libpcap: pcap-common.c

"Fossies" - the Free Open Source Software Archive

Member "libpcap-1.10.5/./pcap-common.c" (30 Aug 2024, 51006 Bytes) of package /linux/misc/libpcap-1.10.5.tar.gz:

As a special service "Fossies" has tried to format the requested source page into HTML format using (guessed) C and C++ source code syntax highlighting (style: standard) with prefixed line numbers and code folding option. Alternatively you can here view or download the uninterpreted source code file. For more information about "pcap-common.c" see the Fossies "Dox" file reference documentation and the latest Fossies "Diffs" side-by-side code changes report:

1.10.4_vs_1.10.5.

1 /* 2 * Copyright (c) 1993, 1994, 1995, 1996, 1997 3 * The Regents of the University of California. All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that: (1) source code distributions 7 * retain the above copyright notice and this paragraph in its entirety, (2) 8 * distributions including binary code include the above copyright notice and 9 * this paragraph in its entirety in the documentation or other materials 10 * provided with the distribution, and (3) all advertising materials mentioning 11 * features or use of this software display the following acknowledgement: 12 * ``This product includes software developed by the University of California, 13 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of 14 * the University nor the names of its contributors may be used to endorse 15 * or promote products derived from this software without specific prior 16 * written permission. 17 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED 18 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF 19 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 20 * 21 * pcap-common.c - common code for pcap and pcapng files 22 */ 23 24 #include <config.h> 25 26 #include <pcap-types.h> 27 28 #include "pcap-int.h" 29 30 #include "pcap-common.h" 31 32 /* 33 * We don't write DLT_* values to capture files, because they're not the 34 * same on all platforms. 35 * 36 * Unfortunately, the various flavors of BSD have not always used the same 37 * numerical values for the same data types, and various patches to 38 * libpcap for non-BSD OSes have added their own DLT_* codes for link 39 * layer encapsulation types seen on those OSes, and those codes have had, 40 * in some cases, values that were also used, on other platforms, for other 41 * link layer encapsulation types. 42 * 43 * This means that capture files of a type whose numerical DLT_* code 44 * means different things on different BSDs, or with different versions 45 * of libpcap, can't always be read on systems other than those like 46 * the one running on the machine on which the capture was made. 47 * 48 * Instead, we define here a set of LINKTYPE_* codes, and map DLT_* codes 49 * to LINKTYPE_* codes when writing a savefile header, and map LINKTYPE_* 50 * codes to DLT_* codes when reading a savefile header. 51 * 52 * For those DLT_* codes that have, as far as we know, the same values on 53 * all platforms (DLT_NULL through DLT_FDDI), we define LINKTYPE_xxx as 54 * DLT_xxx; that way, captures of those types can still be read by 55 * versions of libpcap that map LINKTYPE_* values to DLT_* values, and 56 * captures of those types written by versions of libpcap that map DLT_ 57 * values to LINKTYPE_ values can still be read by older versions 58 * of libpcap. 59 * 60 * The other LINKTYPE_* codes are given values starting at 100, in the 61 * hopes that no DLT_* code will be given one of those values. 62 * 63 * In order to ensure that a given LINKTYPE_* code's value will refer to 64 * the same encapsulation type on all platforms, you should not allocate 65 * a new LINKTYPE_* value without consulting 66 * "tcpdump-workers@lists.tcpdump.org". The tcpdump developers will 67 * allocate a value for you, and will not subsequently allocate it to 68 * anybody else; that value will be added to the "pcap.h" in the 69 * tcpdump.org Git repository, so that a future libpcap release will 70 * include it. 71 * 72 * You should, if possible, also contribute patches to libpcap and tcpdump 73 * to handle the new encapsulation type, so that they can also be checked 74 * into the tcpdump.org Git repository and so that they will appear in 75 * future libpcap and tcpdump releases. 76 * 77 * Do *NOT* assume that any values after the largest value in this file 78 * are available; you might not have the most up-to-date version of this 79 * file, and new values after that one might have been assigned. Also, 80 * do *NOT* use any values below 100 - those might already have been 81 * taken by one (or more!) organizations. 82 * 83 * Any platform that defines additional DLT_* codes should: 84 * 85 * request a LINKTYPE_* code and value from tcpdump.org, 86 * as per the above; 87 * 88 * add, in their version of libpcap, an entry to map 89 * those DLT_* codes to the corresponding LINKTYPE_* 90 * code; 91 * 92 * redefine, in their "net/bpf.h", any DLT_* values 93 * that collide with the values used by their additional 94 * DLT_* codes, to remove those collisions (but without 95 * making them collide with any of the LINKTYPE_* 96 * values equal to 50 or above; they should also avoid 97 * defining DLT_* values that collide with those 98 * LINKTYPE_* values, either). 99 */ 100 101 /* 102 * These values the DLT_ values for which are the same on all platforms, 103 * and that have been defined by <net/bpf.h> for ages. 104 * 105 * For those, the LINKTYPE_ values are equal to the DLT_ values. 106 * 107 * LINKTYPE_LOW_MATCHING_MIN is the lowest such value; 108 * LINKTYPE_LOW_MATCHING_MAX is the highest such value. 109 */ 110 #define LINKTYPE_LOW_MATCHING_MIN 0 /* lowest value in this "matching" range */ 111 #define LINKTYPE_NULL DLT_NULL 112 #define LINKTYPE_ETHERNET DLT_EN10MB /* also for 100Mb and up */ 113 #define LINKTYPE_EXP_ETHERNET DLT_EN3MB /* 3Mb experimental Ethernet */ 114 #define LINKTYPE_AX25 DLT_AX25 115 #define LINKTYPE_PRONET DLT_PRONET 116 #define LINKTYPE_CHAOS DLT_CHAOS 117 #define LINKTYPE_IEEE802_5 DLT_IEEE802 /* DLT_IEEE802 is used for 802.5 Token Ring */ 118 #define LINKTYPE_ARCNET_BSD DLT_ARCNET /* BSD-style headers */ 119 #define LINKTYPE_SLIP DLT_SLIP 120 #define LINKTYPE_PPP DLT_PPP 121 #define LINKTYPE_FDDI DLT_FDDI 122 123 #define LINKTYPE_LOW_MATCHING_MAX LINKTYPE_FDDI /* highest value in this "matching" range */ 124 125 /* 126 * LINKTYPE_PPP is for use when there might, or might not, be an RFC 1662 127 * PPP in HDLC-like framing header (with 0xff 0x03 before the PPP protocol 128 * field) at the beginning of the packet. 129 * 130 * This is for use when there is always such a header; the address field 131 * might be 0xff, for regular PPP, or it might be an address field for Cisco 132 * point-to-point with HDLC framing as per section 4.3.1 of RFC 1547 ("Cisco 133 * HDLC"). This is, for example, what you get with NetBSD's DLT_PPP_SERIAL. 134 * 135 * We give it the same value as NetBSD's DLT_PPP_SERIAL, in the hopes that 136 * nobody else will choose a DLT_ value of 50, and so that DLT_PPP_SERIAL 137 * captures will be written out with a link type that NetBSD's tcpdump 138 * can read. 139 */ 140 #define LINKTYPE_PPP_HDLC 50 /* PPP in HDLC-like framing */ 141 142 #define LINKTYPE_PPP_ETHER 51 /* NetBSD PPP-over-Ethernet */ 143 144 #define LINKTYPE_SYMANTEC_FIREWALL 99 /* Symantec Enterprise Firewall */ 145 146 /* 147 * These correspond to DLT_s that have different values on different 148 * platforms; we map between these values in capture files and 149 * the DLT_ values as returned by pcap_datalink() and passed to 150 * pcap_open_dead(). 151 */ 152 #define LINKTYPE_ATM_RFC1483 100 /* LLC/SNAP-encapsulated ATM */ 153 #define LINKTYPE_RAW 101 /* raw IP */ 154 #define LINKTYPE_SLIP_BSDOS 102 /* BSD/OS SLIP BPF header */ 155 #define LINKTYPE_PPP_BSDOS 103 /* BSD/OS PPP BPF header */ 156 157 /* 158 * Values starting with 104 are used for newly-assigned link-layer 159 * header type values; for those link-layer header types, the DLT_ 160 * value returned by pcap_datalink() and passed to pcap_open_dead(), 161 * and the LINKTYPE_ value that appears in capture files, are the 162 * same. 163 * 164 * LINKTYPE_HIGH_MATCHING_MIN is the lowest such value; 165 * LINKTYPE_HIGH_MATCHING_MAX is the highest such value. 166 */ 167 #define LINKTYPE_HIGH_MATCHING_MIN 104 /* lowest value in the "matching" range */ 168 169 #define LINKTYPE_C_HDLC 104 /* Cisco HDLC */ 170 #define LINKTYPE_IEEE802_11 105 /* IEEE 802.11 (wireless) */ 171 #define LINKTYPE_ATM_CLIP 106 /* Linux Classical IP over ATM */ 172 #define LINKTYPE_FRELAY 107 /* Frame Relay */ 173 #define LINKTYPE_LOOP 108 /* OpenBSD loopback */ 174 #define LINKTYPE_ENC 109 /* OpenBSD IPSEC enc */ 175 176 /* 177 * These two types are reserved for future use. 178 */ 179 #define LINKTYPE_LANE8023 110 /* ATM LANE + 802.3 */ 180 #define LINKTYPE_HIPPI 111 /* NetBSD HIPPI */ 181 182 /* 183 * Used for NetBSD DLT_HDLC; from looking at the one driver in NetBSD 184 * that uses it, it's Cisco HDLC, so it's the same as DLT_C_HDLC/ 185 * LINKTYPE_C_HDLC, but we define a separate value to avoid some 186 * compatibility issues with programs on NetBSD. 187 * 188 * All code should treat LINKTYPE_NETBSD_HDLC and LINKTYPE_C_HDLC the same. 189 */ 190 #define LINKTYPE_NETBSD_HDLC 112 /* NetBSD HDLC framing */ 191 192 #define LINKTYPE_LINUX_SLL 113 /* Linux cooked socket capture */ 193 #define LINKTYPE_LTALK 114 /* Apple LocalTalk hardware */ 194 #define LINKTYPE_ECONET 115 /* Acorn Econet */ 195 196 /* 197 * Reserved for use with OpenBSD ipfilter. 198 */ 199 #define LINKTYPE_IPFILTER 116 200 201 #define LINKTYPE_PFLOG 117 /* OpenBSD DLT_PFLOG */ 202 #define LINKTYPE_CISCO_IOS 118 /* For Cisco-internal use */ 203 #define LINKTYPE_IEEE802_11_PRISM 119 /* 802.11 plus Prism II monitor mode radio metadata header */ 204 #define LINKTYPE_IEEE802_11_AIRONET 120 /* 802.11 plus FreeBSD Aironet driver radio metadata header */ 205 206 /* 207 * Reserved for Siemens HiPath HDLC. 208 */ 209 #define LINKTYPE_HHDLC 121 210 211 #define LINKTYPE_IP_OVER_FC 122 /* RFC 2625 IP-over-Fibre Channel */ 212 #define LINKTYPE_SUNATM 123 /* Solaris+SunATM */ 213 214 /* 215 * Reserved as per request from Kent Dahlgren <kent@praesum.com> 216 * for private use. 217 */ 218 #define LINKTYPE_RIO 124 /* RapidIO */ 219 #define LINKTYPE_PCI_EXP 125 /* PCI Express */ 220 #define LINKTYPE_AURORA 126 /* Xilinx Aurora link layer */ 221 222 #define LINKTYPE_IEEE802_11_RADIOTAP 127 /* 802.11 plus radiotap radio metadata header */ 223 224 /* 225 * Reserved for the TZSP encapsulation, as per request from 226 * Chris Waters <chris.waters@networkchemistry.com> 227 * TZSP is a generic encapsulation for any other link type, 228 * which includes a means to include meta-information 229 * with the packet, e.g. signal strength and channel 230 * for 802.11 packets. 231 */ 232 #define LINKTYPE_TZSP 128 /* Tazmen Sniffer Protocol */ 233 234 #define LINKTYPE_ARCNET_LINUX 129 /* Linux-style headers */ 235 236 /* 237 * Juniper-private data link types, as per request from 238 * Hannes Gredler <hannes@juniper.net>. The corresponding 239 * DLT_s are used for passing on chassis-internal 240 * metainformation such as QOS profiles, etc.. 241 */ 242 #define LINKTYPE_JUNIPER_MLPPP 130 243 #define LINKTYPE_JUNIPER_MLFR 131 244 #define LINKTYPE_JUNIPER_ES 132 245 #define LINKTYPE_JUNIPER_GGSN 133 246 #define LINKTYPE_JUNIPER_MFR 134 247 #define LINKTYPE_JUNIPER_ATM2 135 248 #define LINKTYPE_JUNIPER_SERVICES 136 249 #define LINKTYPE_JUNIPER_ATM1 137 250 251 #define LINKTYPE_APPLE_IP_OVER_IEEE1394 138 /* Apple IP-over-IEEE 1394 cooked header */ 252 253 #define LINKTYPE_MTP2_WITH_PHDR 139 254 #define LINKTYPE_MTP2 140 255 #define LINKTYPE_MTP3 141 256 #define LINKTYPE_SCCP 142 257 258 #define LINKTYPE_DOCSIS 143 /* DOCSIS MAC frames */ 259 260 #define LINKTYPE_LINUX_IRDA 144 /* Linux-IrDA */ 261 262 /* 263 * Reserved for IBM SP switch and IBM Next Federation switch. 264 */ 265 #define LINKTYPE_IBM_SP 145 266 #define LINKTYPE_IBM_SN 146 267 268 /* 269 * Reserved for private use. If you have some link-layer header type 270 * that you want to use within your organization, with the capture files 271 * using that link-layer header type not ever be sent outside your 272 * organization, you can use these values. 273 * 274 * No libpcap release will use these for any purpose, nor will any 275 * tcpdump release use them, either. 276 * 277 * Do *NOT* use these in capture files that you expect anybody not using 278 * your private versions of capture-file-reading tools to read; in 279 * particular, do *NOT* use them in products, otherwise you may find that 280 * people won't be able to use tcpdump, or snort, or Ethereal, or... to 281 * read capture files from your firewall/intrusion detection/traffic 282 * monitoring/etc. appliance, or whatever product uses that LINKTYPE_ value, 283 * and you may also find that the developers of those applications will 284 * not accept patches to let them read those files. 285 * 286 * Also, do not use them if somebody might send you a capture using them 287 * for *their* private type and tools using them for *your* private type 288 * would have to read them. 289 * 290 * Instead, in those cases, ask "tcpdump-workers@lists.tcpdump.org" for a 291 * new DLT_ and LINKTYPE_ value, as per the comment in pcap/bpf.h, and use 292 * the type you're given. 293 */ 294 #define LINKTYPE_USER0 147 295 #define LINKTYPE_USER1 148 296 #define LINKTYPE_USER2 149 297 #define LINKTYPE_USER3 150 298 #define LINKTYPE_USER4 151 299 #define LINKTYPE_USER5 152 300 #define LINKTYPE_USER6 153 301 #define LINKTYPE_USER7 154 302 #define LINKTYPE_USER8 155 303 #define LINKTYPE_USER9 156 304 #define LINKTYPE_USER10 157 305 #define LINKTYPE_USER11 158 306 #define LINKTYPE_USER12 159 307 #define LINKTYPE_USER13 160 308 #define LINKTYPE_USER14 161 309 #define LINKTYPE_USER15 162 310 311 /* 312 * For future use with 802.11 captures - defined by AbsoluteValue 313 * Systems to store a number of bits of link-layer information 314 * including radio information: 315 * 316 * http://www.shaftnet.org/~pizza/software/capturefrm.txt 317 */ 318 #define LINKTYPE_IEEE802_11_AVS 163 /* 802.11 plus AVS radio metadata header */ 319 320 /* 321 * Juniper-private data link type, as per request from 322 * Hannes Gredler <hannes@juniper.net>. The corresponding 323 * DLT_s are used for passing on chassis-internal 324 * metainformation such as QOS profiles, etc.. 325 */ 326 #define LINKTYPE_JUNIPER_MONITOR 164 327 328 /* 329 * BACnet MS/TP frames. 330 */ 331 #define LINKTYPE_BACNET_MS_TP 165 332 333 /* 334 * Another PPP variant as per request from Karsten Keil <kkeil@suse.de>. 335 * 336 * This is used in some OSes to allow a kernel socket filter to distinguish 337 * between incoming and outgoing packets, on a socket intended to 338 * supply pppd with outgoing packets so it can do dial-on-demand and 339 * hangup-on-lack-of-demand; incoming packets are filtered out so they 340 * don't cause pppd to hold the connection up (you don't want random 341 * input packets such as port scans, packets from old lost connections, 342 * etc. to force the connection to stay up). 343 * 344 * The first byte of the PPP header (0xff03) is modified to accommodate 345 * the direction - 0x00 = IN, 0x01 = OUT. 346 */ 347 #define LINKTYPE_PPP_PPPD 166 348 349 /* 350 * Juniper-private data link type, as per request from 351 * Hannes Gredler <hannes@juniper.net>. The DLT_s are used 352 * for passing on chassis-internal metainformation such as 353 * QOS profiles, cookies, etc.. 354 */ 355 #define LINKTYPE_JUNIPER_PPPOE 167 356 #define LINKTYPE_JUNIPER_PPPOE_ATM 168 357 358 #define LINKTYPE_GPRS_LLC 169 /* GPRS LLC */ 359 #define LINKTYPE_GPF_T 170 /* GPF-T (ITU-T G.7041/Y.1303) */ 360 #define LINKTYPE_GPF_F 171 /* GPF-F (ITU-T G.7041/Y.1303) */ 361 362 /* 363 * Requested by Oolan Zimmer <oz@gcom.com> for use in Gcom's T1/E1 line 364 * monitoring equipment. 365 */ 366 #define LINKTYPE_GCOM_T1E1 172 367 #define LINKTYPE_GCOM_SERIAL 173 368 369 /* 370 * Juniper-private data link type, as per request from 371 * Hannes Gredler <hannes@juniper.net>. The DLT_ is used 372 * for internal communication to Physical Interface Cards (PIC) 373 */ 374 #define LINKTYPE_JUNIPER_PIC_PEER 174 375 376 /* 377 * Link types requested by Gregor Maier <gregor@endace.com> of Endace 378 * Measurement Systems. They add an ERF header (see 379 * https://www.endace.com/support/EndaceRecordFormat.pdf) in front of 380 * the link-layer header. 381 */ 382 #define LINKTYPE_ERF_ETH 175 /* Ethernet */ 383 #define LINKTYPE_ERF_POS 176 /* Packet-over-SONET */ 384 385 /* 386 * Requested by Daniele Orlandi <daniele@orlandi.com> for raw LAPD 387 * for vISDN (http://www.orlandi.com/visdn/). Its link-layer header 388 * includes additional information before the LAPD header, so it's 389 * not necessarily a generic LAPD header. 390 */ 391 #define LINKTYPE_LINUX_LAPD 177 392 393 /* 394 * Juniper-private data link type, as per request from 395 * Hannes Gredler <hannes@juniper.net>. 396 * The Link Types are used for prepending meta-information 397 * like interface index, interface name 398 * before standard Ethernet, PPP, Frelay & C-HDLC Frames 399 */ 400 #define LINKTYPE_JUNIPER_ETHER 178 401 #define LINKTYPE_JUNIPER_PPP 179 402 #define LINKTYPE_JUNIPER_FRELAY 180 403 #define LINKTYPE_JUNIPER_CHDLC 181 404 405 /* 406 * Multi Link Frame Relay (FRF.16) 407 */ 408 #define LINKTYPE_MFR 182 409 410 /* 411 * Juniper-private data link type, as per request from 412 * Hannes Gredler <hannes@juniper.net>. 413 * The DLT_ is used for internal communication with a 414 * voice Adapter Card (PIC) 415 */ 416 #define LINKTYPE_JUNIPER_VP 183 417 418 /* 419 * Arinc 429 frames. 420 * DLT_ requested by Gianluca Varenni <gianluca.varenni@cacetech.com>. 421 * Every frame contains a 32bit A429 label. 422 * More documentation on Arinc 429 can be found at 423 * https://web.archive.org/web/20040616233302/https://www.condoreng.com/support/downloads/tutorials/ARINCTutorial.pdf 424 */ 425 #define LINKTYPE_A429 184 426 427 /* 428 * Arinc 653 Interpartition Communication messages. 429 * DLT_ requested by Gianluca Varenni <gianluca.varenni@cacetech.com>. 430 * Please refer to the A653-1 standard for more information. 431 */ 432 #define LINKTYPE_A653_ICM 185 433 434 /* 435 * This used to be "USB packets, beginning with a USB setup header; 436 * requested by Paolo Abeni <paolo.abeni@email.it>." 437 * 438 * However, that header didn't work all that well - it left out some 439 * useful information - and was abandoned in favor of the DLT_USB_LINUX 440 * header. 441 * 442 * This is now used by FreeBSD for its BPF taps for USB; that has its 443 * own headers. So it is written, so it is done. 444 */ 445 #define LINKTYPE_USB_FREEBSD 186 446 447 /* 448 * Bluetooth HCI UART transport layer (part H:4); requested by 449 * Paolo Abeni. 450 */ 451 #define LINKTYPE_BLUETOOTH_HCI_H4 187 452 453 /* 454 * IEEE 802.16 MAC Common Part Sublayer; requested by Maria Cruz 455 * <cruz_petagay@bah.com>. 456 */ 457 #define LINKTYPE_IEEE802_16_MAC_CPS 188 458 459 /* 460 * USB packets, beginning with a Linux USB header; requested by 461 * Paolo Abeni <paolo.abeni@email.it>. 462 */ 463 #define LINKTYPE_USB_LINUX 189 464 465 /* 466 * Controller Area Network (CAN) v. 2.0B packets. 467 * DLT_ requested by Gianluca Varenni <gianluca.varenni@cacetech.com>. 468 * Used to dump CAN packets coming from a CAN Vector board. 469 * More documentation on the CAN v2.0B frames can be found at 470 * http://www.can-cia.org/downloads/?269 471 */ 472 #define LINKTYPE_CAN20B 190 473 474 /* 475 * IEEE 802.15.4, with address fields padded, as is done by Linux 476 * drivers; requested by Juergen Schimmer. 477 */ 478 #define LINKTYPE_IEEE802_15_4_LINUX 191 479 480 /* 481 * Per Packet Information encapsulated packets. 482 * LINKTYPE_ requested by Gianluca Varenni <gianluca.varenni@cacetech.com>. 483 */ 484 #define LINKTYPE_PPI 192 485 486 /* 487 * Header for 802.16 MAC Common Part Sublayer plus a radiotap radio header; 488 * requested by Charles Clancy. 489 */ 490 #define LINKTYPE_IEEE802_16_MAC_CPS_RADIO 193 491 492 /* 493 * Juniper-private data link type, as per request from 494 * Hannes Gredler <hannes@juniper.net>. 495 * The DLT_ is used for internal communication with a 496 * integrated service module (ISM). 497 */ 498 #define LINKTYPE_JUNIPER_ISM 194 499 500 /* 501 * IEEE 802.15.4, exactly as it appears in the spec (no padding, no 502 * nothing), and with the FCS at the end of the frame; requested by 503 * Mikko Saarnivala <mikko.saarnivala@sensinode.com>. 504 * 505 * This should only be used if the FCS is present at the end of the 506 * frame; if the frame has no FCS, DLT_IEEE802_15_4_NOFCS should be 507 * used. 508 */ 509 #define LINKTYPE_IEEE802_15_4_WITHFCS 195 510 511 /* 512 * Various link-layer types, with a pseudo-header, for SITA 513 * (https://www.sita.aero/); requested by Fulko Hew (fulko.hew@gmail.com). 514 */ 515 #define LINKTYPE_SITA 196 516 517 /* 518 * Various link-layer types, with a pseudo-header, for Endace DAG cards; 519 * encapsulates Endace ERF records. Requested by Stephen Donnelly 520 * <stephen@endace.com>. 521 */ 522 #define LINKTYPE_ERF 197 523 524 /* 525 * Special header prepended to Ethernet packets when capturing from a 526 * u10 Networks board. Requested by Phil Mulholland 527 * <phil@u10networks.com>. 528 */ 529 #define LINKTYPE_RAIF1 198 530 531 /* 532 * IPMB packet for IPMI, beginning with a 2-byte header, followed by 533 * the I2C slave address, followed by the netFn and LUN, etc.. 534 * Requested by Chanthy Toeung <chanthy.toeung@ca.kontron.com>. 535 * 536 * XXX - its DLT_ value used to be called DLT_IPMB, back when we got the 537 * impression from the email thread requesting it that the packet 538 * had no extra 2-byte header. We've renamed it; if anybody used 539 * DLT_IPMB and assumed no 2-byte header, this will cause the compile 540 * to fail, at which point we'll have to figure out what to do about 541 * the two header types using the same DLT_/LINKTYPE_ value. If that 542 * doesn't happen, we'll assume nobody used it and that the redefinition 543 * is safe. 544 */ 545 #define LINKTYPE_IPMB_KONTRON 199 546 547 /* 548 * Juniper-private data link type, as per request from 549 * Hannes Gredler <hannes@juniper.net>. 550 * The DLT_ is used for capturing data on a secure tunnel interface. 551 */ 552 #define LINKTYPE_JUNIPER_ST 200 553 554 /* 555 * Bluetooth HCI UART transport layer (part H:4), with pseudo-header 556 * that includes direction information; requested by Paolo Abeni. 557 */ 558 #define LINKTYPE_BLUETOOTH_HCI_H4_WITH_PHDR 201 559 560 /* 561 * AX.25 packet with a 1-byte KISS header; see 562 * 563 * http://www.ax25.net/kiss.htm 564 * 565 * as per Richard Stearn <richard@rns-stearn.demon.co.uk>. 566 */ 567 #define LINKTYPE_AX25_KISS 202 568 569 /* 570 * LAPD packets from an ISDN channel, starting with the address field, 571 * with no pseudo-header. 572 * Requested by Varuna De Silva <varunax@gmail.com>. 573 */ 574 #define LINKTYPE_LAPD 203 575 576 /* 577 * PPP, with a one-byte direction pseudo-header prepended - zero means 578 * "received by this host", non-zero (any non-zero value) means "sent by 579 * this host" - as per Will Barker <w.barker@zen.co.uk>. 580 */ 581 #define LINKTYPE_PPP_WITH_DIR 204 /* Don't confuse with LINKTYPE_PPP_PPPD */ 582 583 /* 584 * Cisco HDLC, with a one-byte direction pseudo-header prepended - zero 585 * means "received by this host", non-zero (any non-zero value) means 586 * "sent by this host" - as per Will Barker <w.barker@zen.co.uk>. 587 */ 588 #define LINKTYPE_C_HDLC_WITH_DIR 205 /* Cisco HDLC */ 589 590 /* 591 * Frame Relay, with a one-byte direction pseudo-header prepended - zero 592 * means "received by this host" (DCE -> DTE), non-zero (any non-zero 593 * value) means "sent by this host" (DTE -> DCE) - as per Will Barker 594 * <w.barker@zen.co.uk>. 595 */ 596 #define LINKTYPE_FRELAY_WITH_DIR 206 /* Frame Relay */ 597 598 /* 599 * LAPB, with a one-byte direction pseudo-header prepended - zero means 600 * "received by this host" (DCE -> DTE), non-zero (any non-zero value) 601 * means "sent by this host" (DTE -> DCE)- as per Will Barker 602 * <w.barker@zen.co.uk>. 603 */ 604 #define LINKTYPE_LAPB_WITH_DIR 207 /* LAPB */ 605 606 /* 607 * 208 is reserved for an as-yet-unspecified proprietary link-layer 608 * type, as requested by Will Barker. 609 */ 610 611 /* 612 * IPMB with a Linux-specific pseudo-header; as requested by Alexey Neyman 613 * <avn@pigeonpoint.com>. 614 */ 615 #define LINKTYPE_IPMB_LINUX 209 616 617 /* 618 * FlexRay automotive bus - http://www.flexray.com/ - as requested 619 * by Hannes Kaelber <hannes.kaelber@x2e.de>. 620 */ 621 #define LINKTYPE_FLEXRAY 210 622 623 /* 624 * Media Oriented Systems Transport (MOST) bus for multimedia 625 * transport - https://www.mostcooperation.com/ - as requested 626 * by Hannes Kaelber <hannes.kaelber@x2e.de>. 627 */ 628 #define LINKTYPE_MOST 211 629 630 /* 631 * Local Interconnect Network (LIN) bus for vehicle networks - 632 * http://www.lin-subbus.org/ - as requested by Hannes Kaelber 633 * <hannes.kaelber@x2e.de>. 634 */ 635 #define LINKTYPE_LIN 212 636 637 /* 638 * X2E-private data link type used for serial line capture, 639 * as requested by Hannes Kaelber <hannes.kaelber@x2e.de>. 640 */ 641 #define LINKTYPE_X2E_SERIAL 213 642 643 /* 644 * X2E-private data link type used for the Xoraya data logger 645 * family, as requested by Hannes Kaelber <hannes.kaelber@x2e.de>. 646 */ 647 #define LINKTYPE_X2E_XORAYA 214 648 649 /* 650 * IEEE 802.15.4, exactly as it appears in the spec (no padding, no 651 * nothing), but with the PHY-level data for non-ASK PHYs (4 octets 652 * of 0 as preamble, one octet of SFD, one octet of frame length+ 653 * reserved bit, and then the MAC-layer data, starting with the 654 * frame control field). 655 * 656 * Requested by Max Filippov <jcmvbkbc@gmail.com>. 657 */ 658 #define LINKTYPE_IEEE802_15_4_NONASK_PHY 215 659 660 /* 661 * David Gibson <david@gibson.dropbear.id.au> requested this for 662 * captures from the Linux kernel /dev/input/eventN devices. This 663 * is used to communicate keystrokes and mouse movements from the 664 * Linux kernel to display systems, such as Xorg. 665 */ 666 #define LINKTYPE_LINUX_EVDEV 216 667 668 /* 669 * GSM Um and Abis interfaces, preceded by a "gsmtap" header. 670 * 671 * Requested by Harald Welte <laforge@gnumonks.org>. 672 */ 673 #define LINKTYPE_GSMTAP_UM 217 674 #define LINKTYPE_GSMTAP_ABIS 218 675 676 /* 677 * MPLS, with an MPLS label as the link-layer header. 678 * Requested by Michele Marchetto <michele@openbsd.org> on behalf 679 * of OpenBSD. 680 */ 681 #define LINKTYPE_MPLS 219 682 683 /* 684 * USB packets, beginning with a Linux USB header, with the USB header 685 * padded to 64 bytes; required for memory-mapped access. 686 */ 687 #define LINKTYPE_USB_LINUX_MMAPPED 220 688 689 /* 690 * DECT packets, with a pseudo-header; requested by 691 * Matthias Wenzel <tcpdump@mazzoo.de>. 692 */ 693 #define LINKTYPE_DECT 221 694 695 /* 696 * From: "Lidwa, Eric (GSFC-582.0)[SGT INC]" <eric.lidwa-1@nasa.gov> 697 * Date: Mon, 11 May 2009 11:18:30 -0500 698 * 699 * DLT_AOS. We need it for AOS Space Data Link Protocol. 700 * I have already written dissectors for but need an OK from 701 * legal before I can submit a patch. 702 * 703 */ 704 #define LINKTYPE_AOS 222 705 706 /* 707 * WirelessHART (Highway Addressable Remote Transducer) 708 * From the HART Communication Foundation 709 * IEC/PAS 62591 710 * 711 * Requested by Sam Roberts <vieuxtech@gmail.com>. 712 */ 713 #define LINKTYPE_WIHART 223 714 715 /* 716 * Fibre Channel FC-2 frames, beginning with a Frame_Header. 717 * Requested by Kahou Lei <kahou82@gmail.com>. 718 */ 719 #define LINKTYPE_FC_2 224 720 721 /* 722 * Fibre Channel FC-2 frames, beginning with an encoding of the 723 * SOF, and ending with an encoding of the EOF. 724 * 725 * The encodings represent the frame delimiters as 4-byte sequences 726 * representing the corresponding ordered sets, with K28.5 727 * represented as 0xBC, and the D symbols as the corresponding 728 * byte values; for example, SOFi2, which is K28.5 - D21.5 - D1.2 - D21.2, 729 * is represented as 0xBC 0xB5 0x55 0x55. 730 * 731 * Requested by Kahou Lei <kahou82@gmail.com>. 732 */ 733 #define LINKTYPE_FC_2_WITH_FRAME_DELIMS 225 734 735 /* 736 * Solaris ipnet pseudo-header; requested by Darren Reed <Darren.Reed@Sun.COM>. 737 * 738 * The pseudo-header starts with a one-byte version number; for version 2, 739 * the pseudo-header is: 740 * 741 * struct dl_ipnetinfo { 742 * uint8_t dli_version; 743 * uint8_t dli_family; 744 * uint16_t dli_htype; 745 * uint32_t dli_pktlen; 746 * uint32_t dli_ifindex; 747 * uint32_t dli_grifindex; 748 * uint32_t dli_zsrc; 749 * uint32_t dli_zdst; 750 * }; 751 * 752 * dli_version is 2 for the current version of the pseudo-header. 753 * 754 * dli_family is a Solaris address family value, so it's 2 for IPv4 755 * and 26 for IPv6. 756 * 757 * dli_htype is a "hook type" - 0 for incoming packets, 1 for outgoing 758 * packets, and 2 for packets arriving from another zone on the same 759 * machine. 760 * 761 * dli_pktlen is the length of the packet data following the pseudo-header 762 * (so the captured length minus dli_pktlen is the length of the 763 * pseudo-header, assuming the entire pseudo-header was captured). 764 * 765 * dli_ifindex is the interface index of the interface on which the 766 * packet arrived. 767 * 768 * dli_grifindex is the group interface index number (for IPMP interfaces). 769 * 770 * dli_zsrc is the zone identifier for the source of the packet. 771 * 772 * dli_zdst is the zone identifier for the destination of the packet. 773 * 774 * A zone number of 0 is the global zone; a zone number of 0xffffffff 775 * means that the packet arrived from another host on the network, not 776 * from another zone on the same machine. 777 * 778 * An IPv4 or IPv6 datagram follows the pseudo-header; dli_family indicates 779 * which of those it is. 780 */ 781 #define LINKTYPE_IPNET 226 782 783 /* 784 * CAN (Controller Area Network) frames, with a pseudo-header as supplied 785 * by Linux SocketCAN, and with multi-byte numerical fields in that header 786 * in big-endian byte order. 787 * 788 * See Documentation/networking/can.txt in the Linux source. 789 * 790 * Requested by Felix Obenhuber <felix@obenhuber.de>. 791 */ 792 #define LINKTYPE_CAN_SOCKETCAN 227 793 794 /* 795 * Raw IPv4/IPv6; different from DLT_RAW in that the DLT_ value specifies 796 * whether it's v4 or v6. Requested by Darren Reed <Darren.Reed@Sun.COM>. 797 */ 798 #define LINKTYPE_IPV4 228 799 #define LINKTYPE_IPV6 229 800 801 /* 802 * IEEE 802.15.4, exactly as it appears in the spec (no padding, no 803 * nothing), and with no FCS at the end of the frame; requested by 804 * Jon Smirl <jonsmirl@gmail.com>. 805 */ 806 #define LINKTYPE_IEEE802_15_4_NOFCS 230 807 808 /* 809 * Raw D-Bus: 810 * 811 * https://www.freedesktop.org/wiki/Software/dbus 812 * 813 * messages: 814 * 815 * https://dbus.freedesktop.org/doc/dbus-specification.html#message-protocol-messages 816 * 817 * starting with the endianness flag, followed by the message type, etc., 818 * but without the authentication handshake before the message sequence: 819 * 820 * https://dbus.freedesktop.org/doc/dbus-specification.html#auth-protocol 821 * 822 * Requested by Martin Vidner <martin@vidner.net>. 823 */ 824 #define LINKTYPE_DBUS 231 825 826 /* 827 * Juniper-private data link type, as per request from 828 * Hannes Gredler <hannes@juniper.net>. 829 */ 830 #define LINKTYPE_JUNIPER_VS 232 831 #define LINKTYPE_JUNIPER_SRX_E2E 233 832 #define LINKTYPE_JUNIPER_FIBRECHANNEL 234 833 834 /* 835 * DVB-CI (DVB Common Interface for communication between a PC Card 836 * module and a DVB receiver). See 837 * 838 * https://www.kaiser.cx/pcap-dvbci.html 839 * 840 * for the specification. 841 * 842 * Requested by Martin Kaiser <martin@kaiser.cx>. 843 */ 844 #define LINKTYPE_DVB_CI 235 845 846 /* 847 * Variant of 3GPP TS 27.010 multiplexing protocol. Requested 848 * by Hans-Christoph Schemmel <hans-christoph.schemmel@cinterion.com>. 849 */ 850 #define LINKTYPE_MUX27010 236 851 852 /* 853 * STANAG 5066 D_PDUs. Requested by M. Baris Demiray 854 * <barisdemiray@gmail.com>. 855 */ 856 #define LINKTYPE_STANAG_5066_D_PDU 237 857 858 /* 859 * Juniper-private data link type, as per request from 860 * Hannes Gredler <hannes@juniper.net>. 861 */ 862 #define LINKTYPE_JUNIPER_ATM_CEMIC 238 863 864 /* 865 * NetFilter LOG messages 866 * (payload of netlink NFNL_SUBSYS_ULOG/NFULNL_MSG_PACKET packets) 867 * 868 * Requested by Jakub Zawadzki <darkjames-ws@darkjames.pl> 869 */ 870 #define LINKTYPE_NFLOG 239 871 872 /* 873 * Hilscher Gesellschaft fuer Systemautomation mbH link-layer type 874 * for Ethernet packets with a 4-byte pseudo-header and always 875 * with the payload including the FCS, as supplied by their 876 * netANALYZER hardware and software. 877 * 878 * Requested by Holger P. Frommer <HPfrommer@hilscher.com> 879 */ 880 #define LINKTYPE_NETANALYZER 240 881 882 /* 883 * Hilscher Gesellschaft fuer Systemautomation mbH link-layer type 884 * for Ethernet packets with a 4-byte pseudo-header and FCS and 885 * 1 byte of SFD, as supplied by their netANALYZER hardware and 886 * software. 887 * 888 * Requested by Holger P. Frommer <HPfrommer@hilscher.com> 889 */ 890 #define LINKTYPE_NETANALYZER_TRANSPARENT 241 891 892 /* 893 * IP-over-InfiniBand, as specified by RFC 4391. 894 * 895 * Requested by Petr Sumbera <petr.sumbera@oracle.com>. 896 */ 897 #define LINKTYPE_IPOIB 242 898 899 /* 900 * MPEG-2 transport stream (ISO 13818-1/ITU-T H.222.0). 901 * 902 * Requested by Guy Martin <gmsoft@tuxicoman.be>. 903 */ 904 #define LINKTYPE_MPEG_2_TS 243 905 906 /* 907 * ng4T GmbH's UMTS Iub/Iur-over-ATM and Iub/Iur-over-IP format as 908 * used by their ng40 protocol tester. 909 * 910 * Requested by Jens Grimmer <jens.grimmer@ng4t.com>. 911 */ 912 #define LINKTYPE_NG40 244 913 914 /* 915 * Pseudo-header giving adapter number and flags, followed by an NFC 916 * (Near-Field Communications) Logical Link Control Protocol (LLCP) PDU, 917 * as specified by NFC Forum Logical Link Control Protocol Technical 918 * Specification LLCP 1.1. 919 * 920 * Requested by Mike Wakerly <mikey@google.com>. 921 */ 922 #define LINKTYPE_NFC_LLCP 245 923 924 /* 925 * pfsync output; DLT_PFSYNC is 18, which collides with DLT_CIP in 926 * SuSE 6.3, on OpenBSD, NetBSD, DragonFly BSD, and macOS, and 927 * is 121, which collides with DLT_HHDLC, in FreeBSD. We pick a 928 * shiny new link-layer header type value that doesn't collide with 929 * anything, in the hopes that future pfsync savefiles, if any, 930 * won't require special hacks to distinguish from other savefiles. 931 */ 932 #define LINKTYPE_PFSYNC 246 933 934 /* 935 * Raw InfiniBand packets, starting with the Local Routing Header. 936 * 937 * Requested by Oren Kladnitsky <orenk@mellanox.com>. 938 */ 939 #define LINKTYPE_INFINIBAND 247 940 941 /* 942 * SCTP, with no lower-level protocols (i.e., no IPv4 or IPv6). 943 * 944 * Requested by Michael Tuexen <Michael.Tuexen@lurchi.franken.de>. 945 */ 946 #define LINKTYPE_SCTP 248 947 948 /* 949 * USB packets, beginning with a USBPcap header. 950 * 951 * Requested by Tomasz Mon <desowin@gmail.com> 952 */ 953 #define LINKTYPE_USBPCAP 249 954 955 /* 956 * Schweitzer Engineering Laboratories "RTAC" product serial-line 957 * packets. 958 * 959 * Requested by Chris Bontje <chris_bontje@selinc.com>. 960 */ 961 #define LINKTYPE_RTAC_SERIAL 250 962 963 /* 964 * Bluetooth Low Energy air interface link-layer packets. 965 * 966 * Requested by Mike Kershaw <dragorn@kismetwireless.net>. 967 */ 968 #define LINKTYPE_BLUETOOTH_LE_LL 251 969 970 /* 971 * Link-layer header type for upper-protocol layer PDU saves from wireshark. 972 * 973 * the actual contents are determined by two TAGs, one or more of 974 * which is stored with each packet: 975 * 976 * EXP_PDU_TAG_DISSECTOR_NAME the name of the Wireshark dissector 977 * that can make sense of the data stored. 978 * 979 * EXP_PDU_TAG_HEUR_DISSECTOR_NAME the name of the Wireshark heuristic 980 * dissector that can make sense of the 981 * data stored. 982 */ 983 #define LINKTYPE_WIRESHARK_UPPER_PDU 252 984 985 /* 986 * Link-layer header type for the netlink protocol (nlmon devices). 987 */ 988 #define LINKTYPE_NETLINK 253 989 990 /* 991 * Bluetooth Linux Monitor headers for the BlueZ stack. 992 */ 993 #define LINKTYPE_BLUETOOTH_LINUX_MONITOR 254 994 995 /* 996 * Bluetooth Basic Rate/Enhanced Data Rate baseband packets, as 997 * captured by Ubertooth. 998 */ 999 #define LINKTYPE_BLUETOOTH_BREDR_BB 255 1000 1001 /* 1002 * Bluetooth Low Energy link layer packets, as captured by Ubertooth. 1003 */ 1004 #define LINKTYPE_BLUETOOTH_LE_LL_WITH_PHDR 256 1005 1006 /* 1007 * PROFIBUS data link layer. 1008 */ 1009 #define LINKTYPE_PROFIBUS_DL 257 1010 1011 /* 1012 * Apple's DLT_PKTAP headers. 1013 * 1014 * Sadly, the folks at Apple either had no clue that the DLT_USERn values 1015 * are for internal use within an organization and partners only, and 1016 * didn't know that the right way to get a link-layer header type is to 1017 * ask tcpdump.org for one, or knew and didn't care, so they just 1018 * used DLT_USER2, which causes problems for everything except for 1019 * their version of tcpdump. 1020 * 1021 * So I'll just give them one; hopefully this will show up in a 1022 * libpcap release in time for them to get this into 10.10 Big Sur 1023 * or whatever Mavericks' successor is called. LINKTYPE_PKTAP 1024 * will be 258 *even on macOS*; that is *intentional*, so that 1025 * PKTAP files look the same on *all* OSes (different OSes can have 1026 * different numerical values for a given DLT_, but *MUST NOT* have 1027 * different values for what goes in a file, as files can be moved 1028 * between OSes!). 1029 */ 1030 #define LINKTYPE_PKTAP 258 1031 1032 /* 1033 * Ethernet packets preceded by a header giving the last 6 octets 1034 * of the preamble specified by 802.3-2012 Clause 65, section 1035 * 65.1.3.2 "Transmit". 1036 */ 1037 #define LINKTYPE_EPON 259 1038 1039 /* 1040 * IPMI trace packets, as specified by Table 3-20 "Trace Data Block Format" 1041 * in the PICMG HPM.2 specification. 1042 */ 1043 #define LINKTYPE_IPMI_HPM_2 260 1044 1045 /* 1046 * per Joshua Wright <jwright@hasborg.com>, formats for Zwave captures. 1047 */ 1048 #define LINKTYPE_ZWAVE_R1_R2 261 1049 #define LINKTYPE_ZWAVE_R3 262 1050 1051 /* 1052 * per Steve Karg <skarg@users.sourceforge.net>, formats for Wattstopper 1053 * Digital Lighting Management room bus serial protocol captures. 1054 */ 1055 #define LINKTYPE_WATTSTOPPER_DLM 263 1056 1057 /* 1058 * ISO 14443 contactless smart card messages. 1059 */ 1060 #define LINKTYPE_ISO_14443 264 1061 1062 /* 1063 * Radio data system (RDS) groups. IEC 62106. 1064 * Per Jonathan Brucker <jonathan.brucke@gmail.com>. 1065 */ 1066 #define LINKTYPE_RDS 265 1067 1068 /* 1069 * USB packets, beginning with a Darwin (macOS, etc.) header. 1070 */ 1071 #define LINKTYPE_USB_DARWIN 266 1072 1073 /* 1074 * OpenBSD DLT_OPENFLOW. 1075 */ 1076 #define LINKTYPE_OPENFLOW 267 1077 1078 /* 1079 * SDLC frames containing SNA PDUs. 1080 */ 1081 #define LINKTYPE_SDLC 268 1082 1083 /* 1084 * per "Selvig, Bjorn" <b.selvig@ti.com> used for 1085 * TI protocol sniffer. 1086 */ 1087 #define LINKTYPE_TI_LLN_SNIFFER 269 1088 1089 /* 1090 * per: Erik de Jong <erikdejong at gmail.com> for 1091 * https://github.com/eriknl/LoRaTap/releases/tag/v0.1 1092 */ 1093 #define LINKTYPE_LORATAP 270 1094 1095 /* 1096 * per: Stefanha at gmail.com for 1097 * https://lists.sandelman.ca/pipermail/tcpdump-workers/2017-May/000772.html 1098 * and: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/uapi/linux/vsockmon.h 1099 * for: https://qemu-project.org/Features/VirtioVsock 1100 */ 1101 #define LINKTYPE_VSOCK 271 1102 1103 /* 1104 * Nordic Semiconductor Bluetooth LE sniffer. 1105 */ 1106 #define LINKTYPE_NORDIC_BLE 272 1107 1108 /* 1109 * Excentis DOCSIS 3.1 RF sniffer (XRA-31) 1110 * per: bruno.verstuyft at excentis.com 1111 * https://www.xra31.com/xra-header 1112 */ 1113 #define LINKTYPE_DOCSIS31_XRA31 273 1114 1115 /* 1116 * mPackets, as specified by IEEE 802.3br Figure 99-4, starting 1117 * with the preamble and always ending with a CRC field. 1118 */ 1119 #define LINKTYPE_ETHERNET_MPACKET 274 1120 1121 /* 1122 * DisplayPort AUX channel monitoring data as specified by VESA 1123 * DisplayPort(DP) Standard preceded by a pseudo-header. 1124 * per dirk.eibach at gdsys.cc 1125 */ 1126 #define LINKTYPE_DISPLAYPORT_AUX 275 1127 1128 /* 1129 * Linux cooked sockets v2. 1130 */ 1131 #define LINKTYPE_LINUX_SLL2 276 1132 1133 /* 1134 * Sercos Monitor, per Manuel Jacob <manuel.jacob at steinbeis-stg.de> 1135 */ 1136 #define LINKTYPE_SERCOS_MONITOR 277 1137 1138 /* 1139 * OpenVizsla http://openvizsla.org is open source USB analyzer hardware. 1140 * It consists of FPGA with attached USB phy and FTDI chip for streaming 1141 * the data to the host PC. 1142 * 1143 * Current OpenVizsla data encapsulation format is described here: 1144 * https://github.com/matwey/libopenvizsla/wiki/OpenVizsla-protocol-description 1145 * 1146 */ 1147 #define LINKTYPE_OPENVIZSLA 278 1148 1149 /* 1150 * The Elektrobit High Speed Capture and Replay (EBHSCR) protocol is produced 1151 * by a PCIe Card for interfacing high speed automotive interfaces. 1152 * 1153 * The specification for this frame format can be found at: 1154 * https://www.elektrobit.com/ebhscr 1155 * 1156 * for Guenter.Ebermann at elektrobit.com 1157 * 1158 */ 1159 #define LINKTYPE_EBHSCR 279 1160 1161 /* 1162 * The https://fd.io vpp graph dispatch tracer produces pcap trace files 1163 * in the format documented here: 1164 * https://fdio-vpp.readthedocs.io/en/latest/gettingstarted/developers/vnet.html#graph-dispatcher-pcap-tracing 1165 */ 1166 #define LINKTYPE_VPP_DISPATCH 280 1167 1168 /* 1169 * Broadcom Ethernet switches (ROBO switch) 4 bytes proprietary tagging format. 1170 */ 1171 #define LINKTYPE_DSA_TAG_BRCM 281 1172 #define LINKTYPE_DSA_TAG_BRCM_PREPEND 282 1173 1174 /* 1175 * IEEE 802.15.4 with pseudo-header and optional meta-data TLVs, PHY payload 1176 * exactly as it appears in the spec (no padding, no nothing), and FCS if 1177 * specified by FCS Type TLV; requested by James Ko <jck@exegin.com>. 1178 * Specification at https://github.com/jkcko/ieee802.15.4-tap 1179 */ 1180 #define LINKTYPE_IEEE802_15_4_TAP 283 1181 1182 /* 1183 * Marvell (Ethertype) Distributed Switch Architecture proprietary tagging format. 1184 */ 1185 #define LINKTYPE_DSA_TAG_DSA 284 1186 #define LINKTYPE_DSA_TAG_EDSA 285 1187 1188 /* 1189 * Payload of lawful intercept packets using the ELEE protocol; 1190 * https://socket.hr/draft-dfranusic-opsawg-elee-00.xml 1191 * https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi?url=https://socket.hr/draft-dfranusic-opsawg-elee-00.xml&modeAsFormat=html/ascii 1192 */ 1193 #define LINKTYPE_ELEE 286 1194 1195 /* 1196 * Serial frames transmitted between a host and a Z-Wave chip. 1197 */ 1198 #define LINKTYPE_Z_WAVE_SERIAL 287 1199 1200 /* 1201 * USB 2.0, 1.1, and 1.0 packets as transmitted over the cable. 1202 */ 1203 #define LINKTYPE_USB_2_0 288 1204 1205 /* 1206 * ATSC Link-Layer Protocol (A/330) packets. 1207 */ 1208 #define LINKTYPE_ATSC_ALP 289 1209 1210 #define LINKTYPE_HIGH_MATCHING_MAX 289 /* highest value in the "matching" range */ 1211 1212 /* 1213 * The DLT_ and LINKTYPE_ values in the "matching" range should be the 1214 * same, so DLT_HIGH_MATCHING_MAX and LINKTYPE_HIGH_MATCHING_MAX should be the 1215 * same. 1216 */ 1217 #if LINKTYPE_HIGH_MATCHING_MAX != DLT_HIGH_MATCHING_MAX 1218 #error The LINKTYPE_ high matching range does not match the DLT_ matching range 1219 #endif 1220 1221 /* 1222 * Map a DLT_* code to the corresponding LINKTYPE_* code. 1223 * Used to generate link-layer types written to savefiles. 1224 */ 1225 int 1226 dlt_to_linktype(int dlt) 1227 { 1228 /* 1229 * All values in the low matching range were handed out before 1230 * assigning DLT_* codes became a free-for-all, so they're the 1231 * same on all platforms, and thus are given LINKTYPE_* codes 1232 * with the same numerical values as the corresponding DLT_* 1233 * code. 1234 */ 1235 if (dlt >= DLT_LOW_MATCHING_MIN && dlt <= DLT_LOW_MATCHING_MAX) 1236 return (dlt); 1237 1238 #if DLT_PFSYNC != LINKTYPE_PFSYNC 1239 /* 1240 * DLT_PFSYNC has a code on several platforms that's in the 1241 * non-matching range, a code on FreeBSD that's in the high 1242 * matching range and that's *not* equal to LINKTYPE_PFSYNC, 1243 * and has a code on the rmaining platforms that's equal 1244 * to LINKTYPE_PFSYNC, which is in the high matching range. 1245 * 1246 * Map it to LINKTYPE_PFSYNC if it's not equal to LINKTYPE_PFSYNC. 1247 */ 1248 if (dlt == DLT_PFSYNC) 1249 return (LINKTYPE_PFSYNC); 1250 #endif 1251 1252 /* 1253 * DLT_PKTAP is defined as DLT_USER2 - which is in the high 1254 * matching range - on Darwin because Apple used DLT_USER2 1255 * on systems that users ran, not just as an internal thing. 1256 * 1257 * We map it to LINKTYPE_PKTAP if it's not equal to LINKTYPE_PKTAP 1258 * so that DLT_PKTAP captures from Apple machines can be read by 1259 * software that either doesn't handle DLT_USER2 or that handles it 1260 * as something other than Apple PKTAP. 1261 */ 1262 #if DLT_PKTAP != LINKTYPE_PKTAP 1263 if (dlt == DLT_PKTAP) 1264 return (LINKTYPE_PKTAP); 1265 #endif 1266 1267 /* 1268 * For all other DLT_* codes in the high matching range, the DLT 1269 * code value is the same as the LINKTYPE_* code value. 1270 */ 1271 if (dlt >= DLT_HIGH_MATCHING_MIN && dlt <= DLT_HIGH_MATCHING_MAX) 1272 return (dlt); 1273 1274 /* 1275 * These DLT_* codes have different values on different 1276 * platforms, so we assigned them LINKTYPE_* codes just 1277 * below the lower bound of the high matchig range; 1278 * those values should never be equal to any DLT_* 1279 * code, so that should avoid collisions. 1280 * 1281 * That way, for example, "raw IP" packets will have 1282 * LINKTYPE_RAW as the code in all savefiles for 1283 * which the code that writes them maps to that 1284 * value, regardless of the platform on which they 1285 * were written, so they should be readable on all 1286 * platforms without having to determine on which 1287 * platform they were written. 1288 * 1289 * We map the DLT_* codes on this platform, whatever 1290 * it might be, to the corresponding LINKTYPE_* codes. 1291 */ 1292 if (dlt == DLT_ATM_RFC1483) 1293 return (LINKTYPE_ATM_RFC1483); 1294 if (dlt == DLT_RAW) 1295 return (LINKTYPE_RAW); 1296 if (dlt == DLT_SLIP_BSDOS) 1297 return (LINKTYPE_SLIP_BSDOS); 1298 if (dlt == DLT_PPP_BSDOS) 1299 return (LINKTYPE_PPP_BSDOS); 1300 1301 /* 1302 * These DLT_* codes were originally defined on some platform, 1303 * and weren't defined on other platforms. 1304 * 1305 * At least some of them have values, on at least one platform, 1306 * that collide with other DLT_* codes on other platforms, e.g. 1307 * DLT_LOOP, so we don't just define them, on all platforms, 1308 * as having the same value as on the original platform. 1309 * 1310 * Therefore, we assigned new LINKTYPE_* codes to them, and, 1311 * on the platforms where they weren't originally defined, 1312 * define the DLT_* codes to have the same value as the 1313 * corresponding LINKTYPE_* codes. 1314 * 1315 * This means that, for capture files with the original 1316 * platform's DLT_* code rather than the LINKTYPE_* code 1317 * as a link-layer type, we will recognize those types 1318 * on that platform, but not on other platforms. 1319 */ 1320 #ifdef DLT_FR 1321 /* BSD/OS Frame Relay */ 1322 if (dlt == DLT_FR) 1323 return (LINKTYPE_FRELAY); 1324 #endif 1325 #if DLT_HDLC != LINKTYPE_NETBSD_HDLC 1326 /* NetBSD HDLC */ 1327 if (dlt == DLT_HDLC) 1328 return (LINKTYPE_NETBSD_HDLC); 1329 #endif 1330 #if DLT_C_HDLC != LINKTYPE_C_HDLC 1331 /* BSD/OS Cisco HDLC */ 1332 if (dlt == DLT_C_HDLC) 1333 return (LINKTYPE_C_HDLC); 1334 #endif 1335 #if DLT_LOOP != LINKTYPE_LOOP 1336 /* OpenBSD DLT_LOOP */ 1337 if (dlt == DLT_LOOP) 1338 return (LINKTYPE_LOOP); 1339 #endif 1340 #if DLT_ENC != LINKTYPE_ENC 1341 /* OpenBSD DLT_ENC */ 1342 if (dlt == DLT_ENC) 1343 return (LINKTYPE_ENC); 1344 #endif 1345 1346 /* 1347 * These DLT_* codes are not on all platforms, but, so far, 1348 * there don't appear to be any platforms that define 1349 * other codes with those values; we map them to 1350 * different LINKTYPE_* codes anyway, just in case. 1351 */ 1352 /* Linux ATM Classical IP */ 1353 if (dlt == DLT_ATM_CLIP) 1354 return (LINKTYPE_ATM_CLIP); 1355 1356 /* 1357 * A few other values, defined on some platforms, not in 1358 * either matching range, but not colliding with anything 1359 * else, so they're given the same LINKTYPE_* code as 1360 * their DLT_* code. 1361 */ 1362 if (dlt == DLT_REDBACK_SMARTEDGE || dlt == DLT_PPP_SERIAL || 1363 dlt == DLT_PPP_ETHER || dlt == DLT_SYMANTEC_FIREWALL) 1364 return (dlt); 1365 1366 /* 1367 * If we don't have a mapping for this DLT_* code, return an 1368 * error; that means that this is a DLT_* value with no 1369 * corresponding LINKTYPE_ value, and we need to assign one. 1370 */ 1371 return (-1); 1372 } 1373 1374 /* 1375 * Map a LINKTYPE_* code to the corresponding DLT_* code. 1376 * Used to translate link-layer types in savefiles to the 1377 * DLT_* codes to provide to callers of libpcap. 1378 */ 1379 int 1380 linktype_to_dlt(int linktype) 1381 { 1382 /* 1383 * All values in the low matching range were handed out before 1384 * assigning DLT_* codes became a free-for-all, so they're the 1385 * same on all platforms, and are thus used as the LINKTYPE_* 1386 * codes in capture files. 1387 */ 1388 if (linktype >= LINKTYPE_LOW_MATCHING_MIN && 1389 linktype <= LINKTYPE_LOW_MATCHING_MAX) 1390 return (linktype); 1391 1392 #if LINKTYPE_PFSYNC != DLT_PFSYNC 1393 /* 1394 * DLT_PFSYNC has a code on several platforms that's in the 1395 * non-matching range, a code on FreeBSD that's in the high 1396 * matching range and that's *not* equal to LINKTYPE_PFSYNC, 1397 * and has a code on the rmaining platforms that's equal 1398 * to LINKTYPE_PFSYNC, which is in the high matching range. 1399 * 1400 * Map LINKTYPE_PFSYNC to whatever DLT_PFSYNC is on this 1401 * platform, if the two aren't equal. 1402 */ 1403 if (linktype == LINKTYPE_PFSYNC) 1404 return (DLT_PFSYNC); 1405 #endif 1406 1407 /* 1408 * DLT_PKTAP is defined as DLT_USER2 - which is in the high 1409 * matching range - on Darwin because Apple used DLT_USER2 1410 * on systems that users ran, not just as an internal thing. 1411 * 1412 * We map LINKTYPE_PKTAP to the platform's DLT_PKTAP for 1413 * the benefit of software that's expecting DLT_PKTAP 1414 * (even if that's DLT_USER2) for an Apple PKTAP capture. 1415 * 1416 * (Yes, this is an annoyance if you want to read a 1417 * LINKTYPE_USER2 packet as something other than DLT_PKTAP 1418 * on a Darwin-based OS, as, on that OS, DLT_PKTAP and DLT_USER2 1419 * are the same. Feel free to complain to Apple about this.) 1420 */ 1421 #if LINKTYPE_PKTAP != DLT_PKTAP 1422 if (linktype == LINKTYPE_PKTAP) 1423 return (DLT_PKTAP); 1424 #endif 1425 1426 /* 1427 * These DLT_* codes have different values on different 1428 * platforms, so we assigned them LINKTYPE_* codes just 1429 * below the lower bound of the high matchig range; 1430 * those values should never be equal to any DLT_* 1431 * code, so that should avoid collisions. 1432 * 1433 * That way, for example, "raw IP" packets will have 1434 * LINKTYPE_RAW as the code in all savefiles for 1435 * which the code that writes them maps to that 1436 * value, regardless of the platform on which they 1437 * were written, so they should be readable on all 1438 * platforms without having to determine on which 1439 * platform they were written. 1440 * 1441 * We map the LINKTYPE_* codes to the corresponding 1442 * DLT_* code on this platform. 1443 */ 1444 if (linktype == LINKTYPE_ATM_RFC1483) 1445 return (DLT_ATM_RFC1483); 1446 if (linktype == LINKTYPE_RAW) 1447 return (DLT_RAW); 1448 if (linktype == LINKTYPE_SLIP_BSDOS) 1449 return (DLT_SLIP_BSDOS); 1450 if (linktype == LINKTYPE_PPP_BSDOS) 1451 return (DLT_PPP_BSDOS); 1452 1453 /* 1454 * These DLT_* codes were originally defined on some platform, 1455 * and weren't defined on other platforms. 1456 * 1457 * At least some of them have values, on at least one platform, 1458 * that collide with other DLT_* codes on other platforms, e.g. 1459 * DLT_LOOP, so we don't just define them, on all platforms, 1460 * as having the same value as on the original platform. 1461 * 1462 * Therefore, we assigned new LINKTYPE_* codes to them, and, 1463 * on the platforms where they weren't originally defined, 1464 * define the DLT_* codes to have the same value as the 1465 * corresponding LINKTYPE_* codes. 1466 * 1467 * This means that, for capture files with the original 1468 * platform's DLT_* code rather than the LINKTYPE_* code 1469 * as a link-layer type, we will recognize those types 1470 * on that platform, but not on other platforms. 1471 * 1472 * We map the LINKTYPE_* codes to the corresponding 1473 * DLT_* code on platforms where the two codes differ.. 1474 */ 1475 #ifdef DLT_FR 1476 /* BSD/OS Frame Relay */ 1477 if (linktype == LINKTYPE_FRELAY) 1478 return (DLT_FR); 1479 #endif 1480 #if LINKTYPE_NETBSD_HDLC != DLT_HDLC 1481 /* NetBSD HDLC */ 1482 if (linktype == LINKTYPE_NETBSD_HDLC) 1483 return (DLT_HDLC); 1484 #endif 1485 #if LINKTYPE_C_HDLC != DLT_C_HDLC 1486 /* BSD/OS Cisco HDLC */ 1487 if (linktype == LINKTYPE_C_HDLC) 1488 return (DLT_C_HDLC); 1489 #endif 1490 #if LINKTYPE_LOOP != DLT_LOOP 1491 /* OpenBSD DLT_LOOP */ 1492 if (linktype == LINKTYPE_LOOP) 1493 return (DLT_LOOP); 1494 #endif 1495 #if LINKTYPE_ENC != DLT_ENC 1496 /* OpenBSD DLT_ENC */ 1497 if (linktype == LINKTYPE_ENC) 1498 return (DLT_ENC); 1499 #endif 1500 1501 /* 1502 * These DLT_* codes are not on all platforms, but, so far, 1503 * there don't appear to be any platforms that define 1504 * other codes with those values; we map them to 1505 * different LINKTYPE_* values anyway, just in case. 1506 * 1507 * LINKTYPE_ATM_CLIP is a special case. DLT_ATM_CLIP is 1508 * not on all platforms, but, so far, there don't appear 1509 * to be any platforms that define it as anything other 1510 * than 19; we define LINKTYPE_ATM_CLIP as something 1511 * other than 19, just in case. That value is in the 1512 * high matching range, so we have to check for it. 1513 */ 1514 /* Linux ATM Classical IP */ 1515 if (linktype == LINKTYPE_ATM_CLIP) 1516 return (DLT_ATM_CLIP); 1517 1518 /* 1519 * For all other values, return the linktype code as the 1520 * DLT_* code. 1521 * 1522 * If the code is in the high matching range, the 1523 * DLT_* code is the same as the LINKTYPE_* code. 1524 * 1525 * If the code is greater than the maximum value in 1526 * the high matching range, it may be a value from 1527 * a newer version of libpcap; we provide it in case 1528 * the program' capable of handling it. 1529 * 1530 * If the code is less than the minimum value in the 1531 * high matching range, it might be from a capture 1532 * written by code that doesn't map non-matching range 1533 * DLT_* codes to the appropriate LINKTYPE_* code, so 1534 * we'll just pass it through, so that *if it was written 1535 * on this platform* it will be interpreted correctly. 1536 * (We don't know whether it was written on this platform, 1537 * but at least this way there's *some* chance that it 1538 * can be read.) 1539 */ 1540 return linktype; 1541 } 1542 1543 /* 1544 * Return the maximum snapshot length for a given DLT_ value. 1545 * 1546 * For most link-layer types, we use MAXIMUM_SNAPLEN. 1547 * 1548 * For DLT_DBUS, the maximum is 128MiB, as per 1549 * 1550 * https://dbus.freedesktop.org/doc/dbus-specification.html#message-protocol-messages 1551 * 1552 * For DLT_EBHSCR, the maximum is 8MiB, as per 1553 * 1554 * https://www.elektrobit.com/ebhscr 1555 * 1556 * For DLT_USBPCAP, the maximum is 1MiB, as per 1557 * 1558 * https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15985 1559 */ 1560 u_int 1561 max_snaplen_for_dlt(int dlt) 1562 { 1563 switch (dlt) { 1564 1565 case DLT_DBUS: 1566 return 128*1024*1024; 1567 1568 case DLT_EBHSCR: 1569 return 8*1024*1024; 1570 1571 case DLT_USBPCAP: 1572 return 1024*1024; 1573 1574 default: 1575 return MAXIMUM_SNAPLEN; 1576 } 1577 }