pcap-common.c revision 235426
1/* 2 * Copyright (c) 1993, 1994, 1995, 1996, 1997 3 * The Regents of the University of California. All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that: (1) source code distributions 7 * retain the above copyright notice and this paragraph in its entirety, (2) 8 * distributions including binary code include the above copyright notice and 9 * this paragraph in its entirety in the documentation or other materials 10 * provided with the distribution, and (3) all advertising materials mentioning 11 * features or use of this software display the following acknowledgement: 12 * ``This product includes software developed by the University of California, 13 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of 14 * the University nor the names of its contributors may be used to endorse 15 * or promote products derived from this software without specific prior 16 * written permission. 17 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED 18 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF 19 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 20 * 21 * pcap-common.c - common code for pcap and pcap-ng files 22 */ 23 24#ifdef HAVE_CONFIG_H 25#include "config.h" 26#endif 27 28#ifdef WIN32 29#include <pcap-stdinc.h> 30#else /* WIN32 */ 31#if HAVE_INTTYPES_H 32#include <inttypes.h> 33#elif HAVE_STDINT_H 34#include <stdint.h> 35#endif 36#ifdef HAVE_SYS_BITYPES_H 37#include <sys/bitypes.h> 38#endif 39#include <sys/types.h> 40#endif /* WIN32 */ 41 42#include "pcap-int.h" 43#include "pcap/usb.h" 44 45#include "pcap-common.h" 46 47/* 48 * We don't write DLT_* values to capture files, because they're not the 49 * same on all platforms. 50 * 51 * Unfortunately, the various flavors of BSD have not always used the same 52 * numerical values for the same data types, and various patches to 53 * libpcap for non-BSD OSes have added their own DLT_* codes for link 54 * layer encapsulation types seen on those OSes, and those codes have had, 55 * in some cases, values that were also used, on other platforms, for other 56 * link layer encapsulation types. 57 * 58 * This means that capture files of a type whose numerical DLT_* code 59 * means different things on different BSDs, or with different versions 60 * of libpcap, can't always be read on systems other than those like 61 * the one running on the machine on which the capture was made. 62 * 63 * Instead, we define here a set of LINKTYPE_* codes, and map DLT_* codes 64 * to LINKTYPE_* codes when writing a savefile header, and map LINKTYPE_* 65 * codes to DLT_* codes when reading a savefile header. 66 * 67 * For those DLT_* codes that have, as far as we know, the same values on 68 * all platforms (DLT_NULL through DLT_FDDI), we define LINKTYPE_xxx as 69 * DLT_xxx; that way, captures of those types can still be read by 70 * versions of libpcap that map LINKTYPE_* values to DLT_* values, and 71 * captures of those types written by versions of libpcap that map DLT_ 72 * values to LINKTYPE_ values can still be read by older versions 73 * of libpcap. 74 * 75 * The other LINKTYPE_* codes are given values starting at 100, in the 76 * hopes that no DLT_* code will be given one of those values. 77 * 78 * In order to ensure that a given LINKTYPE_* code's value will refer to 79 * the same encapsulation type on all platforms, you should not allocate 80 * a new LINKTYPE_* value without consulting 81 * "tcpdump-workers@lists.tcpdump.org". The tcpdump developers will 82 * allocate a value for you, and will not subsequently allocate it to 83 * anybody else; that value will be added to the "pcap.h" in the 84 * tcpdump.org Git repository, so that a future libpcap release will 85 * include it. 86 * 87 * You should, if possible, also contribute patches to libpcap and tcpdump 88 * to handle the new encapsulation type, so that they can also be checked 89 * into the tcpdump.org Git repository and so that they will appear in 90 * future libpcap and tcpdump releases. 91 * 92 * Do *NOT* assume that any values after the largest value in this file 93 * are available; you might not have the most up-to-date version of this 94 * file, and new values after that one might have been assigned. Also, 95 * do *NOT* use any values below 100 - those might already have been 96 * taken by one (or more!) organizations. 97 * 98 * Any platform that defines additional DLT_* codes should: 99 * 100 * request a LINKTYPE_* code and value from tcpdump.org, 101 * as per the above; 102 * 103 * add, in their version of libpcap, an entry to map 104 * those DLT_* codes to the corresponding LINKTYPE_* 105 * code; 106 * 107 * redefine, in their "net/bpf.h", any DLT_* values 108 * that collide with the values used by their additional 109 * DLT_* codes, to remove those collisions (but without 110 * making them collide with any of the LINKTYPE_* 111 * values equal to 50 or above; they should also avoid 112 * defining DLT_* values that collide with those 113 * LINKTYPE_* values, either). 114 */ 115#define LINKTYPE_NULL DLT_NULL 116#define LINKTYPE_ETHERNET DLT_EN10MB /* also for 100Mb and up */ 117#define LINKTYPE_EXP_ETHERNET DLT_EN3MB /* 3Mb experimental Ethernet */ 118#define LINKTYPE_AX25 DLT_AX25 119#define LINKTYPE_PRONET DLT_PRONET 120#define LINKTYPE_CHAOS DLT_CHAOS 121#define LINKTYPE_TOKEN_RING DLT_IEEE802 /* DLT_IEEE802 is used for Token Ring */ 122#define LINKTYPE_ARCNET_BSD DLT_ARCNET /* BSD-style headers */ 123#define LINKTYPE_SLIP DLT_SLIP 124#define LINKTYPE_PPP DLT_PPP 125#define LINKTYPE_FDDI DLT_FDDI 126 127/* 128 * LINKTYPE_PPP is for use when there might, or might not, be an RFC 1662 129 * PPP in HDLC-like framing header (with 0xff 0x03 before the PPP protocol 130 * field) at the beginning of the packet. 131 * 132 * This is for use when there is always such a header; the address field 133 * might be 0xff, for regular PPP, or it might be an address field for Cisco 134 * point-to-point with HDLC framing as per section 4.3.1 of RFC 1547 ("Cisco 135 * HDLC"). This is, for example, what you get with NetBSD's DLT_PPP_SERIAL. 136 * 137 * We give it the same value as NetBSD's DLT_PPP_SERIAL, in the hopes that 138 * nobody else will choose a DLT_ value of 50, and so that DLT_PPP_SERIAL 139 * captures will be written out with a link type that NetBSD's tcpdump 140 * can read. 141 */ 142#define LINKTYPE_PPP_HDLC 50 /* PPP in HDLC-like framing */ 143 144#define LINKTYPE_PPP_ETHER 51 /* NetBSD PPP-over-Ethernet */ 145 146#define LINKTYPE_SYMANTEC_FIREWALL 99 /* Symantec Enterprise Firewall */ 147 148/* 149 * These correspond to DLT_s that have different values on different 150 * platforms; we map between these values in capture files and 151 * the DLT_ values as returned by pcap_datalink() and passed to 152 * pcap_open_dead(). 153 */ 154#define LINKTYPE_ATM_RFC1483 100 /* LLC/SNAP-encapsulated ATM */ 155#define LINKTYPE_RAW 101 /* raw IP */ 156#define LINKTYPE_SLIP_BSDOS 102 /* BSD/OS SLIP BPF header */ 157#define LINKTYPE_PPP_BSDOS 103 /* BSD/OS PPP BPF header */ 158 159/* 160 * Values starting with 104 are used for newly-assigned link-layer 161 * header type values; for those link-layer header types, the DLT_ 162 * value returned by pcap_datalink() and passed to pcap_open_dead(), 163 * and the LINKTYPE_ value that appears in capture files, are the 164 * same. 165 * 166 * LINKTYPE_MATCHING_MIN is the lowest such value; LINKTYPE_MATCHING_MAX 167 * is the highest such value. 168 */ 169#define LINKTYPE_MATCHING_MIN 104 /* lowest value in the "matching" range */ 170 171#define LINKTYPE_C_HDLC 104 /* Cisco HDLC */ 172#define LINKTYPE_IEEE802_11 105 /* IEEE 802.11 (wireless) */ 173#define LINKTYPE_ATM_CLIP 106 /* Linux Classical IP over ATM */ 174#define LINKTYPE_FRELAY 107 /* Frame Relay */ 175#define LINKTYPE_LOOP 108 /* OpenBSD loopback */ 176#define LINKTYPE_ENC 109 /* OpenBSD IPSEC enc */ 177 178/* 179 * These three types are reserved for future use. 180 */ 181#define LINKTYPE_LANE8023 110 /* ATM LANE + 802.3 */ 182#define LINKTYPE_HIPPI 111 /* NetBSD HIPPI */ 183#define LINKTYPE_HDLC 112 /* NetBSD HDLC framing */ 184 185#define LINKTYPE_LINUX_SLL 113 /* Linux cooked socket capture */ 186#define LINKTYPE_LTALK 114 /* Apple LocalTalk hardware */ 187#define LINKTYPE_ECONET 115 /* Acorn Econet */ 188 189/* 190 * Reserved for use with OpenBSD ipfilter. 191 */ 192#define LINKTYPE_IPFILTER 116 193 194#define LINKTYPE_PFLOG 117 /* OpenBSD DLT_PFLOG */ 195#define LINKTYPE_CISCO_IOS 118 /* For Cisco-internal use */ 196#define LINKTYPE_PRISM_HEADER 119 /* 802.11+Prism II monitor mode */ 197#define LINKTYPE_AIRONET_HEADER 120 /* FreeBSD Aironet driver stuff */ 198 199/* 200 * Reserved for Siemens HiPath HDLC. 201 */ 202#define LINKTYPE_HHDLC 121 203 204#define LINKTYPE_IP_OVER_FC 122 /* RFC 2625 IP-over-Fibre Channel */ 205#define LINKTYPE_SUNATM 123 /* Solaris+SunATM */ 206 207/* 208 * Reserved as per request from Kent Dahlgren <kent@praesum.com> 209 * for private use. 210 */ 211#define LINKTYPE_RIO 124 /* RapidIO */ 212#define LINKTYPE_PCI_EXP 125 /* PCI Express */ 213#define LINKTYPE_AURORA 126 /* Xilinx Aurora link layer */ 214 215#define LINKTYPE_IEEE802_11_RADIO 127 /* 802.11 plus BSD radio header */ 216 217/* 218 * Reserved for the TZSP encapsulation, as per request from 219 * Chris Waters <chris.waters@networkchemistry.com> 220 * TZSP is a generic encapsulation for any other link type, 221 * which includes a means to include meta-information 222 * with the packet, e.g. signal strength and channel 223 * for 802.11 packets. 224 */ 225#define LINKTYPE_TZSP 128 /* Tazmen Sniffer Protocol */ 226 227#define LINKTYPE_ARCNET_LINUX 129 /* Linux-style headers */ 228 229/* 230 * Juniper-private data link types, as per request from 231 * Hannes Gredler <hannes@juniper.net>. The corresponding 232 * DLT_s are used for passing on chassis-internal 233 * metainformation such as QOS profiles, etc.. 234 */ 235#define LINKTYPE_JUNIPER_MLPPP 130 236#define LINKTYPE_JUNIPER_MLFR 131 237#define LINKTYPE_JUNIPER_ES 132 238#define LINKTYPE_JUNIPER_GGSN 133 239#define LINKTYPE_JUNIPER_MFR 134 240#define LINKTYPE_JUNIPER_ATM2 135 241#define LINKTYPE_JUNIPER_SERVICES 136 242#define LINKTYPE_JUNIPER_ATM1 137 243 244#define LINKTYPE_APPLE_IP_OVER_IEEE1394 138 /* Apple IP-over-IEEE 1394 cooked header */ 245 246#define LINKTYPE_MTP2_WITH_PHDR 139 247#define LINKTYPE_MTP2 140 248#define LINKTYPE_MTP3 141 249#define LINKTYPE_SCCP 142 250 251#define LINKTYPE_DOCSIS 143 /* DOCSIS MAC frames */ 252 253#define LINKTYPE_LINUX_IRDA 144 /* Linux-IrDA */ 254 255/* 256 * Reserved for IBM SP switch and IBM Next Federation switch. 257 */ 258#define LINKTYPE_IBM_SP 145 259#define LINKTYPE_IBM_SN 146 260 261/* 262 * Reserved for private use. If you have some link-layer header type 263 * that you want to use within your organization, with the capture files 264 * using that link-layer header type not ever be sent outside your 265 * organization, you can use these values. 266 * 267 * No libpcap release will use these for any purpose, nor will any 268 * tcpdump release use them, either. 269 * 270 * Do *NOT* use these in capture files that you expect anybody not using 271 * your private versions of capture-file-reading tools to read; in 272 * particular, do *NOT* use them in products, otherwise you may find that 273 * people won't be able to use tcpdump, or snort, or Ethereal, or... to 274 * read capture files from your firewall/intrusion detection/traffic 275 * monitoring/etc. appliance, or whatever product uses that LINKTYPE_ value, 276 * and you may also find that the developers of those applications will 277 * not accept patches to let them read those files. 278 * 279 * Also, do not use them if somebody might send you a capture using them 280 * for *their* private type and tools using them for *your* private type 281 * would have to read them. 282 * 283 * Instead, in those cases, ask "tcpdump-workers@lists.tcpdump.org" for a 284 * new DLT_ and LINKTYPE_ value, as per the comment in pcap/bpf.h, and use 285 * the type you're given. 286 */ 287#define LINKTYPE_USER0 147 288#define LINKTYPE_USER1 148 289#define LINKTYPE_USER2 149 290#define LINKTYPE_USER3 150 291#define LINKTYPE_USER4 151 292#define LINKTYPE_USER5 152 293#define LINKTYPE_USER6 153 294#define LINKTYPE_USER7 154 295#define LINKTYPE_USER8 155 296#define LINKTYPE_USER9 156 297#define LINKTYPE_USER10 157 298#define LINKTYPE_USER11 158 299#define LINKTYPE_USER12 159 300#define LINKTYPE_USER13 160 301#define LINKTYPE_USER14 161 302#define LINKTYPE_USER15 162 303 304/* 305 * For future use with 802.11 captures - defined by AbsoluteValue 306 * Systems to store a number of bits of link-layer information 307 * including radio information: 308 * 309 * http://www.shaftnet.org/~pizza/software/capturefrm.txt 310 * 311 * but could and arguably should also be used by non-AVS Linux 312 * 802.11 drivers; that may happen in the future. 313 */ 314#define LINKTYPE_IEEE802_11_RADIO_AVS 163 /* 802.11 plus AVS radio header */ 315 316/* 317 * Juniper-private data link type, as per request from 318 * Hannes Gredler <hannes@juniper.net>. The corresponding 319 * DLT_s are used for passing on chassis-internal 320 * metainformation such as QOS profiles, etc.. 321 */ 322#define LINKTYPE_JUNIPER_MONITOR 164 323 324/* 325 * Reserved for BACnet MS/TP. 326 */ 327#define LINKTYPE_BACNET_MS_TP 165 328 329/* 330 * Another PPP variant as per request from Karsten Keil <kkeil@suse.de>. 331 * 332 * This is used in some OSes to allow a kernel socket filter to distinguish 333 * between incoming and outgoing packets, on a socket intended to 334 * supply pppd with outgoing packets so it can do dial-on-demand and 335 * hangup-on-lack-of-demand; incoming packets are filtered out so they 336 * don't cause pppd to hold the connection up (you don't want random 337 * input packets such as port scans, packets from old lost connections, 338 * etc. to force the connection to stay up). 339 * 340 * The first byte of the PPP header (0xff03) is modified to accomodate 341 * the direction - 0x00 = IN, 0x01 = OUT. 342 */ 343#define LINKTYPE_PPP_PPPD 166 344 345/* 346 * Juniper-private data link type, as per request from 347 * Hannes Gredler <hannes@juniper.net>. The DLT_s are used 348 * for passing on chassis-internal metainformation such as 349 * QOS profiles, cookies, etc.. 350 */ 351#define LINKTYPE_JUNIPER_PPPOE 167 352#define LINKTYPE_JUNIPER_PPPOE_ATM 168 353 354#define LINKTYPE_GPRS_LLC 169 /* GPRS LLC */ 355#define LINKTYPE_GPF_T 170 /* GPF-T (ITU-T G.7041/Y.1303) */ 356#define LINKTYPE_GPF_F 171 /* GPF-T (ITU-T G.7041/Y.1303) */ 357 358/* 359 * Requested by Oolan Zimmer <oz@gcom.com> for use in Gcom's T1/E1 line 360 * monitoring equipment. 361 */ 362#define LINKTYPE_GCOM_T1E1 172 363#define LINKTYPE_GCOM_SERIAL 173 364 365/* 366 * Juniper-private data link type, as per request from 367 * Hannes Gredler <hannes@juniper.net>. The DLT_ is used 368 * for internal communication to Physical Interface Cards (PIC) 369 */ 370#define LINKTYPE_JUNIPER_PIC_PEER 174 371 372/* 373 * Link types requested by Gregor Maier <gregor@endace.com> of Endace 374 * Measurement Systems. They add an ERF header (see 375 * http://www.endace.com/support/EndaceRecordFormat.pdf) in front of 376 * the link-layer header. 377 */ 378#define LINKTYPE_ERF_ETH 175 /* Ethernet */ 379#define LINKTYPE_ERF_POS 176 /* Packet-over-SONET */ 380 381/* 382 * Requested by Daniele Orlandi <daniele@orlandi.com> for raw LAPD 383 * for vISDN (http://www.orlandi.com/visdn/). Its link-layer header 384 * includes additional information before the LAPD header, so it's 385 * not necessarily a generic LAPD header. 386 */ 387#define LINKTYPE_LINUX_LAPD 177 388 389/* 390 * Juniper-private data link type, as per request from 391 * Hannes Gredler <hannes@juniper.net>. 392 * The Link Types are used for prepending meta-information 393 * like interface index, interface name 394 * before standard Ethernet, PPP, Frelay & C-HDLC Frames 395 */ 396#define LINKTYPE_JUNIPER_ETHER 178 397#define LINKTYPE_JUNIPER_PPP 179 398#define LINKTYPE_JUNIPER_FRELAY 180 399#define LINKTYPE_JUNIPER_CHDLC 181 400 401/* 402 * Multi Link Frame Relay (FRF.16) 403 */ 404#define LINKTYPE_MFR 182 405 406/* 407 * Juniper-private data link type, as per request from 408 * Hannes Gredler <hannes@juniper.net>. 409 * The DLT_ is used for internal communication with a 410 * voice Adapter Card (PIC) 411 */ 412#define LINKTYPE_JUNIPER_VP 183 413 414/* 415 * Arinc 429 frames. 416 * DLT_ requested by Gianluca Varenni <gianluca.varenni@cacetech.com>. 417 * Every frame contains a 32bit A429 label. 418 * More documentation on Arinc 429 can be found at 419 * http://www.condoreng.com/support/downloads/tutorials/ARINCTutorial.pdf 420 */ 421#define LINKTYPE_A429 184 422 423/* 424 * Arinc 653 Interpartition Communication messages. 425 * DLT_ requested by Gianluca Varenni <gianluca.varenni@cacetech.com>. 426 * Please refer to the A653-1 standard for more information. 427 */ 428#define LINKTYPE_A653_ICM 185 429 430/* 431 * USB packets, beginning with a USB setup header; requested by 432 * Paolo Abeni <paolo.abeni@email.it>. 433 */ 434#define LINKTYPE_USB 186 435 436/* 437 * Bluetooth HCI UART transport layer (part H:4); requested by 438 * Paolo Abeni. 439 */ 440#define LINKTYPE_BLUETOOTH_HCI_H4 187 441 442/* 443 * IEEE 802.16 MAC Common Part Sublayer; requested by Maria Cruz 444 * <cruz_petagay@bah.com>. 445 */ 446#define LINKTYPE_IEEE802_16_MAC_CPS 188 447 448/* 449 * USB packets, beginning with a Linux USB header; requested by 450 * Paolo Abeni <paolo.abeni@email.it>. 451 */ 452#define LINKTYPE_USB_LINUX 189 453 454/* 455 * Controller Area Network (CAN) v. 2.0B packets. 456 * DLT_ requested by Gianluca Varenni <gianluca.varenni@cacetech.com>. 457 * Used to dump CAN packets coming from a CAN Vector board. 458 * More documentation on the CAN v2.0B frames can be found at 459 * http://www.can-cia.org/downloads/?269 460 */ 461#define LINKTYPE_CAN20B 190 462 463/* 464 * IEEE 802.15.4, with address fields padded, as is done by Linux 465 * drivers; requested by Juergen Schimmer. 466 */ 467#define LINKTYPE_IEEE802_15_4_LINUX 191 468 469/* 470 * Per Packet Information encapsulated packets. 471 * LINKTYPE_ requested by Gianluca Varenni <gianluca.varenni@cacetech.com>. 472 */ 473#define LINKTYPE_PPI 192 474 475/* 476 * Header for 802.16 MAC Common Part Sublayer plus a radiotap radio header; 477 * requested by Charles Clancy. 478 */ 479#define LINKTYPE_IEEE802_16_MAC_CPS_RADIO 193 480 481/* 482 * Juniper-private data link type, as per request from 483 * Hannes Gredler <hannes@juniper.net>. 484 * The DLT_ is used for internal communication with a 485 * integrated service module (ISM). 486 */ 487#define LINKTYPE_JUNIPER_ISM 194 488 489/* 490 * IEEE 802.15.4, exactly as it appears in the spec (no padding, no 491 * nothing); requested by Mikko Saarnivala <mikko.saarnivala@sensinode.com>. 492 */ 493#define LINKTYPE_IEEE802_15_4 195 494 495/* 496 * Various link-layer types, with a pseudo-header, for SITA 497 * (http://www.sita.aero/); requested by Fulko Hew (fulko.hew@gmail.com). 498 */ 499#define LINKTYPE_SITA 196 500 501/* 502 * Various link-layer types, with a pseudo-header, for Endace DAG cards; 503 * encapsulates Endace ERF records. Requested by Stephen Donnelly 504 * <stephen@endace.com>. 505 */ 506#define LINKTYPE_ERF 197 507 508/* 509 * Special header prepended to Ethernet packets when capturing from a 510 * u10 Networks board. Requested by Phil Mulholland 511 * <phil@u10networks.com>. 512 */ 513#define LINKTYPE_RAIF1 198 514 515/* 516 * IPMB packet for IPMI, beginning with the I2C slave address, followed 517 * by the netFn and LUN, etc.. Requested by Chanthy Toeung 518 * <chanthy.toeung@ca.kontron.com>. 519 */ 520#define LINKTYPE_IPMB 199 521 522/* 523 * Juniper-private data link type, as per request from 524 * Hannes Gredler <hannes@juniper.net>. 525 * The DLT_ is used for capturing data on a secure tunnel interface. 526 */ 527#define LINKTYPE_JUNIPER_ST 200 528 529/* 530 * Bluetooth HCI UART transport layer (part H:4), with pseudo-header 531 * that includes direction information; requested by Paolo Abeni. 532 */ 533#define LINKTYPE_BLUETOOTH_HCI_H4_WITH_PHDR 201 534 535/* 536 * AX.25 packet with a 1-byte KISS header; see 537 * 538 * http://www.ax25.net/kiss.htm 539 * 540 * as per Richard Stearn <richard@rns-stearn.demon.co.uk>. 541 */ 542#define LINKTYPE_AX25_KISS 202 543 544/* 545 * LAPD packets from an ISDN channel, starting with the address field, 546 * with no pseudo-header. 547 * Requested by Varuna De Silva <varunax@gmail.com>. 548 */ 549#define LINKTYPE_LAPD 203 550 551/* 552 * Variants of various link-layer headers, with a one-byte direction 553 * pseudo-header prepended - zero means "received by this host", 554 * non-zero (any non-zero value) means "sent by this host" - as per 555 * Will Barker <w.barker@zen.co.uk>. 556 */ 557#define LINKTYPE_PPP_WITH_DIR 204 /* PPP */ 558#define LINKTYPE_C_HDLC_WITH_DIR 205 /* Cisco HDLC */ 559#define LINKTYPE_FRELAY_WITH_DIR 206 /* Frame Relay */ 560#define LINKTYPE_LAPB_WITH_DIR 207 /* LAPB */ 561 562/* 563 * 208 is reserved for an as-yet-unspecified proprietary link-layer 564 * type, as requested by Will Barker. 565 */ 566 567/* 568 * IPMB with a Linux-specific pseudo-header; as requested by Alexey Neyman 569 * <avn@pigeonpoint.com>. 570 */ 571#define LINKTYPE_IPMB_LINUX 209 572 573/* 574 * FlexRay automotive bus - http://www.flexray.com/ - as requested 575 * by Hannes Kaelber <hannes.kaelber@x2e.de>. 576 */ 577#define LINKTYPE_FLEXRAY 210 578 579/* 580 * Media Oriented Systems Transport (MOST) bus for multimedia 581 * transport - http://www.mostcooperation.com/ - as requested 582 * by Hannes Kaelber <hannes.kaelber@x2e.de>. 583 */ 584#define LINKTYPE_MOST 211 585 586/* 587 * Local Interconnect Network (LIN) bus for vehicle networks - 588 * http://www.lin-subbus.org/ - as requested by Hannes Kaelber 589 * <hannes.kaelber@x2e.de>. 590 */ 591#define LINKTYPE_LIN 212 592 593/* 594 * X2E-private data link type used for serial line capture, 595 * as requested by Hannes Kaelber <hannes.kaelber@x2e.de>. 596 */ 597#define LINKTYPE_X2E_SERIAL 213 598 599/* 600 * X2E-private data link type used for the Xoraya data logger 601 * family, as requested by Hannes Kaelber <hannes.kaelber@x2e.de>. 602 */ 603#define LINKTYPE_X2E_XORAYA 214 604 605/* 606 * IEEE 802.15.4, exactly as it appears in the spec (no padding, no 607 * nothing), but with the PHY-level data for non-ASK PHYs (4 octets 608 * of 0 as preamble, one octet of SFD, one octet of frame length+ 609 * reserved bit, and then the MAC-layer data, starting with the 610 * frame control field). 611 * 612 * Requested by Max Filippov <jcmvbkbc@gmail.com>. 613 */ 614#define LINKTYPE_IEEE802_15_4_NONASK_PHY 215 615 616/* 617 * David Gibson <david@gibson.dropbear.id.au> requested this for 618 * captures from the Linux kernel /dev/input/eventN devices. This 619 * is used to communicate keystrokes and mouse movements from the 620 * Linux kernel to display systems, such as Xorg. 621 */ 622#define LINKTYPE_LINUX_EVDEV 216 623 624/* 625 * GSM Um and Abis interfaces, preceded by a "gsmtap" header. 626 * 627 * Requested by Harald Welte <laforge@gnumonks.org>. 628 */ 629#define LINKTYPE_GSMTAP_UM 217 630#define LINKTYPE_GSMTAP_ABIS 218 631 632/* 633 * MPLS, with an MPLS label as the link-layer header. 634 * Requested by Michele Marchetto <michele@openbsd.org> on behalf 635 * of OpenBSD. 636 */ 637#define LINKTYPE_MPLS 219 638 639/* 640 * USB packets, beginning with a Linux USB header, with the USB header 641 * padded to 64 bytes; required for memory-mapped access. 642 */ 643#define LINKTYPE_USB_LINUX_MMAPPED 220 644 645/* 646 * DECT packets, with a pseudo-header; requested by 647 * Matthias Wenzel <tcpdump@mazzoo.de>. 648 */ 649#define LINKTYPE_DECT 221 650 651/* 652 * From: "Lidwa, Eric (GSFC-582.0)[SGT INC]" <eric.lidwa-1@nasa.gov> 653 * Date: Mon, 11 May 2009 11:18:30 -0500 654 * 655 * DLT_AOS. We need it for AOS Space Data Link Protocol. 656 * I have already written dissectors for but need an OK from 657 * legal before I can submit a patch. 658 * 659 */ 660#define LINKTYPE_AOS 222 661 662/* 663 * Wireless HART (Highway Addressable Remote Transducer) 664 * From the HART Communication Foundation 665 * IES/PAS 62591 666 * 667 * Requested by Sam Roberts <vieuxtech@gmail.com>. 668 */ 669#define LINKTYPE_WIHART 223 670 671/* 672 * Fibre Channel FC-2 frames, beginning with a Frame_Header. 673 * Requested by Kahou Lei <kahou82@gmail.com>. 674 */ 675#define LINKTYPE_FC_2 224 676 677/* 678 * Fibre Channel FC-2 frames, beginning with an encoding of the 679 * SOF, and ending with an encoding of the EOF. 680 * 681 * The encodings represent the frame delimiters as 4-byte sequences 682 * representing the corresponding ordered sets, with K28.5 683 * represented as 0xBC, and the D symbols as the corresponding 684 * byte values; for example, SOFi2, which is K28.5 - D21.5 - D1.2 - D21.2, 685 * is represented as 0xBC 0xB5 0x55 0x55. 686 * 687 * Requested by Kahou Lei <kahou82@gmail.com>. 688 */ 689#define LINKTYPE_FC_2_WITH_FRAME_DELIMS 225 690 691/* 692 * Solaris ipnet pseudo-header; requested by Darren Reed <Darren.Reed@Sun.COM>. 693 * 694 * The pseudo-header starts with a one-byte version number; for version 2, 695 * the pseudo-header is: 696 * 697 * struct dl_ipnetinfo { 698 * u_int8_t dli_version; 699 * u_int8_t dli_family; 700 * u_int16_t dli_htype; 701 * u_int32_t dli_pktlen; 702 * u_int32_t dli_ifindex; 703 * u_int32_t dli_grifindex; 704 * u_int32_t dli_zsrc; 705 * u_int32_t dli_zdst; 706 * }; 707 * 708 * dli_version is 2 for the current version of the pseudo-header. 709 * 710 * dli_family is a Solaris address family value, so it's 2 for IPv4 711 * and 26 for IPv6. 712 * 713 * dli_htype is a "hook type" - 0 for incoming packets, 1 for outgoing 714 * packets, and 2 for packets arriving from another zone on the same 715 * machine. 716 * 717 * dli_pktlen is the length of the packet data following the pseudo-header 718 * (so the captured length minus dli_pktlen is the length of the 719 * pseudo-header, assuming the entire pseudo-header was captured). 720 * 721 * dli_ifindex is the interface index of the interface on which the 722 * packet arrived. 723 * 724 * dli_grifindex is the group interface index number (for IPMP interfaces). 725 * 726 * dli_zsrc is the zone identifier for the source of the packet. 727 * 728 * dli_zdst is the zone identifier for the destination of the packet. 729 * 730 * A zone number of 0 is the global zone; a zone number of 0xffffffff 731 * means that the packet arrived from another host on the network, not 732 * from another zone on the same machine. 733 * 734 * An IPv4 or IPv6 datagram follows the pseudo-header; dli_family indicates 735 * which of those it is. 736 */ 737#define LINKTYPE_IPNET 226 738 739/* 740 * CAN (Controller Area Network) frames, with a pseudo-header as supplied 741 * by Linux SocketCAN. See Documentation/networking/can.txt in the Linux 742 * source. 743 * 744 * Requested by Felix Obenhuber <felix@obenhuber.de>. 745 */ 746#define LINKTYPE_CAN_SOCKETCAN 227 747 748/* 749 * Raw IPv4/IPv6; different from DLT_RAW in that the DLT_ value specifies 750 * whether it's v4 or v6. Requested by Darren Reed <Darren.Reed@Sun.COM>. 751 */ 752#define LINKTYPE_IPV4 228 753#define LINKTYPE_IPV6 229 754 755/* 756 * IEEE 802.15.4, exactly as it appears in the spec (no padding, no 757 * nothing), and with no FCS at the end of the frame; requested by 758 * Jon Smirl <jonsmirl@gmail.com>. 759 */ 760#define LINKTYPE_IEEE802_15_4_NOFCS 230 761 762/* 763 * Raw D-Bus: 764 * 765 * http://www.freedesktop.org/wiki/Software/dbus 766 * 767 * messages: 768 * 769 * http://dbus.freedesktop.org/doc/dbus-specification.html#message-protocol-messages 770 * 771 * starting with the endianness flag, followed by the message type, etc., 772 * but without the authentication handshake before the message sequence: 773 * 774 * http://dbus.freedesktop.org/doc/dbus-specification.html#auth-protocol 775 * 776 * Requested by Martin Vidner <martin@vidner.net>. 777 */ 778#define LINKTYPE_DBUS 231 779 780/* 781 * Juniper-private data link type, as per request from 782 * Hannes Gredler <hannes@juniper.net>. 783 */ 784#define LINKTYPE_JUNIPER_VS 232 785#define LINKTYPE_JUNIPER_SRX_E2E 233 786#define LINKTYPE_JUNIPER_FIBRECHANNEL 234 787 788/* 789 * DVB-CI (DVB Common Interface for communication between a PC Card 790 * module and a DVB receiver). See 791 * 792 * http://www.kaiser.cx/pcap-dvbci.html 793 * 794 * for the specification. 795 * 796 * Requested by Martin Kaiser <martin@kaiser.cx>. 797 */ 798#define LINKTYPE_DVB_CI 235 799 800/* 801 * Variant of 3GPP TS 27.010 multiplexing protocol. Requested 802 * by Hans-Christoph Schemmel <hans-christoph.schemmel@cinterion.com>. 803 */ 804#define LINKTYPE_MUX27010 236 805 806/* 807 * STANAG 5066 D_PDUs. Requested by M. Baris Demiray 808 * <barisdemiray@gmail.com>. 809 */ 810#define LINKTYPE_STANAG_5066_D_PDU 237 811 812/* 813 * Juniper-private data link type, as per request from 814 * Hannes Gredler <hannes@juniper.net>. 815 */ 816#define LINKTYPE_JUNIPER_ATM_CEMIC 238 817 818/* 819 * NetFilter LOG messages 820 * (payload of netlink NFNL_SUBSYS_ULOG/NFULNL_MSG_PACKET packets) 821 * 822 * Requested by Jakub Zawadzki <darkjames-ws@darkjames.pl> 823 */ 824#define LINKTYPE_NFLOG 239 825 826/* 827 * Hilscher Gesellschaft fuer Systemautomation mbH link-layer type 828 * for Ethernet packets with a 4-byte pseudo-header and always 829 * with the payload including the FCS, as supplied by their 830 * netANALYZER hardware and software. 831 * 832 * Requested by Holger P. Frommer <HPfrommer@hilscher.com> 833 */ 834#define LINKTYPE_NETANALYZER 240 835 836/* 837 * Hilscher Gesellschaft fuer Systemautomation mbH link-layer type 838 * for Ethernet packets with a 4-byte pseudo-header and FCS and 839 * 1 byte of SFD, as supplied by their netANALYZER hardware and 840 * software. 841 * 842 * Requested by Holger P. Frommer <HPfrommer@hilscher.com> 843 */ 844#define LINKTYPE_NETANALYZER_TRANSPARENT 241 845 846/* 847 * IP-over-Infiniband, as specified by RFC 4391. 848 * 849 * Requested by Petr Sumbera <petr.sumbera@oracle.com>. 850 */ 851#define LINKTYPE_IPOIB 242 852 853#define LINKTYPE_MATCHING_MAX 242 /* highest value in the "matching" range */ 854 855static struct linktype_map { 856 int dlt; 857 int linktype; 858} map[] = { 859 /* 860 * These DLT_* codes have LINKTYPE_* codes with values identical 861 * to the values of the corresponding DLT_* code. 862 */ 863 { DLT_NULL, LINKTYPE_NULL }, 864 { DLT_EN10MB, LINKTYPE_ETHERNET }, 865 { DLT_EN3MB, LINKTYPE_EXP_ETHERNET }, 866 { DLT_AX25, LINKTYPE_AX25 }, 867 { DLT_PRONET, LINKTYPE_PRONET }, 868 { DLT_CHAOS, LINKTYPE_CHAOS }, 869 { DLT_IEEE802, LINKTYPE_TOKEN_RING }, 870 { DLT_ARCNET, LINKTYPE_ARCNET_BSD }, 871 { DLT_SLIP, LINKTYPE_SLIP }, 872 { DLT_PPP, LINKTYPE_PPP }, 873 { DLT_FDDI, LINKTYPE_FDDI }, 874 875 /* 876 * These DLT_* codes have different values on different 877 * platforms; we map them to LINKTYPE_* codes that 878 * have values that should never be equal to any DLT_* 879 * code. 880 */ 881#ifdef DLT_FR 882 /* BSD/OS Frame Relay */ 883 { DLT_FR, LINKTYPE_FRELAY }, 884#endif 885 886 { DLT_SYMANTEC_FIREWALL, LINKTYPE_SYMANTEC_FIREWALL }, 887 { DLT_ATM_RFC1483, LINKTYPE_ATM_RFC1483 }, 888 { DLT_RAW, LINKTYPE_RAW }, 889 { DLT_SLIP_BSDOS, LINKTYPE_SLIP_BSDOS }, 890 { DLT_PPP_BSDOS, LINKTYPE_PPP_BSDOS }, 891 892 /* BSD/OS Cisco HDLC */ 893 { DLT_C_HDLC, LINKTYPE_C_HDLC }, 894 895 /* 896 * These DLT_* codes are not on all platforms, but, so far, 897 * there don't appear to be any platforms that define 898 * other codes with those values; we map them to 899 * different LINKTYPE_* values anyway, just in case. 900 */ 901 902 /* Linux ATM Classical IP */ 903 { DLT_ATM_CLIP, LINKTYPE_ATM_CLIP }, 904 905 /* NetBSD sync/async serial PPP (or Cisco HDLC) */ 906 { DLT_PPP_SERIAL, LINKTYPE_PPP_HDLC }, 907 908 /* NetBSD PPP over Ethernet */ 909 { DLT_PPP_ETHER, LINKTYPE_PPP_ETHER }, 910 911 /* 912 * All LINKTYPE_ values between LINKTYPE_MATCHING_MIN 913 * and LINKTYPE_MATCHING_MAX are mapped to identical 914 * DLT_ values. 915 */ 916 917 { -1, -1 } 918}; 919 920int 921dlt_to_linktype(int dlt) 922{ 923 int i; 924 925 /* 926 * Map the values in the matching range. 927 */ 928 if (dlt >= DLT_MATCHING_MIN && dlt <= DLT_MATCHING_MAX) 929 return (dlt); 930 931 /* 932 * Map the values outside that range. 933 */ 934 for (i = 0; map[i].dlt != -1; i++) { 935 if (map[i].dlt == dlt) 936 return (map[i].linktype); 937 } 938 939 /* 940 * If we don't have a mapping for this DLT_ code, return an 941 * error; that means that this is a value with no corresponding 942 * LINKTYPE_ code, and we need to assign one. 943 */ 944 return (-1); 945} 946 947int 948linktype_to_dlt(int linktype) 949{ 950 int i; 951 952 /* 953 * Map the values in the matching range. 954 */ 955 if (linktype >= LINKTYPE_MATCHING_MIN && 956 linktype <= LINKTYPE_MATCHING_MAX) 957 return (linktype); 958 959 /* 960 * Map the values outside that range. 961 */ 962 for (i = 0; map[i].linktype != -1; i++) { 963 if (map[i].linktype == linktype) 964 return (map[i].dlt); 965 } 966 967 /* 968 * If we don't have an entry for this link type, return 969 * the link type value; it may be a DLT_ value from an 970 * older version of libpcap. 971 */ 972 return linktype; 973} 974 975/* 976 * The DLT_USB_LINUX and DLT_USB_LINUX_MMAPPED headers are in host 977 * byte order when capturing (it's supplied directly from a 978 * memory-mapped buffer shared by the kernel). 979 * 980 * When reading a DLT_USB_LINUX or DLT_USB_LINUX_MMAPPED capture file, 981 * we need to convert it from the capturing host's byte order to 982 * the reading host's byte order. 983 */ 984void 985swap_linux_usb_header(const struct pcap_pkthdr *hdr, u_char *buf, 986 int header_len_64_bytes) 987{ 988 pcap_usb_header_mmapped *uhdr = (pcap_usb_header_mmapped *)buf; 989 bpf_u_int32 offset = 0; 990 usb_isodesc *pisodesc; 991 int32_t numdesc, i; 992 993 /* 994 * "offset" is the offset *past* the field we're swapping; 995 * we skip the field *before* checking to make sure 996 * the captured data length includes the entire field. 997 */ 998 999 /* 1000 * The URB id is a totally opaque value; do we really need to 1001 * convert it to the reading host's byte order??? 1002 */ 1003 offset += 8; /* skip past id */ 1004 if (hdr->caplen < offset) 1005 return; 1006 uhdr->id = SWAPLL(uhdr->id); 1007 1008 offset += 4; /* skip past various 1-byte fields */ 1009 1010 offset += 2; /* skip past bus_id */ 1011 if (hdr->caplen < offset) 1012 return; 1013 uhdr->bus_id = SWAPSHORT(uhdr->bus_id); 1014 1015 offset += 2; /* skip past various 1-byte fields */ 1016 1017 offset += 8; /* skip past ts_sec */ 1018 if (hdr->caplen < offset) 1019 return; 1020 uhdr->ts_sec = SWAPLL(uhdr->ts_sec); 1021 1022 offset += 4; /* skip past ts_usec */ 1023 if (hdr->caplen < offset) 1024 return; 1025 uhdr->ts_usec = SWAPLONG(uhdr->ts_usec); 1026 1027 offset += 4; /* skip past status */ 1028 if (hdr->caplen < offset) 1029 return; 1030 uhdr->status = SWAPLONG(uhdr->status); 1031 1032 offset += 4; /* skip past urb_len */ 1033 if (hdr->caplen < offset) 1034 return; 1035 uhdr->urb_len = SWAPLONG(uhdr->urb_len); 1036 1037 offset += 4; /* skip past data_len */ 1038 if (hdr->caplen < offset) 1039 return; 1040 uhdr->data_len = SWAPLONG(uhdr->data_len); 1041 1042 if (uhdr->transfer_type == URB_ISOCHRONOUS) { 1043 offset += 4; /* skip past s.iso.error_count */ 1044 if (hdr->caplen < offset) 1045 return; 1046 uhdr->s.iso.error_count = SWAPLONG(uhdr->s.iso.error_count); 1047 1048 offset += 4; /* skip past s.iso.numdesc */ 1049 if (hdr->caplen < offset) 1050 return; 1051 uhdr->s.iso.numdesc = SWAPLONG(uhdr->s.iso.numdesc); 1052 } else 1053 offset += 8; /* skip USB setup header */ 1054 1055 if (header_len_64_bytes) { 1056 /* 1057 * This is either the "version 1" header, with 1058 * 16 bytes of additional fields at the end, or 1059 * a "version 0" header from a memory-mapped 1060 * capture, with 16 bytes of zeroed-out padding 1061 * at the end. Byte swap them as if this were 1062 * a "version 1" header. 1063 */ 1064 offset += 4; /* skip past interval */ 1065 if (hdr->caplen < offset) 1066 return; 1067 uhdr->interval = SWAPLONG(uhdr->interval); 1068 1069 offset += 4; /* skip past start_frame */ 1070 if (hdr->caplen < offset) 1071 return; 1072 uhdr->start_frame = SWAPLONG(uhdr->start_frame); 1073 1074 offset += 4; /* skip past xfer_flags */ 1075 if (hdr->caplen < offset) 1076 return; 1077 uhdr->xfer_flags = SWAPLONG(uhdr->xfer_flags); 1078 1079 offset += 4; /* skip past ndesc */ 1080 if (hdr->caplen < offset) 1081 return; 1082 uhdr->ndesc = SWAPLONG(uhdr->ndesc); 1083 } 1084 1085 if (uhdr->transfer_type == URB_ISOCHRONOUS) { 1086 /* swap the values in struct linux_usb_isodesc */ 1087 pisodesc = (usb_isodesc *)(void *)(buf+offset); 1088 numdesc = uhdr->s.iso.numdesc; 1089 for (i = 0; i < numdesc; i++) { 1090 offset += 4; /* skip past status */ 1091 if (hdr->caplen < offset) 1092 return; 1093 pisodesc->status = SWAPLONG(pisodesc->status); 1094 1095 offset += 4; /* skip past offset */ 1096 if (hdr->caplen < offset) 1097 return; 1098 pisodesc->offset = SWAPLONG(pisodesc->offset); 1099 1100 offset += 4; /* skip past len */ 1101 if (hdr->caplen < offset) 1102 return; 1103 pisodesc->len = SWAPLONG(pisodesc->len); 1104 1105 offset += 4; /* skip past padding */ 1106 1107 pisodesc++; 1108 } 1109 } 1110} 1111