#include "config.h"
#endif
-#ifdef WIN32
+#ifdef _WIN32
#include <pcap-stdinc.h>
-#else /* WIN32 */
+#else /* _WIN32 */
#if HAVE_INTTYPES_H
#include <inttypes.h>
#elif HAVE_STDINT_H
#include <sys/bitypes.h>
#endif
#include <sys/types.h>
-#endif /* WIN32 */
+#endif /* _WIN32 */
#include "pcap-int.h"
#include "pcap/usb.h"
+#include "pcap/nflog.h"
#include "pcap-common.h"
* file, and new values after that one might have been assigned. Also,
* do *NOT* use any values below 100 - those might already have been
* taken by one (or more!) organizations.
+ *
+ * Any platform that defines additional DLT_* codes should:
+ *
+ * request a LINKTYPE_* code and value from tcpdump.org,
+ * as per the above;
+ *
+ * add, in their version of libpcap, an entry to map
+ * those DLT_* codes to the corresponding LINKTYPE_*
+ * code;
+ *
+ * redefine, in their "net/bpf.h", any DLT_* values
+ * that collide with the values used by their additional
+ * DLT_* codes, to remove those collisions (but without
+ * making them collide with any of the LINKTYPE_*
+ * values equal to 50 or above; they should also avoid
+ * defining DLT_* values that collide with those
+ * LINKTYPE_* values, either).
*/
#define LINKTYPE_NULL DLT_NULL
#define LINKTYPE_ETHERNET DLT_EN10MB /* also for 100Mb and up */
#define LINKTYPE_AX25 DLT_AX25
#define LINKTYPE_PRONET DLT_PRONET
#define LINKTYPE_CHAOS DLT_CHAOS
-#define LINKTYPE_TOKEN_RING DLT_IEEE802 /* DLT_IEEE802 is used for Token Ring */
+#define LINKTYPE_IEEE802_5 DLT_IEEE802 /* DLT_IEEE802 is used for 802.5 Token Ring */
#define LINKTYPE_ARCNET_BSD DLT_ARCNET /* BSD-style headers */
#define LINKTYPE_SLIP DLT_SLIP
#define LINKTYPE_PPP DLT_PPP
#define LINKTYPE_SYMANTEC_FIREWALL 99 /* Symantec Enterprise Firewall */
+/*
+ * These correspond to DLT_s that have different values on different
+ * platforms; we map between these values in capture files and
+ * the DLT_ values as returned by pcap_datalink() and passed to
+ * pcap_open_dead().
+ */
#define LINKTYPE_ATM_RFC1483 100 /* LLC/SNAP-encapsulated ATM */
#define LINKTYPE_RAW 101 /* raw IP */
#define LINKTYPE_SLIP_BSDOS 102 /* BSD/OS SLIP BPF header */
#define LINKTYPE_PPP_BSDOS 103 /* BSD/OS PPP BPF header */
+
+/*
+ * Values starting with 104 are used for newly-assigned link-layer
+ * header type values; for those link-layer header types, the DLT_
+ * value returned by pcap_datalink() and passed to pcap_open_dead(),
+ * and the LINKTYPE_ value that appears in capture files, are the
+ * same.
+ *
+ * LINKTYPE_MATCHING_MIN is the lowest such value; LINKTYPE_MATCHING_MAX
+ * is the highest such value.
+ */
+#define LINKTYPE_MATCHING_MIN 104 /* lowest value in the "matching" range */
+
#define LINKTYPE_C_HDLC 104 /* Cisco HDLC */
#define LINKTYPE_IEEE802_11 105 /* IEEE 802.11 (wireless) */
#define LINKTYPE_ATM_CLIP 106 /* Linux Classical IP over ATM */
#define LINKTYPE_PFLOG 117 /* OpenBSD DLT_PFLOG */
#define LINKTYPE_CISCO_IOS 118 /* For Cisco-internal use */
-#define LINKTYPE_PRISM_HEADER 119 /* 802.11+Prism II monitor mode */
-#define LINKTYPE_AIRONET_HEADER 120 /* FreeBSD Aironet driver stuff */
+#define LINKTYPE_IEEE802_11_PRISM 119 /* 802.11 plus Prism II monitor mode radio metadata header */
+#define LINKTYPE_IEEE802_11_AIRONET 120 /* 802.11 plus FreeBSD Aironet driver radio metadata header */
/*
* Reserved for Siemens HiPath HDLC.
#define LINKTYPE_PCI_EXP 125 /* PCI Express */
#define LINKTYPE_AURORA 126 /* Xilinx Aurora link layer */
-#define LINKTYPE_IEEE802_11_RADIO 127 /* 802.11 plus BSD radio header */
+#define LINKTYPE_IEEE802_11_RADIOTAP 127 /* 802.11 plus radiotap radio metadata header */
/*
* Reserved for the TZSP encapsulation, as per request from
* including radio information:
*
* http://www.shaftnet.org/~pizza/software/capturefrm.txt
- *
- * but could and arguably should also be used by non-AVS Linux
- * 802.11 drivers; that may happen in the future.
*/
-#define LINKTYPE_IEEE802_11_RADIO_AVS 163 /* 802.11 plus AVS radio header */
+#define LINKTYPE_IEEE802_11_AVS 163 /* 802.11 plus AVS radio metadata header */
/*
* Juniper-private data link type, as per request from
#define LINKTYPE_JUNIPER_MONITOR 164
/*
- * Reserved for BACnet MS/TP.
+ * BACnet MS/TP frames.
*/
#define LINKTYPE_BACNET_MS_TP 165
#define LINKTYPE_GPRS_LLC 169 /* GPRS LLC */
#define LINKTYPE_GPF_T 170 /* GPF-T (ITU-T G.7041/Y.1303) */
-#define LINKTYPE_GPF_F 171 /* GPF-T (ITU-T G.7041/Y.1303) */
+#define LINKTYPE_GPF_F 171 /* GPF-F (ITU-T G.7041/Y.1303) */
/*
/*
* Juniper-private data link type, as per request from
* The Link Types are used for prepending meta-information
* like interface index, interface name
* before standard Ethernet, PPP, Frelay & C-HDLC Frames
/*
* Juniper-private data link type, as per request from
* The DLT_ is used for internal communication with a
* voice Adapter Card (PIC)
*/
#define LINKTYPE_A653_ICM 185
/*
- * USB packets, beginning with a USB setup header; requested by
+ * This used to be "USB packets, beginning with a USB setup header;
+ *
+ * However, that header didn't work all that well - it left out some
+ * useful information - and was abandoned in favor of the DLT_USB_LINUX
+ * header.
+ *
+ * This is now used by FreeBSD for its BPF taps for USB; that has its
+ * own headers. So it is written, so it is done.
*/
-#define LINKTYPE_USB 186
+#define LINKTYPE_USB_FREEBSD 186
/*
* Bluetooth HCI UART transport layer (part H:4); requested by
/*
* Juniper-private data link type, as per request from
* The DLT_ is used for internal communication with a
* integrated service module (ISM).
*/
/*
* Juniper-private data link type, as per request from
* The DLT_ is used for capturing data on a secure tunnel interface.
*/
#define LINKTYPE_JUNIPER_ST 200
* IPMB with a Linux-specific pseudo-header; as requested by Alexey Neyman
*/
-#define LINKTYPE_IPMB_LINUX 209
+#define LINKTYPE_IPMB_LINUX 209
/*
* FlexRay automotive bus - http://www.flexray.com/ - as requested
*/
-#define LINKTYPE_FLEXRAY 210
+#define LINKTYPE_FLEXRAY 210
/*
* Media Oriented Systems Transport (MOST) bus for multimedia
* transport - http://www.mostcooperation.com/ - as requested
*/
-#define LINKTYPE_MOST 211
+#define LINKTYPE_MOST 211
/*
* Local Interconnect Network (LIN) bus for vehicle networks -
* http://www.lin-subbus.org/ - as requested by Hannes Kaelber
*/
-#define LINKTYPE_LIN 212
+#define LINKTYPE_LIN 212
/*
* X2E-private data link type used for serial line capture,
*/
-#define LINKTYPE_X2E_SERIAL 213
+#define LINKTYPE_X2E_SERIAL 213
/*
* X2E-private data link type used for the Xoraya data logger
*/
-#define LINKTYPE_X2E_XORAYA 214
+#define LINKTYPE_X2E_XORAYA 214
/*
* IEEE 802.15.4, exactly as it appears in the spec (no padding, no
*/
#define LINKTYPE_IEEE802_15_4_NONASK_PHY 215
-/*
+/*
* captures from the Linux kernel /dev/input/eventN devices. This
* is used to communicate keystrokes and mouse movements from the
- * Linux kernel to display systems, such as Xorg.
+ * Linux kernel to display systems, such as Xorg.
*/
-#define LINKTYPE_LINUX_EVDEV 216
+#define LINKTYPE_LINUX_EVDEV 216
/*
* GSM Um and Abis interfaces, preceded by a "gsmtap" header.
*
*/
-#define LINKTYPE_GSMTAP_UM 217
-#define LINKTYPE_GSMTAP_ABIS 218
+#define LINKTYPE_GSMTAP_UM 217
+#define LINKTYPE_GSMTAP_ABIS 218
/*
* MPLS, with an MPLS label as the link-layer header.
* of OpenBSD.
*/
-#define LINKTYPE_MPLS 219
+#define LINKTYPE_MPLS 219
/*
* USB packets, beginning with a Linux USB header, with the USB header
* DECT packets, with a pseudo-header; requested by
*/
-#define LINKTYPE_DECT 221
+#define LINKTYPE_DECT 221
/*
* legal before I can submit a patch.
*
*/
-#define LINKTYPE_AOS 222
+#define LINKTYPE_AOS 222
/*
* Wireless HART (Highway Addressable Remote Transducer)
*
*/
-#define LINKTYPE_WIHART 223
+#define LINKTYPE_WIHART 223
/*
* Fibre Channel FC-2 frames, beginning with a Frame_Header.
*/
-#define LINKTYPE_FC_2 224
+#define LINKTYPE_FC_2 224
/*
* Fibre Channel FC-2 frames, beginning with an encoding of the
* An IPv4 or IPv6 datagram follows the pseudo-header; dli_family indicates
* which of those it is.
*/
-#define LINKTYPE_IPNET 226
+#define LINKTYPE_IPNET 226
/*
* CAN (Controller Area Network) frames, with a pseudo-header as supplied
*
*/
-#define LINKTYPE_CAN_SOCKETCAN 227
+#define LINKTYPE_CAN_SOCKETCAN 227
/*
* Raw IPv4/IPv6; different from DLT_RAW in that the DLT_ value specifies
*/
-#define LINKTYPE_IPV4 228
-#define LINKTYPE_IPV6 229
+#define LINKTYPE_IPV4 228
+#define LINKTYPE_IPV6 229
/*
* IEEE 802.15.4, exactly as it appears in the spec (no padding, no
*
*/
-#define LINKTYPE_DBUS 231
+#define LINKTYPE_DBUS 231
/*
* Juniper-private data link type, as per request from
*/
#define LINKTYPE_JUNIPER_VS 232
#define LINKTYPE_JUNIPER_SRX_E2E 233
*
*/
-#define LINKTYPE_DVB_CI 235
+#define LINKTYPE_DVB_CI 235
/*
* Variant of 3GPP TS 27.010 multiplexing protocol. Requested
*/
-#define LINKTYPE_MUX27010 236
+#define LINKTYPE_MUX27010 236
/*
* STANAG 5066 D_PDUs. Requested by M. Baris Demiray
/*
* Juniper-private data link type, as per request from
*/
#define LINKTYPE_JUNIPER_ATM_CEMIC 238
/*
- * NetFilter LOG messages
+ * NetFilter LOG messages
* (payload of netlink NFNL_SUBSYS_ULOG/NFULNL_MSG_PACKET packets)
*
*/
-#define LINKTYPE_NFLOG 239
+#define LINKTYPE_NFLOG 239
/*
* Hilscher Gesellschaft fuer Systemautomation mbH link-layer type
* for Ethernet packets with a 4-byte pseudo-header and always
- * with the payload including the FCS.
+ * with the payload including the FCS, as supplied by their
+ * netANALYZER hardware and software.
*
*/
-#define LINKTYPE_ETHERNET_HILSCHER 240
+#define LINKTYPE_NETANALYZER 240
/*
* Hilscher Gesellschaft fuer Systemautomation mbH link-layer type
* for Ethernet packets with a 4-byte pseudo-header and FCS and
- * with the Ethernet header preceded by 7 bytes of preamble and
- * 1 byte of SFD.
+ * 1 byte of SFD, as supplied by their netANALYZER hardware and
+ * software.
*
*/
-#define LINKTYPE_ETHERNET_HILSCHER_TRANSPARENT 241
+#define LINKTYPE_NETANALYZER_TRANSPARENT 241
+
+/*
+ * IP-over-InfiniBand, as specified by RFC 4391.
+ *
+ */
+#define LINKTYPE_IPOIB 242
+
+/*
+ * MPEG-2 transport stream (ISO 13818-1/ITU-T H.222.0).
+ *
+ */
+#define LINKTYPE_MPEG_2_TS 243
+
+/*
+ * ng4T GmbH's UMTS Iub/Iur-over-ATM and Iub/Iur-over-IP format as
+ * used by their ng40 protocol tester.
+ *
+ */
+#define LINKTYPE_NG40 244
+
+/*
+ * Pseudo-header giving adapter number and flags, followed by an NFC
+ * (Near-Field Communications) Logical Link Control Protocol (LLCP) PDU,
+ * as specified by NFC Forum Logical Link Control Protocol Technical
+ * Specification LLCP 1.1.
+ *
+ */
+#define LINKTYPE_NFC_LLCP 245
+
+/*
+ * pfsync output; DLT_PFSYNC is 18, which collides with DLT_CIP in
+ * SuSE 6.3, on OpenBSD, NetBSD, DragonFly BSD, and Mac OS X, and
+ * is 121, which collides with DLT_HHDLC, in FreeBSD. We pick a
+ * shiny new link-layer header type value that doesn't collide with
+ * anything, in the hopes that future pfsync savefiles, if any,
+ * won't require special hacks to distinguish from other savefiles.
+ *
+ */
+#define LINKTYPE_PFSYNC 246
+
+/*
+ * Raw InfiniBand packets, starting with the Local Routing Header.
+ *
+ */
+#define LINKTYPE_INFINIBAND 247
+
+/*
+ * SCTP, with no lower-level protocols (i.e., no IPv4 or IPv6).
+ *
+ */
+#define LINKTYPE_SCTP 248
+
+/*
+ * USB packets, beginning with a USBPcap header.
+ *
+ */
+#define LINKTYPE_USBPCAP 249
+
+/*
+ * Schweitzer Engineering Laboratories "RTAC" product serial-line
+ * packets.
+ *
+ */
+#define DLT_RTAC_SERIAL 250
+
+/*
+ * Bluetooth Low Energy air interface link-layer packets.
+ *
+ */
+#define LINKTYPE_BLUETOOTH_LE_LL 251
+
+/*
+ * Link-layer header type for upper-protocol layer PDU saves from wireshark.
+ *
+ * the actual contents are determined by two TAGs stored with each
+ * packet:
+ * EXP_PDU_TAG_LINKTYPE the link type (LINKTYPE_ value) of the
+ * original packet.
+ *
+ * EXP_PDU_TAG_PROTO_NAME the name of the wireshark dissector
+ * that can make sense of the data stored.
+ */
+#define LINKTYPE_WIRESHARK_UPPER_PDU 252
+
+/*
+ * Link-layer header type for the netlink protocol (nlmon devices).
+ */
+#define LINKTYPE_NETLINK 253
+/*
+ * Bluetooth Linux Monitor headers for the BlueZ stack.
+ */
+#define LINKTYPE_BLUETOOTH_LINUX_MONITOR 254
+
+/*
+ * Bluetooth Basic Rate/Enhanced Data Rate baseband packets, as
+ * captured by Ubertooth.
+ */
+#define LINKTYPE_BLUETOOTH_BREDR_BB 255
+
+/*
+ * Bluetooth Low Energy link layer packets, as captured by Ubertooth.
+ */
+#define LINKTYPE_BLUETOOTH_LE_LL_WITH_PHDR 256
+
+/*
+ * PROFIBUS data link layer.
+ */
+#define LINKTYPE_PROFIBUS_DL 257
+
+/*
+ * Apple's DLT_PKTAP headers.
+ *
+ * Sadly, the folks at Apple either had no clue that the DLT_USERn values
+ * are for internal use within an organization and partners only, and
+ * didn't know that the right way to get a link-layer header type is to
+ * ask tcpdump.org for one, or knew and didn't care, so they just
+ * used DLT_USER2, which causes problems for everything except for
+ * their version of tcpdump.
+ *
+ * So I'll just give them one; hopefully this will show up in a
+ * libpcap release in time for them to get this into 10.10 Big Sur
+ * or whatever Mavericks' successor is called. LINKTYPE_PKTAP
+ * will be 258 *even on OS X*; that is *intentional*, so that
+ * PKTAP files look the same on *all* OSes (different OSes can have
+ * different numerical values for a given DLT_, but *MUST NOT* have
+ * different values for what goes in a file, as files can be moved
+ * between OSes!).
+ */
+#define LINKTYPE_PKTAP 258
+
+/*
+ * Ethernet packets preceded by a header giving the last 6 octets
+ * of the preamble specified by 802.3-2012 Clause 65, section
+ * 65.1.3.2 "Transmit".
+ */
+#define LINKTYPE_EPON 259
+
+/*
+ * IPMI trace packets, as specified by Table 3-20 "Trace Data Block Format"
+ * in the PICMG HPM.2 specification.
+ */
+#define LINKTYPE_IPMI_HPM_2 260
+
+/*
+ */
+#define LINKTYPE_ZWAVE_R1_R2 261
+#define LINKTYPE_ZWAVE_R3 262
+
+/*
+ * Digital Lighting Management room bus serial protocol captures.
+ */
+#define LINKTYPE_WATTSTOPPER_DLM 263
+
+/*
+ * ISO 14443 contactless smart card messages.
+ */
+#define LINKTYPE_ISO_14443 264
+
+#define LINKTYPE_MATCHING_MAX 264 /* highest value in the "matching" range */
static struct linktype_map {
int dlt;
{ DLT_AX25, LINKTYPE_AX25 },
{ DLT_PRONET, LINKTYPE_PRONET },
{ DLT_CHAOS, LINKTYPE_CHAOS },
- { DLT_IEEE802, LINKTYPE_TOKEN_RING },
+ { DLT_IEEE802, LINKTYPE_IEEE802_5 },
{ DLT_ARCNET, LINKTYPE_ARCNET_BSD },
{ DLT_SLIP, LINKTYPE_SLIP },
{ DLT_PPP, LINKTYPE_PPP },
{ DLT_FDDI, LINKTYPE_FDDI },
+ { DLT_SYMANTEC_FIREWALL, LINKTYPE_SYMANTEC_FIREWALL },
/*
* These DLT_* codes have different values on different
{ DLT_FR, LINKTYPE_FRELAY },
#endif
- { DLT_SYMANTEC_FIREWALL, LINKTYPE_SYMANTEC_FIREWALL },
{ DLT_ATM_RFC1483, LINKTYPE_ATM_RFC1483 },
{ DLT_RAW, LINKTYPE_RAW },
{ DLT_SLIP_BSDOS, LINKTYPE_SLIP_BSDOS },
/* NetBSD PPP over Ethernet */
{ DLT_PPP_ETHER, LINKTYPE_PPP_ETHER },
- /* IEEE 802.11 wireless */
- { DLT_IEEE802_11, LINKTYPE_IEEE802_11 },
-
- /* Frame Relay */
- { DLT_FRELAY, LINKTYPE_FRELAY },
-
- /* OpenBSD loopback */
- { DLT_LOOP, LINKTYPE_LOOP },
-
- /* OpenBSD IPSEC enc */
- { DLT_ENC, LINKTYPE_ENC },
-
- /* Linux cooked socket capture */
- { DLT_LINUX_SLL, LINKTYPE_LINUX_SLL },
-
- /* Apple LocalTalk hardware */
- { DLT_LTALK, LINKTYPE_LTALK },
-
- /* Acorn Econet */
- { DLT_ECONET, LINKTYPE_ECONET },
-
- /* OpenBSD DLT_PFLOG */
- { DLT_PFLOG, LINKTYPE_PFLOG },
-
- /* For Cisco-internal use */
- { DLT_CISCO_IOS, LINKTYPE_CISCO_IOS },
-
- /* Prism II monitor-mode header plus 802.11 header */
- { DLT_PRISM_HEADER, LINKTYPE_PRISM_HEADER },
-
- /* FreeBSD Aironet driver stuff */
- { DLT_AIRONET_HEADER, LINKTYPE_AIRONET_HEADER },
-
- /* Siemens HiPath HDLC */
- { DLT_HHDLC, LINKTYPE_HHDLC },
-
- /* RFC 2625 IP-over-Fibre Channel */
- { DLT_IP_OVER_FC, LINKTYPE_IP_OVER_FC },
-
- /* Solaris+SunATM */
- { DLT_SUNATM, LINKTYPE_SUNATM },
-
- /* RapidIO */
- { DLT_RIO, LINKTYPE_RIO },
-
- /* PCI Express */
- { DLT_PCI_EXP, LINKTYPE_PCI_EXP },
-
- /* Xilinx Aurora link layer */
- { DLT_AURORA, LINKTYPE_AURORA },
-
- /* 802.11 plus BSD radio header */
- { DLT_IEEE802_11_RADIO, LINKTYPE_IEEE802_11_RADIO },
-
- /* Tazmen Sniffer Protocol */
- { DLT_TZSP, LINKTYPE_TZSP },
-
- /* Arcnet with Linux-style link-layer headers */
- { DLT_ARCNET_LINUX, LINKTYPE_ARCNET_LINUX },
-
- /* Juniper-internal chassis encapsulation */
- { DLT_JUNIPER_MLPPP, LINKTYPE_JUNIPER_MLPPP },
- { DLT_JUNIPER_MLFR, LINKTYPE_JUNIPER_MLFR },
- { DLT_JUNIPER_ES, LINKTYPE_JUNIPER_ES },
- { DLT_JUNIPER_GGSN, LINKTYPE_JUNIPER_GGSN },
- { DLT_JUNIPER_MFR, LINKTYPE_JUNIPER_MFR },
- { DLT_JUNIPER_ATM2, LINKTYPE_JUNIPER_ATM2 },
- { DLT_JUNIPER_SERVICES, LINKTYPE_JUNIPER_SERVICES },
- { DLT_JUNIPER_ATM1, LINKTYPE_JUNIPER_ATM1 },
-
- /* Apple IP-over-IEEE 1394 cooked header */
- { DLT_APPLE_IP_OVER_IEEE1394, LINKTYPE_APPLE_IP_OVER_IEEE1394 },
-
- /* SS7 */
- { DLT_MTP2_WITH_PHDR, LINKTYPE_MTP2_WITH_PHDR },
- { DLT_MTP2, LINKTYPE_MTP2 },
- { DLT_MTP3, LINKTYPE_MTP3 },
- { DLT_SCCP, LINKTYPE_SCCP },
-
- /* DOCSIS MAC frames */
- { DLT_DOCSIS, LINKTYPE_DOCSIS },
-
- /* IrDA IrLAP packets + Linux-cooked header */
- { DLT_LINUX_IRDA, LINKTYPE_LINUX_IRDA },
-
- /* IBM SP and Next Federation switches */
- { DLT_IBM_SP, LINKTYPE_IBM_SP },
- { DLT_IBM_SN, LINKTYPE_IBM_SN },
-
- /* 802.11 plus AVS radio header */
- { DLT_IEEE802_11_RADIO_AVS, LINKTYPE_IEEE802_11_RADIO_AVS },
-
/*
- * Any platform that defines additional DLT_* codes should:
- *
- * request a LINKTYPE_* code and value from tcpdump.org,
- * as per the above;
- *
- * add, in their version of libpcap, an entry to map
- * those DLT_* codes to the corresponding LINKTYPE_*
- * code;
- *
- * redefine, in their "net/bpf.h", any DLT_* values
- * that collide with the values used by their additional
- * DLT_* codes, to remove those collisions (but without
- * making them collide with any of the LINKTYPE_*
- * values equal to 50 or above; they should also avoid
- * defining DLT_* values that collide with those
- * LINKTYPE_* values, either).
+ * All LINKTYPE_ values between LINKTYPE_MATCHING_MIN
+ * and LINKTYPE_MATCHING_MAX are mapped to identical
+ * DLT_ values.
*/
- /* Juniper-internal chassis encapsulation */
- { DLT_JUNIPER_MONITOR, LINKTYPE_JUNIPER_MONITOR },
-
- /* BACnet MS/TP */
- { DLT_BACNET_MS_TP, LINKTYPE_BACNET_MS_TP },
-
- /* PPP for pppd, with direction flag in the PPP header */
- { DLT_PPP_PPPD, LINKTYPE_PPP_PPPD},
-
- /* Juniper-internal chassis encapsulation */
- { DLT_JUNIPER_PPPOE, LINKTYPE_JUNIPER_PPPOE },
- { DLT_JUNIPER_PPPOE_ATM,LINKTYPE_JUNIPER_PPPOE_ATM },
-
- /* GPRS LLC */
- { DLT_GPRS_LLC, LINKTYPE_GPRS_LLC },
-
- /* Transparent Generic Framing Procedure (ITU-T G.7041/Y.1303) */
- { DLT_GPF_T, LINKTYPE_GPF_T },
-
- /* Framed Generic Framing Procedure (ITU-T G.7041/Y.1303) */
- { DLT_GPF_F, LINKTYPE_GPF_F },
-
- { DLT_GCOM_T1E1, LINKTYPE_GCOM_T1E1 },
- { DLT_GCOM_SERIAL, LINKTYPE_GCOM_SERIAL },
-
- /* Juniper-internal chassis encapsulation */
- { DLT_JUNIPER_PIC_PEER, LINKTYPE_JUNIPER_PIC_PEER },
-
- /* Endace types */
- { DLT_ERF_ETH, LINKTYPE_ERF_ETH },
- { DLT_ERF_POS, LINKTYPE_ERF_POS },
-
- /* viSDN LAPD */
- { DLT_LINUX_LAPD, LINKTYPE_LINUX_LAPD },
-
- /* Juniper meta-information before Ether, PPP, Frame Relay, C-HDLC Frames */
- { DLT_JUNIPER_ETHER, LINKTYPE_JUNIPER_ETHER },
- { DLT_JUNIPER_PPP, LINKTYPE_JUNIPER_PPP },
- { DLT_JUNIPER_FRELAY, LINKTYPE_JUNIPER_FRELAY },
- { DLT_JUNIPER_CHDLC, LINKTYPE_JUNIPER_CHDLC },
-
- /* Multi Link Frame Relay (FRF.16) */
- { DLT_MFR, LINKTYPE_MFR },
-
- /* Juniper Voice PIC */
- { DLT_JUNIPER_VP, LINKTYPE_JUNIPER_VP },
-
- /* Controller Area Network (CAN) v2.0B */
- { DLT_A429, LINKTYPE_A429 },
-
- /* Arinc 653 Interpartition Communication messages */
- { DLT_A653_ICM, LINKTYPE_A653_ICM },
-
- /* USB */
- { DLT_USB, LINKTYPE_USB },
-
- /* Bluetooth HCI UART transport layer */
- { DLT_BLUETOOTH_HCI_H4, LINKTYPE_BLUETOOTH_HCI_H4 },
-
- /* IEEE 802.16 MAC Common Part Sublayer */
- { DLT_IEEE802_16_MAC_CPS, LINKTYPE_IEEE802_16_MAC_CPS },
-
- /* USB with Linux header */
- { DLT_USB_LINUX, LINKTYPE_USB_LINUX },
-
- /* Controller Area Network (CAN) v2.0B */
- { DLT_CAN20B, LINKTYPE_CAN20B },
-
- /* IEEE 802.15.4 with address fields padded */
- { DLT_IEEE802_15_4_LINUX, LINKTYPE_IEEE802_15_4_LINUX },
-
- /* Per Packet Information encapsulated packets */
- { DLT_PPI, LINKTYPE_PPI },
-
- /* IEEE 802.16 MAC Common Part Sublayer plus radiotap header */
- { DLT_IEEE802_16_MAC_CPS_RADIO, LINKTYPE_IEEE802_16_MAC_CPS_RADIO },
-
- /* Juniper Voice ISM */
- { DLT_JUNIPER_ISM, LINKTYPE_JUNIPER_ISM },
-
- /* IEEE 802.15.4 exactly as it appears in the spec, with FCS */
- { DLT_IEEE802_15_4, LINKTYPE_IEEE802_15_4 },
-
- /* Various link-layer types for SITA */
- { DLT_SITA, LINKTYPE_SITA },
-
- /* Various link-layer types for Endace */
- { DLT_ERF, LINKTYPE_ERF },
-
- /* Special header for u10 Networks boards */
- { DLT_RAIF1, LINKTYPE_RAIF1 },
-
- /* IPMB */
- { DLT_IPMB, LINKTYPE_IPMB },
-
- /* Juniper Secure Tunnel */
- { DLT_JUNIPER_ST, LINKTYPE_JUNIPER_ST },
-
- /* Bluetooth HCI UART transport layer, with pseudo-header */
- { DLT_BLUETOOTH_HCI_H4_WITH_PHDR, LINKTYPE_BLUETOOTH_HCI_H4_WITH_PHDR },
-
- /* AX.25 with KISS header */
- { DLT_AX25_KISS, LINKTYPE_AX25_KISS },
-
- /* Raw LAPD, with no pseudo-header */
- { DLT_LAPD, LINKTYPE_LAPD },
-
- /* PPP with one-byte pseudo-header giving direction */
- { DLT_PPP_WITH_DIR, LINKTYPE_PPP_WITH_DIR },
-
- /* Cisco HDLC with one-byte pseudo-header giving direction */
- { DLT_C_HDLC_WITH_DIR, LINKTYPE_C_HDLC_WITH_DIR },
-
- /* Frame Relay with one-byte pseudo-header giving direction */
- { DLT_FRELAY_WITH_DIR, LINKTYPE_FRELAY_WITH_DIR },
-
- /* LAPB with one-byte pseudo-header giving direction */
- { DLT_LAPB_WITH_DIR, LINKTYPE_LAPB_WITH_DIR },
-
- /* IPMB with Linux pseudo-header */
- { DLT_IPMB_LINUX, LINKTYPE_IPMB_LINUX },
-
- /* FlexRay */
- { DLT_FLEXRAY, LINKTYPE_FLEXRAY },
-
- /* MOST */
- { DLT_MOST, LINKTYPE_MOST },
-
- /* LIN */
- { DLT_LIN, LINKTYPE_LIN },
-
- /* X2E-private serial line capture */
- { DLT_X2E_SERIAL, LINKTYPE_X2E_SERIAL },
-
- /* X2E-private for Xoraya data logger family */
- { DLT_X2E_XORAYA, LINKTYPE_X2E_XORAYA },
-
- /* IEEE 802.15.4 with PHY data for non-ASK PHYs */
- { DLT_IEEE802_15_4_NONASK_PHY, LINKTYPE_IEEE802_15_4_NONASK_PHY },
-
- /* Input device events from Linux /dev/input/eventN devices */
- { DLT_LINUX_EVDEV, LINKTYPE_LINUX_EVDEV },
-
- /* GSM types */
- { DLT_GSMTAP_UM, LINKTYPE_GSMTAP_UM },
- { DLT_GSMTAP_ABIS, LINKTYPE_GSMTAP_ABIS },
-
- /* MPLS, with an MPLS label as the link-layer header */
- { DLT_MPLS, LINKTYPE_MPLS },
-
- /* USB with padded Linux header */
- { DLT_USB_LINUX_MMAPPED, LINKTYPE_USB_LINUX_MMAPPED },
-
- /* DECT packets with a pseudo-header */
- { DLT_DECT, LINKTYPE_DECT },
-
- /* AOS Space Data Link Protocol */
- { DLT_AOS, LINKTYPE_AOS },
-
- /* Wireless HART */
- { DLT_WIHART, LINKTYPE_WIHART },
-
- /* Fibre Channel FC-2 frames without SOF or EOF */
- { DLT_FC_2, LINKTYPE_FC_2 },
-
- /* Fibre Channel FC-2 frames with SOF and EOF */
- { DLT_FC_2_WITH_FRAME_DELIMS, LINKTYPE_FC_2_WITH_FRAME_DELIMS },
-
- /* Solaris IPNET */
- { DLT_IPNET, LINKTYPE_IPNET },
-
- /* CAN frames with SocketCAN headers */
- { DLT_CAN_SOCKETCAN, LINKTYPE_CAN_SOCKETCAN },
-
- /* Raw IPv4/IPv6 */
- { DLT_IPV4, LINKTYPE_IPV4 },
- { DLT_IPV6, LINKTYPE_IPV6 },
-
- /* IEEE 802.15.4 exactly as it appears in the spec, without FCS */
- { DLT_IEEE802_15_4_NOFCS, LINKTYPE_IEEE802_15_4_NOFCS },
-
- /* D-Bus messages */
- { DLT_DBUS, LINKTYPE_DBUS },
-
- /* Juniper Virtual Server */
- { DLT_JUNIPER_VS, LINKTYPE_JUNIPER_VS },
-
- /* Juniper SRX E2E debugging */
- { DLT_JUNIPER_SRX_E2E, LINKTYPE_JUNIPER_SRX_E2E },
-
- /* Juniper Fibrechannel */
- { DLT_JUNIPER_FIBRECHANNEL, LINKTYPE_JUNIPER_FIBRECHANNEL },
-
- /* DVB-CI */
- { DLT_DVB_CI, LINKTYPE_DVB_CI },
-
- /* Variant of 3GPP TS 27.010 */
- { DLT_MUX27010, LINKTYPE_MUX27010 },
-
- /* STANAG 5066 D_PDUs */
- { DLT_STANAG_5066_D_PDU, LINKTYPE_STANAG_5066_D_PDU },
-
- /* Juniper ATM CE MIC */
- { DLT_JUNIPER_ATM_CEMIC, LINKTYPE_JUNIPER_ATM_CEMIC },
-
- /* Linux NetFilter LOG messages */
- { DLT_NFLOG, LINKTYPE_NFLOG },
-
- /* Ethernet with Hilscher pseudo-header */
- { DLT_ETHERNET_HILSCHER, LINKTYPE_ETHERNET_HILSCHER },
-
- /* Ethernet with Hilscher pseudo-header and preamble/SFD */
- { DLT_ETHERNET_HILSCHER_TRANSPARENT, LINKTYPE_ETHERNET_HILSCHER_TRANSPARENT },
-
{ -1, -1 }
};
{
int i;
+ /*
+ * DLTs that, on some platforms, have values in the matching range
+ * but that *don't* have the same value as the corresponding
+ * LINKTYPE because, for some reason, not all OSes have the
+ * same value for that DLT (note that the DLT's value might be
+ * outside the matching range on some of those OSes).
+ */
+ if (dlt == DLT_PFSYNC)
+ return (LINKTYPE_PFSYNC);
+ if (dlt == DLT_PKTAP)
+ return (LINKTYPE_PKTAP);
+
+ /*
+ * For all other values in the matching range, the DLT
+ * value is the same as the LINKTYPE value.
+ */
+ if (dlt >= DLT_MATCHING_MIN && dlt <= DLT_MATCHING_MAX)
+ return (dlt);
+
+ /*
+ * Map the values outside that range.
+ */
for (i = 0; map[i].dlt != -1; i++) {
if (map[i].dlt == dlt)
return (map[i].linktype);
}
/*
- * If we don't have a mapping for this DLT_ code, return an
- * error; that means that the table above needs to have an
- * entry added.
+ * If we don't have a mapping for this DLT, return an
+ * error; that means that this is a value with no corresponding
+ * LINKTYPE, and we need to assign one.
*/
return (-1);
}
{
int i;
+ /*
+ * LINKTYPEs in the matching range that *don't*
+ * have the same value as the corresponding DLTs
+ * because, for some reason, not all OSes have the
+ * same value for that DLT.
+ */
+ if (linktype == LINKTYPE_PFSYNC)
+ return (DLT_PFSYNC);
+ if (linktype == LINKTYPE_PKTAP)
+ return (DLT_PKTAP);
+
+ /*
+ * For all other values in the matching range, the LINKTYPE
+ * value is the same as the DLT value.
+ */
+ if (linktype >= LINKTYPE_MATCHING_MIN &&
+ linktype <= LINKTYPE_MATCHING_MAX)
+ return (linktype);
+
+ /*
+ * Map the values outside that range.
+ */
for (i = 0; map[i].linktype != -1; i++) {
if (map[i].linktype == linktype)
return (map[i].dlt);
}
/*
- * If we don't have an entry for this link type, return
- * the link type value; it may be a DLT_ value from an
- * older version of libpcap.
+ * If we don't have an entry for this LINKTYPE, return
+ * the link type value; it may be a DLT from an older
+ * version of libpcap.
*/
return linktype;
}
* memory-mapped buffer shared by the kernel).
*
* When reading a DLT_USB_LINUX or DLT_USB_LINUX_MMAPPED capture file,
- * we need to convert it from the capturing host's byte order to
- * the reading host's byte order.
+ * we need to convert it from the byte order of the host that wrote
+ * the file to this host's byte order.
*/
-void
+static void
swap_linux_usb_header(const struct pcap_pkthdr *hdr, u_char *buf,
int header_len_64_bytes)
{
pcap_usb_header_mmapped *uhdr = (pcap_usb_header_mmapped *)buf;
bpf_u_int32 offset = 0;
- usb_isodesc *pisodesc;
- int32_t numdesc, i;
/*
* "offset" is the offset *past* the field we're swapping;
*/
/*
- * The URB id is a totally opaque value; do we really need to
+ * The URB id is a totally opaque value; do we really need to
* convert it to the reading host's byte order???
*/
offset += 8; /* skip past id */
} else
offset += 8; /* skip USB setup header */
+ /*
+ * With the old header, there are no isochronous descriptors
+ * after the header.
+ *
+ * With the new header, the actual number of descriptors in
+ * the header is not s.iso.numdesc, it's ndesc - only the
+ * first N descriptors, for some value of N, are put into
+ * the header, and ndesc is set to the actual number copied.
+ * In addition, if s.iso.numdesc is negative, no descriptors
+ * are captured, and ndesc is set to 0.
+ */
if (header_len_64_bytes) {
/*
* This is either the "version 1" header, with
if (hdr->caplen < offset)
return;
uhdr->ndesc = SWAPLONG(uhdr->ndesc);
- }
- if (uhdr->transfer_type == URB_ISOCHRONOUS) {
- /* swap the values in struct linux_usb_isodesc */
- pisodesc = (usb_isodesc *)(void *)(buf+offset);
- numdesc = uhdr->s.iso.numdesc;
- for (i = 0; i < numdesc; i++) {
- offset += 4; /* skip past status */
- if (hdr->caplen < offset)
- return;
- pisodesc->status = SWAPLONG(pisodesc->status);
-
- offset += 4; /* skip past offset */
- if (hdr->caplen < offset)
- return;
- pisodesc->offset = SWAPLONG(pisodesc->offset);
-
- offset += 4; /* skip past len */
- if (hdr->caplen < offset)
- return;
- pisodesc->len = SWAPLONG(pisodesc->len);
-
- offset += 4; /* skip past padding */
-
- pisodesc++;
+ if (uhdr->transfer_type == URB_ISOCHRONOUS) {
+ /* swap the values in struct linux_usb_isodesc */
+ usb_isodesc *pisodesc;
+ u_int32_t i;
+
+ pisodesc = (usb_isodesc *)(void *)(buf+offset);
+ for (i = 0; i < uhdr->ndesc; i++) {
+ offset += 4; /* skip past status */
+ if (hdr->caplen < offset)
+ return;
+ pisodesc->status = SWAPLONG(pisodesc->status);
+
+ offset += 4; /* skip past offset */
+ if (hdr->caplen < offset)
+ return;
+ pisodesc->offset = SWAPLONG(pisodesc->offset);
+
+ offset += 4; /* skip past len */
+ if (hdr->caplen < offset)
+ return;
+ pisodesc->len = SWAPLONG(pisodesc->len);
+
+ offset += 4; /* skip past padding */
+
+ pisodesc++;
+ }
+ }
+ }
+}
+
+/*
+ * The DLT_NFLOG "packets" have a mixture of big-endian and host-byte-order
+ * data. They begin with a fixed-length header with big-endian fields,
+ * followed by a set of TLVs, where the type and length are in host
+ * byte order but the values are either big-endian or are a raw byte
+ * sequence that's the same regardless of the host's byte order.
+ *
+ * When reading a DLT_NFLOG capture file, we need to convert the type
+ * and length values from the byte order of the host that wrote the
+ * file to the byte order of this host.
+ */
+static void
+swap_nflog_header(const struct pcap_pkthdr *hdr, u_char *buf)
+{
+ u_char *p = buf;
+ nflog_hdr_t *nfhdr = (nflog_hdr_t *)buf;
+ nflog_tlv_t *tlv;
+ u_int caplen = hdr->caplen;
+ u_int length = hdr->len;
+ u_int16_t size;
+
+ if (caplen < (int) sizeof(nflog_hdr_t) || length < (int) sizeof(nflog_hdr_t)) {
+ /* Not enough data to have any TLVs. */
+ return;
+ }
+
+ if (nfhdr->nflog_version != 0) {
+ /* Unknown NFLOG version */
+ return;
+ }
+
+ length -= sizeof(nflog_hdr_t);
+ caplen -= sizeof(nflog_hdr_t);
+ p += sizeof(nflog_hdr_t);
+
+ while (caplen >= sizeof(nflog_tlv_t)) {
+ tlv = (nflog_tlv_t *) p;
+
+ /* Swap the type and length. */
+ tlv->tlv_type = SWAPSHORT(tlv->tlv_type);
+ tlv->tlv_length = SWAPSHORT(tlv->tlv_length);
+
+ /* Get the length of the TLV. */
+ size = tlv->tlv_length;
+ if (size % 4 != 0)
+ size += 4 - size % 4;
+
+ /* Is the TLV's length less than the minimum? */
+ if (size < sizeof(nflog_tlv_t)) {
+ /* Yes. Give up now. */
+ return;
+ }
+
+ /* Do we have enough data for the full TLV? */
+ if (caplen < size || length < size) {
+ /* No. */
+ return;
}
+
+ /* Skip over the TLV. */
+ length -= size;
+ caplen -= size;
+ p += size;
+ }
+}
+
+void
+swap_pseudo_headers(int linktype, struct pcap_pkthdr *hdr, u_char *data)
+{
+ /*
+ * Convert pseudo-headers from the byte order of
+ * the host on which the file was saved to our
+ * byte order, as necessary.
+ */
+ switch (linktype) {
+
+ case DLT_USB_LINUX:
+ swap_linux_usb_header(hdr, data, 0);
+ break;
+
+ case DLT_USB_LINUX_MMAPPED:
+ swap_linux_usb_header(hdr, data, 1);
+ break;
+
+ case DLT_NFLOG:
+ swap_nflog_header(hdr, data);
+ break;
}
}
projects / libpcap / blobdiff