bpf.h source code [xnu/bsd/net/bpf.h]

1	/*
2	* Copyright (c) 2000-2022 Apple Inc. All rights reserved.
3	*
4	* @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5	*
6	* This file contains Original Code and/or Modifications of Original Code
7	* as defined in and that are subject to the Apple Public Source License
8	* Version 2.0 (the 'License'). You may not use this file except in
9	* compliance with the License. The rights granted to you under the License
10	* may not be used to create, or enable the creation or redistribution of,
11	* unlawful or unlicensed copies of an Apple operating system, or to
12	* circumvent, violate, or enable the circumvention or violation of, any
13	* terms of an Apple operating system software license agreement.
14	*
15	* Please obtain a copy of the License at
16	* http://www.opensource.apple.com/apsl/ and read it before using this file.
17	*
18	* The Original Code and all software distributed under the License are
19	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23	* Please see the License for the specific language governing rights and
24	* limitations under the License.
25	*
26	* @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27	*/
28	/*
29	* Copyright (c) 1990, 1991, 1993
30	* The Regents of the University of California. All rights reserved.
31	*
32	* This code is derived from the Stanford/CMU enet packet filter,
33	* (net/enet.c) distributed as part of 4.3BSD, and code contributed
34	* to Berkeley by Steven McCanne and Van Jacobson both of Lawrence
35	* Berkeley Laboratory.
36	*
37	* Redistribution and use in source and binary forms, with or without
38	* modification, are permitted provided that the following conditions
39	* are met:
40	* 1. Redistributions of source code must retain the above copyright
41	* notice, this list of conditions and the following disclaimer.
42	* 2. Redistributions in binary form must reproduce the above copyright
43	* notice, this list of conditions and the following disclaimer in the
44	* documentation and/or other materials provided with the distribution.
45	* 3. All advertising materials mentioning features or use of this software
46	* must display the following acknowledgement:
47	* This product includes software developed by the University of
48	* California, Berkeley and its contributors.
49	* 4. Neither the name of the University nor the names of its contributors
50	* may be used to endorse or promote products derived from this software
51	* without specific prior written permission.
52	*
53	* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
54	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
55	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
56	* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
57	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
58	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
59	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
60	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
61	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
62	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
63	* SUCH DAMAGE.
64	*
65	* @(#)bpf.h 8.1 (Berkeley) 6/10/93
66	* @(#)bpf.h 1.34 (LBL) 6/16/96
67	*
68	* $FreeBSD: src/sys/net/bpf.h,v 1.21.2.3 2001/08/01 00:23:13 fenner Exp $
69	*/
70	/*
71	* NOTICE: This file was modified by SPARTA, Inc. in 2006 to introduce
72	* support for mandatory and extensible security protections. This notice
73	* is included in support of clause 2.2 (b) of the Apple Public License,
74	* Version 2.0.
75	*/
76
77	#ifndef _NET_BPF_H_
78	#define _NET_BPF_H_
79
80	#include <stdint.h>
81
82	#if !defined(DRIVERKIT)
83	#include <sys/param.h>
84	#include <sys/appleapiopts.h>
85	#include <sys/types.h>
86	#include <sys/time.h>
87	#include <sys/cdefs.h>
88
89	#ifdef PRIVATE
90	#include <net/if_var.h>
91	#include <uuid/uuid.h>
92
93	struct bpf_setup_args {
94	uuid_t bsa_uuid;
95	char bsa_ifname[IFNAMSIZ];
96	};
97	#endif /* PRIVATE */
98
99	#ifdef KERNEL
100	#include <sys/kernel_types.h>
101
102	#if !defined(__i386__) && !defined(__x86_64__)
103	#define BPF_ALIGN 1
104	#else /* defined(__i386__) \|\| defined(__x86_64__) */
105	#define BPF_ALIGN 0
106	#endif /* defined(__i386__) \|\| defined(__x86_64__) */
107
108	#if !BPF_ALIGN
109	#define EXTRACT_SHORT(p) ((u_int16_t)ntohs((u_int16_t )(void *)p))
110	#define EXTRACT_LONG(p) (ntohl((u_int32_t )(void *)p))
111	#else
112	#define EXTRACT_SHORT(p) \
113	((u_int16_t)\
114	((u_int16_t)((u_char )p+0)<<8\|\
115	(u_int16_t)((u_char )p+1)<<0))
116	#define EXTRACT_LONG(p) \
117	((u_int32_t)((u_char )p+0)<<24\|\
118	(u_int32_t)((u_char )p+1)<<16\|\
119	(u_int32_t)((u_char )p+2)<<8\|\
120	(u_int32_t)((u_char )p+3)<<0)
121	#endif
122
123	#endif /* KERNEL */
124
125	/ BSD style release date /
126	#define BPF_RELEASE 199606
127
128	typedef int32_t bpf_int32;
129	typedef u_int32_t bpf_u_int32;
130
131	/*
132	* Alignment macros. BPF_WORDALIGN rounds up to the next
133	* even multiple of BPF_ALIGNMENT.
134	*/
135	#define BPF_ALIGNMENT sizeof(int32_t)
136	#define BPF_WORDALIGN(x) (((x)+(BPF_ALIGNMENT-1))&~(BPF_ALIGNMENT-1))
137
138	#define BPF_MAXINSNS 512
139	#define BPF_MAXBUFSIZE 0x80000
140	#define BPF_MINBUFSIZE 32
141
142	/*
143	* Structure for BIOCSETF.
144	*/
145	struct bpf_program {
146	u_int bf_len;
147	struct bpf_insn *bf_insns;
148	};
149
150	#ifdef KERNEL_PRIVATE
151	/*
152	* LP64 version of bpf_program. all pointers
153	* grow when we're dealing with a 64-bit process.
154	* WARNING - keep in sync with bpf_program
155	*/
156	struct bpf_program64 {
157	u_int bf_len;
158	user64_addr_t bf_insns __attribute__((aligned(`8`)));
159	};
160
161	struct bpf_program32 {
162	u_int bf_len;
163	user32_addr_t bf_insns;
164	};
165	#endif /* KERNEL_PRIVATE */
166
167	/*
168	* Struct returned by BIOCGSTATS.
169	*/
170	struct bpf_stat {
171	u_int bs_recv; / number of packets received /
172	u_int bs_drop; / number of packets dropped /
173	};
174
175	/*
176	* Struct return by BIOCVERSION. This represents the version number of
177	* the filter language described by the instruction encodings below.
178	* bpf understands a program iff kernel_major == filter_major &&
179	* kernel_minor >= filter_minor, that is, if the value returned by the
180	* running kernel has the same major number and a minor number equal
181	* equal to or less than the filter being downloaded. Otherwise, the
182	* results are undefined, meaning an error may be returned or packets
183	* may be accepted haphazardly.
184	* It has nothing to do with the source code version.
185	*/
186	struct bpf_version {
187	u_short bv_major;
188	u_short bv_minor;
189	};
190
191	#ifdef PRIVATE
192	struct bpf_comp_stats {
193	uint64_t bcs_total_read; / number of packets read from device /
194	uint64_t bcs_total_size; / total size of filtered packets /
195	uint64_t bcs_total_hdr_size; / total header size of captured packets /
196	uint64_t bcs_count_no_common_prefix; / count of packets not compressible /
197	uint64_t bcs_count_compressed_prefix; / count of compressed packets /
198	uint64_t bcs_total_compressed_prefix_size; / total size of compressed data /
199	uint64_t bcs_max_compressed_prefix_size; / max compressed data size /
200	};
201	#endif /* PRIVATE */
202
203	#if defined(__LP64__)
204	#include <sys/_types/_timeval32.h>
205
206	#define BPF_TIMEVAL timeval32
207	#else
208	#define BPF_TIMEVAL timeval
209	#endif /* __LP64__ */
210	/ Current version number of filter architecture. /
211	#define BPF_MAJOR_VERSION 1
212	#define BPF_MINOR_VERSION 1
213
214	#define BIOCGBLEN _IOR('B',102, u_int)
215	#define BIOCSBLEN _IOWR('B',102, u_int)
216	#define BIOCSETF _IOW('B',103, struct bpf_program)
217	#ifdef KERNEL_PRIVATE
218	#define BIOCSETF64 _IOW('B',103, struct bpf_program64)
219	#define BIOCSETF32 _IOW('B',103, struct bpf_program32)
220	#endif /* KERNEL_PRIVATE */
221	#define BIOCFLUSH _IO('B',104)
222	#define BIOCPROMISC _IO('B',105)
223	#define BIOCGDLT _IOR('B',106, u_int)
224	#define BIOCGETIF _IOR('B',107, struct ifreq)
225	#define BIOCSETIF _IOW('B',108, struct ifreq)
226	#define BIOCSRTIMEOUT _IOW('B',109, struct timeval)
227	#ifdef KERNEL_PRIVATE
228	#define BIOCSRTIMEOUT64 _IOW('B',109, struct user64_timeval)
229	#define BIOCSRTIMEOUT32 _IOW('B',109, struct user32_timeval)
230	#endif /* KERNEL_PRIVATE */
231	#define BIOCGRTIMEOUT _IOR('B',110, struct timeval)
232	#ifdef KERNEL_PRIVATE
233	#define BIOCGRTIMEOUT64 _IOR('B',110, struct user64_timeval)
234	#define BIOCGRTIMEOUT32 _IOR('B',110, struct user32_timeval)
235	#endif /* KERNEL_PRIVATE */
236	#define BIOCGSTATS _IOR('B',111, struct bpf_stat)
237	#define BIOCIMMEDIATE _IOW('B',112, u_int)
238	#define BIOCVERSION _IOR('B',113, struct bpf_version)
239	#define BIOCGRSIG _IOR('B',114, u_int)
240	#define BIOCSRSIG _IOW('B',115, u_int)
241	#define BIOCGHDRCMPLT _IOR('B',116, u_int)
242	#define BIOCSHDRCMPLT _IOW('B',117, u_int)
243	#define BIOCGSEESENT _IOR('B',118, u_int)
244	#define BIOCSSEESENT _IOW('B',119, u_int)
245	#define BIOCSDLT _IOW('B',120, u_int)
246	#define BIOCGDLTLIST _IOWR('B',121, struct bpf_dltlist)
247	#ifdef PRIVATE
248	#define BIOCGETTC _IOR('B', 122, int)
249	#define BIOCSETTC _IOW('B', 123, int)
250	#define BIOCSEXTHDR _IOW('B', 124, u_int)
251	#define BIOCGIFATTACHCOUNT _IOWR('B', 125, struct ifreq)
252	#endif /* PRIVATE */
253	#define BIOCSETFNR _IOW('B', 126, struct bpf_program)
254	#ifdef KERNEL_PRIVATE
255	#define BIOCSETFNR64 _IOW('B',126, struct bpf_program64)
256	#define BIOCSETFNR32 _IOW('B',126, struct bpf_program32)
257	#endif /* KERNEL_PRIVATE */
258	#ifdef PRIVATE
259	#define BIOCGWANTPKTAP _IOR('B', 127, u_int)
260	#define BIOCSWANTPKTAP _IOWR('B', 127, u_int)
261	#define BIOCSHEADDROP _IOW('B', 128, int)
262	#define BIOCGHEADDROP _IOR('B', 128, int)
263	#define BIOCSTRUNCATE _IOW('B', 129, u_int)
264	#define BIOCGETUUID _IOR('B', 130, uuid_t)
265	#define BIOCSETUP _IOW('B', 131, struct bpf_setup_args)
266	#define BIOCSPKTHDRV2 _IOW('B', 132, int)
267	#define BIOCGPKTHDRV2 _IOW('B', 133, int)
268	#define BIOCGHDRCOMP _IOR('B', 134, int)
269	#define BIOCSHDRCOMP _IOW('B', 135, int)
270	#define BIOCGHDRCOMPSTATS _IOR('B', 136, struct bpf_comp_stats)
271	#define BIOCGHDRCOMPON _IOR('B', 137, int)
272	#define BIOCGDIRECTION _IOR('B', 138, int)
273	#define BIOCSDIRECTION _IOW('B', 139, int)
274	#define BIOCSWRITEMAX _IOW('B', 140, u_int)
275	#define BIOCGWRITEMAX _IOR('B', 141, u_int)
276	#define BIOCGBATCHWRITE _IOR('B', 142, int)
277	#define BIOCSBATCHWRITE _IOW('B', 143, int)
278	#endif /* PRIVATE */
279
280	/*
281	* Structure prepended to each packet.
282	*/
283	struct bpf_hdr {
284	struct BPF_TIMEVAL bh_tstamp; / time stamp /
285	bpf_u_int32 bh_caplen; / length of captured portion /
286	bpf_u_int32 bh_datalen; / original length of packet /
287	u_short bh_hdrlen; / length of bpf header (this struct*
288	* plus alignment padding) */
289	};
290	#ifdef KERNEL
291	/*
292	* Because the structure above is not a multiple of 4 bytes, some compilers
293	* will insist on inserting padding; hence, sizeof(struct bpf_hdr) won't work.
294	* Only the kernel needs to know about it; applications use bh_hdrlen.
295	*/
296	#define SIZEOF_BPF_HDR (sizeof(struct bpf_hdr) <= 20 ? 18 : \
297	sizeof(struct bpf_hdr))
298	#endif
299	#ifdef PRIVATE
300	/*
301	* This structure must be a multiple of 4 bytes.
302	* It includes padding and spare fields that we can use later if desired.
303	*/
304	struct bpf_hdr_ext {
305	struct BPF_TIMEVAL bh_tstamp; / time stamp /
306	bpf_u_int32 bh_caplen; / length of captured portion /
307	bpf_u_int32 bh_datalen; / original length of packet /
308	u_short bh_hdrlen; / length of bpf header /
309	u_char bh_complen;
310	u_char bh_flags;
311	#define BPF_HDR_EXT_FLAGS_DIR_IN 0x00
312	#define BPF_HDR_EXT_FLAGS_DIR_OUT 0x01
313	#ifdef BSD_KERNEL_PRIVATE
314	#define BPF_HDR_EXT_FLAGS_TCP 0x02
315	#define BPF_HDR_EXT_FLAGS_UDP 0x04
316	#endif /* BSD_KERNEL_PRIVATE */
317	pid_t bh_pid; / process PID /
318	char bh_comm[MAXCOMLEN + `1`]; / process command /
319	u_char bh_pktflags;
320	#define BPF_PKTFLAGS_TCP_REXMT 0x01
321	#define BPF_PKTFLAGS_START_SEQ 0x02
322	#define BPF_PKTFLAGS_LAST_PKT 0x04
323	#define BPF_PKTFLAGS_WAKE_PKT 0x08
324	uint16_t bh_trace_tag;
325	bpf_u_int32 bh_svc; / service class /
326	bpf_u_int32 bh_flowid; / kernel reserved; 0 in userland /
327	bpf_u_int32 bh_unsent_bytes; / unsent bytes at interface /
328	bpf_u_int32 bh_unsent_snd; / unsent bytes at socket buffer /
329	};
330
331	#define BPF_HDR_EXT_HAS_TRACE_TAG 1
332
333	/*
334	* External representation of the bpf descriptor
335	*/
336	struct xbpf_d {
337	uint32_t bd_structsize; / Size of this structure. /
338	int32_t bd_dev_minor;
339	int32_t bd_sig;
340	uint32_t bd_slen;
341	uint32_t bd_hlen;
342	uint32_t bd_bufsize;
343	pid_t bd_pid;
344
345	uint8_t bd_promisc;
346	uint8_t bd_immediate;
347	uint8_t bd_hdrcmplt;
348	uint8_t bd_async;
349
350	uint8_t bd_headdrop;
351	uint8_t bd_direction;
352	uint8_t bh_compreq;
353	uint8_t bh_compenabled;
354
355	uint8_t bd_exthdr;
356	uint8_t bd_trunc;
357	uint8_t bd_pkthdrv2;
358	uint8_t bd_pad;
359
360	uint64_t bd_rcount;
361	uint64_t bd_dcount;
362	uint64_t bd_fcount;
363	uint64_t bd_wcount;
364	uint64_t bd_wdcount;
365
366	char bd_ifname[IFNAMSIZ];
367
368	uint64_t bd_comp_count;
369	uint64_t bd_comp_size;
370
371	uint32_t bd_scnt; / number of packets in store buffer /
372	uint32_t bd_hcnt; / number of packets in hold buffer /
373
374	uint64_t bd_read_count;
375	uint64_t bd_fsize;
376	};
377
378	#ifndef bd_seesent
379	/*
380	* Code compatibility workaround so that old versions of network_cmds will continue to build
381	* even if netstat -B shows an incorrect value.
382	*/
383	#define bd_seesent bd_direction
384	#endif /* bd_seesent */
385
386	#define _HAS_STRUCT_XBPF_D_ 2
387
388	struct bpf_comp_hdr {
389	struct BPF_TIMEVAL bh_tstamp; / time stamp /
390	bpf_u_int32 bh_caplen; / length of captured portion /
391	bpf_u_int32 bh_datalen; / original length of packet /
392	u_short bh_hdrlen; / length of bpf header (this struct*
393	* plus alignment padding) */
394	u_char bh_complen; / data portion compressed /
395	u_char bh_padding; / data portion compressed /
396	};
397
398	#define HAS_BPF_HDR_COMP 1
399	#define BPF_HDR_COMP_LEN_MAX 255
400
401	/*
402	* Packet tap directions
403	*/
404	#define BPF_D_NONE 0x0 /* See no packet (for writing only) */
405	#define BPF_D_IN 0x1 /* See incoming packets */
406	#define BPF_D_OUT 0x2 /* See outgoing packets */
407	#define BPF_D_INOUT 0x3 /* See incoming and outgoing packets */
408
409	#endif /* PRIVATE */
410	#endif /* !defined(DRIVERKIT) */
411
412	/*
413	* Data-link level type codes.
414	*/
415	#define DLT_NULL 0 /* no link-layer encapsulation */
416	#define DLT_EN10MB 1 /* Ethernet (10Mb) */
417	#define DLT_EN3MB 2 /* Experimental Ethernet (3Mb) */
418	#define DLT_AX25 3 /* Amateur Radio AX.25 */
419	#define DLT_PRONET 4 /* Proteon ProNET Token Ring */
420	#define DLT_CHAOS 5 /* Chaos */
421	#define DLT_IEEE802 6 /* IEEE 802 Networks */
422	#define DLT_ARCNET 7 /* ARCNET */
423	#define DLT_SLIP 8 /* Serial Line IP */
424	#define DLT_PPP 9 /* Point-to-point Protocol */
425	#define DLT_FDDI 10 /* FDDI */
426	#define DLT_ATM_RFC1483 11 /* LLC/SNAP encapsulated atm */
427	#define DLT_RAW 12 /* raw IP */
428
429	/*
430	* These are values from BSD/OS's "bpf.h".
431	* These are not the same as the values from the traditional libpcap
432	* "bpf.h"; however, these values shouldn't be generated by any
433	* OS other than BSD/OS, so the correct values to use here are the
434	* BSD/OS values.
435	*
436	* Platforms that have already assigned these values to other
437	* DLT_ codes, however, should give these codes the values
438	* from that platform, so that programs that use these codes will
439	* continue to compile - even though they won't correctly read
440	* files of these types.
441	*/
442	#define DLT_SLIP_BSDOS 15 /* BSD/OS Serial Line IP */
443	#define DLT_PPP_BSDOS 16 /* BSD/OS Point-to-point Protocol */
444
445	/*
446	* 17 was used for DLT_PFLOG in OpenBSD; it no longer is.
447	*
448	* It was DLT_LANE8023 in SuSE 6.3, so we defined LINKTYPE_PFLOG
449	* as 117 so that pflog captures would use a link-layer header type
450	* value that didn't collide with any other values. On all
451	* platforms other than OpenBSD, we defined DLT_PFLOG as 117,
452	* and we mapped between LINKTYPE_PFLOG and DLT_PFLOG.
453	*
454	* OpenBSD eventually switched to using 117 for DLT_PFLOG as well.
455	*
456	* Don't use 17 for anything else.
457	*/
458
459	/*
460	* 18 is used for DLT_PFSYNC in OpenBSD, NetBSD, DragonFly BSD and
461	* Mac OS X; don't use it for anything else. (FreeBSD uses 121,
462	* which collides with DLT_HHDLC, even though it doesn't use 18
463	* for anything and doesn't appear to have ever used it for anything.)
464	*
465	* We define it as 18 on those platforms; it is, unfortunately, used
466	* for DLT_CIP in Suse 6.3, so we don't define it as DLT_PFSYNC
467	* in general. As the packet format for it, like that for
468	* DLT_PFLOG, is not only OS-dependent but OS-version-dependent,
469	* we don't support printing it in tcpdump except on OSes that
470	* have the relevant header files, so it's not that useful on
471	* other platforms.
472	*/
473	#define DLT_PFSYNC 18 /* Packet filter state syncing */
474
475	#define DLT_ATM_CLIP 19 /* Linux Classical-IP over ATM */
476
477	/*
478	* These values are defined by NetBSD; other platforms should refrain from
479	* using them for other purposes, so that NetBSD savefiles with link
480	* types of 50 or 51 can be read as this type on all platforms.
481	*/
482	#define DLT_PPP_SERIAL 50 /* PPP over serial with HDLC encapsulation */
483	#define DLT_PPP_ETHER 51 /* PPP over Ethernet */
484
485	/*
486	* The Axent Raptor firewall - now the Symantec Enterprise Firewall - uses
487	* a link-layer type of 99 for the tcpdump it supplies. The link-layer
488	* header has 6 bytes of unknown data, something that appears to be an
489	* Ethernet type, and 36 bytes that appear to be 0 in at least one capture
490	* I've seen.
491	*/
492	#define DLT_SYMANTEC_FIREWALL 99
493
494	/*
495	* Values between 100 and 103 are used in capture file headers as
496	* link-layer header type LINKTYPE_ values corresponding to DLT_ types
497	* that differ between platforms; don't use those values for new DLT_
498	* new types.
499	*/
500
501	/*
502	* Values starting with 104 are used for newly-assigned link-layer
503	* header type values; for those link-layer header types, the DLT_
504	* value returned by pcap_datalink() and passed to pcap_open_dead(),
505	* and the LINKTYPE_ value that appears in capture files, are the
506	* same.
507	*
508	* DLT_MATCHING_MIN is the lowest such value; DLT_MATCHING_MAX is
509	* the highest such value.
510	*/
511	#define DLT_MATCHING_MIN 104
512
513	/*
514	* This value was defined by libpcap 0.5; platforms that have defined
515	* it with a different value should define it here with that value -
516	* a link type of 104 in a save file will be mapped to DLT_C_HDLC,
517	* whatever value that happens to be, so programs will correctly
518	* handle files with that link type regardless of the value of
519	* DLT_C_HDLC.
520	*
521	* The name DLT_C_HDLC was used by BSD/OS; we use that name for source
522	* compatibility with programs written for BSD/OS.
523	*
524	* libpcap 0.5 defined it as DLT_CHDLC; we define DLT_CHDLC as well,
525	* for source compatibility with programs written for libpcap 0.5.
526	*/
527	#define DLT_C_HDLC 104 /* Cisco HDLC */
528	#define DLT_CHDLC DLT_C_HDLC
529
530	#define DLT_IEEE802_11 105 /* IEEE 802.11 wireless */
531
532	/*
533	* Values between 106 and 107 are used in capture file headers as
534	* link-layer types corresponding to DLT_ types that might differ
535	* between platforms; don't use those values for new DLT_ new types.
536	*/
537
538	/*
539	* Frame Relay; BSD/OS has a DLT_FR with a value of 11, but that collides
540	* with other values.
541	* DLT_FR and DLT_FRELAY packets start with the Q.922 Frame Relay header
542	* (DLCI, etc.).
543	*/
544	#define DLT_FRELAY 107
545
546	/*
547	* OpenBSD DLT_LOOP, for loopback devices; it's like DLT_NULL, except
548	* that the AF_ type in the link-layer header is in network byte order.
549	*
550	* OpenBSD defines it as 12, but that collides with DLT_RAW, so we
551	* define it as 108 here. If OpenBSD picks up this file, it should
552	* define DLT_LOOP as 12 in its version, as per the comment above -
553	* and should not use 108 for any purpose.
554	*/
555	#define DLT_LOOP 108
556
557	/*
558	* Values between 109 and 112 are used in capture file headers as
559	* link-layer types corresponding to DLT_ types that might differ
560	* between platforms; don't use those values for new DLT_ new types.
561	*/
562
563	/*
564	* Encapsulated packets for IPsec; DLT_ENC is 13 in OpenBSD, but that's
565	* DLT_SLIP_BSDOS in NetBSD, so we don't use 13 for it in OSes other
566	* than OpenBSD.
567	*/
568	#define DLT_ENC 109
569
570	/*
571	* This is for Linux cooked sockets.
572	*/
573	#define DLT_LINUX_SLL 113
574
575	/*
576	* Apple LocalTalk hardware.
577	*/
578	#define DLT_LTALK 114
579
580	/*
581	* Acorn Econet.
582	*/
583	#define DLT_ECONET 115
584
585	/*
586	* Reserved for use with OpenBSD ipfilter.
587	*/
588	#define DLT_IPFILTER 116
589
590	/*
591	* For use in capture-file headers as a link-layer type corresponding
592	* to OpenBSD PF (Packet Filter) log.
593	*/
594	#define DLT_PFLOG 117
595
596	/*
597	* Registered for Cisco-internal use.
598	*/
599	#define DLT_CISCO_IOS 118
600
601	/*
602	* Reserved for 802.11 cards using the Prism II chips, with a link-layer
603	* header including Prism monitor mode information plus an 802.11
604	* header.
605	*/
606	#define DLT_PRISM_HEADER 119
607
608	/*
609	* Reserved for Aironet 802.11 cards, with an Aironet link-layer header
610	* (see Doug Ambrisko's FreeBSD patches).
611	*/
612	#define DLT_AIRONET_HEADER 120
613
614	/*
615	* Reserved for Siemens HiPath HDLC. XXX
616	*/
617	#define DLT_HHDLC 121
618
619	/*
620	* Reserved for RFC 2625 IP-over-Fibre Channel.
621	*/
622	#define DLT_IP_OVER_FC 122
623
624	/*
625	* Reserved for Full Frontal ATM on Solaris.
626	*/
627	#define DLT_SUNATM 123
628
629	/*
630	* Reserved as per request from Kent Dahlgren <kent@praesum.com>
631	* for private use.
632	*/
633	#define DLT_RIO 124 /* RapidIO */
634	#define DLT_PCI_EXP 125 /* PCI Express */
635	#define DLT_AURORA 126 /* Xilinx Aurora link layer */
636
637	/*
638	* BSD header for 802.11 plus a number of bits of link-layer information
639	* including radio information.
640	*/
641	#ifndef DLT_IEEE802_11_RADIO
642	#define DLT_IEEE802_11_RADIO 127
643	#endif
644
645	/*
646	* Reserved for TZSP encapsulation.
647	*/
648	#define DLT_TZSP 128 /* Tazmen Sniffer Protocol */
649
650	/*
651	* Reserved for Linux ARCNET.
652	*/
653	#define DLT_ARCNET_LINUX 129
654
655	/*
656	* Juniper-private data link types.
657	*/
658	#define DLT_JUNIPER_MLPPP 130
659	#define DLT_JUNIPER_MLFR 131
660	#define DLT_JUNIPER_ES 132
661	#define DLT_JUNIPER_GGSN 133
662	#define DLT_JUNIPER_MFR 134
663	#define DLT_JUNIPER_ATM2 135
664	#define DLT_JUNIPER_SERVICES 136
665	#define DLT_JUNIPER_ATM1 137
666
667	/*
668	* Apple IP-over-IEEE 1394, as per a request from Dieter Siegmund
669	* <dieter@apple.com>. The header that's presented is an Ethernet-like
670	* header:
671	*
672	* #define FIREWIRE_EUI64_LEN 8
673	* struct firewire_header {
674	* u_char firewire_dhost[FIREWIRE_EUI64_LEN];
675	* u_char firewire_shost[FIREWIRE_EUI64_LEN];
676	* u_short firewire_type;
677	* };
678	*
679	* with "firewire_type" being an Ethernet type value, rather than,
680	* for example, raw GASP frames being handed up.
681	*/
682	#define DLT_APPLE_IP_OVER_IEEE1394 138
683
684	/*
685	* Various SS7 encapsulations, as per a request from Jeff Morriss
686	* <jeff.morriss[AT]ulticom.com> and subsequent discussions.
687	*/
688	#define DLT_MTP2_WITH_PHDR 139 /* pseudo-header with various info, followed by MTP2 */
689	#define DLT_MTP2 140 /* MTP2, without pseudo-header */
690	#define DLT_MTP3 141 /* MTP3, without pseudo-header or MTP2 */
691	#define DLT_SCCP 142 /* SCCP, without pseudo-header or MTP2 or MTP3 */
692
693	/*
694	* Reserved for DOCSIS.
695	*/
696	#define DLT_DOCSIS 143
697
698	/*
699	* Reserved for Linux IrDA.
700	*/
701	#define DLT_LINUX_IRDA 144
702
703	/*
704	* Reserved for IBM SP switch and IBM Next Federation switch.
705	*/
706	#define DLT_IBM_SP 145
707	#define DLT_IBM_SN 146
708
709	/*
710	* Reserved for private use. If you have some link-layer header type
711	* that you want to use within your organization, with the capture files
712	* using that link-layer header type not ever be sent outside your
713	* organization, you can use these values.
714	*
715	* No libpcap release will use these for any purpose, nor will any
716	* tcpdump release use them, either.
717	*
718	* Do NOT use these in capture files that you expect anybody not using
719	* your private versions of capture-file-reading tools to read; in
720	* particular, do NOT use them in products, otherwise you may find that
721	* people won't be able to use tcpdump, or snort, or Ethereal, or... to
722	* read capture files from your firewall/intrusion detection/traffic
723	* monitoring/etc. appliance, or whatever product uses that DLT_ value,
724	* and you may also find that the developers of those applications will
725	* not accept patches to let them read those files.
726	*
727	* Also, do not use them if somebody might send you a capture using them
728	* for their private type and tools using them for your private type
729	* would have to read them.
730	*
731	* Instead, ask "tcpdump-workers@tcpdump.org" for a new DLT_ value,
732	* as per the comment above, and use the type you're given.
733	*/
734	#define DLT_USER0 147
735	#define DLT_USER1 148
736	#define DLT_USER2 149
737	#define DLT_USER3 150
738	#define DLT_USER4 151
739	#define DLT_USER5 152
740	#define DLT_USER6 153
741	#define DLT_USER7 154
742	#define DLT_USER8 155
743	#define DLT_USER9 156
744	#define DLT_USER10 157
745	#define DLT_USER11 158
746	#define DLT_USER12 159
747	#define DLT_USER13 160
748	#define DLT_USER14 161
749	#define DLT_USER15 162
750
751	#ifdef PRIVATE
752	/*
753	* For Apple private usage
754	*/
755	#define DLT_USER0_APPLE_INTERNAL DLT_USER0 /* rdar://12019509 */
756	#define DLT_USER1_APPLE_INTERNAL DLT_USER1 /* rdar://12019509 */
757	#define DLT_PKTAP DLT_USER2 /* rdar://11779467 */
758	#define DLT_USER3_APPLE_INTERNAL DLT_USER3 /* rdar://19614531 */
759	#define DLT_USER4_APPLE_INTERNAL DLT_USER4 /* rdar://19614531 */
760	#endif /* PRIVATE */
761
762	/*
763	* For future use with 802.11 captures - defined by AbsoluteValue
764	* Systems to store a number of bits of link-layer information
765	* including radio information:
766	*
767	* http://www.shaftnet.org/~pizza/software/capturefrm.txt
768	*
769	* but it might be used by some non-AVS drivers now or in the
770	* future.
771	*/
772	#define DLT_IEEE802_11_RADIO_AVS 163 /* 802.11 plus AVS radio header */
773
774	/*
775	* Juniper-private data link type, as per request from
776	* Hannes Gredler <hannes@juniper.net>. The DLT_s are used
777	* for passing on chassis-internal metainformation such as
778	* QOS profiles, etc..
779	*/
780	#define DLT_JUNIPER_MONITOR 164
781
782	/*
783	* Reserved for BACnet MS/TP.
784	*/
785	#define DLT_BACNET_MS_TP 165
786
787	/*
788	* Another PPP variant as per request from Karsten Keil <kkeil@suse.de>.
789	*
790	* This is used in some OSes to allow a kernel socket filter to distinguish
791	* between incoming and outgoing packets, on a socket intended to
792	* supply pppd with outgoing packets so it can do dial-on-demand and
793	* hangup-on-lack-of-demand; incoming packets are filtered out so they
794	* don't cause pppd to hold the connection up (you don't want random
795	* input packets such as port scans, packets from old lost connections,
796	* etc. to force the connection to stay up).
797	*
798	* The first byte of the PPP header (0xff03) is modified to accomodate
799	* the direction - 0x00 = IN, 0x01 = OUT.
800	*/
801	#define DLT_PPP_PPPD 166
802
803	/*
804	* Names for backwards compatibility with older versions of some PPP
805	* software; new software should use DLT_PPP_PPPD.
806	*/
807	#define DLT_PPP_WITH_DIRECTION DLT_PPP_PPPD
808	#define DLT_LINUX_PPP_WITHDIRECTION DLT_PPP_PPPD
809
810	/*
811	* Juniper-private data link type, as per request from
812	* Hannes Gredler <hannes@juniper.net>. The DLT_s are used
813	* for passing on chassis-internal metainformation such as
814	* QOS profiles, cookies, etc..
815	*/
816	#define DLT_JUNIPER_PPPOE 167
817	#define DLT_JUNIPER_PPPOE_ATM 168
818
819	#define DLT_GPRS_LLC 169 /* GPRS LLC */
820	#define DLT_GPF_T 170 /* GPF-T (ITU-T G.7041/Y.1303) */
821	#define DLT_GPF_F 171 /* GPF-F (ITU-T G.7041/Y.1303) */
822
823	/*
824	* Requested by Oolan Zimmer <oz@gcom.com> for use in Gcom's T1/E1 line
825	* monitoring equipment.
826	*/
827	#define DLT_GCOM_T1E1 172
828	#define DLT_GCOM_SERIAL 173
829
830	/*
831	* Juniper-private data link type, as per request from
832	* Hannes Gredler <hannes@juniper.net>. The DLT_ is used
833	* for internal communication to Physical Interface Cards (PIC)
834	*/
835	#define DLT_JUNIPER_PIC_PEER 174
836
837	/*
838	* Link types requested by Gregor Maier <gregor@endace.com> of Endace
839	* Measurement Systems. They add an ERF header (see
840	* http://www.endace.com/support/EndaceRecordFormat.pdf) in front of
841	* the link-layer header.
842	*/
843	#define DLT_ERF_ETH 175 /* Ethernet */
844	#define DLT_ERF_POS 176 /* Packet-over-SONET */
845
846	/*
847	* Requested by Daniele Orlandi <daniele@orlandi.com> for raw LAPD
848	* for vISDN (http://www.orlandi.com/visdn/). Its link-layer header
849	* includes additional information before the LAPD header, so it's
850	* not necessarily a generic LAPD header.
851	*/
852	#define DLT_LINUX_LAPD 177
853
854	/*
855	* Juniper-private data link type, as per request from
856	* Hannes Gredler <hannes@juniper.net>.
857	* The DLT_ are used for prepending meta-information
858	* like interface index, interface name
859	* before standard Ethernet, PPP, Frelay & C-HDLC Frames
860	*/
861	#define DLT_JUNIPER_ETHER 178
862	#define DLT_JUNIPER_PPP 179
863	#define DLT_JUNIPER_FRELAY 180
864	#define DLT_JUNIPER_CHDLC 181
865
866	/*
867	* Multi Link Frame Relay (FRF.16)
868	*/
869	#define DLT_MFR 182
870
871	/*
872	* Juniper-private data link type, as per request from
873	* Hannes Gredler <hannes@juniper.net>.
874	* The DLT_ is used for internal communication with a
875	* voice Adapter Card (PIC)
876	*/
877	#define DLT_JUNIPER_VP 183
878
879	/*
880	* Arinc 429 frames.
881	* DLT_ requested by Gianluca Varenni <gianluca.varenni@cacetech.com>.
882	* Every frame contains a 32bit A429 label.
883	* More documentation on Arinc 429 can be found at
884	* http://www.condoreng.com/support/downloads/tutorials/ARINCTutorial.pdf
885	*/
886	#define DLT_A429 184
887
888	/*
889	* Arinc 653 Interpartition Communication messages.
890	* DLT_ requested by Gianluca Varenni <gianluca.varenni@cacetech.com>.
891	* Please refer to the A653-1 standard for more information.
892	*/
893	#define DLT_A653_ICM 185
894
895	/*
896	* USB packets, beginning with a USB setup header; requested by
897	* Paolo Abeni <paolo.abeni@email.it>.
898	*/
899	#define DLT_USB 186
900
901	/*
902	* Bluetooth HCI UART transport layer (part H:4); requested by
903	* Paolo Abeni.
904	*/
905	#define DLT_BLUETOOTH_HCI_H4 187
906
907	/*
908	* IEEE 802.16 MAC Common Part Sublayer; requested by Maria Cruz
909	* <cruz_petagay@bah.com>.
910	*/
911	#define DLT_IEEE802_16_MAC_CPS 188
912
913	/*
914	* USB packets, beginning with a Linux USB header; requested by
915	* Paolo Abeni <paolo.abeni@email.it>.
916	*/
917	#define DLT_USB_LINUX 189
918
919	/*
920	* Controller Area Network (CAN) v. 2.0B packets.
921	* DLT_ requested by Gianluca Varenni <gianluca.varenni@cacetech.com>.
922	* Used to dump CAN packets coming from a CAN Vector board.
923	* More documentation on the CAN v2.0B frames can be found at
924	* http://www.can-cia.org/downloads/?269
925	*/
926	#define DLT_CAN20B 190
927
928	/*
929	* IEEE 802.15.4, with address fields padded, as is done by Linux
930	* drivers; requested by Juergen Schimmer.
931	*/
932	#define DLT_IEEE802_15_4_LINUX 191
933
934	/*
935	* Per Packet Information encapsulated packets.
936	* DLT_ requested by Gianluca Varenni <gianluca.varenni@cacetech.com>.
937	*/
938	#define DLT_PPI 192
939
940	/*
941	* Header for 802.16 MAC Common Part Sublayer plus a radiotap radio header;
942	* requested by Charles Clancy.
943	*/
944	#define DLT_IEEE802_16_MAC_CPS_RADIO 193
945
946	/*
947	* Juniper-private data link type, as per request from
948	* Hannes Gredler <hannes@juniper.net>.
949	* The DLT_ is used for internal communication with a
950	* integrated service module (ISM).
951	*/
952	#define DLT_JUNIPER_ISM 194
953
954	/*
955	* IEEE 802.15.4, exactly as it appears in the spec (no padding, no
956	* nothing); requested by Mikko Saarnivala <mikko.saarnivala@sensinode.com>.
957	*/
958	#define DLT_IEEE802_15_4 195
959
960	/*
961	* Various link-layer types, with a pseudo-header, for SITA
962	* (http://www.sita.aero/); requested by Fulko Hew (fulko.hew@gmail.com).
963	*/
964	#define DLT_SITA 196
965
966	/*
967	* Various link-layer types, with a pseudo-header, for Endace DAG cards;
968	* encapsulates Endace ERF records. Requested by Stephen Donnelly
969	* <stephen@endace.com>.
970	*/
971	#define DLT_ERF 197
972
973	/*
974	* Special header prepended to Ethernet packets when capturing from a
975	* u10 Networks board. Requested by Phil Mulholland
976	* <phil@u10networks.com>.
977	*/
978	#define DLT_RAIF1 198
979
980	/*
981	* IPMB packet for IPMI, beginning with the I2C slave address, followed
982	* by the netFn and LUN, etc.. Requested by Chanthy Toeung
983	* <chanthy.toeung@ca.kontron.com>.
984	*/
985	#define DLT_IPMB 199
986
987	/*
988	* Juniper-private data link type, as per request from
989	* Hannes Gredler <hannes@juniper.net>.
990	* The DLT_ is used for capturing data on a secure tunnel interface.
991	*/
992	#define DLT_JUNIPER_ST 200
993
994	/*
995	* Bluetooth HCI UART transport layer (part H:4), with pseudo-header
996	* that includes direction information; requested by Paolo Abeni.
997	*/
998	#define DLT_BLUETOOTH_HCI_H4_WITH_PHDR 201
999
1000	/*
1001	* AX.25 packet with a 1-byte KISS header; see
1002	*
1003	* http://www.ax25.net/kiss.htm
1004	*
1005	* as per Richard Stearn <richard@rns-stearn.demon.co.uk>.
1006	*/
1007	#define DLT_AX25_KISS 202
1008
1009	/*
1010	* LAPD packets from an ISDN channel, starting with the address field,
1011	* with no pseudo-header.
1012	* Requested by Varuna De Silva <varunax@gmail.com>.
1013	*/
1014	#define DLT_LAPD 203
1015
1016	/*
1017	* Variants of various link-layer headers, with a one-byte direction
1018	* pseudo-header prepended - zero means "received by this host",
1019	* non-zero (any non-zero value) means "sent by this host" - as per
1020	* Will Barker <w.barker@zen.co.uk>.
1021	*/
1022	#define DLT_PPP_WITH_DIR 204 /* PPP - don't confuse with DLT_PPP_WITH_DIRECTION */
1023	#define DLT_C_HDLC_WITH_DIR 205 /* Cisco HDLC */
1024	#define DLT_FRELAY_WITH_DIR 206 /* Frame Relay */
1025	#define DLT_LAPB_WITH_DIR 207 /* LAPB */
1026
1027	/*
1028	* 208 is reserved for an as-yet-unspecified proprietary link-layer
1029	* type, as requested by Will Barker.
1030	*/
1031
1032	/*
1033	* IPMB with a Linux-specific pseudo-header; as requested by Alexey Neyman
1034	* <avn@pigeonpoint.com>.
1035	*/
1036	#define DLT_IPMB_LINUX 209
1037
1038	/*
1039	* FlexRay automotive bus - http://www.flexray.com/ - as requested
1040	* by Hannes Kaelber <hannes.kaelber@x2e.de>.
1041	*/
1042	#define DLT_FLEXRAY 210
1043
1044	/*
1045	* Media Oriented Systems Transport (MOST) bus for multimedia
1046	* transport - http://www.mostcooperation.com/ - as requested
1047	* by Hannes Kaelber <hannes.kaelber@x2e.de>.
1048	*/
1049	#define DLT_MOST 211
1050
1051	/*
1052	* Local Interconnect Network (LIN) bus for vehicle networks -
1053	* http://www.lin-subbus.org/ - as requested by Hannes Kaelber
1054	* <hannes.kaelber@x2e.de>.
1055	*/
1056	#define DLT_LIN 212
1057
1058	/*
1059	* X2E-private data link type used for serial line capture,
1060	* as requested by Hannes Kaelber <hannes.kaelber@x2e.de>.
1061	*/
1062	#define DLT_X2E_SERIAL 213
1063
1064	/*
1065	* X2E-private data link type used for the Xoraya data logger
1066	* family, as requested by Hannes Kaelber <hannes.kaelber@x2e.de>.
1067	*/
1068	#define DLT_X2E_XORAYA 214
1069
1070	/*
1071	* IEEE 802.15.4, exactly as it appears in the spec (no padding, no
1072	* nothing), but with the PHY-level data for non-ASK PHYs (4 octets
1073	* of 0 as preamble, one octet of SFD, one octet of frame length+
1074	* reserved bit, and then the MAC-layer data, starting with the
1075	* frame control field).
1076	*
1077	* Requested by Max Filippov <jcmvbkbc@gmail.com>.
1078	*/
1079	#define DLT_IEEE802_15_4_NONASK_PHY 215
1080
1081	/*
1082	* David Gibson <david@gibson.dropbear.id.au> requested this for
1083	* captures from the Linux kernel /dev/input/eventN devices. This
1084	* is used to communicate keystrokes and mouse movements from the
1085	* Linux kernel to display systems, such as Xorg.
1086	*/
1087	#define DLT_LINUX_EVDEV 216
1088
1089	/*
1090	* GSM Um and Abis interfaces, preceded by a "gsmtap" header.
1091	*
1092	* Requested by Harald Welte <laforge@gnumonks.org>.
1093	*/
1094	#define DLT_GSMTAP_UM 217
1095	#define DLT_GSMTAP_ABIS 218
1096
1097	/*
1098	* MPLS, with an MPLS label as the link-layer header.
1099	* Requested by Michele Marchetto <michele@openbsd.org> on behalf
1100	* of OpenBSD.
1101	*/
1102	#define DLT_MPLS 219
1103
1104	/*
1105	* USB packets, beginning with a Linux USB header, with the USB header
1106	* padded to 64 bytes; required for memory-mapped access.
1107	*/
1108	#define DLT_USB_LINUX_MMAPPED 220
1109
1110	/*
1111	* DECT packets, with a pseudo-header; requested by
1112	* Matthias Wenzel <tcpdump@mazzoo.de>.
1113	*/
1114	#define DLT_DECT 221
1115
1116	/*
1117	* From: "Lidwa, Eric (GSFC-582.0)[SGT INC]" <eric.lidwa-1@nasa.gov>
1118	* Date: Mon, 11 May 2009 11:18:30 -0500
1119	*
1120	* DLT_AOS. We need it for AOS Space Data Link Protocol.
1121	* I have already written dissectors for but need an OK from
1122	* legal before I can submit a patch.
1123	*
1124	*/
1125	#define DLT_AOS 222
1126
1127	/*
1128	* Wireless HART (Highway Addressable Remote Transducer)
1129	* From the HART Communication Foundation
1130	* IES/PAS 62591
1131	*
1132	* Requested by Sam Roberts <vieuxtech@gmail.com>.
1133	*/
1134	#define DLT_WIHART 223
1135
1136	/*
1137	* Fibre Channel FC-2 frames, beginning with a Frame_Header.
1138	* Requested by Kahou Lei <kahou82@gmail.com>.
1139	*/
1140	#define DLT_FC_2 224
1141
1142	/*
1143	* Fibre Channel FC-2 frames, beginning with an encoding of the
1144	* SOF, and ending with an encoding of the EOF.
1145	*
1146	* The encodings represent the frame delimiters as 4-byte sequences
1147	* representing the corresponding ordered sets, with K28.5
1148	* represented as 0xBC, and the D symbols as the corresponding
1149	* byte values; for example, SOFi2, which is K28.5 - D21.5 - D1.2 - D21.2,
1150	* is represented as 0xBC 0xB5 0x55 0x55.
1151	*
1152	* Requested by Kahou Lei <kahou82@gmail.com>.
1153	*/
1154	#define DLT_FC_2_WITH_FRAME_DELIMS 225
1155
1156	/*
1157	* Solaris ipnet pseudo-header; requested by Darren Reed <Darren.Reed@Sun.COM>.
1158	*
1159	* The pseudo-header starts with a one-byte version number; for version 2,
1160	* the pseudo-header is:
1161	*
1162	* struct dl_ipnetinfo {
1163	* u_int8_t dli_version;
1164	* u_int8_t dli_family;
1165	* u_int16_t dli_htype;
1166	* u_int32_t dli_pktlen;
1167	* u_int32_t dli_ifindex;
1168	* u_int32_t dli_grifindex;
1169	* u_int32_t dli_zsrc;
1170	* u_int32_t dli_zdst;
1171	* };
1172	*
1173	* dli_version is 2 for the current version of the pseudo-header.
1174	*
1175	* dli_family is a Solaris address family value, so it's 2 for IPv4
1176	* and 26 for IPv6.
1177	*
1178	* dli_htype is a "hook type" - 0 for incoming packets, 1 for outgoing
1179	* packets, and 2 for packets arriving from another zone on the same
1180	* machine.
1181	*
1182	* dli_pktlen is the length of the packet data following the pseudo-header
1183	* (so the captured length minus dli_pktlen is the length of the
1184	* pseudo-header, assuming the entire pseudo-header was captured).
1185	*
1186	* dli_ifindex is the interface index of the interface on which the
1187	* packet arrived.
1188	*
1189	* dli_grifindex is the group interface index number (for IPMP interfaces).
1190	*
1191	* dli_zsrc is the zone identifier for the source of the packet.
1192	*
1193	* dli_zdst is the zone identifier for the destination of the packet.
1194	*
1195	* A zone number of 0 is the global zone; a zone number of 0xffffffff
1196	* means that the packet arrived from another host on the network, not
1197	* from another zone on the same machine.
1198	*
1199	* An IPv4 or IPv6 datagram follows the pseudo-header; dli_family indicates
1200	* which of those it is.
1201	*/
1202	#define DLT_IPNET 226
1203
1204	/*
1205	* CAN (Controller Area Network) frames, with a pseudo-header as supplied
1206	* by Linux SocketCAN. See Documentation/networking/can.txt in the Linux
1207	* source.
1208	*
1209	* Requested by Felix Obenhuber <felix@obenhuber.de>.
1210	*/
1211	#define DLT_CAN_SOCKETCAN 227
1212
1213	/*
1214	* Raw IPv4/IPv6; different from DLT_RAW in that the DLT_ value specifies
1215	* whether it's v4 or v6. Requested by Darren Reed <Darren.Reed@Sun.COM>.
1216	*/
1217	#define DLT_IPV4 228
1218	#define DLT_IPV6 229
1219
1220	/*
1221	* IEEE 802.15.4, exactly as it appears in the spec (no padding, no
1222	* nothing), and with no FCS at the end of the frame; requested by
1223	* Jon Smirl <jonsmirl@gmail.com>.
1224	*/
1225	#define DLT_IEEE802_15_4_NOFCS 230
1226
1227	/*
1228	* Raw D-Bus:
1229	*
1230	* http://www.freedesktop.org/wiki/Software/dbus
1231	*
1232	* messages:
1233	*
1234	* http://dbus.freedesktop.org/doc/dbus-specification.html#message-protocol-messages
1235	*
1236	* starting with the endianness flag, followed by the message type, etc.,
1237	* but without the authentication handshake before the message sequence:
1238	*
1239	* http://dbus.freedesktop.org/doc/dbus-specification.html#auth-protocol
1240	*
1241	* Requested by Martin Vidner <martin@vidner.net>.
1242	*/
1243	#define DLT_DBUS 231
1244
1245	/*
1246	* Juniper-private data link type, as per request from
1247	* Hannes Gredler <hannes@juniper.net>.
1248	*/
1249	#define DLT_JUNIPER_VS 232
1250	#define DLT_JUNIPER_SRX_E2E 233
1251	#define DLT_JUNIPER_FIBRECHANNEL 234
1252
1253	/*
1254	* DVB-CI (DVB Common Interface for communication between a PC Card
1255	* module and a DVB receiver). See
1256	*
1257	* http://www.kaiser.cx/pcap-dvbci.html
1258	*
1259	* for the specification.
1260	*
1261	* Requested by Martin Kaiser <martin@kaiser.cx>.
1262	*/
1263	#define DLT_DVB_CI 235
1264
1265	/*
1266	* Variant of 3GPP TS 27.010 multiplexing protocol (similar to, but
1267	* not the same as, 27.010). Requested by Hans-Christoph Schemmel
1268	* <hans-christoph.schemmel@cinterion.com>.
1269	*/
1270	#define DLT_MUX27010 236
1271
1272	/*
1273	* STANAG 5066 D_PDUs. Requested by M. Baris Demiray
1274	* <barisdemiray@gmail.com>.
1275	*/
1276	#define DLT_STANAG_5066_D_PDU 237
1277
1278	/*
1279	* Juniper-private data link type, as per request from
1280	* Hannes Gredler <hannes@juniper.net>.
1281	*/
1282	#define DLT_JUNIPER_ATM_CEMIC 238
1283
1284	/*
1285	* NetFilter LOG messages
1286	* (payload of netlink NFNL_SUBSYS_ULOG/NFULNL_MSG_PACKET packets)
1287	*
1288	* Requested by Jakub Zawadzki <darkjames-ws@darkjames.pl>
1289	*/
1290	#define DLT_NFLOG 239
1291
1292	/*
1293	* Hilscher Gesellschaft fuer Systemautomation mbH link-layer type
1294	* for Ethernet packets with a 4-byte pseudo-header and always
1295	* with the payload including the FCS, as supplied by their
1296	* netANALYZER hardware and software.
1297	*
1298	* Requested by Holger P. Frommer <HPfrommer@hilscher.com>
1299	*/
1300	#define DLT_NETANALYZER 240
1301
1302	/*
1303	* Hilscher Gesellschaft fuer Systemautomation mbH link-layer type
1304	* for Ethernet packets with a 4-byte pseudo-header and FCS and
1305	* with the Ethernet header preceded by 7 bytes of preamble and
1306	* 1 byte of SFD, as supplied by their netANALYZER hardware and
1307	* software.
1308	*
1309	* Requested by Holger P. Frommer <HPfrommer@hilscher.com>
1310	*/
1311	#define DLT_NETANALYZER_TRANSPARENT 241
1312
1313	/*
1314	* IP-over-Infiniband, as specified by RFC 4391.
1315	*
1316	* Requested by Petr Sumbera <petr.sumbera@oracle.com>.
1317	*/
1318	#define DLT_IPOIB 242
1319
1320	/*
1321	* MPEG-2 transport stream (ISO 13818-1/ITU-T H.222.0).
1322	*
1323	* Requested by Guy Martin <gmsoft@tuxicoman.be>.
1324	*/
1325	#define DLT_MPEG_2_TS 243
1326
1327	/*
1328	* ng4T GmbH's UMTS Iub/Iur-over-ATM and Iub/Iur-over-IP format as
1329	* used by their ng40 protocol tester.
1330	*
1331	* Requested by Jens Grimmer <jens.grimmer@ng4t.com>.
1332	*/
1333	#define DLT_NG40 244
1334
1335	/*
1336	* Pseudo-header giving adapter number and flags, followed by an NFC
1337	* (Near-Field Communications) Logical Link Control Protocol (LLCP) PDU,
1338	* as specified by NFC Forum Logical Link Control Protocol Technical
1339	* Specification LLCP 1.1.
1340	*
1341	* Requested by Mike Wakerly <mikey@google.com>.
1342	*/
1343	#define DLT_NFC_LLCP 245
1344
1345	/*
1346	* USB packets, beginning with a Darwin (macOS, etc.) USB header.
1347	*/
1348	#define DLT_USB_DARWIN 266
1349
1350	#define DLT_MATCHING_MAX 266 /* highest value in the "matching" range */
1351
1352	#if !defined(DRIVERKIT)
1353	/*
1354	* The instruction encodings.
1355	*/
1356	/ instruction classes /
1357	#define BPF_CLASS(code) ((code) & 0x07)
1358	#define BPF_LD 0x00
1359	#define BPF_LDX 0x01
1360	#define BPF_ST 0x02
1361	#define BPF_STX 0x03
1362	#define BPF_ALU 0x04
1363	#define BPF_JMP 0x05
1364	#define BPF_RET 0x06
1365	#define BPF_MISC 0x07
1366
1367	/ ld/ldx fields /
1368	#define BPF_SIZE(code) ((code) & 0x18)
1369	#define BPF_W 0x00
1370	#define BPF_H 0x08
1371	#define BPF_B 0x10
1372	#define BPF_MODE(code) ((code) & 0xe0)
1373	#define BPF_IMM 0x00
1374	#define BPF_ABS 0x20
1375	#define BPF_IND 0x40
1376	#define BPF_MEM 0x60
1377	#define BPF_LEN 0x80
1378	#define BPF_MSH 0xa0
1379
1380	/ alu/jmp fields /
1381	#define BPF_OP(code) ((code) & 0xf0)
1382	#define BPF_ADD 0x00
1383	#define BPF_SUB 0x10
1384	#define BPF_MUL 0x20
1385	#define BPF_DIV 0x30
1386	#define BPF_OR 0x40
1387	#define BPF_AND 0x50
1388	#define BPF_LSH 0x60
1389	#define BPF_RSH 0x70
1390	#define BPF_NEG 0x80
1391	#define BPF_JA 0x00
1392	#define BPF_JEQ 0x10
1393	#define BPF_JGT 0x20
1394	#define BPF_JGE 0x30
1395	#define BPF_JSET 0x40
1396	#define BPF_SRC(code) ((code) & 0x08)
1397	#define BPF_K 0x00
1398	#define BPF_X 0x08
1399
1400	/ ret - BPF_K and BPF_X also apply /
1401	#define BPF_RVAL(code) ((code) & 0x18)
1402	#define BPF_A 0x10
1403
1404	/ misc /
1405	#define BPF_MISCOP(code) ((code) & 0xf8)
1406	#define BPF_TAX 0x00
1407	#define BPF_TXA 0x80
1408
1409	/*
1410	* Number of scratch memory words (for BPF_LD\|BPF_MEM and BPF_ST).
1411	*/
1412	#define BPF_MEMWORDS 16
1413
1414	/*
1415	* The instruction data structure.
1416	*/
1417	struct bpf_insn {
1418	u_short code;
1419	u_char jt;
1420	u_char jf;
1421	bpf_u_int32 k;
1422	};
1423
1424	/*
1425	* Macros for insn array initializers.
1426	*/
1427	#define BPF_STMT(code, k) { (u_short)(code), 0, 0, k }
1428	#define BPF_JUMP(code, k, jt, jf) { (u_short)(code), jt, jf, k }
1429
1430	#pragma pack(4)
1431
1432	/*
1433	* Structure to retrieve available DLTs for the interface.
1434	*/
1435	struct bpf_dltlist {
1436	u_int32_t bfl_len; / number of bfd_list array /
1437	union {
1438	u_int32_t bflu_list; /* array of DLTs /
1439	u_int64_t bflu_pad;
1440	} bfl_u;
1441	};
1442	#define bfl_list bfl_u.bflu_list
1443
1444	#pragma pack()
1445
1446	#ifdef KERNEL_PRIVATE
1447	#define BPF_MIN_PKT_SIZE 40
1448	#define PORT_DNS 53
1449	#define PORT_BOOTPS 67
1450	#define PORT_BOOTPC 68
1451	#define PORT_ISAKMP 500
1452	#define PORT_ISAKMP_NATT 4500 /* rfc3948 */
1453
1454	/ Forward declerations /
1455	struct ifnet;
1456	struct mbuf;
1457
1458	#define BPF_PACKET_TYPE_MBUF 0
1459	#if SKYWALK
1460	#define BPF_PACKET_TYPE_PKT 1
1461	#include <skywalk/os_skywalk.h>
1462	#endif /* SKYWALK */
1463
1464	struct bpf_packet {
1465	int bpfp_type;
1466	void * bpfp_header; / optional /
1467	size_t bpfp_header_length;
1468	union {
1469	struct mbuf *bpfpu_mbuf;
1470	void * bpfpu_ptr;
1471	#if SKYWALK
1472	kern_packet_t bpfpu_pkt;
1473	#define bpfp_pkt bpfp_u.bpfpu_pkt
1474	#endif /* SKYWALK */
1475	} bpfp_u;
1476	#define bpfp_mbuf bpfp_u.bpfpu_mbuf
1477	#define bpfp_ptr bpfp_u.bpfpu_ptr
1478	size_t bpfp_total_length; / length including optional header /
1479	};
1480
1481	extern int bpf_validate(const struct bpf_insn , int*);
1482	extern void bpfdetach(struct ifnet *);
1483	extern void bpfilterattach(int);
1484	extern u_int bpf_filter(const struct bpf_insn , u_char , u_int, u_int);
1485	#endif /* KERNEL_PRIVATE */
1486
1487	#endif /* !defined(DRIVERKIT) */
1488
1489	#if defined(DRIVERKIT) \|\| defined(KERNEL)
1490	#ifndef BPF_TAP_MODE_T
1491	#define BPF_TAP_MODE_T
1492	/!*
1493	* @enum BPF tap mode
1494	* @abstract Constants defining interface families.
1495	* @constant BPF_MODE_DISABLED Disable bpf.
1496	* @constant BPF_MODE_INPUT Enable input only.
1497	* @constant BPF_MODE_OUTPUT Enable output only.
1498	* @constant BPF_MODE_INPUT_OUTPUT Enable input and output.
1499	*/
1500
1501	enum {
1502	BPF_MODE_DISABLED = `0`,
1503	BPF_MODE_INPUT = `1`,
1504	BPF_MODE_OUTPUT = `2`,
1505	BPF_MODE_INPUT_OUTPUT = `3`
1506	};
1507	/!*
1508	* @typedef bpf_tap_mode
1509	* @abstract Mode for tapping. BPF_MODE_DISABLED/BPF_MODE_INPUT_OUTPUT etc.
1510	*/
1511	typedef uint32_t bpf_tap_mode;
1512	#endif /* !BPF_TAP_MODE_T */
1513	#endif /* defined(DRIVERKIT) \|\| defined(KERNEL) */
1514
1515	#ifdef KERNEL
1516	/!*
1517	* @typedef bpf_send_func
1518	* @discussion bpf_send_func is called when a bpf file descriptor is
1519	* used to send a raw packet on the interface. The mbuf and data
1520	* link type are specified. The callback is responsible for
1521	* releasing the mbuf whether or not it returns an error.
1522	* @param interface The interface the packet is being sent on.
1523	* @param data_link_type The data link type the bpf device is attached to.
1524	* @param packet The packet to be sent.
1525	*/
1526	typedef errno_t (*bpf_send_func)(ifnet_t interface, u_int32_t data_link_type,
1527	mbuf_t packet);
1528
1529	/!*
1530	* @typedef bpf_tap_func
1531	* @discussion bpf_tap_func is called when the tap state of the
1532	* interface changes. This happens when a bpf device attaches to an
1533	* interface or detaches from an interface. The tap mode will join
1534	* together (bit or) the modes of all bpf devices using that
1535	* interface for that dlt. If you return an error from this
1536	* function, the bpf device attach attempt that triggered the tap
1537	* will fail. If this function was called bacuse the tap state was
1538	* decreasing (tap in or out is stopping), the error will be
1539	* ignored.
1540	* @param interface The interface being tapped.
1541	* @param data_link_type The data link type being tapped.
1542	* @param direction The direction of the tap.
1543	*/
1544	typedef errno_t (*bpf_tap_func)(ifnet_t interface, u_int32_t data_link_type,
1545	bpf_tap_mode direction);
1546
1547	/!*
1548	* @function bpfattach
1549	* @discussion Registers an interface with BPF. This allows bpf devices
1550	* to attach to your interface to capture packets. Your interface
1551	* will be unregistered automatically when your interface is
1552	* detached.
1553	* @param interface The interface to register with BPF.
1554	* @param data_link_type The data link type of the interface. See the
1555	* DLT_* defines in bpf.h.
1556	* @param header_length The length, in bytes, of the data link header.
1557	*/
1558	extern void bpfattach(ifnet_t interface, u_int data_link_type,
1559	u_int header_length);
1560
1561	/!*
1562	* @function bpf_attach
1563	* @discussion Registers an interface with BPF. This allows bpf devices
1564	* to attach to your interface to capture and transmit packets.
1565	* Your interface will be unregistered automatically when your
1566	* interface is detached. You may register multiple times with
1567	* different data link types. An 802.11 interface would use this to
1568	* allow clients to pick whether they want just an ethernet style
1569	* frame or the 802.11 wireless headers as well. The first dlt you
1570	* register will be considered the default. Any bpf device attaches
1571	* that do not specify a data link type will use the default.
1572	* @param interface The interface to register with BPF.
1573	* @param data_link_type The data link type of the interface. See the
1574	* DLT_* defines in bpf.h.
1575	* @param header_length The length, in bytes, of the data link header.
1576	* @param send See the bpf_send_func described above.
1577	* @param tap See the bpf_tap_func described above.
1578	*/
1579	extern errno_t bpf_attach(ifnet_t interface, u_int32_t data_link_type,
1580	u_int32_t header_length, bpf_send_func send, bpf_tap_func tap);
1581
1582	/!*
1583	* @function bpf_tap_in
1584	* @discussion Call this function when your interface receives a
1585	* packet. This function will check if any bpf devices need a
1586	* a copy of the packet.
1587	* @param interface The interface the packet was received on.
1588	* @param dlt The data link type of the packet.
1589	* @param packet The packet received.
1590	* @param header An optional pointer to a header that will be prepended.
1591	* @param header_len If the header was specified, the length of the header.
1592	*/
1593	extern void bpf_tap_in(ifnet_t interface, u_int32_t dlt, mbuf_t packet,
1594	void *header, size_t header_len);
1595
1596	/!*
1597	* @function bpf_tap_out
1598	* @discussion Call this function when your interface transmits a
1599	* packet. This function will check if any bpf devices need a
1600	* a copy of the packet.
1601	* @param interface The interface the packet was or will be transmitted on.
1602	* @param dlt The data link type of the packet.
1603	* @param packet The packet received.
1604	* @param header An optional pointer to a header that will be prepended.
1605	* @param header_len If the header was specified, the length of the header.
1606	*/
1607	extern void bpf_tap_out(ifnet_t interface, u_int32_t dlt, mbuf_t packet,
1608	void *header, size_t header_len);
1609
1610	#if SKYWALK
1611	/!*
1612	* @function bpf_tap_packet_in
1613	* @discussion Call this function when your interface receives a
1614	* packet. This function will check if any bpf devices need a
1615	* a copy of the packet.
1616	* @param interface The interface the packet was received on.
1617	* @param dlt The data link type of the packet.
1618	* @param packet The packet received.
1619	* @param header An optional pointer to a header that will be prepended.
1620	* @param header_len If the header was specified, the length of the header.
1621	*/
1622	extern void bpf_tap_packet_in(ifnet_t interface, u_int32_t dlt,
1623	kern_packet_t packet, void *header, size_t header_len);
1624
1625	/!*
1626	* @function bpf_tap_packet_out
1627	* @discussion Call this function when your interface transmits a
1628	* packet. This function will check if any bpf devices need a
1629	* a copy of the packet.
1630	* @param interface The interface the packet was or will be transmitted on.
1631	* @param dlt The data link type of the packet.
1632	* @param packet The packet received.
1633	* @param header An optional pointer to a header that will be prepended.
1634	* @param header_len If the header was specified, the length of the header.
1635	*/
1636	extern void bpf_tap_packet_out(ifnet_t interface, u_int32_t dlt,
1637	kern_packet_t packet, void *header, size_t header_len);
1638
1639	#endif /* SKYWALK */
1640	#endif /* KERNEL */
1641
1642	#endif /* _NET_BPF_H_ */
1643

Browse the source code of xnu/bsd/net/bpf.h