bpf.h revision 233937
1/*- 2 * Copyright (c) 1990, 1991, 1993 3 * The Regents of the University of California. All rights reserved. 4 * 5 * This code is derived from the Stanford/CMU enet packet filter, 6 * (net/enet.c) distributed as part of 4.3BSD, and code contributed 7 * to Berkeley by Steven McCanne and Van Jacobson both of Lawrence 8 * Berkeley Laboratory. 9 * 10 * Redistribution and use in source and binary forms, with or without 11 * modification, are permitted provided that the following conditions 12 * are met: 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 4. Neither the name of the University nor the names of its contributors 19 * may be used to endorse or promote products derived from this software 20 * without specific prior written permission. 21 * 22 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 25 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 32 * SUCH DAMAGE. 33 * 34 * @(#)bpf.h 8.1 (Berkeley) 6/10/93 35 * @(#)bpf.h 1.34 (LBL) 6/16/96 36 * 37 * $FreeBSD: head/sys/net/bpf.h 233937 2012-04-06 06:53:58Z melifaro $ 38 */ 39 40#ifndef _NET_BPF_H_ 41#define _NET_BPF_H_ 42 43/* BSD style release date */ 44#define BPF_RELEASE 199606 45 46typedef int32_t bpf_int32; 47typedef u_int32_t bpf_u_int32; 48typedef int64_t bpf_int64; 49typedef u_int64_t bpf_u_int64; 50 51/* 52 * Alignment macros. BPF_WORDALIGN rounds up to the next 53 * even multiple of BPF_ALIGNMENT. 54 */ 55#define BPF_ALIGNMENT sizeof(long) 56#define BPF_WORDALIGN(x) (((x)+(BPF_ALIGNMENT-1))&~(BPF_ALIGNMENT-1)) 57 58#define BPF_MAXINSNS 512 59#define BPF_MAXBUFSIZE 0x80000 60#define BPF_MINBUFSIZE 32 61 62/* 63 * Structure for BIOCSETF. 64 */ 65struct bpf_program { 66 u_int bf_len; 67 struct bpf_insn *bf_insns; 68}; 69 70/* 71 * Struct returned by BIOCGSTATS. 72 */ 73struct bpf_stat { 74 u_int bs_recv; /* number of packets received */ 75 u_int bs_drop; /* number of packets dropped */ 76}; 77 78/* 79 * Struct return by BIOCVERSION. This represents the version number of 80 * the filter language described by the instruction encodings below. 81 * bpf understands a program iff kernel_major == filter_major && 82 * kernel_minor >= filter_minor, that is, if the value returned by the 83 * running kernel has the same major number and a minor number equal 84 * equal to or less than the filter being downloaded. Otherwise, the 85 * results are undefined, meaning an error may be returned or packets 86 * may be accepted haphazardly. 87 * It has nothing to do with the source code version. 88 */ 89struct bpf_version { 90 u_short bv_major; 91 u_short bv_minor; 92}; 93/* Current version number of filter architecture. */ 94#define BPF_MAJOR_VERSION 1 95#define BPF_MINOR_VERSION 1 96 97/* 98 * Historically, BPF has supported a single buffering model, first using mbuf 99 * clusters in kernel, and later using malloc(9) buffers in kernel. We now 100 * support multiple buffering modes, which may be queried and set using 101 * BIOCGETBUFMODE and BIOCSETBUFMODE. So as to avoid handling the complexity 102 * of changing modes while sniffing packets, the mode becomes fixed once an 103 * interface has been attached to the BPF descriptor. 104 */ 105#define BPF_BUFMODE_BUFFER 1 /* Kernel buffers with read(). */ 106#define BPF_BUFMODE_ZBUF 2 /* Zero-copy buffers. */ 107 108/*- 109 * Struct used by BIOCSETZBUF, BIOCROTZBUF: describes up to two zero-copy 110 * buffer as used by BPF. 111 */ 112struct bpf_zbuf { 113 void *bz_bufa; /* Location of 'a' zero-copy buffer. */ 114 void *bz_bufb; /* Location of 'b' zero-copy buffer. */ 115 size_t bz_buflen; /* Size of zero-copy buffers. */ 116}; 117 118#define BIOCGBLEN _IOR('B', 102, u_int) 119#define BIOCSBLEN _IOWR('B', 102, u_int) 120#define BIOCSETF _IOW('B', 103, struct bpf_program) 121#define BIOCFLUSH _IO('B', 104) 122#define BIOCPROMISC _IO('B', 105) 123#define BIOCGDLT _IOR('B', 106, u_int) 124#define BIOCGETIF _IOR('B', 107, struct ifreq) 125#define BIOCSETIF _IOW('B', 108, struct ifreq) 126#define BIOCSRTIMEOUT _IOW('B', 109, struct timeval) 127#define BIOCGRTIMEOUT _IOR('B', 110, struct timeval) 128#define BIOCGSTATS _IOR('B', 111, struct bpf_stat) 129#define BIOCIMMEDIATE _IOW('B', 112, u_int) 130#define BIOCVERSION _IOR('B', 113, struct bpf_version) 131#define BIOCGRSIG _IOR('B', 114, u_int) 132#define BIOCSRSIG _IOW('B', 115, u_int) 133#define BIOCGHDRCMPLT _IOR('B', 116, u_int) 134#define BIOCSHDRCMPLT _IOW('B', 117, u_int) 135#define BIOCGDIRECTION _IOR('B', 118, u_int) 136#define BIOCSDIRECTION _IOW('B', 119, u_int) 137#define BIOCSDLT _IOW('B', 120, u_int) 138#define BIOCGDLTLIST _IOWR('B', 121, struct bpf_dltlist) 139#define BIOCLOCK _IO('B', 122) 140#define BIOCSETWF _IOW('B', 123, struct bpf_program) 141#define BIOCFEEDBACK _IOW('B', 124, u_int) 142#define BIOCGETBUFMODE _IOR('B', 125, u_int) 143#define BIOCSETBUFMODE _IOW('B', 126, u_int) 144#define BIOCGETZMAX _IOR('B', 127, size_t) 145#define BIOCROTZBUF _IOR('B', 128, struct bpf_zbuf) 146#define BIOCSETZBUF _IOW('B', 129, struct bpf_zbuf) 147#define BIOCSETFNR _IOW('B', 130, struct bpf_program) 148#define BIOCGTSTAMP _IOR('B', 131, u_int) 149#define BIOCSTSTAMP _IOW('B', 132, u_int) 150 151/* Obsolete */ 152#define BIOCGSEESENT BIOCGDIRECTION 153#define BIOCSSEESENT BIOCSDIRECTION 154 155/* Packet directions */ 156enum bpf_direction { 157 BPF_D_IN, /* See incoming packets */ 158 BPF_D_INOUT, /* See incoming and outgoing packets */ 159 BPF_D_OUT /* See outgoing packets */ 160}; 161 162/* Time stamping functions */ 163#define BPF_T_MICROTIME 0x0000 164#define BPF_T_NANOTIME 0x0001 165#define BPF_T_BINTIME 0x0002 166#define BPF_T_NONE 0x0003 167#define BPF_T_FORMAT_MASK 0x0003 168#define BPF_T_NORMAL 0x0000 169#define BPF_T_FAST 0x0100 170#define BPF_T_MONOTONIC 0x0200 171#define BPF_T_MONOTONIC_FAST (BPF_T_FAST | BPF_T_MONOTONIC) 172#define BPF_T_FLAG_MASK 0x0300 173#define BPF_T_FORMAT(t) ((t) & BPF_T_FORMAT_MASK) 174#define BPF_T_FLAG(t) ((t) & BPF_T_FLAG_MASK) 175#define BPF_T_VALID(t) \ 176 ((t) == BPF_T_NONE || (BPF_T_FORMAT(t) != BPF_T_NONE && \ 177 ((t) & ~(BPF_T_FORMAT_MASK | BPF_T_FLAG_MASK)) == 0)) 178 179#define BPF_T_MICROTIME_FAST (BPF_T_MICROTIME | BPF_T_FAST) 180#define BPF_T_NANOTIME_FAST (BPF_T_NANOTIME | BPF_T_FAST) 181#define BPF_T_BINTIME_FAST (BPF_T_BINTIME | BPF_T_FAST) 182#define BPF_T_MICROTIME_MONOTONIC (BPF_T_MICROTIME | BPF_T_MONOTONIC) 183#define BPF_T_NANOTIME_MONOTONIC (BPF_T_NANOTIME | BPF_T_MONOTONIC) 184#define BPF_T_BINTIME_MONOTONIC (BPF_T_BINTIME | BPF_T_MONOTONIC) 185#define BPF_T_MICROTIME_MONOTONIC_FAST (BPF_T_MICROTIME | BPF_T_MONOTONIC_FAST) 186#define BPF_T_NANOTIME_MONOTONIC_FAST (BPF_T_NANOTIME | BPF_T_MONOTONIC_FAST) 187#define BPF_T_BINTIME_MONOTONIC_FAST (BPF_T_BINTIME | BPF_T_MONOTONIC_FAST) 188 189/* 190 * Structure prepended to each packet. 191 */ 192struct bpf_ts { 193 bpf_int64 bt_sec; /* seconds */ 194 bpf_u_int64 bt_frac; /* fraction */ 195}; 196struct bpf_xhdr { 197 struct bpf_ts bh_tstamp; /* time stamp */ 198 bpf_u_int32 bh_caplen; /* length of captured portion */ 199 bpf_u_int32 bh_datalen; /* original length of packet */ 200 u_short bh_hdrlen; /* length of bpf header (this struct 201 plus alignment padding) */ 202}; 203/* Obsolete */ 204struct bpf_hdr { 205 struct timeval bh_tstamp; /* time stamp */ 206 bpf_u_int32 bh_caplen; /* length of captured portion */ 207 bpf_u_int32 bh_datalen; /* original length of packet */ 208 u_short bh_hdrlen; /* length of bpf header (this struct 209 plus alignment padding) */ 210}; 211#ifdef _KERNEL 212#define MTAG_BPF 0x627066 213#define MTAG_BPF_TIMESTAMP 0 214#endif 215 216/* 217 * When using zero-copy BPF buffers, a shared memory header is present 218 * allowing the kernel BPF implementation and user process to synchronize 219 * without using system calls. This structure defines that header. When 220 * accessing these fields, appropriate atomic operation and memory barriers 221 * are required in order not to see stale or out-of-order data; see bpf(4) 222 * for reference code to access these fields from userspace. 223 * 224 * The layout of this structure is critical, and must not be changed; if must 225 * fit in a single page on all architectures. 226 */ 227struct bpf_zbuf_header { 228 volatile u_int bzh_kernel_gen; /* Kernel generation number. */ 229 volatile u_int bzh_kernel_len; /* Length of data in the buffer. */ 230 volatile u_int bzh_user_gen; /* User generation number. */ 231 u_int _bzh_pad[5]; 232}; 233 234/* 235 * Data-link level type codes. 236 */ 237#define DLT_NULL 0 /* BSD loopback encapsulation */ 238#define DLT_EN10MB 1 /* Ethernet (10Mb) */ 239#define DLT_EN3MB 2 /* Experimental Ethernet (3Mb) */ 240#define DLT_AX25 3 /* Amateur Radio AX.25 */ 241#define DLT_PRONET 4 /* Proteon ProNET Token Ring */ 242#define DLT_CHAOS 5 /* Chaos */ 243#define DLT_IEEE802 6 /* IEEE 802 Networks */ 244#define DLT_ARCNET 7 /* ARCNET */ 245#define DLT_SLIP 8 /* Serial Line IP */ 246#define DLT_PPP 9 /* Point-to-point Protocol */ 247#define DLT_FDDI 10 /* FDDI */ 248#define DLT_ATM_RFC1483 11 /* LLC/SNAP encapsulated atm */ 249#define DLT_RAW 12 /* raw IP */ 250 251/* 252 * These are values from BSD/OS's "bpf.h". 253 * These are not the same as the values from the traditional libpcap 254 * "bpf.h"; however, these values shouldn't be generated by any 255 * OS other than BSD/OS, so the correct values to use here are the 256 * BSD/OS values. 257 * 258 * Platforms that have already assigned these values to other 259 * DLT_ codes, however, should give these codes the values 260 * from that platform, so that programs that use these codes will 261 * continue to compile - even though they won't correctly read 262 * files of these types. 263 */ 264#define DLT_SLIP_BSDOS 15 /* BSD/OS Serial Line IP */ 265#define DLT_PPP_BSDOS 16 /* BSD/OS Point-to-point Protocol */ 266 267#define DLT_ATM_CLIP 19 /* Linux Classical-IP over ATM */ 268 269/* 270 * These values are defined by NetBSD; other platforms should refrain from 271 * using them for other purposes, so that NetBSD savefiles with link 272 * types of 50 or 51 can be read as this type on all platforms. 273 */ 274#define DLT_PPP_SERIAL 50 /* PPP over serial with HDLC encapsulation */ 275#define DLT_PPP_ETHER 51 /* PPP over Ethernet */ 276 277/* 278 * Reserved for the Symantec Enterprise Firewall. 279 */ 280#define DLT_SYMANTEC_FIREWALL 99 281 282 283/* 284 * This value was defined by libpcap 0.5; platforms that have defined 285 * it with a different value should define it here with that value - 286 * a link type of 104 in a save file will be mapped to DLT_C_HDLC, 287 * whatever value that happens to be, so programs will correctly 288 * handle files with that link type regardless of the value of 289 * DLT_C_HDLC. 290 * 291 * The name DLT_C_HDLC was used by BSD/OS; we use that name for source 292 * compatibility with programs written for BSD/OS. 293 * 294 * libpcap 0.5 defined it as DLT_CHDLC; we define DLT_CHDLC as well, 295 * for source compatibility with programs written for libpcap 0.5. 296 */ 297#define DLT_C_HDLC 104 /* Cisco HDLC */ 298#define DLT_CHDLC DLT_C_HDLC 299 300#define DLT_IEEE802_11 105 /* IEEE 802.11 wireless */ 301 302/* 303 * Values between 106 and 107 are used in capture file headers as 304 * link-layer types corresponding to DLT_ types that might differ 305 * between platforms; don't use those values for new DLT_ new types. 306 */ 307 308/* 309 * Frame Relay; BSD/OS has a DLT_FR with a value of 11, but that collides 310 * with other values. 311 * DLT_FR and DLT_FRELAY packets start with the Q.922 Frame Relay header 312 * (DLCI, etc.). 313 */ 314#define DLT_FRELAY 107 315 316/* 317 * OpenBSD DLT_LOOP, for loopback devices; it's like DLT_NULL, except 318 * that the AF_ type in the link-layer header is in network byte order. 319 * 320 * OpenBSD defines it as 12, but that collides with DLT_RAW, so we 321 * define it as 108 here. If OpenBSD picks up this file, it should 322 * define DLT_LOOP as 12 in its version, as per the comment above - 323 * and should not use 108 as a DLT_ value. 324 */ 325#define DLT_LOOP 108 326 327/* 328 * Values between 109 and 112 are used in capture file headers as 329 * link-layer types corresponding to DLT_ types that might differ 330 * between platforms; don't use those values for new DLT_ new types. 331 */ 332 333/* 334 * Encapsulated packets for IPsec; DLT_ENC is 13 in OpenBSD, but that's 335 * DLT_SLIP_BSDOS in NetBSD, so we don't use 13 for it in OSes other 336 * than OpenBSD. 337 */ 338#define DLT_ENC 109 339 340/* 341 * This is for Linux cooked sockets. 342 */ 343#define DLT_LINUX_SLL 113 344 345/* 346 * Apple LocalTalk hardware. 347 */ 348#define DLT_LTALK 114 349 350/* 351 * Acorn Econet. 352 */ 353#define DLT_ECONET 115 354 355/* 356 * Reserved for use with OpenBSD ipfilter. 357 */ 358#define DLT_IPFILTER 116 359 360/* 361 * Reserved for use in capture-file headers as a link-layer type 362 * corresponding to OpenBSD DLT_PFLOG; DLT_PFLOG is 17 in OpenBSD, 363 * but that's DLT_LANE8023 in SuSE 6.3, so we can't use 17 for it 364 * in capture-file headers. 365 */ 366#define DLT_PFLOG 117 367 368/* 369 * Registered for Cisco-internal use. 370 */ 371#define DLT_CISCO_IOS 118 372 373/* 374 * Reserved for 802.11 cards using the Prism II chips, with a link-layer 375 * header including Prism monitor mode information plus an 802.11 376 * header. 377 */ 378#define DLT_PRISM_HEADER 119 379 380/* 381 * Reserved for Aironet 802.11 cards, with an Aironet link-layer header 382 * (see Doug Ambrisko's FreeBSD patches). 383 */ 384#define DLT_AIRONET_HEADER 120 385 386/* 387 * Reserved for use by OpenBSD's pfsync device. 388 */ 389#define DLT_PFSYNC 121 390 391/* 392 * Reserved for Siemens HiPath HDLC. XXX 393 */ 394#define DLT_HHDLC 121 395 396/* 397 * Reserved for RFC 2625 IP-over-Fibre Channel. 398 */ 399#define DLT_IP_OVER_FC 122 400 401/* 402 * Reserved for Full Frontal ATM on Solaris. 403 */ 404#define DLT_SUNATM 123 405 406/* 407 * Reserved as per request from Kent Dahlgren <kent@praesum.com> 408 * for private use. 409 */ 410#define DLT_RIO 124 /* RapidIO */ 411#define DLT_PCI_EXP 125 /* PCI Express */ 412#define DLT_AURORA 126 /* Xilinx Aurora link layer */ 413 414/* 415 * BSD header for 802.11 plus a number of bits of link-layer information 416 * including radio information. 417 */ 418#ifndef DLT_IEEE802_11_RADIO 419#define DLT_IEEE802_11_RADIO 127 420#endif 421 422/* 423 * Reserved for TZSP encapsulation. 424 */ 425#define DLT_TZSP 128 /* Tazmen Sniffer Protocol */ 426 427/* 428 * Reserved for Linux ARCNET. 429 */ 430#define DLT_ARCNET_LINUX 129 431 432/* 433 * Juniper-private data link types. 434 */ 435#define DLT_JUNIPER_MLPPP 130 436#define DLT_JUNIPER_MLFR 131 437#define DLT_JUNIPER_ES 132 438#define DLT_JUNIPER_GGSN 133 439#define DLT_JUNIPER_MFR 134 440#define DLT_JUNIPER_ATM2 135 441#define DLT_JUNIPER_SERVICES 136 442#define DLT_JUNIPER_ATM1 137 443 444/* 445 * Apple IP-over-IEEE 1394, as per a request from Dieter Siegmund 446 * <dieter@apple.com>. The header that's presented is an Ethernet-like 447 * header: 448 * 449 * #define FIREWIRE_EUI64_LEN 8 450 * struct firewire_header { 451 * u_char firewire_dhost[FIREWIRE_EUI64_LEN]; 452 * u_char firewire_shost[FIREWIRE_EUI64_LEN]; 453 * u_short firewire_type; 454 * }; 455 * 456 * with "firewire_type" being an Ethernet type value, rather than, 457 * for example, raw GASP frames being handed up. 458 */ 459#define DLT_APPLE_IP_OVER_IEEE1394 138 460 461/* 462 * Various SS7 encapsulations, as per a request from Jeff Morriss 463 * <jeff.morriss[AT]ulticom.com> and subsequent discussions. 464 */ 465#define DLT_MTP2_WITH_PHDR 139 /* pseudo-header with various info, followed by MTP2 */ 466#define DLT_MTP2 140 /* MTP2, without pseudo-header */ 467#define DLT_MTP3 141 /* MTP3, without pseudo-header or MTP2 */ 468#define DLT_SCCP 142 /* SCCP, without pseudo-header or MTP2 or MTP3 */ 469 470/* 471 * Reserved for DOCSIS. 472 */ 473#define DLT_DOCSIS 143 474 475/* 476 * Reserved for Linux IrDA. 477 */ 478#define DLT_LINUX_IRDA 144 479 480/* 481 * Reserved for IBM SP switch and IBM Next Federation switch. 482 */ 483#define DLT_IBM_SP 145 484#define DLT_IBM_SN 146 485 486/* 487 * Reserved for private use. If you have some link-layer header type 488 * that you want to use within your organization, with the capture files 489 * using that link-layer header type not ever be sent outside your 490 * organization, you can use these values. 491 * 492 * No libpcap release will use these for any purpose, nor will any 493 * tcpdump release use them, either. 494 * 495 * Do *NOT* use these in capture files that you expect anybody not using 496 * your private versions of capture-file-reading tools to read; in 497 * particular, do *NOT* use them in products, otherwise you may find that 498 * people won't be able to use tcpdump, or snort, or Ethereal, or... to 499 * read capture files from your firewall/intrusion detection/traffic 500 * monitoring/etc. appliance, or whatever product uses that DLT_ value, 501 * and you may also find that the developers of those applications will 502 * not accept patches to let them read those files. 503 * 504 * Also, do not use them if somebody might send you a capture using them 505 * for *their* private type and tools using them for *your* private type 506 * would have to read them. 507 * 508 * Instead, ask "tcpdump-workers@tcpdump.org" for a new DLT_ value, 509 * as per the comment above, and use the type you're given. 510 */ 511#define DLT_USER0 147 512#define DLT_USER1 148 513#define DLT_USER2 149 514#define DLT_USER3 150 515#define DLT_USER4 151 516#define DLT_USER5 152 517#define DLT_USER6 153 518#define DLT_USER7 154 519#define DLT_USER8 155 520#define DLT_USER9 156 521#define DLT_USER10 157 522#define DLT_USER11 158 523#define DLT_USER12 159 524#define DLT_USER13 160 525#define DLT_USER14 161 526#define DLT_USER15 162 527 528/* 529 * For future use with 802.11 captures - defined by AbsoluteValue 530 * Systems to store a number of bits of link-layer information 531 * including radio information: 532 * 533 * http://www.shaftnet.org/~pizza/software/capturefrm.txt 534 * 535 * but it might be used by some non-AVS drivers now or in the 536 * future. 537 */ 538#define DLT_IEEE802_11_RADIO_AVS 163 /* 802.11 plus AVS radio header */ 539 540/* 541 * Juniper-private data link type, as per request from 542 * Hannes Gredler <hannes@juniper.net>. The DLT_s are used 543 * for passing on chassis-internal metainformation such as 544 * QOS profiles, etc.. 545 */ 546#define DLT_JUNIPER_MONITOR 164 547 548/* 549 * Reserved for BACnet MS/TP. 550 */ 551#define DLT_BACNET_MS_TP 165 552 553/* 554 * Another PPP variant as per request from Karsten Keil <kkeil@suse.de>. 555 * 556 * This is used in some OSes to allow a kernel socket filter to distinguish 557 * between incoming and outgoing packets, on a socket intended to 558 * supply pppd with outgoing packets so it can do dial-on-demand and 559 * hangup-on-lack-of-demand; incoming packets are filtered out so they 560 * don't cause pppd to hold the connection up (you don't want random 561 * input packets such as port scans, packets from old lost connections, 562 * etc. to force the connection to stay up). 563 * 564 * The first byte of the PPP header (0xff03) is modified to accomodate 565 * the direction - 0x00 = IN, 0x01 = OUT. 566 */ 567#define DLT_PPP_PPPD 166 568 569/* 570 * Names for backwards compatibility with older versions of some PPP 571 * software; new software should use DLT_PPP_PPPD. 572 */ 573#define DLT_PPP_WITH_DIRECTION DLT_PPP_PPPD 574#define DLT_LINUX_PPP_WITHDIRECTION DLT_PPP_PPPD 575 576/* 577 * Juniper-private data link type, as per request from 578 * Hannes Gredler <hannes@juniper.net>. The DLT_s are used 579 * for passing on chassis-internal metainformation such as 580 * QOS profiles, cookies, etc.. 581 */ 582#define DLT_JUNIPER_PPPOE 167 583#define DLT_JUNIPER_PPPOE_ATM 168 584 585#define DLT_GPRS_LLC 169 /* GPRS LLC */ 586#define DLT_GPF_T 170 /* GPF-T (ITU-T G.7041/Y.1303) */ 587#define DLT_GPF_F 171 /* GPF-F (ITU-T G.7041/Y.1303) */ 588 589/* 590 * Requested by Oolan Zimmer <oz@gcom.com> for use in Gcom's T1/E1 line 591 * monitoring equipment. 592 */ 593#define DLT_GCOM_T1E1 172 594#define DLT_GCOM_SERIAL 173 595 596/* 597 * Juniper-private data link type, as per request from 598 * Hannes Gredler <hannes@juniper.net>. The DLT_ is used 599 * for internal communication to Physical Interface Cards (PIC) 600 */ 601#define DLT_JUNIPER_PIC_PEER 174 602 603/* 604 * Link types requested by Gregor Maier <gregor@endace.com> of Endace 605 * Measurement Systems. They add an ERF header (see 606 * http://www.endace.com/support/EndaceRecordFormat.pdf) in front of 607 * the link-layer header. 608 */ 609#define DLT_ERF_ETH 175 /* Ethernet */ 610#define DLT_ERF_POS 176 /* Packet-over-SONET */ 611 612/* 613 * Requested by Daniele Orlandi <daniele@orlandi.com> for raw LAPD 614 * for vISDN (http://www.orlandi.com/visdn/). Its link-layer header 615 * includes additional information before the LAPD header, so it's 616 * not necessarily a generic LAPD header. 617 */ 618#define DLT_LINUX_LAPD 177 619 620/* 621 * Juniper-private data link type, as per request from 622 * Hannes Gredler <hannes@juniper.net>. 623 * The DLT_ are used for prepending meta-information 624 * like interface index, interface name 625 * before standard Ethernet, PPP, Frelay & C-HDLC Frames 626 */ 627#define DLT_JUNIPER_ETHER 178 628#define DLT_JUNIPER_PPP 179 629#define DLT_JUNIPER_FRELAY 180 630#define DLT_JUNIPER_CHDLC 181 631 632/* 633 * Multi Link Frame Relay (FRF.16) 634 */ 635#define DLT_MFR 182 636 637/* 638 * Juniper-private data link type, as per request from 639 * Hannes Gredler <hannes@juniper.net>. 640 * The DLT_ is used for internal communication with a 641 * voice Adapter Card (PIC) 642 */ 643#define DLT_JUNIPER_VP 183 644 645/* 646 * Arinc 429 frames. 647 * DLT_ requested by Gianluca Varenni <gianluca.varenni@cacetech.com>. 648 * Every frame contains a 32bit A429 label. 649 * More documentation on Arinc 429 can be found at 650 * http://www.condoreng.com/support/downloads/tutorials/ARINCTutorial.pdf 651 */ 652#define DLT_A429 184 653 654/* 655 * Arinc 653 Interpartition Communication messages. 656 * DLT_ requested by Gianluca Varenni <gianluca.varenni@cacetech.com>. 657 * Please refer to the A653-1 standard for more information. 658 */ 659#define DLT_A653_ICM 185 660 661/* 662 * USB packets, beginning with a USB setup header; requested by 663 * Paolo Abeni <paolo.abeni@email.it>. 664 */ 665#define DLT_USB 186 666 667/* 668 * Bluetooth HCI UART transport layer (part H:4); requested by 669 * Paolo Abeni. 670 */ 671#define DLT_BLUETOOTH_HCI_H4 187 672 673/* 674 * IEEE 802.16 MAC Common Part Sublayer; requested by Maria Cruz 675 * <cruz_petagay@bah.com>. 676 */ 677#define DLT_IEEE802_16_MAC_CPS 188 678 679/* 680 * USB packets, beginning with a Linux USB header; requested by 681 * Paolo Abeni <paolo.abeni@email.it>. 682 */ 683#define DLT_USB_LINUX 189 684 685/* 686 * Controller Area Network (CAN) v. 2.0B packets. 687 * DLT_ requested by Gianluca Varenni <gianluca.varenni@cacetech.com>. 688 * Used to dump CAN packets coming from a CAN Vector board. 689 * More documentation on the CAN v2.0B frames can be found at 690 * http://www.can-cia.org/downloads/?269 691 */ 692#define DLT_CAN20B 190 693 694/* 695 * IEEE 802.15.4, with address fields padded, as is done by Linux 696 * drivers; requested by Juergen Schimmer. 697 */ 698#define DLT_IEEE802_15_4_LINUX 191 699 700/* 701 * Per Packet Information encapsulated packets. 702 * DLT_ requested by Gianluca Varenni <gianluca.varenni@cacetech.com>. 703 */ 704#define DLT_PPI 192 705 706/* 707 * Header for 802.16 MAC Common Part Sublayer plus a radiotap radio header; 708 * requested by Charles Clancy. 709 */ 710#define DLT_IEEE802_16_MAC_CPS_RADIO 193 711 712/* 713 * Juniper-private data link type, as per request from 714 * Hannes Gredler <hannes@juniper.net>. 715 * The DLT_ is used for internal communication with a 716 * integrated service module (ISM). 717 */ 718#define DLT_JUNIPER_ISM 194 719 720/* 721 * IEEE 802.15.4, exactly as it appears in the spec (no padding, no 722 * nothing); requested by Mikko Saarnivala <mikko.saarnivala@sensinode.com>. 723 */ 724#define DLT_IEEE802_15_4 195 725 726/* 727 * Various link-layer types, with a pseudo-header, for SITA 728 * (http://www.sita.aero/); requested by Fulko Hew (fulko.hew@gmail.com). 729 */ 730#define DLT_SITA 196 731 732/* 733 * Various link-layer types, with a pseudo-header, for Endace DAG cards; 734 * encapsulates Endace ERF records. Requested by Stephen Donnelly 735 * <stephen@endace.com>. 736 */ 737#define DLT_ERF 197 738 739/* 740 * Special header prepended to Ethernet packets when capturing from a 741 * u10 Networks board. Requested by Phil Mulholland 742 * <phil@u10networks.com>. 743 */ 744#define DLT_RAIF1 198 745 746/* 747 * IPMB packet for IPMI, beginning with the I2C slave address, followed 748 * by the netFn and LUN, etc.. Requested by Chanthy Toeung 749 * <chanthy.toeung@ca.kontron.com>. 750 */ 751#define DLT_IPMB 199 752 753/* 754 * Juniper-private data link type, as per request from 755 * Hannes Gredler <hannes@juniper.net>. 756 * The DLT_ is used for capturing data on a secure tunnel interface. 757 */ 758#define DLT_JUNIPER_ST 200 759 760/* 761 * Bluetooth HCI UART transport layer (part H:4), with pseudo-header 762 * that includes direction information; requested by Paolo Abeni. 763 */ 764#define DLT_BLUETOOTH_HCI_H4_WITH_PHDR 201 765 766/* 767 * AX.25 packet with a 1-byte KISS header; see 768 * 769 * http://www.ax25.net/kiss.htm 770 * 771 * as per Richard Stearn <richard@rns-stearn.demon.co.uk>. 772 */ 773#define DLT_AX25_KISS 202 774 775/* 776 * LAPD packets from an ISDN channel, starting with the address field, 777 * with no pseudo-header. 778 * Requested by Varuna De Silva <varunax@gmail.com>. 779 */ 780#define DLT_LAPD 203 781 782/* 783 * Variants of various link-layer headers, with a one-byte direction 784 * pseudo-header prepended - zero means "received by this host", 785 * non-zero (any non-zero value) means "sent by this host" - as per 786 * Will Barker <w.barker@zen.co.uk>. 787 */ 788#define DLT_PPP_WITH_DIR 204 /* PPP - don't confuse with DLT_PPP_WITH_DIRECTION */ 789#define DLT_C_HDLC_WITH_DIR 205 /* Cisco HDLC */ 790#define DLT_FRELAY_WITH_DIR 206 /* Frame Relay */ 791#define DLT_LAPB_WITH_DIR 207 /* LAPB */ 792 793/* 794 * 208 is reserved for an as-yet-unspecified proprietary link-layer 795 * type, as requested by Will Barker. 796 */ 797 798/* 799 * IPMB with a Linux-specific pseudo-header; as requested by Alexey Neyman 800 * <avn@pigeonpoint.com>. 801 */ 802#define DLT_IPMB_LINUX 209 803 804/* 805 * FlexRay automotive bus - http://www.flexray.com/ - as requested 806 * by Hannes Kaelber <hannes.kaelber@x2e.de>. 807 */ 808#define DLT_FLEXRAY 210 809 810/* 811 * Media Oriented Systems Transport (MOST) bus for multimedia 812 * transport - http://www.mostcooperation.com/ - as requested 813 * by Hannes Kaelber <hannes.kaelber@x2e.de>. 814 */ 815#define DLT_MOST 211 816 817/* 818 * Local Interconnect Network (LIN) bus for vehicle networks - 819 * http://www.lin-subbus.org/ - as requested by Hannes Kaelber 820 * <hannes.kaelber@x2e.de>. 821 */ 822#define DLT_LIN 212 823 824/* 825 * X2E-private data link type used for serial line capture, 826 * as requested by Hannes Kaelber <hannes.kaelber@x2e.de>. 827 */ 828#define DLT_X2E_SERIAL 213 829 830/* 831 * X2E-private data link type used for the Xoraya data logger 832 * family, as requested by Hannes Kaelber <hannes.kaelber@x2e.de>. 833 */ 834#define DLT_X2E_XORAYA 214 835 836/* 837 * IEEE 802.15.4, exactly as it appears in the spec (no padding, no 838 * nothing), but with the PHY-level data for non-ASK PHYs (4 octets 839 * of 0 as preamble, one octet of SFD, one octet of frame length+ 840 * reserved bit, and then the MAC-layer data, starting with the 841 * frame control field). 842 * 843 * Requested by Max Filippov <jcmvbkbc@gmail.com>. 844 */ 845#define DLT_IEEE802_15_4_NONASK_PHY 215 846 847/* 848 * David Gibson <david@gibson.dropbear.id.au> requested this for 849 * captures from the Linux kernel /dev/input/eventN devices. This 850 * is used to communicate keystrokes and mouse movements from the 851 * Linux kernel to display systems, such as Xorg. 852 */ 853#define DLT_LINUX_EVDEV 216 854 855/* 856 * GSM Um and Abis interfaces, preceded by a "gsmtap" header. 857 * 858 * Requested by Harald Welte <laforge@gnumonks.org>. 859 */ 860#define DLT_GSMTAP_UM 217 861#define DLT_GSMTAP_ABIS 218 862 863/* 864 * MPLS, with an MPLS label as the link-layer header. 865 * Requested by Michele Marchetto <michele@openbsd.org> on behalf 866 * of OpenBSD. 867 */ 868#define DLT_MPLS 219 869 870/* 871 * USB packets, beginning with a Linux USB header, with the USB header 872 * padded to 64 bytes; required for memory-mapped access. 873 */ 874#define DLT_USB_LINUX_MMAPPED 220 875 876/* 877 * DECT packets, with a pseudo-header; requested by 878 * Matthias Wenzel <tcpdump@mazzoo.de>. 879 */ 880#define DLT_DECT 221 881/* 882 * From: "Lidwa, Eric (GSFC-582.0)[SGT INC]" <eric.lidwa-1@nasa.gov> 883 * Date: Mon, 11 May 2009 11:18:30 -0500 884 * 885 * DLT_AOS. We need it for AOS Space Data Link Protocol. 886 * I have already written dissectors for but need an OK from 887 * legal before I can submit a patch. 888 * 889 */ 890#define DLT_AOS 222 891 892/* 893 * Wireless HART (Highway Addressable Remote Transducer) 894 * From the HART Communication Foundation 895 * IES/PAS 62591 896 * 897 * Requested by Sam Roberts <vieuxtech@gmail.com>. 898 */ 899#define DLT_WIHART 223 900 901/* 902 * Fibre Channel FC-2 frames, beginning with a Frame_Header. 903 * Requested by Kahou Lei <kahou82@gmail.com>. 904 */ 905#define DLT_FC_2 224 906 907/* 908 * Fibre Channel FC-2 frames, beginning with an encoding of the 909 * SOF, and ending with an encoding of the EOF. 910 * 911 * The encodings represent the frame delimiters as 4-byte sequences 912 * representing the corresponding ordered sets, with K28.5 913 * represented as 0xBC, and the D symbols as the corresponding 914 * byte values; for example, SOFi2, which is K28.5 - D21.5 - D1.2 - D21.2, 915 * is represented as 0xBC 0xB5 0x55 0x55. 916 * 917 * Requested by Kahou Lei <kahou82@gmail.com>. 918 */ 919#define DLT_FC_2_WITH_FRAME_DELIMS 225 920/* 921 * Solaris ipnet pseudo-header; requested by Darren Reed <Darren.Reed@Sun.COM>. 922 * 923 * The pseudo-header starts with a one-byte version number; for version 2, 924 * the pseudo-header is: 925 * 926 * struct dl_ipnetinfo { 927 * u_int8_t dli_version; 928 * u_int8_t dli_family; 929 * u_int16_t dli_htype; 930 * u_int32_t dli_pktlen; 931 * u_int32_t dli_ifindex; 932 * u_int32_t dli_grifindex; 933 * u_int32_t dli_zsrc; 934 * u_int32_t dli_zdst; 935 * }; 936 * 937 * dli_version is 2 for the current version of the pseudo-header. 938 * 939 * dli_family is a Solaris address family value, so it's 2 for IPv4 940 * and 26 for IPv6. 941 * 942 * dli_htype is a "hook type" - 0 for incoming packets, 1 for outgoing 943 * packets, and 2 for packets arriving from another zone on the same 944 * machine. 945 * 946 * dli_pktlen is the length of the packet data following the pseudo-header 947 * (so the captured length minus dli_pktlen is the length of the 948 * pseudo-header, assuming the entire pseudo-header was captured). 949 * 950 * dli_ifindex is the interface index of the interface on which the 951 * packet arrived. 952 * 953 * dli_grifindex is the group interface index number (for IPMP interfaces). 954 * 955 * dli_zsrc is the zone identifier for the source of the packet. 956 * 957 * dli_zdst is the zone identifier for the destination of the packet. 958 * 959 * A zone number of 0 is the global zone; a zone number of 0xffffffff 960 * means that the packet arrived from another host on the network, not 961 * from another zone on the same machine. 962 * 963 * An IPv4 or IPv6 datagram follows the pseudo-header; dli_family indicates 964 * which of those it is. 965 */ 966#define DLT_IPNET 226 967 968/* 969 * CAN (Controller Area Network) frames, with a pseudo-header as supplied 970 * by Linux SocketCAN. See Documentation/networking/can.txt in the Linux 971 * source. 972 * 973 * Requested by Felix Obenhuber <felix@obenhuber.de>. 974 */ 975#define DLT_CAN_SOCKETCAN 227 976 977/* 978 * Raw IPv4/IPv6; different from DLT_RAW in that the DLT_ value specifies 979 * whether it's v4 or v6. Requested by Darren Reed <Darren.Reed@Sun.COM>. 980 */ 981#define DLT_IPV4 228 982#define DLT_IPV6 229 983 984/* 985 * DLT and savefile link type values are split into a class and 986 * a member of that class. A class value of 0 indicates a regular 987 * DLT_/LINKTYPE_ value. 988 */ 989#define DLT_CLASS(x) ((x) & 0x03ff0000) 990 991/* 992 * The instruction encodings. 993 */ 994/* instruction classes */ 995#define BPF_CLASS(code) ((code) & 0x07) 996#define BPF_LD 0x00 997#define BPF_LDX 0x01 998#define BPF_ST 0x02 999#define BPF_STX 0x03 1000#define BPF_ALU 0x04 1001#define BPF_JMP 0x05 1002#define BPF_RET 0x06 1003#define BPF_MISC 0x07 1004 1005/* ld/ldx fields */ 1006#define BPF_SIZE(code) ((code) & 0x18) 1007#define BPF_W 0x00 1008#define BPF_H 0x08 1009#define BPF_B 0x10 1010#define BPF_MODE(code) ((code) & 0xe0) 1011#define BPF_IMM 0x00 1012#define BPF_ABS 0x20 1013#define BPF_IND 0x40 1014#define BPF_MEM 0x60 1015#define BPF_LEN 0x80 1016#define BPF_MSH 0xa0 1017 1018/* alu/jmp fields */ 1019#define BPF_OP(code) ((code) & 0xf0) 1020#define BPF_ADD 0x00 1021#define BPF_SUB 0x10 1022#define BPF_MUL 0x20 1023#define BPF_DIV 0x30 1024#define BPF_OR 0x40 1025#define BPF_AND 0x50 1026#define BPF_LSH 0x60 1027#define BPF_RSH 0x70 1028#define BPF_NEG 0x80 1029#define BPF_JA 0x00 1030#define BPF_JEQ 0x10 1031#define BPF_JGT 0x20 1032#define BPF_JGE 0x30 1033#define BPF_JSET 0x40 1034#define BPF_SRC(code) ((code) & 0x08) 1035#define BPF_K 0x00 1036#define BPF_X 0x08 1037 1038/* ret - BPF_K and BPF_X also apply */ 1039#define BPF_RVAL(code) ((code) & 0x18) 1040#define BPF_A 0x10 1041 1042/* misc */ 1043#define BPF_MISCOP(code) ((code) & 0xf8) 1044#define BPF_TAX 0x00 1045#define BPF_TXA 0x80 1046 1047/* 1048 * The instruction data structure. 1049 */ 1050struct bpf_insn { 1051 u_short code; 1052 u_char jt; 1053 u_char jf; 1054 bpf_u_int32 k; 1055}; 1056 1057/* 1058 * Macros for insn array initializers. 1059 */ 1060#define BPF_STMT(code, k) { (u_short)(code), 0, 0, k } 1061#define BPF_JUMP(code, k, jt, jf) { (u_short)(code), jt, jf, k } 1062 1063/* 1064 * Structure to retrieve available DLTs for the interface. 1065 */ 1066struct bpf_dltlist { 1067 u_int bfl_len; /* number of bfd_list array */ 1068 u_int *bfl_list; /* array of DLTs */ 1069}; 1070 1071#ifdef _KERNEL 1072#ifdef MALLOC_DECLARE 1073MALLOC_DECLARE(M_BPF); 1074#endif 1075#ifdef SYSCTL_DECL 1076SYSCTL_DECL(_net_bpf); 1077#endif 1078 1079/* 1080 * Rotate the packet buffers in descriptor d. Move the store buffer into the 1081 * hold slot, and the free buffer ino the store slot. Zero the length of the 1082 * new store buffer. Descriptor lock should be held. 1083 */ 1084#define ROTATE_BUFFERS(d) do { \ 1085 (d)->bd_hbuf = (d)->bd_sbuf; \ 1086 (d)->bd_hlen = (d)->bd_slen; \ 1087 (d)->bd_sbuf = (d)->bd_fbuf; \ 1088 (d)->bd_slen = 0; \ 1089 (d)->bd_fbuf = NULL; \ 1090 bpf_bufheld(d); \ 1091} while (0) 1092 1093/* 1094 * Descriptor associated with each attached hardware interface. 1095 * FIXME: this structure is exposed to external callers to speed up 1096 * bpf_peers_present() call. However we cover all fields not needed by 1097 * this function via BPF_INTERNAL define 1098 */ 1099struct bpf_if { 1100 LIST_ENTRY(bpf_if) bif_next; /* list of all interfaces */ 1101 LIST_HEAD(, bpf_d) bif_dlist; /* descriptor list */ 1102#ifdef BPF_INTERNAL 1103 u_int bif_dlt; /* link layer type */ 1104 u_int bif_hdrlen; /* length of link header */ 1105 struct ifnet *bif_ifp; /* corresponding interface */ 1106 struct rwlock bif_lock; /* interface lock */ 1107#endif 1108}; 1109 1110void bpf_bufheld(struct bpf_d *d); 1111int bpf_validate(const struct bpf_insn *, int); 1112void bpf_tap(struct bpf_if *, u_char *, u_int); 1113void bpf_mtap(struct bpf_if *, struct mbuf *); 1114void bpf_mtap2(struct bpf_if *, void *, u_int, struct mbuf *); 1115void bpfattach(struct ifnet *, u_int, u_int); 1116void bpfattach2(struct ifnet *, u_int, u_int, struct bpf_if **); 1117void bpfdetach(struct ifnet *); 1118 1119void bpfilterattach(int); 1120u_int bpf_filter(const struct bpf_insn *, u_char *, u_int, u_int); 1121 1122static __inline int 1123bpf_peers_present(struct bpf_if *bpf) 1124{ 1125 1126 if (!LIST_EMPTY(&bpf->bif_dlist)) 1127 return (1); 1128 return (0); 1129} 1130 1131#define BPF_TAP(_ifp,_pkt,_pktlen) do { \ 1132 if (bpf_peers_present((_ifp)->if_bpf)) \ 1133 bpf_tap((_ifp)->if_bpf, (_pkt), (_pktlen)); \ 1134} while (0) 1135#define BPF_MTAP(_ifp,_m) do { \ 1136 if (bpf_peers_present((_ifp)->if_bpf)) { \ 1137 M_ASSERTVALID(_m); \ 1138 bpf_mtap((_ifp)->if_bpf, (_m)); \ 1139 } \ 1140} while (0) 1141#define BPF_MTAP2(_ifp,_data,_dlen,_m) do { \ 1142 if (bpf_peers_present((_ifp)->if_bpf)) { \ 1143 M_ASSERTVALID(_m); \ 1144 bpf_mtap2((_ifp)->if_bpf,(_data),(_dlen),(_m)); \ 1145 } \ 1146} while (0) 1147#endif 1148 1149/* 1150 * Number of scratch memory words (for BPF_LD|BPF_MEM and BPF_ST). 1151 */ 1152#define BPF_MEMWORDS 16 1153 1154#endif /* _NET_BPF_H_ */ 1155