master
1/*-
2 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997
3 * The Regents of the University of California. All rights reserved.
4 *
5 * This code is derived from the Stanford/CMU enet packet filter,
6 * (net/enet.c) distributed as part of 4.3BSD, and code contributed
7 * to Berkeley by Steven McCanne and Van Jacobson both of Lawrence
8 * Berkeley Laboratory.
9 *
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions
12 * are met:
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
18 * 3. Neither the name of the University nor the names of its contributors
19 * may be used to endorse or promote products derived from this software
20 * without specific prior written permission.
21 *
22 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 * SUCH DAMAGE.
33 *
34 * @(#)bpf.h 7.1 (Berkeley) 5/7/91
35 */
36
37#ifndef _NET_DLT_H_
38#define _NET_DLT_H_
39
40/*
41 * Link-layer header type codes.
42 *
43 * Do *NOT* add new values to this list without asking
44 * "tcpdump-workers@lists.tcpdump.org" for a value. Otherwise, you run
45 * the risk of using a value that's already being used for some other
46 * purpose, and of having tools that read libpcap-format captures not
47 * being able to handle captures with your new DLT_ value, with no hope
48 * that they will ever be changed to do so (as that would destroy their
49 * ability to read captures using that value for that other purpose).
50 *
51 * See
52 *
53 * https://www.tcpdump.org/linktypes.html
54 *
55 * for detailed descriptions of some of these link-layer header types.
56 */
57
58/*
59 * These are the types that are the same on all platforms, and that
60 * have been defined by <net/bpf.h> for ages.
61 */
62#define DLT_NULL 0 /* BSD loopback encapsulation */
63#define DLT_EN10MB 1 /* Ethernet (10Mb) */
64#define DLT_EN3MB 2 /* Experimental Ethernet (3Mb) */
65#define DLT_AX25 3 /* Amateur Radio AX.25 */
66#define DLT_PRONET 4 /* Proteon ProNET Token Ring */
67#define DLT_CHAOS 5 /* Chaos */
68#define DLT_IEEE802 6 /* 802.5 Token Ring */
69#define DLT_ARCNET 7 /* ARCNET, with BSD-style header */
70#define DLT_SLIP 8 /* Serial Line IP */
71#define DLT_PPP 9 /* Point-to-point Protocol */
72#define DLT_FDDI 10 /* FDDI */
73
74/*
75 * These are types that are different on some platforms, and that
76 * have been defined by <net/bpf.h> for ages. We use #ifdefs to
77 * detect the BSDs that define them differently from the traditional
78 * libpcap <net/bpf.h>
79 *
80 * XXX - DLT_ATM_RFC1483 is 13 in BSD/OS, and DLT_RAW is 14 in BSD/OS,
81 * but I don't know what the right #define is for BSD/OS.
82 */
83#define DLT_ATM_RFC1483 11 /* LLC-encapsulated ATM */
84
85#ifdef __OpenBSD__
86#define DLT_RAW 14 /* raw IP */
87#else
88#define DLT_RAW 12 /* raw IP */
89#endif
90
91/*
92 * Given that the only OS that currently generates BSD/OS SLIP or PPP
93 * is, well, BSD/OS, arguably everybody should have chosen its values
94 * for DLT_SLIP_BSDOS and DLT_PPP_BSDOS, which are 15 and 16, but they
95 * didn't. So it goes.
96 */
97#if defined(__NetBSD__) || defined(__FreeBSD__)
98#ifndef DLT_SLIP_BSDOS
99#define DLT_SLIP_BSDOS 13 /* BSD/OS Serial Line IP */
100#define DLT_PPP_BSDOS 14 /* BSD/OS Point-to-point Protocol */
101#endif
102#else
103#define DLT_SLIP_BSDOS 15 /* BSD/OS Serial Line IP */
104#define DLT_PPP_BSDOS 16 /* BSD/OS Point-to-point Protocol */
105#endif
106
107/*
108 * NetBSD uses 15 for HIPPI.
109 *
110 * From a quick look at sys/net/if_hippi.h and sys/net/if_hippisubr.c
111 * in an older version of NetBSD , the header appears to be:
112 *
113 * a 1-byte ULP field (ULP-id)?
114 *
115 * a 1-byte flags field;
116 *
117 * a 2-byte "offsets" field;
118 *
119 * a 4-byte "D2 length" field (D2_Size?);
120 *
121 * a 4-byte "destination switch" field (or a 1-byte field
122 * containing the Forwarding Class, Double_Wide, and Message_Type
123 * sub fields, followed by a 3-byte Destination_Switch_Address
124 * field?, HIPPI-LE 3.4-style?);
125 *
126 * a 4-byte "source switch" field (or a 1-byte field containing the
127 * Destination_Address_type and Source_Address_Type fields, followed
128 * by a 3-byte Source_Switch_Address field, HIPPI-LE 3.4-style?);
129 *
130 * a 2-byte reserved field;
131 *
132 * a 6-byte destination address field;
133 *
134 * a 2-byte "local admin" field;
135 *
136 * a 6-byte source address field;
137 *
138 * followed by an 802.2 LLC header.
139 *
140 * This looks somewhat like something derived from the HIPPI-FP 4.4
141 * Header_Area, followed an HIPPI-FP 4.4 D1_Area containing a D1 data set
142 * with the header in HIPPI-LE 3.4 (ANSI X3.218-1993), followed by an
143 * HIPPI-FP 4.4 D2_Area (with no Offset) containing the 802.2 LLC header
144 * and payload? Or does the "offsets" field contain the D2_Offset,
145 * with that many bytes of offset before the payload?
146 *
147 * See http://wotug.org/parallel/standards/hippi/ for an archive of
148 * HIPPI specifications.
149 *
150 * RFC 2067 imposes some additional restrictions. It says that the
151 * Offset is always zero
152 *
153 * HIPPI is long-gone, and the source files found in an older version
154 * of NetBSD don't appear to be in the main CVS branch, so we may never
155 * see a capture with this link-layer type.
156 */
157#if defined(__NetBSD__)
158#define DLT_HIPPI 15 /* HIPPI */
159#endif
160
161/*
162 * NetBSD uses 16 for DLT_HDLC; see below.
163 * BSD/OS uses it for PPP; see above.
164 * As far as I know, no other OS uses it for anything; don't use it
165 * for anything else.
166 */
167
168/*
169 * 17 was used for DLT_PFLOG in OpenBSD; it no longer is.
170 *
171 * It was DLT_LANE8023 in SuSE 6.3, so we defined LINKTYPE_PFLOG
172 * as 117 so that pflog captures would use a link-layer header type
173 * value that didn't collide with any other values. On all
174 * platforms other than OpenBSD, we defined DLT_PFLOG as 117,
175 * and we mapped between LINKTYPE_PFLOG and DLT_PFLOG.
176 *
177 * OpenBSD eventually switched to using 117 for DLT_PFLOG as well.
178 *
179 * Don't use 17 for anything else.
180 */
181
182/*
183 * 18 is used for DLT_PFSYNC in OpenBSD, NetBSD, DragonFly BSD and
184 * macOS; don't use it for anything else. (FreeBSD uses 121, which
185 * collides with DLT_HHDLC, even though it doesn't use 18 for
186 * anything and doesn't appear to have ever used it for anything.)
187 *
188 * We define it as 18 on those platforms; it is, unfortunately, used
189 * for DLT_CIP in Suse 6.3, so we don't define it as DLT_PFSYNC
190 * in general. As the packet format for it, like that for
191 * DLT_PFLOG, is not only OS-dependent but OS-version-dependent,
192 * we don't support printing it in tcpdump except on OSes that
193 * have the relevant header files, so it's not that useful on
194 * other platforms.
195 */
196#if defined(__OpenBSD__) || defined(__NetBSD__) || defined(__DragonFly__) || defined(__APPLE__)
197#define DLT_PFSYNC 18
198#endif
199
200#define DLT_ATM_CLIP 19 /* Linux Classical IP over ATM */
201
202/*
203 * Apparently Redback uses this for its SmartEdge 400/800. I hope
204 * nobody else decided to use it, too.
205 */
206#define DLT_REDBACK_SMARTEDGE 32
207
208/*
209 * These values are defined by NetBSD; other platforms should refrain from
210 * using them for other purposes, so that NetBSD savefiles with link
211 * types of 50 or 51 can be read as this type on all platforms.
212 */
213#define DLT_PPP_SERIAL 50 /* PPP over serial with HDLC encapsulation */
214#define DLT_PPP_ETHER 51 /* PPP over Ethernet */
215
216/*
217 * The Axent Raptor firewall - now the Symantec Enterprise Firewall - uses
218 * a link-layer type of 99 for the tcpdump it supplies. The link-layer
219 * header has 6 bytes of unknown data, something that appears to be an
220 * Ethernet type, and 36 bytes that appear to be 0 in at least one capture
221 * I've seen.
222 */
223#define DLT_SYMANTEC_FIREWALL 99
224
225/*
226 * Values between 100 and 103 are used in capture file headers as
227 * link-layer header type LINKTYPE_ values corresponding to DLT_ types
228 * that differ between platforms; don't use those values for new DLT_
229 * new types.
230 */
231
232/*
233 * Values starting with 104 are used for newly-assigned link-layer
234 * header type values; for those link-layer header types, the DLT_
235 * value returned by pcap_datalink() and passed to pcap_open_dead(),
236 * and the LINKTYPE_ value that appears in capture files, are the
237 * same.
238 *
239 * DLT_MATCHING_MIN is the lowest such value; DLT_MATCHING_MAX is
240 * the highest such value.
241 */
242#define DLT_MATCHING_MIN 104
243
244/*
245 * This value was defined by libpcap 0.5; platforms that have defined
246 * it with a different value should define it here with that value -
247 * a link type of 104 in a save file will be mapped to DLT_C_HDLC,
248 * whatever value that happens to be, so programs will correctly
249 * handle files with that link type regardless of the value of
250 * DLT_C_HDLC.
251 *
252 * The name DLT_C_HDLC was used by BSD/OS; we use that name for source
253 * compatibility with programs written for BSD/OS.
254 *
255 * libpcap 0.5 defined it as DLT_CHDLC; we define DLT_CHDLC as well,
256 * for source compatibility with programs written for libpcap 0.5.
257 */
258#define DLT_C_HDLC 104 /* Cisco HDLC */
259#define DLT_CHDLC DLT_C_HDLC
260
261#define DLT_IEEE802_11 105 /* IEEE 802.11 wireless */
262
263/*
264 * 106 is reserved for Linux Classical IP over ATM; it's like DLT_RAW,
265 * except when it isn't. (I.e., sometimes it's just raw IP, and
266 * sometimes it isn't.) We currently handle it as DLT_LINUX_SLL,
267 * so that we don't have to worry about the link-layer header.)
268 */
269
270/*
271 * Frame Relay; BSD/OS has a DLT_FR with a value of 11, but that collides
272 * with other values.
273 * DLT_FR and DLT_FRELAY packets start with the Q.922 Frame Relay header
274 * (DLCI, etc.).
275 */
276#define DLT_FRELAY 107
277
278/*
279 * OpenBSD DLT_LOOP, for loopback devices; it's like DLT_NULL, except
280 * that the AF_ type in the link-layer header is in network byte order.
281 *
282 * DLT_LOOP is 12 in OpenBSD, but that's DLT_RAW in other OSes, so
283 * we don't use 12 for it in OSes other than OpenBSD; instead, we
284 * use the same value as LINKTYPE_LOOP.
285 */
286#ifdef __OpenBSD__
287#define DLT_LOOP 12
288#else
289#define DLT_LOOP 108
290#endif
291
292/*
293 * Encapsulated packets for IPsec; DLT_ENC is 13 in OpenBSD, but that's
294 * DLT_SLIP_BSDOS in NetBSD, so we don't use 13 for it in OSes other
295 * than OpenBSD; instead, we use the same value as LINKTYPE_ENC.
296 */
297#ifdef __OpenBSD__
298#define DLT_ENC 13
299#else
300#define DLT_ENC 109
301#endif
302
303/*
304 * Values 110 and 111 are reserved for use in capture file headers
305 * as link-layer types corresponding to DLT_ types that might differ
306 * between platforms; don't use those values for new DLT_ types
307 * other than the corresponding DLT_ types.
308 */
309
310/*
311 * NetBSD uses 16 for (Cisco) "HDLC framing". For other platforms,
312 * we define it to have the same value as LINKTYPE_NETBSD_HDLC.
313 */
314#if defined(__NetBSD__)
315#define DLT_HDLC 16 /* Cisco HDLC */
316#else
317#define DLT_HDLC 112
318#endif
319
320/*
321 * Linux cooked sockets.
322 */
323#define DLT_LINUX_SLL 113
324
325/*
326 * Apple LocalTalk hardware.
327 */
328#define DLT_LTALK 114
329
330/*
331 * Acorn Econet.
332 */
333#define DLT_ECONET 115
334
335/*
336 * Reserved for use with OpenBSD ipfilter.
337 */
338#define DLT_IPFILTER 116
339
340/*
341 * OpenBSD DLT_PFLOG.
342 */
343#define DLT_PFLOG 117
344
345/*
346 * Registered for Cisco-internal use.
347 */
348#define DLT_CISCO_IOS 118
349
350/*
351 * For 802.11 cards using the Prism II chips, with a link-layer
352 * header including Prism monitor mode information plus an 802.11
353 * header.
354 */
355#define DLT_PRISM_HEADER 119
356
357/*
358 * Reserved for Aironet 802.11 cards, with an Aironet link-layer header
359 * (see Doug Ambrisko's FreeBSD patches).
360 */
361#define DLT_AIRONET_HEADER 120
362
363/*
364 * Sigh.
365 *
366 * 121 was reserved for Siemens HiPath HDLC on 2002-01-25, as
367 * requested by Tomas Kukosa.
368 *
369 * On 2004-02-25, a FreeBSD checkin to sys/net/bpf.h was made that
370 * assigned 121 as DLT_PFSYNC. In current versions, its libpcap
371 * does DLT_ <-> LINKTYPE_ mapping, mapping DLT_PFSYNC to a
372 * LINKTYPE_PFSYNC value of 246, so it should write out DLT_PFSYNC
373 * dump files with 246 as the link-layer header type. (Earlier
374 * versions might not have done mapping, in which case they would
375 * have written them out with a link-layer header type of 121.)
376 *
377 * OpenBSD, from which pf came, however, uses 18 for DLT_PFSYNC;
378 * its libpcap does no DLT_ <-> LINKTYPE_ mapping, so it would
379 * write out DLT_PFSYNC dump files with use 18 as the link-layer
380 * header type.
381 *
382 * NetBSD, DragonFly BSD, and Darwin also use 18 for DLT_PFSYNC; in
383 * current versions, their libpcaps do DLT_ <-> LINKTYPE_ mapping,
384 * mapping DLT_PFSYNC to a LINKTYPE_PFSYNC value of 246, so they
385 * should write out DLT_PFSYNC dump files with 246 as the link-layer
386 * header type. (Earlier versions might not have done mapping,
387 * in which case they'd work the same way OpenBSD does, writing
388 * them out with a link-layer header type of 18.)
389 *
390 * We'll define DLT_PFSYNC as:
391 *
392 * 18 on NetBSD, OpenBSD, DragonFly BSD, and Darwin;
393 *
394 * 121 on FreeBSD;
395 *
396 * 246 everywhere else.
397 *
398 * We'll define DLT_HHDLC as 121 on everything except for FreeBSD;
399 * anybody who wants to compile, on FreeBSD, code that uses DLT_HHDLC
400 * is out of luck.
401 *
402 * We'll define LINKTYPE_PFSYNC as 246 on *all* platforms, so that
403 * savefiles written using *this* code won't use 18 or 121 for PFSYNC,
404 * they'll all use 246.
405 *
406 * Code that uses pcap_datalink() to determine the link-layer header
407 * type of a savefile won't, when built and run on FreeBSD, be able
408 * to distinguish between LINKTYPE_PFSYNC and LINKTYPE_HHDLC capture
409 * files, as pcap_datalink() will give 121 for both of them. Code
410 * that doesn't, such as the code in Wireshark, will be able to
411 * distinguish between them.
412 *
413 * FreeBSD's libpcap won't map a link-layer header type of 18 - i.e.,
414 * DLT_PFSYNC files from OpenBSD and possibly older versions of NetBSD,
415 * DragonFly BSD, and macOS - to DLT_PFSYNC, so code built with FreeBSD's
416 * libpcap won't treat those files as DLT_PFSYNC files.
417 *
418 * Other libpcaps won't map a link-layer header type of 121 to DLT_PFSYNC;
419 * this means they can read DLT_HHDLC files, if any exist, but won't
420 * treat pcap files written by any older versions of FreeBSD libpcap that
421 * didn't map to 246 as DLT_PFSYNC files.
422 */
423#ifdef __FreeBSD__
424#define DLT_PFSYNC 121
425#else
426#define DLT_HHDLC 121
427#endif
428
429/*
430 * This is for RFC 2625 IP-over-Fibre Channel.
431 *
432 * This is not for use with raw Fibre Channel, where the link-layer
433 * header starts with a Fibre Channel frame header; it's for IP-over-FC,
434 * where the link-layer header starts with an RFC 2625 Network_Header
435 * field.
436 */
437#define DLT_IP_OVER_FC 122
438
439/*
440 * This is for Full Frontal ATM on Solaris with SunATM, with a
441 * pseudo-header followed by an AALn PDU.
442 *
443 * There may be other forms of Full Frontal ATM on other OSes,
444 * with different pseudo-headers.
445 *
446 * If ATM software returns a pseudo-header with VPI/VCI information
447 * (and, ideally, packet type information, e.g. signalling, ILMI,
448 * LANE, LLC-multiplexed traffic, etc.), it should not use
449 * DLT_ATM_RFC1483, but should get a new DLT_ value, so tcpdump
450 * and the like don't have to infer the presence or absence of a
451 * pseudo-header and the form of the pseudo-header.
452 */
453#define DLT_SUNATM 123 /* Solaris+SunATM */
454
455/*
456 * Reserved as per request from Kent Dahlgren <kent@praesum.com>
457 * for private use.
458 */
459#define DLT_RIO 124 /* RapidIO */
460#define DLT_PCI_EXP 125 /* PCI Express */
461#define DLT_AURORA 126 /* Xilinx Aurora link layer */
462
463/*
464 * Header for 802.11 plus a number of bits of link-layer information
465 * including radio information, used by some recent BSD drivers as
466 * well as the madwifi Atheros driver for Linux.
467 */
468#define DLT_IEEE802_11_RADIO 127 /* 802.11 plus radiotap radio header */
469
470/*
471 * Reserved for the TZSP encapsulation, as per request from
472 * Chris Waters <chris.waters@networkchemistry.com>
473 * TZSP is a generic encapsulation for any other link type,
474 * which includes a means to include meta-information
475 * with the packet, e.g. signal strength and channel
476 * for 802.11 packets.
477 */
478#define DLT_TZSP 128 /* Tazmen Sniffer Protocol */
479
480/*
481 * BSD's ARCNET headers have the source host, destination host,
482 * and type at the beginning of the packet; that's what's handed
483 * up to userland via BPF.
484 *
485 * Linux's ARCNET headers, however, have a 2-byte offset field
486 * between the host IDs and the type; that's what's handed up
487 * to userland via PF_PACKET sockets.
488 *
489 * We therefore have to have separate DLT_ values for them.
490 */
491#define DLT_ARCNET_LINUX 129 /* ARCNET */
492
493/*
494 * Juniper-private data link types, as per request from
495 * Hannes Gredler <hannes@juniper.net>. The DLT_s are used
496 * for passing on chassis-internal metainformation such as
497 * QOS profiles, etc..
498 */
499#define DLT_JUNIPER_MLPPP 130
500#define DLT_JUNIPER_MLFR 131
501#define DLT_JUNIPER_ES 132
502#define DLT_JUNIPER_GGSN 133
503#define DLT_JUNIPER_MFR 134
504#define DLT_JUNIPER_ATM2 135
505#define DLT_JUNIPER_SERVICES 136
506#define DLT_JUNIPER_ATM1 137
507
508/*
509 * Apple IP-over-IEEE 1394, as per a request from Dieter Siegmund
510 * <dieter@apple.com>. The header that's presented is an Ethernet-like
511 * header:
512 *
513 * #define FIREWIRE_EUI64_LEN 8
514 * struct firewire_header {
515 * u_char firewire_dhost[FIREWIRE_EUI64_LEN];
516 * u_char firewire_shost[FIREWIRE_EUI64_LEN];
517 * u_short firewire_type;
518 * };
519 *
520 * with "firewire_type" being an Ethernet type value, rather than,
521 * for example, raw GASP frames being handed up.
522 */
523#define DLT_APPLE_IP_OVER_IEEE1394 138
524
525/*
526 * Various SS7 encapsulations, as per a request from Jeff Morriss
527 * <jeff.morriss[AT]ulticom.com> and subsequent discussions.
528 */
529#define DLT_MTP2_WITH_PHDR 139 /* pseudo-header with various info, followed by MTP2 */
530#define DLT_MTP2 140 /* MTP2, without pseudo-header */
531#define DLT_MTP3 141 /* MTP3, without pseudo-header or MTP2 */
532#define DLT_SCCP 142 /* SCCP, without pseudo-header or MTP2 or MTP3 */
533
534/*
535 * DOCSIS MAC frames.
536 */
537#define DLT_DOCSIS 143
538
539/*
540 * Linux-IrDA packets. Protocol defined at https://www.irda.org.
541 * Those packets include IrLAP headers and above (IrLMP...), but
542 * don't include Phy framing (SOF/EOF/CRC & byte stuffing), because Phy
543 * framing can be handled by the hardware and depend on the bitrate.
544 * This is exactly the format you would get capturing on a Linux-IrDA
545 * interface (irdaX), but not on a raw serial port.
546 * Note the capture is done in "Linux-cooked" mode, so each packet include
547 * a fake packet header (struct sll_header). This is because IrDA packet
548 * decoding is dependent on the direction of the packet (incoming or
549 * outgoing).
550 * When/if other platform implement IrDA capture, we may revisit the
551 * issue and define a real DLT_IRDA...
552 * Jean II
553 */
554#define DLT_LINUX_IRDA 144
555
556/*
557 * Reserved for IBM SP switch and IBM Next Federation switch.
558 */
559#define DLT_IBM_SP 145
560#define DLT_IBM_SN 146
561
562/*
563 * Reserved for private use. If you have some link-layer header type
564 * that you want to use within your organization, with the capture files
565 * using that link-layer header type not ever be sent outside your
566 * organization, you can use these values.
567 *
568 * No libpcap release will use these for any purpose, nor will any
569 * tcpdump release use them, either.
570 *
571 * Do *NOT* use these in capture files that you expect anybody not using
572 * your private versions of capture-file-reading tools to read; in
573 * particular, do *NOT* use them in products, otherwise you may find that
574 * people won't be able to use tcpdump, or snort, or Ethereal, or... to
575 * read capture files from your firewall/intrusion detection/traffic
576 * monitoring/etc. appliance, or whatever product uses that DLT_ value,
577 * and you may also find that the developers of those applications will
578 * not accept patches to let them read those files.
579 *
580 * Also, do not use them if somebody might send you a capture using them
581 * for *their* private type and tools using them for *your* private type
582 * would have to read them.
583 *
584 * Instead, ask "tcpdump-workers@lists.tcpdump.org" for a new DLT_ value,
585 * as per the comment above, and use the type you're given.
586 */
587#define DLT_USER0 147
588#define DLT_USER1 148
589#define DLT_USER2 149
590#define DLT_USER3 150
591#define DLT_USER4 151
592#define DLT_USER5 152
593#define DLT_USER6 153
594#define DLT_USER7 154
595#define DLT_USER8 155
596#define DLT_USER9 156
597#define DLT_USER10 157
598#define DLT_USER11 158
599#define DLT_USER12 159
600#define DLT_USER13 160
601#define DLT_USER14 161
602#define DLT_USER15 162
603
604/*
605 * For future use with 802.11 captures - defined by AbsoluteValue
606 * Systems to store a number of bits of link-layer information
607 * including radio information:
608 *
609 * http://www.shaftnet.org/~pizza/software/capturefrm.txt
610 *
611 * but it might be used by some non-AVS drivers now or in the
612 * future.
613 */
614#define DLT_IEEE802_11_RADIO_AVS 163 /* 802.11 plus AVS radio header */
615
616/*
617 * Juniper-private data link type, as per request from
618 * Hannes Gredler <hannes@juniper.net>. The DLT_s are used
619 * for passing on chassis-internal metainformation such as
620 * QOS profiles, etc..
621 */
622#define DLT_JUNIPER_MONITOR 164
623
624/*
625 * BACnet MS/TP frames.
626 */
627#define DLT_BACNET_MS_TP 165
628
629/*
630 * Another PPP variant as per request from Karsten Keil <kkeil@suse.de>.
631 *
632 * This is used in some OSes to allow a kernel socket filter to distinguish
633 * between incoming and outgoing packets, on a socket intended to
634 * supply pppd with outgoing packets so it can do dial-on-demand and
635 * hangup-on-lack-of-demand; incoming packets are filtered out so they
636 * don't cause pppd to hold the connection up (you don't want random
637 * input packets such as port scans, packets from old lost connections,
638 * etc. to force the connection to stay up).
639 *
640 * The first byte of the PPP header (0xff03) is modified to accommodate
641 * the direction - 0x00 = IN, 0x01 = OUT.
642 */
643#define DLT_PPP_PPPD 166
644
645/*
646 * Names for backwards compatibility with older versions of some PPP
647 * software; new software should use DLT_PPP_PPPD.
648 */
649#define DLT_PPP_WITH_DIRECTION DLT_PPP_PPPD
650#define DLT_LINUX_PPP_WITHDIRECTION DLT_PPP_PPPD
651
652/*
653 * Juniper-private data link type, as per request from
654 * Hannes Gredler <hannes@juniper.net>. The DLT_s are used
655 * for passing on chassis-internal metainformation such as
656 * QOS profiles, cookies, etc..
657 */
658#define DLT_JUNIPER_PPPOE 167
659#define DLT_JUNIPER_PPPOE_ATM 168
660
661#define DLT_GPRS_LLC 169 /* GPRS LLC */
662#define DLT_GPF_T 170 /* GPF-T (ITU-T G.7041/Y.1303) */
663#define DLT_GPF_F 171 /* GPF-F (ITU-T G.7041/Y.1303) */
664
665/*
666 * Requested by Oolan Zimmer <oz@gcom.com> for use in Gcom's T1/E1 line
667 * monitoring equipment.
668 */
669#define DLT_GCOM_T1E1 172
670#define DLT_GCOM_SERIAL 173
671
672/*
673 * Juniper-private data link type, as per request from
674 * Hannes Gredler <hannes@juniper.net>. The DLT_ is used
675 * for internal communication to Physical Interface Cards (PIC)
676 */
677#define DLT_JUNIPER_PIC_PEER 174
678
679/*
680 * Link types requested by Gregor Maier <gregor@endace.com> of Endace
681 * Measurement Systems. They add an ERF header (see
682 * https://www.endace.com/support/EndaceRecordFormat.pdf) in front of
683 * the link-layer header.
684 */
685#define DLT_ERF_ETH 175 /* Ethernet */
686#define DLT_ERF_POS 176 /* Packet-over-SONET */
687
688/*
689 * Requested by Daniele Orlandi <daniele@orlandi.com> for raw LAPD
690 * for vISDN (http://www.orlandi.com/visdn/). Its link-layer header
691 * includes additional information before the LAPD header, so it's
692 * not necessarily a generic LAPD header.
693 */
694#define DLT_LINUX_LAPD 177
695
696/*
697 * Juniper-private data link type, as per request from
698 * Hannes Gredler <hannes@juniper.net>.
699 * The DLT_ are used for prepending meta-information
700 * like interface index, interface name
701 * before standard Ethernet, PPP, Frelay & C-HDLC Frames
702 */
703#define DLT_JUNIPER_ETHER 178
704#define DLT_JUNIPER_PPP 179
705#define DLT_JUNIPER_FRELAY 180
706#define DLT_JUNIPER_CHDLC 181
707
708/*
709 * Multi Link Frame Relay (FRF.16)
710 */
711#define DLT_MFR 182
712
713/*
714 * Juniper-private data link type, as per request from
715 * Hannes Gredler <hannes@juniper.net>.
716 * The DLT_ is used for internal communication with a
717 * voice Adapter Card (PIC)
718 */
719#define DLT_JUNIPER_VP 183
720
721/*
722 * Arinc 429 frames.
723 * DLT_ requested by Gianluca Varenni <gianluca.varenni@cacetech.com>.
724 * Every frame contains a 32bit A429 label.
725 * More documentation on Arinc 429 can be found at
726 * https://web.archive.org/web/20040616233302/https://www.condoreng.com/support/downloads/tutorials/ARINCTutorial.pdf
727 */
728#define DLT_A429 184
729
730/*
731 * Arinc 653 Interpartition Communication messages.
732 * DLT_ requested by Gianluca Varenni <gianluca.varenni@cacetech.com>.
733 * Please refer to the A653-1 standard for more information.
734 */
735#define DLT_A653_ICM 185
736
737/*
738 * This used to be "USB packets, beginning with a USB setup header;
739 * requested by Paolo Abeni <paolo.abeni@email.it>."
740 *
741 * However, that header didn't work all that well - it left out some
742 * useful information - and was abandoned in favor of the DLT_USB_LINUX
743 * header.
744 *
745 * This is now used by FreeBSD for its BPF taps for USB; that has its
746 * own headers. So it is written, so it is done.
747 *
748 * For source-code compatibility, we also define DLT_USB to have this
749 * value. We do it numerically so that, if code that includes this
750 * file (directly or indirectly) also includes an OS header that also
751 * defines DLT_USB as 186, we don't get a redefinition warning.
752 * (NetBSD 7 does that.)
753 */
754#define DLT_USB_FREEBSD 186
755#define DLT_USB 186
756
757/*
758 * Bluetooth HCI UART transport layer (part H:4); requested by
759 * Paolo Abeni.
760 */
761#define DLT_BLUETOOTH_HCI_H4 187
762
763/*
764 * IEEE 802.16 MAC Common Part Sublayer; requested by Maria Cruz
765 * <cruz_petagay@bah.com>.
766 */
767#define DLT_IEEE802_16_MAC_CPS 188
768
769/*
770 * USB packets, beginning with a Linux USB header; requested by
771 * Paolo Abeni <paolo.abeni@email.it>.
772 */
773#define DLT_USB_LINUX 189
774
775/*
776 * Controller Area Network (CAN) v. 2.0B packets.
777 * DLT_ requested by Gianluca Varenni <gianluca.varenni@cacetech.com>.
778 * Used to dump CAN packets coming from a CAN Vector board.
779 * More documentation on the CAN v2.0B frames can be found at
780 * http://www.can-cia.org/downloads/?269
781 */
782#define DLT_CAN20B 190
783
784/*
785 * IEEE 802.15.4, with address fields padded, as is done by Linux
786 * drivers; requested by Juergen Schimmer.
787 */
788#define DLT_IEEE802_15_4_LINUX 191
789
790/*
791 * Per Packet Information encapsulated packets.
792 * DLT_ requested by Gianluca Varenni <gianluca.varenni@cacetech.com>.
793 */
794#define DLT_PPI 192
795
796/*
797 * Header for 802.16 MAC Common Part Sublayer plus a radiotap radio header;
798 * requested by Charles Clancy.
799 */
800#define DLT_IEEE802_16_MAC_CPS_RADIO 193
801
802/*
803 * Juniper-private data link type, as per request from
804 * Hannes Gredler <hannes@juniper.net>.
805 * The DLT_ is used for internal communication with a
806 * integrated service module (ISM).
807 */
808#define DLT_JUNIPER_ISM 194
809
810/*
811 * IEEE 802.15.4, exactly as it appears in the spec (no padding, no
812 * nothing); requested by Mikko Saarnivala <mikko.saarnivala@sensinode.com>.
813 * For this one, we expect the FCS to be present at the end of the frame;
814 * if the frame has no FCS, DLT_IEEE802_15_4_NOFCS should be used.
815 *
816 * We keep the name DLT_IEEE802_15_4 as an alias for backwards
817 * compatibility, but, again, this should *only* be used for 802.15.4
818 * frames that include the FCS.
819 */
820#define DLT_IEEE802_15_4_WITHFCS 195
821#define DLT_IEEE802_15_4 DLT_IEEE802_15_4_WITHFCS
822
823/*
824 * Various link-layer types, with a pseudo-header, for SITA
825 * (https://www.sita.aero/); requested by Fulko Hew (fulko.hew@gmail.com).
826 */
827#define DLT_SITA 196
828
829/*
830 * Various link-layer types, with a pseudo-header, for Endace DAG cards;
831 * encapsulates Endace ERF records. Requested by Stephen Donnelly
832 * <stephen@endace.com>.
833 */
834#define DLT_ERF 197
835
836/*
837 * Special header prepended to Ethernet packets when capturing from a
838 * u10 Networks board. Requested by Phil Mulholland
839 * <phil@u10networks.com>.
840 */
841#define DLT_RAIF1 198
842
843/*
844 * IPMB packet for IPMI, beginning with a 2-byte header, followed by
845 * the I2C slave address, followed by the netFn and LUN, etc..
846 * Requested by Chanthy Toeung <chanthy.toeung@ca.kontron.com>.
847 *
848 * XXX - this used to be called DLT_IPMB, back when we got the
849 * impression from the email thread requesting it that the packet
850 * had no extra 2-byte header. We've renamed it; if anybody used
851 * DLT_IPMB and assumed no 2-byte header, this will cause the compile
852 * to fail, at which point we'll have to figure out what to do about
853 * the two header types using the same DLT_/LINKTYPE_ value. If that
854 * doesn't happen, we'll assume nobody used it and that the redefinition
855 * is safe.
856 */
857#define DLT_IPMB_KONTRON 199
858
859/*
860 * Juniper-private data link type, as per request from
861 * Hannes Gredler <hannes@juniper.net>.
862 * The DLT_ is used for capturing data on a secure tunnel interface.
863 */
864#define DLT_JUNIPER_ST 200
865
866/*
867 * Bluetooth HCI UART transport layer (part H:4), with pseudo-header
868 * that includes direction information; requested by Paolo Abeni.
869 */
870#define DLT_BLUETOOTH_HCI_H4_WITH_PHDR 201
871
872/*
873 * AX.25 packet with a 1-byte KISS header; see
874 *
875 * http://www.ax25.net/kiss.htm
876 *
877 * as per Richard Stearn <richard@rns-stearn.demon.co.uk>.
878 */
879#define DLT_AX25_KISS 202
880
881/*
882 * LAPD packets from an ISDN channel, starting with the address field,
883 * with no pseudo-header.
884 * Requested by Varuna De Silva <varunax@gmail.com>.
885 */
886#define DLT_LAPD 203
887
888/*
889 * PPP, with a one-byte direction pseudo-header prepended - zero means
890 * "received by this host", non-zero (any non-zero value) means "sent by
891 * this host" - as per Will Barker <w.barker@zen.co.uk>.
892 *
893 * Don't confuse this with DLT_PPP_WITH_DIRECTION, which is an old
894 * name for what is now called DLT_PPP_PPPD.
895 */
896#define DLT_PPP_WITH_DIR 204
897
898/*
899 * Cisco HDLC, with a one-byte direction pseudo-header prepended - zero
900 * means "received by this host", non-zero (any non-zero value) means
901 * "sent by this host" - as per Will Barker <w.barker@zen.co.uk>.
902 */
903#define DLT_C_HDLC_WITH_DIR 205
904
905/*
906 * Frame Relay, with a one-byte direction pseudo-header prepended - zero
907 * means "received by this host" (DCE -> DTE), non-zero (any non-zero
908 * value) means "sent by this host" (DTE -> DCE) - as per Will Barker
909 * <w.barker@zen.co.uk>.
910 */
911#define DLT_FRELAY_WITH_DIR 206
912
913/*
914 * LAPB, with a one-byte direction pseudo-header prepended - zero means
915 * "received by this host" (DCE -> DTE), non-zero (any non-zero value)
916 * means "sent by this host" (DTE -> DCE)- as per Will Barker
917 * <w.barker@zen.co.uk>.
918 */
919#define DLT_LAPB_WITH_DIR 207
920
921/*
922 * 208 is reserved for an as-yet-unspecified proprietary link-layer
923 * type, as requested by Will Barker.
924 */
925
926/*
927 * IPMB with a Linux-specific pseudo-header; as requested by Alexey Neyman
928 * <avn@pigeonpoint.com>.
929 */
930#define DLT_IPMB_LINUX 209
931
932/*
933 * FlexRay automotive bus - http://www.flexray.com/ - as requested
934 * by Hannes Kaelber <hannes.kaelber@x2e.de>.
935 */
936#define DLT_FLEXRAY 210
937
938/*
939 * Media Oriented Systems Transport (MOST) bus for multimedia
940 * transport - https://www.mostcooperation.com/ - as requested
941 * by Hannes Kaelber <hannes.kaelber@x2e.de>.
942 */
943#define DLT_MOST 211
944
945/*
946 * Local Interconnect Network (LIN) bus for vehicle networks -
947 * http://www.lin-subbus.org/ - as requested by Hannes Kaelber
948 * <hannes.kaelber@x2e.de>.
949 */
950#define DLT_LIN 212
951
952/*
953 * X2E-private data link type used for serial line capture,
954 * as requested by Hannes Kaelber <hannes.kaelber@x2e.de>.
955 */
956#define DLT_X2E_SERIAL 213
957
958/*
959 * X2E-private data link type used for the Xoraya data logger
960 * family, as requested by Hannes Kaelber <hannes.kaelber@x2e.de>.
961 */
962#define DLT_X2E_XORAYA 214
963
964/*
965 * IEEE 802.15.4, exactly as it appears in the spec (no padding, no
966 * nothing), but with the PHY-level data for non-ASK PHYs (4 octets
967 * of 0 as preamble, one octet of SFD, one octet of frame length+
968 * reserved bit, and then the MAC-layer data, starting with the
969 * frame control field).
970 *
971 * Requested by Max Filippov <jcmvbkbc@gmail.com>.
972 */
973#define DLT_IEEE802_15_4_NONASK_PHY 215
974
975/*
976 * David Gibson <david@gibson.dropbear.id.au> requested this for
977 * captures from the Linux kernel /dev/input/eventN devices. This
978 * is used to communicate keystrokes and mouse movements from the
979 * Linux kernel to display systems, such as Xorg.
980 */
981#define DLT_LINUX_EVDEV 216
982
983/*
984 * GSM Um and Abis interfaces, preceded by a "gsmtap" header.
985 *
986 * Requested by Harald Welte <laforge@gnumonks.org>.
987 */
988#define DLT_GSMTAP_UM 217
989#define DLT_GSMTAP_ABIS 218
990
991/*
992 * MPLS, with an MPLS label as the link-layer header.
993 * Requested by Michele Marchetto <michele@openbsd.org> on behalf
994 * of OpenBSD.
995 */
996#define DLT_MPLS 219
997
998/*
999 * USB packets, beginning with a Linux USB header, with the USB header
1000 * padded to 64 bytes; required for memory-mapped access.
1001 */
1002#define DLT_USB_LINUX_MMAPPED 220
1003
1004/*
1005 * DECT packets, with a pseudo-header; requested by
1006 * Matthias Wenzel <tcpdump@mazzoo.de>.
1007 */
1008#define DLT_DECT 221
1009
1010/*
1011 * From: "Lidwa, Eric (GSFC-582.0)[SGT INC]" <eric.lidwa-1@nasa.gov>
1012 * Date: Mon, 11 May 2009 11:18:30 -0500
1013 *
1014 * DLT_AOS. We need it for AOS Space Data Link Protocol.
1015 * I have already written dissectors for but need an OK from
1016 * legal before I can submit a patch.
1017 *
1018 */
1019#define DLT_AOS 222
1020
1021/*
1022 * Wireless HART (Highway Addressable Remote Transducer)
1023 * From the HART Communication Foundation
1024 * IES/PAS 62591
1025 *
1026 * Requested by Sam Roberts <vieuxtech@gmail.com>.
1027 */
1028#define DLT_WIHART 223
1029
1030/*
1031 * Fibre Channel FC-2 frames, beginning with a Frame_Header.
1032 * Requested by Kahou Lei <kahou82@gmail.com>.
1033 */
1034#define DLT_FC_2 224
1035
1036/*
1037 * Fibre Channel FC-2 frames, beginning with an encoding of the
1038 * SOF, and ending with an encoding of the EOF.
1039 *
1040 * The encodings represent the frame delimiters as 4-byte sequences
1041 * representing the corresponding ordered sets, with K28.5
1042 * represented as 0xBC, and the D symbols as the corresponding
1043 * byte values; for example, SOFi2, which is K28.5 - D21.5 - D1.2 - D21.2,
1044 * is represented as 0xBC 0xB5 0x55 0x55.
1045 *
1046 * Requested by Kahou Lei <kahou82@gmail.com>.
1047 */
1048#define DLT_FC_2_WITH_FRAME_DELIMS 225
1049
1050/*
1051 * Solaris ipnet pseudo-header; requested by Darren Reed <Darren.Reed@Sun.COM>.
1052 *
1053 * The pseudo-header starts with a one-byte version number; for version 2,
1054 * the pseudo-header is:
1055 *
1056 * struct dl_ipnetinfo {
1057 * uint8_t dli_version;
1058 * uint8_t dli_family;
1059 * uint16_t dli_htype;
1060 * uint32_t dli_pktlen;
1061 * uint32_t dli_ifindex;
1062 * uint32_t dli_grifindex;
1063 * uint32_t dli_zsrc;
1064 * uint32_t dli_zdst;
1065 * };
1066 *
1067 * dli_version is 2 for the current version of the pseudo-header.
1068 *
1069 * dli_family is a Solaris address family value, so it's 2 for IPv4
1070 * and 26 for IPv6.
1071 *
1072 * dli_htype is a "hook type" - 0 for incoming packets, 1 for outgoing
1073 * packets, and 2 for packets arriving from another zone on the same
1074 * machine.
1075 *
1076 * dli_pktlen is the length of the packet data following the pseudo-header
1077 * (so the captured length minus dli_pktlen is the length of the
1078 * pseudo-header, assuming the entire pseudo-header was captured).
1079 *
1080 * dli_ifindex is the interface index of the interface on which the
1081 * packet arrived.
1082 *
1083 * dli_grifindex is the group interface index number (for IPMP interfaces).
1084 *
1085 * dli_zsrc is the zone identifier for the source of the packet.
1086 *
1087 * dli_zdst is the zone identifier for the destination of the packet.
1088 *
1089 * A zone number of 0 is the global zone; a zone number of 0xffffffff
1090 * means that the packet arrived from another host on the network, not
1091 * from another zone on the same machine.
1092 *
1093 * An IPv4 or IPv6 datagram follows the pseudo-header; dli_family indicates
1094 * which of those it is.
1095 */
1096#define DLT_IPNET 226
1097
1098/*
1099 * CAN (Controller Area Network) frames, with a pseudo-header as supplied
1100 * by Linux SocketCAN, and with multi-byte numerical fields in that header
1101 * in big-endian byte order.
1102 *
1103 * See Documentation/networking/can.txt in the Linux source.
1104 *
1105 * Requested by Felix Obenhuber <felix@obenhuber.de>.
1106 */
1107#define DLT_CAN_SOCKETCAN 227
1108
1109/*
1110 * Raw IPv4/IPv6; different from DLT_RAW in that the DLT_ value specifies
1111 * whether it's v4 or v6. Requested by Darren Reed <Darren.Reed@Sun.COM>.
1112 */
1113#define DLT_IPV4 228
1114#define DLT_IPV6 229
1115
1116/*
1117 * IEEE 802.15.4, exactly as it appears in the spec (no padding, no
1118 * nothing), and with no FCS at the end of the frame; requested by
1119 * Jon Smirl <jonsmirl@gmail.com>.
1120 */
1121#define DLT_IEEE802_15_4_NOFCS 230
1122
1123/*
1124 * Raw D-Bus:
1125 *
1126 * https://www.freedesktop.org/wiki/Software/dbus
1127 *
1128 * messages:
1129 *
1130 * https://dbus.freedesktop.org/doc/dbus-specification.html#message-protocol-messages
1131 *
1132 * starting with the endianness flag, followed by the message type, etc.,
1133 * but without the authentication handshake before the message sequence:
1134 *
1135 * https://dbus.freedesktop.org/doc/dbus-specification.html#auth-protocol
1136 *
1137 * Requested by Martin Vidner <martin@vidner.net>.
1138 */
1139#define DLT_DBUS 231
1140
1141/*
1142 * Juniper-private data link type, as per request from
1143 * Hannes Gredler <hannes@juniper.net>.
1144 */
1145#define DLT_JUNIPER_VS 232
1146#define DLT_JUNIPER_SRX_E2E 233
1147#define DLT_JUNIPER_FIBRECHANNEL 234
1148
1149/*
1150 * DVB-CI (DVB Common Interface for communication between a PC Card
1151 * module and a DVB receiver). See
1152 *
1153 * https://www.kaiser.cx/pcap-dvbci.html
1154 *
1155 * for the specification.
1156 *
1157 * Requested by Martin Kaiser <martin@kaiser.cx>.
1158 */
1159#define DLT_DVB_CI 235
1160
1161/*
1162 * Variant of 3GPP TS 27.010 multiplexing protocol (similar to, but
1163 * *not* the same as, 27.010). Requested by Hans-Christoph Schemmel
1164 * <hans-christoph.schemmel@cinterion.com>.
1165 */
1166#define DLT_MUX27010 236
1167
1168/*
1169 * STANAG 5066 D_PDUs. Requested by M. Baris Demiray
1170 * <barisdemiray@gmail.com>.
1171 */
1172#define DLT_STANAG_5066_D_PDU 237
1173
1174/*
1175 * Juniper-private data link type, as per request from
1176 * Hannes Gredler <hannes@juniper.net>.
1177 */
1178#define DLT_JUNIPER_ATM_CEMIC 238
1179
1180/*
1181 * NetFilter LOG messages
1182 * (payload of netlink NFNL_SUBSYS_ULOG/NFULNL_MSG_PACKET packets)
1183 *
1184 * Requested by Jakub Zawadzki <darkjames-ws@darkjames.pl>
1185 */
1186#define DLT_NFLOG 239
1187
1188/*
1189 * Hilscher Gesellschaft fuer Systemautomation mbH link-layer type
1190 * for Ethernet packets with a 4-byte pseudo-header and always
1191 * with the payload including the FCS, as supplied by their
1192 * netANALYZER hardware and software.
1193 *
1194 * Requested by Holger P. Frommer <HPfrommer@hilscher.com>
1195 */
1196#define DLT_NETANALYZER 240
1197
1198/*
1199 * Hilscher Gesellschaft fuer Systemautomation mbH link-layer type
1200 * for Ethernet packets with a 4-byte pseudo-header and FCS and
1201 * with the Ethernet header preceded by 7 bytes of preamble and
1202 * 1 byte of SFD, as supplied by their netANALYZER hardware and
1203 * software.
1204 *
1205 * Requested by Holger P. Frommer <HPfrommer@hilscher.com>
1206 */
1207#define DLT_NETANALYZER_TRANSPARENT 241
1208
1209/*
1210 * IP-over-InfiniBand, as specified by RFC 4391.
1211 *
1212 * Requested by Petr Sumbera <petr.sumbera@oracle.com>.
1213 */
1214#define DLT_IPOIB 242
1215
1216/*
1217 * MPEG-2 transport stream (ISO 13818-1/ITU-T H.222.0).
1218 *
1219 * Requested by Guy Martin <gmsoft@tuxicoman.be>.
1220 */
1221#define DLT_MPEG_2_TS 243
1222
1223/*
1224 * ng4T GmbH's UMTS Iub/Iur-over-ATM and Iub/Iur-over-IP format as
1225 * used by their ng40 protocol tester.
1226 *
1227 * Requested by Jens Grimmer <jens.grimmer@ng4t.com>.
1228 */
1229#define DLT_NG40 244
1230
1231/*
1232 * Pseudo-header giving adapter number and flags, followed by an NFC
1233 * (Near-Field Communications) Logical Link Control Protocol (LLCP) PDU,
1234 * as specified by NFC Forum Logical Link Control Protocol Technical
1235 * Specification LLCP 1.1.
1236 *
1237 * Requested by Mike Wakerly <mikey@google.com>.
1238 */
1239#define DLT_NFC_LLCP 245
1240
1241/*
1242 * 246 is used as LINKTYPE_PFSYNC; do not use it for any other purpose.
1243 *
1244 * DLT_PFSYNC has different values on different platforms, and all of
1245 * them collide with something used elsewhere. On platforms that
1246 * don't already define it, define it as 246.
1247 */
1248#if !defined(__FreeBSD__) && !defined(__OpenBSD__) && !defined(__NetBSD__) && !defined(__DragonFly__) && !defined(__APPLE__)
1249#define DLT_PFSYNC 246
1250#endif
1251
1252/*
1253 * Raw InfiniBand packets, starting with the Local Routing Header.
1254 *
1255 * Requested by Oren Kladnitsky <orenk@mellanox.com>.
1256 */
1257#define DLT_INFINIBAND 247
1258
1259/*
1260 * SCTP, with no lower-level protocols (i.e., no IPv4 or IPv6).
1261 *
1262 * Requested by Michael Tuexen <Michael.Tuexen@lurchi.franken.de>.
1263 */
1264#define DLT_SCTP 248
1265
1266/*
1267 * USB packets, beginning with a USBPcap header.
1268 *
1269 * Requested by Tomasz Mon <desowin@gmail.com>
1270 */
1271#define DLT_USBPCAP 249
1272
1273/*
1274 * Schweitzer Engineering Laboratories "RTAC" product serial-line
1275 * packets.
1276 *
1277 * Requested by Chris Bontje <chris_bontje@selinc.com>.
1278 */
1279#define DLT_RTAC_SERIAL 250
1280
1281/*
1282 * Bluetooth Low Energy air interface link-layer packets.
1283 *
1284 * Requested by Mike Kershaw <dragorn@kismetwireless.net>.
1285 */
1286#define DLT_BLUETOOTH_LE_LL 251
1287
1288/*
1289 * DLT type for upper-protocol layer PDU saves from Wireshark.
1290 *
1291 * the actual contents are determined by two TAGs, one or more of
1292 * which is stored with each packet:
1293 *
1294 * EXP_PDU_TAG_DISSECTOR_NAME the name of the Wireshark dissector
1295 * that can make sense of the data stored.
1296 *
1297 * EXP_PDU_TAG_HEUR_DISSECTOR_NAME the name of the Wireshark heuristic
1298 * dissector that can make sense of the
1299 * data stored.
1300 */
1301#define DLT_WIRESHARK_UPPER_PDU 252
1302
1303/*
1304 * DLT type for the netlink protocol (nlmon devices).
1305 */
1306#define DLT_NETLINK 253
1307
1308/*
1309 * Bluetooth Linux Monitor headers for the BlueZ stack.
1310 */
1311#define DLT_BLUETOOTH_LINUX_MONITOR 254
1312
1313/*
1314 * Bluetooth Basic Rate/Enhanced Data Rate baseband packets, as
1315 * captured by Ubertooth.
1316 */
1317#define DLT_BLUETOOTH_BREDR_BB 255
1318
1319/*
1320 * Bluetooth Low Energy link layer packets, as captured by Ubertooth.
1321 */
1322#define DLT_BLUETOOTH_LE_LL_WITH_PHDR 256
1323
1324/*
1325 * PROFIBUS data link layer.
1326 */
1327#define DLT_PROFIBUS_DL 257
1328
1329/*
1330 * Apple's DLT_PKTAP headers.
1331 *
1332 * Sadly, the folks at Apple either had no clue that the DLT_USERn values
1333 * are for internal use within an organization and partners only, and
1334 * didn't know that the right way to get a link-layer header type is to
1335 * ask tcpdump.org for one, or knew and didn't care, so they just
1336 * used DLT_USER2, which causes problems for everything except for
1337 * their version of tcpdump.
1338 *
1339 * So I'll just give them one; hopefully this will show up in a
1340 * libpcap release in time for them to get this into 10.10 Big Sur
1341 * or whatever Mavericks' successor is called. LINKTYPE_PKTAP
1342 * will be 258 *even on macOS*; that is *intentional*, so that
1343 * PKTAP files look the same on *all* OSes (different OSes can have
1344 * different numerical values for a given DLT_, but *MUST NOT* have
1345 * different values for what goes in a file, as files can be moved
1346 * between OSes!).
1347 *
1348 * When capturing, on a system with a Darwin-based OS, on a device
1349 * that returns 149 (DLT_USER2 and Apple's DLT_PKTAP) with this
1350 * version of libpcap, the DLT_ value for the pcap_t will be DLT_PKTAP,
1351 * and that will continue to be DLT_USER2 on Darwin-based OSes. That way,
1352 * binary compatibility with Mavericks is preserved for programs using
1353 * this version of libpcap. This does mean that if you were using
1354 * DLT_USER2 for some capture device on macOS, you can't do so with
1355 * this version of libpcap, just as you can't with Apple's libpcap -
1356 * on macOS, they define DLT_PKTAP to be DLT_USER2, so programs won't
1357 * be able to distinguish between PKTAP and whatever you were using
1358 * DLT_USER2 for.
1359 *
1360 * If the program saves the capture to a file using this version of
1361 * libpcap's pcap_dump code, the LINKTYPE_ value in the file will be
1362 * LINKTYPE_PKTAP, which will be 258, even on Darwin-based OSes.
1363 * That way, the file will *not* be a DLT_USER2 file. That means
1364 * that the latest version of tcpdump, when built with this version
1365 * of libpcap, and sufficiently recent versions of Wireshark will
1366 * be able to read those files and interpret them correctly; however,
1367 * Apple's version of tcpdump in OS X 10.9 won't be able to handle
1368 * them. (Hopefully, Apple will pick up this version of libpcap,
1369 * and the corresponding version of tcpdump, so that tcpdump will
1370 * be able to handle the old LINKTYPE_USER2 captures *and* the new
1371 * LINKTYPE_PKTAP captures.)
1372 */
1373#ifdef __APPLE__
1374#define DLT_PKTAP DLT_USER2
1375#else
1376#define DLT_PKTAP 258
1377#endif
1378
1379/*
1380 * Ethernet packets preceded by a header giving the last 6 octets
1381 * of the preamble specified by 802.3-2012 Clause 65, section
1382 * 65.1.3.2 "Transmit".
1383 */
1384#define DLT_EPON 259
1385
1386/*
1387 * IPMI trace packets, as specified by Table 3-20 "Trace Data Block Format"
1388 * in the PICMG HPM.2 specification.
1389 */
1390#define DLT_IPMI_HPM_2 260
1391
1392/*
1393 * per Joshua Wright <jwright@hasborg.com>, formats for Zwave captures.
1394 */
1395#define DLT_ZWAVE_R1_R2 261
1396#define DLT_ZWAVE_R3 262
1397
1398/*
1399 * per Steve Karg <skarg@users.sourceforge.net>, formats for Wattstopper
1400 * Digital Lighting Management room bus serial protocol captures.
1401 */
1402#define DLT_WATTSTOPPER_DLM 263
1403
1404/*
1405 * ISO 14443 contactless smart card messages.
1406 */
1407#define DLT_ISO_14443 264
1408
1409/*
1410 * Radio data system (RDS) groups. IEC 62106.
1411 * Per Jonathan Brucker <jonathan.brucke@gmail.com>.
1412 */
1413#define DLT_RDS 265
1414
1415/*
1416 * USB packets, beginning with a Darwin (macOS, etc.) header.
1417 */
1418#define DLT_USB_DARWIN 266
1419
1420/*
1421 * OpenBSD DLT_OPENFLOW.
1422 */
1423#define DLT_OPENFLOW 267
1424
1425/*
1426 * SDLC frames containing SNA PDUs.
1427 */
1428#define DLT_SDLC 268
1429
1430/*
1431 * per "Selvig, Bjorn" <b.selvig@ti.com> used for
1432 * TI protocol sniffer.
1433 */
1434#define DLT_TI_LLN_SNIFFER 269
1435
1436/*
1437 * per: Erik de Jong <erikdejong at gmail.com> for
1438 * https://github.com/eriknl/LoRaTap/releases/tag/v0.1
1439 */
1440#define DLT_LORATAP 270
1441
1442/*
1443 * per: Stefanha at gmail.com for
1444 * https://lists.sandelman.ca/pipermail/tcpdump-workers/2017-May/000772.html
1445 * and: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/uapi/linux/vsockmon.h
1446 * for: https://qemu-project.org/Features/VirtioVsock
1447 */
1448#define DLT_VSOCK 271
1449
1450/*
1451 * Nordic Semiconductor Bluetooth LE sniffer.
1452 */
1453#define DLT_NORDIC_BLE 272
1454
1455/*
1456 * Excentis DOCSIS 3.1 RF sniffer (XRA-31)
1457 * per: bruno.verstuyft at excentis.com
1458 * https://www.xra31.com/xra-header
1459 */
1460#define DLT_DOCSIS31_XRA31 273
1461
1462/*
1463 * mPackets, as specified by IEEE 802.3br Figure 99-4, starting
1464 * with the preamble and always ending with a CRC field.
1465 */
1466#define DLT_ETHERNET_MPACKET 274
1467
1468/*
1469 * DisplayPort AUX channel monitoring data as specified by VESA
1470 * DisplayPort(DP) Standard preceded by a pseudo-header.
1471 * per dirk.eibach at gdsys.cc
1472 */
1473#define DLT_DISPLAYPORT_AUX 275
1474
1475/*
1476 * Linux cooked sockets v2.
1477 */
1478#define DLT_LINUX_SLL2 276
1479
1480/*
1481 * Sercos Monitor, per Manuel Jacob <manuel.jacob at steinbeis-stg.de>
1482 */
1483#define DLT_SERCOS_MONITOR 277
1484
1485/*
1486 * OpenVizsla http://openvizsla.org is open source USB analyzer hardware.
1487 * It consists of FPGA with attached USB phy and FTDI chip for streaming
1488 * the data to the host PC.
1489 *
1490 * Current OpenVizsla data encapsulation format is described here:
1491 * https://github.com/matwey/libopenvizsla/wiki/OpenVizsla-protocol-description
1492 *
1493 */
1494#define DLT_OPENVIZSLA 278
1495
1496/*
1497 * The Elektrobit High Speed Capture and Replay (EBHSCR) protocol is produced
1498 * by a PCIe Card for interfacing high speed automotive interfaces.
1499 *
1500 * The specification for this frame format can be found at:
1501 * https://www.elektrobit.com/ebhscr
1502 *
1503 * for Guenter.Ebermann at elektrobit.com
1504 *
1505 */
1506#define DLT_EBHSCR 279
1507
1508/*
1509 * The https://fd.io vpp graph dispatch tracer produces pcap trace files
1510 * in the format documented here:
1511 * https://fdio-vpp.readthedocs.io/en/latest/gettingstarted/developers/vnet.html#graph-dispatcher-pcap-tracing
1512 */
1513#define DLT_VPP_DISPATCH 280
1514
1515/*
1516 * Broadcom Ethernet switches (ROBO switch) 4 bytes proprietary tagging format.
1517 */
1518#define DLT_DSA_TAG_BRCM 281
1519#define DLT_DSA_TAG_BRCM_PREPEND 282
1520
1521/*
1522 * IEEE 802.15.4 with pseudo-header and optional meta-data TLVs, PHY payload
1523 * exactly as it appears in the spec (no padding, no nothing), and FCS if
1524 * specified by FCS Type TLV; requested by James Ko <jck@exegin.com>.
1525 * Specification at https://github.com/jkcko/ieee802.15.4-tap
1526 */
1527#define DLT_IEEE802_15_4_TAP 283
1528
1529/*
1530 * Marvell (Ethertype) Distributed Switch Architecture proprietary tagging format.
1531 */
1532#define DLT_DSA_TAG_DSA 284
1533#define DLT_DSA_TAG_EDSA 285
1534
1535/*
1536 * Payload of lawful intercept packets using the ELEE protocol;
1537 * https://socket.hr/draft-dfranusic-opsawg-elee-00.xml
1538 * https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi?url=https://socket.hr/draft-dfranusic-opsawg-elee-00.xml&modeAsFormat=html/ascii
1539 */
1540#define DLT_ELEE 286
1541
1542/*
1543 * Serial frames transmitted between a host and a Z-Wave chip.
1544 */
1545#define DLT_Z_WAVE_SERIAL 287
1546
1547/*
1548 * USB 2.0, 1.1, and 1.0 packets as transmitted over the cable.
1549 */
1550#define DLT_USB_2_0 288
1551
1552/*
1553 * ATSC Link-Layer Protocol (A/330) packets.
1554 */
1555#define DLT_ATSC_ALP 289
1556
1557/*
1558 * In case the code that includes this file (directly or indirectly)
1559 * has also included OS files that happen to define DLT_MATCHING_MAX,
1560 * with a different value (perhaps because that OS hasn't picked up
1561 * the latest version of our DLT definitions), we undefine the
1562 * previous value of DLT_MATCHING_MAX.
1563 */
1564#ifdef DLT_MATCHING_MAX
1565#undef DLT_MATCHING_MAX
1566#endif
1567#define DLT_MATCHING_MAX 289 /* highest value in the "matching" range */
1568
1569/*
1570 * DLT and savefile link type values are split into a class and
1571 * a member of that class. A class value of 0 indicates a regular
1572 * DLT_/LINKTYPE_ value.
1573 */
1574#define DLT_CLASS(x) ((x) & 0x03ff0000)
1575
1576/*
1577 * NetBSD-specific generic "raw" link type. The class value indicates
1578 * that this is the generic raw type, and the lower 16 bits are the
1579 * address family we're dealing with. Those values are NetBSD-specific;
1580 * do not assume that they correspond to AF_ values for your operating
1581 * system.
1582 */
1583#define DLT_CLASS_NETBSD_RAWAF 0x02240000
1584#define DLT_NETBSD_RAWAF(af) (DLT_CLASS_NETBSD_RAWAF | (af))
1585#define DLT_NETBSD_RAWAF_AF(x) ((x) & 0x0000ffff)
1586#define DLT_IS_NETBSD_RAWAF(x) (DLT_CLASS(x) == DLT_CLASS_NETBSD_RAWAF)
1587
1588#endif /* !_NET_DLT_H_ */