1146277Sdarrenr/* $FreeBSD$ */ 2146277Sdarrenr 3146277Sdarrenr/*- 4146277Sdarrenr * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997 5146277Sdarrenr * The Regents of the University of California. All rights reserved. 6146277Sdarrenr * 7146277Sdarrenr * This code is derived from the Stanford/CMU enet packet filter, 8146277Sdarrenr * (net/enet.c) distributed as part of 4.3BSD, and code contributed 9146277Sdarrenr * to Berkeley by Steven McCanne and Van Jacobson both of Lawrence 10146277Sdarrenr * Berkeley Laboratory. 11146277Sdarrenr * 12146277Sdarrenr * Redistribution and use in source and binary forms, with or without 13146277Sdarrenr * modification, are permitted provided that the following conditions 14146277Sdarrenr * are met: 15146277Sdarrenr * 1. Redistributions of source code must retain the above copyright 16146277Sdarrenr * notice, this list of conditions and the following disclaimer. 17146277Sdarrenr * 2. Redistributions in binary form must reproduce the above copyright 18146277Sdarrenr * notice, this list of conditions and the following disclaimer in the 19146277Sdarrenr * documentation and/or other materials provided with the distribution. 20146277Sdarrenr * 3. All advertising materials mentioning features or use of this software 21146277Sdarrenr * must display the following acknowledgement: 22146277Sdarrenr * This product includes software developed by the University of 23146277Sdarrenr * California, Berkeley and its contributors. 24146277Sdarrenr * 4. Neither the name of the University nor the names of its contributors 25146277Sdarrenr * may be used to endorse or promote products derived from this software 26146277Sdarrenr * without specific prior written permission. 27146277Sdarrenr * 28146277Sdarrenr * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 29146277Sdarrenr * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 30146277Sdarrenr * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 31146277Sdarrenr * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 32146277Sdarrenr * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 33146277Sdarrenr * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 34146277Sdarrenr * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 35146277Sdarrenr * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 36146277Sdarrenr * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 37146277Sdarrenr * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 38146277Sdarrenr * SUCH DAMAGE. 39146277Sdarrenr * 40146277Sdarrenr * @(#)bpf.h 7.1 (Berkeley) 5/7/91 41146277Sdarrenr * 42146277Sdarrenr * @(#) $Header: /tcpdump/master/libpcap/pcap-bpf.h,v 1.37 2005/05/01 19:46:27 guy Exp $ (LBL) 43146277Sdarrenr */ 44146277Sdarrenr 45146277Sdarrenr/* 46146277Sdarrenr * This is libpcap's cut-down version of bpf.h; it includes only 47146277Sdarrenr * the stuff needed for the code generator and the userland BPF 48146277Sdarrenr * interpreter, and the libpcap APIs for setting filters, etc.. 49146277Sdarrenr * 50146277Sdarrenr * "pcap-bpf.c" will include the native OS version, as it deals with 51146277Sdarrenr * the OS's BPF implementation. 52146277Sdarrenr * 53146277Sdarrenr * XXX - should this all just be moved to "pcap.h"? 54146277Sdarrenr */ 55146277Sdarrenr 56146277Sdarrenr#ifndef BPF_MAJOR_VERSION 57146277Sdarrenr 58146277Sdarrenr#ifdef __cplusplus 59146277Sdarrenrextern "C" { 60146277Sdarrenr#endif 61146277Sdarrenr 62146277Sdarrenr/* BSD style release date */ 63146277Sdarrenr#define BPF_RELEASE 199606 64146277Sdarrenr 65146277Sdarrenr#ifdef MSDOS /* must be 32-bit */ 66146277Sdarrenrtypedef long bpf_int32; 67146277Sdarrenrtypedef unsigned long bpf_u_int32; 68146277Sdarrenr#else 69146277Sdarrenrtypedef int bpf_int32; 70146277Sdarrenrtypedef u_int bpf_u_int32; 71146277Sdarrenr#endif 72146277Sdarrenr 73146277Sdarrenr/* 74146277Sdarrenr * Alignment macros. BPF_WORDALIGN rounds up to the next 75146277Sdarrenr * even multiple of BPF_ALIGNMENT. 76146277Sdarrenr */ 77146277Sdarrenr#ifndef __NetBSD__ 78146277Sdarrenr#define BPF_ALIGNMENT sizeof(bpf_int32) 79146277Sdarrenr#else 80146277Sdarrenr#define BPF_ALIGNMENT sizeof(long) 81146277Sdarrenr#endif 82146277Sdarrenr#define BPF_WORDALIGN(x) (((x)+(BPF_ALIGNMENT-1))&~(BPF_ALIGNMENT-1)) 83146277Sdarrenr 84146277Sdarrenr#define BPF_MAXINSNS 512 85146277Sdarrenr#define BPF_MAXBUFSIZE 0x8000 86146277Sdarrenr#define BPF_MINBUFSIZE 32 87146277Sdarrenr 88146277Sdarrenr/* 89146277Sdarrenr * Structure for "pcap_compile()", "pcap_setfilter()", etc.. 90146277Sdarrenr */ 91146277Sdarrenrstruct bpf_program { 92146277Sdarrenr u_int bf_len; 93146277Sdarrenr struct bpf_insn *bf_insns; 94146277Sdarrenr}; 95146277Sdarrenr 96146277Sdarrenr/* 97146277Sdarrenr * Struct return by BIOCVERSION. This represents the version number of 98146277Sdarrenr * the filter language described by the instruction encodings below. 99146277Sdarrenr * bpf understands a program iff kernel_major == filter_major && 100146277Sdarrenr * kernel_minor >= filter_minor, that is, if the value returned by the 101146277Sdarrenr * running kernel has the same major number and a minor number equal 102146277Sdarrenr * equal to or less than the filter being downloaded. Otherwise, the 103146277Sdarrenr * results are undefined, meaning an error may be returned or packets 104146277Sdarrenr * may be accepted haphazardly. 105146277Sdarrenr * It has nothing to do with the source code version. 106146277Sdarrenr */ 107146277Sdarrenrstruct bpf_version { 108146277Sdarrenr u_short bv_major; 109146277Sdarrenr u_short bv_minor; 110146277Sdarrenr}; 111146277Sdarrenr/* Current version number of filter architecture. */ 112146277Sdarrenr#define BPF_MAJOR_VERSION 1 113146277Sdarrenr#define BPF_MINOR_VERSION 1 114146277Sdarrenr 115146277Sdarrenr/* 116146277Sdarrenr * Data-link level type codes. 117146277Sdarrenr * 118146277Sdarrenr * Do *NOT* add new values to this list without asking 119146277Sdarrenr * "tcpdump-workers@tcpdump.org" for a value. Otherwise, you run the 120146277Sdarrenr * risk of using a value that's already being used for some other purpose, 121146277Sdarrenr * and of having tools that read libpcap-format captures not being able 122146277Sdarrenr * to handle captures with your new DLT_ value, with no hope that they 123146277Sdarrenr * will ever be changed to do so (as that would destroy their ability 124146277Sdarrenr * to read captures using that value for that other purpose). 125146277Sdarrenr */ 126146277Sdarrenr 127146277Sdarrenr/* 128146277Sdarrenr * These are the types that are the same on all platforms, and that 129146277Sdarrenr * have been defined by <net/bpf.h> for ages. 130146277Sdarrenr */ 131146277Sdarrenr#define DLT_NULL 0 /* BSD loopback encapsulation */ 132146277Sdarrenr#define DLT_EN10MB 1 /* Ethernet (10Mb) */ 133146277Sdarrenr#define DLT_EN3MB 2 /* Experimental Ethernet (3Mb) */ 134146277Sdarrenr#define DLT_AX25 3 /* Amateur Radio AX.25 */ 135146277Sdarrenr#define DLT_PRONET 4 /* Proteon ProNET Token Ring */ 136146277Sdarrenr#define DLT_CHAOS 5 /* Chaos */ 137146277Sdarrenr#define DLT_IEEE802 6 /* IEEE 802 Networks */ 138146277Sdarrenr#define DLT_ARCNET 7 /* ARCNET, with BSD-style header */ 139146277Sdarrenr#define DLT_SLIP 8 /* Serial Line IP */ 140146277Sdarrenr#define DLT_PPP 9 /* Point-to-point Protocol */ 141146277Sdarrenr#define DLT_FDDI 10 /* FDDI */ 142146277Sdarrenr 143146277Sdarrenr/* 144146277Sdarrenr * These are types that are different on some platforms, and that 145146277Sdarrenr * have been defined by <net/bpf.h> for ages. We use #ifdefs to 146146277Sdarrenr * detect the BSDs that define them differently from the traditional 147146277Sdarrenr * libpcap <net/bpf.h> 148146277Sdarrenr * 149146277Sdarrenr * XXX - DLT_ATM_RFC1483 is 13 in BSD/OS, and DLT_RAW is 14 in BSD/OS, 150146277Sdarrenr * but I don't know what the right #define is for BSD/OS. 151146277Sdarrenr */ 152146277Sdarrenr#define DLT_ATM_RFC1483 11 /* LLC/SNAP encapsulated atm */ 153146277Sdarrenr 154146277Sdarrenr#ifdef __OpenBSD__ 155146277Sdarrenr#define DLT_RAW 14 /* raw IP */ 156146277Sdarrenr#else 157146277Sdarrenr#define DLT_RAW 12 /* raw IP */ 158146277Sdarrenr#endif 159146277Sdarrenr 160146277Sdarrenr/* 161146277Sdarrenr * Given that the only OS that currently generates BSD/OS SLIP or PPP 162146277Sdarrenr * is, well, BSD/OS, arguably everybody should have chosen its values 163146277Sdarrenr * for DLT_SLIP_BSDOS and DLT_PPP_BSDOS, which are 15 and 16, but they 164146277Sdarrenr * didn't. So it goes. 165146277Sdarrenr */ 166146277Sdarrenr#if defined(__NetBSD__) || defined(__FreeBSD__) 167146277Sdarrenr#ifndef DLT_SLIP_BSDOS 168146277Sdarrenr#define DLT_SLIP_BSDOS 13 /* BSD/OS Serial Line IP */ 169146277Sdarrenr#define DLT_PPP_BSDOS 14 /* BSD/OS Point-to-point Protocol */ 170146277Sdarrenr#endif 171146277Sdarrenr#else 172146277Sdarrenr#define DLT_SLIP_BSDOS 15 /* BSD/OS Serial Line IP */ 173146277Sdarrenr#define DLT_PPP_BSDOS 16 /* BSD/OS Point-to-point Protocol */ 174146277Sdarrenr#endif 175146277Sdarrenr 176146277Sdarrenr/* 177146277Sdarrenr * 17 is used for DLT_OLD_PFLOG in OpenBSD; 178146277Sdarrenr * OBSOLETE: DLT_PFLOG is 117 in OpenBSD now as well. See below. 179146277Sdarrenr * 18 is used for DLT_PFSYNC in OpenBSD; don't use it for anything else. 180146277Sdarrenr */ 181146277Sdarrenr 182146277Sdarrenr#define DLT_ATM_CLIP 19 /* Linux Classical-IP over ATM */ 183146277Sdarrenr 184146277Sdarrenr/* 185146277Sdarrenr * Apparently Redback uses this for its SmartEdge 400/800. I hope 186146277Sdarrenr * nobody else decided to use it, too. 187146277Sdarrenr */ 188146277Sdarrenr#define DLT_REDBACK_SMARTEDGE 32 189146277Sdarrenr 190146277Sdarrenr/* 191146277Sdarrenr * These values are defined by NetBSD; other platforms should refrain from 192146277Sdarrenr * using them for other purposes, so that NetBSD savefiles with link 193146277Sdarrenr * types of 50 or 51 can be read as this type on all platforms. 194146277Sdarrenr */ 195146277Sdarrenr#define DLT_PPP_SERIAL 50 /* PPP over serial with HDLC encapsulation */ 196146277Sdarrenr#define DLT_PPP_ETHER 51 /* PPP over Ethernet */ 197146277Sdarrenr 198146277Sdarrenr/* 199146277Sdarrenr * The Axent Raptor firewall - now the Symantec Enterprise Firewall - uses 200146277Sdarrenr * a link-layer type of 99 for the tcpdump it supplies. The link-layer 201146277Sdarrenr * header has 6 bytes of unknown data, something that appears to be an 202146277Sdarrenr * Ethernet type, and 36 bytes that appear to be 0 in at least one capture 203146277Sdarrenr * I've seen. 204146277Sdarrenr */ 205146277Sdarrenr#define DLT_SYMANTEC_FIREWALL 99 206146277Sdarrenr 207146277Sdarrenr/* 208146277Sdarrenr * Values between 100 and 103 are used in capture file headers as 209146277Sdarrenr * link-layer types corresponding to DLT_ types that differ 210146277Sdarrenr * between platforms; don't use those values for new DLT_ new types. 211146277Sdarrenr */ 212146277Sdarrenr 213146277Sdarrenr/* 214146277Sdarrenr * This value was defined by libpcap 0.5; platforms that have defined 215146277Sdarrenr * it with a different value should define it here with that value - 216146277Sdarrenr * a link type of 104 in a save file will be mapped to DLT_C_HDLC, 217146277Sdarrenr * whatever value that happens to be, so programs will correctly 218146277Sdarrenr * handle files with that link type regardless of the value of 219146277Sdarrenr * DLT_C_HDLC. 220146277Sdarrenr * 221146277Sdarrenr * The name DLT_C_HDLC was used by BSD/OS; we use that name for source 222146277Sdarrenr * compatibility with programs written for BSD/OS. 223146277Sdarrenr * 224146277Sdarrenr * libpcap 0.5 defined it as DLT_CHDLC; we define DLT_CHDLC as well, 225146277Sdarrenr * for source compatibility with programs written for libpcap 0.5. 226146277Sdarrenr */ 227146277Sdarrenr#define DLT_C_HDLC 104 /* Cisco HDLC */ 228146277Sdarrenr#define DLT_CHDLC DLT_C_HDLC 229146277Sdarrenr 230146277Sdarrenr#define DLT_IEEE802_11 105 /* IEEE 802.11 wireless */ 231146277Sdarrenr 232146277Sdarrenr/* 233146277Sdarrenr * 106 is reserved for Linux Classical IP over ATM; it's like DLT_RAW, 234146277Sdarrenr * except when it isn't. (I.e., sometimes it's just raw IP, and 235146277Sdarrenr * sometimes it isn't.) We currently handle it as DLT_LINUX_SLL, 236146277Sdarrenr * so that we don't have to worry about the link-layer header.) 237146277Sdarrenr */ 238146277Sdarrenr 239146277Sdarrenr/* 240146277Sdarrenr * Frame Relay; BSD/OS has a DLT_FR with a value of 11, but that collides 241146277Sdarrenr * with other values. 242146277Sdarrenr * DLT_FR and DLT_FRELAY packets start with the Q.922 Frame Relay header 243146277Sdarrenr * (DLCI, etc.). 244146277Sdarrenr */ 245146277Sdarrenr#define DLT_FRELAY 107 246146277Sdarrenr 247146277Sdarrenr/* 248146277Sdarrenr * OpenBSD DLT_LOOP, for loopback devices; it's like DLT_NULL, except 249146277Sdarrenr * that the AF_ type in the link-layer header is in network byte order. 250146277Sdarrenr * 251146277Sdarrenr * OpenBSD defines it as 12, but that collides with DLT_RAW, so we 252146277Sdarrenr * define it as 108 here. If OpenBSD picks up this file, it should 253146277Sdarrenr * define DLT_LOOP as 12 in its version, as per the comment above - 254146277Sdarrenr * and should not use 108 as a DLT_ value. 255146277Sdarrenr */ 256146277Sdarrenr#define DLT_LOOP 108 257146277Sdarrenr 258146277Sdarrenr/* 259146277Sdarrenr * Encapsulated packets for IPsec; DLT_ENC is 13 in OpenBSD, but that's 260146277Sdarrenr * DLT_SLIP_BSDOS in NetBSD, so we don't use 13 for it in OSes other 261146277Sdarrenr * than OpenBSD. 262146277Sdarrenr */ 263146277Sdarrenr#ifdef __OpenBSD__ 264146277Sdarrenr#define DLT_ENC 13 265146277Sdarrenr#else 266146277Sdarrenr#define DLT_ENC 109 267146277Sdarrenr#endif 268146277Sdarrenr 269146277Sdarrenr/* 270146277Sdarrenr * Values between 110 and 112 are reserved for use in capture file headers 271146277Sdarrenr * as link-layer types corresponding to DLT_ types that might differ 272146277Sdarrenr * between platforms; don't use those values for new DLT_ types 273146277Sdarrenr * other than the corresponding DLT_ types. 274146277Sdarrenr */ 275146277Sdarrenr 276146277Sdarrenr/* 277146277Sdarrenr * This is for Linux cooked sockets. 278146277Sdarrenr */ 279146277Sdarrenr#define DLT_LINUX_SLL 113 280146277Sdarrenr 281146277Sdarrenr/* 282146277Sdarrenr * Apple LocalTalk hardware. 283146277Sdarrenr */ 284146277Sdarrenr#define DLT_LTALK 114 285146277Sdarrenr 286146277Sdarrenr/* 287146277Sdarrenr * Acorn Econet. 288146277Sdarrenr */ 289146277Sdarrenr#define DLT_ECONET 115 290146277Sdarrenr 291146277Sdarrenr/* 292146277Sdarrenr * Reserved for use with OpenBSD ipfilter. 293146277Sdarrenr */ 294146277Sdarrenr#define DLT_IPFILTER 116 295146277Sdarrenr 296146277Sdarrenr/* 297146277Sdarrenr * OpenBSD DLT_PFLOG; DLT_PFLOG is 17 in OpenBSD, but that's DLT_LANE8023 298146277Sdarrenr * in SuSE 6.3, so we can't use 17 for it in capture-file headers. 299146277Sdarrenr * 300146277Sdarrenr * XXX: is there a conflict with DLT_PFSYNC 18 as well? 301146277Sdarrenr */ 302146277Sdarrenr#ifdef __OpenBSD__ 303146277Sdarrenr#define DLT_OLD_PFLOG 17 304146277Sdarrenr#define DLT_PFSYNC 18 305146277Sdarrenr#endif 306146277Sdarrenr#define DLT_PFLOG 117 307146277Sdarrenr 308146277Sdarrenr/* 309146277Sdarrenr * Registered for Cisco-internal use. 310146277Sdarrenr */ 311146277Sdarrenr#define DLT_CISCO_IOS 118 312146277Sdarrenr 313146277Sdarrenr/* 314146277Sdarrenr * For 802.11 cards using the Prism II chips, with a link-layer 315146277Sdarrenr * header including Prism monitor mode information plus an 802.11 316146277Sdarrenr * header. 317146277Sdarrenr */ 318146277Sdarrenr#define DLT_PRISM_HEADER 119 319146277Sdarrenr 320146277Sdarrenr/* 321146277Sdarrenr * Reserved for Aironet 802.11 cards, with an Aironet link-layer header 322146277Sdarrenr * (see Doug Ambrisko's FreeBSD patches). 323146277Sdarrenr */ 324146277Sdarrenr#define DLT_AIRONET_HEADER 120 325146277Sdarrenr 326146277Sdarrenr/* 327146277Sdarrenr * Reserved for Siemens HiPath HDLC. 328146277Sdarrenr */ 329146277Sdarrenr#define DLT_HHDLC 121 330146277Sdarrenr 331146277Sdarrenr/* 332146277Sdarrenr * This is for RFC 2625 IP-over-Fibre Channel. 333146277Sdarrenr * 334146277Sdarrenr * This is not for use with raw Fibre Channel, where the link-layer 335146277Sdarrenr * header starts with a Fibre Channel frame header; it's for IP-over-FC, 336146277Sdarrenr * where the link-layer header starts with an RFC 2625 Network_Header 337146277Sdarrenr * field. 338146277Sdarrenr */ 339146277Sdarrenr#define DLT_IP_OVER_FC 122 340146277Sdarrenr 341146277Sdarrenr/* 342146277Sdarrenr * This is for Full Frontal ATM on Solaris with SunATM, with a 343146277Sdarrenr * pseudo-header followed by an AALn PDU. 344146277Sdarrenr * 345146277Sdarrenr * There may be other forms of Full Frontal ATM on other OSes, 346146277Sdarrenr * with different pseudo-headers. 347146277Sdarrenr * 348146277Sdarrenr * If ATM software returns a pseudo-header with VPI/VCI information 349146277Sdarrenr * (and, ideally, packet type information, e.g. signalling, ILMI, 350146277Sdarrenr * LANE, LLC-multiplexed traffic, etc.), it should not use 351146277Sdarrenr * DLT_ATM_RFC1483, but should get a new DLT_ value, so tcpdump 352146277Sdarrenr * and the like don't have to infer the presence or absence of a 353146277Sdarrenr * pseudo-header and the form of the pseudo-header. 354146277Sdarrenr */ 355146277Sdarrenr#define DLT_SUNATM 123 /* Solaris+SunATM */ 356146277Sdarrenr 357146277Sdarrenr/* 358146277Sdarrenr * Reserved as per request from Kent Dahlgren <kent@praesum.com> 359146277Sdarrenr * for private use. 360146277Sdarrenr */ 361146277Sdarrenr#define DLT_RIO 124 /* RapidIO */ 362146277Sdarrenr#define DLT_PCI_EXP 125 /* PCI Express */ 363146277Sdarrenr#define DLT_AURORA 126 /* Xilinx Aurora link layer */ 364146277Sdarrenr 365146277Sdarrenr/* 366146277Sdarrenr * Header for 802.11 plus a number of bits of link-layer information 367146277Sdarrenr * including radio information, used by some recent BSD drivers as 368146277Sdarrenr * well as the madwifi Atheros driver for Linux. 369146277Sdarrenr */ 370146277Sdarrenr#define DLT_IEEE802_11_RADIO 127 /* 802.11 plus radiotap radio header */ 371146277Sdarrenr 372146277Sdarrenr/* 373146277Sdarrenr * Reserved for the TZSP encapsulation, as per request from 374146277Sdarrenr * Chris Waters <chris.waters@networkchemistry.com> 375146277Sdarrenr * TZSP is a generic encapsulation for any other link type, 376146277Sdarrenr * which includes a means to include meta-information 377146277Sdarrenr * with the packet, e.g. signal strength and channel 378146277Sdarrenr * for 802.11 packets. 379146277Sdarrenr */ 380146277Sdarrenr#define DLT_TZSP 128 /* Tazmen Sniffer Protocol */ 381146277Sdarrenr 382146277Sdarrenr/* 383146277Sdarrenr * BSD's ARCNET headers have the source host, destination host, 384146277Sdarrenr * and type at the beginning of the packet; that's what's handed 385146277Sdarrenr * up to userland via BPF. 386146277Sdarrenr * 387146277Sdarrenr * Linux's ARCNET headers, however, have a 2-byte offset field 388146277Sdarrenr * between the host IDs and the type; that's what's handed up 389146277Sdarrenr * to userland via PF_PACKET sockets. 390146277Sdarrenr * 391146277Sdarrenr * We therefore have to have separate DLT_ values for them. 392146277Sdarrenr */ 393146277Sdarrenr#define DLT_ARCNET_LINUX 129 /* ARCNET */ 394146277Sdarrenr 395146277Sdarrenr/* 396146277Sdarrenr * Juniper-private data link types, as per request from 397146277Sdarrenr * Hannes Gredler <hannes@juniper.net>. The DLT_s are used 398146277Sdarrenr * for passing on chassis-internal metainformation such as 399146277Sdarrenr * QOS profiles, etc.. 400146277Sdarrenr */ 401146277Sdarrenr#define DLT_JUNIPER_MLPPP 130 402146277Sdarrenr#define DLT_JUNIPER_MLFR 131 403146277Sdarrenr#define DLT_JUNIPER_ES 132 404146277Sdarrenr#define DLT_JUNIPER_GGSN 133 405146277Sdarrenr#define DLT_JUNIPER_MFR 134 406146277Sdarrenr#define DLT_JUNIPER_ATM2 135 407146277Sdarrenr#define DLT_JUNIPER_SERVICES 136 408146277Sdarrenr#define DLT_JUNIPER_ATM1 137 409146277Sdarrenr 410146277Sdarrenr/* 411146277Sdarrenr * Apple IP-over-IEEE 1394, as per a request from Dieter Siegmund 412146277Sdarrenr * <dieter@apple.com>. The header that's presented is an Ethernet-like 413146277Sdarrenr * header: 414146277Sdarrenr * 415146277Sdarrenr * #define FIREWIRE_EUI64_LEN 8 416146277Sdarrenr * struct firewire_header { 417146277Sdarrenr * u_char firewire_dhost[FIREWIRE_EUI64_LEN]; 418146277Sdarrenr * u_char firewire_shost[FIREWIRE_EUI64_LEN]; 419146277Sdarrenr * u_short firewire_type; 420146277Sdarrenr * }; 421146277Sdarrenr * 422146277Sdarrenr * with "firewire_type" being an Ethernet type value, rather than, 423146277Sdarrenr * for example, raw GASP frames being handed up. 424146277Sdarrenr */ 425146277Sdarrenr#define DLT_APPLE_IP_OVER_IEEE1394 138 426146277Sdarrenr 427146277Sdarrenr/* 428146277Sdarrenr * Various SS7 encapsulations, as per a request from Jeff Morriss 429146277Sdarrenr * <jeff.morriss[AT]ulticom.com> and subsequent discussions. 430146277Sdarrenr */ 431146277Sdarrenr#define DLT_MTP2_WITH_PHDR 139 /* pseudo-header with various info, followed by MTP2 */ 432146277Sdarrenr#define DLT_MTP2 140 /* MTP2, without pseudo-header */ 433146277Sdarrenr#define DLT_MTP3 141 /* MTP3, without pseudo-header or MTP2 */ 434146277Sdarrenr#define DLT_SCCP 142 /* SCCP, without pseudo-header or MTP2 or MTP3 */ 435146277Sdarrenr 436146277Sdarrenr/* 437146277Sdarrenr * DOCSIS MAC frames. 438146277Sdarrenr */ 439146277Sdarrenr#define DLT_DOCSIS 143 440146277Sdarrenr 441146277Sdarrenr/* 442146277Sdarrenr * Linux-IrDA packets. Protocol defined at http://www.irda.org. 443146277Sdarrenr * Those packets include IrLAP headers and above (IrLMP...), but 444146277Sdarrenr * don't include Phy framing (SOF/EOF/CRC & byte stuffing), because Phy 445146277Sdarrenr * framing can be handled by the hardware and depend on the bitrate. 446146277Sdarrenr * This is exactly the format you would get capturing on a Linux-IrDA 447146277Sdarrenr * interface (irdaX), but not on a raw serial port. 448146277Sdarrenr * Note the capture is done in "Linux-cooked" mode, so each packet include 449146277Sdarrenr * a fake packet header (struct sll_header). This is because IrDA packet 450146277Sdarrenr * decoding is dependant on the direction of the packet (incomming or 451146277Sdarrenr * outgoing). 452146277Sdarrenr * When/if other platform implement IrDA capture, we may revisit the 453146277Sdarrenr * issue and define a real DLT_IRDA... 454146277Sdarrenr * Jean II 455146277Sdarrenr */ 456146277Sdarrenr#define DLT_LINUX_IRDA 144 457146277Sdarrenr 458146277Sdarrenr/* 459146277Sdarrenr * Reserved for IBM SP switch and IBM Next Federation switch. 460146277Sdarrenr */ 461146277Sdarrenr#define DLT_IBM_SP 145 462146277Sdarrenr#define DLT_IBM_SN 146 463146277Sdarrenr 464146277Sdarrenr/* 465146277Sdarrenr * Reserved for private use. If you have some link-layer header type 466146277Sdarrenr * that you want to use within your organization, with the capture files 467146277Sdarrenr * using that link-layer header type not ever be sent outside your 468146277Sdarrenr * organization, you can use these values. 469146277Sdarrenr * 470146277Sdarrenr * No libpcap release will use these for any purpose, nor will any 471146277Sdarrenr * tcpdump release use them, either. 472146277Sdarrenr * 473146277Sdarrenr * Do *NOT* use these in capture files that you expect anybody not using 474146277Sdarrenr * your private versions of capture-file-reading tools to read; in 475146277Sdarrenr * particular, do *NOT* use them in products, otherwise you may find that 476146277Sdarrenr * people won't be able to use tcpdump, or snort, or Ethereal, or... to 477146277Sdarrenr * read capture files from your firewall/intrusion detection/traffic 478146277Sdarrenr * monitoring/etc. appliance, or whatever product uses that DLT_ value, 479146277Sdarrenr * and you may also find that the developers of those applications will 480146277Sdarrenr * not accept patches to let them read those files. 481146277Sdarrenr * 482146277Sdarrenr * Also, do not use them if somebody might send you a capture using them 483146277Sdarrenr * for *their* private type and tools using them for *your* private type 484146277Sdarrenr * would have to read them. 485146277Sdarrenr * 486146277Sdarrenr * Instead, ask "tcpdump-workers@tcpdump.org" for a new DLT_ value, 487146277Sdarrenr * as per the comment above, and use the type you're given. 488146277Sdarrenr */ 489146277Sdarrenr#define DLT_USER0 147 490146277Sdarrenr#define DLT_USER1 148 491146277Sdarrenr#define DLT_USER2 149 492146277Sdarrenr#define DLT_USER3 150 493146277Sdarrenr#define DLT_USER4 151 494146277Sdarrenr#define DLT_USER5 152 495146277Sdarrenr#define DLT_USER6 153 496146277Sdarrenr#define DLT_USER7 154 497146277Sdarrenr#define DLT_USER8 155 498146277Sdarrenr#define DLT_USER9 156 499146277Sdarrenr#define DLT_USER10 157 500146277Sdarrenr#define DLT_USER11 158 501146277Sdarrenr#define DLT_USER12 159 502146277Sdarrenr#define DLT_USER13 160 503146277Sdarrenr#define DLT_USER14 161 504146277Sdarrenr#define DLT_USER15 162 505146277Sdarrenr 506146277Sdarrenr/* 507146277Sdarrenr * For future use with 802.11 captures - defined by AbsoluteValue 508146277Sdarrenr * Systems to store a number of bits of link-layer information 509146277Sdarrenr * including radio information: 510146277Sdarrenr * 511146277Sdarrenr * http://www.shaftnet.org/~pizza/software/capturefrm.txt 512146277Sdarrenr * 513146277Sdarrenr * but it might be used by some non-AVS drivers now or in the 514146277Sdarrenr * future. 515146277Sdarrenr */ 516146277Sdarrenr#define DLT_IEEE802_11_RADIO_AVS 163 /* 802.11 plus AVS radio header */ 517146277Sdarrenr 518146277Sdarrenr/* 519146277Sdarrenr * Juniper-private data link type, as per request from 520146277Sdarrenr * Hannes Gredler <hannes@juniper.net>. The DLT_s are used 521146277Sdarrenr * for passing on chassis-internal metainformation such as 522146277Sdarrenr * QOS profiles, etc.. 523146277Sdarrenr */ 524146277Sdarrenr#define DLT_JUNIPER_MONITOR 164 525146277Sdarrenr 526146277Sdarrenr/* 527146277Sdarrenr * Reserved for BACnet MS/TP. 528146277Sdarrenr */ 529146277Sdarrenr#define DLT_BACNET_MS_TP 165 530146277Sdarrenr 531146277Sdarrenr/* 532146277Sdarrenr * Another PPP variant as per request from Karsten Keil <kkeil@suse.de>. 533146277Sdarrenr * 534146277Sdarrenr * This is used in some OSes to allow a kernel socket filter to distinguish 535146277Sdarrenr * between incoming and outgoing packets, on a socket intended to 536146277Sdarrenr * supply pppd with outgoing packets so it can do dial-on-demand and 537146277Sdarrenr * hangup-on-lack-of-demand; incoming packets are filtered out so they 538146277Sdarrenr * don't cause pppd to hold the connection up (you don't want random 539146277Sdarrenr * input packets such as port scans, packets from old lost connections, 540146277Sdarrenr * etc. to force the connection to stay up). 541146277Sdarrenr * 542146277Sdarrenr * The first byte of the PPP header (0xff03) is modified to accomodate 543146277Sdarrenr * the direction - 0x00 = IN, 0x01 = OUT. 544146277Sdarrenr */ 545146277Sdarrenr#define DLT_PPP_PPPD 166 546146277Sdarrenr 547146277Sdarrenr/* 548146277Sdarrenr * Names for backwards compatibility with older versions of some PPP 549146277Sdarrenr * software; new software should use DLT_PPP_PPPD. 550146277Sdarrenr */ 551146277Sdarrenr#define DLT_PPP_WITH_DIRECTION DLT_PPP_PPPD 552146277Sdarrenr#define DLT_LINUX_PPP_WITHDIRECTION DLT_PPP_PPPD 553146277Sdarrenr 554146277Sdarrenr/* 555146277Sdarrenr * Juniper-private data link type, as per request from 556146277Sdarrenr * Hannes Gredler <hannes@juniper.net>. The DLT_s are used 557146277Sdarrenr * for passing on chassis-internal metainformation such as 558146277Sdarrenr * QOS profiles, cookies, etc.. 559146277Sdarrenr */ 560146277Sdarrenr#define DLT_JUNIPER_PPPOE 167 561146277Sdarrenr#define DLT_JUNIPER_PPPOE_ATM 168 562146277Sdarrenr 563146277Sdarrenr#define DLT_GPRS_LLC 169 /* GPRS LLC */ 564146277Sdarrenr#define DLT_GPF_T 170 /* GPF-T (ITU-T G.7041/Y.1303) */ 565146277Sdarrenr#define DLT_GPF_F 171 /* GPF-F (ITU-T G.7041/Y.1303) */ 566146277Sdarrenr 567146277Sdarrenr/* 568146277Sdarrenr * Requested by Oolan Zimmer <oz@gcom.com> for use in Gcom's T1/E1 line 569146277Sdarrenr * monitoring equipment. 570146277Sdarrenr */ 571146277Sdarrenr#define DLT_GCOM_T1E1 172 572146277Sdarrenr#define DLT_GCOM_SERIAL 173 573146277Sdarrenr 574146277Sdarrenr/* 575146277Sdarrenr * Juniper-private data link type, as per request from 576146277Sdarrenr * Hannes Gredler <hannes@juniper.net>. The DLT_ is used 577146277Sdarrenr * for internal communication to Physical Interface Cards (PIC) 578146277Sdarrenr */ 579146277Sdarrenr#define DLT_JUNIPER_PIC_PEER 174 580146277Sdarrenr 581146277Sdarrenr/* 582146277Sdarrenr * Link types requested by Gregor Maier <gregor@endace.com> of Endace 583146277Sdarrenr * Measurement Systems. They add an ERF header (see 584146277Sdarrenr * http://www.endace.com/support/EndaceRecordFormat.pdf) in front of 585146277Sdarrenr * the link-layer header. 586146277Sdarrenr */ 587146277Sdarrenr#define DLT_ERF_ETH 175 /* Ethernet */ 588146277Sdarrenr#define DLT_ERF_POS 176 /* Packet-over-SONET */ 589146277Sdarrenr 590146277Sdarrenr/* 591146277Sdarrenr * Requested by Daniele Orlandi <daniele@orlandi.com> for raw LAPD 592146277Sdarrenr * for vISDN (http://www.orlandi.com/visdn/). Its link-layer header 593146277Sdarrenr * includes additional information before the LAPD header, so it's 594146277Sdarrenr * not necessarily a generic LAPD header. 595146277Sdarrenr */ 596146277Sdarrenr#define DLT_LINUX_LAPD 177 597146277Sdarrenr 598146277Sdarrenr/* 599146277Sdarrenr * The instruction encodings. 600146277Sdarrenr */ 601146277Sdarrenr/* instruction classes */ 602146277Sdarrenr#define BPF_CLASS(code) ((code) & 0x07) 603146277Sdarrenr#define BPF_LD 0x00 604146277Sdarrenr#define BPF_LDX 0x01 605146277Sdarrenr#define BPF_ST 0x02 606146277Sdarrenr#define BPF_STX 0x03 607146277Sdarrenr#define BPF_ALU 0x04 608146277Sdarrenr#define BPF_JMP 0x05 609146277Sdarrenr#define BPF_RET 0x06 610146277Sdarrenr#define BPF_MISC 0x07 611146277Sdarrenr 612146277Sdarrenr/* ld/ldx fields */ 613146277Sdarrenr#define BPF_SIZE(code) ((code) & 0x18) 614146277Sdarrenr#define BPF_W 0x00 615146277Sdarrenr#define BPF_H 0x08 616146277Sdarrenr#define BPF_B 0x10 617146277Sdarrenr#define BPF_MODE(code) ((code) & 0xe0) 618146277Sdarrenr#define BPF_IMM 0x00 619146277Sdarrenr#define BPF_ABS 0x20 620146277Sdarrenr#define BPF_IND 0x40 621146277Sdarrenr#define BPF_MEM 0x60 622146277Sdarrenr#define BPF_LEN 0x80 623146277Sdarrenr#define BPF_MSH 0xa0 624146277Sdarrenr 625146277Sdarrenr/* alu/jmp fields */ 626146277Sdarrenr#define BPF_OP(code) ((code) & 0xf0) 627146277Sdarrenr#define BPF_ADD 0x00 628146277Sdarrenr#define BPF_SUB 0x10 629146277Sdarrenr#define BPF_MUL 0x20 630146277Sdarrenr#define BPF_DIV 0x30 631146277Sdarrenr#define BPF_OR 0x40 632146277Sdarrenr#define BPF_AND 0x50 633146277Sdarrenr#define BPF_LSH 0x60 634146277Sdarrenr#define BPF_RSH 0x70 635146277Sdarrenr#define BPF_NEG 0x80 636146277Sdarrenr#define BPF_JA 0x00 637146277Sdarrenr#define BPF_JEQ 0x10 638146277Sdarrenr#define BPF_JGT 0x20 639146277Sdarrenr#define BPF_JGE 0x30 640146277Sdarrenr#define BPF_JSET 0x40 641146277Sdarrenr#define BPF_SRC(code) ((code) & 0x08) 642146277Sdarrenr#define BPF_K 0x00 643146277Sdarrenr#define BPF_X 0x08 644146277Sdarrenr 645146277Sdarrenr/* ret - BPF_K and BPF_X also apply */ 646146277Sdarrenr#define BPF_RVAL(code) ((code) & 0x18) 647146277Sdarrenr#define BPF_A 0x10 648146277Sdarrenr 649146277Sdarrenr/* misc */ 650146277Sdarrenr#define BPF_MISCOP(code) ((code) & 0xf8) 651146277Sdarrenr#define BPF_TAX 0x00 652146277Sdarrenr#define BPF_TXA 0x80 653146277Sdarrenr 654146277Sdarrenr/* 655146277Sdarrenr * The instruction data structure. 656146277Sdarrenr */ 657146277Sdarrenrstruct bpf_insn { 658146277Sdarrenr u_short code; 659146277Sdarrenr u_char jt; 660146277Sdarrenr u_char jf; 661146277Sdarrenr bpf_int32 k; 662146277Sdarrenr}; 663146277Sdarrenr 664146277Sdarrenr/* 665146277Sdarrenr * Macros for insn array initializers. 666146277Sdarrenr */ 667146277Sdarrenr#define BPF_STMT(code, k) { (u_short)(code), 0, 0, k } 668146277Sdarrenr#define BPF_JUMP(code, k, jt, jf) { (u_short)(code), jt, jf, k } 669146277Sdarrenr 670146277Sdarrenr#if __STDC__ || defined(__cplusplus) 671146277Sdarrenrextern int bpf_validate(struct bpf_insn *, int); 672146277Sdarrenrextern u_int bpf_filter(struct bpf_insn *, u_char *, u_int, u_int); 673146277Sdarrenr#else 674146277Sdarrenrextern int bpf_validate(); 675146277Sdarrenrextern u_int bpf_filter(); 676146277Sdarrenr#endif 677146277Sdarrenr 678146277Sdarrenr/* 679146277Sdarrenr * Number of scratch memory words (for BPF_LD|BPF_MEM and BPF_ST). 680146277Sdarrenr */ 681146277Sdarrenr#define BPF_MEMWORDS 16 682146277Sdarrenr 683146277Sdarrenr#ifdef __cplusplus 684146277Sdarrenr} 685146277Sdarrenr#endif 686146277Sdarrenr 687146277Sdarrenr#endif 688