Add LINKTYPE_ names to the pcap-linktype man page, and include the
values, as those are not platform-dependent and appear in the per-file header of capture files. Note that the "10MB" in DLT_EN10MB, and the "IEEE802" in "DLT_IEEE802", are historical (so people don't think DLT_EN10MB is only for 10MB Ethernet). Don't describe the DLT_PFLOG header - it's in the format of a "struct pfloghdr" on the OS on which the file was saved, which is OS-dependent and release-dependent. Refer to the pcap-linktype man page in the pcap-savefile man page.
This commit is contained in:
parent
e16bb01d4c
commit
174d9b71ca
|
@ -1,4 +1,4 @@
|
||||||
.\" @(#) $Header: /tcpdump/master/libpcap/pcap-linktype.manmisc.in,v 1.1 2008-10-21 07:33:01 guy Exp $
|
.\" @(#) $Header: /tcpdump/master/libpcap/pcap-linktype.manmisc.in,v 1.2 2008-10-24 07:33:50 guy Exp $
|
||||||
.\"
|
.\"
|
||||||
.\" Copyright (c) 1987, 1988, 1989, 1990, 1991, 1992, 1994, 1995, 1996, 1997
|
.\" Copyright (c) 1987, 1988, 1989, 1990, 1991, 1992, 1994, 1995, 1996, 1997
|
||||||
.\" The Regents of the University of California. All rights reserved.
|
.\" The Regents of the University of California. All rights reserved.
|
||||||
|
@ -20,22 +20,42 @@
|
||||||
.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
|
.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
|
||||||
.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
|
.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
|
||||||
.\"
|
.\"
|
||||||
.TH PCAP-LINKTYPE @MAN_MISC_INFO@ "4 April 2008"
|
.TH PCAP-LINKTYPE @MAN_MISC_INFO@ "23 October 2008"
|
||||||
.SH NAME
|
.SH NAME
|
||||||
pcap-linktype \- link-layer header types supported by libpcap
|
pcap-linktype \- link-layer header types supported by libpcap
|
||||||
.SH DESCRIPTION
|
.SH DESCRIPTION
|
||||||
Libpcap supplies for a live capture or ``savefile'' value that indicates
|
For a live capture or ``savefile'', libpcap supplies, as the return
|
||||||
the type of link-layer header at the beginning of the packets it
|
value of the
|
||||||
provides. This is not necessarily the type of link-layer header that
|
.BR pcap_datalink (3PCAP)
|
||||||
the packets being captured have on the network from which they're being
|
routine, a value that indicates the type of link-layer header at the
|
||||||
captured; for example, packets from an IEEE 802.11 network might be
|
beginning of the packets it provides. This is not necessarily the type
|
||||||
provided by libpcap with Ethernet headers that the network adapter or
|
of link-layer header that the packets being captured have on the network
|
||||||
the network adapter driver generates from the 802.11 headers.
|
from which they're being captured; for example, packets from an IEEE
|
||||||
|
802.11 network might be provided by libpcap with Ethernet headers that
|
||||||
|
the network adapter or the network adapter driver generates from the
|
||||||
|
802.11 headers. The names for those values begin with
|
||||||
|
.BR DLT_ ,
|
||||||
|
so they are sometimes called "DLT_ values".
|
||||||
.PP
|
.PP
|
||||||
The link-layer header types supported by libpcap are:
|
The values stored in the link-layer header type field in the savefile
|
||||||
|
header are, in most but not all cases, the same as the values returned
|
||||||
|
by
|
||||||
|
.BR pcap_datalink() .
|
||||||
|
The names for those values begin with
|
||||||
|
.BR LINKTYPE_ .
|
||||||
|
.PP
|
||||||
|
The link-layer header types supported by libpcap are listed here. The
|
||||||
|
value corresponding to
|
||||||
|
.B LINKTYPE_
|
||||||
|
names are given; the value corresponding to
|
||||||
|
.B DLT_
|
||||||
|
values are, in some cases, platform dependent, and are not given;
|
||||||
|
applications should check for particular
|
||||||
|
.B DLT_
|
||||||
|
values by name.
|
||||||
.RS 5
|
.RS 5
|
||||||
.TP 5
|
.TP 5
|
||||||
.B DLT_NULL
|
.BR DLT_NULL ", " LINKTYPE_NULL = 0
|
||||||
BSD loopback encapsulation; the link layer header is a 4-byte field, in
|
BSD loopback encapsulation; the link layer header is a 4-byte field, in
|
||||||
.I host
|
.I host
|
||||||
byte order, containing a PF_ value from
|
byte order, containing a PF_ value from
|
||||||
|
@ -52,16 +72,24 @@ values are
|
||||||
.I not
|
.I not
|
||||||
necessarily those of the machine reading the capture file.
|
necessarily those of the machine reading the capture file.
|
||||||
.TP 5
|
.TP 5
|
||||||
.B DLT_EN10MB
|
.BR DLT_EN10MB ", " LINKTYPE_ETHERNET = 1
|
||||||
Ethernet (10Mb, 100Mb, 1000Mb, and up)
|
Ethernet (10Mb, 100Mb, 1000Mb, and up); the
|
||||||
|
.B 10MB
|
||||||
|
in the
|
||||||
|
.B DLT_
|
||||||
|
name is historical.
|
||||||
.TP 5
|
.TP 5
|
||||||
.B DLT_IEEE802
|
.BR DLT_IEEE802 ", " LINKTYPE_TOKEN_RING = 6
|
||||||
IEEE 802.5 Token Ring
|
IEEE 802.5 Token Ring; the
|
||||||
|
.B IEEE802
|
||||||
|
in the
|
||||||
|
.B DLT_
|
||||||
|
name is historical.
|
||||||
.TP 5
|
.TP 5
|
||||||
.B DLT_ARCNET
|
.BR DLT_ARCNET ", " LINKTYPE_ARCNET = 7
|
||||||
ARCNET
|
ARCNET
|
||||||
.TP 5
|
.TP 5
|
||||||
.B DLT_SLIP
|
.BR DLT_SLIP ", " LINKTYPE_SLIP = 8
|
||||||
SLIP; the link layer header contains, in order:
|
SLIP; the link layer header contains, in order:
|
||||||
.RS 10
|
.RS 10
|
||||||
.LP
|
.LP
|
||||||
|
@ -93,40 +121,40 @@ COMPRESSED_TCP, the compressed TCP/IP datagram header;
|
||||||
for a total of 16 bytes; the uncompressed IP datagram follows the header.
|
for a total of 16 bytes; the uncompressed IP datagram follows the header.
|
||||||
.RE
|
.RE
|
||||||
.TP 5
|
.TP 5
|
||||||
.B DLT_PPP
|
.BR DLT_PPP ", " LINKTYPE_PPP = 9
|
||||||
PPP; if the first 2 bytes are 0xff and 0x03, it's PPP in HDLC-like
|
PPP; if the first 2 bytes are 0xff and 0x03, it's PPP in HDLC-like
|
||||||
framing, with the PPP header following those two bytes, otherwise it's
|
framing, with the PPP header following those two bytes, otherwise it's
|
||||||
PPP without framing, and the packet begins with the PPP header.
|
PPP without framing, and the packet begins with the PPP header.
|
||||||
.TP 5
|
.TP 5
|
||||||
.B DLT_FDDI
|
.BR DLT_FDDI ", " LINKTYPE_FDDI = 10
|
||||||
FDDI
|
FDDI
|
||||||
.TP 5
|
.TP 5
|
||||||
.B DLT_ATM_RFC1483
|
.BR DLT_ATM_RFC1483 ", " LINKTYPE_ATM_RFC1483 = 100
|
||||||
RFC 1483 LLC/SNAP-encapsulated ATM; the packet begins with an IEEE 802.2
|
RFC 1483 LLC/SNAP-encapsulated ATM; the packet begins with an IEEE 802.2
|
||||||
LLC header.
|
LLC header.
|
||||||
.TP 5
|
.TP 5
|
||||||
.B DLT_RAW
|
.BR DLT_RAW ", " LINKTYPE_RAW = 101
|
||||||
raw IP; the packet begins with an IP header.
|
raw IP; the packet begins with an IP header.
|
||||||
.TP 5
|
.TP 5
|
||||||
.B DLT_PPP_SERIAL
|
.BR DLT_PPP_SERIAL ", " LINKTYPE_PPP_HDLC = 50
|
||||||
PPP in HDLC-like framing, as per RFC 1662, or Cisco PPP with HDLC
|
PPP in HDLC-like framing, as per RFC 1662, or Cisco PPP with HDLC
|
||||||
framing, as per section 4.3.1 of RFC 1547; the first byte will be 0xFF
|
framing, as per section 4.3.1 of RFC 1547; the first byte will be 0xFF
|
||||||
for PPP in HDLC-like framing, and will be 0x0F or 0x8F for Cisco PPP
|
for PPP in HDLC-like framing, and will be 0x0F or 0x8F for Cisco PPP
|
||||||
with HDLC framing.
|
with HDLC framing.
|
||||||
.TP 5
|
.TP 5
|
||||||
.B DLT_PPP_ETHER
|
.BR DLT_PPP_ETHER ", " LINKTYPE_PPP_ETHER = 51
|
||||||
PPPoE; the packet begins with a PPPoE header, as per RFC 2516.
|
PPPoE; the packet begins with a PPPoE header, as per RFC 2516.
|
||||||
.TP 5
|
.TP 5
|
||||||
.B DLT_C_HDLC
|
.BR DLT_C_HDLC ", " LINKTYPE_C_HDLC = 104
|
||||||
Cisco PPP with HDLC framing, as per section 4.3.1 of RFC 1547.
|
Cisco PPP with HDLC framing, as per section 4.3.1 of RFC 1547.
|
||||||
.TP 5
|
.TP 5
|
||||||
.B DLT_IEEE802_11
|
.BR DLT_IEEE802_11 ", " LINKTYPE_IEEE802_11 = 105
|
||||||
IEEE 802.11 wireless LAN
|
IEEE 802.11 wireless LAN
|
||||||
.TP 5
|
.TP 5
|
||||||
.B DLT_FRELAY
|
.BR DLT_FRELAY ", " LINKTYPE_FRELAY = 107
|
||||||
Frame Relay
|
Frame Relay
|
||||||
.TP 5
|
.TP 5
|
||||||
.B DLT_LOOP
|
.BR DLT_LOOP ", " LINKTYPE_LOOP = 108
|
||||||
OpenBSD loopback encapsulation; the link layer header is a 4-byte field, in
|
OpenBSD loopback encapsulation; the link layer header is a 4-byte field, in
|
||||||
.I network
|
.I network
|
||||||
byte order, containing a PF_ value from OpenBSD's
|
byte order, containing a PF_ value from OpenBSD's
|
||||||
|
@ -137,7 +165,7 @@ Note that, if a ``savefile'' is being read, those PF_ values are
|
||||||
.I not
|
.I not
|
||||||
necessarily those of the machine reading the capture file.
|
necessarily those of the machine reading the capture file.
|
||||||
.TP 5
|
.TP 5
|
||||||
.B DLT_LINUX_SLL
|
.BR DLT_LINUX_SLL ", " LINKTYPE_LINUX_SLL = 113
|
||||||
Linux "cooked" capture encapsulation; the link layer header contains, in
|
Linux "cooked" capture encapsulation; the link layer header contains, in
|
||||||
order:
|
order:
|
||||||
.RS 10
|
.RS 10
|
||||||
|
@ -175,82 +203,25 @@ order, or containing 1 for Novell 802.3 frames without an 802.2 LLC
|
||||||
header or 4 for frames beginning with an 802.2 LLC header.
|
header or 4 for frames beginning with an 802.2 LLC header.
|
||||||
.RE
|
.RE
|
||||||
.TP 5
|
.TP 5
|
||||||
.B DLT_LTALK
|
.BR DLT_LTALK ", " LINKTYPE_LTALK = 104
|
||||||
Apple LocalTalk; the packet begins with an AppleTalk LLAP header.
|
Apple LocalTalk; the packet begins with an AppleTalk LLAP header.
|
||||||
.TP 5
|
.TP 5
|
||||||
.B DLT_PFLOG
|
.BR DLT_PFLOG ", " LINKTYPE_PFLOG = 117
|
||||||
OpenBSD pflog; the link layer header contains, in order:
|
OpenBSD pflog; the link layer header contains a
|
||||||
.RS 10
|
.B "struct pfloghdr"
|
||||||
.LP
|
structure, as defined by the host on which the file was saved. (This
|
||||||
a 1-byte header length, in host byte order;
|
differs from operating system to operating system and release to
|
||||||
.LP
|
release; there is nothing in the file to indicate what the layout of
|
||||||
a 4-byte PF_ value, in host byte order;
|
that structure is.)
|
||||||
.LP
|
|
||||||
a 2-byte action code, in network byte order, which is one of:
|
|
||||||
.RS 5
|
|
||||||
.TP 5
|
.TP 5
|
||||||
0
|
.BR DLT_PRISM_HEADER ", " LINKTYPE_PRISM_HEADER = 119
|
||||||
passed
|
|
||||||
.TP 5
|
|
||||||
1
|
|
||||||
dropped
|
|
||||||
.TP 5
|
|
||||||
2
|
|
||||||
scrubbed
|
|
||||||
.RE
|
|
||||||
.LP
|
|
||||||
a 2-byte reason code, in network byte order, which is one of:
|
|
||||||
.RS 5
|
|
||||||
.TP 5
|
|
||||||
0
|
|
||||||
match
|
|
||||||
.TP 5
|
|
||||||
1
|
|
||||||
bad offset
|
|
||||||
.TP 5
|
|
||||||
2
|
|
||||||
fragment
|
|
||||||
.TP 5
|
|
||||||
3
|
|
||||||
short
|
|
||||||
.TP 5
|
|
||||||
4
|
|
||||||
normalize
|
|
||||||
.TP 5
|
|
||||||
5
|
|
||||||
memory
|
|
||||||
.RE
|
|
||||||
.LP
|
|
||||||
a 16-character interface name;
|
|
||||||
.LP
|
|
||||||
a 16-character ruleset name (only meaningful if subrule is set);
|
|
||||||
.LP
|
|
||||||
a 4-byte rule number, in network byte order;
|
|
||||||
.LP
|
|
||||||
a 4-byte subrule number, in network byte order;
|
|
||||||
.LP
|
|
||||||
a 1-byte direction, in network byte order, which is one of:
|
|
||||||
.RS 5
|
|
||||||
.TP 5
|
|
||||||
0
|
|
||||||
incoming or outgoing
|
|
||||||
.TP 5
|
|
||||||
1
|
|
||||||
incoming
|
|
||||||
.TP 5
|
|
||||||
2
|
|
||||||
outgoing
|
|
||||||
.RE
|
|
||||||
.RE
|
|
||||||
.TP 5
|
|
||||||
.B DLT_PRISM_HEADER
|
|
||||||
Prism monitor mode information followed by an 802.11 header.
|
Prism monitor mode information followed by an 802.11 header.
|
||||||
.TP 5
|
.TP 5
|
||||||
.B DLT_IP_OVER_FC
|
.BR DLT_IP_OVER_FC ", " LINKTYPE_IP_OVER_FC = 122
|
||||||
RFC 2625 IP-over-Fibre Channel, with the link-layer header being the
|
RFC 2625 IP-over-Fibre Channel, with the link-layer header being the
|
||||||
Network_Header as described in that RFC.
|
Network_Header as described in that RFC.
|
||||||
.TP 5
|
.TP 5
|
||||||
.B DLT_SUNATM
|
.BR DLT_SUNATM ", " LINKTYPE_SUNATM = 123
|
||||||
SunATM devices; the link layer header contains, in order:
|
SunATM devices; the link layer header contains, in order:
|
||||||
.RS 10
|
.RS 10
|
||||||
.LP
|
.LP
|
||||||
|
@ -287,23 +258,25 @@ a 1-byte VPI value;
|
||||||
a 2-byte VCI field, in network byte order.
|
a 2-byte VCI field, in network byte order.
|
||||||
.RE
|
.RE
|
||||||
.TP 5
|
.TP 5
|
||||||
.B DLT_IEEE802_11_RADIO
|
.BR DLT_IEEE802_11_RADIO ", " LINKTYPE_IEEE802_11_RADIO = 127
|
||||||
link-layer information followed by an 802.11 header - see
|
link-layer information followed by an 802.11 header - see
|
||||||
http://www.shaftnet.org/~pizza/software/capturefrm.txt for a description
|
http://www.shaftnet.org/~pizza/software/capturefrm.txt for a description
|
||||||
of the link-layer information.
|
of the link-layer information.
|
||||||
.TP 5
|
.TP 5
|
||||||
.B DLT_ARCNET_LINUX
|
.BR DLT_ARCNET_LINUX ", " LINKTYPE_ARCNET_LINUX = 129
|
||||||
ARCNET, with no exception frames, reassembled packets rather than raw
|
ARCNET, with no exception frames, reassembled packets rather than raw
|
||||||
frames, and an extra 16-bit offset field between the destination host
|
frames, and an extra 16-bit offset field between the destination host
|
||||||
and type bytes.
|
and type bytes.
|
||||||
.TP 5
|
.TP 5
|
||||||
.B DLT_LINUX_IRDA
|
.BR DLT_LINUX_IRDA ", " LINKTYPE_LINUX_IRDA = 144
|
||||||
Linux-IrDA packets, with a
|
Linux-IrDA packets, with a
|
||||||
.B DLT_LINUX_SLL
|
.B DLT_LINUX_SLL
|
||||||
header followed by the IrLAP header.
|
header followed by the IrLAP header.
|
||||||
.TP 5
|
.TP 5
|
||||||
.B DLT_LINUX_LAPD
|
.BR DLT_LINUX_LAPD ", " LINKTYPE_LINUX_LAPD = 177
|
||||||
LAPD (Q.921) frames, with a
|
LAPD (Q.921) frames, with a
|
||||||
.B DLT_LINUX_SLL
|
.B DLT_LINUX_SLL
|
||||||
header captured via vISDN.
|
header captured via vISDN.
|
||||||
.RE
|
.RE
|
||||||
|
.SH SEE ALSO
|
||||||
|
pcap_datalink(3PCAP)
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
'\" t
|
'\" t
|
||||||
.\" @(#) $Header: /tcpdump/master/libpcap/pcap-savefile.manfile.in,v 1.1 2008-10-23 05:56:59 guy Exp $
|
.\" @(#) $Header: /tcpdump/master/libpcap/pcap-savefile.manfile.in,v 1.2 2008-10-24 07:33:50 guy Exp $
|
||||||
.\"
|
.\"
|
||||||
.\" Copyright (c) 1994, 1996, 1997
|
.\" Copyright (c) 1994, 1996, 1997
|
||||||
.\" The Regents of the University of California. All rights reserved.
|
.\" The Regents of the University of California. All rights reserved.
|
||||||
|
@ -89,7 +89,11 @@ bytes of a packet longer than
|
||||||
bytes will be saved in the capture.
|
bytes will be saved in the capture.
|
||||||
.IP
|
.IP
|
||||||
a 4-byte number giving the link-layer header type for packets in the
|
a 4-byte number giving the link-layer header type for packets in the
|
||||||
capture.
|
capture; see
|
||||||
|
.BR pcap-linktype (@MAN_MISC_INFO@)
|
||||||
|
for the
|
||||||
|
.B LINKTYPE_
|
||||||
|
values that can appear in this field.
|
||||||
.PP
|
.PP
|
||||||
Following the per-file header are zero or more packets; each packet
|
Following the per-file header are zero or more packets; each packet
|
||||||
begins with a per-packet header, which is immediately followed by the
|
begins with a per-packet header, which is immediately followed by the
|
||||||
|
@ -120,4 +124,4 @@ been present had the packet not been truncated by the snapshot length.
|
||||||
The two lengths will be equal if the number of bytes of packet data are
|
The two lengths will be equal if the number of bytes of packet data are
|
||||||
less than or equal to the snapshot length.
|
less than or equal to the snapshot length.
|
||||||
.SH SEE ALSO
|
.SH SEE ALSO
|
||||||
pcap(3PCAP)
|
pcap(3PCAP), pcap-linktype(@MAN_MISC_INFO@)
|
||||||
|
|
Reference in New Issue