1 /*- 2 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997 3 * The Regents of the University of California. All rights reserved. 4 * 5 * This code is derived from the Stanford/CMU enet packet filter, 6 * (net/enet.c) distributed as part of 4.3BSD, and code contributed 7 * to Berkeley by Steven McCanne and Van Jacobson both of Lawrence 8 * Berkeley Laboratory. 9 * 10 * Redistribution and use in source and binary forms, with or without 11 * modification, are permitted provided that the following conditions 12 * are met: 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 3. All advertising materials mentioning features or use of this software 19 * must display the following acknowledgement: 20 * This product includes software developed by the University of 21 * California, Berkeley and its contributors. 22 * 4. Neither the name of the University nor the names of its contributors 23 * may be used to endorse or promote products derived from this software 24 * without specific prior written permission. 25 * 26 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 27 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 28 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 29 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 30 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 31 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 32 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 33 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 34 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 35 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 36 * SUCH DAMAGE. 37 * 38 * @(#)bpf.h 7.1 (Berkeley) 5/7/91 39 * 40 * @(#) $Header: /usr/cvsroot_private/winpcap/packetNtx/driver/win_bpf.h,v 1.2.2.1 2005/12/02 22:12:58 gianlucav Exp $ (LBL) 41 */ 42 43 #ifndef BPF_MAJOR_VERSION 44 45 /* BSD style release date */ 46 #define BPF_RELEASE 199606 47 48 #ifdef WIN_NT_DRIVER 49 #include <ndis.h> 50 #endif 51 52 53 #include "tme.h" 54 #include "time_calls.h" 55 56 typedef UCHAR u_char; 57 typedef USHORT u_short; 58 59 #ifdef WIN_NT_DRIVER 60 typedef ULONG u_int; 61 #endif 62 63 typedef LONG bpf_int32; 64 typedef ULONG bpf_u_int32; 65 typedef ULONG u_int32; 66 67 #define BPF_MAXINSNS 512 68 #define BPF_MAXBUFSIZE 0x8000 69 #define BPF_MINBUFSIZE 32 70 71 /* 72 * The instruction data structure. 73 */ 74 struct bpf_insn { 75 u_short code; 76 u_char jt; 77 u_char jf; 78 bpf_u_int32 k; 79 }; 80 81 /* 82 * Structure for BIOCSETF. 83 */ 84 struct bpf_program { 85 u_int bf_len; 86 struct bpf_insn *bf_insns; 87 }; 88 89 /* 90 * Struct returned by BIOCGSTATS. 91 */ 92 struct bpf_stat { 93 UINT bs_recv; ///< Number of packets that the driver received from the network adapter 94 ///< from the beginning of the current capture. This value includes the packets 95 ///< lost by the driver. 96 UINT bs_drop; ///< number of packets that the driver lost from the beginning of a capture. 97 ///< Basically, a packet is lost when the the buffer of the driver is full. 98 ///< In this situation the packet cannot be stored and the driver rejects it. 99 UINT ps_ifdrop; ///< drops by interface. XXX not yet supported 100 UINT bs_capt; ///< number of packets that pass the filter, find place in the kernel buffer and 101 ///< thus reach the application. 102 }; 103 104 /* 105 * Struct return by BIOCVERSION. This represents the version number of 106 * the filter language described by the instruction encodings below. 107 * bpf understands a program iff kernel_major == filter_major && 108 * kernel_minor >= filter_minor, that is, if the value returned by the 109 * running kernel has the same major number and a minor number equal 110 * equal to or less than the filter being downloaded. Otherwise, the 111 * results are undefined, meaning an error may be returned or packets 112 * may be accepted haphazardly. 113 * It has nothing to do with the source code version. 114 */ 115 struct bpf_version { 116 u_short bv_major; 117 u_short bv_minor; 118 }; 119 /* Current version number of filter architecture. */ 120 #define BPF_MAJOR_VERSION 1 121 #define BPF_MINOR_VERSION 1 122 123 124 /* 125 * Structure prepended to each packet. 126 */ 127 struct bpf_hdr { 128 struct timeval bh_tstamp; /* time stamp */ 129 bpf_u_int32 bh_caplen; /* length of captured portion */ 130 bpf_u_int32 bh_datalen; /* original length of packet */ 131 u_short bh_hdrlen; /* length of bpf header (this struct 132 plus alignment padding) */ 133 }; 134 135 /* 136 * Data-link level type codes. 137 */ 138 139 /* 140 * These are the types that are the same on all platforms; on other 141 * platforms, a <net/bpf.h> should be supplied that defines the additional 142 * DLT_* codes appropriately for that platform (the BSDs, for example, 143 * should not just pick up this version of "bpf.h"; they should also define 144 * the additional DLT_* codes used by their kernels, as well as the values 145 * defined here - and, if the values they use for particular DLT_ types 146 * differ from those here, they should use their values, not the ones 147 * here). 148 */ 149 #define DLT_NULL 0 /* no link-layer encapsulation */ 150 #define DLT_EN10MB 1 /* Ethernet (10Mb) */ 151 #define DLT_EN3MB 2 /* Experimental Ethernet (3Mb) */ 152 #define DLT_AX25 3 /* Amateur Radio AX.25 */ 153 #define DLT_PRONET 4 /* Proteon ProNET Token Ring */ 154 #define DLT_CHAOS 5 /* Chaos */ 155 #define DLT_IEEE802 6 /* IEEE 802 Networks */ 156 #define DLT_ARCNET 7 /* ARCNET */ 157 #define DLT_SLIP 8 /* Serial Line IP */ 158 #define DLT_PPP 9 /* Point-to-point Protocol */ 159 #define DLT_FDDI 10 /* FDDI */ 160 161 /* 162 * These are values from the traditional libpcap "bpf.h". 163 * Ports of this to particular platforms should replace these definitions 164 * with the ones appropriate to that platform, if the values are 165 * different on that platform. 166 */ 167 #define DLT_ATM_RFC1483 11 /* LLC/SNAP encapsulated atm */ 168 #define DLT_RAW 12 /* raw IP */ 169 170 /* 171 * These are values from BSD/OS's "bpf.h". 172 * These are not the same as the values from the traditional libpcap 173 * "bpf.h"; however, these values shouldn't be generated by any 174 * OS other than BSD/OS, so the correct values to use here are the 175 * BSD/OS values. 176 * 177 * Platforms that have already assigned these values to other 178 * DLT_ codes, however, should give these codes the values 179 * from that platform, so that programs that use these codes will 180 * continue to compile - even though they won't correctly read 181 * files of these types. 182 */ 183 #define DLT_SLIP_BSDOS 15 /* BSD/OS Serial Line IP */ 184 #define DLT_PPP_BSDOS 16 /* BSD/OS Point-to-point Protocol */ 185 186 #define DLT_ATM_CLIP 19 /* Linux Classical-IP over ATM */ 187 188 /* 189 * This value is defined by NetBSD; other platforms should refrain from 190 * using it for other purposes, so that NetBSD savefiles with a link 191 * type of 50 can be read as this type on all platforms. 192 */ 193 #define DLT_PPP_SERIAL 50 /* PPP over serial with HDLC encapsulation */ 194 195 /* 196 * This value was defined by libpcap 0.5; platforms that have defined 197 * it with a different value should define it here with that value - 198 * a link type of 104 in a save file will be mapped to DLT_C_HDLC, 199 * whatever value that happens to be, so programs will correctly 200 * handle files with that link type regardless of the value of 201 * DLT_C_HDLC. 202 * 203 * The name DLT_C_HDLC was used by BSD/OS; we use that name for source 204 * compatibility with programs written for BSD/OS. 205 * 206 * libpcap 0.5 defined it as DLT_CHDLC; we define DLT_CHDLC as well, 207 * for source compatibility with programs written for libpcap 0.5. 208 */ 209 #define DLT_C_HDLC 104 /* Cisco HDLC */ 210 #define DLT_CHDLC DLT_C_HDLC 211 212 /* 213 * Reserved for future use. 214 * Do not pick other numerical value for these unless you have also 215 * picked up the tcpdump.org top-of-CVS-tree version of "savefile.c", 216 * which will arrange that capture files for these DLT_ types have 217 * the same "network" value on all platforms, regardless of what 218 * value is chosen for their DLT_ type (thus allowing captures made 219 * on one platform to be read on other platforms, even if the two 220 * platforms don't use the same numerical values for all DLT_ types). 221 */ 222 #define DLT_IEEE802_11 105 /* IEEE 802.11 wireless */ 223 224 /* 225 * Values between 106 and 107 are used in capture file headers as 226 * link-layer types corresponding to DLT_ types that might differ 227 * between platforms; don't use those values for new DLT_ new types. 228 */ 229 230 /* 231 * OpenBSD DLT_LOOP, for loopback devices; it's like DLT_NULL, except 232 * that the AF_ type in the link-layer header is in network byte order. 233 * 234 * OpenBSD defines it as 12, but that collides with DLT_RAW, so we 235 * define it as 108 here. If OpenBSD picks up this file, it should 236 * define DLT_LOOP as 12 in its version, as per the comment above - 237 * and should not use 108 for any purpose. 238 */ 239 #define DLT_LOOP 108 240 241 /* 242 * Values between 109 and 112 are used in capture file headers as 243 * link-layer types corresponding to DLT_ types that might differ 244 * between platforms; don't use those values for new DLT_ new types. 245 */ 246 247 /* 248 * This is for Linux cooked sockets. 249 */ 250 #define DLT_LINUX_SLL 113 251 252 /* 253 * The instruction encodings. 254 */ 255 /* instruction classes */ 256 #define BPF_CLASS(code) ((code) & 0x07) 257 #define BPF_LD 0x00 258 #define BPF_LDX 0x01 259 #define BPF_ST 0x02 260 #define BPF_STX 0x03 261 #define BPF_ALU 0x04 262 #define BPF_JMP 0x05 263 #define BPF_RET 0x06 264 #define BPF_MISC 0x07 265 266 /* ld/ldx fields */ 267 #define BPF_SIZE(code) ((code) & 0x18) 268 #define BPF_W 0x00 269 #define BPF_H 0x08 270 #define BPF_B 0x10 271 #define BPF_MODE(code) ((code) & 0xe0) 272 #define BPF_IMM 0x00 273 #define BPF_ABS 0x20 274 #define BPF_IND 0x40 275 #define BPF_MEM 0x60 276 #define BPF_LEN 0x80 277 #define BPF_MSH 0xa0 278 279 /* alu/jmp fields */ 280 #define BPF_OP(code) ((code) & 0xf0) 281 #define BPF_ADD 0x00 282 #define BPF_SUB 0x10 283 #define BPF_MUL 0x20 284 #define BPF_DIV 0x30 285 #define BPF_OR 0x40 286 #define BPF_AND 0x50 287 #define BPF_LSH 0x60 288 #define BPF_RSH 0x70 289 #define BPF_NEG 0x80 290 #define BPF_JA 0x00 291 #define BPF_JEQ 0x10 292 #define BPF_JGT 0x20 293 #define BPF_JGE 0x30 294 #define BPF_JSET 0x40 295 #define BPF_SRC(code) ((code) & 0x08) 296 #define BPF_K 0x00 297 #define BPF_X 0x08 298 299 /* ret - BPF_K and BPF_X also apply */ 300 #define BPF_RVAL(code) ((code) & 0x18) 301 #define BPF_A 0x10 302 303 /* misc */ 304 #define BPF_MISCOP(code) ((code) & 0xf8) 305 #define BPF_TAX 0x00 306 #define BPF_TXA 0x80 307 308 /* TME instructions */ 309 #define BPF_TME 0x08 310 311 #define BPF_LOOKUP 0x90 312 #define BPF_EXECUTE 0xa0 313 #define BPF_INIT 0xb0 314 #define BPF_VALIDATE 0xc0 315 #define BPF_SET_ACTIVE 0xd0 316 #define BPF_RESET 0xe0 317 #define BPF_SET_MEMORY 0x80 318 #define BPF_GET_REGISTER_VALUE 0x70 319 #define BPF_SET_REGISTER_VALUE 0x60 320 #define BPF_SET_WORKING 0x50 321 #define BPF_SET_ACTIVE_READ 0x40 322 #define BPF_SET_AUTODELETION 0x30 323 #define BPF_SEPARATION 0xff 324 325 #define BPF_MEM_EX_IMM 0xc0 326 #define BPF_MEM_EX_IND 0xe0 327 /*used for ST */ 328 #define BPF_MEM_EX 0xc0 329 330 331 /* 332 * Macros for insn array initializers. 333 */ 334 #define BPF_STMT(code, k) { (u_short)(code), 0, 0, k } 335 #define BPF_JUMP(code, k, jt, jf) { (u_short)(code), jt, jf, k } 336 337 /* 338 * Number of scratch memory words (for BPF_LD|BPF_MEM and BPF_ST). 339 */ 340 #define BPF_MEMWORDS 16 341 342 #ifdef __cplusplus 343 extern "C" 344 { 345 #endif 346 347 /*! 348 \brief Validates a filtering program arriving from the user-level app. 349 \param f The filter. 350 \param len Its length, in pseudo instructions. 351 \param mem_ex_size The length of the extended memory, used to validate LD/ST to that memory 352 \return true if f is a valid filter program.. 353 354 The kernel needs to be able to verify an application's filter code. Otherwise, a bogus program could easily 355 crash the system. 356 This function returns true if f is a valid filter program. The constraints are that each jump be forward and 357 to a valid code. The code must terminate with either an accept or reject. 358 */ 359 int32 bpf_validate(struct bpf_insn *f,int32 len, uint32 mem_ex_size); 360 361 /*! 362 \brief The filtering pseudo-machine interpreter. 363 \param pc The filter. 364 \param p Pointer to a memory buffer containing the packet on which the filter will be executed. 365 \param wirelen Original length of the packet. 366 \param buflen Current length of the packet. In some cases (for example when the transfer of the packet to the RAM 367 has not yet finished), bpf_filter can be executed on a portion of the packet. 368 \param mem_ex The extended memory. 369 \param tme The virtualization of the TME co-processor 370 \param time_ref Data structure needed by the TME co-processor to timestamp data 371 \return The portion of the packet to keep, in bytes. 0 means that the packet must be rejected, -1 means that 372 the whole packet must be kept. 373 374 \note this function is not used in normal situations, because the jitter creates a native filtering function 375 that is faster than the interpreter. 376 */ 377 u_int bpf_filter(register struct bpf_insn *pc, 378 register UCHAR *p, 379 u_int wirelen, 380 register u_int buflen , 381 PMEM_TYPE mem_ex, 382 PTME_CORE tme , 383 struct time_conv *time_ref); 384 385 /*! 386 \brief The filtering pseudo-machine interpreter with two buffers. This function is slower than bpf_filter(), 387 but works correctly also if the MAC header and the data of the packet are in two different buffers. 388 \param pc The filter. 389 \param p Pointer to a memory buffer containing the MAC header of the packet. 390 \param pd Pointer to a memory buffer containing the data of the packet. 391 \param wirelen Original length of the packet. 392 \param buflen Current length of the packet. In some cases (for example when the transfer of the packet to the RAM 393 has not yet finished), bpf_filter can be executed on a portion of the packet. 394 \param mem_ex The extended memory. 395 \param tme The virtualization of the TME co-processor 396 \param time_ref Data structure needed by the TME co-processor to timestamp data 397 \return The portion of the packet to keep, in bytes. 0 means that the packet must be rejected, -1 means that 398 the whole packet must be kept. 399 400 This function is used when NDIS passes the packet to NPF_tap() in two buffers instead than in a single one. 401 */ 402 u_int bpf_filter_with_2_buffers(register struct bpf_insn *pc, 403 register u_char *p, 404 register u_char *pd, 405 register int headersize, 406 u_int wirelen, 407 register u_int buflen, 408 PMEM_TYPE mem_ex, 409 PTME_CORE tme, 410 struct time_conv *time_ref); 411 412 #ifdef __cplusplus 413 } 414 #endif 415 416 417 #endif 418