/src/libpcap/pcap-common.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * Copyright (c) 1993, 1994, 1995, 1996, 1997 |
3 | | * The Regents of the University of California. All rights reserved. |
4 | | * |
5 | | * Redistribution and use in source and binary forms, with or without |
6 | | * modification, are permitted provided that: (1) source code distributions |
7 | | * retain the above copyright notice and this paragraph in its entirety, (2) |
8 | | * distributions including binary code include the above copyright notice and |
9 | | * this paragraph in its entirety in the documentation or other materials |
10 | | * provided with the distribution, and (3) all advertising materials mentioning |
11 | | * features or use of this software display the following acknowledgement: |
12 | | * ``This product includes software developed by the University of California, |
13 | | * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of |
14 | | * the University nor the names of its contributors may be used to endorse |
15 | | * or promote products derived from this software without specific prior |
16 | | * written permission. |
17 | | * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED |
18 | | * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF |
19 | | * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. |
20 | | * |
21 | | * pcap-common.c - common code for pcap and pcapng files |
22 | | */ |
23 | | |
24 | | #ifdef HAVE_CONFIG_H |
25 | | #include <config.h> |
26 | | #endif |
27 | | |
28 | | #include <pcap-types.h> |
29 | | |
30 | | #include "pcap-int.h" |
31 | | |
32 | | #include "pcap-common.h" |
33 | | |
34 | | /* |
35 | | * We don't write DLT_* values to capture files, because they're not the |
36 | | * same on all platforms. |
37 | | * |
38 | | * Unfortunately, the various flavors of BSD have not always used the same |
39 | | * numerical values for the same data types, and various patches to |
40 | | * libpcap for non-BSD OSes have added their own DLT_* codes for link |
41 | | * layer encapsulation types seen on those OSes, and those codes have had, |
42 | | * in some cases, values that were also used, on other platforms, for other |
43 | | * link layer encapsulation types. |
44 | | * |
45 | | * This means that capture files of a type whose numerical DLT_* code |
46 | | * means different things on different BSDs, or with different versions |
47 | | * of libpcap, can't always be read on systems other than those like |
48 | | * the one running on the machine on which the capture was made. |
49 | | * |
50 | | * Instead, we define here a set of LINKTYPE_* codes, and map DLT_* codes |
51 | | * to LINKTYPE_* codes when writing a savefile header, and map LINKTYPE_* |
52 | | * codes to DLT_* codes when reading a savefile header. |
53 | | * |
54 | | * For those DLT_* codes that have, as far as we know, the same values on |
55 | | * all platforms (DLT_NULL through DLT_FDDI), we define LINKTYPE_xxx as |
56 | | * DLT_xxx; that way, captures of those types can still be read by |
57 | | * versions of libpcap that map LINKTYPE_* values to DLT_* values, and |
58 | | * captures of those types written by versions of libpcap that map DLT_ |
59 | | * values to LINKTYPE_ values can still be read by older versions |
60 | | * of libpcap. |
61 | | * |
62 | | * The other LINKTYPE_* codes are given values starting at 100, in the |
63 | | * hopes that no DLT_* code will be given one of those values. |
64 | | * |
65 | | * In order to ensure that a given LINKTYPE_* code's value will refer to |
66 | | * the same encapsulation type on all platforms, you should not allocate |
67 | | * a new LINKTYPE_* value without consulting |
68 | | * "tcpdump-workers@lists.tcpdump.org". The tcpdump developers will |
69 | | * allocate a value for you, and will not subsequently allocate it to |
70 | | * anybody else; that value will be added to the "pcap.h" in the |
71 | | * tcpdump.org Git repository, so that a future libpcap release will |
72 | | * include it. |
73 | | * |
74 | | * You should, if possible, also contribute patches to libpcap and tcpdump |
75 | | * to handle the new encapsulation type, so that they can also be checked |
76 | | * into the tcpdump.org Git repository and so that they will appear in |
77 | | * future libpcap and tcpdump releases. |
78 | | * |
79 | | * Do *NOT* assume that any values after the largest value in this file |
80 | | * are available; you might not have the most up-to-date version of this |
81 | | * file, and new values after that one might have been assigned. Also, |
82 | | * do *NOT* use any values below 100 - those might already have been |
83 | | * taken by one (or more!) organizations. |
84 | | * |
85 | | * Any platform that defines additional DLT_* codes should: |
86 | | * |
87 | | * request a LINKTYPE_* code and value from tcpdump.org, |
88 | | * as per the above; |
89 | | * |
90 | | * add, in their version of libpcap, an entry to map |
91 | | * those DLT_* codes to the corresponding LINKTYPE_* |
92 | | * code; |
93 | | * |
94 | | * redefine, in their "net/bpf.h", any DLT_* values |
95 | | * that collide with the values used by their additional |
96 | | * DLT_* codes, to remove those collisions (but without |
97 | | * making them collide with any of the LINKTYPE_* |
98 | | * values equal to 50 or above; they should also avoid |
99 | | * defining DLT_* values that collide with those |
100 | | * LINKTYPE_* values, either). |
101 | | */ |
102 | | #define LINKTYPE_NULL DLT_NULL |
103 | | #define LINKTYPE_ETHERNET DLT_EN10MB /* also for 100Mb and up */ |
104 | | #define LINKTYPE_EXP_ETHERNET DLT_EN3MB /* 3Mb experimental Ethernet */ |
105 | | #define LINKTYPE_AX25 DLT_AX25 |
106 | | #define LINKTYPE_PRONET DLT_PRONET |
107 | | #define LINKTYPE_CHAOS DLT_CHAOS |
108 | | #define LINKTYPE_IEEE802_5 DLT_IEEE802 /* DLT_IEEE802 is used for 802.5 Token Ring */ |
109 | | #define LINKTYPE_ARCNET_BSD DLT_ARCNET /* BSD-style headers */ |
110 | | #define LINKTYPE_SLIP DLT_SLIP |
111 | | #define LINKTYPE_PPP DLT_PPP |
112 | | #define LINKTYPE_FDDI DLT_FDDI |
113 | | |
114 | | /* |
115 | | * LINKTYPE_PPP is for use when there might, or might not, be an RFC 1662 |
116 | | * PPP in HDLC-like framing header (with 0xff 0x03 before the PPP protocol |
117 | | * field) at the beginning of the packet. |
118 | | * |
119 | | * This is for use when there is always such a header; the address field |
120 | | * might be 0xff, for regular PPP, or it might be an address field for Cisco |
121 | | * point-to-point with HDLC framing as per section 4.3.1 of RFC 1547 ("Cisco |
122 | | * HDLC"). This is, for example, what you get with NetBSD's DLT_PPP_SERIAL. |
123 | | * |
124 | | * We give it the same value as NetBSD's DLT_PPP_SERIAL, in the hopes that |
125 | | * nobody else will choose a DLT_ value of 50, and so that DLT_PPP_SERIAL |
126 | | * captures will be written out with a link type that NetBSD's tcpdump |
127 | | * can read. |
128 | | */ |
129 | | #define LINKTYPE_PPP_HDLC 50 /* PPP in HDLC-like framing */ |
130 | | |
131 | | #define LINKTYPE_PPP_ETHER 51 /* NetBSD PPP-over-Ethernet */ |
132 | | |
133 | | #define LINKTYPE_SYMANTEC_FIREWALL 99 /* Symantec Enterprise Firewall */ |
134 | | |
135 | | /* |
136 | | * These correspond to DLT_s that have different values on different |
137 | | * platforms; we map between these values in capture files and |
138 | | * the DLT_ values as returned by pcap_datalink() and passed to |
139 | | * pcap_open_dead(). |
140 | | */ |
141 | | #define LINKTYPE_ATM_RFC1483 100 /* LLC/SNAP-encapsulated ATM */ |
142 | | #define LINKTYPE_RAW 101 /* raw IP */ |
143 | | #define LINKTYPE_SLIP_BSDOS 102 /* BSD/OS SLIP BPF header */ |
144 | | #define LINKTYPE_PPP_BSDOS 103 /* BSD/OS PPP BPF header */ |
145 | | |
146 | | /* |
147 | | * Values starting with 104 are used for newly-assigned link-layer |
148 | | * header type values; for those link-layer header types, the DLT_ |
149 | | * value returned by pcap_datalink() and passed to pcap_open_dead(), |
150 | | * and the LINKTYPE_ value that appears in capture files, are the |
151 | | * same. |
152 | | * |
153 | | * LINKTYPE_MATCHING_MIN is the lowest such value; LINKTYPE_MATCHING_MAX |
154 | | * is the highest such value. |
155 | | */ |
156 | 0 | #define LINKTYPE_MATCHING_MIN 104 /* lowest value in the "matching" range */ |
157 | | |
158 | | #define LINKTYPE_C_HDLC 104 /* Cisco HDLC */ |
159 | | #define LINKTYPE_IEEE802_11 105 /* IEEE 802.11 (wireless) */ |
160 | 0 | #define LINKTYPE_ATM_CLIP 106 /* Linux Classical IP over ATM */ |
161 | | #define LINKTYPE_FRELAY 107 /* Frame Relay */ |
162 | | #define LINKTYPE_LOOP 108 /* OpenBSD loopback */ |
163 | | #define LINKTYPE_ENC 109 /* OpenBSD IPSEC enc */ |
164 | | |
165 | | /* |
166 | | * These two types are reserved for future use. |
167 | | */ |
168 | | #define LINKTYPE_LANE8023 110 /* ATM LANE + 802.3 */ |
169 | | #define LINKTYPE_HIPPI 111 /* NetBSD HIPPI */ |
170 | | |
171 | | /* |
172 | | * Used for NetBSD DLT_HDLC; from looking at the one driver in NetBSD |
173 | | * that uses it, it's Cisco HDLC, so it's the same as DLT_C_HDLC/ |
174 | | * LINKTYPE_C_HDLC, but we define a separate value to avoid some |
175 | | * compatibility issues with programs on NetBSD. |
176 | | * |
177 | | * All code should treat LINKTYPE_NETBSD_HDLC and LINKTYPE_C_HDLC the same. |
178 | | */ |
179 | | #define LINKTYPE_NETBSD_HDLC 112 /* NetBSD HDLC framing */ |
180 | | |
181 | | #define LINKTYPE_LINUX_SLL 113 /* Linux cooked socket capture */ |
182 | | #define LINKTYPE_LTALK 114 /* Apple LocalTalk hardware */ |
183 | | #define LINKTYPE_ECONET 115 /* Acorn Econet */ |
184 | | |
185 | | /* |
186 | | * Reserved for use with OpenBSD ipfilter. |
187 | | */ |
188 | | #define LINKTYPE_IPFILTER 116 |
189 | | |
190 | | #define LINKTYPE_PFLOG 117 /* OpenBSD DLT_PFLOG */ |
191 | | #define LINKTYPE_CISCO_IOS 118 /* For Cisco-internal use */ |
192 | | #define LINKTYPE_IEEE802_11_PRISM 119 /* 802.11 plus Prism II monitor mode radio metadata header */ |
193 | | #define LINKTYPE_IEEE802_11_AIRONET 120 /* 802.11 plus FreeBSD Aironet driver radio metadata header */ |
194 | | |
195 | | /* |
196 | | * Reserved for Siemens HiPath HDLC. |
197 | | */ |
198 | | #define LINKTYPE_HHDLC 121 |
199 | | |
200 | | #define LINKTYPE_IP_OVER_FC 122 /* RFC 2625 IP-over-Fibre Channel */ |
201 | | #define LINKTYPE_SUNATM 123 /* Solaris+SunATM */ |
202 | | |
203 | | /* |
204 | | * Reserved as per request from Kent Dahlgren <kent@praesum.com> |
205 | | * for private use. |
206 | | */ |
207 | | #define LINKTYPE_RIO 124 /* RapidIO */ |
208 | | #define LINKTYPE_PCI_EXP 125 /* PCI Express */ |
209 | | #define LINKTYPE_AURORA 126 /* Xilinx Aurora link layer */ |
210 | | |
211 | | #define LINKTYPE_IEEE802_11_RADIOTAP 127 /* 802.11 plus radiotap radio metadata header */ |
212 | | |
213 | | /* |
214 | | * Reserved for the TZSP encapsulation, as per request from |
215 | | * Chris Waters <chris.waters@networkchemistry.com> |
216 | | * TZSP is a generic encapsulation for any other link type, |
217 | | * which includes a means to include meta-information |
218 | | * with the packet, e.g. signal strength and channel |
219 | | * for 802.11 packets. |
220 | | */ |
221 | | #define LINKTYPE_TZSP 128 /* Tazmen Sniffer Protocol */ |
222 | | |
223 | | #define LINKTYPE_ARCNET_LINUX 129 /* Linux-style headers */ |
224 | | |
225 | | /* |
226 | | * Juniper-private data link types, as per request from |
227 | | * Hannes Gredler <hannes@juniper.net>. The corresponding |
228 | | * DLT_s are used for passing on chassis-internal |
229 | | * metainformation such as QOS profiles, etc.. |
230 | | */ |
231 | | #define LINKTYPE_JUNIPER_MLPPP 130 |
232 | | #define LINKTYPE_JUNIPER_MLFR 131 |
233 | | #define LINKTYPE_JUNIPER_ES 132 |
234 | | #define LINKTYPE_JUNIPER_GGSN 133 |
235 | | #define LINKTYPE_JUNIPER_MFR 134 |
236 | | #define LINKTYPE_JUNIPER_ATM2 135 |
237 | | #define LINKTYPE_JUNIPER_SERVICES 136 |
238 | | #define LINKTYPE_JUNIPER_ATM1 137 |
239 | | |
240 | | #define LINKTYPE_APPLE_IP_OVER_IEEE1394 138 /* Apple IP-over-IEEE 1394 cooked header */ |
241 | | |
242 | | #define LINKTYPE_MTP2_WITH_PHDR 139 |
243 | | #define LINKTYPE_MTP2 140 |
244 | | #define LINKTYPE_MTP3 141 |
245 | | #define LINKTYPE_SCCP 142 |
246 | | |
247 | | #define LINKTYPE_DOCSIS 143 /* DOCSIS MAC frames */ |
248 | | |
249 | | #define LINKTYPE_LINUX_IRDA 144 /* Linux-IrDA */ |
250 | | |
251 | | /* |
252 | | * Reserved for IBM SP switch and IBM Next Federation switch. |
253 | | */ |
254 | | #define LINKTYPE_IBM_SP 145 |
255 | | #define LINKTYPE_IBM_SN 146 |
256 | | |
257 | | /* |
258 | | * Reserved for private use. If you have some link-layer header type |
259 | | * that you want to use within your organization, with the capture files |
260 | | * using that link-layer header type not ever be sent outside your |
261 | | * organization, you can use these values. |
262 | | * |
263 | | * No libpcap release will use these for any purpose, nor will any |
264 | | * tcpdump release use them, either. |
265 | | * |
266 | | * Do *NOT* use these in capture files that you expect anybody not using |
267 | | * your private versions of capture-file-reading tools to read; in |
268 | | * particular, do *NOT* use them in products, otherwise you may find that |
269 | | * people won't be able to use tcpdump, or snort, or Ethereal, or... to |
270 | | * read capture files from your firewall/intrusion detection/traffic |
271 | | * monitoring/etc. appliance, or whatever product uses that LINKTYPE_ value, |
272 | | * and you may also find that the developers of those applications will |
273 | | * not accept patches to let them read those files. |
274 | | * |
275 | | * Also, do not use them if somebody might send you a capture using them |
276 | | * for *their* private type and tools using them for *your* private type |
277 | | * would have to read them. |
278 | | * |
279 | | * Instead, in those cases, ask "tcpdump-workers@lists.tcpdump.org" for a |
280 | | * new DLT_ and LINKTYPE_ value, as per the comment in pcap/bpf.h, and use |
281 | | * the type you're given. |
282 | | */ |
283 | | #define LINKTYPE_USER0 147 |
284 | | #define LINKTYPE_USER1 148 |
285 | | #define LINKTYPE_USER2 149 |
286 | | #define LINKTYPE_USER3 150 |
287 | | #define LINKTYPE_USER4 151 |
288 | | #define LINKTYPE_USER5 152 |
289 | | #define LINKTYPE_USER6 153 |
290 | | #define LINKTYPE_USER7 154 |
291 | | #define LINKTYPE_USER8 155 |
292 | | #define LINKTYPE_USER9 156 |
293 | | #define LINKTYPE_USER10 157 |
294 | | #define LINKTYPE_USER11 158 |
295 | | #define LINKTYPE_USER12 159 |
296 | | #define LINKTYPE_USER13 160 |
297 | | #define LINKTYPE_USER14 161 |
298 | | #define LINKTYPE_USER15 162 |
299 | | |
300 | | /* |
301 | | * For future use with 802.11 captures - defined by AbsoluteValue |
302 | | * Systems to store a number of bits of link-layer information |
303 | | * including radio information: |
304 | | * |
305 | | * http://www.shaftnet.org/~pizza/software/capturefrm.txt |
306 | | */ |
307 | | #define LINKTYPE_IEEE802_11_AVS 163 /* 802.11 plus AVS radio metadata header */ |
308 | | |
309 | | /* |
310 | | * Juniper-private data link type, as per request from |
311 | | * Hannes Gredler <hannes@juniper.net>. The corresponding |
312 | | * DLT_s are used for passing on chassis-internal |
313 | | * metainformation such as QOS profiles, etc.. |
314 | | */ |
315 | | #define LINKTYPE_JUNIPER_MONITOR 164 |
316 | | |
317 | | /* |
318 | | * BACnet MS/TP frames. |
319 | | */ |
320 | | #define LINKTYPE_BACNET_MS_TP 165 |
321 | | |
322 | | /* |
323 | | * Another PPP variant as per request from Karsten Keil <kkeil@suse.de>. |
324 | | * |
325 | | * This is used in some OSes to allow a kernel socket filter to distinguish |
326 | | * between incoming and outgoing packets, on a socket intended to |
327 | | * supply pppd with outgoing packets so it can do dial-on-demand and |
328 | | * hangup-on-lack-of-demand; incoming packets are filtered out so they |
329 | | * don't cause pppd to hold the connection up (you don't want random |
330 | | * input packets such as port scans, packets from old lost connections, |
331 | | * etc. to force the connection to stay up). |
332 | | * |
333 | | * The first byte of the PPP header (0xff03) is modified to accommodate |
334 | | * the direction - 0x00 = IN, 0x01 = OUT. |
335 | | */ |
336 | | #define LINKTYPE_PPP_PPPD 166 |
337 | | |
338 | | /* |
339 | | * Juniper-private data link type, as per request from |
340 | | * Hannes Gredler <hannes@juniper.net>. The DLT_s are used |
341 | | * for passing on chassis-internal metainformation such as |
342 | | * QOS profiles, cookies, etc.. |
343 | | */ |
344 | | #define LINKTYPE_JUNIPER_PPPOE 167 |
345 | | #define LINKTYPE_JUNIPER_PPPOE_ATM 168 |
346 | | |
347 | | #define LINKTYPE_GPRS_LLC 169 /* GPRS LLC */ |
348 | | #define LINKTYPE_GPF_T 170 /* GPF-T (ITU-T G.7041/Y.1303) */ |
349 | | #define LINKTYPE_GPF_F 171 /* GPF-F (ITU-T G.7041/Y.1303) */ |
350 | | |
351 | | /* |
352 | | * Requested by Oolan Zimmer <oz@gcom.com> for use in Gcom's T1/E1 line |
353 | | * monitoring equipment. |
354 | | */ |
355 | | #define LINKTYPE_GCOM_T1E1 172 |
356 | | #define LINKTYPE_GCOM_SERIAL 173 |
357 | | |
358 | | /* |
359 | | * Juniper-private data link type, as per request from |
360 | | * Hannes Gredler <hannes@juniper.net>. The DLT_ is used |
361 | | * for internal communication to Physical Interface Cards (PIC) |
362 | | */ |
363 | | #define LINKTYPE_JUNIPER_PIC_PEER 174 |
364 | | |
365 | | /* |
366 | | * Link types requested by Gregor Maier <gregor@endace.com> of Endace |
367 | | * Measurement Systems. They add an ERF header (see |
368 | | * https://www.endace.com/support/EndaceRecordFormat.pdf) in front of |
369 | | * the link-layer header. |
370 | | */ |
371 | | #define LINKTYPE_ERF_ETH 175 /* Ethernet */ |
372 | | #define LINKTYPE_ERF_POS 176 /* Packet-over-SONET */ |
373 | | |
374 | | /* |
375 | | * Requested by Daniele Orlandi <daniele@orlandi.com> for raw LAPD |
376 | | * for vISDN (http://www.orlandi.com/visdn/). Its link-layer header |
377 | | * includes additional information before the LAPD header, so it's |
378 | | * not necessarily a generic LAPD header. |
379 | | */ |
380 | | #define LINKTYPE_LINUX_LAPD 177 |
381 | | |
382 | | /* |
383 | | * Juniper-private data link type, as per request from |
384 | | * Hannes Gredler <hannes@juniper.net>. |
385 | | * The Link Types are used for prepending meta-information |
386 | | * like interface index, interface name |
387 | | * before standard Ethernet, PPP, Frelay & C-HDLC Frames |
388 | | */ |
389 | | #define LINKTYPE_JUNIPER_ETHER 178 |
390 | | #define LINKTYPE_JUNIPER_PPP 179 |
391 | | #define LINKTYPE_JUNIPER_FRELAY 180 |
392 | | #define LINKTYPE_JUNIPER_CHDLC 181 |
393 | | |
394 | | /* |
395 | | * Multi Link Frame Relay (FRF.16) |
396 | | */ |
397 | | #define LINKTYPE_MFR 182 |
398 | | |
399 | | /* |
400 | | * Juniper-private data link type, as per request from |
401 | | * Hannes Gredler <hannes@juniper.net>. |
402 | | * The DLT_ is used for internal communication with a |
403 | | * voice Adapter Card (PIC) |
404 | | */ |
405 | | #define LINKTYPE_JUNIPER_VP 183 |
406 | | |
407 | | /* |
408 | | * Arinc 429 frames. |
409 | | * DLT_ requested by Gianluca Varenni <gianluca.varenni@cacetech.com>. |
410 | | * Every frame contains a 32bit A429 label. |
411 | | * More documentation on Arinc 429 can be found at |
412 | | * https://web.archive.org/web/20040616233302/https://www.condoreng.com/support/downloads/tutorials/ARINCTutorial.pdf |
413 | | */ |
414 | | #define LINKTYPE_A429 184 |
415 | | |
416 | | /* |
417 | | * Arinc 653 Interpartition Communication messages. |
418 | | * DLT_ requested by Gianluca Varenni <gianluca.varenni@cacetech.com>. |
419 | | * Please refer to the A653-1 standard for more information. |
420 | | */ |
421 | | #define LINKTYPE_A653_ICM 185 |
422 | | |
423 | | /* |
424 | | * This used to be "USB packets, beginning with a USB setup header; |
425 | | * requested by Paolo Abeni <paolo.abeni@email.it>." |
426 | | * |
427 | | * However, that header didn't work all that well - it left out some |
428 | | * useful information - and was abandoned in favor of the DLT_USB_LINUX |
429 | | * header. |
430 | | * |
431 | | * This is now used by FreeBSD for its BPF taps for USB; that has its |
432 | | * own headers. So it is written, so it is done. |
433 | | */ |
434 | | #define LINKTYPE_USB_FREEBSD 186 |
435 | | |
436 | | /* |
437 | | * Bluetooth HCI UART transport layer (part H:4); requested by |
438 | | * Paolo Abeni. |
439 | | */ |
440 | | #define LINKTYPE_BLUETOOTH_HCI_H4 187 |
441 | | |
442 | | /* |
443 | | * IEEE 802.16 MAC Common Part Sublayer; requested by Maria Cruz |
444 | | * <cruz_petagay@bah.com>. |
445 | | */ |
446 | | #define LINKTYPE_IEEE802_16_MAC_CPS 188 |
447 | | |
448 | | /* |
449 | | * USB packets, beginning with a Linux USB header; requested by |
450 | | * Paolo Abeni <paolo.abeni@email.it>. |
451 | | */ |
452 | | #define LINKTYPE_USB_LINUX 189 |
453 | | |
454 | | /* |
455 | | * Controller Area Network (CAN) v. 2.0B packets. |
456 | | * DLT_ requested by Gianluca Varenni <gianluca.varenni@cacetech.com>. |
457 | | * Used to dump CAN packets coming from a CAN Vector board. |
458 | | * More documentation on the CAN v2.0B frames can be found at |
459 | | * http://www.can-cia.org/downloads/?269 |
460 | | */ |
461 | | #define LINKTYPE_CAN20B 190 |
462 | | |
463 | | /* |
464 | | * IEEE 802.15.4, with address fields padded, as is done by Linux |
465 | | * drivers; requested by Juergen Schimmer. |
466 | | */ |
467 | | #define LINKTYPE_IEEE802_15_4_LINUX 191 |
468 | | |
469 | | /* |
470 | | * Per Packet Information encapsulated packets. |
471 | | * LINKTYPE_ requested by Gianluca Varenni <gianluca.varenni@cacetech.com>. |
472 | | */ |
473 | | #define LINKTYPE_PPI 192 |
474 | | |
475 | | /* |
476 | | * Header for 802.16 MAC Common Part Sublayer plus a radiotap radio header; |
477 | | * requested by Charles Clancy. |
478 | | */ |
479 | | #define LINKTYPE_IEEE802_16_MAC_CPS_RADIO 193 |
480 | | |
481 | | /* |
482 | | * Juniper-private data link type, as per request from |
483 | | * Hannes Gredler <hannes@juniper.net>. |
484 | | * The DLT_ is used for internal communication with a |
485 | | * integrated service module (ISM). |
486 | | */ |
487 | | #define LINKTYPE_JUNIPER_ISM 194 |
488 | | |
489 | | /* |
490 | | * IEEE 802.15.4, exactly as it appears in the spec (no padding, no |
491 | | * nothing), and with the FCS at the end of the frame; requested by |
492 | | * Mikko Saarnivala <mikko.saarnivala@sensinode.com>. |
493 | | * |
494 | | * This should only be used if the FCS is present at the end of the |
495 | | * frame; if the frame has no FCS, DLT_IEEE802_15_4_NOFCS should be |
496 | | * used. |
497 | | */ |
498 | | #define LINKTYPE_IEEE802_15_4_WITHFCS 195 |
499 | | |
500 | | /* |
501 | | * Various link-layer types, with a pseudo-header, for SITA |
502 | | * (https://www.sita.aero/); requested by Fulko Hew (fulko.hew@gmail.com). |
503 | | */ |
504 | | #define LINKTYPE_SITA 196 |
505 | | |
506 | | /* |
507 | | * Various link-layer types, with a pseudo-header, for Endace DAG cards; |
508 | | * encapsulates Endace ERF records. Requested by Stephen Donnelly |
509 | | * <stephen@endace.com>. |
510 | | */ |
511 | | #define LINKTYPE_ERF 197 |
512 | | |
513 | | /* |
514 | | * Special header prepended to Ethernet packets when capturing from a |
515 | | * u10 Networks board. Requested by Phil Mulholland |
516 | | * <phil@u10networks.com>. |
517 | | */ |
518 | | #define LINKTYPE_RAIF1 198 |
519 | | |
520 | | /* |
521 | | * IPMB packet for IPMI, beginning with a 2-byte header, followed by |
522 | | * the I2C slave address, followed by the netFn and LUN, etc.. |
523 | | * Requested by Chanthy Toeung <chanthy.toeung@ca.kontron.com>. |
524 | | * |
525 | | * XXX - its DLT_ value used to be called DLT_IPMB, back when we got the |
526 | | * impression from the email thread requesting it that the packet |
527 | | * had no extra 2-byte header. We've renamed it; if anybody used |
528 | | * DLT_IPMB and assumed no 2-byte header, this will cause the compile |
529 | | * to fail, at which point we'll have to figure out what to do about |
530 | | * the two header types using the same DLT_/LINKTYPE_ value. If that |
531 | | * doesn't happen, we'll assume nobody used it and that the redefinition |
532 | | * is safe. |
533 | | */ |
534 | | #define LINKTYPE_IPMB_KONTRON 199 |
535 | | |
536 | | /* |
537 | | * Juniper-private data link type, as per request from |
538 | | * Hannes Gredler <hannes@juniper.net>. |
539 | | * The DLT_ is used for capturing data on a secure tunnel interface. |
540 | | */ |
541 | | #define LINKTYPE_JUNIPER_ST 200 |
542 | | |
543 | | /* |
544 | | * Bluetooth HCI UART transport layer (part H:4), with pseudo-header |
545 | | * that includes direction information; requested by Paolo Abeni. |
546 | | */ |
547 | | #define LINKTYPE_BLUETOOTH_HCI_H4_WITH_PHDR 201 |
548 | | |
549 | | /* |
550 | | * AX.25 packet with a 1-byte KISS header; see |
551 | | * |
552 | | * http://www.ax25.net/kiss.htm |
553 | | * |
554 | | * as per Richard Stearn <richard@rns-stearn.demon.co.uk>. |
555 | | */ |
556 | | #define LINKTYPE_AX25_KISS 202 |
557 | | |
558 | | /* |
559 | | * LAPD packets from an ISDN channel, starting with the address field, |
560 | | * with no pseudo-header. |
561 | | * Requested by Varuna De Silva <varunax@gmail.com>. |
562 | | */ |
563 | | #define LINKTYPE_LAPD 203 |
564 | | |
565 | | /* |
566 | | * PPP, with a one-byte direction pseudo-header prepended - zero means |
567 | | * "received by this host", non-zero (any non-zero value) means "sent by |
568 | | * this host" - as per Will Barker <w.barker@zen.co.uk>. |
569 | | */ |
570 | | #define LINKTYPE_PPP_WITH_DIR 204 /* Don't confuse with LINKTYPE_PPP_PPPD */ |
571 | | |
572 | | /* |
573 | | * Cisco HDLC, with a one-byte direction pseudo-header prepended - zero |
574 | | * means "received by this host", non-zero (any non-zero value) means |
575 | | * "sent by this host" - as per Will Barker <w.barker@zen.co.uk>. |
576 | | */ |
577 | | #define LINKTYPE_C_HDLC_WITH_DIR 205 /* Cisco HDLC */ |
578 | | |
579 | | /* |
580 | | * Frame Relay, with a one-byte direction pseudo-header prepended - zero |
581 | | * means "received by this host" (DCE -> DTE), non-zero (any non-zero |
582 | | * value) means "sent by this host" (DTE -> DCE) - as per Will Barker |
583 | | * <w.barker@zen.co.uk>. |
584 | | */ |
585 | | #define LINKTYPE_FRELAY_WITH_DIR 206 /* Frame Relay */ |
586 | | |
587 | | /* |
588 | | * LAPB, with a one-byte direction pseudo-header prepended - zero means |
589 | | * "received by this host" (DCE -> DTE), non-zero (any non-zero value) |
590 | | * means "sent by this host" (DTE -> DCE)- as per Will Barker |
591 | | * <w.barker@zen.co.uk>. |
592 | | */ |
593 | | #define LINKTYPE_LAPB_WITH_DIR 207 /* LAPB */ |
594 | | |
595 | | /* |
596 | | * 208 is reserved for an as-yet-unspecified proprietary link-layer |
597 | | * type, as requested by Will Barker. |
598 | | */ |
599 | | |
600 | | /* |
601 | | * IPMB with a Linux-specific pseudo-header; as requested by Alexey Neyman |
602 | | * <avn@pigeonpoint.com>. |
603 | | */ |
604 | | #define LINKTYPE_IPMB_LINUX 209 |
605 | | |
606 | | /* |
607 | | * FlexRay automotive bus - http://www.flexray.com/ - as requested |
608 | | * by Hannes Kaelber <hannes.kaelber@x2e.de>. |
609 | | */ |
610 | | #define LINKTYPE_FLEXRAY 210 |
611 | | |
612 | | /* |
613 | | * Media Oriented Systems Transport (MOST) bus for multimedia |
614 | | * transport - https://www.mostcooperation.com/ - as requested |
615 | | * by Hannes Kaelber <hannes.kaelber@x2e.de>. |
616 | | */ |
617 | | #define LINKTYPE_MOST 211 |
618 | | |
619 | | /* |
620 | | * Local Interconnect Network (LIN) bus for vehicle networks - |
621 | | * http://www.lin-subbus.org/ - as requested by Hannes Kaelber |
622 | | * <hannes.kaelber@x2e.de>. |
623 | | */ |
624 | | #define LINKTYPE_LIN 212 |
625 | | |
626 | | /* |
627 | | * X2E-private data link type used for serial line capture, |
628 | | * as requested by Hannes Kaelber <hannes.kaelber@x2e.de>. |
629 | | */ |
630 | | #define LINKTYPE_X2E_SERIAL 213 |
631 | | |
632 | | /* |
633 | | * X2E-private data link type used for the Xoraya data logger |
634 | | * family, as requested by Hannes Kaelber <hannes.kaelber@x2e.de>. |
635 | | */ |
636 | | #define LINKTYPE_X2E_XORAYA 214 |
637 | | |
638 | | /* |
639 | | * IEEE 802.15.4, exactly as it appears in the spec (no padding, no |
640 | | * nothing), but with the PHY-level data for non-ASK PHYs (4 octets |
641 | | * of 0 as preamble, one octet of SFD, one octet of frame length+ |
642 | | * reserved bit, and then the MAC-layer data, starting with the |
643 | | * frame control field). |
644 | | * |
645 | | * Requested by Max Filippov <jcmvbkbc@gmail.com>. |
646 | | */ |
647 | | #define LINKTYPE_IEEE802_15_4_NONASK_PHY 215 |
648 | | |
649 | | /* |
650 | | * David Gibson <david@gibson.dropbear.id.au> requested this for |
651 | | * captures from the Linux kernel /dev/input/eventN devices. This |
652 | | * is used to communicate keystrokes and mouse movements from the |
653 | | * Linux kernel to display systems, such as Xorg. |
654 | | */ |
655 | | #define LINKTYPE_LINUX_EVDEV 216 |
656 | | |
657 | | /* |
658 | | * GSM Um and Abis interfaces, preceded by a "gsmtap" header. |
659 | | * |
660 | | * Requested by Harald Welte <laforge@gnumonks.org>. |
661 | | */ |
662 | | #define LINKTYPE_GSMTAP_UM 217 |
663 | | #define LINKTYPE_GSMTAP_ABIS 218 |
664 | | |
665 | | /* |
666 | | * MPLS, with an MPLS label as the link-layer header. |
667 | | * Requested by Michele Marchetto <michele@openbsd.org> on behalf |
668 | | * of OpenBSD. |
669 | | */ |
670 | | #define LINKTYPE_MPLS 219 |
671 | | |
672 | | /* |
673 | | * USB packets, beginning with a Linux USB header, with the USB header |
674 | | * padded to 64 bytes; required for memory-mapped access. |
675 | | */ |
676 | | #define LINKTYPE_USB_LINUX_MMAPPED 220 |
677 | | |
678 | | /* |
679 | | * DECT packets, with a pseudo-header; requested by |
680 | | * Matthias Wenzel <tcpdump@mazzoo.de>. |
681 | | */ |
682 | | #define LINKTYPE_DECT 221 |
683 | | |
684 | | /* |
685 | | * From: "Lidwa, Eric (GSFC-582.0)[SGT INC]" <eric.lidwa-1@nasa.gov> |
686 | | * Date: Mon, 11 May 2009 11:18:30 -0500 |
687 | | * |
688 | | * DLT_AOS. We need it for AOS Space Data Link Protocol. |
689 | | * I have already written dissectors for but need an OK from |
690 | | * legal before I can submit a patch. |
691 | | * |
692 | | */ |
693 | | #define LINKTYPE_AOS 222 |
694 | | |
695 | | /* |
696 | | * WirelessHART (Highway Addressable Remote Transducer) |
697 | | * From the HART Communication Foundation |
698 | | * IEC/PAS 62591 |
699 | | * |
700 | | * Requested by Sam Roberts <vieuxtech@gmail.com>. |
701 | | */ |
702 | | #define LINKTYPE_WIHART 223 |
703 | | |
704 | | /* |
705 | | * Fibre Channel FC-2 frames, beginning with a Frame_Header. |
706 | | * Requested by Kahou Lei <kahou82@gmail.com>. |
707 | | */ |
708 | | #define LINKTYPE_FC_2 224 |
709 | | |
710 | | /* |
711 | | * Fibre Channel FC-2 frames, beginning with an encoding of the |
712 | | * SOF, and ending with an encoding of the EOF. |
713 | | * |
714 | | * The encodings represent the frame delimiters as 4-byte sequences |
715 | | * representing the corresponding ordered sets, with K28.5 |
716 | | * represented as 0xBC, and the D symbols as the corresponding |
717 | | * byte values; for example, SOFi2, which is K28.5 - D21.5 - D1.2 - D21.2, |
718 | | * is represented as 0xBC 0xB5 0x55 0x55. |
719 | | * |
720 | | * Requested by Kahou Lei <kahou82@gmail.com>. |
721 | | */ |
722 | | #define LINKTYPE_FC_2_WITH_FRAME_DELIMS 225 |
723 | | |
724 | | /* |
725 | | * Solaris ipnet pseudo-header; requested by Darren Reed <Darren.Reed@Sun.COM>. |
726 | | * |
727 | | * The pseudo-header starts with a one-byte version number; for version 2, |
728 | | * the pseudo-header is: |
729 | | * |
730 | | * struct dl_ipnetinfo { |
731 | | * uint8_t dli_version; |
732 | | * uint8_t dli_family; |
733 | | * uint16_t dli_htype; |
734 | | * uint32_t dli_pktlen; |
735 | | * uint32_t dli_ifindex; |
736 | | * uint32_t dli_grifindex; |
737 | | * uint32_t dli_zsrc; |
738 | | * uint32_t dli_zdst; |
739 | | * }; |
740 | | * |
741 | | * dli_version is 2 for the current version of the pseudo-header. |
742 | | * |
743 | | * dli_family is a Solaris address family value, so it's 2 for IPv4 |
744 | | * and 26 for IPv6. |
745 | | * |
746 | | * dli_htype is a "hook type" - 0 for incoming packets, 1 for outgoing |
747 | | * packets, and 2 for packets arriving from another zone on the same |
748 | | * machine. |
749 | | * |
750 | | * dli_pktlen is the length of the packet data following the pseudo-header |
751 | | * (so the captured length minus dli_pktlen is the length of the |
752 | | * pseudo-header, assuming the entire pseudo-header was captured). |
753 | | * |
754 | | * dli_ifindex is the interface index of the interface on which the |
755 | | * packet arrived. |
756 | | * |
757 | | * dli_grifindex is the group interface index number (for IPMP interfaces). |
758 | | * |
759 | | * dli_zsrc is the zone identifier for the source of the packet. |
760 | | * |
761 | | * dli_zdst is the zone identifier for the destination of the packet. |
762 | | * |
763 | | * A zone number of 0 is the global zone; a zone number of 0xffffffff |
764 | | * means that the packet arrived from another host on the network, not |
765 | | * from another zone on the same machine. |
766 | | * |
767 | | * An IPv4 or IPv6 datagram follows the pseudo-header; dli_family indicates |
768 | | * which of those it is. |
769 | | */ |
770 | | #define LINKTYPE_IPNET 226 |
771 | | |
772 | | /* |
773 | | * CAN (Controller Area Network) frames, with a pseudo-header as supplied |
774 | | * by Linux SocketCAN, and with multi-byte numerical fields in that header |
775 | | * in big-endian byte order. |
776 | | * |
777 | | * See Documentation/networking/can.txt in the Linux source. |
778 | | * |
779 | | * Requested by Felix Obenhuber <felix@obenhuber.de>. |
780 | | */ |
781 | | #define LINKTYPE_CAN_SOCKETCAN 227 |
782 | | |
783 | | /* |
784 | | * Raw IPv4/IPv6; different from DLT_RAW in that the DLT_ value specifies |
785 | | * whether it's v4 or v6. Requested by Darren Reed <Darren.Reed@Sun.COM>. |
786 | | */ |
787 | | #define LINKTYPE_IPV4 228 |
788 | | #define LINKTYPE_IPV6 229 |
789 | | |
790 | | /* |
791 | | * IEEE 802.15.4, exactly as it appears in the spec (no padding, no |
792 | | * nothing), and with no FCS at the end of the frame; requested by |
793 | | * Jon Smirl <jonsmirl@gmail.com>. |
794 | | */ |
795 | | #define LINKTYPE_IEEE802_15_4_NOFCS 230 |
796 | | |
797 | | /* |
798 | | * Raw D-Bus: |
799 | | * |
800 | | * https://www.freedesktop.org/wiki/Software/dbus |
801 | | * |
802 | | * messages: |
803 | | * |
804 | | * https://dbus.freedesktop.org/doc/dbus-specification.html#message-protocol-messages |
805 | | * |
806 | | * starting with the endianness flag, followed by the message type, etc., |
807 | | * but without the authentication handshake before the message sequence: |
808 | | * |
809 | | * https://dbus.freedesktop.org/doc/dbus-specification.html#auth-protocol |
810 | | * |
811 | | * Requested by Martin Vidner <martin@vidner.net>. |
812 | | */ |
813 | | #define LINKTYPE_DBUS 231 |
814 | | |
815 | | /* |
816 | | * Juniper-private data link type, as per request from |
817 | | * Hannes Gredler <hannes@juniper.net>. |
818 | | */ |
819 | | #define LINKTYPE_JUNIPER_VS 232 |
820 | | #define LINKTYPE_JUNIPER_SRX_E2E 233 |
821 | | #define LINKTYPE_JUNIPER_FIBRECHANNEL 234 |
822 | | |
823 | | /* |
824 | | * DVB-CI (DVB Common Interface for communication between a PC Card |
825 | | * module and a DVB receiver). See |
826 | | * |
827 | | * https://www.kaiser.cx/pcap-dvbci.html |
828 | | * |
829 | | * for the specification. |
830 | | * |
831 | | * Requested by Martin Kaiser <martin@kaiser.cx>. |
832 | | */ |
833 | | #define LINKTYPE_DVB_CI 235 |
834 | | |
835 | | /* |
836 | | * Variant of 3GPP TS 27.010 multiplexing protocol. Requested |
837 | | * by Hans-Christoph Schemmel <hans-christoph.schemmel@cinterion.com>. |
838 | | */ |
839 | | #define LINKTYPE_MUX27010 236 |
840 | | |
841 | | /* |
842 | | * STANAG 5066 D_PDUs. Requested by M. Baris Demiray |
843 | | * <barisdemiray@gmail.com>. |
844 | | */ |
845 | | #define LINKTYPE_STANAG_5066_D_PDU 237 |
846 | | |
847 | | /* |
848 | | * Juniper-private data link type, as per request from |
849 | | * Hannes Gredler <hannes@juniper.net>. |
850 | | */ |
851 | | #define LINKTYPE_JUNIPER_ATM_CEMIC 238 |
852 | | |
853 | | /* |
854 | | * NetFilter LOG messages |
855 | | * (payload of netlink NFNL_SUBSYS_ULOG/NFULNL_MSG_PACKET packets) |
856 | | * |
857 | | * Requested by Jakub Zawadzki <darkjames-ws@darkjames.pl> |
858 | | */ |
859 | | #define LINKTYPE_NFLOG 239 |
860 | | |
861 | | /* |
862 | | * Hilscher Gesellschaft fuer Systemautomation mbH link-layer type |
863 | | * for Ethernet packets with a 4-byte pseudo-header and always |
864 | | * with the payload including the FCS, as supplied by their |
865 | | * netANALYZER hardware and software. |
866 | | * |
867 | | * Requested by Holger P. Frommer <HPfrommer@hilscher.com> |
868 | | */ |
869 | | #define LINKTYPE_NETANALYZER 240 |
870 | | |
871 | | /* |
872 | | * Hilscher Gesellschaft fuer Systemautomation mbH link-layer type |
873 | | * for Ethernet packets with a 4-byte pseudo-header and FCS and |
874 | | * 1 byte of SFD, as supplied by their netANALYZER hardware and |
875 | | * software. |
876 | | * |
877 | | * Requested by Holger P. Frommer <HPfrommer@hilscher.com> |
878 | | */ |
879 | | #define LINKTYPE_NETANALYZER_TRANSPARENT 241 |
880 | | |
881 | | /* |
882 | | * IP-over-InfiniBand, as specified by RFC 4391. |
883 | | * |
884 | | * Requested by Petr Sumbera <petr.sumbera@oracle.com>. |
885 | | */ |
886 | | #define LINKTYPE_IPOIB 242 |
887 | | |
888 | | /* |
889 | | * MPEG-2 transport stream (ISO 13818-1/ITU-T H.222.0). |
890 | | * |
891 | | * Requested by Guy Martin <gmsoft@tuxicoman.be>. |
892 | | */ |
893 | | #define LINKTYPE_MPEG_2_TS 243 |
894 | | |
895 | | /* |
896 | | * ng4T GmbH's UMTS Iub/Iur-over-ATM and Iub/Iur-over-IP format as |
897 | | * used by their ng40 protocol tester. |
898 | | * |
899 | | * Requested by Jens Grimmer <jens.grimmer@ng4t.com>. |
900 | | */ |
901 | | #define LINKTYPE_NG40 244 |
902 | | |
903 | | /* |
904 | | * Pseudo-header giving adapter number and flags, followed by an NFC |
905 | | * (Near-Field Communications) Logical Link Control Protocol (LLCP) PDU, |
906 | | * as specified by NFC Forum Logical Link Control Protocol Technical |
907 | | * Specification LLCP 1.1. |
908 | | * |
909 | | * Requested by Mike Wakerly <mikey@google.com>. |
910 | | */ |
911 | | #define LINKTYPE_NFC_LLCP 245 |
912 | | |
913 | | /* |
914 | | * pfsync output; DLT_PFSYNC is 18, which collides with DLT_CIP in |
915 | | * SuSE 6.3, on OpenBSD, NetBSD, DragonFly BSD, and macOS, and |
916 | | * is 121, which collides with DLT_HHDLC, in FreeBSD. We pick a |
917 | | * shiny new link-layer header type value that doesn't collide with |
918 | | * anything, in the hopes that future pfsync savefiles, if any, |
919 | | * won't require special hacks to distinguish from other savefiles. |
920 | | * |
921 | | */ |
922 | 0 | #define LINKTYPE_PFSYNC 246 |
923 | | |
924 | | /* |
925 | | * Raw InfiniBand packets, starting with the Local Routing Header. |
926 | | * |
927 | | * Requested by Oren Kladnitsky <orenk@mellanox.com>. |
928 | | */ |
929 | | #define LINKTYPE_INFINIBAND 247 |
930 | | |
931 | | /* |
932 | | * SCTP, with no lower-level protocols (i.e., no IPv4 or IPv6). |
933 | | * |
934 | | * Requested by Michael Tuexen <Michael.Tuexen@lurchi.franken.de>. |
935 | | */ |
936 | | #define LINKTYPE_SCTP 248 |
937 | | |
938 | | /* |
939 | | * USB packets, beginning with a USBPcap header. |
940 | | * |
941 | | * Requested by Tomasz Mon <desowin@gmail.com> |
942 | | */ |
943 | | #define LINKTYPE_USBPCAP 249 |
944 | | |
945 | | /* |
946 | | * Schweitzer Engineering Laboratories "RTAC" product serial-line |
947 | | * packets. |
948 | | * |
949 | | * Requested by Chris Bontje <chris_bontje@selinc.com>. |
950 | | */ |
951 | | #define LINKTYPE_RTAC_SERIAL 250 |
952 | | |
953 | | /* |
954 | | * Bluetooth Low Energy air interface link-layer packets. |
955 | | * |
956 | | * Requested by Mike Kershaw <dragorn@kismetwireless.net>. |
957 | | */ |
958 | | #define LINKTYPE_BLUETOOTH_LE_LL 251 |
959 | | |
960 | | /* |
961 | | * Link-layer header type for upper-protocol layer PDU saves from wireshark. |
962 | | * |
963 | | * the actual contents are determined by two TAGs, one or more of |
964 | | * which is stored with each packet: |
965 | | * |
966 | | * EXP_PDU_TAG_DISSECTOR_NAME the name of the Wireshark dissector |
967 | | * that can make sense of the data stored. |
968 | | * |
969 | | * EXP_PDU_TAG_HEUR_DISSECTOR_NAME the name of the Wireshark heuristic |
970 | | * dissector that can make sense of the |
971 | | * data stored. |
972 | | */ |
973 | | #define LINKTYPE_WIRESHARK_UPPER_PDU 252 |
974 | | |
975 | | /* |
976 | | * Link-layer header type for the netlink protocol (nlmon devices). |
977 | | */ |
978 | | #define LINKTYPE_NETLINK 253 |
979 | | |
980 | | /* |
981 | | * Bluetooth Linux Monitor headers for the BlueZ stack. |
982 | | */ |
983 | | #define LINKTYPE_BLUETOOTH_LINUX_MONITOR 254 |
984 | | |
985 | | /* |
986 | | * Bluetooth Basic Rate/Enhanced Data Rate baseband packets, as |
987 | | * captured by Ubertooth. |
988 | | */ |
989 | | #define LINKTYPE_BLUETOOTH_BREDR_BB 255 |
990 | | |
991 | | /* |
992 | | * Bluetooth Low Energy link layer packets, as captured by Ubertooth. |
993 | | */ |
994 | | #define LINKTYPE_BLUETOOTH_LE_LL_WITH_PHDR 256 |
995 | | |
996 | | /* |
997 | | * PROFIBUS data link layer. |
998 | | */ |
999 | | #define LINKTYPE_PROFIBUS_DL 257 |
1000 | | |
1001 | | /* |
1002 | | * Apple's DLT_PKTAP headers. |
1003 | | * |
1004 | | * Sadly, the folks at Apple either had no clue that the DLT_USERn values |
1005 | | * are for internal use within an organization and partners only, and |
1006 | | * didn't know that the right way to get a link-layer header type is to |
1007 | | * ask tcpdump.org for one, or knew and didn't care, so they just |
1008 | | * used DLT_USER2, which causes problems for everything except for |
1009 | | * their version of tcpdump. |
1010 | | * |
1011 | | * So I'll just give them one; hopefully this will show up in a |
1012 | | * libpcap release in time for them to get this into 10.10 Big Sur |
1013 | | * or whatever Mavericks' successor is called. LINKTYPE_PKTAP |
1014 | | * will be 258 *even on macOS*; that is *intentional*, so that |
1015 | | * PKTAP files look the same on *all* OSes (different OSes can have |
1016 | | * different numerical values for a given DLT_, but *MUST NOT* have |
1017 | | * different values for what goes in a file, as files can be moved |
1018 | | * between OSes!). |
1019 | | */ |
1020 | 0 | #define LINKTYPE_PKTAP 258 |
1021 | | |
1022 | | /* |
1023 | | * Ethernet packets preceded by a header giving the last 6 octets |
1024 | | * of the preamble specified by 802.3-2012 Clause 65, section |
1025 | | * 65.1.3.2 "Transmit". |
1026 | | */ |
1027 | | #define LINKTYPE_EPON 259 |
1028 | | |
1029 | | /* |
1030 | | * IPMI trace packets, as specified by Table 3-20 "Trace Data Block Format" |
1031 | | * in the PICMG HPM.2 specification. |
1032 | | */ |
1033 | | #define LINKTYPE_IPMI_HPM_2 260 |
1034 | | |
1035 | | /* |
1036 | | * per Joshua Wright <jwright@hasborg.com>, formats for Zwave captures. |
1037 | | */ |
1038 | | #define LINKTYPE_ZWAVE_R1_R2 261 |
1039 | | #define LINKTYPE_ZWAVE_R3 262 |
1040 | | |
1041 | | /* |
1042 | | * per Steve Karg <skarg@users.sourceforge.net>, formats for Wattstopper |
1043 | | * Digital Lighting Management room bus serial protocol captures. |
1044 | | */ |
1045 | | #define LINKTYPE_WATTSTOPPER_DLM 263 |
1046 | | |
1047 | | /* |
1048 | | * ISO 14443 contactless smart card messages. |
1049 | | */ |
1050 | | #define LINKTYPE_ISO_14443 264 |
1051 | | |
1052 | | /* |
1053 | | * Radio data system (RDS) groups. IEC 62106. |
1054 | | * Per Jonathan Brucker <jonathan.brucke@gmail.com>. |
1055 | | */ |
1056 | | #define LINKTYPE_RDS 265 |
1057 | | |
1058 | | /* |
1059 | | * USB packets, beginning with a Darwin (macOS, etc.) header. |
1060 | | */ |
1061 | | #define LINKTYPE_USB_DARWIN 266 |
1062 | | |
1063 | | /* |
1064 | | * OpenBSD DLT_OPENFLOW. |
1065 | | */ |
1066 | | #define LINKTYPE_OPENFLOW 267 |
1067 | | |
1068 | | /* |
1069 | | * SDLC frames containing SNA PDUs. |
1070 | | */ |
1071 | | #define LINKTYPE_SDLC 268 |
1072 | | |
1073 | | /* |
1074 | | * per "Selvig, Bjorn" <b.selvig@ti.com> used for |
1075 | | * TI protocol sniffer. |
1076 | | */ |
1077 | | #define LINKTYPE_TI_LLN_SNIFFER 269 |
1078 | | |
1079 | | /* |
1080 | | * per: Erik de Jong <erikdejong at gmail.com> for |
1081 | | * https://github.com/eriknl/LoRaTap/releases/tag/v0.1 |
1082 | | */ |
1083 | | #define LINKTYPE_LORATAP 270 |
1084 | | |
1085 | | /* |
1086 | | * per: Stefanha at gmail.com for |
1087 | | * https://lists.sandelman.ca/pipermail/tcpdump-workers/2017-May/000772.html |
1088 | | * and: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/uapi/linux/vsockmon.h |
1089 | | * for: https://qemu-project.org/Features/VirtioVsock |
1090 | | */ |
1091 | | #define LINKTYPE_VSOCK 271 |
1092 | | |
1093 | | /* |
1094 | | * Nordic Semiconductor Bluetooth LE sniffer. |
1095 | | */ |
1096 | | #define LINKTYPE_NORDIC_BLE 272 |
1097 | | |
1098 | | /* |
1099 | | * Excentis DOCSIS 3.1 RF sniffer (XRA-31) |
1100 | | * per: bruno.verstuyft at excentis.com |
1101 | | * https://www.xra31.com/xra-header |
1102 | | */ |
1103 | | #define LINKTYPE_DOCSIS31_XRA31 273 |
1104 | | |
1105 | | /* |
1106 | | * mPackets, as specified by IEEE 802.3br Figure 99-4, starting |
1107 | | * with the preamble and always ending with a CRC field. |
1108 | | */ |
1109 | | #define LINKTYPE_ETHERNET_MPACKET 274 |
1110 | | |
1111 | | /* |
1112 | | * DisplayPort AUX channel monitoring data as specified by VESA |
1113 | | * DisplayPort(DP) Standard preceded by a pseudo-header. |
1114 | | * per dirk.eibach at gdsys.cc |
1115 | | */ |
1116 | | #define LINKTYPE_DISPLAYPORT_AUX 275 |
1117 | | |
1118 | | /* |
1119 | | * Linux cooked sockets v2. |
1120 | | */ |
1121 | | #define LINKTYPE_LINUX_SLL2 276 |
1122 | | |
1123 | | /* |
1124 | | * Sercos Monitor, per Manuel Jacob <manuel.jacob at steinbeis-stg.de> |
1125 | | */ |
1126 | | #define LINKTYPE_SERCOS_MONITOR 277 |
1127 | | |
1128 | | /* |
1129 | | * OpenVizsla http://openvizsla.org is open source USB analyzer hardware. |
1130 | | * It consists of FPGA with attached USB phy and FTDI chip for streaming |
1131 | | * the data to the host PC. |
1132 | | * |
1133 | | * Current OpenVizsla data encapsulation format is described here: |
1134 | | * https://github.com/matwey/libopenvizsla/wiki/OpenVizsla-protocol-description |
1135 | | * |
1136 | | */ |
1137 | | #define LINKTYPE_OPENVIZSLA 278 |
1138 | | |
1139 | | /* |
1140 | | * The Elektrobit High Speed Capture and Replay (EBHSCR) protocol is produced |
1141 | | * by a PCIe Card for interfacing high speed automotive interfaces. |
1142 | | * |
1143 | | * The specification for this frame format can be found at: |
1144 | | * https://www.elektrobit.com/ebhscr |
1145 | | * |
1146 | | * for Guenter.Ebermann at elektrobit.com |
1147 | | * |
1148 | | */ |
1149 | | #define LINKTYPE_EBHSCR 279 |
1150 | | |
1151 | | /* |
1152 | | * The https://fd.io vpp graph dispatch tracer produces pcap trace files |
1153 | | * in the format documented here: |
1154 | | * https://fdio-vpp.readthedocs.io/en/latest/gettingstarted/developers/vnet.html#graph-dispatcher-pcap-tracing |
1155 | | */ |
1156 | | #define LINKTYPE_VPP_DISPATCH 280 |
1157 | | |
1158 | | /* |
1159 | | * Broadcom Ethernet switches (ROBO switch) 4 bytes proprietary tagging format. |
1160 | | */ |
1161 | | #define LINKTYPE_DSA_TAG_BRCM 281 |
1162 | | #define LINKTYPE_DSA_TAG_BRCM_PREPEND 282 |
1163 | | |
1164 | | /* |
1165 | | * IEEE 802.15.4 with pseudo-header and optional meta-data TLVs, PHY payload |
1166 | | * exactly as it appears in the spec (no padding, no nothing), and FCS if |
1167 | | * specified by FCS Type TLV; requested by James Ko <jck@exegin.com>. |
1168 | | * Specification at https://github.com/jkcko/ieee802.15.4-tap |
1169 | | */ |
1170 | | #define LINKTYPE_IEEE802_15_4_TAP 283 |
1171 | | |
1172 | | /* |
1173 | | * Marvell (Ethertype) Distributed Switch Architecture proprietary tagging format. |
1174 | | */ |
1175 | | #define LINKTYPE_DSA_TAG_DSA 284 |
1176 | | #define LINKTYPE_DSA_TAG_EDSA 285 |
1177 | | |
1178 | | /* |
1179 | | * Payload of lawful intercept packets using the ELEE protocol; |
1180 | | * https://socket.hr/draft-dfranusic-opsawg-elee-00.xml |
1181 | | * https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi?url=https://socket.hr/draft-dfranusic-opsawg-elee-00.xml&modeAsFormat=html/ascii |
1182 | | */ |
1183 | | #define LINKTYPE_ELEE 286 |
1184 | | |
1185 | | /* |
1186 | | * Serial frames transmitted between a host and a Z-Wave chip. |
1187 | | */ |
1188 | | #define LINKTYPE_Z_WAVE_SERIAL 287 |
1189 | | |
1190 | | /* |
1191 | | * USB 2.0, 1.1, and 1.0 packets as transmitted over the cable. |
1192 | | * Deprecated in favor of speed specific LINKTYPEs: LINKTYPE_USB_2_0_LOW_SPEED, |
1193 | | * LINKTYPE_USB_2_0_FULL_SPEED and LINKTYPE_USB_2_0_HIGH_SPEED. |
1194 | | */ |
1195 | | #define LINKTYPE_USB_2_0 288 |
1196 | | |
1197 | | /* |
1198 | | * ATSC Link-Layer Protocol (A/330) packets. |
1199 | | */ |
1200 | | #define LINKTYPE_ATSC_ALP 289 |
1201 | | |
1202 | | /* |
1203 | | * Event Tracing for Windows messages. |
1204 | | */ |
1205 | | #define LINKTYPE_ETW 290 |
1206 | | |
1207 | | /* |
1208 | | * Hilscher Gesellschaft fuer Systemautomation mbH |
1209 | | * netANALYZER NG hardware and software. |
1210 | | * |
1211 | | * The specification for this footer can be found at: |
1212 | | * https://kb.hilscher.com/x/brDJBw |
1213 | | * |
1214 | | * Requested by Jan Adam <jadam@hilscher.com> |
1215 | | */ |
1216 | | #define LINKTYPE_NETANALYZER_NG 291 |
1217 | | |
1218 | | /* |
1219 | | * Serial NCP (Network Co-Processor) protocol for Zigbee stack ZBOSS |
1220 | | * by DSR. |
1221 | | * ZBOSS NCP protocol description: https://cloud.dsr-corporation.com/index.php/s/3isHzaNTTgtJebn |
1222 | | * Header in pcap file: https://cloud.dsr-corporation.com/index.php/s/fiqSDorAAAZrsYB |
1223 | | * |
1224 | | * Requested by Eugene Exarevsky <eugene.exarevsky@dsr-corporation.com> |
1225 | | */ |
1226 | | #define LINKTYPE_ZBOSS_NCP 292 |
1227 | | |
1228 | | /* |
1229 | | * USB 2.0, 1.1, and 1.0 packets as transmitted over the cable. |
1230 | | */ |
1231 | | #define LINKTYPE_USB_2_0_LOW_SPEED 293 |
1232 | | #define LINKTYPE_USB_2_0_FULL_SPEED 294 |
1233 | | #define LINKTYPE_USB_2_0_HIGH_SPEED 295 |
1234 | | |
1235 | | /* |
1236 | | * Auerswald Logger Protocol |
1237 | | * description is provided on |
1238 | | * https://github.com/Auerswald-GmbH/auerlog/blob/master/auerlog.txt |
1239 | | * requested by Auerswald Developer Team <developer(at)auerswald.de> |
1240 | | */ |
1241 | | #define LINKTYPE_AUERSWALD_LOG 296 |
1242 | | |
1243 | 0 | #define LINKTYPE_MATCHING_MAX 296 /* highest value in the "matching" range */ |
1244 | | |
1245 | | |
1246 | | /* |
1247 | | * The DLT_ and LINKTYPE_ values in the "matching" range should be the |
1248 | | * same, so DLT_MATCHING_MAX and LINKTYPE_MATCHING_MAX should be the |
1249 | | * same. |
1250 | | */ |
1251 | | #if LINKTYPE_MATCHING_MAX != DLT_MATCHING_MAX |
1252 | | #error The LINKTYPE_ matching range does not match the DLT_ matching range |
1253 | | #endif |
1254 | | |
1255 | | static struct linktype_map { |
1256 | | int dlt; |
1257 | | int linktype; |
1258 | | } map[] = { |
1259 | | /* |
1260 | | * These DLT_* codes have LINKTYPE_* codes with values identical |
1261 | | * to the values of the corresponding DLT_* code. |
1262 | | */ |
1263 | | { DLT_NULL, LINKTYPE_NULL }, |
1264 | | { DLT_EN10MB, LINKTYPE_ETHERNET }, |
1265 | | { DLT_EN3MB, LINKTYPE_EXP_ETHERNET }, |
1266 | | { DLT_AX25, LINKTYPE_AX25 }, |
1267 | | { DLT_PRONET, LINKTYPE_PRONET }, |
1268 | | { DLT_CHAOS, LINKTYPE_CHAOS }, |
1269 | | { DLT_IEEE802, LINKTYPE_IEEE802_5 }, |
1270 | | { DLT_ARCNET, LINKTYPE_ARCNET_BSD }, |
1271 | | { DLT_SLIP, LINKTYPE_SLIP }, |
1272 | | { DLT_PPP, LINKTYPE_PPP }, |
1273 | | { DLT_FDDI, LINKTYPE_FDDI }, |
1274 | | { DLT_SYMANTEC_FIREWALL, LINKTYPE_SYMANTEC_FIREWALL }, |
1275 | | |
1276 | | /* |
1277 | | * These DLT_* codes have different values on different |
1278 | | * platforms; we map them to LINKTYPE_* codes that |
1279 | | * have values that should never be equal to any DLT_* |
1280 | | * code. |
1281 | | */ |
1282 | | #ifdef DLT_FR |
1283 | | /* BSD/OS Frame Relay */ |
1284 | | { DLT_FR, LINKTYPE_FRELAY }, |
1285 | | #endif |
1286 | | |
1287 | | { DLT_ATM_RFC1483, LINKTYPE_ATM_RFC1483 }, |
1288 | | { DLT_RAW, LINKTYPE_RAW }, |
1289 | | { DLT_SLIP_BSDOS, LINKTYPE_SLIP_BSDOS }, |
1290 | | { DLT_PPP_BSDOS, LINKTYPE_PPP_BSDOS }, |
1291 | | { DLT_HDLC, LINKTYPE_NETBSD_HDLC }, |
1292 | | |
1293 | | /* BSD/OS Cisco HDLC */ |
1294 | | { DLT_C_HDLC, LINKTYPE_C_HDLC }, |
1295 | | |
1296 | | /* |
1297 | | * These DLT_* codes are not on all platforms, but, so far, |
1298 | | * there don't appear to be any platforms that define |
1299 | | * other codes with those values; we map them to |
1300 | | * different LINKTYPE_* values anyway, just in case. |
1301 | | */ |
1302 | | |
1303 | | /* Linux ATM Classical IP */ |
1304 | | { DLT_ATM_CLIP, LINKTYPE_ATM_CLIP }, |
1305 | | |
1306 | | /* NetBSD sync/async serial PPP (or Cisco HDLC) */ |
1307 | | { DLT_PPP_SERIAL, LINKTYPE_PPP_HDLC }, |
1308 | | |
1309 | | /* NetBSD PPP over Ethernet */ |
1310 | | { DLT_PPP_ETHER, LINKTYPE_PPP_ETHER }, |
1311 | | |
1312 | | /* |
1313 | | * All LINKTYPE_ values between LINKTYPE_MATCHING_MIN |
1314 | | * and LINKTYPE_MATCHING_MAX are mapped to identical |
1315 | | * DLT_ values. |
1316 | | */ |
1317 | | |
1318 | | { -1, -1 } |
1319 | | }; |
1320 | | |
1321 | | int |
1322 | | dlt_to_linktype(int dlt) |
1323 | 0 | { |
1324 | 0 | int i; |
1325 | | |
1326 | | /* |
1327 | | * DLTs that, on some platforms, have values in the matching range |
1328 | | * but that *don't* have the same value as the corresponding |
1329 | | * LINKTYPE because, for some reason, not all OSes have the |
1330 | | * same value for that DLT (note that the DLT's value might be |
1331 | | * outside the matching range on some of those OSes). |
1332 | | */ |
1333 | 0 | if (dlt == DLT_PFSYNC) |
1334 | 0 | return (LINKTYPE_PFSYNC); |
1335 | 0 | if (dlt == DLT_PKTAP) |
1336 | 0 | return (LINKTYPE_PKTAP); |
1337 | | |
1338 | | /* |
1339 | | * For all other values in the matching range, the DLT |
1340 | | * value is the same as the LINKTYPE value. |
1341 | | */ |
1342 | 0 | if (dlt >= DLT_MATCHING_MIN && dlt <= DLT_MATCHING_MAX) |
1343 | 0 | return (dlt); |
1344 | | |
1345 | | /* |
1346 | | * Map the values outside that range. |
1347 | | */ |
1348 | 0 | for (i = 0; map[i].dlt != -1; i++) { |
1349 | 0 | if (map[i].dlt == dlt) |
1350 | 0 | return (map[i].linktype); |
1351 | 0 | } |
1352 | | |
1353 | | /* |
1354 | | * If we don't have a mapping for this DLT, return an |
1355 | | * error; that means that this is a value with no corresponding |
1356 | | * LINKTYPE, and we need to assign one. |
1357 | | */ |
1358 | 0 | return (-1); |
1359 | 0 | } |
1360 | | |
1361 | | int |
1362 | | linktype_to_dlt(int linktype) |
1363 | 0 | { |
1364 | 0 | int i; |
1365 | | |
1366 | | /* |
1367 | | * LINKTYPEs in the matching range that *don't* |
1368 | | * have the same value as the corresponding DLTs |
1369 | | * because, for some reason, not all OSes have the |
1370 | | * same value for that DLT. |
1371 | | */ |
1372 | 0 | if (linktype == LINKTYPE_PFSYNC) |
1373 | 0 | return (DLT_PFSYNC); |
1374 | 0 | if (linktype == LINKTYPE_PKTAP) |
1375 | 0 | return (DLT_PKTAP); |
1376 | | |
1377 | | /* |
1378 | | * For all other values in the matching range, except for |
1379 | | * LINKTYPE_ATM_CLIP, the LINKTYPE value is the same as |
1380 | | * the DLT value. |
1381 | | * |
1382 | | * LINKTYPE_ATM_CLIP is a special case. DLT_ATM_CLIP is |
1383 | | * not on all platforms, but, so far, there don't appear |
1384 | | * to be any platforms that define it as anything other |
1385 | | * than 19; we define LINKTYPE_ATM_CLIP as something |
1386 | | * other than 19, just in case. That value is in the |
1387 | | * matching range, so we have to check for it. |
1388 | | */ |
1389 | 0 | if (linktype >= LINKTYPE_MATCHING_MIN && |
1390 | 0 | linktype <= LINKTYPE_MATCHING_MAX && |
1391 | 0 | linktype != LINKTYPE_ATM_CLIP) |
1392 | 0 | return (linktype); |
1393 | | |
1394 | | /* |
1395 | | * Map the values outside that range. |
1396 | | */ |
1397 | 0 | for (i = 0; map[i].linktype != -1; i++) { |
1398 | 0 | if (map[i].linktype == linktype) |
1399 | 0 | return (map[i].dlt); |
1400 | 0 | } |
1401 | | |
1402 | | /* |
1403 | | * If we don't have an entry for this LINKTYPE, return |
1404 | | * the link type value; it may be a DLT from an newer |
1405 | | * version of libpcap. |
1406 | | */ |
1407 | 0 | return linktype; |
1408 | 0 | } |
1409 | | |
1410 | | /* |
1411 | | * Return the maximum snapshot length for a given DLT_ value. |
1412 | | * |
1413 | | * For most link-layer types, we use MAXIMUM_SNAPLEN. |
1414 | | * |
1415 | | * For DLT_DBUS, the maximum is 128MiB, as per |
1416 | | * |
1417 | | * https://dbus.freedesktop.org/doc/dbus-specification.html#message-protocol-messages |
1418 | | * |
1419 | | * For DLT_EBHSCR, the maximum is 8MiB, as per |
1420 | | * |
1421 | | * https://www.elektrobit.com/ebhscr |
1422 | | * |
1423 | | * For DLT_USBPCAP, the maximum is 1MiB, as per |
1424 | | * |
1425 | | * https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15985 |
1426 | | */ |
1427 | | u_int |
1428 | | max_snaplen_for_dlt(int dlt) |
1429 | 0 | { |
1430 | 0 | switch (dlt) { |
1431 | | |
1432 | 0 | case DLT_DBUS: |
1433 | 0 | return 128*1024*1024; |
1434 | | |
1435 | 0 | case DLT_EBHSCR: |
1436 | 0 | return 8*1024*1024; |
1437 | | |
1438 | 0 | case DLT_USBPCAP: |
1439 | 0 | return 1024*1024; |
1440 | | |
1441 | 0 | default: |
1442 | 0 | return MAXIMUM_SNAPLEN; |
1443 | 0 | } |
1444 | 0 | } |