/** @file
 *
 * Definitions for exported_pdu TLVs
 * Copyright 2013, Anders Broman <anders-broman@ericsson.com>
 *
 * Wireshark - Network traffic analyzer
 * By Gerald Combs <gerald@wireshark.org>
 * Copyright 1998 Gerald Combs
 *
 * SPDX-License-Identifier: GPL-2.0-or-later
 */

#ifndef EXPORTED_PDU_TLVS_H
#define EXPORTED_PDU_TLVS_H

/**
 * This is the format of the link-layer header of packets of type
 * LINKTYPE_WIRESHARK_UPPER_PDU in pcap and pcapng files.
 *
 * It is a sequence of TLVs; at least one TLV MUST indicate what protocol is
 * in the PDU following the TLVs.
 *
 * Each TLV contains, in order:
 *
 *    a 2-byte big-endian type field;
 *    a 2-byte big-endian length field;
 *    a value, the length of which is indicated by the value of
 *      the length field (that value does not include the length
 *      of the type or length fields themselves).
 *
 * TLVs are not guaranteed to be aligned to any particular number
 * of bytes.
 *
 * The list of TLVs may begin with a TLV of type EXP_PDU_TAG_OPTIONS_LENGTH;
 * its value is a 4-byte integer value, giving the length of all TLVs
 * following that TLV (i.e., the length does not include the length of
 * the EXP_PDU_TAG_OPTIONS_LENGTH TLV).  This tag is deprecated; it is
 * not guaranteed to be present, and code reading packets should not
 * require it to be present.
 *
 * The last TLV is of type EXP_PDU_TAG_END_OF_OPT; it has a length
 * of 0, and the value is zero-length.
 *
 * For string values, a string may have zero, one, or more null bytes
 * at the end; code that reads the string value must not assume that
 * there are, or are not, null bytes at the end.  Null bytes are included
 * in the length field, but are not part of the string value.
 *
 * For integral values, the values are in big-endian format.
 *
 * Notes for code that reads this header.  The bytes come from a capture
 * file, so every type, length and value is untrusted input:
 *
 *    - before reading a value, check that the 4 bytes of type and length
 *      plus the indicated value length fit in the data that remains;
 *    - stop at the end of the data as well as at EXP_PDU_TAG_END_OF_OPT,
 *      since a malformed file may not contain that TLV;
 *    - because TLVs are not aligned, fetch multi-byte fields byte by byte
 *      (or with memcpy) rather than through a cast pointer;
 *    - take string values by their length field and never rely on a
 *      terminating null byte being there.
 */

/*  Tag values
 *
 *  Do NOT add new values to this list without asking
 *  wireshark-dev[AT]wireshark.org for a value. Otherwise, you run the risk of
 *  using a value that's already being used for some other purpose, and of
 *  having tools that read exported_pdu captures not being able to handle
 *  captures with your new tag value, with no hope that they will ever be
 *  changed to do so (as that would destroy their ability to read captures
 *  using that value for that other purpose).
 *
 *  The three *_NAME tags below carry strings that select the next dissector.
 *  The string is bounded only by the TLV length field and is not
 *  null-terminated, so a reader has to take exactly that many bytes and
 *  handle a name that matches nothing it knows.
 */
#define EXP_PDU_TAG_END_OF_OPT            0 /**< End-of-options Tag. */
/* 1 - 9 reserved */
#define EXP_PDU_TAG_OPTIONS_LENGTH       10 /**< Total length of the options excluding this TLV
                                             * Deprecated - do not use
                                             */
#define EXP_PDU_TAG_LINKTYPE             11 /**< Deprecated - do not use */
#define EXP_PDU_TAG_DISSECTOR_NAME       12 /**< The value part should be an ASCII string, not null-terminated,
                                             * of the registered dissector used by Wireshark e.g "sip"
                                             * Will be used to call the next dissector.
                                             * NOTE: this is NOT a protocol name;
                                             * a given protocol may have multiple
                                             * dissectors, if, for example, the
                                             * protocol headers depend on the
                                             * protocol being used to transport
                                             * the protocol in question.
                                             */
#define EXP_PDU_TAG_HEUR_DISSECTOR_NAME  13 /**< The value part should be an ASCII string, not null-terminated,
                                             * containing the heuristic dissector unique short name given
                                             * during registration, e.g "sip_udp"
                                             * Will be used to call the next dissector.
                                             */
#define EXP_PDU_TAG_DISSECTOR_TABLE_NAME 14 /**< The value part should be an ASCII string, not null-terminated,
                                             * containing the dissector table name given
                                             * during registration, e.g "gsm_map.v3.arg.opcode"
                                             * Will be used to call the next dissector.
                                             */

/* For backwards source compatibility: older spellings of
 * EXP_PDU_TAG_DISSECTOR_NAME and EXP_PDU_TAG_HEUR_DISSECTOR_NAME.  Each one
 * expands to the newer macro, so it has the same tag value (12 and 13
 * respectively) and the same value format. */
#define EXP_PDU_TAG_PROTO_NAME           EXP_PDU_TAG_DISSECTOR_NAME
#define EXP_PDU_TAG_HEUR_PROTO_NAME      EXP_PDU_TAG_HEUR_DISSECTOR_NAME

/* Add protocol type related tags here.
 * NOTE: only one protocol type tag may be present in a packet; the first one
 * found will be used. */
/* 15 - 19 reserved; 13 and 14 are taken by EXP_PDU_TAG_HEUR_DISSECTOR_NAME
 * and EXP_PDU_TAG_DISSECTOR_TABLE_NAME above. */
/* Address tags.  The expected value lengths are also available as
 * EXP_PDU_TAG_IPV4_LEN (4) and EXP_PDU_TAG_IPV6_LEN (16); a reader should
 * compare the TLV length field with them before copying an address. */
#define EXP_PDU_TAG_IPV4_SRC        20  /**< IPv4 source address - 4 bytes */
#define EXP_PDU_TAG_IPV4_DST        21  /**< IPv4 destination address - 4 bytes */
#define EXP_PDU_TAG_IPV6_SRC        22  /**< IPv6 source address - 16 bytes */
#define EXP_PDU_TAG_IPV6_DST        23  /**< IPv6 destination address - 16 bytes */

/* Port type values for EXP_PDU_TAG_PORT_TYPE; these do not necessarily
 * correspond to port type values inside libwireshark.
 *
 * The value is carried as a 4-byte big-endian integer read from the capture
 * file, so it can be any 32-bit number.  Only 0 - 18 are defined here;
 * readers need a fallback for anything else and should not use the value
 * as an index without a range check. */
#define EXP_PDU_PT_NONE         0
#define EXP_PDU_PT_SCTP         1
#define EXP_PDU_PT_TCP          2
#define EXP_PDU_PT_UDP          3
#define EXP_PDU_PT_DCCP         4
#define EXP_PDU_PT_IPX          5
#define EXP_PDU_PT_NCP          6
#define EXP_PDU_PT_EXCHG        7
#define EXP_PDU_PT_DDP          8
#define EXP_PDU_PT_SBCCS        9
#define EXP_PDU_PT_IDP          10
#define EXP_PDU_PT_TIPC         11
#define EXP_PDU_PT_USB          12
#define EXP_PDU_PT_I2C          13
#define EXP_PDU_PT_IBQP         14
#define EXP_PDU_PT_BLUETOOTH    15
#define EXP_PDU_PT_TDMOP        16
#define EXP_PDU_PT_IWARP_MPA    17
#define EXP_PDU_PT_MCTP         18

/* Port tags.  All three values are 4 bytes wide; the widths are also
 * available as EXP_PDU_TAG_PORT_TYPE_LEN and EXP_PDU_TAG_PORT_LEN. */
#define EXP_PDU_TAG_PORT_TYPE       24  /**< port type - 4 bytes, EXP_PDU_PT value */
#define EXP_PDU_TAG_SRC_PORT        25  /**< source port - 4 bytes (even for protocols with 2-byte ports) */
#define EXP_PDU_TAG_DST_PORT        26  /**< destination port - 4 bytes (even for protocols with 2-byte ports) */

/* Tag value 27 has no definition in this header. */

/* SS7 point code tags.  Per EXP_PDU_TAG_SS7_OPC_LEN and
 * EXP_PDU_TAG_SS7_DPC_LEN the value is 8 bytes: 4 bytes PC, 2 bytes
 * standard type, 1 byte NI, 1 byte padding. */
#define EXP_PDU_TAG_SS7_OPC         28  /**< presumably the originating point code - TODO confirm */
#define EXP_PDU_TAG_SS7_DPC         29  /**< presumably the destination point code - TODO confirm */

#define EXP_PDU_TAG_ORIG_FNO        30  /**< 4-byte value (EXP_PDU_TAG_ORIG_FNO_LEN); presumably the original frame number - TODO confirm */

#define EXP_PDU_TAG_DVBCI_EVT       31  /**< 1-byte value (EXP_PDU_TAG_DVBCI_EVT_LEN); presumably a DVB-CI event code - TODO confirm */

#define EXP_PDU_TAG_DISSECTOR_TABLE_NAME_NUM_VAL 32 /**< value part is the numeric value to be used calling the dissector table
                                                      *  given with tag EXP_PDU_TAG_DISSECTOR_TABLE_NAME, must follow immediately after the table tag.
                                                      *  Presumably 4 bytes, per EXP_PDU_TAG_DISSECTOR_TABLE_NUM_VAL_LEN - TODO confirm.
                                                      *  A reader should not use this value unless the table tag really came just before it.
                                                      */

#define EXP_PDU_TAG_COL_PROT_TEXT   33 /**< UTF-8 text string to put in COL_PROTOCOL, one use case is in conjunction with dissector tables where
                                        *   COL_PROTOCOL might not be filled in.
                                        *   As with every string value here, the text is bounded by the TLV length field
                                        *   and may or may not end in null bytes.
                                        */


/** value part is structure passed into TCP subdissectors.  The field
    begins with a 2-byte version number; if the version number value is
    1, the value part is in the form:

    version          2 bytes - xport PDU version of structure (for backwards/forwards compatibility)
    seq              4 bytes - Sequence number of first byte in the data
    nxtseq           4 bytes - Sequence number of first byte after data
    lastackseq       4 bytes - Sequence number of last ack
    is_reassembled   1 byte - Non-zero if this is reassembled data
    flags            2 bytes - TCP flags
    urgent_pointer   2 bytes - Urgent pointer value for the current packet

  All multi-byte values are in big-endian format.  There is no alignment
  padding between values, so seq, nxtseq, and lastackseq are not aligned
  on 4-byte boundaries, and flags and urgent_pointer are not aligned on
  2-byte boundaries.

  The version 1 fields add up to 19 bytes (2+4+4+4+1+2+2).  A reader should
  check the version number first, then check that the TLV length covers
  every field it is about to read; the layout for other version numbers is
  not described here.
*/
#define EXP_PDU_TAG_TCP_INFO_DATA  34

/* P2P_DIR_SENT and P2P_DIR_RECV are not defined in this header, and the
 * width of the value is not stated here - TODO confirm both against the
 * code that writes this tag. */
#define EXP_PDU_TAG_P2P_DIRECTION  35  /**< The packet direction (P2P_DIR_SENT, P2P_DIR_RECV). */

/* Value lengths, in bytes, of the fixed-size TLVs defined above.  These
 * count the value only, not the 2-byte type and 2-byte length fields.
 * A reader should compare the length field of a TLV with the matching
 * constant before reading the value, since the length in the file is
 * untrusted and may be shorter or longer than expected. */
#define EXP_PDU_TAG_IPV4_LEN            4   /* EXP_PDU_TAG_IPV4_SRC / EXP_PDU_TAG_IPV4_DST */
#define EXP_PDU_TAG_IPV6_LEN            16  /* EXP_PDU_TAG_IPV6_SRC / EXP_PDU_TAG_IPV6_DST */

#define EXP_PDU_TAG_PORT_TYPE_LEN       4   /* EXP_PDU_TAG_PORT_TYPE */
#define EXP_PDU_TAG_PORT_LEN            4   /* EXP_PDU_TAG_SRC_PORT / EXP_PDU_TAG_DST_PORT */

#define EXP_PDU_TAG_SS7_OPC_LEN         8 /* 4 bytes PC, 2 bytes standard type, 1 byte NI, 1 byte padding */
#define EXP_PDU_TAG_SS7_DPC_LEN         8 /* 4 bytes PC, 2 bytes standard type, 1 byte NI, 1 byte padding */

#define EXP_PDU_TAG_ORIG_FNO_LEN        4   /* EXP_PDU_TAG_ORIG_FNO */

#define EXP_PDU_TAG_DVBCI_EVT_LEN       1   /* EXP_PDU_TAG_DVBCI_EVT */

/* presumably the length for EXP_PDU_TAG_DISSECTOR_TABLE_NAME_NUM_VAL; the
 * macro name omits "NAME" - TODO confirm */
#define EXP_PDU_TAG_DISSECTOR_TABLE_NUM_VAL_LEN     4

#endif /* EXPORTED_PDU_TLVS_H */