1 /*- 2 * Copyright (c) 1990, 1991, 1993 3 * The Regents of the University of California. All rights reserved. 4 * 5 * This code is derived from the Stanford/CMU enet packet filter, 6 * (net/enet.c) distributed as part of 4.3BSD, and code contributed 7 * to Berkeley by Steven McCanne and Van Jacobson both of Lawrence 8 * Berkeley Laboratory. 9 * 10 * Redistribution and use in source and binary forms, with or without 11 * modification, are permitted provided that the following conditions 12 * are met: 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 4. Neither the name of the University nor the names of its contributors 19 * may be used to endorse or promote products derived from this software 20 * without specific prior written permission. 21 * 22 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 25 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 32 * SUCH DAMAGE. 33 * 34 * @(#)bpf.h 8.1 (Berkeley) 6/10/93 35 * @(#)bpf.h 1.34 (LBL) 6/16/96 36 * 37 * $FreeBSD$ 38 */ 39 40 #ifndef _NET_BPF_H_ 41 #define _NET_BPF_H_ 42 43 /* BSD style release date */ 44 #define BPF_RELEASE 199606 45 46 typedef int32_t bpf_int32; 47 typedef u_int32_t bpf_u_int32; 48 typedef int64_t bpf_int64; 49 typedef u_int64_t bpf_u_int64; 50 51 /* 52 * Alignment macros. BPF_WORDALIGN rounds up to the next 53 * even multiple of BPF_ALIGNMENT. 54 */ 55 #define BPF_ALIGNMENT sizeof(long) 56 #define BPF_WORDALIGN(x) (((x)+(BPF_ALIGNMENT-1))&~(BPF_ALIGNMENT-1)) 57 58 #define BPF_MAXINSNS 512 59 #define BPF_MAXBUFSIZE 0x80000 60 #define BPF_MINBUFSIZE 32 61 62 /* 63 * Structure for BIOCSETF. 64 */ 65 struct bpf_program { 66 u_int bf_len; 67 struct bpf_insn *bf_insns; 68 }; 69 70 /* 71 * Struct returned by BIOCGSTATS. 72 */ 73 struct bpf_stat { 74 u_int bs_recv; /* number of packets received */ 75 u_int bs_drop; /* number of packets dropped */ 76 }; 77 78 /* 79 * Struct return by BIOCVERSION. This represents the version number of 80 * the filter language described by the instruction encodings below. 81 * bpf understands a program iff kernel_major == filter_major && 82 * kernel_minor >= filter_minor, that is, if the value returned by the 83 * running kernel has the same major number and a minor number equal 84 * equal to or less than the filter being downloaded. Otherwise, the 85 * results are undefined, meaning an error may be returned or packets 86 * may be accepted haphazardly. 87 * It has nothing to do with the source code version. 88 */ 89 struct bpf_version { 90 u_short bv_major; 91 u_short bv_minor; 92 }; 93 /* Current version number of filter architecture. */ 94 #define BPF_MAJOR_VERSION 1 95 #define BPF_MINOR_VERSION 1 96 97 /* 98 * Historically, BPF has supported a single buffering model, first using mbuf 99 * clusters in kernel, and later using malloc(9) buffers in kernel. We now 100 * support multiple buffering modes, which may be queried and set using 101 * BIOCGETBUFMODE and BIOCSETBUFMODE. So as to avoid handling the complexity 102 * of changing modes while sniffing packets, the mode becomes fixed once an 103 * interface has been attached to the BPF descriptor. 104 */ 105 #define BPF_BUFMODE_BUFFER 1 /* Kernel buffers with read(). */ 106 #define BPF_BUFMODE_ZBUF 2 /* Zero-copy buffers. */ 107 108 /*- 109 * Struct used by BIOCSETZBUF, BIOCROTZBUF: describes up to two zero-copy 110 * buffer as used by BPF. 111 */ 112 struct bpf_zbuf { 113 void *bz_bufa; /* Location of 'a' zero-copy buffer. */ 114 void *bz_bufb; /* Location of 'b' zero-copy buffer. */ 115 size_t bz_buflen; /* Size of zero-copy buffers. */ 116 }; 117 118 #define BIOCGBLEN _IOR('B', 102, u_int) 119 #define BIOCSBLEN _IOWR('B', 102, u_int) 120 #define BIOCSETF _IOW('B', 103, struct bpf_program) 121 #define BIOCFLUSH _IO('B', 104) 122 #define BIOCPROMISC _IO('B', 105) 123 #define BIOCGDLT _IOR('B', 106, u_int) 124 #define BIOCGETIF _IOR('B', 107, struct ifreq) 125 #define BIOCSETIF _IOW('B', 108, struct ifreq) 126 #define BIOCSRTIMEOUT _IOW('B', 109, struct timeval) 127 #define BIOCGRTIMEOUT _IOR('B', 110, struct timeval) 128 #define BIOCGSTATS _IOR('B', 111, struct bpf_stat) 129 #define BIOCIMMEDIATE _IOW('B', 112, u_int) 130 #define BIOCVERSION _IOR('B', 113, struct bpf_version) 131 #define BIOCGRSIG _IOR('B', 114, u_int) 132 #define BIOCSRSIG _IOW('B', 115, u_int) 133 #define BIOCGHDRCMPLT _IOR('B', 116, u_int) 134 #define BIOCSHDRCMPLT _IOW('B', 117, u_int) 135 #define BIOCGDIRECTION _IOR('B', 118, u_int) 136 #define BIOCSDIRECTION _IOW('B', 119, u_int) 137 #define BIOCSDLT _IOW('B', 120, u_int) 138 #define BIOCGDLTLIST _IOWR('B', 121, struct bpf_dltlist) 139 #define BIOCLOCK _IO('B', 122) 140 #define BIOCSETWF _IOW('B', 123, struct bpf_program) 141 #define BIOCFEEDBACK _IOW('B', 124, u_int) 142 #define BIOCGETBUFMODE _IOR('B', 125, u_int) 143 #define BIOCSETBUFMODE _IOW('B', 126, u_int) 144 #define BIOCGETZMAX _IOR('B', 127, size_t) 145 #define BIOCROTZBUF _IOR('B', 128, struct bpf_zbuf) 146 #define BIOCSETZBUF _IOW('B', 129, struct bpf_zbuf) 147 #define BIOCSETFNR _IOW('B', 130, struct bpf_program) 148 #define BIOCGTSTAMP _IOR('B', 131, u_int) 149 #define BIOCSTSTAMP _IOW('B', 132, u_int) 150 151 /* Obsolete */ 152 #define BIOCGSEESENT BIOCGDIRECTION 153 #define BIOCSSEESENT BIOCSDIRECTION 154 155 /* Packet directions */ 156 enum bpf_direction { 157 BPF_D_IN, /* See incoming packets */ 158 BPF_D_INOUT, /* See incoming and outgoing packets */ 159 BPF_D_OUT /* See outgoing packets */ 160 }; 161 162 /* Time stamping functions */ 163 #define BPF_T_MICROTIME 0x0000 164 #define BPF_T_NANOTIME 0x0001 165 #define BPF_T_BINTIME 0x0002 166 #define BPF_T_NONE 0x0003 167 #define BPF_T_FORMAT_MASK 0x0003 168 #define BPF_T_NORMAL 0x0000 169 #define BPF_T_FAST 0x0100 170 #define BPF_T_MONOTONIC 0x0200 171 #define BPF_T_MONOTONIC_FAST (BPF_T_FAST | BPF_T_MONOTONIC) 172 #define BPF_T_FLAG_MASK 0x0300 173 #define BPF_T_FORMAT(t) ((t) & BPF_T_FORMAT_MASK) 174 #define BPF_T_FLAG(t) ((t) & BPF_T_FLAG_MASK) 175 #define BPF_T_VALID(t) \ 176 ((t) == BPF_T_NONE || (BPF_T_FORMAT(t) != BPF_T_NONE && \ 177 ((t) & ~(BPF_T_FORMAT_MASK | BPF_T_FLAG_MASK)) == 0)) 178 179 #define BPF_T_MICROTIME_FAST (BPF_T_MICROTIME | BPF_T_FAST) 180 #define BPF_T_NANOTIME_FAST (BPF_T_NANOTIME | BPF_T_FAST) 181 #define BPF_T_BINTIME_FAST (BPF_T_BINTIME | BPF_T_FAST) 182 #define BPF_T_MICROTIME_MONOTONIC (BPF_T_MICROTIME | BPF_T_MONOTONIC) 183 #define BPF_T_NANOTIME_MONOTONIC (BPF_T_NANOTIME | BPF_T_MONOTONIC) 184 #define BPF_T_BINTIME_MONOTONIC (BPF_T_BINTIME | BPF_T_MONOTONIC) 185 #define BPF_T_MICROTIME_MONOTONIC_FAST (BPF_T_MICROTIME | BPF_T_MONOTONIC_FAST) 186 #define BPF_T_NANOTIME_MONOTONIC_FAST (BPF_T_NANOTIME | BPF_T_MONOTONIC_FAST) 187 #define BPF_T_BINTIME_MONOTONIC_FAST (BPF_T_BINTIME | BPF_T_MONOTONIC_FAST) 188 189 /* 190 * Structure prepended to each packet. 191 */ 192 struct bpf_ts { 193 bpf_int64 bt_sec; /* seconds */ 194 bpf_u_int64 bt_frac; /* fraction */ 195 }; 196 struct bpf_xhdr { 197 struct bpf_ts bh_tstamp; /* time stamp */ 198 bpf_u_int32 bh_caplen; /* length of captured portion */ 199 bpf_u_int32 bh_datalen; /* original length of packet */ 200 u_short bh_hdrlen; /* length of bpf header (this struct 201 plus alignment padding) */ 202 }; 203 /* Obsolete */ 204 struct bpf_hdr { 205 struct timeval bh_tstamp; /* time stamp */ 206 bpf_u_int32 bh_caplen; /* length of captured portion */ 207 bpf_u_int32 bh_datalen; /* original length of packet */ 208 u_short bh_hdrlen; /* length of bpf header (this struct 209 plus alignment padding) */ 210 }; 211 #ifdef _KERNEL 212 #define MTAG_BPF 0x627066 213 #define MTAG_BPF_TIMESTAMP 0 214 #endif 215 216 /* 217 * When using zero-copy BPF buffers, a shared memory header is present 218 * allowing the kernel BPF implementation and user process to synchronize 219 * without using system calls. This structure defines that header. When 220 * accessing these fields, appropriate atomic operation and memory barriers 221 * are required in order not to see stale or out-of-order data; see bpf(4) 222 * for reference code to access these fields from userspace. 223 * 224 * The layout of this structure is critical, and must not be changed; if must 225 * fit in a single page on all architectures. 226 */ 227 struct bpf_zbuf_header { 228 volatile u_int bzh_kernel_gen; /* Kernel generation number. */ 229 volatile u_int bzh_kernel_len; /* Length of data in the buffer. */ 230 volatile u_int bzh_user_gen; /* User generation number. */ 231 u_int _bzh_pad[5]; 232 }; 233 234 /* 235 * Data-link level type codes. 236 */ 237 #define DLT_NULL 0 /* BSD loopback encapsulation */ 238 #define DLT_EN10MB 1 /* Ethernet (10Mb) */ 239 #define DLT_EN3MB 2 /* Experimental Ethernet (3Mb) */ 240 #define DLT_AX25 3 /* Amateur Radio AX.25 */ 241 #define DLT_PRONET 4 /* Proteon ProNET Token Ring */ 242 #define DLT_CHAOS 5 /* Chaos */ 243 #define DLT_IEEE802 6 /* IEEE 802 Networks */ 244 #define DLT_ARCNET 7 /* ARCNET */ 245 #define DLT_SLIP 8 /* Serial Line IP */ 246 #define DLT_PPP 9 /* Point-to-point Protocol */ 247 #define DLT_FDDI 10 /* FDDI */ 248 #define DLT_ATM_RFC1483 11 /* LLC/SNAP encapsulated atm */ 249 #define DLT_RAW 12 /* raw IP */ 250 251 /* 252 * These are values from BSD/OS's "bpf.h". 253 * These are not the same as the values from the traditional libpcap 254 * "bpf.h"; however, these values shouldn't be generated by any 255 * OS other than BSD/OS, so the correct values to use here are the 256 * BSD/OS values. 257 * 258 * Platforms that have already assigned these values to other 259 * DLT_ codes, however, should give these codes the values 260 * from that platform, so that programs that use these codes will 261 * continue to compile - even though they won't correctly read 262 * files of these types. 263 */ 264 #define DLT_SLIP_BSDOS 15 /* BSD/OS Serial Line IP */ 265 #define DLT_PPP_BSDOS 16 /* BSD/OS Point-to-point Protocol */ 266 267 #define DLT_ATM_CLIP 19 /* Linux Classical-IP over ATM */ 268 269 /* 270 * These values are defined by NetBSD; other platforms should refrain from 271 * using them for other purposes, so that NetBSD savefiles with link 272 * types of 50 or 51 can be read as this type on all platforms. 273 */ 274 #define DLT_PPP_SERIAL 50 /* PPP over serial with HDLC encapsulation */ 275 #define DLT_PPP_ETHER 51 /* PPP over Ethernet */ 276 277 /* 278 * Reserved for the Symantec Enterprise Firewall. 279 */ 280 #define DLT_SYMANTEC_FIREWALL 99 281 282 /* 283 * Values between 100 and 103 are used in capture file headers as 284 * link-layer header type LINKTYPE_ values corresponding to DLT_ types 285 * that differ between platforms; don't use those values for new DLT_ 286 * new types. 287 */ 288 289 /* 290 * Values starting with 104 are used for newly-assigned link-layer 291 * header type values; for those link-layer header types, the DLT_ 292 * value returned by pcap_datalink() and passed to pcap_open_dead(), 293 * and the LINKTYPE_ value that appears in capture files, are the 294 * same. 295 * 296 * DLT_MATCHING_MIN is the lowest such value; DLT_MATCHING_MAX is 297 * the highest such value. 298 */ 299 #define DLT_MATCHING_MIN 104 300 301 /* 302 * This value was defined by libpcap 0.5; platforms that have defined 303 * it with a different value should define it here with that value - 304 * a link type of 104 in a save file will be mapped to DLT_C_HDLC, 305 * whatever value that happens to be, so programs will correctly 306 * handle files with that link type regardless of the value of 307 * DLT_C_HDLC. 308 * 309 * The name DLT_C_HDLC was used by BSD/OS; we use that name for source 310 * compatibility with programs written for BSD/OS. 311 * 312 * libpcap 0.5 defined it as DLT_CHDLC; we define DLT_CHDLC as well, 313 * for source compatibility with programs written for libpcap 0.5. 314 */ 315 #define DLT_C_HDLC 104 /* Cisco HDLC */ 316 #define DLT_CHDLC DLT_C_HDLC 317 318 #define DLT_IEEE802_11 105 /* IEEE 802.11 wireless */ 319 320 /* 321 * Values between 106 and 107 are used in capture file headers as 322 * link-layer types corresponding to DLT_ types that might differ 323 * between platforms; don't use those values for new DLT_ new types. 324 */ 325 326 /* 327 * Frame Relay; BSD/OS has a DLT_FR with a value of 11, but that collides 328 * with other values. 329 * DLT_FR and DLT_FRELAY packets start with the Q.922 Frame Relay header 330 * (DLCI, etc.). 331 */ 332 #define DLT_FRELAY 107 333 334 /* 335 * OpenBSD DLT_LOOP, for loopback devices; it's like DLT_NULL, except 336 * that the AF_ type in the link-layer header is in network byte order. 337 * 338 * OpenBSD defines it as 12, but that collides with DLT_RAW, so we 339 * define it as 108 here. If OpenBSD picks up this file, it should 340 * define DLT_LOOP as 12 in its version, as per the comment above - 341 * and should not use 108 as a DLT_ value. 342 */ 343 #define DLT_LOOP 108 344 345 /* 346 * Values between 109 and 112 are used in capture file headers as 347 * link-layer types corresponding to DLT_ types that might differ 348 * between platforms; don't use those values for new DLT_ new types. 349 */ 350 351 /* 352 * Encapsulated packets for IPsec; DLT_ENC is 13 in OpenBSD, but that's 353 * DLT_SLIP_BSDOS in NetBSD, so we don't use 13 for it in OSes other 354 * than OpenBSD. 355 */ 356 #define DLT_ENC 109 357 358 /* 359 * This is for Linux cooked sockets. 360 */ 361 #define DLT_LINUX_SLL 113 362 363 /* 364 * Apple LocalTalk hardware. 365 */ 366 #define DLT_LTALK 114 367 368 /* 369 * Acorn Econet. 370 */ 371 #define DLT_ECONET 115 372 373 /* 374 * Reserved for use with OpenBSD ipfilter. 375 */ 376 #define DLT_IPFILTER 116 377 378 /* 379 * Reserved for use in capture-file headers as a link-layer type 380 * corresponding to OpenBSD DLT_PFLOG; DLT_PFLOG is 17 in OpenBSD, 381 * but that's DLT_LANE8023 in SuSE 6.3, so we can't use 17 for it 382 * in capture-file headers. 383 */ 384 #define DLT_PFLOG 117 385 386 /* 387 * Registered for Cisco-internal use. 388 */ 389 #define DLT_CISCO_IOS 118 390 391 /* 392 * Reserved for 802.11 cards using the Prism II chips, with a link-layer 393 * header including Prism monitor mode information plus an 802.11 394 * header. 395 */ 396 #define DLT_PRISM_HEADER 119 397 398 /* 399 * Reserved for Aironet 802.11 cards, with an Aironet link-layer header 400 * (see Doug Ambrisko's FreeBSD patches). 401 */ 402 #define DLT_AIRONET_HEADER 120 403 404 /* 405 * Reserved for use by OpenBSD's pfsync device. 406 */ 407 #define DLT_PFSYNC 121 408 409 /* 410 * Reserved for Siemens HiPath HDLC. XXX 411 */ 412 #define DLT_HHDLC 121 413 414 /* 415 * Reserved for RFC 2625 IP-over-Fibre Channel. 416 */ 417 #define DLT_IP_OVER_FC 122 418 419 /* 420 * Reserved for Full Frontal ATM on Solaris. 421 */ 422 #define DLT_SUNATM 123 423 424 /* 425 * Reserved as per request from Kent Dahlgren <kent@praesum.com> 426 * for private use. 427 */ 428 #define DLT_RIO 124 /* RapidIO */ 429 #define DLT_PCI_EXP 125 /* PCI Express */ 430 #define DLT_AURORA 126 /* Xilinx Aurora link layer */ 431 432 /* 433 * BSD header for 802.11 plus a number of bits of link-layer information 434 * including radio information. 435 */ 436 #ifndef DLT_IEEE802_11_RADIO 437 #define DLT_IEEE802_11_RADIO 127 438 #endif 439 440 /* 441 * Reserved for TZSP encapsulation. 442 */ 443 #define DLT_TZSP 128 /* Tazmen Sniffer Protocol */ 444 445 /* 446 * Reserved for Linux ARCNET. 447 */ 448 #define DLT_ARCNET_LINUX 129 449 450 /* 451 * Juniper-private data link types. 452 */ 453 #define DLT_JUNIPER_MLPPP 130 454 #define DLT_JUNIPER_MLFR 131 455 #define DLT_JUNIPER_ES 132 456 #define DLT_JUNIPER_GGSN 133 457 #define DLT_JUNIPER_MFR 134 458 #define DLT_JUNIPER_ATM2 135 459 #define DLT_JUNIPER_SERVICES 136 460 #define DLT_JUNIPER_ATM1 137 461 462 /* 463 * Apple IP-over-IEEE 1394, as per a request from Dieter Siegmund 464 * <dieter@apple.com>. The header that's presented is an Ethernet-like 465 * header: 466 * 467 * #define FIREWIRE_EUI64_LEN 8 468 * struct firewire_header { 469 * u_char firewire_dhost[FIREWIRE_EUI64_LEN]; 470 * u_char firewire_shost[FIREWIRE_EUI64_LEN]; 471 * u_short firewire_type; 472 * }; 473 * 474 * with "firewire_type" being an Ethernet type value, rather than, 475 * for example, raw GASP frames being handed up. 476 */ 477 #define DLT_APPLE_IP_OVER_IEEE1394 138 478 479 /* 480 * Various SS7 encapsulations, as per a request from Jeff Morriss 481 * <jeff.morriss[AT]ulticom.com> and subsequent discussions. 482 */ 483 #define DLT_MTP2_WITH_PHDR 139 /* pseudo-header with various info, followed by MTP2 */ 484 #define DLT_MTP2 140 /* MTP2, without pseudo-header */ 485 #define DLT_MTP3 141 /* MTP3, without pseudo-header or MTP2 */ 486 #define DLT_SCCP 142 /* SCCP, without pseudo-header or MTP2 or MTP3 */ 487 488 /* 489 * Reserved for DOCSIS. 490 */ 491 #define DLT_DOCSIS 143 492 493 /* 494 * Reserved for Linux IrDA. 495 */ 496 #define DLT_LINUX_IRDA 144 497 498 /* 499 * Reserved for IBM SP switch and IBM Next Federation switch. 500 */ 501 #define DLT_IBM_SP 145 502 #define DLT_IBM_SN 146 503 504 /* 505 * Reserved for private use. If you have some link-layer header type 506 * that you want to use within your organization, with the capture files 507 * using that link-layer header type not ever be sent outside your 508 * organization, you can use these values. 509 * 510 * No libpcap release will use these for any purpose, nor will any 511 * tcpdump release use them, either. 512 * 513 * Do *NOT* use these in capture files that you expect anybody not using 514 * your private versions of capture-file-reading tools to read; in 515 * particular, do *NOT* use them in products, otherwise you may find that 516 * people won't be able to use tcpdump, or snort, or Ethereal, or... to 517 * read capture files from your firewall/intrusion detection/traffic 518 * monitoring/etc. appliance, or whatever product uses that DLT_ value, 519 * and you may also find that the developers of those applications will 520 * not accept patches to let them read those files. 521 * 522 * Also, do not use them if somebody might send you a capture using them 523 * for *their* private type and tools using them for *your* private type 524 * would have to read them. 525 * 526 * Instead, ask "tcpdump-workers@tcpdump.org" for a new DLT_ value, 527 * as per the comment above, and use the type you're given. 528 */ 529 #define DLT_USER0 147 530 #define DLT_USER1 148 531 #define DLT_USER2 149 532 #define DLT_USER3 150 533 #define DLT_USER4 151 534 #define DLT_USER5 152 535 #define DLT_USER6 153 536 #define DLT_USER7 154 537 #define DLT_USER8 155 538 #define DLT_USER9 156 539 #define DLT_USER10 157 540 #define DLT_USER11 158 541 #define DLT_USER12 159 542 #define DLT_USER13 160 543 #define DLT_USER14 161 544 #define DLT_USER15 162 545 546 /* 547 * For future use with 802.11 captures - defined by AbsoluteValue 548 * Systems to store a number of bits of link-layer information 549 * including radio information: 550 * 551 * http://www.shaftnet.org/~pizza/software/capturefrm.txt 552 * 553 * but it might be used by some non-AVS drivers now or in the 554 * future. 555 */ 556 #define DLT_IEEE802_11_RADIO_AVS 163 /* 802.11 plus AVS radio header */ 557 558 /* 559 * Juniper-private data link type, as per request from 560 * Hannes Gredler <hannes@juniper.net>. The DLT_s are used 561 * for passing on chassis-internal metainformation such as 562 * QOS profiles, etc.. 563 */ 564 #define DLT_JUNIPER_MONITOR 164 565 566 /* 567 * Reserved for BACnet MS/TP. 568 */ 569 #define DLT_BACNET_MS_TP 165 570 571 /* 572 * Another PPP variant as per request from Karsten Keil <kkeil@suse.de>. 573 * 574 * This is used in some OSes to allow a kernel socket filter to distinguish 575 * between incoming and outgoing packets, on a socket intended to 576 * supply pppd with outgoing packets so it can do dial-on-demand and 577 * hangup-on-lack-of-demand; incoming packets are filtered out so they 578 * don't cause pppd to hold the connection up (you don't want random 579 * input packets such as port scans, packets from old lost connections, 580 * etc. to force the connection to stay up). 581 * 582 * The first byte of the PPP header (0xff03) is modified to accommodate 583 * the direction - 0x00 = IN, 0x01 = OUT. 584 */ 585 #define DLT_PPP_PPPD 166 586 587 /* 588 * Names for backwards compatibility with older versions of some PPP 589 * software; new software should use DLT_PPP_PPPD. 590 */ 591 #define DLT_PPP_WITH_DIRECTION DLT_PPP_PPPD 592 #define DLT_LINUX_PPP_WITHDIRECTION DLT_PPP_PPPD 593 594 /* 595 * Juniper-private data link type, as per request from 596 * Hannes Gredler <hannes@juniper.net>. The DLT_s are used 597 * for passing on chassis-internal metainformation such as 598 * QOS profiles, cookies, etc.. 599 */ 600 #define DLT_JUNIPER_PPPOE 167 601 #define DLT_JUNIPER_PPPOE_ATM 168 602 603 #define DLT_GPRS_LLC 169 /* GPRS LLC */ 604 #define DLT_GPF_T 170 /* GPF-T (ITU-T G.7041/Y.1303) */ 605 #define DLT_GPF_F 171 /* GPF-F (ITU-T G.7041/Y.1303) */ 606 607 /* 608 * Requested by Oolan Zimmer <oz@gcom.com> for use in Gcom's T1/E1 line 609 * monitoring equipment. 610 */ 611 #define DLT_GCOM_T1E1 172 612 #define DLT_GCOM_SERIAL 173 613 614 /* 615 * Juniper-private data link type, as per request from 616 * Hannes Gredler <hannes@juniper.net>. The DLT_ is used 617 * for internal communication to Physical Interface Cards (PIC) 618 */ 619 #define DLT_JUNIPER_PIC_PEER 174 620 621 /* 622 * Link types requested by Gregor Maier <gregor@endace.com> of Endace 623 * Measurement Systems. They add an ERF header (see 624 * http://www.endace.com/support/EndaceRecordFormat.pdf) in front of 625 * the link-layer header. 626 */ 627 #define DLT_ERF_ETH 175 /* Ethernet */ 628 #define DLT_ERF_POS 176 /* Packet-over-SONET */ 629 630 /* 631 * Requested by Daniele Orlandi <daniele@orlandi.com> for raw LAPD 632 * for vISDN (http://www.orlandi.com/visdn/). Its link-layer header 633 * includes additional information before the LAPD header, so it's 634 * not necessarily a generic LAPD header. 635 */ 636 #define DLT_LINUX_LAPD 177 637 638 /* 639 * Juniper-private data link type, as per request from 640 * Hannes Gredler <hannes@juniper.net>. 641 * The DLT_ are used for prepending meta-information 642 * like interface index, interface name 643 * before standard Ethernet, PPP, Frelay & C-HDLC Frames 644 */ 645 #define DLT_JUNIPER_ETHER 178 646 #define DLT_JUNIPER_PPP 179 647 #define DLT_JUNIPER_FRELAY 180 648 #define DLT_JUNIPER_CHDLC 181 649 650 /* 651 * Multi Link Frame Relay (FRF.16) 652 */ 653 #define DLT_MFR 182 654 655 /* 656 * Juniper-private data link type, as per request from 657 * Hannes Gredler <hannes@juniper.net>. 658 * The DLT_ is used for internal communication with a 659 * voice Adapter Card (PIC) 660 */ 661 #define DLT_JUNIPER_VP 183 662 663 /* 664 * Arinc 429 frames. 665 * DLT_ requested by Gianluca Varenni <gianluca.varenni@cacetech.com>. 666 * Every frame contains a 32bit A429 label. 667 * More documentation on Arinc 429 can be found at 668 * http://www.condoreng.com/support/downloads/tutorials/ARINCTutorial.pdf 669 */ 670 #define DLT_A429 184 671 672 /* 673 * Arinc 653 Interpartition Communication messages. 674 * DLT_ requested by Gianluca Varenni <gianluca.varenni@cacetech.com>. 675 * Please refer to the A653-1 standard for more information. 676 */ 677 #define DLT_A653_ICM 185 678 679 /* 680 * USB packets, beginning with a USB setup header; requested by 681 * Paolo Abeni <paolo.abeni@email.it>. 682 */ 683 #define DLT_USB 186 684 685 /* 686 * Bluetooth HCI UART transport layer (part H:4); requested by 687 * Paolo Abeni. 688 */ 689 #define DLT_BLUETOOTH_HCI_H4 187 690 691 /* 692 * IEEE 802.16 MAC Common Part Sublayer; requested by Maria Cruz 693 * <cruz_petagay@bah.com>. 694 */ 695 #define DLT_IEEE802_16_MAC_CPS 188 696 697 /* 698 * USB packets, beginning with a Linux USB header; requested by 699 * Paolo Abeni <paolo.abeni@email.it>. 700 */ 701 #define DLT_USB_LINUX 189 702 703 /* 704 * Controller Area Network (CAN) v. 2.0B packets. 705 * DLT_ requested by Gianluca Varenni <gianluca.varenni@cacetech.com>. 706 * Used to dump CAN packets coming from a CAN Vector board. 707 * More documentation on the CAN v2.0B frames can be found at 708 * http://www.can-cia.org/downloads/?269 709 */ 710 #define DLT_CAN20B 190 711 712 /* 713 * IEEE 802.15.4, with address fields padded, as is done by Linux 714 * drivers; requested by Juergen Schimmer. 715 */ 716 #define DLT_IEEE802_15_4_LINUX 191 717 718 /* 719 * Per Packet Information encapsulated packets. 720 * DLT_ requested by Gianluca Varenni <gianluca.varenni@cacetech.com>. 721 */ 722 #define DLT_PPI 192 723 724 /* 725 * Header for 802.16 MAC Common Part Sublayer plus a radiotap radio header; 726 * requested by Charles Clancy. 727 */ 728 #define DLT_IEEE802_16_MAC_CPS_RADIO 193 729 730 /* 731 * Juniper-private data link type, as per request from 732 * Hannes Gredler <hannes@juniper.net>. 733 * The DLT_ is used for internal communication with a 734 * integrated service module (ISM). 735 */ 736 #define DLT_JUNIPER_ISM 194 737 738 /* 739 * IEEE 802.15.4, exactly as it appears in the spec (no padding, no 740 * nothing); requested by Mikko Saarnivala <mikko.saarnivala@sensinode.com>. 741 */ 742 #define DLT_IEEE802_15_4 195 743 744 /* 745 * Various link-layer types, with a pseudo-header, for SITA 746 * (http://www.sita.aero/); requested by Fulko Hew (fulko.hew@gmail.com). 747 */ 748 #define DLT_SITA 196 749 750 /* 751 * Various link-layer types, with a pseudo-header, for Endace DAG cards; 752 * encapsulates Endace ERF records. Requested by Stephen Donnelly 753 * <stephen@endace.com>. 754 */ 755 #define DLT_ERF 197 756 757 /* 758 * Special header prepended to Ethernet packets when capturing from a 759 * u10 Networks board. Requested by Phil Mulholland 760 * <phil@u10networks.com>. 761 */ 762 #define DLT_RAIF1 198 763 764 /* 765 * IPMB packet for IPMI, beginning with the I2C slave address, followed 766 * by the netFn and LUN, etc.. Requested by Chanthy Toeung 767 * <chanthy.toeung@ca.kontron.com>. 768 */ 769 #define DLT_IPMB 199 770 771 /* 772 * Juniper-private data link type, as per request from 773 * Hannes Gredler <hannes@juniper.net>. 774 * The DLT_ is used for capturing data on a secure tunnel interface. 775 */ 776 #define DLT_JUNIPER_ST 200 777 778 /* 779 * Bluetooth HCI UART transport layer (part H:4), with pseudo-header 780 * that includes direction information; requested by Paolo Abeni. 781 */ 782 #define DLT_BLUETOOTH_HCI_H4_WITH_PHDR 201 783 784 /* 785 * AX.25 packet with a 1-byte KISS header; see 786 * 787 * http://www.ax25.net/kiss.htm 788 * 789 * as per Richard Stearn <richard@rns-stearn.demon.co.uk>. 790 */ 791 #define DLT_AX25_KISS 202 792 793 /* 794 * LAPD packets from an ISDN channel, starting with the address field, 795 * with no pseudo-header. 796 * Requested by Varuna De Silva <varunax@gmail.com>. 797 */ 798 #define DLT_LAPD 203 799 800 /* 801 * Variants of various link-layer headers, with a one-byte direction 802 * pseudo-header prepended - zero means "received by this host", 803 * non-zero (any non-zero value) means "sent by this host" - as per 804 * Will Barker <w.barker@zen.co.uk>. 805 */ 806 #define DLT_PPP_WITH_DIR 204 /* PPP - don't confuse with DLT_PPP_WITH_DIRECTION */ 807 #define DLT_C_HDLC_WITH_DIR 205 /* Cisco HDLC */ 808 #define DLT_FRELAY_WITH_DIR 206 /* Frame Relay */ 809 #define DLT_LAPB_WITH_DIR 207 /* LAPB */ 810 811 /* 812 * 208 is reserved for an as-yet-unspecified proprietary link-layer 813 * type, as requested by Will Barker. 814 */ 815 816 /* 817 * IPMB with a Linux-specific pseudo-header; as requested by Alexey Neyman 818 * <avn@pigeonpoint.com>. 819 */ 820 #define DLT_IPMB_LINUX 209 821 822 /* 823 * FlexRay automotive bus - http://www.flexray.com/ - as requested 824 * by Hannes Kaelber <hannes.kaelber@x2e.de>. 825 */ 826 #define DLT_FLEXRAY 210 827 828 /* 829 * Media Oriented Systems Transport (MOST) bus for multimedia 830 * transport - http://www.mostcooperation.com/ - as requested 831 * by Hannes Kaelber <hannes.kaelber@x2e.de>. 832 */ 833 #define DLT_MOST 211 834 835 /* 836 * Local Interconnect Network (LIN) bus for vehicle networks - 837 * http://www.lin-subbus.org/ - as requested by Hannes Kaelber 838 * <hannes.kaelber@x2e.de>. 839 */ 840 #define DLT_LIN 212 841 842 /* 843 * X2E-private data link type used for serial line capture, 844 * as requested by Hannes Kaelber <hannes.kaelber@x2e.de>. 845 */ 846 #define DLT_X2E_SERIAL 213 847 848 /* 849 * X2E-private data link type used for the Xoraya data logger 850 * family, as requested by Hannes Kaelber <hannes.kaelber@x2e.de>. 851 */ 852 #define DLT_X2E_XORAYA 214 853 854 /* 855 * IEEE 802.15.4, exactly as it appears in the spec (no padding, no 856 * nothing), but with the PHY-level data for non-ASK PHYs (4 octets 857 * of 0 as preamble, one octet of SFD, one octet of frame length+ 858 * reserved bit, and then the MAC-layer data, starting with the 859 * frame control field). 860 * 861 * Requested by Max Filippov <jcmvbkbc@gmail.com>. 862 */ 863 #define DLT_IEEE802_15_4_NONASK_PHY 215 864 865 /* 866 * David Gibson <david@gibson.dropbear.id.au> requested this for 867 * captures from the Linux kernel /dev/input/eventN devices. This 868 * is used to communicate keystrokes and mouse movements from the 869 * Linux kernel to display systems, such as Xorg. 870 */ 871 #define DLT_LINUX_EVDEV 216 872 873 /* 874 * GSM Um and Abis interfaces, preceded by a "gsmtap" header. 875 * 876 * Requested by Harald Welte <laforge@gnumonks.org>. 877 */ 878 #define DLT_GSMTAP_UM 217 879 #define DLT_GSMTAP_ABIS 218 880 881 /* 882 * MPLS, with an MPLS label as the link-layer header. 883 * Requested by Michele Marchetto <michele@openbsd.org> on behalf 884 * of OpenBSD. 885 */ 886 #define DLT_MPLS 219 887 888 /* 889 * USB packets, beginning with a Linux USB header, with the USB header 890 * padded to 64 bytes; required for memory-mapped access. 891 */ 892 #define DLT_USB_LINUX_MMAPPED 220 893 894 /* 895 * DECT packets, with a pseudo-header; requested by 896 * Matthias Wenzel <tcpdump@mazzoo.de>. 897 */ 898 #define DLT_DECT 221 899 /* 900 * From: "Lidwa, Eric (GSFC-582.0)[SGT INC]" <eric.lidwa-1@nasa.gov> 901 * Date: Mon, 11 May 2009 11:18:30 -0500 902 * 903 * DLT_AOS. We need it for AOS Space Data Link Protocol. 904 * I have already written dissectors for but need an OK from 905 * legal before I can submit a patch. 906 * 907 */ 908 #define DLT_AOS 222 909 910 /* 911 * Wireless HART (Highway Addressable Remote Transducer) 912 * From the HART Communication Foundation 913 * IES/PAS 62591 914 * 915 * Requested by Sam Roberts <vieuxtech@gmail.com>. 916 */ 917 #define DLT_WIHART 223 918 919 /* 920 * Fibre Channel FC-2 frames, beginning with a Frame_Header. 921 * Requested by Kahou Lei <kahou82@gmail.com>. 922 */ 923 #define DLT_FC_2 224 924 925 /* 926 * Fibre Channel FC-2 frames, beginning with an encoding of the 927 * SOF, and ending with an encoding of the EOF. 928 * 929 * The encodings represent the frame delimiters as 4-byte sequences 930 * representing the corresponding ordered sets, with K28.5 931 * represented as 0xBC, and the D symbols as the corresponding 932 * byte values; for example, SOFi2, which is K28.5 - D21.5 - D1.2 - D21.2, 933 * is represented as 0xBC 0xB5 0x55 0x55. 934 * 935 * Requested by Kahou Lei <kahou82@gmail.com>. 936 */ 937 #define DLT_FC_2_WITH_FRAME_DELIMS 225 938 /* 939 * Solaris ipnet pseudo-header; requested by Darren Reed <Darren.Reed@Sun.COM>. 940 * 941 * The pseudo-header starts with a one-byte version number; for version 2, 942 * the pseudo-header is: 943 * 944 * struct dl_ipnetinfo { 945 * u_int8_t dli_version; 946 * u_int8_t dli_family; 947 * u_int16_t dli_htype; 948 * u_int32_t dli_pktlen; 949 * u_int32_t dli_ifindex; 950 * u_int32_t dli_grifindex; 951 * u_int32_t dli_zsrc; 952 * u_int32_t dli_zdst; 953 * }; 954 * 955 * dli_version is 2 for the current version of the pseudo-header. 956 * 957 * dli_family is a Solaris address family value, so it's 2 for IPv4 958 * and 26 for IPv6. 959 * 960 * dli_htype is a "hook type" - 0 for incoming packets, 1 for outgoing 961 * packets, and 2 for packets arriving from another zone on the same 962 * machine. 963 * 964 * dli_pktlen is the length of the packet data following the pseudo-header 965 * (so the captured length minus dli_pktlen is the length of the 966 * pseudo-header, assuming the entire pseudo-header was captured). 967 * 968 * dli_ifindex is the interface index of the interface on which the 969 * packet arrived. 970 * 971 * dli_grifindex is the group interface index number (for IPMP interfaces). 972 * 973 * dli_zsrc is the zone identifier for the source of the packet. 974 * 975 * dli_zdst is the zone identifier for the destination of the packet. 976 * 977 * A zone number of 0 is the global zone; a zone number of 0xffffffff 978 * means that the packet arrived from another host on the network, not 979 * from another zone on the same machine. 980 * 981 * An IPv4 or IPv6 datagram follows the pseudo-header; dli_family indicates 982 * which of those it is. 983 */ 984 #define DLT_IPNET 226 985 986 /* 987 * CAN (Controller Area Network) frames, with a pseudo-header as supplied 988 * by Linux SocketCAN. See Documentation/networking/can.txt in the Linux 989 * source. 990 * 991 * Requested by Felix Obenhuber <felix@obenhuber.de>. 992 */ 993 #define DLT_CAN_SOCKETCAN 227 994 995 /* 996 * Raw IPv4/IPv6; different from DLT_RAW in that the DLT_ value specifies 997 * whether it's v4 or v6. Requested by Darren Reed <Darren.Reed@Sun.COM>. 998 */ 999 #define DLT_IPV4 228 1000 #define DLT_IPV6 229 1001 1002 /* 1003 * IEEE 802.15.4, exactly as it appears in the spec (no padding, no 1004 * nothing), and with no FCS at the end of the frame; requested by 1005 * Jon Smirl <jonsmirl@gmail.com>. 1006 */ 1007 #define DLT_IEEE802_15_4_NOFCS 230 1008 1009 /* 1010 * Raw D-Bus: 1011 * 1012 * http://www.freedesktop.org/wiki/Software/dbus 1013 * 1014 * messages: 1015 * 1016 * http://dbus.freedesktop.org/doc/dbus-specification.html#message-protocol-messages 1017 * 1018 * starting with the endianness flag, followed by the message type, etc., 1019 * but without the authentication handshake before the message sequence: 1020 * 1021 * http://dbus.freedesktop.org/doc/dbus-specification.html#auth-protocol 1022 * 1023 * Requested by Martin Vidner <martin@vidner.net>. 1024 */ 1025 #define DLT_DBUS 231 1026 1027 /* 1028 * Juniper-private data link type, as per request from 1029 * Hannes Gredler <hannes@juniper.net>. 1030 */ 1031 #define DLT_JUNIPER_VS 232 1032 #define DLT_JUNIPER_SRX_E2E 233 1033 #define DLT_JUNIPER_FIBRECHANNEL 234 1034 1035 /* 1036 * DVB-CI (DVB Common Interface for communication between a PC Card 1037 * module and a DVB receiver). See 1038 * 1039 * http://www.kaiser.cx/pcap-dvbci.html 1040 * 1041 * for the specification. 1042 * 1043 * Requested by Martin Kaiser <martin@kaiser.cx>. 1044 */ 1045 #define DLT_DVB_CI 235 1046 1047 /* 1048 * Variant of 3GPP TS 27.010 multiplexing protocol (similar to, but 1049 * *not* the same as, 27.010). Requested by Hans-Christoph Schemmel 1050 * <hans-christoph.schemmel@cinterion.com>. 1051 */ 1052 #define DLT_MUX27010 236 1053 1054 /* 1055 * STANAG 5066 D_PDUs. Requested by M. Baris Demiray 1056 * <barisdemiray@gmail.com>. 1057 */ 1058 #define DLT_STANAG_5066_D_PDU 237 1059 1060 /* 1061 * Juniper-private data link type, as per request from 1062 * Hannes Gredler <hannes@juniper.net>. 1063 */ 1064 #define DLT_JUNIPER_ATM_CEMIC 238 1065 1066 /* 1067 * NetFilter LOG messages 1068 * (payload of netlink NFNL_SUBSYS_ULOG/NFULNL_MSG_PACKET packets) 1069 * 1070 * Requested by Jakub Zawadzki <darkjames-ws@darkjames.pl> 1071 */ 1072 #define DLT_NFLOG 239 1073 1074 /* 1075 * Hilscher Gesellschaft fuer Systemautomation mbH link-layer type 1076 * for Ethernet packets with a 4-byte pseudo-header and always 1077 * with the payload including the FCS, as supplied by their 1078 * netANALYZER hardware and software. 1079 * 1080 * Requested by Holger P. Frommer <HPfrommer@hilscher.com> 1081 */ 1082 #define DLT_NETANALYZER 240 1083 1084 /* 1085 * Hilscher Gesellschaft fuer Systemautomation mbH link-layer type 1086 * for Ethernet packets with a 4-byte pseudo-header and FCS and 1087 * with the Ethernet header preceded by 7 bytes of preamble and 1088 * 1 byte of SFD, as supplied by their netANALYZER hardware and 1089 * software. 1090 * 1091 * Requested by Holger P. Frommer <HPfrommer@hilscher.com> 1092 */ 1093 #define DLT_NETANALYZER_TRANSPARENT 241 1094 1095 /* 1096 * IP-over-InfiniBand, as specified by RFC 4391. 1097 * 1098 * Requested by Petr Sumbera <petr.sumbera@oracle.com>. 1099 */ 1100 #define DLT_IPOIB 242 1101 1102 /* 1103 * MPEG-2 transport stream (ISO 13818-1/ITU-T H.222.0). 1104 * 1105 * Requested by Guy Martin <gmsoft@tuxicoman.be>. 1106 */ 1107 #define DLT_MPEG_2_TS 243 1108 1109 /* 1110 * ng4T GmbH's UMTS Iub/Iur-over-ATM and Iub/Iur-over-IP format as 1111 * used by their ng40 protocol tester. 1112 * 1113 * Requested by Jens Grimmer <jens.grimmer@ng4t.com>. 1114 */ 1115 #define DLT_NG40 244 1116 1117 /* 1118 * Pseudo-header giving adapter number and flags, followed by an NFC 1119 * (Near-Field Communications) Logical Link Control Protocol (LLCP) PDU, 1120 * as specified by NFC Forum Logical Link Control Protocol Technical 1121 * Specification LLCP 1.1. 1122 * 1123 * Requested by Mike Wakerly <mikey@google.com>. 1124 */ 1125 #define DLT_NFC_LLCP 245 1126 1127 /* 1128 * 245 is used as LINKTYPE_PFSYNC; do not use it for any other purpose. 1129 * 1130 * DLT_PFSYNC has different values on different platforms, and all of 1131 * them collide with something used elsewhere. On platforms that 1132 * don't already define it, define it as 245. 1133 */ 1134 #if !defined(__FreeBSD__) && !defined(__OpenBSD__) && !defined(__NetBSD__) && !defined(__DragonFly__) && !defined(__APPLE__) 1135 #define DLT_PFSYNC 246 1136 #endif 1137 1138 /* 1139 * Raw InfiniBand packets, starting with the Local Routing Header. 1140 * 1141 * Requested by Oren Kladnitsky <orenk@mellanox.com>. 1142 */ 1143 #define DLT_INFINIBAND 247 1144 1145 /* 1146 * SCTP, with no lower-level protocols (i.e., no IPv4 or IPv6). 1147 * 1148 * Requested by Michael Tuexen <Michael.Tuexen@lurchi.franken.de>. 1149 */ 1150 #define DLT_SCTP 248 1151 1152 /* 1153 * USB packets, beginning with a USBPcap header. 1154 * 1155 * Requested by Tomasz Mon <desowin@gmail.com> 1156 */ 1157 #define DLT_USBPCAP 249 1158 1159 /* 1160 * Schweitzer Engineering Laboratories "RTAC" product serial-line 1161 * packets. 1162 * 1163 * Requested by Chris Bontje <chris_bontje@selinc.com>. 1164 */ 1165 #define DLT_RTAC_SERIAL 250 1166 1167 /* 1168 * Bluetooth Low Energy air interface link-layer packets. 1169 * 1170 * Requested by Mike Kershaw <dragorn@kismetwireless.net>. 1171 */ 1172 #define DLT_BLUETOOTH_LE_LL 251 1173 1174 /* 1175 * DLT type for upper-protocol layer PDU saves from wireshark. 1176 * 1177 * the actual contents are determined by two TAGs stored with each 1178 * packet: 1179 * EXP_PDU_TAG_LINKTYPE the link type (LINKTYPE_ value) of the 1180 * original packet. 1181 * 1182 * EXP_PDU_TAG_PROTO_NAME the name of the wireshark dissector 1183 * that can make sense of the data stored. 1184 */ 1185 #define DLT_WIRESHARK_UPPER_PDU 252 1186 1187 /* 1188 * DLT type for the netlink protocol (nlmon devices). 1189 */ 1190 #define DLT_NETLINK 253 1191 1192 /* 1193 * Bluetooth Linux Monitor headers for the BlueZ stack. 1194 */ 1195 #define DLT_BLUETOOTH_LINUX_MONITOR 254 1196 1197 /* 1198 * Bluetooth Basic Rate/Enhanced Data Rate baseband packets, as 1199 * captured by Ubertooth. 1200 */ 1201 #define DLT_BLUETOOTH_BREDR_BB 255 1202 1203 /* 1204 * Bluetooth Low Energy link layer packets, as captured by Ubertooth. 1205 */ 1206 #define DLT_BLUETOOTH_LE_LL_WITH_PHDR 256 1207 1208 /* 1209 * PROFIBUS data link layer. 1210 */ 1211 #define DLT_PROFIBUS_DL 257 1212 1213 /* 1214 * Apple's DLT_PKTAP headers. 1215 * 1216 * Sadly, the folks at Apple either had no clue that the DLT_USERn values 1217 * are for internal use within an organization and partners only, and 1218 * didn't know that the right way to get a link-layer header type is to 1219 * ask tcpdump.org for one, or knew and didn't care, so they just 1220 * used DLT_USER2, which causes problems for everything except for 1221 * their version of tcpdump. 1222 * 1223 * So I'll just give them one; hopefully this will show up in a 1224 * libpcap release in time for them to get this into 10.10 Big Sur 1225 * or whatever Mavericks' successor is called. LINKTYPE_PKTAP 1226 * will be 258 *even on OS X*; that is *intentional*, so that 1227 * PKTAP files look the same on *all* OSes (different OSes can have 1228 * different numerical values for a given DLT_, but *MUST NOT* have 1229 * different values for what goes in a file, as files can be moved 1230 * between OSes!). 1231 * 1232 * When capturing, on a system with a Darwin-based OS, on a device 1233 * that returns 149 (DLT_USER2 and Apple's DLT_PKTAP) with this 1234 * version of libpcap, the DLT_ value for the pcap_t will be DLT_PKTAP, 1235 * and that will continue to be DLT_USER2 on Darwin-based OSes. That way, 1236 * binary compatibility with Mavericks is preserved for programs using 1237 * this version of libpcap. This does mean that if you were using 1238 * DLT_USER2 for some capture device on OS X, you can't do so with 1239 * this version of libpcap, just as you can't with Apple's libpcap - 1240 * on OS X, they define DLT_PKTAP to be DLT_USER2, so programs won't 1241 * be able to distinguish between PKTAP and whatever you were using 1242 * DLT_USER2 for. 1243 * 1244 * If the program saves the capture to a file using this version of 1245 * libpcap's pcap_dump code, the LINKTYPE_ value in the file will be 1246 * LINKTYPE_PKTAP, which will be 258, even on Darwin-based OSes. 1247 * That way, the file will *not* be a DLT_USER2 file. That means 1248 * that the latest version of tcpdump, when built with this version 1249 * of libpcap, and sufficiently recent versions of Wireshark will 1250 * be able to read those files and interpret them correctly; however, 1251 * Apple's version of tcpdump in OS X 10.9 won't be able to handle 1252 * them. (Hopefully, Apple will pick up this version of libpcap, 1253 * and the corresponding version of tcpdump, so that tcpdump will 1254 * be able to handle the old LINKTYPE_USER2 captures *and* the new 1255 * LINKTYPE_PKTAP captures.) 1256 */ 1257 #ifdef __APPLE__ 1258 #define DLT_PKTAP DLT_USER2 1259 #else 1260 #define DLT_PKTAP 258 1261 #endif 1262 1263 /* 1264 * Ethernet packets preceded by a header giving the last 6 octets 1265 * of the preamble specified by 802.3-2012 Clause 65, section 1266 * 65.1.3.2 "Transmit". 1267 */ 1268 #define DLT_EPON 259 1269 1270 /* 1271 * IPMI trace packets, as specified by Table 3-20 "Trace Data Block Format" 1272 * in the PICMG HPM.2 specification. 1273 */ 1274 #define DLT_IPMI_HPM_2 260 1275 1276 #define DLT_MATCHING_MAX 260 /* highest value in the "matching" range */ 1277 1278 /* 1279 * DLT and savefile link type values are split into a class and 1280 * a member of that class. A class value of 0 indicates a regular 1281 * DLT_/LINKTYPE_ value. 1282 */ 1283 #define DLT_CLASS(x) ((x) & 0x03ff0000) 1284 1285 /* 1286 * The instruction encodings. 1287 * 1288 * Please inform tcpdump-workers@lists.tcpdump.org if you use any 1289 * of the reserved values, so that we can note that they're used 1290 * (and perhaps implement it in the reference BPF implementation 1291 * and encourage its implementation elsewhere). 1292 */ 1293 1294 /* 1295 * The upper 8 bits of the opcode aren't used. BSD/OS used 0x8000. 1296 */ 1297 1298 /* instruction classes */ 1299 #define BPF_CLASS(code) ((code) & 0x07) 1300 #define BPF_LD 0x00 1301 #define BPF_LDX 0x01 1302 #define BPF_ST 0x02 1303 #define BPF_STX 0x03 1304 #define BPF_ALU 0x04 1305 #define BPF_JMP 0x05 1306 #define BPF_RET 0x06 1307 #define BPF_MISC 0x07 1308 1309 /* ld/ldx fields */ 1310 #define BPF_SIZE(code) ((code) & 0x18) 1311 #define BPF_W 0x00 1312 #define BPF_H 0x08 1313 #define BPF_B 0x10 1314 /* 0x18 reserved; used by BSD/OS */ 1315 #define BPF_MODE(code) ((code) & 0xe0) 1316 #define BPF_IMM 0x00 1317 #define BPF_ABS 0x20 1318 #define BPF_IND 0x40 1319 #define BPF_MEM 0x60 1320 #define BPF_LEN 0x80 1321 #define BPF_MSH 0xa0 1322 /* 0xc0 reserved; used by BSD/OS */ 1323 /* 0xe0 reserved; used by BSD/OS */ 1324 1325 /* alu/jmp fields */ 1326 #define BPF_OP(code) ((code) & 0xf0) 1327 #define BPF_ADD 0x00 1328 #define BPF_SUB 0x10 1329 #define BPF_MUL 0x20 1330 #define BPF_DIV 0x30 1331 #define BPF_OR 0x40 1332 #define BPF_AND 0x50 1333 #define BPF_LSH 0x60 1334 #define BPF_RSH 0x70 1335 #define BPF_NEG 0x80 1336 #define BPF_MOD 0x90 1337 #define BPF_XOR 0xa0 1338 /* 0xb0 reserved */ 1339 /* 0xc0 reserved */ 1340 /* 0xd0 reserved */ 1341 /* 0xe0 reserved */ 1342 /* 0xf0 reserved */ 1343 1344 #define BPF_JA 0x00 1345 #define BPF_JEQ 0x10 1346 #define BPF_JGT 0x20 1347 #define BPF_JGE 0x30 1348 #define BPF_JSET 0x40 1349 /* 0x50 reserved; used on BSD/OS */ 1350 /* 0x60 reserved */ 1351 /* 0x70 reserved */ 1352 /* 0x80 reserved */ 1353 /* 0x90 reserved */ 1354 /* 0xa0 reserved */ 1355 /* 0xb0 reserved */ 1356 /* 0xc0 reserved */ 1357 /* 0xd0 reserved */ 1358 /* 0xe0 reserved */ 1359 /* 0xf0 reserved */ 1360 #define BPF_SRC(code) ((code) & 0x08) 1361 #define BPF_K 0x00 1362 #define BPF_X 0x08 1363 1364 /* ret - BPF_K and BPF_X also apply */ 1365 #define BPF_RVAL(code) ((code) & 0x18) 1366 #define BPF_A 0x10 1367 /* 0x18 reserved */ 1368 1369 /* misc */ 1370 #define BPF_MISCOP(code) ((code) & 0xf8) 1371 #define BPF_TAX 0x00 1372 /* 0x08 reserved */ 1373 /* 0x10 reserved */ 1374 /* 0x18 reserved */ 1375 /* #define BPF_COP 0x20 NetBSD "coprocessor" extensions */ 1376 /* 0x28 reserved */ 1377 /* 0x30 reserved */ 1378 /* 0x38 reserved */ 1379 /* #define BPF_COPX 0x40 NetBSD "coprocessor" extensions */ 1380 /* also used on BSD/OS */ 1381 /* 0x48 reserved */ 1382 /* 0x50 reserved */ 1383 /* 0x58 reserved */ 1384 /* 0x60 reserved */ 1385 /* 0x68 reserved */ 1386 /* 0x70 reserved */ 1387 /* 0x78 reserved */ 1388 #define BPF_TXA 0x80 1389 /* 0x88 reserved */ 1390 /* 0x90 reserved */ 1391 /* 0x98 reserved */ 1392 /* 0xa0 reserved */ 1393 /* 0xa8 reserved */ 1394 /* 0xb0 reserved */ 1395 /* 0xb8 reserved */ 1396 /* 0xc0 reserved; used on BSD/OS */ 1397 /* 0xc8 reserved */ 1398 /* 0xd0 reserved */ 1399 /* 0xd8 reserved */ 1400 /* 0xe0 reserved */ 1401 /* 0xe8 reserved */ 1402 /* 0xf0 reserved */ 1403 /* 0xf8 reserved */ 1404 1405 /* 1406 * The instruction data structure. 1407 */ 1408 struct bpf_insn { 1409 u_short code; 1410 u_char jt; 1411 u_char jf; 1412 bpf_u_int32 k; 1413 }; 1414 1415 /* 1416 * Macros for insn array initializers. 1417 */ 1418 #define BPF_STMT(code, k) { (u_short)(code), 0, 0, k } 1419 #define BPF_JUMP(code, k, jt, jf) { (u_short)(code), jt, jf, k } 1420 1421 /* 1422 * Structure to retrieve available DLTs for the interface. 1423 */ 1424 struct bpf_dltlist { 1425 u_int bfl_len; /* number of bfd_list array */ 1426 u_int *bfl_list; /* array of DLTs */ 1427 }; 1428 1429 #ifdef _KERNEL 1430 #ifdef MALLOC_DECLARE 1431 MALLOC_DECLARE(M_BPF); 1432 #endif 1433 #ifdef SYSCTL_DECL 1434 SYSCTL_DECL(_net_bpf); 1435 #endif 1436 1437 /* 1438 * Rotate the packet buffers in descriptor d. Move the store buffer into the 1439 * hold slot, and the free buffer into the store slot. Zero the length of the 1440 * new store buffer. Descriptor lock should be held. One must be careful to 1441 * not rotate the buffers twice, i.e. if fbuf != NULL. 1442 */ 1443 #define ROTATE_BUFFERS(d) do { \ 1444 (d)->bd_hbuf = (d)->bd_sbuf; \ 1445 (d)->bd_hlen = (d)->bd_slen; \ 1446 (d)->bd_sbuf = (d)->bd_fbuf; \ 1447 (d)->bd_slen = 0; \ 1448 (d)->bd_fbuf = NULL; \ 1449 bpf_bufheld(d); \ 1450 } while (0) 1451 1452 /* 1453 * Descriptor associated with each attached hardware interface. 1454 * Part of this structure is exposed to external callers to speed up 1455 * bpf_peers_present() calls. 1456 */ 1457 struct bpf_if; 1458 1459 struct bpf_if_ext { 1460 LIST_ENTRY(bpf_if) bif_next; /* list of all interfaces */ 1461 LIST_HEAD(, bpf_d) bif_dlist; /* descriptor list */ 1462 }; 1463 1464 void bpf_bufheld(struct bpf_d *d); 1465 int bpf_validate(const struct bpf_insn *, int); 1466 void bpf_tap(struct bpf_if *, u_char *, u_int); 1467 void bpf_mtap(struct bpf_if *, struct mbuf *); 1468 void bpf_mtap2(struct bpf_if *, void *, u_int, struct mbuf *); 1469 void bpfattach(struct ifnet *, u_int, u_int); 1470 void bpfattach2(struct ifnet *, u_int, u_int, struct bpf_if **); 1471 void bpfdetach(struct ifnet *); 1472 #ifdef VIMAGE 1473 int bpf_get_bp_params(struct bpf_if *, u_int *, u_int *); 1474 #endif 1475 1476 void bpfilterattach(int); 1477 u_int bpf_filter(const struct bpf_insn *, u_char *, u_int, u_int); 1478 1479 static __inline int 1480 bpf_peers_present(struct bpf_if *bpf) 1481 { 1482 struct bpf_if_ext *ext; 1483 1484 ext = (struct bpf_if_ext *)bpf; 1485 if (!LIST_EMPTY(&ext->bif_dlist)) 1486 return (1); 1487 return (0); 1488 } 1489 1490 #define BPF_TAP(_ifp,_pkt,_pktlen) do { \ 1491 if (bpf_peers_present((_ifp)->if_bpf)) \ 1492 bpf_tap((_ifp)->if_bpf, (_pkt), (_pktlen)); \ 1493 } while (0) 1494 #define BPF_MTAP(_ifp,_m) do { \ 1495 if (bpf_peers_present((_ifp)->if_bpf)) { \ 1496 M_ASSERTVALID(_m); \ 1497 bpf_mtap((_ifp)->if_bpf, (_m)); \ 1498 } \ 1499 } while (0) 1500 #define BPF_MTAP2(_ifp,_data,_dlen,_m) do { \ 1501 if (bpf_peers_present((_ifp)->if_bpf)) { \ 1502 M_ASSERTVALID(_m); \ 1503 bpf_mtap2((_ifp)->if_bpf,(_data),(_dlen),(_m)); \ 1504 } \ 1505 } while (0) 1506 #endif 1507 1508 /* 1509 * Number of scratch memory words (for BPF_LD|BPF_MEM and BPF_ST). 1510 */ 1511 #define BPF_MEMWORDS 16 1512 1513 #ifdef _SYS_EVENTHANDLER_H_ 1514 /* BPF attach/detach events */ 1515 struct ifnet; 1516 typedef void (*bpf_track_fn)(void *, struct ifnet *, int /* dlt */, 1517 int /* 1 =>'s attach */); 1518 EVENTHANDLER_DECLARE(bpf_track, bpf_track_fn); 1519 #endif /* _SYS_EVENTHANDLER_H_ */ 1520 1521 #endif /* _NET_BPF_H_ */ 1522