The Tcpdump Group git mirrors - libpcap/blob - pcap-linktype.4

   1 .\" @(#) $Header: /tcpdump/master/libpcap/Attic/pcap-linktype.4,v 1.1.2.1 2008-04-05 20:21:09 guy Exp $
   2 .\"
   3 .\" Copyright (c) 1987, 1988, 1989, 1990, 1991, 1992, 1994, 1995, 1996, 1997
   4 .\"     The Regents of the University of California.  All rights reserved.
   5 .\" All rights reserved.
   6 .\"
   7 .\" Redistribution and use in source and binary forms, with or without
   8 .\" modification, are permitted provided that: (1) source code distributions
   9 .\" retain the above copyright notice and this paragraph in its entirety, (2)
  10 .\" distributions including binary code include the above copyright notice and
  11 .\" this paragraph in its entirety in the documentation or other materials
  12 .\" provided with the distribution, and (3) all advertising materials mentioning
  13 .\" features or use of this software display the following acknowledgement:
  14 .\" ``This product includes software developed by the University of California,
  15 .\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
  16 .\" the University nor the names of its contributors may be used to endorse
  17 .\" or promote products derived from this software without specific prior
  18 .\" written permission.
  19 .\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
  20 .\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
  21 .\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
  22 .\"
  23 .TH PCAP-LINKTYPE 4 "4 April 2008"
  24 .SH NAME
  25 pcap-linktype \- link-layer header types supported by libpcap
  26 .SH DESCRIPTION
  27 Libpcap supplies for a live capture or ``savefile'' value that indicates
  28 the type of link-layer header at the beginning of the packets it
  29 provides.  This is not necessarily the type of link-layer header that
  30 the packets being captured have on the network from which they're being
  31 captured; for example, packets from an IEEE 802.11 network might be
  32 provided by libpcap with Ethernet headers that the network adapter or
  33 the network adapter driver generates from the 802.11 headers.
  34 .PP
  35 The link-layer header types supported by libpcap are:
  36 .RS 5
  37 .TP 5
  38 .B DLT_NULL
  39 BSD loopback encapsulation; the link layer header is a 4-byte field, in
  40 .I host
  41 byte order, containing a PF_ value from
  42 .B socket.h
  43 for the network-layer protocol of the packet.
  44 .IP
  45 Note that ``host byte order'' is the byte order of the machine on which
  46 the packets are captured, and the PF_ values are for the OS of the
  47 machine on which the packets are captured; if a live capture is being
  48 done, ``host byte order'' is the byte order of the machine capturing the
  49 packets, and the PF_ values are those of the OS of the machine capturing
  50 the packets, but if a ``savefile'' is being read, the byte order and PF_
  51 values are
  52 .I not
  53 necessarily those of the machine reading the capture file.
  54 .TP 5
  55 .B DLT_EN10MB
  56 Ethernet (10Mb, 100Mb, 1000Mb, and up)
  57 .TP 5
  58 .B DLT_IEEE802
  59 IEEE 802.5 Token Ring
  60 .TP 5
  61 .B DLT_ARCNET
  62 ARCNET
  63 .TP 5
  64 .B DLT_SLIP
  65 SLIP; the link layer header contains, in order:
  66 .RS 10
  67 .LP
  68 a 1-byte flag, which is 0 for packets received by the machine and 1 for
  69 packets sent by the machine;
  70 .LP
  71 a 1-byte field, the upper 4 bits of which indicate the type of packet,
  72 as per RFC 1144:
  73 .RS 5
  74 .TP 5
  75 0x40
  76 an unmodified IP datagram (TYPE_IP);
  77 .TP 5
  78 0x70
  79 an uncompressed-TCP IP datagram (UNCOMPRESSED_TCP), with that byte being
  80 the first byte of the raw IP header on the wire, containing the
  81 connection number in the protocol field;
  82 .TP 5
  83 0x80
  84 a compressed-TCP IP datagram (COMPRESSED_TCP), with that byte being the
  85 first byte of the compressed TCP/IP datagram header;
  86 .RE
  87 .LP
  88 for UNCOMPRESSED_TCP, the rest of the modified IP header, and for
  89 COMPRESSED_TCP, the compressed TCP/IP datagram header;
  90 .RE
  91 .RS 5
  92 .LP
  93 for a total of 16 bytes; the uncompressed IP datagram follows the header.
  94 .RE
  95 .TP 5
  96 .B DLT_PPP
  97 PPP; if the first 2 bytes are 0xff and 0x03, it's PPP in HDLC-like
  98 framing, with the PPP header following those two bytes, otherwise it's
  99 PPP without framing, and the packet begins with the PPP header.
 100 .TP 5
 101 .B DLT_FDDI
 102 FDDI
 103 .TP 5
 104 .B DLT_ATM_RFC1483
 105 RFC 1483 LLC/SNAP-encapsulated ATM; the packet begins with an IEEE 802.2
 106 LLC header.
 107 .TP 5
 108 .B DLT_RAW
 109 raw IP; the packet begins with an IP header.
 110 .TP 5
 111 .B DLT_PPP_SERIAL
 112 PPP in HDLC-like framing, as per RFC 1662, or Cisco PPP with HDLC
 113 framing, as per section 4.3.1 of RFC 1547; the first byte will be 0xFF
 114 for PPP in HDLC-like framing, and will be 0x0F or 0x8F for Cisco PPP
 115 with HDLC framing.
 116 .TP 5
 117 .B DLT_PPP_ETHER
 118 PPPoE; the packet begins with a PPPoE header, as per RFC 2516.
 119 .TP 5
 120 .B DLT_C_HDLC
 121 Cisco PPP with HDLC framing, as per section 4.3.1 of RFC 1547.
 122 .TP 5
 123 .B DLT_IEEE802_11
 124 IEEE 802.11 wireless LAN
 125 .TP 5
 126 .B DLT_FRELAY
 127 Frame Relay
 128 .TP 5
 129 .B DLT_LOOP
 130 OpenBSD loopback encapsulation; the link layer header is a 4-byte field, in
 131 .I network
 132 byte order, containing a PF_ value from OpenBSD's
 133 .B socket.h
 134 for the network-layer protocol of the packet.
 135 .IP
 136 Note that, if a ``savefile'' is being read, those PF_ values are
 137 .I not
 138 necessarily those of the machine reading the capture file.
 139 .TP 5
 140 .B DLT_LINUX_SLL
 141 Linux "cooked" capture encapsulation; the link layer header contains, in
 142 order:
 143 .RS 10
 144 .LP
 145 a 2-byte "packet type", in network byte order, which is one of:
 146 .RS 5
 147 .TP 5
 148 0
 149 packet was sent to us by somebody else
 150 .TP 5
 151 1
 152 packet was broadcast by somebody else
 153 .TP 5
 154 2
 155 packet was multicast, but not broadcast, by somebody else
 156 .TP 5
 157 3
 158 packet was sent by somebody else to somebody else
 159 .TP 5
 160 4
 161 packet was sent by us
 162 .RE
 163 .LP
 164 a 2-byte field, in network byte order, containing a Linux ARPHRD_ value
 165 for the link layer device type;
 166 .LP
 167 a 2-byte field, in network byte order, containing the length of the
 168 link layer address of the sender of the packet (which could be 0);
 169 .LP
 170 an 8-byte field containing that number of bytes of the link layer header
 171 (if there are more than 8 bytes, only the first 8 are present);
 172 .LP
 173 a 2-byte field containing an Ethernet protocol type, in network byte
 174 order, or containing 1 for Novell 802.3 frames without an 802.2 LLC
 175 header or 4 for frames beginning with an 802.2 LLC header.
 176 .RE
 177 .TP 5
 178 .B DLT_LTALK
 179 Apple LocalTalk; the packet begins with an AppleTalk LLAP header.
 180 .TP 5
 181 .B DLT_PFLOG
 182 OpenBSD pflog; the link layer header contains, in order:
 183 .RS 10
 184 .LP
 185 a 1-byte header length, in host byte order;
 186 .LP
 187 a 4-byte PF_ value, in host byte order;
 188 .LP
 189 a 2-byte action code, in network byte order, which is one of:
 190 .RS 5
 191 .TP 5
 192 0
 193 passed
 194 .TP 5
 195 1
 196 dropped
 197 .TP 5
 198 2
 199 scrubbed
 200 .RE
 201 .LP
 202 a 2-byte reason code, in network byte order, which is one of:
 203 .RS 5
 204 .TP 5
 205 0
 206 match
 207 .TP 5
 208 1
 209 bad offset
 210 .TP 5
 211 2
 212 fragment
 213 .TP 5
 214 3
 215 short
 216 .TP 5
 217 4
 218 normalize
 219 .TP 5
 220 5
 221 memory
 222 .RE
 223 .LP
 224 a 16-character interface name;
 225 .LP
 226 a 16-character ruleset name (only meaningful if subrule is set);
 227 .LP
 228 a 4-byte rule number, in network byte order;
 229 .LP
 230 a 4-byte subrule number, in network byte order;
 231 .LP
 232 a 1-byte direction, in network byte order, which is one of:
 233 .RS 5
 234 .TP 5
 235 0
 236 incoming or outgoing
 237 .TP 5
 238 1
 239 incoming
 240 .TP 5
 241 2
 242 outgoing
 243 .RE
 244 .RE
 245 .TP 5
 246 .B DLT_PRISM_HEADER
 247 Prism monitor mode information followed by an 802.11 header.
 248 .TP 5
 249 .B DLT_IP_OVER_FC
 250 RFC 2625 IP-over-Fibre Channel, with the link-layer header being the
 251 Network_Header as described in that RFC.
 252 .TP 5
 253 .B DLT_SUNATM
 254 SunATM devices; the link layer header contains, in order:
 255 .RS 10
 256 .LP
 257 a 1-byte flag field, containing a direction flag in the uppermost bit,
 258 which is set for packets transmitted by the machine and clear for
 259 packets received by the machine, and a 4-byte traffic type in the
 260 low-order 4 bits, which is one of:
 261 .RS 5
 262 .TP 5
 263 0
 264 raw traffic
 265 .TP 5
 266 1
 267 LANE traffic
 268 .TP 5
 269 2
 270 LLC-encapsulated traffic
 271 .TP 5
 272 3
 273 MARS traffic
 274 .TP 5
 275 4
 276 IFMP traffic
 277 .TP 5
 278 5
 279 ILMI traffic
 280 .TP 5
 281 6
 282 Q.2931 traffic
 283 .RE
 284 .LP
 285 a 1-byte VPI value;
 286 .LP
 287 a 2-byte VCI field, in network byte order.
 288 .RE
 289 .TP 5
 290 .B DLT_IEEE802_11_RADIO
 291 link-layer information followed by an 802.11 header - see
 292 http://www.shaftnet.org/~pizza/software/capturefrm.txt for a description
 293 of the link-layer information.
 294 .TP 5
 295 .B DLT_ARCNET_LINUX
 296 ARCNET, with no exception frames, reassembled packets rather than raw
 297 frames, and an extra 16-bit offset field between the destination host
 298 and type bytes.
 299 .TP 5
 300 .B DLT_LINUX_IRDA
 301 Linux-IrDA packets, with a
 302 .B DLT_LINUX_SLL
 303 header followed by the IrLAP header.
 304 .TP 5
 305 .B DLT_LINUX_LAPD
 306 LAPD (Q.921) frames, with a
 307 .B DLT_LINUX_SLL
 308 header captured via vISDN.
 309 .RE