Coverage Report

Created: 2024-01-20 12:29

/src/libpcap/pcap-common.c
Line
Count
Source (jump to first uncovered line)
1
/*
2
 * Copyright (c) 1993, 1994, 1995, 1996, 1997
3
 *  The Regents of the University of California.  All rights reserved.
4
 *
5
 * Redistribution and use in source and binary forms, with or without
6
 * modification, are permitted provided that: (1) source code distributions
7
 * retain the above copyright notice and this paragraph in its entirety, (2)
8
 * distributions including binary code include the above copyright notice and
9
 * this paragraph in its entirety in the documentation or other materials
10
 * provided with the distribution, and (3) all advertising materials mentioning
11
 * features or use of this software display the following acknowledgement:
12
 * ``This product includes software developed by the University of California,
13
 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
14
 * the University nor the names of its contributors may be used to endorse
15
 * or promote products derived from this software without specific prior
16
 * written permission.
17
 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
18
 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
19
 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
20
 *
21
 * pcap-common.c - common code for pcap and pcapng files
22
 */
23
24
#ifdef HAVE_CONFIG_H
25
#include <config.h>
26
#endif
27
28
#include <pcap-types.h>
29
30
#include "pcap-int.h"
31
32
#include "pcap-common.h"
33
34
/*
35
 * We don't write DLT_* values to capture files, because they're not the
36
 * same on all platforms.
37
 *
38
 * Unfortunately, the various flavors of BSD have not always used the same
39
 * numerical values for the same data types, and various patches to
40
 * libpcap for non-BSD OSes have added their own DLT_* codes for link
41
 * layer encapsulation types seen on those OSes, and those codes have had,
42
 * in some cases, values that were also used, on other platforms, for other
43
 * link layer encapsulation types.
44
 *
45
 * This means that capture files of a type whose numerical DLT_* code
46
 * means different things on different BSDs, or with different versions
47
 * of libpcap, can't always be read on systems other than those like
48
 * the one running on the machine on which the capture was made.
49
 *
50
 * Instead, we define here a set of LINKTYPE_* codes, and map DLT_* codes
51
 * to LINKTYPE_* codes when writing a savefile header, and map LINKTYPE_*
52
 * codes to DLT_* codes when reading a savefile header.
53
 *
54
 * For those DLT_* codes that have, as far as we know, the same values on
55
 * all platforms (DLT_NULL through DLT_FDDI), we define LINKTYPE_xxx as
56
 * DLT_xxx; that way, captures of those types can still be read by
57
 * versions of libpcap that map LINKTYPE_* values to DLT_* values, and
58
 * captures of those types written by versions of libpcap that map DLT_
59
 * values to LINKTYPE_ values can still be read by older versions
60
 * of libpcap.
61
 *
62
 * The other LINKTYPE_* codes are given values starting at 100, in the
63
 * hopes that no DLT_* code will be given one of those values.
64
 *
65
 * In order to ensure that a given LINKTYPE_* code's value will refer to
66
 * the same encapsulation type on all platforms, you should not allocate
67
 * a new LINKTYPE_* value without consulting
68
 * "tcpdump-workers@lists.tcpdump.org".  The tcpdump developers will
69
 * allocate a value for you, and will not subsequently allocate it to
70
 * anybody else; that value will be added to the "pcap.h" in the
71
 * tcpdump.org Git repository, so that a future libpcap release will
72
 * include it.
73
 *
74
 * You should, if possible, also contribute patches to libpcap and tcpdump
75
 * to handle the new encapsulation type, so that they can also be checked
76
 * into the tcpdump.org Git repository and so that they will appear in
77
 * future libpcap and tcpdump releases.
78
 *
79
 * Do *NOT* assume that any values after the largest value in this file
80
 * are available; you might not have the most up-to-date version of this
81
 * file, and new values after that one might have been assigned.  Also,
82
 * do *NOT* use any values below 100 - those might already have been
83
 * taken by one (or more!) organizations.
84
 *
85
 * Any platform that defines additional DLT_* codes should:
86
 *
87
 *  request a LINKTYPE_* code and value from tcpdump.org,
88
 *  as per the above;
89
 *
90
 *  add, in their version of libpcap, an entry to map
91
 *  those DLT_* codes to the corresponding LINKTYPE_*
92
 *  code;
93
 *
94
 *  redefine, in their "net/bpf.h", any DLT_* values
95
 *  that collide with the values used by their additional
96
 *  DLT_* codes, to remove those collisions (but without
97
 *  making them collide with any of the LINKTYPE_*
98
 *  values equal to 50 or above; they should also avoid
99
 *  defining DLT_* values that collide with those
100
 *  LINKTYPE_* values, either).
101
 */
102
#define LINKTYPE_NULL   DLT_NULL
103
#define LINKTYPE_ETHERNET DLT_EN10MB  /* also for 100Mb and up */
104
#define LINKTYPE_EXP_ETHERNET DLT_EN3MB /* 3Mb experimental Ethernet */
105
#define LINKTYPE_AX25   DLT_AX25
106
#define LINKTYPE_PRONET   DLT_PRONET
107
#define LINKTYPE_CHAOS    DLT_CHAOS
108
#define LINKTYPE_IEEE802_5  DLT_IEEE802 /* DLT_IEEE802 is used for 802.5 Token Ring */
109
#define LINKTYPE_ARCNET_BSD DLT_ARCNET  /* BSD-style headers */
110
#define LINKTYPE_SLIP   DLT_SLIP
111
#define LINKTYPE_PPP    DLT_PPP
112
#define LINKTYPE_FDDI   DLT_FDDI
113
114
/*
115
 * LINKTYPE_PPP is for use when there might, or might not, be an RFC 1662
116
 * PPP in HDLC-like framing header (with 0xff 0x03 before the PPP protocol
117
 * field) at the beginning of the packet.
118
 *
119
 * This is for use when there is always such a header; the address field
120
 * might be 0xff, for regular PPP, or it might be an address field for Cisco
121
 * point-to-point with HDLC framing as per section 4.3.1 of RFC 1547 ("Cisco
122
 * HDLC").  This is, for example, what you get with NetBSD's DLT_PPP_SERIAL.
123
 *
124
 * We give it the same value as NetBSD's DLT_PPP_SERIAL, in the hopes that
125
 * nobody else will choose a DLT_ value of 50, and so that DLT_PPP_SERIAL
126
 * captures will be written out with a link type that NetBSD's tcpdump
127
 * can read.
128
 */
129
#define LINKTYPE_PPP_HDLC 50    /* PPP in HDLC-like framing */
130
131
#define LINKTYPE_PPP_ETHER  51    /* NetBSD PPP-over-Ethernet */
132
133
#define LINKTYPE_SYMANTEC_FIREWALL 99   /* Symantec Enterprise Firewall */
134
135
/*
136
 * These correspond to DLT_s that have different values on different
137
 * platforms; we map between these values in capture files and
138
 * the DLT_ values as returned by pcap_datalink() and passed to
139
 * pcap_open_dead().
140
 */
141
#define LINKTYPE_ATM_RFC1483  100   /* LLC/SNAP-encapsulated ATM */
142
#define LINKTYPE_RAW    101   /* raw IP */
143
#define LINKTYPE_SLIP_BSDOS 102   /* BSD/OS SLIP BPF header */
144
#define LINKTYPE_PPP_BSDOS  103   /* BSD/OS PPP BPF header */
145
146
/*
147
 * Values starting with 104 are used for newly-assigned link-layer
148
 * header type values; for those link-layer header types, the DLT_
149
 * value returned by pcap_datalink() and passed to pcap_open_dead(),
150
 * and the LINKTYPE_ value that appears in capture files, are the
151
 * same.
152
 *
153
 * LINKTYPE_MATCHING_MIN is the lowest such value; LINKTYPE_MATCHING_MAX
154
 * is the highest such value.
155
 */
156
0
#define LINKTYPE_MATCHING_MIN 104    /* lowest value in the "matching" range */
157
158
#define LINKTYPE_C_HDLC   104   /* Cisco HDLC */
159
#define LINKTYPE_IEEE802_11 105   /* IEEE 802.11 (wireless) */
160
0
#define LINKTYPE_ATM_CLIP 106    /* Linux Classical IP over ATM */
161
#define LINKTYPE_FRELAY   107   /* Frame Relay */
162
#define LINKTYPE_LOOP   108   /* OpenBSD loopback */
163
#define LINKTYPE_ENC    109   /* OpenBSD IPSEC enc */
164
165
/*
166
 * These two types are reserved for future use.
167
 */
168
#define LINKTYPE_LANE8023 110   /* ATM LANE + 802.3 */
169
#define LINKTYPE_HIPPI    111   /* NetBSD HIPPI */
170
171
/*
172
 * Used for NetBSD DLT_HDLC; from looking at the one driver in NetBSD
173
 * that uses it, it's Cisco HDLC, so it's the same as DLT_C_HDLC/
174
 * LINKTYPE_C_HDLC, but we define a separate value to avoid some
175
 * compatibility issues with programs on NetBSD.
176
 *
177
 * All code should treat LINKTYPE_NETBSD_HDLC and LINKTYPE_C_HDLC the same.
178
 */
179
#define LINKTYPE_NETBSD_HDLC  112   /* NetBSD HDLC framing */
180
181
#define LINKTYPE_LINUX_SLL  113   /* Linux cooked socket capture */
182
#define LINKTYPE_LTALK    114   /* Apple LocalTalk hardware */
183
#define LINKTYPE_ECONET   115   /* Acorn Econet */
184
185
/*
186
 * Reserved for use with OpenBSD ipfilter.
187
 */
188
#define LINKTYPE_IPFILTER 116
189
190
#define LINKTYPE_PFLOG    117   /* OpenBSD DLT_PFLOG */
191
#define LINKTYPE_CISCO_IOS  118   /* For Cisco-internal use */
192
#define LINKTYPE_IEEE802_11_PRISM 119   /* 802.11 plus Prism II monitor mode radio metadata header */
193
#define LINKTYPE_IEEE802_11_AIRONET 120   /* 802.11 plus FreeBSD Aironet driver radio metadata header */
194
195
/*
196
 * Reserved for Siemens HiPath HDLC.
197
 */
198
#define LINKTYPE_HHDLC    121
199
200
#define LINKTYPE_IP_OVER_FC 122   /* RFC 2625 IP-over-Fibre Channel */
201
#define LINKTYPE_SUNATM   123   /* Solaris+SunATM */
202
203
/*
204
 * Reserved as per request from Kent Dahlgren <kent@praesum.com>
205
 * for private use.
206
 */
207
#define LINKTYPE_RIO    124   /* RapidIO */
208
#define LINKTYPE_PCI_EXP  125   /* PCI Express */
209
#define LINKTYPE_AURORA   126   /* Xilinx Aurora link layer */
210
211
#define LINKTYPE_IEEE802_11_RADIOTAP 127  /* 802.11 plus radiotap radio metadata header */
212
213
/*
214
 * Reserved for the TZSP encapsulation, as per request from
215
 * Chris Waters <chris.waters@networkchemistry.com>
216
 * TZSP is a generic encapsulation for any other link type,
217
 * which includes a means to include meta-information
218
 * with the packet, e.g. signal strength and channel
219
 * for 802.11 packets.
220
 */
221
#define LINKTYPE_TZSP   128   /* Tazmen Sniffer Protocol */
222
223
#define LINKTYPE_ARCNET_LINUX 129   /* Linux-style headers */
224
225
/*
226
 * Juniper-private data link types, as per request from
227
 * Hannes Gredler <hannes@juniper.net>.  The corresponding
228
 * DLT_s are used for passing on chassis-internal
229
 * metainformation such as QOS profiles, etc..
230
 */
231
#define LINKTYPE_JUNIPER_MLPPP  130
232
#define LINKTYPE_JUNIPER_MLFR   131
233
#define LINKTYPE_JUNIPER_ES     132
234
#define LINKTYPE_JUNIPER_GGSN   133
235
#define LINKTYPE_JUNIPER_MFR    134
236
#define LINKTYPE_JUNIPER_ATM2   135
237
#define LINKTYPE_JUNIPER_SERVICES 136
238
#define LINKTYPE_JUNIPER_ATM1   137
239
240
#define LINKTYPE_APPLE_IP_OVER_IEEE1394 138 /* Apple IP-over-IEEE 1394 cooked header */
241
242
#define LINKTYPE_MTP2_WITH_PHDR 139
243
#define LINKTYPE_MTP2   140
244
#define LINKTYPE_MTP3   141
245
#define LINKTYPE_SCCP   142
246
247
#define LINKTYPE_DOCSIS   143   /* DOCSIS MAC frames */
248
249
#define LINKTYPE_LINUX_IRDA 144   /* Linux-IrDA */
250
251
/*
252
 * Reserved for IBM SP switch and IBM Next Federation switch.
253
 */
254
#define LINKTYPE_IBM_SP   145
255
#define LINKTYPE_IBM_SN   146
256
257
/*
258
 * Reserved for private use.  If you have some link-layer header type
259
 * that you want to use within your organization, with the capture files
260
 * using that link-layer header type not ever be sent outside your
261
 * organization, you can use these values.
262
 *
263
 * No libpcap release will use these for any purpose, nor will any
264
 * tcpdump release use them, either.
265
 *
266
 * Do *NOT* use these in capture files that you expect anybody not using
267
 * your private versions of capture-file-reading tools to read; in
268
 * particular, do *NOT* use them in products, otherwise you may find that
269
 * people won't be able to use tcpdump, or snort, or Ethereal, or... to
270
 * read capture files from your firewall/intrusion detection/traffic
271
 * monitoring/etc. appliance, or whatever product uses that LINKTYPE_ value,
272
 * and you may also find that the developers of those applications will
273
 * not accept patches to let them read those files.
274
 *
275
 * Also, do not use them if somebody might send you a capture using them
276
 * for *their* private type and tools using them for *your* private type
277
 * would have to read them.
278
 *
279
 * Instead, in those cases, ask "tcpdump-workers@lists.tcpdump.org" for a
280
 * new DLT_ and LINKTYPE_ value, as per the comment in pcap/bpf.h, and use
281
 * the type you're given.
282
 */
283
#define LINKTYPE_USER0    147
284
#define LINKTYPE_USER1    148
285
#define LINKTYPE_USER2    149
286
#define LINKTYPE_USER3    150
287
#define LINKTYPE_USER4    151
288
#define LINKTYPE_USER5    152
289
#define LINKTYPE_USER6    153
290
#define LINKTYPE_USER7    154
291
#define LINKTYPE_USER8    155
292
#define LINKTYPE_USER9    156
293
#define LINKTYPE_USER10   157
294
#define LINKTYPE_USER11   158
295
#define LINKTYPE_USER12   159
296
#define LINKTYPE_USER13   160
297
#define LINKTYPE_USER14   161
298
#define LINKTYPE_USER15   162
299
300
/*
301
 * For future use with 802.11 captures - defined by AbsoluteValue
302
 * Systems to store a number of bits of link-layer information
303
 * including radio information:
304
 *
305
 *  http://www.shaftnet.org/~pizza/software/capturefrm.txt
306
 */
307
#define LINKTYPE_IEEE802_11_AVS 163 /* 802.11 plus AVS radio metadata header */
308
309
/*
310
 * Juniper-private data link type, as per request from
311
 * Hannes Gredler <hannes@juniper.net>.  The corresponding
312
 * DLT_s are used for passing on chassis-internal
313
 * metainformation such as QOS profiles, etc..
314
 */
315
#define LINKTYPE_JUNIPER_MONITOR 164
316
317
/*
318
 * BACnet MS/TP frames.
319
 */
320
#define LINKTYPE_BACNET_MS_TP 165
321
322
/*
323
 * Another PPP variant as per request from Karsten Keil <kkeil@suse.de>.
324
 *
325
 * This is used in some OSes to allow a kernel socket filter to distinguish
326
 * between incoming and outgoing packets, on a socket intended to
327
 * supply pppd with outgoing packets so it can do dial-on-demand and
328
 * hangup-on-lack-of-demand; incoming packets are filtered out so they
329
 * don't cause pppd to hold the connection up (you don't want random
330
 * input packets such as port scans, packets from old lost connections,
331
 * etc. to force the connection to stay up).
332
 *
333
 * The first byte of the PPP header (0xff03) is modified to accommodate
334
 * the direction - 0x00 = IN, 0x01 = OUT.
335
 */
336
#define LINKTYPE_PPP_PPPD 166
337
338
/*
339
 * Juniper-private data link type, as per request from
340
 * Hannes Gredler <hannes@juniper.net>.  The DLT_s are used
341
 * for passing on chassis-internal metainformation such as
342
 * QOS profiles, cookies, etc..
343
 */
344
#define LINKTYPE_JUNIPER_PPPOE     167
345
#define LINKTYPE_JUNIPER_PPPOE_ATM 168
346
347
#define LINKTYPE_GPRS_LLC 169   /* GPRS LLC */
348
#define LINKTYPE_GPF_T    170   /* GPF-T (ITU-T G.7041/Y.1303) */
349
#define LINKTYPE_GPF_F    171   /* GPF-F (ITU-T G.7041/Y.1303) */
350
351
/*
352
 * Requested by Oolan Zimmer <oz@gcom.com> for use in Gcom's T1/E1 line
353
 * monitoring equipment.
354
 */
355
#define LINKTYPE_GCOM_T1E1  172
356
#define LINKTYPE_GCOM_SERIAL  173
357
358
/*
359
 * Juniper-private data link type, as per request from
360
 * Hannes Gredler <hannes@juniper.net>.  The DLT_ is used
361
 * for internal communication to Physical Interface Cards (PIC)
362
 */
363
#define LINKTYPE_JUNIPER_PIC_PEER    174
364
365
/*
366
 * Link types requested by Gregor Maier <gregor@endace.com> of Endace
367
 * Measurement Systems.  They add an ERF header (see
368
 * https://www.endace.com/support/EndaceRecordFormat.pdf) in front of
369
 * the link-layer header.
370
 */
371
#define LINKTYPE_ERF_ETH  175 /* Ethernet */
372
#define LINKTYPE_ERF_POS  176 /* Packet-over-SONET */
373
374
/*
375
 * Requested by Daniele Orlandi <daniele@orlandi.com> for raw LAPD
376
 * for vISDN (http://www.orlandi.com/visdn/).  Its link-layer header
377
 * includes additional information before the LAPD header, so it's
378
 * not necessarily a generic LAPD header.
379
 */
380
#define LINKTYPE_LINUX_LAPD 177
381
382
/*
383
 * Juniper-private data link type, as per request from
384
 * Hannes Gredler <hannes@juniper.net>.
385
 * The Link Types are used for prepending meta-information
386
 * like interface index, interface name
387
 * before standard Ethernet, PPP, Frelay & C-HDLC Frames
388
 */
389
#define LINKTYPE_JUNIPER_ETHER  178
390
#define LINKTYPE_JUNIPER_PPP    179
391
#define LINKTYPE_JUNIPER_FRELAY 180
392
#define LINKTYPE_JUNIPER_CHDLC  181
393
394
/*
395
 * Multi Link Frame Relay (FRF.16)
396
 */
397
#define LINKTYPE_MFR            182
398
399
/*
400
 * Juniper-private data link type, as per request from
401
 * Hannes Gredler <hannes@juniper.net>.
402
 * The DLT_ is used for internal communication with a
403
 * voice Adapter Card (PIC)
404
 */
405
#define LINKTYPE_JUNIPER_VP     183
406
407
/*
408
 * Arinc 429 frames.
409
 * DLT_ requested by Gianluca Varenni <gianluca.varenni@cacetech.com>.
410
 * Every frame contains a 32bit A429 label.
411
 * More documentation on Arinc 429 can be found at
412
 * https://web.archive.org/web/20040616233302/https://www.condoreng.com/support/downloads/tutorials/ARINCTutorial.pdf
413
 */
414
#define LINKTYPE_A429           184
415
416
/*
417
 * Arinc 653 Interpartition Communication messages.
418
 * DLT_ requested by Gianluca Varenni <gianluca.varenni@cacetech.com>.
419
 * Please refer to the A653-1 standard for more information.
420
 */
421
#define LINKTYPE_A653_ICM       185
422
423
/*
424
 * This used to be "USB packets, beginning with a USB setup header;
425
 * requested by Paolo Abeni <paolo.abeni@email.it>."
426
 *
427
 * However, that header didn't work all that well - it left out some
428
 * useful information - and was abandoned in favor of the DLT_USB_LINUX
429
 * header.
430
 *
431
 * This is now used by FreeBSD for its BPF taps for USB; that has its
432
 * own headers.  So it is written, so it is done.
433
 */
434
#define LINKTYPE_USB_FREEBSD  186
435
436
/*
437
 * Bluetooth HCI UART transport layer (part H:4); requested by
438
 * Paolo Abeni.
439
 */
440
#define LINKTYPE_BLUETOOTH_HCI_H4 187
441
442
/*
443
 * IEEE 802.16 MAC Common Part Sublayer; requested by Maria Cruz
444
 * <cruz_petagay@bah.com>.
445
 */
446
#define LINKTYPE_IEEE802_16_MAC_CPS 188
447
448
/*
449
 * USB packets, beginning with a Linux USB header; requested by
450
 * Paolo Abeni <paolo.abeni@email.it>.
451
 */
452
#define LINKTYPE_USB_LINUX    189
453
454
/*
455
 * Controller Area Network (CAN) v. 2.0B packets.
456
 * DLT_ requested by Gianluca Varenni <gianluca.varenni@cacetech.com>.
457
 * Used to dump CAN packets coming from a CAN Vector board.
458
 * More documentation on the CAN v2.0B frames can be found at
459
 * http://www.can-cia.org/downloads/?269
460
 */
461
#define LINKTYPE_CAN20B         190
462
463
/*
464
 * IEEE 802.15.4, with address fields padded, as is done by Linux
465
 * drivers; requested by Juergen Schimmer.
466
 */
467
#define LINKTYPE_IEEE802_15_4_LINUX 191
468
469
/*
470
 * Per Packet Information encapsulated packets.
471
 * LINKTYPE_ requested by Gianluca Varenni <gianluca.varenni@cacetech.com>.
472
 */
473
#define LINKTYPE_PPI      192
474
475
/*
476
 * Header for 802.16 MAC Common Part Sublayer plus a radiotap radio header;
477
 * requested by Charles Clancy.
478
 */
479
#define LINKTYPE_IEEE802_16_MAC_CPS_RADIO 193
480
481
/*
482
 * Juniper-private data link type, as per request from
483
 * Hannes Gredler <hannes@juniper.net>.
484
 * The DLT_ is used for internal communication with a
485
 * integrated service module (ISM).
486
 */
487
#define LINKTYPE_JUNIPER_ISM    194
488
489
/*
490
 * IEEE 802.15.4, exactly as it appears in the spec (no padding, no
491
 * nothing), and with the FCS at the end of the frame; requested by
492
 * Mikko Saarnivala <mikko.saarnivala@sensinode.com>.
493
 *
494
 * This should only be used if the FCS is present at the end of the
495
 * frame; if the frame has no FCS, DLT_IEEE802_15_4_NOFCS should be
496
 * used.
497
 */
498
#define LINKTYPE_IEEE802_15_4_WITHFCS 195
499
500
/*
501
 * Various link-layer types, with a pseudo-header, for SITA
502
 * (https://www.sita.aero/); requested by Fulko Hew (fulko.hew@gmail.com).
503
 */
504
#define LINKTYPE_SITA   196
505
506
/*
507
 * Various link-layer types, with a pseudo-header, for Endace DAG cards;
508
 * encapsulates Endace ERF records.  Requested by Stephen Donnelly
509
 * <stephen@endace.com>.
510
 */
511
#define LINKTYPE_ERF    197
512
513
/*
514
 * Special header prepended to Ethernet packets when capturing from a
515
 * u10 Networks board.  Requested by Phil Mulholland
516
 * <phil@u10networks.com>.
517
 */
518
#define LINKTYPE_RAIF1    198
519
520
/*
521
 * IPMB packet for IPMI, beginning with a 2-byte header, followed by
522
 * the I2C slave address, followed by the netFn and LUN, etc..
523
 * Requested by Chanthy Toeung <chanthy.toeung@ca.kontron.com>.
524
 *
525
 * XXX - its DLT_ value used to be called DLT_IPMB, back when we got the
526
 * impression from the email thread requesting it that the packet
527
 * had no extra 2-byte header.  We've renamed it; if anybody used
528
 * DLT_IPMB and assumed no 2-byte header, this will cause the compile
529
 * to fail, at which point we'll have to figure out what to do about
530
 * the two header types using the same DLT_/LINKTYPE_ value.  If that
531
 * doesn't happen, we'll assume nobody used it and that the redefinition
532
 * is safe.
533
 */
534
#define LINKTYPE_IPMB_KONTRON 199
535
536
/*
537
 * Juniper-private data link type, as per request from
538
 * Hannes Gredler <hannes@juniper.net>.
539
 * The DLT_ is used for capturing data on a secure tunnel interface.
540
 */
541
#define LINKTYPE_JUNIPER_ST     200
542
543
/*
544
 * Bluetooth HCI UART transport layer (part H:4), with pseudo-header
545
 * that includes direction information; requested by Paolo Abeni.
546
 */
547
#define LINKTYPE_BLUETOOTH_HCI_H4_WITH_PHDR 201
548
549
/*
550
 * AX.25 packet with a 1-byte KISS header; see
551
 *
552
 *  http://www.ax25.net/kiss.htm
553
 *
554
 * as per Richard Stearn <richard@rns-stearn.demon.co.uk>.
555
 */
556
#define LINKTYPE_AX25_KISS  202
557
558
/*
559
 * LAPD packets from an ISDN channel, starting with the address field,
560
 * with no pseudo-header.
561
 * Requested by Varuna De Silva <varunax@gmail.com>.
562
 */
563
#define LINKTYPE_LAPD   203
564
565
/*
566
 * PPP, with a one-byte direction pseudo-header prepended - zero means
567
 * "received by this host", non-zero (any non-zero value) means "sent by
568
 * this host" - as per Will Barker <w.barker@zen.co.uk>.
569
 */
570
#define LINKTYPE_PPP_WITH_DIR 204 /* Don't confuse with LINKTYPE_PPP_PPPD */
571
572
/*
573
 * Cisco HDLC, with a one-byte direction pseudo-header prepended - zero
574
 * means "received by this host", non-zero (any non-zero value) means
575
 * "sent by this host" - as per Will Barker <w.barker@zen.co.uk>.
576
 */
577
#define LINKTYPE_C_HDLC_WITH_DIR 205  /* Cisco HDLC */
578
579
/*
580
 * Frame Relay, with a one-byte direction pseudo-header prepended - zero
581
 * means "received by this host" (DCE -> DTE), non-zero (any non-zero
582
 * value) means "sent by this host" (DTE -> DCE) - as per Will Barker
583
 * <w.barker@zen.co.uk>.
584
 */
585
#define LINKTYPE_FRELAY_WITH_DIR 206  /* Frame Relay */
586
587
/*
588
 * LAPB, with a one-byte direction pseudo-header prepended - zero means
589
 * "received by this host" (DCE -> DTE), non-zero (any non-zero value)
590
 * means "sent by this host" (DTE -> DCE)- as per Will Barker
591
 * <w.barker@zen.co.uk>.
592
 */
593
#define LINKTYPE_LAPB_WITH_DIR  207 /* LAPB */
594
595
/*
596
 * 208 is reserved for an as-yet-unspecified proprietary link-layer
597
 * type, as requested by Will Barker.
598
 */
599
600
/*
601
 * IPMB with a Linux-specific pseudo-header; as requested by Alexey Neyman
602
 * <avn@pigeonpoint.com>.
603
 */
604
#define LINKTYPE_IPMB_LINUX 209
605
606
/*
607
 * FlexRay automotive bus - http://www.flexray.com/ - as requested
608
 * by Hannes Kaelber <hannes.kaelber@x2e.de>.
609
 */
610
#define LINKTYPE_FLEXRAY  210
611
612
/*
613
 * Media Oriented Systems Transport (MOST) bus for multimedia
614
 * transport - https://www.mostcooperation.com/ - as requested
615
 * by Hannes Kaelber <hannes.kaelber@x2e.de>.
616
 */
617
#define LINKTYPE_MOST   211
618
619
/*
620
 * Local Interconnect Network (LIN) bus for vehicle networks -
621
 * http://www.lin-subbus.org/ - as requested by Hannes Kaelber
622
 * <hannes.kaelber@x2e.de>.
623
 */
624
#define LINKTYPE_LIN    212
625
626
/*
627
 * X2E-private data link type used for serial line capture,
628
 * as requested by Hannes Kaelber <hannes.kaelber@x2e.de>.
629
 */
630
#define LINKTYPE_X2E_SERIAL 213
631
632
/*
633
 * X2E-private data link type used for the Xoraya data logger
634
 * family, as requested by Hannes Kaelber <hannes.kaelber@x2e.de>.
635
 */
636
#define LINKTYPE_X2E_XORAYA 214
637
638
/*
639
 * IEEE 802.15.4, exactly as it appears in the spec (no padding, no
640
 * nothing), but with the PHY-level data for non-ASK PHYs (4 octets
641
 * of 0 as preamble, one octet of SFD, one octet of frame length+
642
 * reserved bit, and then the MAC-layer data, starting with the
643
 * frame control field).
644
 *
645
 * Requested by Max Filippov <jcmvbkbc@gmail.com>.
646
 */
647
#define LINKTYPE_IEEE802_15_4_NONASK_PHY  215
648
649
/*
650
 * David Gibson <david@gibson.dropbear.id.au> requested this for
651
 * captures from the Linux kernel /dev/input/eventN devices. This
652
 * is used to communicate keystrokes and mouse movements from the
653
 * Linux kernel to display systems, such as Xorg.
654
 */
655
#define LINKTYPE_LINUX_EVDEV  216
656
657
/*
658
 * GSM Um and Abis interfaces, preceded by a "gsmtap" header.
659
 *
660
 * Requested by Harald Welte <laforge@gnumonks.org>.
661
 */
662
#define LINKTYPE_GSMTAP_UM  217
663
#define LINKTYPE_GSMTAP_ABIS  218
664
665
/*
666
 * MPLS, with an MPLS label as the link-layer header.
667
 * Requested by Michele Marchetto <michele@openbsd.org> on behalf
668
 * of OpenBSD.
669
 */
670
#define LINKTYPE_MPLS   219
671
672
/*
673
 * USB packets, beginning with a Linux USB header, with the USB header
674
 * padded to 64 bytes; required for memory-mapped access.
675
 */
676
#define LINKTYPE_USB_LINUX_MMAPPED    220
677
678
/*
679
 * DECT packets, with a pseudo-header; requested by
680
 * Matthias Wenzel <tcpdump@mazzoo.de>.
681
 */
682
#define LINKTYPE_DECT   221
683
684
/*
685
 * From: "Lidwa, Eric (GSFC-582.0)[SGT INC]" <eric.lidwa-1@nasa.gov>
686
 * Date: Mon, 11 May 2009 11:18:30 -0500
687
 *
688
 * DLT_AOS. We need it for AOS Space Data Link Protocol.
689
 *   I have already written dissectors for but need an OK from
690
 *   legal before I can submit a patch.
691
 *
692
 */
693
#define LINKTYPE_AOS    222
694
695
/*
696
 * WirelessHART (Highway Addressable Remote Transducer)
697
 * From the HART Communication Foundation
698
 * IEC/PAS 62591
699
 *
700
 * Requested by Sam Roberts <vieuxtech@gmail.com>.
701
 */
702
#define LINKTYPE_WIHART   223
703
704
/*
705
 * Fibre Channel FC-2 frames, beginning with a Frame_Header.
706
 * Requested by Kahou Lei <kahou82@gmail.com>.
707
 */
708
#define LINKTYPE_FC_2   224
709
710
/*
711
 * Fibre Channel FC-2 frames, beginning with an encoding of the
712
 * SOF, and ending with an encoding of the EOF.
713
 *
714
 * The encodings represent the frame delimiters as 4-byte sequences
715
 * representing the corresponding ordered sets, with K28.5
716
 * represented as 0xBC, and the D symbols as the corresponding
717
 * byte values; for example, SOFi2, which is K28.5 - D21.5 - D1.2 - D21.2,
718
 * is represented as 0xBC 0xB5 0x55 0x55.
719
 *
720
 * Requested by Kahou Lei <kahou82@gmail.com>.
721
 */
722
#define LINKTYPE_FC_2_WITH_FRAME_DELIMS   225
723
724
/*
725
 * Solaris ipnet pseudo-header; requested by Darren Reed <Darren.Reed@Sun.COM>.
726
 *
727
 * The pseudo-header starts with a one-byte version number; for version 2,
728
 * the pseudo-header is:
729
 *
730
 * struct dl_ipnetinfo {
731
 *     uint8_t   dli_version;
732
 *     uint8_t   dli_family;
733
 *     uint16_t  dli_htype;
734
 *     uint32_t  dli_pktlen;
735
 *     uint32_t  dli_ifindex;
736
 *     uint32_t  dli_grifindex;
737
 *     uint32_t  dli_zsrc;
738
 *     uint32_t  dli_zdst;
739
 * };
740
 *
741
 * dli_version is 2 for the current version of the pseudo-header.
742
 *
743
 * dli_family is a Solaris address family value, so it's 2 for IPv4
744
 * and 26 for IPv6.
745
 *
746
 * dli_htype is a "hook type" - 0 for incoming packets, 1 for outgoing
747
 * packets, and 2 for packets arriving from another zone on the same
748
 * machine.
749
 *
750
 * dli_pktlen is the length of the packet data following the pseudo-header
751
 * (so the captured length minus dli_pktlen is the length of the
752
 * pseudo-header, assuming the entire pseudo-header was captured).
753
 *
754
 * dli_ifindex is the interface index of the interface on which the
755
 * packet arrived.
756
 *
757
 * dli_grifindex is the group interface index number (for IPMP interfaces).
758
 *
759
 * dli_zsrc is the zone identifier for the source of the packet.
760
 *
761
 * dli_zdst is the zone identifier for the destination of the packet.
762
 *
763
 * A zone number of 0 is the global zone; a zone number of 0xffffffff
764
 * means that the packet arrived from another host on the network, not
765
 * from another zone on the same machine.
766
 *
767
 * An IPv4 or IPv6 datagram follows the pseudo-header; dli_family indicates
768
 * which of those it is.
769
 */
770
#define LINKTYPE_IPNET    226
771
772
/*
773
 * CAN (Controller Area Network) frames, with a pseudo-header as supplied
774
 * by Linux SocketCAN, and with multi-byte numerical fields in that header
775
 * in big-endian byte order.
776
 *
777
 * See Documentation/networking/can.txt in the Linux source.
778
 *
779
 * Requested by Felix Obenhuber <felix@obenhuber.de>.
780
 */
781
#define LINKTYPE_CAN_SOCKETCAN  227
782
783
/*
784
 * Raw IPv4/IPv6; different from DLT_RAW in that the DLT_ value specifies
785
 * whether it's v4 or v6.  Requested by Darren Reed <Darren.Reed@Sun.COM>.
786
 */
787
#define LINKTYPE_IPV4   228
788
#define LINKTYPE_IPV6   229
789
790
/*
791
 * IEEE 802.15.4, exactly as it appears in the spec (no padding, no
792
 * nothing), and with no FCS at the end of the frame; requested by
793
 * Jon Smirl <jonsmirl@gmail.com>.
794
 */
795
#define LINKTYPE_IEEE802_15_4_NOFCS   230
796
797
/*
798
 * Raw D-Bus:
799
 *
800
 *  https://www.freedesktop.org/wiki/Software/dbus
801
 *
802
 * messages:
803
 *
804
 *  https://dbus.freedesktop.org/doc/dbus-specification.html#message-protocol-messages
805
 *
806
 * starting with the endianness flag, followed by the message type, etc.,
807
 * but without the authentication handshake before the message sequence:
808
 *
809
 *  https://dbus.freedesktop.org/doc/dbus-specification.html#auth-protocol
810
 *
811
 * Requested by Martin Vidner <martin@vidner.net>.
812
 */
813
#define LINKTYPE_DBUS   231
814
815
/*
816
 * Juniper-private data link type, as per request from
817
 * Hannes Gredler <hannes@juniper.net>.
818
 */
819
#define LINKTYPE_JUNIPER_VS     232
820
#define LINKTYPE_JUNIPER_SRX_E2E    233
821
#define LINKTYPE_JUNIPER_FIBRECHANNEL   234
822
823
/*
824
 * DVB-CI (DVB Common Interface for communication between a PC Card
825
 * module and a DVB receiver).  See
826
 *
827
 *  https://www.kaiser.cx/pcap-dvbci.html
828
 *
829
 * for the specification.
830
 *
831
 * Requested by Martin Kaiser <martin@kaiser.cx>.
832
 */
833
#define LINKTYPE_DVB_CI   235
834
835
/*
836
 * Variant of 3GPP TS 27.010 multiplexing protocol.  Requested
837
 * by Hans-Christoph Schemmel <hans-christoph.schemmel@cinterion.com>.
838
 */
839
#define LINKTYPE_MUX27010 236
840
841
/*
842
 * STANAG 5066 D_PDUs.  Requested by M. Baris Demiray
843
 * <barisdemiray@gmail.com>.
844
 */
845
#define LINKTYPE_STANAG_5066_D_PDU    237
846
847
/*
848
 * Juniper-private data link type, as per request from
849
 * Hannes Gredler <hannes@juniper.net>.
850
 */
851
#define LINKTYPE_JUNIPER_ATM_CEMIC    238
852
853
/*
854
 * NetFilter LOG messages
855
 * (payload of netlink NFNL_SUBSYS_ULOG/NFULNL_MSG_PACKET packets)
856
 *
857
 * Requested by Jakub Zawadzki <darkjames-ws@darkjames.pl>
858
 */
859
#define LINKTYPE_NFLOG    239
860
861
/*
862
 * Hilscher Gesellschaft fuer Systemautomation mbH link-layer type
863
 * for Ethernet packets with a 4-byte pseudo-header and always
864
 * with the payload including the FCS, as supplied by their
865
 * netANALYZER hardware and software.
866
 *
867
 * Requested by Holger P. Frommer <HPfrommer@hilscher.com>
868
 */
869
#define LINKTYPE_NETANALYZER  240
870
871
/*
872
 * Hilscher Gesellschaft fuer Systemautomation mbH link-layer type
873
 * for Ethernet packets with a 4-byte pseudo-header and FCS and
874
 * 1 byte of SFD, as supplied by their netANALYZER hardware and
875
 * software.
876
 *
877
 * Requested by Holger P. Frommer <HPfrommer@hilscher.com>
878
 */
879
#define LINKTYPE_NETANALYZER_TRANSPARENT  241
880
881
/*
882
 * IP-over-InfiniBand, as specified by RFC 4391.
883
 *
884
 * Requested by Petr Sumbera <petr.sumbera@oracle.com>.
885
 */
886
#define LINKTYPE_IPOIB    242
887
888
/*
889
 * MPEG-2 transport stream (ISO 13818-1/ITU-T H.222.0).
890
 *
891
 * Requested by Guy Martin <gmsoft@tuxicoman.be>.
892
 */
893
#define LINKTYPE_MPEG_2_TS  243
894
895
/*
896
 * ng4T GmbH's UMTS Iub/Iur-over-ATM and Iub/Iur-over-IP format as
897
 * used by their ng40 protocol tester.
898
 *
899
 * Requested by Jens Grimmer <jens.grimmer@ng4t.com>.
900
 */
901
#define LINKTYPE_NG40   244
902
903
/*
904
 * Pseudo-header giving adapter number and flags, followed by an NFC
905
 * (Near-Field Communications) Logical Link Control Protocol (LLCP) PDU,
906
 * as specified by NFC Forum Logical Link Control Protocol Technical
907
 * Specification LLCP 1.1.
908
 *
909
 * Requested by Mike Wakerly <mikey@google.com>.
910
 */
911
#define LINKTYPE_NFC_LLCP 245
912
913
/*
914
 * pfsync output; DLT_PFSYNC is 18, which collides with DLT_CIP in
915
 * SuSE 6.3, on OpenBSD, NetBSD, DragonFly BSD, and macOS, and
916
 * is 121, which collides with DLT_HHDLC, in FreeBSD.  We pick a
917
 * shiny new link-layer header type value that doesn't collide with
918
 * anything, in the hopes that future pfsync savefiles, if any,
919
 * won't require special hacks to distinguish from other savefiles.
920
 *
921
 */
922
0
#define LINKTYPE_PFSYNC   246
923
924
/*
925
 * Raw InfiniBand packets, starting with the Local Routing Header.
926
 *
927
 * Requested by Oren Kladnitsky <orenk@mellanox.com>.
928
 */
929
#define LINKTYPE_INFINIBAND 247
930
931
/*
932
 * SCTP, with no lower-level protocols (i.e., no IPv4 or IPv6).
933
 *
934
 * Requested by Michael Tuexen <Michael.Tuexen@lurchi.franken.de>.
935
 */
936
#define LINKTYPE_SCTP   248
937
938
/*
939
 * USB packets, beginning with a USBPcap header.
940
 *
941
 * Requested by Tomasz Mon <desowin@gmail.com>
942
 */
943
#define LINKTYPE_USBPCAP  249
944
945
/*
946
 * Schweitzer Engineering Laboratories "RTAC" product serial-line
947
 * packets.
948
 *
949
 * Requested by Chris Bontje <chris_bontje@selinc.com>.
950
 */
951
#define LINKTYPE_RTAC_SERIAL    250
952
953
/*
954
 * Bluetooth Low Energy air interface link-layer packets.
955
 *
956
 * Requested by Mike Kershaw <dragorn@kismetwireless.net>.
957
 */
958
#define LINKTYPE_BLUETOOTH_LE_LL  251
959
960
/*
961
 * Link-layer header type for upper-protocol layer PDU saves from wireshark.
962
 *
963
 * the actual contents are determined by two TAGs, one or more of
964
 * which is stored with each packet:
965
 *
966
 *   EXP_PDU_TAG_DISSECTOR_NAME      the name of the Wireshark dissector
967
 *             that can make sense of the data stored.
968
 *
969
 *   EXP_PDU_TAG_HEUR_DISSECTOR_NAME the name of the Wireshark heuristic
970
 *             dissector that can make sense of the
971
 *             data stored.
972
 */
973
#define LINKTYPE_WIRESHARK_UPPER_PDU  252
974
975
/*
976
 * Link-layer header type for the netlink protocol (nlmon devices).
977
 */
978
#define LINKTYPE_NETLINK    253
979
980
/*
981
 * Bluetooth Linux Monitor headers for the BlueZ stack.
982
 */
983
#define LINKTYPE_BLUETOOTH_LINUX_MONITOR  254
984
985
/*
986
 * Bluetooth Basic Rate/Enhanced Data Rate baseband packets, as
987
 * captured by Ubertooth.
988
 */
989
#define LINKTYPE_BLUETOOTH_BREDR_BB 255
990
991
/*
992
 * Bluetooth Low Energy link layer packets, as captured by Ubertooth.
993
 */
994
#define LINKTYPE_BLUETOOTH_LE_LL_WITH_PHDR  256
995
996
/*
997
 * PROFIBUS data link layer.
998
 */
999
#define LINKTYPE_PROFIBUS_DL    257
1000
1001
/*
1002
 * Apple's DLT_PKTAP headers.
1003
 *
1004
 * Sadly, the folks at Apple either had no clue that the DLT_USERn values
1005
 * are for internal use within an organization and partners only, and
1006
 * didn't know that the right way to get a link-layer header type is to
1007
 * ask tcpdump.org for one, or knew and didn't care, so they just
1008
 * used DLT_USER2, which causes problems for everything except for
1009
 * their version of tcpdump.
1010
 *
1011
 * So I'll just give them one; hopefully this will show up in a
1012
 * libpcap release in time for them to get this into 10.10 Big Sur
1013
 * or whatever Mavericks' successor is called.  LINKTYPE_PKTAP
1014
 * will be 258 *even on macOS*; that is *intentional*, so that
1015
 * PKTAP files look the same on *all* OSes (different OSes can have
1016
 * different numerical values for a given DLT_, but *MUST NOT* have
1017
 * different values for what goes in a file, as files can be moved
1018
 * between OSes!).
1019
 */
1020
0
#define LINKTYPE_PKTAP    258
1021
1022
/*
1023
 * Ethernet packets preceded by a header giving the last 6 octets
1024
 * of the preamble specified by 802.3-2012 Clause 65, section
1025
 * 65.1.3.2 "Transmit".
1026
 */
1027
#define LINKTYPE_EPON   259
1028
1029
/*
1030
 * IPMI trace packets, as specified by Table 3-20 "Trace Data Block Format"
1031
 * in the PICMG HPM.2 specification.
1032
 */
1033
#define LINKTYPE_IPMI_HPM_2 260
1034
1035
/*
1036
 * per  Joshua Wright <jwright@hasborg.com>, formats for Zwave captures.
1037
 */
1038
#define LINKTYPE_ZWAVE_R1_R2  261
1039
#define LINKTYPE_ZWAVE_R3 262
1040
1041
/*
1042
 * per Steve Karg <skarg@users.sourceforge.net>, formats for Wattstopper
1043
 * Digital Lighting Management room bus serial protocol captures.
1044
 */
1045
#define LINKTYPE_WATTSTOPPER_DLM 263
1046
1047
/*
1048
 * ISO 14443 contactless smart card messages.
1049
 */
1050
#define LINKTYPE_ISO_14443      264
1051
1052
/*
1053
 * Radio data system (RDS) groups.  IEC 62106.
1054
 * Per Jonathan Brucker <jonathan.brucke@gmail.com>.
1055
 */
1056
#define LINKTYPE_RDS    265
1057
1058
/*
1059
 * USB packets, beginning with a Darwin (macOS, etc.) header.
1060
 */
1061
#define LINKTYPE_USB_DARWIN 266
1062
1063
/*
1064
 * OpenBSD DLT_OPENFLOW.
1065
 */
1066
#define LINKTYPE_OPENFLOW 267
1067
1068
/*
1069
 * SDLC frames containing SNA PDUs.
1070
 */
1071
#define LINKTYPE_SDLC   268
1072
1073
/*
1074
 * per "Selvig, Bjorn" <b.selvig@ti.com> used for
1075
 * TI protocol sniffer.
1076
 */
1077
#define LINKTYPE_TI_LLN_SNIFFER 269
1078
1079
/*
1080
 * per: Erik de Jong <erikdejong at gmail.com> for
1081
 *   https://github.com/eriknl/LoRaTap/releases/tag/v0.1
1082
 */
1083
#define LINKTYPE_LORATAP        270
1084
1085
/*
1086
 * per: Stefanha at gmail.com for
1087
 *   https://lists.sandelman.ca/pipermail/tcpdump-workers/2017-May/000772.html
1088
 * and: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/uapi/linux/vsockmon.h
1089
 * for: https://qemu-project.org/Features/VirtioVsock
1090
 */
1091
#define LINKTYPE_VSOCK          271
1092
1093
/*
1094
 * Nordic Semiconductor Bluetooth LE sniffer.
1095
 */
1096
#define LINKTYPE_NORDIC_BLE 272
1097
1098
/*
1099
 * Excentis DOCSIS 3.1 RF sniffer (XRA-31)
1100
 *   per: bruno.verstuyft at excentis.com
1101
 *        https://www.xra31.com/xra-header
1102
 */
1103
#define LINKTYPE_DOCSIS31_XRA31 273
1104
1105
/*
1106
 * mPackets, as specified by IEEE 802.3br Figure 99-4, starting
1107
 * with the preamble and always ending with a CRC field.
1108
 */
1109
#define LINKTYPE_ETHERNET_MPACKET 274
1110
1111
/*
1112
 * DisplayPort AUX channel monitoring data as specified by VESA
1113
 * DisplayPort(DP) Standard preceded by a pseudo-header.
1114
 *    per dirk.eibach at gdsys.cc
1115
 */
1116
#define LINKTYPE_DISPLAYPORT_AUX  275
1117
1118
/*
1119
 * Linux cooked sockets v2.
1120
 */
1121
#define LINKTYPE_LINUX_SLL2 276
1122
1123
/*
1124
 * Sercos Monitor, per Manuel Jacob <manuel.jacob at steinbeis-stg.de>
1125
 */
1126
#define LINKTYPE_SERCOS_MONITOR 277
1127
1128
/*
1129
 * OpenVizsla http://openvizsla.org is open source USB analyzer hardware.
1130
 * It consists of FPGA with attached USB phy and FTDI chip for streaming
1131
 * the data to the host PC.
1132
 *
1133
 * Current OpenVizsla data encapsulation format is described here:
1134
 * https://github.com/matwey/libopenvizsla/wiki/OpenVizsla-protocol-description
1135
 *
1136
 */
1137
#define LINKTYPE_OPENVIZSLA     278
1138
1139
/*
1140
 * The Elektrobit High Speed Capture and Replay (EBHSCR) protocol is produced
1141
 * by a PCIe Card for interfacing high speed automotive interfaces.
1142
 *
1143
 * The specification for this frame format can be found at:
1144
 *   https://www.elektrobit.com/ebhscr
1145
 *
1146
 * for Guenter.Ebermann at elektrobit.com
1147
 *
1148
 */
1149
#define LINKTYPE_EBHSCR         279
1150
1151
/*
1152
 * The https://fd.io vpp graph dispatch tracer produces pcap trace files
1153
 * in the format documented here:
1154
 * https://fdio-vpp.readthedocs.io/en/latest/gettingstarted/developers/vnet.html#graph-dispatcher-pcap-tracing
1155
 */
1156
#define LINKTYPE_VPP_DISPATCH 280
1157
1158
/*
1159
 * Broadcom Ethernet switches (ROBO switch) 4 bytes proprietary tagging format.
1160
 */
1161
#define LINKTYPE_DSA_TAG_BRCM 281
1162
#define LINKTYPE_DSA_TAG_BRCM_PREPEND 282
1163
1164
/*
1165
 * IEEE 802.15.4 with pseudo-header and optional meta-data TLVs, PHY payload
1166
 * exactly as it appears in the spec (no padding, no nothing), and FCS if
1167
 * specified by FCS Type TLV;  requested by James Ko <jck@exegin.com>.
1168
 * Specification at https://github.com/jkcko/ieee802.15.4-tap
1169
 */
1170
#define LINKTYPE_IEEE802_15_4_TAP       283
1171
1172
/*
1173
 * Marvell (Ethertype) Distributed Switch Architecture proprietary tagging format.
1174
 */
1175
#define LINKTYPE_DSA_TAG_DSA  284
1176
#define LINKTYPE_DSA_TAG_EDSA 285
1177
1178
/*
1179
 * Payload of lawful intercept packets using the ELEE protocol;
1180
 * https://socket.hr/draft-dfranusic-opsawg-elee-00.xml
1181
 * https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi?url=https://socket.hr/draft-dfranusic-opsawg-elee-00.xml&modeAsFormat=html/ascii
1182
 */
1183
#define LINKTYPE_ELEE   286
1184
1185
/*
1186
 * Serial frames transmitted between a host and a Z-Wave chip.
1187
 */
1188
#define LINKTYPE_Z_WAVE_SERIAL  287
1189
1190
/*
1191
 * USB 2.0, 1.1, and 1.0 packets as transmitted over the cable.
1192
 * Deprecated in favor of speed specific LINKTYPEs: LINKTYPE_USB_2_0_LOW_SPEED,
1193
 * LINKTYPE_USB_2_0_FULL_SPEED and LINKTYPE_USB_2_0_HIGH_SPEED.
1194
 */
1195
#define LINKTYPE_USB_2_0  288
1196
1197
/*
1198
 * ATSC Link-Layer Protocol (A/330) packets.
1199
 */
1200
#define LINKTYPE_ATSC_ALP 289
1201
1202
/*
1203
 * Event Tracing for Windows messages.
1204
 */
1205
#define LINKTYPE_ETW    290
1206
1207
/*
1208
 * Hilscher Gesellschaft fuer Systemautomation mbH
1209
 * netANALYZER NG hardware and software.
1210
 *
1211
 * The specification for this footer can be found at:
1212
 * https://kb.hilscher.com/x/brDJBw
1213
 *
1214
 * Requested by Jan Adam <jadam@hilscher.com>
1215
 */
1216
#define LINKTYPE_NETANALYZER_NG 291
1217
1218
/*
1219
 * Serial NCP (Network Co-Processor) protocol for Zigbee stack ZBOSS
1220
 * by DSR.
1221
 * ZBOSS NCP protocol description: https://cloud.dsr-corporation.com/index.php/s/3isHzaNTTgtJebn
1222
 * Header in pcap file: https://cloud.dsr-corporation.com/index.php/s/fiqSDorAAAZrsYB
1223
 *
1224
 * Requested by Eugene Exarevsky <eugene.exarevsky@dsr-corporation.com>
1225
 */
1226
#define LINKTYPE_ZBOSS_NCP  292
1227
1228
/*
1229
 * USB 2.0, 1.1, and 1.0 packets as transmitted over the cable.
1230
 */
1231
#define LINKTYPE_USB_2_0_LOW_SPEED  293
1232
#define LINKTYPE_USB_2_0_FULL_SPEED 294
1233
#define LINKTYPE_USB_2_0_HIGH_SPEED 295
1234
1235
/*
1236
 * Auerswald Logger Protocol
1237
 * description is provided on
1238
 * https://github.com/Auerswald-GmbH/auerlog/blob/master/auerlog.txt
1239
 * requested by Auerswald Developer Team <developer(at)auerswald.de>
1240
 */
1241
#define LINKTYPE_AUERSWALD_LOG  296
1242
1243
0
#define LINKTYPE_MATCHING_MAX 296    /* highest value in the "matching" range */
1244
1245
1246
/*
1247
 * The DLT_ and LINKTYPE_ values in the "matching" range should be the
1248
 * same, so DLT_MATCHING_MAX and LINKTYPE_MATCHING_MAX should be the
1249
 * same.
1250
 */
1251
#if LINKTYPE_MATCHING_MAX != DLT_MATCHING_MAX
1252
#error The LINKTYPE_ matching range does not match the DLT_ matching range
1253
#endif
1254
1255
static struct linktype_map {
1256
  int dlt;
1257
  int linktype;
1258
} map[] = {
1259
  /*
1260
   * These DLT_* codes have LINKTYPE_* codes with values identical
1261
   * to the values of the corresponding DLT_* code.
1262
   */
1263
  { DLT_NULL,   LINKTYPE_NULL },
1264
  { DLT_EN10MB,   LINKTYPE_ETHERNET },
1265
  { DLT_EN3MB,    LINKTYPE_EXP_ETHERNET },
1266
  { DLT_AX25,   LINKTYPE_AX25 },
1267
  { DLT_PRONET,   LINKTYPE_PRONET },
1268
  { DLT_CHAOS,    LINKTYPE_CHAOS },
1269
  { DLT_IEEE802,    LINKTYPE_IEEE802_5 },
1270
  { DLT_ARCNET,   LINKTYPE_ARCNET_BSD },
1271
  { DLT_SLIP,   LINKTYPE_SLIP },
1272
  { DLT_PPP,    LINKTYPE_PPP },
1273
  { DLT_FDDI,   LINKTYPE_FDDI },
1274
  { DLT_SYMANTEC_FIREWALL, LINKTYPE_SYMANTEC_FIREWALL },
1275
1276
  /*
1277
   * These DLT_* codes have different values on different
1278
   * platforms; we map them to LINKTYPE_* codes that
1279
   * have values that should never be equal to any DLT_*
1280
   * code.
1281
   */
1282
#ifdef DLT_FR
1283
  /* BSD/OS Frame Relay */
1284
  { DLT_FR,   LINKTYPE_FRELAY },
1285
#endif
1286
1287
  { DLT_ATM_RFC1483,  LINKTYPE_ATM_RFC1483 },
1288
  { DLT_RAW,    LINKTYPE_RAW },
1289
  { DLT_SLIP_BSDOS, LINKTYPE_SLIP_BSDOS },
1290
  { DLT_PPP_BSDOS,  LINKTYPE_PPP_BSDOS },
1291
  { DLT_HDLC,   LINKTYPE_NETBSD_HDLC },
1292
1293
  /* BSD/OS Cisco HDLC */
1294
  { DLT_C_HDLC,   LINKTYPE_C_HDLC },
1295
1296
  /*
1297
   * These DLT_* codes are not on all platforms, but, so far,
1298
   * there don't appear to be any platforms that define
1299
   * other codes with those values; we map them to
1300
   * different LINKTYPE_* values anyway, just in case.
1301
   */
1302
1303
  /* Linux ATM Classical IP */
1304
  { DLT_ATM_CLIP,   LINKTYPE_ATM_CLIP },
1305
1306
  /* NetBSD sync/async serial PPP (or Cisco HDLC) */
1307
  { DLT_PPP_SERIAL, LINKTYPE_PPP_HDLC },
1308
1309
  /* NetBSD PPP over Ethernet */
1310
  { DLT_PPP_ETHER,  LINKTYPE_PPP_ETHER },
1311
1312
  /*
1313
   * All LINKTYPE_ values between LINKTYPE_MATCHING_MIN
1314
   * and LINKTYPE_MATCHING_MAX are mapped to identical
1315
   * DLT_ values.
1316
   */
1317
1318
  { -1,     -1 }
1319
};
1320
1321
int
1322
dlt_to_linktype(int dlt)
1323
0
{
1324
0
  int i;
1325
1326
  /*
1327
   * DLTs that, on some platforms, have values in the matching range
1328
   * but that *don't* have the same value as the corresponding
1329
   * LINKTYPE because, for some reason, not all OSes have the
1330
   * same value for that DLT (note that the DLT's value might be
1331
   * outside the matching range on some of those OSes).
1332
   */
1333
0
  if (dlt == DLT_PFSYNC)
1334
0
    return (LINKTYPE_PFSYNC);
1335
0
  if (dlt == DLT_PKTAP)
1336
0
    return (LINKTYPE_PKTAP);
1337
1338
  /*
1339
   * For all other values in the matching range, the DLT
1340
   * value is the same as the LINKTYPE value.
1341
   */
1342
0
  if (dlt >= DLT_MATCHING_MIN && dlt <= DLT_MATCHING_MAX)
1343
0
    return (dlt);
1344
1345
  /*
1346
   * Map the values outside that range.
1347
   */
1348
0
  for (i = 0; map[i].dlt != -1; i++) {
1349
0
    if (map[i].dlt == dlt)
1350
0
      return (map[i].linktype);
1351
0
  }
1352
1353
  /*
1354
   * If we don't have a mapping for this DLT, return an
1355
   * error; that means that this is a value with no corresponding
1356
   * LINKTYPE, and we need to assign one.
1357
   */
1358
0
  return (-1);
1359
0
}
1360
1361
int
1362
linktype_to_dlt(int linktype)
1363
0
{
1364
0
  int i;
1365
1366
  /*
1367
   * LINKTYPEs in the matching range that *don't*
1368
   * have the same value as the corresponding DLTs
1369
   * because, for some reason, not all OSes have the
1370
   * same value for that DLT.
1371
   */
1372
0
  if (linktype == LINKTYPE_PFSYNC)
1373
0
    return (DLT_PFSYNC);
1374
0
  if (linktype == LINKTYPE_PKTAP)
1375
0
    return (DLT_PKTAP);
1376
1377
  /*
1378
   * For all other values in the matching range, except for
1379
   * LINKTYPE_ATM_CLIP, the LINKTYPE value is the same as
1380
   * the DLT value.
1381
   *
1382
   * LINKTYPE_ATM_CLIP is a special case.  DLT_ATM_CLIP is
1383
   * not on all platforms, but, so far, there don't appear
1384
   * to be any platforms that define it as anything other
1385
   * than 19; we define LINKTYPE_ATM_CLIP as something
1386
   * other than 19, just in case.  That value is in the
1387
   * matching range, so we have to check for it.
1388
   */
1389
0
  if (linktype >= LINKTYPE_MATCHING_MIN &&
1390
0
      linktype <= LINKTYPE_MATCHING_MAX &&
1391
0
      linktype != LINKTYPE_ATM_CLIP)
1392
0
    return (linktype);
1393
1394
  /*
1395
   * Map the values outside that range.
1396
   */
1397
0
  for (i = 0; map[i].linktype != -1; i++) {
1398
0
    if (map[i].linktype == linktype)
1399
0
      return (map[i].dlt);
1400
0
  }
1401
1402
  /*
1403
   * If we don't have an entry for this LINKTYPE, return
1404
   * the link type value; it may be a DLT from an newer
1405
   * version of libpcap.
1406
   */
1407
0
  return linktype;
1408
0
}
1409
1410
/*
1411
 * Return the maximum snapshot length for a given DLT_ value.
1412
 *
1413
 * For most link-layer types, we use MAXIMUM_SNAPLEN.
1414
 *
1415
 * For DLT_DBUS, the maximum is 128MiB, as per
1416
 *
1417
 *    https://dbus.freedesktop.org/doc/dbus-specification.html#message-protocol-messages
1418
 *
1419
 * For DLT_EBHSCR, the maximum is 8MiB, as per
1420
 *
1421
 *    https://www.elektrobit.com/ebhscr
1422
 *
1423
 * For DLT_USBPCAP, the maximum is 1MiB, as per
1424
 *
1425
 *    https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15985
1426
 */
1427
u_int
1428
max_snaplen_for_dlt(int dlt)
1429
0
{
1430
0
  switch (dlt) {
1431
1432
0
  case DLT_DBUS:
1433
0
    return 128*1024*1024;
1434
1435
0
  case DLT_EBHSCR:
1436
0
    return 8*1024*1024;
1437
1438
0
  case DLT_USBPCAP:
1439
0
    return 1024*1024;
1440
1441
0
  default:
1442
0
    return MAXIMUM_SNAPLEN;
1443
0
  }
1444
0
}