 #define	BPF_T_NANOTIME_MONOTONIC_FAST	(BPF_T_NANOTIME | BPF_T_MONOTONIC_FAST)
187 #define	BPF_T_BINTIME_MONOTONIC_FAST	(BPF_T_BINTIME | BPF_T_MONOTONIC_FAST)
188 
189 /*
190  * Structure prepended to each packet.
191  */
192 struct bpf_ts {
193 	bpf_int64	bt_sec;		/* seconds */
194 	bpf_u_int64	bt_frac;	/* fraction */
195 };
196 struct bpf_xhdr {
197 	struct bpf_ts	bh_tstamp;	/* time stamp */
198 	bpf_u_int32	bh_caplen;	/* length of captured portion */
199 	bpf_u_int32	bh_datalen;	/* original length of packet */
200 	u_short		bh_hdrlen;	/* length of bpf header (this struct
201 					   plus alignment padding) */
202 };
203 /* Obsolete */
204 struct bpf_hdr {
205 	struct timeval	bh_tstamp;	/* time stamp */
206 	bpf_u_int32	bh_caplen;	/* length of captured portion */
207 	bpf_u_int32	bh_datalen;	/* original length of packet */
208 	u_short		bh_hdrlen;	/* length of bpf header (this struct
209 					   plus alignment padding) */
210 };
211 #ifdef _KERNEL
212 #define	MTAG_BPF		0x627066
213 #define	MTAG_BPF_TIMESTAMP	0
214 #endif
215 
216 /*
217  * When using zero-copy BPF buffers, a shared memory header is present
218  * allowing the kernel BPF implementation and user process to synchronize
219  * without using system calls.  This structure defines that header.  When
220  * accessing these fields, appropriate atomic operation and memory barriers
221  * are required in order not to see stale or out-of-order data; see bpf(4)
222  * for reference code to access these fields from userspace.
223  *
224  * The layout of this structure is critical, and must not be changed; if must
225  * fit in a single page on all architectures.
226  */
227 struct bpf_zbuf_header {
228 	volatile u_int	bzh_kernel_gen;	/* Kernel generation number. */
229 	volatile u_int	bzh_kernel_len;	/* Length of data in the buffer. */
230 	volatile u_int	bzh_user_gen;	/* User generation number. */
231 	u_int _bzh_pad[5];
232 };
233 
234 /*
235  * Data-link level type codes.
236  */
237 #define DLT_NULL	0	/* BSD loopback encapsulation */
238 #define DLT_EN10MB	1	/* Ethernet (10Mb) */
239 #define DLT_EN3MB	2	/* Experimental Ethernet (3Mb) */
240 #define DLT_AX25	3	/* Amateur Radio AX.25 */
241 #define DLT_PRONET	4	/* Proteon ProNET Token Ring */
242 #define DLT_CHAOS	5	/* Chaos */
243 #define DLT_IEEE802	6	/* IEEE 802 Networks */
244 #define DLT_ARCNET	7	/* ARCNET */
245 #define DLT_SLIP	8	/* Serial Line IP */
246 #define DLT_PPP		9	/* Point-to-point Protocol */
247 #define DLT_FDDI	10	/* FDDI */
248 #define DLT_ATM_RFC1483	11	/* LLC/SNAP encapsulated atm */
249 #define DLT_RAW		12	/* raw IP */
250 
251 /*
252  * These are values from BSD/OS's "bpf.h".
253  * These are not the same as the values from the traditional libpcap
254  * "bpf.h"; however, these values shouldn't be generated by any
255  * OS other than BSD/OS, so the correct values to use here are the
256  * BSD/OS values.
257  *
258  * Platforms that have already assigned these values to other
259  * DLT_ codes, however, should give these codes the values
260  * from that platform, so that programs that use these codes will
261  * continue to compile - even though they won't correctly read
262  * files of these types.
263  */
264 #define DLT_SLIP_BSDOS	15	/* BSD/OS Serial Line IP */
265 #define DLT_PPP_BSDOS	16	/* BSD/OS Point-to-point Protocol */
266 
267 #define DLT_ATM_CLIP	19	/* Linux Classical-IP over ATM */
268 
269 /*
270  * These values are defined by NetBSD; other platforms should refrain from
271  * using them for other purposes, so that NetBSD savefiles with link
272  * types of 50 or 51 can be read as this type on all platforms.
273  */
274 #define DLT_PPP_SERIAL	50	/* PPP over serial with HDLC encapsulation */
275 #define DLT_PPP_ETHER	51	/* PPP over Ethernet */
276 
277 /*
278  * Reserved for the Symantec Enterprise Firewall.
279  */
280 #define DLT_SYMANTEC_FIREWALL	99
281 
282 /*
283  * Values between 100 and 103 are used in capture file headers as
284  * link-layer header type LINKTYPE_ values corresponding to DLT_ types
285  * that differ between platforms; don't use those values for new DLT_
286  * new types.
287  */
288 
289 /*
290  * Values starting with 104 are used for newly-assigned link-layer
291  * header type values; for those link-layer header types, the DLT_
292  * value returned by pcap_datalink() and passed to pcap_open_dead(),
293  * and the LINKTYPE_ value that appears in capture files, are the
294  * same.
295  *
296  * DLT_MATCHING_MIN is the lowest such value; DLT_MATCHING_MAX is
297  * the highest such value.
298  */
299 #define DLT_MATCHING_MIN	104
300 
301 /*
302  * This value was defined by libpcap 0.5; platforms that have defined
303  * it with a different value should define it here with that value -
304  * a link type of 104 in a save file will be mapped to DLT_C_HDLC,
305  * whatever value that happens to be, so programs will correctly
306  * handle files with that link type regardless of the value of
307  * DLT_C_HDLC.
308  *
309  * The name DLT_C_HDLC was used by BSD/OS; we use that name for source
310  * compatibility with programs written for BSD/OS.
311  *
312  * libpcap 0.5 defined it as DLT_CHDLC; we define DLT_CHDLC as well,
313  * for source compatibility with programs written for libpcap 0.5.
314  */
315 #define DLT_C_HDLC	104	/* Cisco HDLC */
316 #define DLT_CHDLC	DLT_C_HDLC
317 
318 #define DLT_IEEE802_11	105	/* IEEE 802.11 wireless */
319 
320 /*
321  * Values between 106 and 107 are used in capture file headers as
322  * link-layer types corresponding to DLT_ types that might differ
323  * between platforms; don't use those values for new DLT_ new types.
324  */
325 
326 /*
327  * Frame Relay; BSD/OS has a DLT_FR with a value of 11, but that collides
328  * with other values.
329  * DLT_FR and DLT_FRELAY packets start with the Q.922 Frame Relay header
330  * (DLCI, etc.).
331  */
332 #define DLT_FRELAY	107
333 
334 /*
335  * OpenBSD DLT_LOOP, for loopback devices; it's like DLT_NULL, except
336  * that the AF_ type in the link-layer header is in network byte order.
337  *
338  * OpenBSD defines it as 12, but that collides with DLT_RAW, so we
339  * define it as 108 here.  If OpenBSD picks up this file, it should
340  * define DLT_LOOP as 12 in its version, as per the comment above -
341  * and should not use 108 as a DLT_ value.
342  */
343 #define DLT_LOOP	108
344 
345 /*
346  * Values between 109 and 112 are used in capture file headers as
347  * link-layer types corresponding to DLT_ types that might differ
348  * between platforms; don't use those values for new DLT_ new types.
349  */
350 
351 /*
352  * Encapsulated packets for IPsec; DLT_ENC is 13 in OpenBSD, but that's
353  * DLT_SLIP_BSDOS in NetBSD, so we don't use 13 for it in OSes other
354  * than OpenBSD.
355  */
356 #define DLT_ENC	109
357 
358 /*
359  * This is for Linux cooked sockets.
360  */
361 #define DLT_LINUX_SLL	113
362 
363 /*
364  * Apple LocalTalk hardware.
365  */
366 #define DLT_LTALK	114
367 
368 /*
369  * Acorn Econet.
370  */
371 #define DLT_ECONET	115
372 
373 /*
374  * Reserved for use with OpenBSD ipfilter.
375  */
376 #define DLT_IPFILTER	116
377 
378 /*
379  * Reserved for use in capture-file headers as a link-layer type
380  * corresponding to OpenBSD DLT_PFLOG; DLT_PFLOG is 17 in OpenBSD,
381  * but that's DLT_LANE8023 in SuSE 6.3, so we can't use 17 for it
382  * in capture-file headers.
383  */
384 #define DLT_PFLOG	117
385 
386 /*
387  * Registered for Cisco-internal use.
388  */
389 #define DLT_CISCO_IOS	118
390 
391 /*
392  * Reserved for 802.11 cards using the Prism II chips, with a link-layer
393  * header including Prism monitor mode information plus an 802.11
394  * header.
395  */
396 #define DLT_PRISM_HEADER	119
397 
398 /*
399  * Reserved for Aironet 802.11 cards, with an Aironet link-layer header
400  * (see Doug Ambrisko's FreeBSD patches).
401  */
402 #define DLT_AIRONET_HEADER	120
403 
404 /*
405  * Reserved for use by OpenBSD's pfsync device.
406  */
407 #define DLT_PFSYNC	121
408 
409 /*
410  * Reserved for Siemens HiPath HDLC. XXX
411  */
412 #define DLT_HHDLC	121
413 
414 /*
415  * Reserved for RFC 2625 IP-over-Fibre Channel.
416  */
417 #define DLT_IP_OVER_FC	122
418 
419 /*
420  * Reserved for Full Frontal ATM on Solaris.
421  */
422 #define DLT_SUNATM	123
423 
424 /*
425  * Reserved as per request from Kent Dahlgren <kent@praesum.com>
426  * for private use.
427  */
428 #define DLT_RIO		124	/* RapidIO */
429 #define DLT_PCI_EXP	125	/* PCI Express */
430 #define DLT_AURORA	126	/* Xilinx Aurora link layer */
431 
432 /*
433  * BSD header for 802.11 plus a number of bits of link-layer information
434  * including radio information.
435  */
436 #ifndef DLT_IEEE802_11_RADIO
437 #define DLT_IEEE802_11_RADIO	127
438 #endif
439 
440 /*
441  * Reserved for TZSP encapsulation.
442  */
443 #define DLT_TZSP		128	/* Tazmen Sniffer Protocol */
444 
445 /*
446  * Reserved for Linux ARCNET.
447  */
448 #define DLT_ARCNET_LINUX	129
449 
450 /*
451  * Juniper-private data link types.
452  */
453 #define DLT_JUNIPER_MLPPP	130
454 #define DLT_JUNIPER_MLFR	131
455 #define DLT_JUNIPER_ES		132
456 #define DLT_JUNIPER_GGSN	133
457 #define DLT_JUNIPER_MFR		134
458 #define DLT_JUNIPER_ATM2	135
459 #define DLT_JUNIPER_SERVICES	136
460 #define DLT_JUNIPER_ATM1	137
461 
462 /*
463  * Apple IP-over-IEEE 1394, as per a request from Dieter Siegmund
464  * <dieter@apple.com>.  The header that's presented is an Ethernet-like
465  * header:
466  *
467  *	#define FIREWIRE_EUI64_LEN	8
468  *	struct firewire_header {
469  *		u_char  firewire_dhost[FIREWIRE_EUI64_LEN];
470  *		u_char  firewire_shost[FIREWIRE_EUI64_LEN];
471  *		u_short firewire_type;
472  *	};
473  *
474  * with "firewire_type" being an Ethernet type value, rather than,
475  * for example, raw GASP frames being handed up.
476  */
477 #define DLT_APPLE_IP_OVER_IEEE1394	138
478 
479 /*
480  * Various SS7 encapsulations, as per a request from Jeff Morriss
481  * <jeff.morriss[AT]ulticom.com> and subsequent discussions.
482  */
483 #define DLT_MTP2_WITH_PHDR	139	/* pseudo-header with various info, followed by MTP2 */
484 #define DLT_MTP2		140	/* MTP2, without pseudo-header */
485 #define DLT_MTP3		141	/* MTP3, without pseudo-header or MTP2 */
486 #define DLT_SCCP		142	/* SCCP, without pseudo-header or MTP2 or MTP3 */
487 
488 /*
489  * Reserved for DOCSIS.
490  */
491 #define DLT_DOCSIS	143
492 
493 /*
494  * Reserved for Linux IrDA.
495  */
496 #define DLT_LINUX_IRDA	144
497 
498 /*
499  * Reserved for IBM SP switch and IBM Next Federation switch.
500  */
501 #define DLT_IBM_SP	145
502 #define DLT_IBM_SN	146
503 
504 /*
505  * Reserved for private use.  If you have some link-layer header type
506  * that you want to use within your organization, with the capture files
507  * using that link-layer header type not ever be sent outside your
508  * organization, you can use these values.
509  *
510  * No libpcap release will use these for any purpose, nor will any
511  * tcpdump release use them, either.
512  *
513  * Do *NOT* use these in capture files that you expect anybody not using
514  * your private versions of capture-file-reading tools to read; in
515  * particular, do *NOT* use them in products, otherwise you may find that
516  * people won't be able to use tcpdump, or snort, or Ethereal, or... to
517  * read capture files from your firewall/intrusion detection/traffic
518  * monitoring/etc. appliance, or whatever product uses that DLT_ value,
519  * and you may also find that the developers of those applications will
520  * not accept patches to let them read those files.
521  *
522  * Also, do not use them if somebody might send you a capture using them
523  * for *their* private type and tools using them for *your* private type
524  * would have to read them.
525  *
526  * Instead, ask "tcpdump-workers@tcpdump.org" for a new DLT_ value,
527  * as per the comment above, and use the type you're given.
528  */
529 #define DLT_USER0		147
530 #define DLT_USER1		148
531 #define DLT_USER2		149
532 #define DLT_USER3		150
533 #define DLT_USER4		151
534 #define DLT_USER5		152
535 #define DLT_USER6		153
536 #define DLT_USER7		154
537 #define DLT_USER8		155
538 #define DLT_USER9		156
539 #define DLT_USER10		157
540 #define DLT_USER11		158
541 #define DLT_USER12		159
542 #define DLT_USER13		160
543 #define DLT_USER14		161
544 #define DLT_USER15		162
545 
546 /*
547  * For future use with 802.11 captures - defined by AbsoluteValue
548  * Systems to store a number of bits of link-layer information
549  * including radio information:
550  *
551  *	http://www.shaftnet.org/~pizza/software/capturefrm.txt
552  *
553  * but it might be used by some non-AVS drivers now or in the
554  * future.
555  */
556 #define DLT_IEEE802_11_RADIO_AVS 163	/* 802.11 plus AVS radio header */
557 
558 /*
559  * Juniper-private data link type, as per request from
560  * Hannes Gredler <hannes@juniper.net>.  The DLT_s are used
561  * for passing on chassis-internal metainformation such as
562  * QOS profiles, etc..
563  */
564 #define DLT_JUNIPER_MONITOR     164
565 
566 /*
567  * Reserved for BACnet MS/TP.
568  */
569 #define DLT_BACNET_MS_TP	165
570 
571 /*
572  * Another PPP variant as per request from Karsten Keil <kkeil@suse.de>.
573  *
574  * This is used in some OSes to allow a kernel socket filter to distinguish
575  * between incoming and outgoing packets, on a socket intended to
576  * supply pppd with outgoing packets so it can do dial-on-demand and
577  * hangup-on-lack-of-demand; incoming packets are filtered out so they
578  * don't cause pppd to hold the connection up (you don't want random
579  * input packets such as port scans, packets from old lost connections,
580  * etc. to force the connection to stay up).
581  *
582  * The first byte of the PPP header (0xff03) is modified to accommodate
583  * the direction - 0x00 = IN, 0x01 = OUT.
584  */
585 #define DLT_PPP_PPPD		166
586 
587 /*
588  * Names for backwards compatibility with older versions of some PPP
589  * software; new software should use DLT_PPP_PPPD.
590  */
591 #define DLT_PPP_WITH_DIRECTION	DLT_PPP_PPPD
592 #define DLT_LINUX_PPP_WITHDIRECTION	DLT_PPP_PPPD
593 
594 /*
595  * Juniper-private data link type, as per request from
596  * Hannes Gredler <hannes@juniper.net>.  The DLT_s are used
597  * for passing on chassis-internal metainformation such as
598  * QOS profiles, cookies, etc..
599  */
600 #define DLT_JUNIPER_PPPOE       167
601 #define DLT_JUNIPER_PPPOE_ATM   168
602 
603 #define DLT_GPRS_LLC		169	/* GPRS LLC */
604 #define DLT_GPF_T		170	/* GPF-T (ITU-T G.7041/Y.1303) */
605 #define DLT_GPF_F		171	/* GPF-F (ITU-T G.7041/Y.1303) */
606 
607 /*
608  * Requested by Oolan Zimmer <oz@gcom.com> for use in Gcom's T1/E1 line
609  * monitoring equipment.
610  */
611 #define DLT_GCOM_T1E1		172
612 #define DLT_GCOM_SERIAL		173
613 
614 /*
615  * Juniper-private data link type, as per request from
616  * Hannes Gredler <hannes@juniper.net>.  The DLT_ is used
617  * for internal communication to Physical Interface Cards (PIC)
618  */
619 #define DLT_JUNIPER_PIC_PEER    174
620 
621 /*
622  * Link types requested by Gregor Maier <gregor@endace.com> of Endace
623  * Measurement Systems.  They add an ERF header (see
624  * http://www.endace.com/support/EndaceRecordFormat.pdf) in front of
625  * the link-layer header.
626  */
627 #define DLT_ERF_ETH		175	/* Ethernet */
628 #define DLT_ERF_POS		176	/* Packet-over-SONET */
629 
630 /*
631  * Requested by Daniele Orlandi <daniele@orlandi.com> for raw LAPD
632  * for vISDN (http://www.orlandi.com/visdn/).  Its link-layer header
633  * includes additional information before the LAPD header, so it's
634  * not necessarily a generic LAPD header.
635  */
636 #define DLT_LINUX_LAPD		177
637 
638 /*
639  * Juniper-private data link type, as per request from
640  * Hannes Gredler <hannes@juniper.net>.
641  * The DLT_ are used for prepending meta-information
642  * like interface index, interface name
643  * before standard Ethernet, PPP, Frelay & C-HDLC Frames
644  */
645 #define DLT_JUNIPER_ETHER       178
646 #define DLT_JUNIPER_PPP         179
647 #define DLT_JUNIPER_FRELAY      180
648 #define DLT_JUNIPER_CHDLC       181
649 
650 /*
651  * Multi Link Frame Relay (FRF.16)
652  */
653 #define DLT_MFR                 182
654 
655 /*
656  * Juniper-private data link type, as per request from
657  * Hannes Gredler <hannes@juniper.net>.
658  * The DLT_ is used for internal communication with a
659  * voice Adapter Card (PIC)
660  */
661 #define DLT_JUNIPER_VP          183
662 
663 /*
664  * Arinc 429 frames.
665  * DLT_ requested by Gianluca Varenni <gianluca.varenni@cacetech.com>.
666  * Every frame contains a 32bit A429 label.
667  * More documentation on Arinc 429 can be found at
668  * http://www.condoreng.com/support/downloads/tutorials/ARINCTutorial.pdf
669  */
670 #define DLT_A429                184
671 
672 /*
673  * Arinc 653 Interpartition Communication messages.
674  * DLT_ requested by Gianluca Varenni <gianluca.varenni@cacetech.com>.
675  * Please refer to the A653-1 standard for more information.
676  */
677 #define DLT_A653_ICM            185
678 
679 /*
680  * USB packets, beginning with a USB setup header; requested by
681  * Paolo Abeni <paolo.abeni@email.it>.
682  */
683 #define DLT_USB			186
684 
685 /*
686  * Bluetooth HCI UART transport layer (part H:4); requested by
687  * Paolo Abeni.
688  */
689 #define DLT_BLUETOOTH_HCI_H4	187
690 
691 /*
692  * IEEE 802.16 MAC Common Part Sublayer; requested by Maria Cruz
693  * <cruz_petagay@bah.com>.
694  */
695 #define DLT_IEEE802_16_MAC_CPS	188
696 
697 /*
698  * USB packets, beginning with a Linux USB header; requested by
699  * Paolo Abeni <paolo.abeni@email.it>.
700  */
701 #define DLT_USB_LINUX		189
702 
703 /*
704  * Controller Area Network (CAN) v. 2.0B packets.
705  * DLT_ requested by Gianluca Varenni <gianluca.varenni@cacetech.com>.
706  * Used to dump CAN packets coming from a CAN Vector board.
707  * More documentation on the CAN v2.0B frames can be found at
708  * http://www.can-cia.org/downloads/?269
709  */
710 #define DLT_CAN20B              190
711 
712 /*
713  * IEEE 802.15.4, with address fields padded, as is done by Linux
714  * drivers; requested by Juergen Schimmer.
715  */
716 #define DLT_IEEE802_15_4_LINUX	191
717 
718 /*
719  * Per Packet Information encapsulated packets.
720  * DLT_ requested by Gianluca Varenni <gianluca.varenni@cacetech.com>.
721  */
722 #define DLT_PPI			192
723 
724 /*
725  * Header for 802.16 MAC Common Part Sublayer plus a radiotap radio header;
726  * requested by Charles Clancy.
727  */
728 #define DLT_IEEE802_16_MAC_CPS_RADIO	193
729 
730 /*
731  * Juniper-private data link type, as per request from
732  * Hannes Gredler <hannes@juniper.net>.
733  * The DLT_ is used for internal communication with a
734  * integrated service module (ISM).
735  */
736 #define DLT_JUNIPER_ISM         194
737 
738 /*
739  * IEEE 802.15.4, exactly as it appears in the spec (no padding, no
740  * nothing); requested by Mikko Saarnivala <mikko.saarnivala@sensinode.com>.
741  */
742 #define DLT_IEEE802_15_4	195
743 
744 /*
745  * Various link-layer types, with a pseudo-header, for SITA
746  * (http://www.sita.aero/); requested by Fulko Hew (fulko.hew@gmail.com).
747  */
748 #define DLT_SITA		196
749 
750 /*
751  * Various link-layer types, with a pseudo-header, for Endace DAG cards;
752  * encapsulates Endace ERF records.  Requested by Stephen Donnelly
753  * <stephen@endace.com>.
754  */
755 #define DLT_ERF			197
756 
757 /*
758  * Special header prepended to Ethernet packets when capturing from a
759  * u10 Networks board.  Requested by Phil Mulholland
760  * <phil@u10networks.com>.
761  */
762 #define DLT_RAIF1		198
763 
764 /*
765  * IPMB packet for IPMI, beginning with the I2C slave address, followed
766  * by the netFn and LUN, etc..  Requested by Chanthy Toeung
767  * <chanthy.toeung@ca.kontron.com>.
768  */
769 #define DLT_IPMB		199
770 
771 /*
772  * Juniper-private data link type, as per request from
773  * Hannes Gredler <hannes@juniper.net>.
774  * The DLT_ is used for capturing data on a secure tunnel interface.
775  */
776 #define DLT_JUNIPER_ST          200
777 
778 /*
779  * Bluetooth HCI UART transport layer (part H:4), with pseudo-header
780  * that includes direction information; requested by Paolo Abeni.
781  */
782 #define DLT_BLUETOOTH_HCI_H4_WITH_PHDR	201
783 
784 /*
785  * AX.25 packet with a 1-byte KISS header; see
786  *
787  *      http://www.ax25.net/kiss.htm
788  *
789  * as per Richard Stearn <richard@rns-stearn.demon.co.uk>.
790  */
791 #define DLT_AX25_KISS           202
792 
793 /*
794  * LAPD packets from an ISDN channel, starting with the address field,
795  * with no pseudo-header.
796  * Requested by Varuna De Silva <varunax@gmail.com>.
797  */
798 #define DLT_LAPD                203
799 
800 /*
801  * Variants of various link-layer headers, with a one-byte direction
802  * pseudo-header prepended - zero means "received by this host",
803  * non-zero (any non-zero value) means "sent by this host" - as per
804  * Will Barker <w.barker@zen.co.uk>.
805  */
806 #define DLT_PPP_WITH_DIR        204     /* PPP - don't confuse with DLT_PPP_WITH_DIRECTION */
807 #define DLT_C_HDLC_WITH_DIR     205     /* Cisco HDLC */
808 #define DLT_FRELAY_WITH_DIR     206     /* Frame Relay */
809 #define DLT_LAPB_WITH_DIR       207     /* LAPB */
810 
811 /*
812  * 208 is reserved for an as-yet-unspecified proprietary link-layer
813  * type, as requested by Will Barker.
814  */
815 
816 /*
817  * IPMB with a Linux-specific pseudo-header; as requested by Alexey Neyman
818  * <avn@pigeonpoint.com>.
819  */
820 #define DLT_IPMB_LINUX          209
821 
822 /*
823  * FlexRay automotive bus - http://www.flexray.com/ - as requested
824  * by Hannes Kaelber <hannes.kaelber@x2e.de>.
825  */
826 #define DLT_FLEXRAY             210
827 
828 /*
829  * Media Oriented Systems Transport (MOST) bus for multimedia
830  * transport - http://www.mostcooperation.com/ - as requested
831  * by Hannes Kaelber <hannes.kaelber@x2e.de>.
832  */
833 #define DLT_MOST                211
834 
835 /*
836  * Local Interconnect Network (LIN) bus for vehicle networks -
837  * http://www.lin-subbus.org/ - as requested by Hannes Kaelber
838  * <hannes.kaelber@x2e.de>.
839  */
840 #define DLT_LIN                 212
841 
842 /*
843  * X2E-private data link type used for serial line capture,
844  * as requested by Hannes Kaelber <hannes.kaelber@x2e.de>.
845  */
846 #define DLT_X2E_SERIAL          213
847 
848 /*
849  * X2E-private data link type used for the Xoraya data logger
850  * family, as requested by Hannes Kaelber <hannes.kaelber@x2e.de>.
851  */
852 #define DLT_X2E_XORAYA          214
853 
854 /*
855  * IEEE 802.15.4, exactly as it appears in the spec (no padding, no
856  * nothing), but with the PHY-level data for non-ASK PHYs (4 octets
857  * of 0 as preamble, one octet of SFD, one octet of frame length+
858  * reserved bit, and then the MAC-layer data, starting with the
859  * frame control field).
860  *
861  * Requested by Max Filippov <jcmvbkbc@gmail.com>.
862  */
863 #define DLT_IEEE802_15_4_NONASK_PHY     215
864 
865 /*
866  * David Gibson <david@gibson.dropbear.id.au> requested this for
867  * captures from the Linux kernel /dev/input/eventN devices. This
868  * is used to communicate keystrokes and mouse movements from the
869  * Linux kernel to display systems, such as Xorg.
870  */
871 #define	DLT_LINUX_EVDEV		216
872 
873 /*
874  * GSM Um and Abis interfaces, preceded by a "gsmtap" header.
875  *
876  * Requested by Harald Welte <laforge@gnumonks.org>.
877  */
878 #define	DLT_GSMTAP_UM		217
879 #define	DLT_GSMTAP_ABIS		218
880 
881 /*
882  * MPLS, with an MPLS label as the link-layer header.
883  * Requested by Michele Marchetto <michele@openbsd.org> on behalf
884  * of OpenBSD.
885  */
886 #define	DLT_MPLS		219
887 
888 /*
889  * USB packets, beginning with a Linux USB header, with the USB header
890  * padded to 64 bytes; required for memory-mapped access.
891  */
892 #define	DLT_USB_LINUX_MMAPPED	220
893 
894 /*
895  * DECT packets, with a pseudo-header; requested by
896  * Matthias Wenzel <tcpdump@mazzoo.de>.
897  */
898 #define	DLT_DECT		221
899 /*
900  * From: "Lidwa, Eric (GSFC-582.0)[SGT INC]" <eric.lidwa-1@nasa.gov>
901  * Date: Mon, 11 May 2009 11:18:30 -0500
902  *
903  * DLT_AOS. We need it for AOS Space Data Link Protocol.
904  *   I have already written dissectors for but need an OK from
905  *   legal before I can submit a patch.
906  *
907  */
908 #define	DLT_AOS			222
909 
910 /*
911  * Wireless HART (Highway Addressable Remote Transducer)
912  * From the HART Communication Foundation
913  * IES/PAS 62591
914  *
915  * Requested by Sam Roberts <vieuxtech@gmail.com>.
916  */
917 #define	DLT_WIHART		223
918 
919 /*
920  * Fibre Channel FC-2 frames, beginning with a Frame_Header.
921  * Requested by Kahou Lei <kahou82@gmail.com>.
922  */
923 #define	DLT_FC_2		224
924 
925 /*
926  * Fibre Channel FC-2 frames, beginning with an encoding of the
927  * SOF, and ending with an encoding of the EOF.
928  *
929  * The encodings represent the frame delimiters as 4-byte sequences
930  * representing the corresponding ordered sets, with K28.5
931  * represented as 0xBC, and the D symbols as the corresponding
932  * byte values; for example, SOFi2, which is K28.5 - D21.5 - D1.2 - D21.2,
933  * is represented as 0xBC 0xB5 0x55 0x55.
934  *
935  * Requested by Kahou Lei <kahou82@gmail.com>.
936  */
937 #define	DLT_FC_2_WITH_FRAME_DELIMS	225
938 /*
939  * Solaris ipnet pseudo-header; requested by Darren Reed <Darren.Reed@Sun.COM>.
940  *
941  * The pseudo-header starts with a one-byte version number; for version 2,
942  * the pseudo-header is:
943  *
944  * struct dl_ipnetinfo {
945  *     u_int8_t   dli_version;
946  *     u_int8_t   dli_family;
947  *     u_int16_t  dli_htype;
948  *     u_int32_t  dli_pktlen;
949  *     u_int32_t  dli_ifindex;
950  *     u_int32_t  dli_grifindex;
951  *     u_int32_t  dli_zsrc;
952  *     u_int32_t  dli_zdst;
953  * };
954  *
955  * dli_version is 2 for the current version of the pseudo-header.
956  *
957  * dli_family is a Solaris address family value, so it's 2 for IPv4
958  * and 26 for IPv6.
959  *
960  * dli_htype is a "hook type" - 0 for incoming packets, 1 for outgoing
961  * packets, and 2 for packets arriving from another zone on the same
962  * machine.
963  *
964  * dli_pktlen is the length of the packet data following the pseudo-header
965  * (so the captured length minus dli_pktlen is the length of the
966  * pseudo-header, assuming the entire pseudo-header was captured).
967  *
968  * dli_ifindex is the interface index of the interface on which the
969  * packet arrived.
970  *
971  * dli_grifindex is the group interface index number (for IPMP interfaces).
972  *
973  * dli_zsrc is the zone identifier for the source of the packet.
974  *
975  * dli_zdst is the zone identifier for the destination of the packet.
976  *
977  * A zone number of 0 is the global zone; a zone number of 0xffffffff
978  * means that the packet arrived from another host on the network, not
979  * from another zone on the same machine.
980  *
981  * An IPv4 or IPv6 datagram follows the pseudo-header; dli_family indicates
982  * which of those it is.
983  */
984 #define	DLT_IPNET			226
985 
986 /*
987  * CAN (Controller Area Network) frames, with a pseudo-header as supplied
988  * by Linux SocketCAN.  See Documentation/networking/can.txt in the Linux
989  * source.
990  *
991  * Requested by Felix Obenhuber <felix@obenhuber.de>.
992  */
993 #define	DLT_CAN_SOCKETCAN		227
994 
995 /*
996  * Raw IPv4/IPv6; different from DLT_RAW in that the DLT_ value specifies
997  * whether it's v4 or v6.  Requested by Darren Reed <Darren.Reed@Sun.COM>.
998  */
999 #define DLT_IPV4		228
1000 #define DLT_IPV6		229
1001 
1002 /*
1003  * IEEE 802.15.4, exactly as it appears in the spec (no padding, no
1004  * nothing), and with no FCS at the end of the frame; requested by
1005  * Jon Smirl <jonsmirl@gmail.com>.
1006  */
1007 #define DLT_IEEE802_15_4_NOFCS	230
1008 
1009 /*
1010  * Raw D-Bus:
1011  *
1012  *	http://www.freedesktop.org/wiki/Software/dbus
1013  *
1014  * messages:
1015  *
1016  *	http://dbus.freedesktop.org/doc/dbus-specification.html#message-protocol-messages
1017  *
1018  * starting with the endianness flag, followed by the message type, etc.,
1019  * but without the authentication handshake before the message sequence:
1020  *
1021  *	http://dbus.freedesktop.org/doc/dbus-specification.html#auth-protocol
1022  *
1023  * Requested by Martin Vidner <martin@vidner.net>.
1024  */
1025 #define DLT_DBUS		231
1026 
1027 /*
1028  * Juniper-private data link type, as per request from
1029  * Hannes Gredler <hannes@juniper.net>.
1030  */
1031 #define DLT_JUNIPER_VS			232
1032 #define DLT_JUNIPER_SRX_E2E		233
1033 #define DLT_JUNIPER_FIBRECHANNEL	234
1034 
1035 /*
1036  * DVB-CI (DVB Common Interface for communication between a PC Card
1037  * module and a DVB receiver).  See
1038  *
1039  *	http://www.kaiser.cx/pcap-dvbci.html
1040  *
1041  * for the specification.
1042  *
1043  * Requested by Martin Kaiser <martin@kaiser.cx>.
1044  */
1045 #define DLT_DVB_CI		235
1046 
1047 /*
1048  * Variant of 3GPP TS 27.010 multiplexing protocol (similar to, but
1049  * *not* the same as, 27.010).  Requested by Hans-Christoph Schemmel
1050  * <hans-christoph.schemmel@cinterion.com>.
1051  */
1052 #define DLT_MUX27010		236
1053 
1054 /*
1055  * STANAG 5066 D_PDUs.  Requested by M. Baris Demiray
1056  * <barisdemiray@gmail.com>.
1057  */
1058 #define DLT_STANAG_5066_D_PDU	237
1059 
1060 /*
1061  * Juniper-private data link type, as per request from
1062  * Hannes Gredler <hannes@juniper.net>.
1063  */
1064 #define DLT_JUNIPER_ATM_CEMIC	238
1065 
1066 /*
1067  * NetFilter LOG messages
1068  * (payload of netlink NFNL_SUBSYS_ULOG/NFULNL_MSG_PACKET packets)
1069  *
1070  * Requested by Jakub Zawadzki <darkjames-ws@darkjames.pl>
1071  */
1072 #define DLT_NFLOG		239
1073 
1074 /*
1075  * Hilscher Gesellschaft fuer Systemautomation mbH link-layer type
1076  * for Ethernet packets with a 4-byte pseudo-header and always
1077  * with the payload including the FCS, as supplied by their
1078  * netANALYZER hardware and software.
1079  *
1080  * Requested by Holger P. Frommer <HPfrommer@hilscher.com>
1081  */
1082 #define DLT_NETANALYZER		240
1083 
1084 /*
1085  * Hilscher Gesellschaft fuer Systemautomation mbH link-layer type
1086  * for Ethernet packets with a 4-byte pseudo-header and FCS and
1087  * with the Ethernet header preceded by 7 bytes of preamble and
1088  * 1 byte of SFD, as supplied by their netANALYZER hardware and
1089  * software.
1090  *
1091  * Requested by Holger P. Frommer <HPfrommer@hilscher.com>
1092  */
1093 #define DLT_NETANALYZER_TRANSPARENT	241
1094 
1095 /*
1096  * IP-over-InfiniBand, as specified by RFC 4391.
1097  *
1098  * Requested by Petr Sumbera <petr.sumbera@oracle.com>.
1099  */
1100 #define DLT_IPOIB		242
1101 
1102 /*
1103  * MPEG-2 transport stream (ISO 13818-1/ITU-T H.222.0).
1104  *
1105  * Requested by Guy Martin <gmsoft@tuxicoman.be>.
1106  */
1107 #define DLT_MPEG_2_TS		243
1108 
1109 /*
1110  * ng4T GmbH's UMTS Iub/Iur-over-ATM and Iub/Iur-over-IP format as
1111  * used by their ng40 protocol tester.
1112  *
1113  * Requested by Jens Grimmer <jens.grimmer@ng4t.com>.
1114  */
1115 #define DLT_NG40		244
1116 
1117 /*
1118  * Pseudo-header giving adapter number and flags, followed by an NFC
1119  * (Near-Field Communications) Logical Link Control Protocol (LLCP) PDU,
1120  * as specified by NFC Forum Logical Link Control Protocol Technical
1121  * Specification LLCP 1.1.
1122  *
1123  * Requested by Mike Wakerly <mikey@google.com>.
1124  */
1125 #define DLT_NFC_LLCP		245
1126 
1127 /*
1128  * 245 is used as LINKTYPE_PFSYNC; do not use it for any other purpose.
1129  *
1130  * DLT_PFSYNC has different values on different platforms, and all of
1131  * them collide with something used elsewhere.  On platforms that
1132  * don't already define it, define it as 245.
1133  */
1134 #if !defined(__FreeBSD__) && !defined(__OpenBSD__) && !defined(__NetBSD__) && !defined(__DragonFly__) && !defined(__APPLE__)
1135 #define DLT_PFSYNC		246
1136 #endif
1137 
1138 /*
1139  * Raw InfiniBand packets, starting with the Local Routing Header.
1140  *
1141  * Requested by Oren Kladnitsky <orenk@mellanox.com>.
1142  */
1143 #define DLT_INFINIBAND		247
1144 
1145 /*
1146  * SCTP, with no lower-level protocols (i.e., no IPv4 or IPv6).
1147  *
1148  * Requested by Michael Tuexen <Michael.Tuexen@lurchi.franken.de>.
1149  */
1150 #define DLT_SCTP		248
1151 
1152 /*
1153  * USB packets, beginning with a USBPcap header.
1154  *
1155  * Requested by Tomasz Mon <desowin@gmail.com>
1156  */
1157 #define DLT_USBPCAP		249
1158 
1159 /*
1160  * Schweitzer Engineering Laboratories "RTAC" product serial-line
1161  * packets.
1162  *
1163  * Requested by Chris Bontje <chris_bontje@selinc.com>.
1164  */
1165 #define DLT_RTAC_SERIAL		250
1166 
1167 /*
1168  * Bluetooth Low Energy air interface link-layer packets.
1169  *
1170  * Requested by Mike Kershaw <dragorn@kismetwireless.net>.
1171  */
1172 #define DLT_BLUETOOTH_LE_LL	251
1173 
1174 /*
1175  * DLT type for upper-protocol layer PDU saves from wireshark.
1176  *
1177  * the actual contents are determined by two TAGs stored with each
1178  * packet:
1179  *   EXP_PDU_TAG_LINKTYPE          the link type (LINKTYPE_ value) of the
1180  *				   original packet.
1181  *
1182  *   EXP_PDU_TAG_PROTO_NAME        the name of the wireshark dissector
1183  * 				   that can make sense of the data stored.
1184  */
1185 #define DLT_WIRESHARK_UPPER_PDU	252
1186 
1187 /*
1188  * DLT type for the netlink protocol (nlmon devices).
1189  */
1190 #define DLT_NETLINK		253
1191 
1192 /*
1193  * Bluetooth Linux Monitor headers for the BlueZ stack.
1194  */
1195 #define DLT_BLUETOOTH_LINUX_MONITOR	254
1196 
1197 /*
1198  * Bluetooth Basic Rate/Enhanced Data Rate baseband packets, as
1199  * captured by Ubertooth.
1200  */
1201 #define DLT_BLUETOOTH_BREDR_BB	255
1202 
1203 /*
1204  * Bluetooth Low Energy link layer packets, as captured by Ubertooth.
1205  */
1206 #define DLT_BLUETOOTH_LE_LL_WITH_PHDR	256
1207 
1208 /*
1209  * PROFIBUS data link layer.
1210  */
1211 #define DLT_PROFIBUS_DL		257
1212 
1213 /*
1214  * Apple's DLT_PKTAP headers.
1215  *
1216  * Sadly, the folks at Apple either had no clue that the DLT_USERn values
1217  * are for internal use within an organization and partners only, and
1218  * didn't know that the right way to get a link-layer header type is to
1219  * ask tcpdump.org for one, or knew and didn't care, so they just
1220  * used DLT_USER2, which causes problems for everything except for
1221  * their version of tcpdump.
1222  *
1223  * So I'll just give them one; hopefully this will show up in a
1224  * libpcap release in time for them to get this into 10.10 Big Sur
1225  * or whatever Mavericks' successor is called.  LINKTYPE_PKTAP
1226  * will be 258 *even on OS X*; that is *intentional*, so that
1227  * PKTAP files look the same on *all* OSes (different OSes can have
1228  * different numerical values for a given DLT_, but *MUST NOT* have
1229  * different values for what goes in a file, as files can be moved
1230  * between OSes!).
1231  *
1232  * When capturing, on a system with a Darwin-based OS, on a device
1233  * that returns 149 (DLT_USER2 and Apple's DLT_PKTAP) with this
1234  * version of libpcap, the DLT_ value for the pcap_t  will be DLT_PKTAP,
1235  * and that will continue to be DLT_USER2 on Darwin-based OSes. That way,
1236  * binary compatibility with Mavericks is preserved for programs using
1237  * this version of libpcap.  This does mean that if you were using
1238  * DLT_USER2 for some capture device on OS X, you can't do so with
1239  * this version of libpcap, just as you can't with Apple's libpcap -
1240  * on OS X, they define DLT_PKTAP to be DLT_USER2, so programs won't
1241  * be able to distinguish between PKTAP and whatever you were using
1242  * DLT_USER2 for.
1243  *
1244  * If the program saves the capture to a file using this version of
1245  * libpcap's pcap_dump code, the LINKTYPE_ value in the file will be
1246  * LINKTYPE_PKTAP, which will be 258, even on Darwin-based OSes.
1247  * That way, the file will *not* be a DLT_USER2 file.  That means
1248  * that the latest version of tcpdump, when built with this version
1249  * of libpcap, and sufficiently recent versions of Wireshark will
1250  * be able to read those files and interpret them correctly; however,
1251  * Apple's version of tcpdump in OS X 10.9 won't be able to handle
1252  * them.  (Hopefully, Apple will pick up this version of libpcap,
1253  * and the corresponding version of tcpdump, so that tcpdump will
1254  * be able to handle the old LINKTYPE_USER2 captures *and* the new
1255  * LINKTYPE_PKTAP captures.)
1256  */
1257 #ifdef __APPLE__
1258 #define DLT_PKTAP	DLT_USER2
1259 #else
1260 #define DLT_PKTAP	258
1261 #endif
1262 
1263 /*
1264  * Ethernet packets preceded by a header giving the last 6 octets
1265  * of the preamble specified by 802.3-2012 Clause 65, section
1266  * 65.1.3.2 "Transmit".
1267  */
1268 #define DLT_EPON	259
1269 
1270 /*
1271  * IPMI trace packets, as specified by Table 3-20 "Trace Data Block Format"
1272  * in the PICMG HPM.2 specification.
1273  */
1274 #define DLT_IPMI_HPM_2	260
1275 
1276 #define DLT_MATCHING_MAX	260	/* highest value in the "matching" range */
1277 
1278 /*
1279  * DLT and savefile link type values are split into a class and
1280  * a member of that class.  A class value of 0 indicates a regular
1281  * DLT_/LINKTYPE_ value.
1282  */
1283 #define DLT_CLASS(x)            ((x) & 0x03ff0000)
1284 
1285 /*
1286  * The instruction encodings.
1287  *
1288  * Please inform tcpdump-workers@lists.tcpdump.org if you use any
1289  * of the reserved values, so that we can note that they're used
1290  * (and perhaps implement it in the reference BPF implementation
1291  * and encourage its implementation elsewhere).
1292  */
1293 
1294 /*
1295  * The upper 8 bits of the opcode aren't used. BSD/OS used 0x8000.
1296  */
1297 
1298 /* instruction classes */
1299 #define BPF_CLASS(code) ((code) & 0x07)
1300 #define		BPF_LD		0x00
1301 #define		BPF_LDX		0x01
1302 #define		BPF_ST		0x02
1303 #define		BPF_STX		0x03
1304 #define		BPF_ALU		0x04
1305 #define		BPF_JMP		0x05
1306 #define		BPF_RET		0x06
1307 #define		BPF_MISC	0x07
1308 
1309 /* ld/ldx fields */
1310 #define BPF_SIZE(code)	((code) & 0x18)
1311 #define		BPF_W		0x00
1312 #define		BPF_H		0x08
1313 #define		BPF_B		0x10
1314 /*				0x18	reserved; used by BSD/OS */
1315 #define BPF_MODE(code)	((code) & 0xe0)
1316 #define		BPF_IMM 	0x00
1317 #define		BPF_ABS		0x20
1318 #define		BPF_IND		0x40
1319 #define		BPF_MEM		0x60
1320 #define		BPF_LEN		0x80
1321 #define		BPF_MSH		0xa0
1322 /*				0xc0	reserved; used by BSD/OS */
1323 /*				0xe0	reserved; used by BSD/OS */
1324 
1325 /* alu/jmp fields */
1326 #define BPF_OP(code)	((code) & 0xf0)
1327 #define		BPF_ADD		0x00
1328 #define		BPF_SUB		0x10
1329 #define		BPF_MUL		0x20
1330 #define		BPF_DIV		0x30
1331 #define		BPF_OR		0x40
1332 #define		BPF_AND		0x50
1333 #define		BPF_LSH		0x60
1334 #define		BPF_RSH		0x70
1335 #define		BPF_NEG		0x80
1336 #define		BPF_MOD		0x90
1337 #define		BPF_XOR		0xa0
1338 /*				0xb0	reserved */
1339 /*				0xc0	reserved */
1340 /*				0xd0	reserved */
1341 /*				0xe0	reserved */
1342 /*				0xf0	reserved */
1343 
1344 #define		BPF_JA		0x00
1345 #define		BPF_JEQ		0x10
1346 #define		BPF_JGT		0x20
1347 #define		BPF_JGE		0x30
1348 #define		BPF_JSET	0x40
1349 /*				0x50	reserved; used on BSD/OS */
1350 /*				0x60	reserved */
1351 /*				0x70	reserved */
1352 /*				0x80	reserved */
1353 /*				0x90	reserved */
1354 /*				0xa0	reserved */
1355 /*				0xb0	reserved */
1356 /*				0xc0	reserved */
1357 /*				0xd0	reserved */
1358 /*				0xe0	reserved */
1359 /*				0xf0	reserved */
1360 #define BPF_SRC(code)	((code) & 0x08)
1361 #define		BPF_K		0x00
1362 #define		BPF_X		0x08
1363 
1364 /* ret - BPF_K and BPF_X also apply */
1365 #define BPF_RVAL(code)	((code) & 0x18)
1366 #define		BPF_A		0x10
1367 /*				0x18	reserved */
1368 
1369 /* misc */
1370 #define BPF_MISCOP(code) ((code) & 0xf8)
1371 #define		BPF_TAX		0x00
1372 /*				0x08	reserved */
1373 /*				0x10	reserved */
1374 /*				0x18	reserved */
1375 /* #define	BPF_COP		0x20	NetBSD "coprocessor" extensions */
1376 /*				0x28	reserved */
1377 /*				0x30	reserved */
1378 /*				0x38	reserved */
1379 /* #define	BPF_COPX	0x40	NetBSD "coprocessor" extensions */
1380 /*					also used on BSD/OS */
1381 /*				0x48	reserved */
1382 /*				0x50	reserved */
1383 /*				0x58	reserved */
1384 /*				0x60	reserved */
1385 /*				0x68	reserved */
1386 /*				0x70	reserved */
1387 /*				0x78	reserved */
1388 #define		BPF_TXA		0x80
1389 /*				0x88	reserved */
1390 /*				0x90	reserved */
1391 /*				0x98	reserved */
1392 /*				0xa0	reserved */
1393 /*				0xa8	reserved */
1394 /*				0xb0	reserved */
1395 /*				0xb8	reserved */
1396 /*				0xc0	reserved; used on BSD/OS */
1397 /*				0xc8	reserved */
1398 /*				0xd0	reserved */
1399 /*				0xd8	reserved */
1400 /*				0xe0	reserved */
1401 /*				0xe8	reserved */
1402 /*				0xf0	reserved */
1403 /*				0xf8	reserved */
1404 
1405 /*
1406  * The instruction data structure.
1407  */
1408 struct bpf_insn {
1409 	u_short		code;
1410 	u_char		jt;
1411 	u_char		jf;
1412 	bpf_u_int32	k;
1413 };
1414 
1415 /*
1416  * Macros for insn array initializers.
1417  */
1418 #define BPF_STMT(code, k) { (u_short)(code), 0, 0, k }
1419 #define BPF_JUMP(code, k, jt, jf) { (u_short)(code), jt, jf, k }
1420 
1421 /*
1422  * Structure to retrieve available DLTs for the interface.
1423  */
1424 struct bpf_dltlist {
1425 	u_int	bfl_len;	/* number of bfd_list array */
1426 	u_int	*bfl_list;	/* array of DLTs */
1427 };
1428 
1429 #ifdef _KERNEL
1430 #ifdef MALLOC_DECLARE
1431 MALLOC_DECLARE(M_BPF);
1432 #endif
1433 #ifdef SYSCTL_DECL
1434 SYSCTL_DECL(_net_bpf);
1435 #endif
1436 
1437 /*
1438  * Rotate the packet buffers in descriptor d.  Move the store buffer into the
1439  * hold slot, and the free buffer into the store slot.  Zero the length of the
1440  * new store buffer.  Descriptor lock should be held.  One must be careful to
1441  * not rotate the buffers twice, i.e. if fbuf != NULL.
1442  */
1443 #define	ROTATE_BUFFERS(d)	do {					\
1444 	(d)->bd_hbuf = (d)->bd_sbuf;					\
1445 	(d)->bd_hlen = (d)->bd_slen;					\
1446 	(d)->bd_sbuf = (d)->bd_fbuf;					\
1447 	(d)->bd_slen = 0;						\
1448 	(d)->bd_fbuf = NULL;						\
1449 	bpf_bufheld(d);							\
1450 } while (0)
1451 
1452 /*
1453  * Descriptor associated with each attached hardware interface.
1454  * Part of this structure is exposed to external callers to speed up
1455  * bpf_peers_present() calls.
1456  */
1457 struct bpf_if;
1458 
1459 struct bpf_if_ext {
1460 	LIST_ENTRY(bpf_if)	bif_next;	/* list of all interfaces */
1461 	LIST_HEAD(, bpf_d)	bif_dlist;	/* descriptor list */
1462 };
1463 
1464 void	 bpf_bufheld(struct bpf_d *d);
1465 int	 bpf_validate(const struct bpf_insn *, int);
1466 void	 bpf_tap(struct bpf_if *, u_char *, u_int);
1467 void	 bpf_mtap(struct bpf_if *, struct mbuf *);
1468 void	 bpf_mtap2(struct bpf_if *, void *, u_int, struct mbuf *);
1469 void	 bpfattach(struct ifnet *, u_int, u_int);
1470 void	 bpfattach2(struct ifnet *, u_int, u_int, struct bpf_if **);
1471 void	 bpfdetach(struct ifnet *);
1472 #ifdef VIMAGE
1473 int	 bpf_get_bp_params(struct bpf_if *, u_int *, u_int *);
1474 #endif
1475 
1476 void	 bpfilterattach(int);
1477 u_int	 bpf_filter(const struct bpf_insn *, u_char *, u_int, u_int);
1478 
1479 static __inline int
1480 bpf_peers_present(struct bpf_if *bpf)
1481 {
1482 	struct bpf_if_ext *ext;
1483 
1484 	ext = (struct bpf_if_ext *)bpf;
1485 	if (!LIST_EMPTY(&ext->bif_dlist))
1486 		return (1);
1487 	return (0);
1488 }
1489 
1490 #define	BPF_TAP(_ifp,_pkt,_pktlen) do {				\
1491 	if (bpf_peers_present((_ifp)->if_bpf))			\
1492 		bpf_tap((_ifp)->if_bpf, (_pkt), (_pktlen));	\
1493 } while (0)
1494 #define	BPF_MTAP(_ifp,_m) do {					\
1495 	if (bpf_peers_present((_ifp)->if_bpf)) {		\
1496 		M_ASSERTVALID(_m);				\
1497 		bpf_mtap((_ifp)->if_bpf, (_m));			\
1498 	}							\
1499 } while (0)
1500 #define	BPF_MTAP2(_ifp,_data,_dlen,_m) do {			\
1501 	if (bpf_peers_present((_ifp)->if_bpf)) {		\
1502 		M_ASSERTVALID(_m);				\
1503 		bpf_mtap2((_ifp)->if_bpf,(_data),(_dlen),(_m));	\
1504 	}							\
1505 } while (0)
1506 #endif
1507 
1508 /*
1509  * Number of scratch memory words (for BPF_LD|BPF_MEM and BPF_ST).
1510  */
1511 #define BPF_MEMWORDS 16
1512 
1513 #ifdef _SYS_EVENTHANDLER_H_
1514 /* BPF attach/detach events */
1515 struct ifnet;
1516 typedef void (*bpf_track_fn)(void *, struct ifnet *, int /* dlt */,
1517     int /* 1 =>'s attach */);
1518 EVENTHANDLER_DECLARE(bpf_track, bpf_track_fn);
1519 #endif /* _SYS_EVENTHANDLER_H_ */
1520 
1521 #endif /* _NET_BPF_H_ */
1522