1 /* 2 * Copyright (c) 1993, 1994, 1995, 1996, 1997 3 * The Regents of the University of California. All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that: (1) source code distributions 7 * retain the above copyright notice and this paragraph in its entirety, (2) 8 * distributions including binary code include the above copyright notice and 9 * this paragraph in its entirety in the documentation or other materials 10 * provided with the distribution, and (3) all advertising materials mentioning 11 * features or use of this software display the following acknowledgement: 12 * ``This product includes software developed by the University of California, 13 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of 14 * the University nor the names of its contributors may be used to endorse 15 * or promote products derived from this software without specific prior 16 * written permission. 17 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED 18 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF 19 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 20 * 21 * pcap-common.c - common code for pcap and pcap-ng files 22 */ 23 24 #ifdef HAVE_CONFIG_H 25 #include "config.h" 26 #endif 27 28 #ifdef WIN32 29 #include <pcap-stdinc.h> 30 #else /* WIN32 */ 31 #if HAVE_INTTYPES_H 32 #include <inttypes.h> 33 #elif HAVE_STDINT_H 34 #include <stdint.h> 35 #endif 36 #ifdef HAVE_SYS_BITYPES_H 37 #include <sys/bitypes.h> 38 #endif 39 #include <sys/types.h> 40 #endif /* WIN32 */ 41 42 #include "pcap-int.h" 43 #include "pcap/usb.h" 44 45 #include "pcap-common.h" 46 47 /* 48 * We don't write DLT_* values to capture files, because they're not the 49 * same on all platforms. 50 * 51 * Unfortunately, the various flavors of BSD have not always used the same 52 * numerical values for the same data types, and various patches to 53 * libpcap for non-BSD OSes have added their own DLT_* codes for link 54 * layer encapsulation types seen on those OSes, and those codes have had, 55 * in some cases, values that were also used, on other platforms, for other 56 * link layer encapsulation types. 57 * 58 * This means that capture files of a type whose numerical DLT_* code 59 * means different things on different BSDs, or with different versions 60 * of libpcap, can't always be read on systems other than those like 61 * the one running on the machine on which the capture was made. 62 * 63 * Instead, we define here a set of LINKTYPE_* codes, and map DLT_* codes 64 * to LINKTYPE_* codes when writing a savefile header, and map LINKTYPE_* 65 * codes to DLT_* codes when reading a savefile header. 66 * 67 * For those DLT_* codes that have, as far as we know, the same values on 68 * all platforms (DLT_NULL through DLT_FDDI), we define LINKTYPE_xxx as 69 * DLT_xxx; that way, captures of those types can still be read by 70 * versions of libpcap that map LINKTYPE_* values to DLT_* values, and 71 * captures of those types written by versions of libpcap that map DLT_ 72 * values to LINKTYPE_ values can still be read by older versions 73 * of libpcap. 74 * 75 * The other LINKTYPE_* codes are given values starting at 100, in the 76 * hopes that no DLT_* code will be given one of those values. 77 * 78 * In order to ensure that a given LINKTYPE_* code's value will refer to 79 * the same encapsulation type on all platforms, you should not allocate 80 * a new LINKTYPE_* value without consulting 81 * "tcpdump-workers@lists.tcpdump.org". The tcpdump developers will 82 * allocate a value for you, and will not subsequently allocate it to 83 * anybody else; that value will be added to the "pcap.h" in the 84 * tcpdump.org Git repository, so that a future libpcap release will 85 * include it. 86 * 87 * You should, if possible, also contribute patches to libpcap and tcpdump 88 * to handle the new encapsulation type, so that they can also be checked 89 * into the tcpdump.org Git repository and so that they will appear in 90 * future libpcap and tcpdump releases. 91 * 92 * Do *NOT* assume that any values after the largest value in this file 93 * are available; you might not have the most up-to-date version of this 94 * file, and new values after that one might have been assigned. Also, 95 * do *NOT* use any values below 100 - those might already have been 96 * taken by one (or more!) organizations. 97 * 98 * Any platform that defines additional DLT_* codes should: 99 * 100 * request a LINKTYPE_* code and value from tcpdump.org, 101 * as per the above; 102 * 103 * add, in their version of libpcap, an entry to map 104 * those DLT_* codes to the corresponding LINKTYPE_* 105 * code; 106 * 107 * redefine, in their "net/bpf.h", any DLT_* values 108 * that collide with the values used by their additional 109 * DLT_* codes, to remove those collisions (but without 110 * making them collide with any of the LINKTYPE_* 111 * values equal to 50 or above; they should also avoid 112 * defining DLT_* values that collide with those 113 * LINKTYPE_* values, either). 114 */ 115 #define LINKTYPE_NULL DLT_NULL 116 #define LINKTYPE_ETHERNET DLT_EN10MB /* also for 100Mb and up */ 117 #define LINKTYPE_EXP_ETHERNET DLT_EN3MB /* 3Mb experimental Ethernet */ 118 #define LINKTYPE_AX25 DLT_AX25 119 #define LINKTYPE_PRONET DLT_PRONET 120 #define LINKTYPE_CHAOS DLT_CHAOS 121 #define LINKTYPE_IEEE802_5 DLT_IEEE802 /* DLT_IEEE802 is used for 802.5 Token Ring */ 122 #define LINKTYPE_ARCNET_BSD DLT_ARCNET /* BSD-style headers */ 123 #define LINKTYPE_SLIP DLT_SLIP 124 #define LINKTYPE_PPP DLT_PPP 125 #define LINKTYPE_FDDI DLT_FDDI 126 127 /* 128 * LINKTYPE_PPP is for use when there might, or might not, be an RFC 1662 129 * PPP in HDLC-like framing header (with 0xff 0x03 before the PPP protocol 130 * field) at the beginning of the packet. 131 * 132 * This is for use when there is always such a header; the address field 133 * might be 0xff, for regular PPP, or it might be an address field for Cisco 134 * point-to-point with HDLC framing as per section 4.3.1 of RFC 1547 ("Cisco 135 * HDLC"). This is, for example, what you get with NetBSD's DLT_PPP_SERIAL. 136 * 137 * We give it the same value as NetBSD's DLT_PPP_SERIAL, in the hopes that 138 * nobody else will choose a DLT_ value of 50, and so that DLT_PPP_SERIAL 139 * captures will be written out with a link type that NetBSD's tcpdump 140 * can read. 141 */ 142 #define LINKTYPE_PPP_HDLC 50 /* PPP in HDLC-like framing */ 143 144 #define LINKTYPE_PPP_ETHER 51 /* NetBSD PPP-over-Ethernet */ 145 146 #define LINKTYPE_SYMANTEC_FIREWALL 99 /* Symantec Enterprise Firewall */ 147 148 /* 149 * These correspond to DLT_s that have different values on different 150 * platforms; we map between these values in capture files and 151 * the DLT_ values as returned by pcap_datalink() and passed to 152 * pcap_open_dead(). 153 */ 154 #define LINKTYPE_ATM_RFC1483 100 /* LLC/SNAP-encapsulated ATM */ 155 #define LINKTYPE_RAW 101 /* raw IP */ 156 #define LINKTYPE_SLIP_BSDOS 102 /* BSD/OS SLIP BPF header */ 157 #define LINKTYPE_PPP_BSDOS 103 /* BSD/OS PPP BPF header */ 158 159 /* 160 * Values starting with 104 are used for newly-assigned link-layer 161 * header type values; for those link-layer header types, the DLT_ 162 * value returned by pcap_datalink() and passed to pcap_open_dead(), 163 * and the LINKTYPE_ value that appears in capture files, are the 164 * same. 165 * 166 * LINKTYPE_MATCHING_MIN is the lowest such value; LINKTYPE_MATCHING_MAX 167 * is the highest such value. 168 */ 169 #define LINKTYPE_MATCHING_MIN 104 /* lowest value in the "matching" range */ 170 171 #define LINKTYPE_C_HDLC 104 /* Cisco HDLC */ 172 #define LINKTYPE_IEEE802_11 105 /* IEEE 802.11 (wireless) */ 173 #define LINKTYPE_ATM_CLIP 106 /* Linux Classical IP over ATM */ 174 #define LINKTYPE_FRELAY 107 /* Frame Relay */ 175 #define LINKTYPE_LOOP 108 /* OpenBSD loopback */ 176 #define LINKTYPE_ENC 109 /* OpenBSD IPSEC enc */ 177 178 /* 179 * These three types are reserved for future use. 180 */ 181 #define LINKTYPE_LANE8023 110 /* ATM LANE + 802.3 */ 182 #define LINKTYPE_HIPPI 111 /* NetBSD HIPPI */ 183 #define LINKTYPE_HDLC 112 /* NetBSD HDLC framing */ 184 185 #define LINKTYPE_LINUX_SLL 113 /* Linux cooked socket capture */ 186 #define LINKTYPE_LTALK 114 /* Apple LocalTalk hardware */ 187 #define LINKTYPE_ECONET 115 /* Acorn Econet */ 188 189 /* 190 * Reserved for use with OpenBSD ipfilter. 191 */ 192 #define LINKTYPE_IPFILTER 116 193 194 #define LINKTYPE_PFLOG 117 /* OpenBSD DLT_PFLOG */ 195 #define LINKTYPE_CISCO_IOS 118 /* For Cisco-internal use */ 196 #define LINKTYPE_IEEE802_11_PRISM 119 /* 802.11 plus Prism II monitor mode radio metadata header */ 197 #define LINKTYPE_IEEE802_11_AIRONET 120 /* 802.11 plus FreeBSD Aironet driver radio metadata header */ 198 199 /* 200 * Reserved for Siemens HiPath HDLC. 201 */ 202 #define LINKTYPE_HHDLC 121 203 204 #define LINKTYPE_IP_OVER_FC 122 /* RFC 2625 IP-over-Fibre Channel */ 205 #define LINKTYPE_SUNATM 123 /* Solaris+SunATM */ 206 207 /* 208 * Reserved as per request from Kent Dahlgren <kent@praesum.com> 209 * for private use. 210 */ 211 #define LINKTYPE_RIO 124 /* RapidIO */ 212 #define LINKTYPE_PCI_EXP 125 /* PCI Express */ 213 #define LINKTYPE_AURORA 126 /* Xilinx Aurora link layer */ 214 215 #define LINKTYPE_IEEE802_11_RADIOTAP 127 /* 802.11 plus radiotap radio metadata header */ 216 217 /* 218 * Reserved for the TZSP encapsulation, as per request from 219 * Chris Waters <chris.waters@networkchemistry.com> 220 * TZSP is a generic encapsulation for any other link type, 221 * which includes a means to include meta-information 222 * with the packet, e.g. signal strength and channel 223 * for 802.11 packets. 224 */ 225 #define LINKTYPE_TZSP 128 /* Tazmen Sniffer Protocol */ 226 227 #define LINKTYPE_ARCNET_LINUX 129 /* Linux-style headers */ 228 229 /* 230 * Juniper-private data link types, as per request from 231 * Hannes Gredler <hannes@juniper.net>. The corresponding 232 * DLT_s are used for passing on chassis-internal 233 * metainformation such as QOS profiles, etc.. 234 */ 235 #define LINKTYPE_JUNIPER_MLPPP 130 236 #define LINKTYPE_JUNIPER_MLFR 131 237 #define LINKTYPE_JUNIPER_ES 132 238 #define LINKTYPE_JUNIPER_GGSN 133 239 #define LINKTYPE_JUNIPER_MFR 134 240 #define LINKTYPE_JUNIPER_ATM2 135 241 #define LINKTYPE_JUNIPER_SERVICES 136 242 #define LINKTYPE_JUNIPER_ATM1 137 243 244 #define LINKTYPE_APPLE_IP_OVER_IEEE1394 138 /* Apple IP-over-IEEE 1394 cooked header */ 245 246 #define LINKTYPE_MTP2_WITH_PHDR 139 247 #define LINKTYPE_MTP2 140 248 #define LINKTYPE_MTP3 141 249 #define LINKTYPE_SCCP 142 250 251 #define LINKTYPE_DOCSIS 143 /* DOCSIS MAC frames */ 252 253 #define LINKTYPE_LINUX_IRDA 144 /* Linux-IrDA */ 254 255 /* 256 * Reserved for IBM SP switch and IBM Next Federation switch. 257 */ 258 #define LINKTYPE_IBM_SP 145 259 #define LINKTYPE_IBM_SN 146 260 261 /* 262 * Reserved for private use. If you have some link-layer header type 263 * that you want to use within your organization, with the capture files 264 * using that link-layer header type not ever be sent outside your 265 * organization, you can use these values. 266 * 267 * No libpcap release will use these for any purpose, nor will any 268 * tcpdump release use them, either. 269 * 270 * Do *NOT* use these in capture files that you expect anybody not using 271 * your private versions of capture-file-reading tools to read; in 272 * particular, do *NOT* use them in products, otherwise you may find that 273 * people won't be able to use tcpdump, or snort, or Ethereal, or... to 274 * read capture files from your firewall/intrusion detection/traffic 275 * monitoring/etc. appliance, or whatever product uses that LINKTYPE_ value, 276 * and you may also find that the developers of those applications will 277 * not accept patches to let them read those files. 278 * 279 * Also, do not use them if somebody might send you a capture using them 280 * for *their* private type and tools using them for *your* private type 281 * would have to read them. 282 * 283 * Instead, in those cases, ask "tcpdump-workers@lists.tcpdump.org" for a 284 * new DLT_ and LINKTYPE_ value, as per the comment in pcap/bpf.h, and use 285 * the type you're given. 286 */ 287 #define LINKTYPE_USER0 147 288 #define LINKTYPE_USER1 148 289 #define LINKTYPE_USER2 149 290 #define LINKTYPE_USER3 150 291 #define LINKTYPE_USER4 151 292 #define LINKTYPE_USER5 152 293 #define LINKTYPE_USER6 153 294 #define LINKTYPE_USER7 154 295 #define LINKTYPE_USER8 155 296 #define LINKTYPE_USER9 156 297 #define LINKTYPE_USER10 157 298 #define LINKTYPE_USER11 158 299 #define LINKTYPE_USER12 159 300 #define LINKTYPE_USER13 160 301 #define LINKTYPE_USER14 161 302 #define LINKTYPE_USER15 162 303 304 /* 305 * For future use with 802.11 captures - defined by AbsoluteValue 306 * Systems to store a number of bits of link-layer information 307 * including radio information: 308 * 309 * http://www.shaftnet.org/~pizza/software/capturefrm.txt 310 */ 311 #define LINKTYPE_IEEE802_11_AVS 163 /* 802.11 plus AVS radio metadata header */ 312 313 /* 314 * Juniper-private data link type, as per request from 315 * Hannes Gredler <hannes@juniper.net>. The corresponding 316 * DLT_s are used for passing on chassis-internal 317 * metainformation such as QOS profiles, etc.. 318 */ 319 #define LINKTYPE_JUNIPER_MONITOR 164 320 321 /* 322 * BACnet MS/TP frames. 323 */ 324 #define LINKTYPE_BACNET_MS_TP 165 325 326 /* 327 * Another PPP variant as per request from Karsten Keil <kkeil@suse.de>. 328 * 329 * This is used in some OSes to allow a kernel socket filter to distinguish 330 * between incoming and outgoing packets, on a socket intended to 331 * supply pppd with outgoing packets so it can do dial-on-demand and 332 * hangup-on-lack-of-demand; incoming packets are filtered out so they 333 * don't cause pppd to hold the connection up (you don't want random 334 * input packets such as port scans, packets from old lost connections, 335 * etc. to force the connection to stay up). 336 * 337 * The first byte of the PPP header (0xff03) is modified to accomodate 338 * the direction - 0x00 = IN, 0x01 = OUT. 339 */ 340 #define LINKTYPE_PPP_PPPD 166 341 342 /* 343 * Juniper-private data link type, as per request from 344 * Hannes Gredler <hannes@juniper.net>. The DLT_s are used 345 * for passing on chassis-internal metainformation such as 346 * QOS profiles, cookies, etc.. 347 */ 348 #define LINKTYPE_JUNIPER_PPPOE 167 349 #define LINKTYPE_JUNIPER_PPPOE_ATM 168 350 351 #define LINKTYPE_GPRS_LLC 169 /* GPRS LLC */ 352 #define LINKTYPE_GPF_T 170 /* GPF-T (ITU-T G.7041/Y.1303) */ 353 #define LINKTYPE_GPF_F 171 /* GPF-T (ITU-T G.7041/Y.1303) */ 354 355 /* 356 * Requested by Oolan Zimmer <oz@gcom.com> for use in Gcom's T1/E1 line 357 * monitoring equipment. 358 */ 359 #define LINKTYPE_GCOM_T1E1 172 360 #define LINKTYPE_GCOM_SERIAL 173 361 362 /* 363 * Juniper-private data link type, as per request from 364 * Hannes Gredler <hannes@juniper.net>. The DLT_ is used 365 * for internal communication to Physical Interface Cards (PIC) 366 */ 367 #define LINKTYPE_JUNIPER_PIC_PEER 174 368 369 /* 370 * Link types requested by Gregor Maier <gregor@endace.com> of Endace 371 * Measurement Systems. They add an ERF header (see 372 * http://www.endace.com/support/EndaceRecordFormat.pdf) in front of 373 * the link-layer header. 374 */ 375 #define LINKTYPE_ERF_ETH 175 /* Ethernet */ 376 #define LINKTYPE_ERF_POS 176 /* Packet-over-SONET */ 377 378 /* 379 * Requested by Daniele Orlandi <daniele@orlandi.com> for raw LAPD 380 * for vISDN (http://www.orlandi.com/visdn/). Its link-layer header 381 * includes additional information before the LAPD header, so it's 382 * not necessarily a generic LAPD header. 383 */ 384 #define LINKTYPE_LINUX_LAPD 177 385 386 /* 387 * Juniper-private data link type, as per request from 388 * Hannes Gredler <hannes@juniper.net>. 389 * The Link Types are used for prepending meta-information 390 * like interface index, interface name 391 * before standard Ethernet, PPP, Frelay & C-HDLC Frames 392 */ 393 #define LINKTYPE_JUNIPER_ETHER 178 394 #define LINKTYPE_JUNIPER_PPP 179 395 #define LINKTYPE_JUNIPER_FRELAY 180 396 #define LINKTYPE_JUNIPER_CHDLC 181 397 398 /* 399 * Multi Link Frame Relay (FRF.16) 400 */ 401 #define LINKTYPE_MFR 182 402 403 /* 404 * Juniper-private data link type, as per request from 405 * Hannes Gredler <hannes@juniper.net>. 406 * The DLT_ is used for internal communication with a 407 * voice Adapter Card (PIC) 408 */ 409 #define LINKTYPE_JUNIPER_VP 183 410 411 /* 412 * Arinc 429 frames. 413 * DLT_ requested by Gianluca Varenni <gianluca.varenni@cacetech.com>. 414 * Every frame contains a 32bit A429 label. 415 * More documentation on Arinc 429 can be found at 416 * http://www.condoreng.com/support/downloads/tutorials/ARINCTutorial.pdf 417 */ 418 #define LINKTYPE_A429 184 419 420 /* 421 * Arinc 653 Interpartition Communication messages. 422 * DLT_ requested by Gianluca Varenni <gianluca.varenni@cacetech.com>. 423 * Please refer to the A653-1 standard for more information. 424 */ 425 #define LINKTYPE_A653_ICM 185 426 427 /* 428 * USB packets, beginning with a USB setup header; requested by 429 * Paolo Abeni <paolo.abeni@email.it>. 430 */ 431 #define LINKTYPE_USB 186 432 433 /* 434 * Bluetooth HCI UART transport layer (part H:4); requested by 435 * Paolo Abeni. 436 */ 437 #define LINKTYPE_BLUETOOTH_HCI_H4 187 438 439 /* 440 * IEEE 802.16 MAC Common Part Sublayer; requested by Maria Cruz 441 * <cruz_petagay@bah.com>. 442 */ 443 #define LINKTYPE_IEEE802_16_MAC_CPS 188 444 445 /* 446 * USB packets, beginning with a Linux USB header; requested by 447 * Paolo Abeni <paolo.abeni@email.it>. 448 */ 449 #define LINKTYPE_USB_LINUX 189 450 451 /* 452 * Controller Area Network (CAN) v. 2.0B packets. 453 * DLT_ requested by Gianluca Varenni <gianluca.varenni@cacetech.com>. 454 * Used to dump CAN packets coming from a CAN Vector board. 455 * More documentation on the CAN v2.0B frames can be found at 456 * http://www.can-cia.org/downloads/?269 457 */ 458 #define LINKTYPE_CAN20B 190 459 460 /* 461 * IEEE 802.15.4, with address fields padded, as is done by Linux 462 * drivers; requested by Juergen Schimmer. 463 */ 464 #define LINKTYPE_IEEE802_15_4_LINUX 191 465 466 /* 467 * Per Packet Information encapsulated packets. 468 * LINKTYPE_ requested by Gianluca Varenni <gianluca.varenni@cacetech.com>. 469 */ 470 #define LINKTYPE_PPI 192 471 472 /* 473 * Header for 802.16 MAC Common Part Sublayer plus a radiotap radio header; 474 * requested by Charles Clancy. 475 */ 476 #define LINKTYPE_IEEE802_16_MAC_CPS_RADIO 193 477 478 /* 479 * Juniper-private data link type, as per request from 480 * Hannes Gredler <hannes@juniper.net>. 481 * The DLT_ is used for internal communication with a 482 * integrated service module (ISM). 483 */ 484 #define LINKTYPE_JUNIPER_ISM 194 485 486 /* 487 * IEEE 802.15.4, exactly as it appears in the spec (no padding, no 488 * nothing); requested by Mikko Saarnivala <mikko.saarnivala@sensinode.com>. 489 */ 490 #define LINKTYPE_IEEE802_15_4 195 491 492 /* 493 * Various link-layer types, with a pseudo-header, for SITA 494 * (http://www.sita.aero/); requested by Fulko Hew (fulko.hew@gmail.com). 495 */ 496 #define LINKTYPE_SITA 196 497 498 /* 499 * Various link-layer types, with a pseudo-header, for Endace DAG cards; 500 * encapsulates Endace ERF records. Requested by Stephen Donnelly 501 * <stephen@endace.com>. 502 */ 503 #define LINKTYPE_ERF 197 504 505 /* 506 * Special header prepended to Ethernet packets when capturing from a 507 * u10 Networks board. Requested by Phil Mulholland 508 * <phil@u10networks.com>. 509 */ 510 #define LINKTYPE_RAIF1 198 511 512 /* 513 * IPMB packet for IPMI, beginning with the I2C slave address, followed 514 * by the netFn and LUN, etc.. Requested by Chanthy Toeung 515 * <chanthy.toeung@ca.kontron.com>. 516 */ 517 #define LINKTYPE_IPMB 199 518 519 /* 520 * Juniper-private data link type, as per request from 521 * Hannes Gredler <hannes@juniper.net>. 522 * The DLT_ is used for capturing data on a secure tunnel interface. 523 */ 524 #define LINKTYPE_JUNIPER_ST 200 525 526 /* 527 * Bluetooth HCI UART transport layer (part H:4), with pseudo-header 528 * that includes direction information; requested by Paolo Abeni. 529 */ 530 #define LINKTYPE_BLUETOOTH_HCI_H4_WITH_PHDR 201 531 532 /* 533 * AX.25 packet with a 1-byte KISS header; see 534 * 535 * http://www.ax25.net/kiss.htm 536 * 537 * as per Richard Stearn <richard@rns-stearn.demon.co.uk>. 538 */ 539 #define LINKTYPE_AX25_KISS 202 540 541 /* 542 * LAPD packets from an ISDN channel, starting with the address field, 543 * with no pseudo-header. 544 * Requested by Varuna De Silva <varunax@gmail.com>. 545 */ 546 #define LINKTYPE_LAPD 203 547 548 /* 549 * Variants of various link-layer headers, with a one-byte direction 550 * pseudo-header prepended - zero means "received by this host", 551 * non-zero (any non-zero value) means "sent by this host" - as per 552 * Will Barker <w.barker@zen.co.uk>. 553 */ 554 #define LINKTYPE_PPP_WITH_DIR 204 /* PPP */ 555 #define LINKTYPE_C_HDLC_WITH_DIR 205 /* Cisco HDLC */ 556 #define LINKTYPE_FRELAY_WITH_DIR 206 /* Frame Relay */ 557 #define LINKTYPE_LAPB_WITH_DIR 207 /* LAPB */ 558 559 /* 560 * 208 is reserved for an as-yet-unspecified proprietary link-layer 561 * type, as requested by Will Barker. 562 */ 563 564 /* 565 * IPMB with a Linux-specific pseudo-header; as requested by Alexey Neyman 566 * <avn@pigeonpoint.com>. 567 */ 568 #define LINKTYPE_IPMB_LINUX 209 569 570 /* 571 * FlexRay automotive bus - http://www.flexray.com/ - as requested 572 * by Hannes Kaelber <hannes.kaelber@x2e.de>. 573 */ 574 #define LINKTYPE_FLEXRAY 210 575 576 /* 577 * Media Oriented Systems Transport (MOST) bus for multimedia 578 * transport - http://www.mostcooperation.com/ - as requested 579 * by Hannes Kaelber <hannes.kaelber@x2e.de>. 580 */ 581 #define LINKTYPE_MOST 211 582 583 /* 584 * Local Interconnect Network (LIN) bus for vehicle networks - 585 * http://www.lin-subbus.org/ - as requested by Hannes Kaelber 586 * <hannes.kaelber@x2e.de>. 587 */ 588 #define LINKTYPE_LIN 212 589 590 /* 591 * X2E-private data link type used for serial line capture, 592 * as requested by Hannes Kaelber <hannes.kaelber@x2e.de>. 593 */ 594 #define LINKTYPE_X2E_SERIAL 213 595 596 /* 597 * X2E-private data link type used for the Xoraya data logger 598 * family, as requested by Hannes Kaelber <hannes.kaelber@x2e.de>. 599 */ 600 #define LINKTYPE_X2E_XORAYA 214 601 602 /* 603 * IEEE 802.15.4, exactly as it appears in the spec (no padding, no 604 * nothing), but with the PHY-level data for non-ASK PHYs (4 octets 605 * of 0 as preamble, one octet of SFD, one octet of frame length+ 606 * reserved bit, and then the MAC-layer data, starting with the 607 * frame control field). 608 * 609 * Requested by Max Filippov <jcmvbkbc@gmail.com>. 610 */ 611 #define LINKTYPE_IEEE802_15_4_NONASK_PHY 215 612 613 /* 614 * David Gibson <david@gibson.dropbear.id.au> requested this for 615 * captures from the Linux kernel /dev/input/eventN devices. This 616 * is used to communicate keystrokes and mouse movements from the 617 * Linux kernel to display systems, such as Xorg. 618 */ 619 #define LINKTYPE_LINUX_EVDEV 216 620 621 /* 622 * GSM Um and Abis interfaces, preceded by a "gsmtap" header. 623 * 624 * Requested by Harald Welte <laforge@gnumonks.org>. 625 */ 626 #define LINKTYPE_GSMTAP_UM 217 627 #define LINKTYPE_GSMTAP_ABIS 218 628 629 /* 630 * MPLS, with an MPLS label as the link-layer header. 631 * Requested by Michele Marchetto <michele@openbsd.org> on behalf 632 * of OpenBSD. 633 */ 634 #define LINKTYPE_MPLS 219 635 636 /* 637 * USB packets, beginning with a Linux USB header, with the USB header 638 * padded to 64 bytes; required for memory-mapped access. 639 */ 640 #define LINKTYPE_USB_LINUX_MMAPPED 220 641 642 /* 643 * DECT packets, with a pseudo-header; requested by 644 * Matthias Wenzel <tcpdump@mazzoo.de>. 645 */ 646 #define LINKTYPE_DECT 221 647 648 /* 649 * From: "Lidwa, Eric (GSFC-582.0)[SGT INC]" <eric.lidwa-1@nasa.gov> 650 * Date: Mon, 11 May 2009 11:18:30 -0500 651 * 652 * DLT_AOS. We need it for AOS Space Data Link Protocol. 653 * I have already written dissectors for but need an OK from 654 * legal before I can submit a patch. 655 * 656 */ 657 #define LINKTYPE_AOS 222 658 659 /* 660 * Wireless HART (Highway Addressable Remote Transducer) 661 * From the HART Communication Foundation 662 * IES/PAS 62591 663 * 664 * Requested by Sam Roberts <vieuxtech@gmail.com>. 665 */ 666 #define LINKTYPE_WIHART 223 667 668 /* 669 * Fibre Channel FC-2 frames, beginning with a Frame_Header. 670 * Requested by Kahou Lei <kahou82@gmail.com>. 671 */ 672 #define LINKTYPE_FC_2 224 673 674 /* 675 * Fibre Channel FC-2 frames, beginning with an encoding of the 676 * SOF, and ending with an encoding of the EOF. 677 * 678 * The encodings represent the frame delimiters as 4-byte sequences 679 * representing the corresponding ordered sets, with K28.5 680 * represented as 0xBC, and the D symbols as the corresponding 681 * byte values; for example, SOFi2, which is K28.5 - D21.5 - D1.2 - D21.2, 682 * is represented as 0xBC 0xB5 0x55 0x55. 683 * 684 * Requested by Kahou Lei <kahou82@gmail.com>. 685 */ 686 #define LINKTYPE_FC_2_WITH_FRAME_DELIMS 225 687 688 /* 689 * Solaris ipnet pseudo-header; requested by Darren Reed <Darren.Reed@Sun.COM>. 690 * 691 * The pseudo-header starts with a one-byte version number; for version 2, 692 * the pseudo-header is: 693 * 694 * struct dl_ipnetinfo { 695 * u_int8_t dli_version; 696 * u_int8_t dli_family; 697 * u_int16_t dli_htype; 698 * u_int32_t dli_pktlen; 699 * u_int32_t dli_ifindex; 700 * u_int32_t dli_grifindex; 701 * u_int32_t dli_zsrc; 702 * u_int32_t dli_zdst; 703 * }; 704 * 705 * dli_version is 2 for the current version of the pseudo-header. 706 * 707 * dli_family is a Solaris address family value, so it's 2 for IPv4 708 * and 26 for IPv6. 709 * 710 * dli_htype is a "hook type" - 0 for incoming packets, 1 for outgoing 711 * packets, and 2 for packets arriving from another zone on the same 712 * machine. 713 * 714 * dli_pktlen is the length of the packet data following the pseudo-header 715 * (so the captured length minus dli_pktlen is the length of the 716 * pseudo-header, assuming the entire pseudo-header was captured). 717 * 718 * dli_ifindex is the interface index of the interface on which the 719 * packet arrived. 720 * 721 * dli_grifindex is the group interface index number (for IPMP interfaces). 722 * 723 * dli_zsrc is the zone identifier for the source of the packet. 724 * 725 * dli_zdst is the zone identifier for the destination of the packet. 726 * 727 * A zone number of 0 is the global zone; a zone number of 0xffffffff 728 * means that the packet arrived from another host on the network, not 729 * from another zone on the same machine. 730 * 731 * An IPv4 or IPv6 datagram follows the pseudo-header; dli_family indicates 732 * which of those it is. 733 */ 734 #define LINKTYPE_IPNET 226 735 736 /* 737 * CAN (Controller Area Network) frames, with a pseudo-header as supplied 738 * by Linux SocketCAN. See Documentation/networking/can.txt in the Linux 739 * source. 740 * 741 * Requested by Felix Obenhuber <felix@obenhuber.de>. 742 */ 743 #define LINKTYPE_CAN_SOCKETCAN 227 744 745 /* 746 * Raw IPv4/IPv6; different from DLT_RAW in that the DLT_ value specifies 747 * whether it's v4 or v6. Requested by Darren Reed <Darren.Reed@Sun.COM>. 748 */ 749 #define LINKTYPE_IPV4 228 750 #define LINKTYPE_IPV6 229 751 752 /* 753 * IEEE 802.15.4, exactly as it appears in the spec (no padding, no 754 * nothing), and with no FCS at the end of the frame; requested by 755 * Jon Smirl <jonsmirl@gmail.com>. 756 */ 757 #define LINKTYPE_IEEE802_15_4_NOFCS 230 758 759 /* 760 * Raw D-Bus: 761 * 762 * http://www.freedesktop.org/wiki/Software/dbus 763 * 764 * messages: 765 * 766 * http://dbus.freedesktop.org/doc/dbus-specification.html#message-protocol-messages 767 * 768 * starting with the endianness flag, followed by the message type, etc., 769 * but without the authentication handshake before the message sequence: 770 * 771 * http://dbus.freedesktop.org/doc/dbus-specification.html#auth-protocol 772 * 773 * Requested by Martin Vidner <martin@vidner.net>. 774 */ 775 #define LINKTYPE_DBUS 231 776 777 /* 778 * Juniper-private data link type, as per request from 779 * Hannes Gredler <hannes@juniper.net>. 780 */ 781 #define LINKTYPE_JUNIPER_VS 232 782 #define LINKTYPE_JUNIPER_SRX_E2E 233 783 #define LINKTYPE_JUNIPER_FIBRECHANNEL 234 784 785 /* 786 * DVB-CI (DVB Common Interface for communication between a PC Card 787 * module and a DVB receiver). See 788 * 789 * http://www.kaiser.cx/pcap-dvbci.html 790 * 791 * for the specification. 792 * 793 * Requested by Martin Kaiser <martin@kaiser.cx>. 794 */ 795 #define LINKTYPE_DVB_CI 235 796 797 /* 798 * Variant of 3GPP TS 27.010 multiplexing protocol. Requested 799 * by Hans-Christoph Schemmel <hans-christoph.schemmel@cinterion.com>. 800 */ 801 #define LINKTYPE_MUX27010 236 802 803 /* 804 * STANAG 5066 D_PDUs. Requested by M. Baris Demiray 805 * <barisdemiray@gmail.com>. 806 */ 807 #define LINKTYPE_STANAG_5066_D_PDU 237 808 809 /* 810 * Juniper-private data link type, as per request from 811 * Hannes Gredler <hannes@juniper.net>. 812 */ 813 #define LINKTYPE_JUNIPER_ATM_CEMIC 238 814 815 /* 816 * NetFilter LOG messages 817 * (payload of netlink NFNL_SUBSYS_ULOG/NFULNL_MSG_PACKET packets) 818 * 819 * Requested by Jakub Zawadzki <darkjames-ws@darkjames.pl> 820 */ 821 #define LINKTYPE_NFLOG 239 822 823 /* 824 * Hilscher Gesellschaft fuer Systemautomation mbH link-layer type 825 * for Ethernet packets with a 4-byte pseudo-header and always 826 * with the payload including the FCS, as supplied by their 827 * netANALYZER hardware and software. 828 * 829 * Requested by Holger P. Frommer <HPfrommer@hilscher.com> 830 */ 831 #define LINKTYPE_NETANALYZER 240 832 833 /* 834 * Hilscher Gesellschaft fuer Systemautomation mbH link-layer type 835 * for Ethernet packets with a 4-byte pseudo-header and FCS and 836 * 1 byte of SFD, as supplied by their netANALYZER hardware and 837 * software. 838 * 839 * Requested by Holger P. Frommer <HPfrommer@hilscher.com> 840 */ 841 #define LINKTYPE_NETANALYZER_TRANSPARENT 241 842 843 /* 844 * IP-over-Infiniband, as specified by RFC 4391. 845 * 846 * Requested by Petr Sumbera <petr.sumbera@oracle.com>. 847 */ 848 #define LINKTYPE_IPOIB 242 849 850 /* 851 * MPEG-2 transport stream (ISO 13818-1/ITU-T H.222.0). 852 * 853 * Requested by Guy Martin <gmsoft@tuxicoman.be>. 854 */ 855 #define LINKTYPE_MPEG_2_TS 243 856 857 /* 858 * ng4T GmbH's UMTS Iub/Iur-over-ATM and Iub/Iur-over-IP format as 859 * used by their ng40 protocol tester. 860 * 861 * Requested by Jens Grimmer <jens.grimmer@ng4t.com>. 862 */ 863 #define LINKTYPE_NG40 244 864 865 /* 866 * Pseudo-header giving adapter number and flags, followed by an NFC 867 * (Near-Field Communications) Logical Link Control Protocol (LLCP) PDU, 868 * as specified by NFC Forum Logical Link Control Protocol Technical 869 * Specification LLCP 1.1. 870 * 871 * Requested by Mike Wakerly <mikey@google.com>. 872 */ 873 #define LINKTYPE_NFC_LLCP 245 874 875 /* 876 * pfsync output; DLT_PFSYNC is 18, which collides with DLT_CIP in 877 * SuSE 6.3, on OpenBSD, NetBSD, DragonFly BSD, and Mac OS X, and 878 * is 121, which collides with DLT_HHDLC, in FreeBSD. We pick a 879 * shiny new link-layer header type value that doesn't collide with 880 * anything, in the hopes that future pfsync savefiles, if any, 881 * won't require special hacks to distinguish from other savefiles. 882 * 883 */ 884 #define LINKTYPE_PFSYNC 246 885 886 #define LINKTYPE_MATCHING_MAX 246 /* highest value in the "matching" range */ 887 888 static struct linktype_map { 889 int dlt; 890 int linktype; 891 } map[] = { 892 /* 893 * These DLT_* codes have LINKTYPE_* codes with values identical 894 * to the values of the corresponding DLT_* code. 895 */ 896 { DLT_NULL, LINKTYPE_NULL }, 897 { DLT_EN10MB, LINKTYPE_ETHERNET }, 898 { DLT_EN3MB, LINKTYPE_EXP_ETHERNET }, 899 { DLT_AX25, LINKTYPE_AX25 }, 900 { DLT_PRONET, LINKTYPE_PRONET }, 901 { DLT_CHAOS, LINKTYPE_CHAOS }, 902 { DLT_IEEE802, LINKTYPE_IEEE802_5 }, 903 { DLT_ARCNET, LINKTYPE_ARCNET_BSD }, 904 { DLT_SLIP, LINKTYPE_SLIP }, 905 { DLT_PPP, LINKTYPE_PPP }, 906 { DLT_FDDI, LINKTYPE_FDDI }, 907 { DLT_SYMANTEC_FIREWALL, LINKTYPE_SYMANTEC_FIREWALL }, 908 909 /* 910 * These DLT_* codes have different values on different 911 * platforms; we map them to LINKTYPE_* codes that 912 * have values that should never be equal to any DLT_* 913 * code. 914 */ 915 #ifdef DLT_FR 916 /* BSD/OS Frame Relay */ 917 { DLT_FR, LINKTYPE_FRELAY }, 918 #endif 919 920 { DLT_ATM_RFC1483, LINKTYPE_ATM_RFC1483 }, 921 { DLT_RAW, LINKTYPE_RAW }, 922 { DLT_SLIP_BSDOS, LINKTYPE_SLIP_BSDOS }, 923 { DLT_PPP_BSDOS, LINKTYPE_PPP_BSDOS }, 924 925 /* BSD/OS Cisco HDLC */ 926 { DLT_C_HDLC, LINKTYPE_C_HDLC }, 927 928 /* 929 * These DLT_* codes are not on all platforms, but, so far, 930 * there don't appear to be any platforms that define 931 * other codes with those values; we map them to 932 * different LINKTYPE_* values anyway, just in case. 933 */ 934 935 /* Linux ATM Classical IP */ 936 { DLT_ATM_CLIP, LINKTYPE_ATM_CLIP }, 937 938 /* NetBSD sync/async serial PPP (or Cisco HDLC) */ 939 { DLT_PPP_SERIAL, LINKTYPE_PPP_HDLC }, 940 941 /* NetBSD PPP over Ethernet */ 942 { DLT_PPP_ETHER, LINKTYPE_PPP_ETHER }, 943 944 /* 945 * All LINKTYPE_ values between LINKTYPE_MATCHING_MIN 946 * and LINKTYPE_MATCHING_MAX are mapped to identical 947 * DLT_ values. 948 */ 949 950 { -1, -1 } 951 }; 952 953 int 954 dlt_to_linktype(int dlt) 955 { 956 int i; 957 958 /* 959 * Map DLT_PFSYNC, whatever it might be, to LINKTYPE_PFSYNC. 960 */ 961 if (dlt == DLT_PFSYNC) 962 return (LINKTYPE_PFSYNC); 963 964 /* 965 * Map the values in the matching range. 966 */ 967 if (dlt >= DLT_MATCHING_MIN && dlt <= DLT_MATCHING_MAX) 968 return (dlt); 969 970 /* 971 * Map the values outside that range. 972 */ 973 for (i = 0; map[i].dlt != -1; i++) { 974 if (map[i].dlt == dlt) 975 return (map[i].linktype); 976 } 977 978 /* 979 * If we don't have a mapping for this DLT_ code, return an 980 * error; that means that this is a value with no corresponding 981 * LINKTYPE_ code, and we need to assign one. 982 */ 983 return (-1); 984 } 985 986 int 987 linktype_to_dlt(int linktype) 988 { 989 int i; 990 991 /* 992 * Map LINKTYPE_PFSYNC to DLT_PFSYNC, whatever it might be. 993 * LINKTYPE_PFSYNC is in the matching range, to make sure 994 * it's as safe from reuse as we can arrange, so we do 995 * this test first. 996 */ 997 if (linktype == LINKTYPE_PFSYNC) 998 return (DLT_PFSYNC); 999 1000 /* 1001 * Map the values in the matching range. 1002 */ 1003 if (linktype >= LINKTYPE_MATCHING_MIN && 1004 linktype <= LINKTYPE_MATCHING_MAX) 1005 return (linktype); 1006 1007 /* 1008 * Map the values outside that range. 1009 */ 1010 for (i = 0; map[i].linktype != -1; i++) { 1011 if (map[i].linktype == linktype) 1012 return (map[i].dlt); 1013 } 1014 1015 /* 1016 * If we don't have an entry for this link type, return 1017 * the link type value; it may be a DLT_ value from an 1018 * older version of libpcap. 1019 */ 1020 return linktype; 1021 } 1022 1023 /* 1024 * The DLT_USB_LINUX and DLT_USB_LINUX_MMAPPED headers are in host 1025 * byte order when capturing (it's supplied directly from a 1026 * memory-mapped buffer shared by the kernel). 1027 * 1028 * When reading a DLT_USB_LINUX or DLT_USB_LINUX_MMAPPED capture file, 1029 * we need to convert it from the capturing host's byte order to 1030 * the reading host's byte order. 1031 */ 1032 void 1033 swap_linux_usb_header(const struct pcap_pkthdr *hdr, u_char *buf, 1034 int header_len_64_bytes) 1035 { 1036 pcap_usb_header_mmapped *uhdr = (pcap_usb_header_mmapped *)buf; 1037 bpf_u_int32 offset = 0; 1038 usb_isodesc *pisodesc; 1039 int32_t numdesc, i; 1040 1041 /* 1042 * "offset" is the offset *past* the field we're swapping; 1043 * we skip the field *before* checking to make sure 1044 * the captured data length includes the entire field. 1045 */ 1046 1047 /* 1048 * The URB id is a totally opaque value; do we really need to 1049 * convert it to the reading host's byte order??? 1050 */ 1051 offset += 8; /* skip past id */ 1052 if (hdr->caplen < offset) 1053 return; 1054 uhdr->id = SWAPLL(uhdr->id); 1055 1056 offset += 4; /* skip past various 1-byte fields */ 1057 1058 offset += 2; /* skip past bus_id */ 1059 if (hdr->caplen < offset) 1060 return; 1061 uhdr->bus_id = SWAPSHORT(uhdr->bus_id); 1062 1063 offset += 2; /* skip past various 1-byte fields */ 1064 1065 offset += 8; /* skip past ts_sec */ 1066 if (hdr->caplen < offset) 1067 return; 1068 uhdr->ts_sec = SWAPLL(uhdr->ts_sec); 1069 1070 offset += 4; /* skip past ts_usec */ 1071 if (hdr->caplen < offset) 1072 return; 1073 uhdr->ts_usec = SWAPLONG(uhdr->ts_usec); 1074 1075 offset += 4; /* skip past status */ 1076 if (hdr->caplen < offset) 1077 return; 1078 uhdr->status = SWAPLONG(uhdr->status); 1079 1080 offset += 4; /* skip past urb_len */ 1081 if (hdr->caplen < offset) 1082 return; 1083 uhdr->urb_len = SWAPLONG(uhdr->urb_len); 1084 1085 offset += 4; /* skip past data_len */ 1086 if (hdr->caplen < offset) 1087 return; 1088 uhdr->data_len = SWAPLONG(uhdr->data_len); 1089 1090 if (uhdr->transfer_type == URB_ISOCHRONOUS) { 1091 offset += 4; /* skip past s.iso.error_count */ 1092 if (hdr->caplen < offset) 1093 return; 1094 uhdr->s.iso.error_count = SWAPLONG(uhdr->s.iso.error_count); 1095 1096 offset += 4; /* skip past s.iso.numdesc */ 1097 if (hdr->caplen < offset) 1098 return; 1099 uhdr->s.iso.numdesc = SWAPLONG(uhdr->s.iso.numdesc); 1100 } else 1101 offset += 8; /* skip USB setup header */ 1102 1103 if (header_len_64_bytes) { 1104 /* 1105 * This is either the "version 1" header, with 1106 * 16 bytes of additional fields at the end, or 1107 * a "version 0" header from a memory-mapped 1108 * capture, with 16 bytes of zeroed-out padding 1109 * at the end. Byte swap them as if this were 1110 * a "version 1" header. 1111 */ 1112 offset += 4; /* skip past interval */ 1113 if (hdr->caplen < offset) 1114 return; 1115 uhdr->interval = SWAPLONG(uhdr->interval); 1116 1117 offset += 4; /* skip past start_frame */ 1118 if (hdr->caplen < offset) 1119 return; 1120 uhdr->start_frame = SWAPLONG(uhdr->start_frame); 1121 1122 offset += 4; /* skip past xfer_flags */ 1123 if (hdr->caplen < offset) 1124 return; 1125 uhdr->xfer_flags = SWAPLONG(uhdr->xfer_flags); 1126 1127 offset += 4; /* skip past ndesc */ 1128 if (hdr->caplen < offset) 1129 return; 1130 uhdr->ndesc = SWAPLONG(uhdr->ndesc); 1131 } 1132 1133 if (uhdr->transfer_type == URB_ISOCHRONOUS) { 1134 /* swap the values in struct linux_usb_isodesc */ 1135 pisodesc = (usb_isodesc *)(void *)(buf+offset); 1136 numdesc = uhdr->s.iso.numdesc; 1137 for (i = 0; i < numdesc; i++) { 1138 offset += 4; /* skip past status */ 1139 if (hdr->caplen < offset) 1140 return; 1141 pisodesc->status = SWAPLONG(pisodesc->status); 1142 1143 offset += 4; /* skip past offset */ 1144 if (hdr->caplen < offset) 1145 return; 1146 pisodesc->offset = SWAPLONG(pisodesc->offset); 1147 1148 offset += 4; /* skip past len */ 1149 if (hdr->caplen < offset) 1150 return; 1151 pisodesc->len = SWAPLONG(pisodesc->len); 1152 1153 offset += 4; /* skip past padding */ 1154 1155 pisodesc++; 1156 } 1157 } 1158 } 1159