pcap-linktype - link-layer header types supported by libpcap
For a live capture or ‘‘savefile’’, libpcap supplies, as the return
value of the pcap_datalink(3PCAP) routine, a value that indicates the
type of link-layer header at the beginning of the packets it provides.
This is not necessarily the type of link-layer header that the packets
being captured have on the network from which they’re being captured;
for example, packets from an IEEE 802.11 network might be provided by
libpcap with Ethernet headers that the network adapter or the network
adapter driver generates from the 802.11 headers. The names for those
values begin with DLT_, so they are sometimes called "DLT_ values".
The values stored in the link-layer header type field in the savefile
header are, in most but not all cases, the same as the values returned
by pcap_datalink(). The names for those values begin with LINKTYPE_.
The link-layer header types supported by libpcap are listed here. The
value corresponding to LINKTYPE_ names are given; the value
corresponding to DLT_ values are, in some cases, platform dependent,
and are not given; applications should check for particular DLT_ values
BSD loopback encapsulation; the link-layer header is a 4-byte
field, in host byte order, containing a PF_ value from
socket.h for the network-layer protocol of the packet.
Note that ‘‘host byte order’’ is the byte order of the
machine on which the packets are captured, and the PF_ values
are for the OS of the machine on which the packets are
captured; if a live capture is being done, ‘‘host byte
order’’ is the byte order of the machine capturing the
packets, and the PF_ values are those of the OS of the
machine capturing the packets, but if a ‘‘savefile’’ is being
read, the byte order and PF_ values are not necessarily those
of the machine reading the capture file.
Ethernet (10Mb, 100Mb, 1000Mb, and up); the 10MB in the DLT_
name is historical.
IEEE 802.5 Token Ring; the IEEE802 in the DLT_ name is
SLIP; the link-layer header contains, in order:
a 1-byte flag, which is 0 for packets received by the
machine and 1 for packets sent by the machine;
a 1-byte field, the upper 4 bits of which indicate the
type of packet, as per RFC 1144:
0x40 an unmodified IP datagram (TYPE_IP);
0x70 an uncompressed-TCP IP datagram
(UNCOMPRESSED_TCP), with that byte being the
first byte of the raw IP header on the wire,
containing the connection number in the
0x80 a compressed-TCP IP datagram (COMPRESSED_TCP),
with that byte being the first byte of the
compressed TCP/IP datagram header;
for UNCOMPRESSED_TCP, the rest of the modified IP
header, and for COMPRESSED_TCP, the compressed TCP/IP
for a total of 16 bytes; the uncompressed IP datagram follows
PPP; if the first 2 bytes are 0xff and 0x03, it’s PPP in
HDLC-like framing, with the PPP header following those two
bytes, otherwise it’s PPP without framing, and the packet
begins with the PPP header.
RFC 1483 LLC/SNAP-encapsulated ATM; the packet begins with an
IEEE 802.2 LLC header.
raw IP; the packet begins with an IP header.
PPP in HDLC-like framing, as per RFC 1662, or Cisco PPP with
HDLC framing, as per section 4.3.1 of RFC 1547; the first
byte will be 0xFF for PPP in HDLC-like framing, and will be
0x0F or 0x8F for Cisco PPP with HDLC framing.
PPPoE; the packet begins with a PPPoE header, as per RFC
Cisco PPP with HDLC framing, as per section 4.3.1 of RFC
IEEE 802.11 wireless LAN
OpenBSD loopback encapsulation; the link-layer header is a
4-byte field, in network byte order, containing a PF_ value
from OpenBSD’s socket.h for the network-layer protocol of the
Note that, if a ‘‘savefile’’ is being read, those PF_ values
are not necessarily those of the machine reading the capture
Linux "cooked" capture encapsulation; the link-layer header
contains, in order:
a 2-byte "packet type", in network byte order, which is
0 packet was sent to us by somebody else
1 packet was broadcast by somebody else
2 packet was multicast, but not broadcast, by
3 packet was sent by somebody else to somebody
4 packet was sent by us
a 2-byte field, in network byte order, containing a
Linux ARPHRD_ value for the link-layer device type;
a 2-byte field, in network byte order, containing the
length of the link-layer address of the sender of the
packet (which could be 0);
an 8-byte field containing that number of bytes of the
link-layer address of the sender (if there are more than
8 bytes, only the first 8 are present, and if there are
fewer than 8 bytes, there are padding bytes after the
address to pad the field to 8 bytes);
a 2-byte field containing an Ethernet protocol type, in
network byte order, or containing 1 for Novell 802.3
frames without an 802.2 LLC header or 4 for frames
beginning with an 802.2 LLC header.
Apple LocalTalk; the packet begins with an AppleTalk LLAP
OpenBSD pflog; the link-layer header contains a struct
pfloghdr structure, as defined by the host on which the file
was saved. (This differs from operating system to operating
system and release to release; there is nothing in the file
to indicate what the layout of that structure is.)
Prism monitor mode information followed by an 802.11 header.
RFC 2625 IP-over-Fibre Channel, with the link-layer header
being the Network_Header as described in that RFC.
SunATM devices; the link-layer header contains, in order:
a 1-byte flag field, containing a direction flag in the
uppermost bit, which is set for packets transmitted by
the machine and clear for packets received by the
machine, and a 4-byte traffic type in the low-order 4
bits, which is one of:
0 raw traffic
1 LANE traffic
2 LLC-encapsulated traffic
3 MARS traffic
4 IFMP traffic
5 ILMI traffic
6 Q.2931 traffic
a 1-byte VPI value;
a 2-byte VCI field, in network byte order.
link-layer information followed by an 802.11 header - see
http://www.shaftnet.org/~pizza/software/capturefrm.txt for a
description of the link-layer information.
ARCNET, with no exception frames, reassembled packets rather
than raw frames, and an extra 16-bit offset field between the
destination host and type bytes.
Linux-IrDA packets, with a DLT_LINUX_SLL header followed by
the IrLAP header.
LAPD (Q.921) frames, with a DLT_LINUX_SLL header captured via
23 October 2008