Network Working Group G. Harris, Ed. Internet-Draft Intended status: Informational M. Richardson Expires: 17 February 2025 Sandelman 16 August 2024 Link-Layer Types for PCAP and PCAPNG Capture File Formats pcaplinktype-test Abstract This document creates an IANA registry for the PCAP and PCAPNG LINKTYPE values. The PCAP and PCAPNG formats are used to save network captures from programs such as tcpdump and wireshark, when using libraries such as libpcap. About This Document This note is to be removed before publishing as an RFC. Status information for this document may be found at https://datatracker.ietf.org/doc/draft-ietf-opsawg-pcaplinktype/. Discussion of this document takes place on the opsawg Working Group mailing list (mailto:opsawg@ietf.org), which is archived at https://mailarchive.ietf.org/arch/browse/opsawg/. Subscribe at https://www.ietf.org/mailman/listinfo/opsawg/. Source for this draft and an issue tracker can be found at https://github.com/IETF-OPSAWG-WG/pcapng. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on 17 February 2025. Harris & Richardson Expires 17 February 2025 [Page 1] Internet-Draft pcaplinktype August 2024 Copyright Notice Copyright (c) 2024 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 3. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 3 3.1. PCAP Registry . . . . . . . . . . . . . . . . . . . . . . 3 3.2. LinkType Registry . . . . . . . . . . . . . . . . . . . . 3 3.2.1. Initial Values . . . . . . . . . . . . . . . . . . . 4 4. References . . . . . . . . . . . . . . . . . . . . . . . . . 6 4.1. Normative References . . . . . . . . . . . . . . . . . . 6 4.2. Informative References . . . . . . . . . . . . . . . . . 6 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 15 1. Introduction In the late 1980's, Van Jacobson, Steve McCanne, and others at the Network Research Group at Lawrence Berkeley National Laboratory developed the tcpdump program to capture and dissect network traces. The code to capture traffic, using low-level mechanisms in various operating systems, and to read and write network traces to a file was later put into a library named libpcap [LIBPCAP]. Other documents describe the original (legacy) format used by tcpdump (pcap), as well as the revised format (pcapng) which is used by tcpdump and Wireshark [Wireshark]. Within those formats each packet that is captured is described by a LINKTYPE value. The LINKTYPE value selects one of many hundred formats for metadata and Layer 2 encapsulation of the packet. This document creates an IANA registry for the LINKTYPE format, establishing the IANA Considerations by which other uses of the pcap and pcapng formats may register new LINKTYPE values. Harris & Richardson Expires 17 February 2025 [Page 2] Internet-Draft pcaplinktype August 2024 2. Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. 3. IANA Considerations 3.1. PCAP Registry IANA is requested to create a new registry group entitled "The PCAP Registry". 3.2. LinkType Registry IANA is also requested to create a registry entitled "PCAP LinkType List" under The PCAP registry group (Section 3.1). The registry has the following structure: * LINKTYPE Name: Indicates the symbolic name for this LinkType. The name is prefixed with "LINKTYPE_" (i.e., LINKTYPE_something). * LINKTYPE Value: Indicates the integer value assigned for this LinkType. * Description: Provides a very short description. * Reference: Indicates an authoritative the document reference for the LinkType or a requester reference. The LinkType value is a 16-bit number. The policy allocation for the LinkType values is as follows: * Values from 0 to 32767 must be allocated via Specification Required (Section 4.6 of [RFC8126]). Guidance for Designated Experts is provided in Section X. * Values from 32768 to 65000 are allocated following a First-Come First-Served policy (Section 4.4 of [RFC8126]). * Values from 65001 to 65535 are reserved for Private Use (Section 4.1 of [RFC8126]). Harris & Richardson Expires 17 February 2025 [Page 3] Internet-Draft pcaplinktype August 2024 The initial version of the registry is provided in Section 3.2.1. In each case here, the reference should be to [TCPDUMP] and the RFC number to be assigned to this document, which is not repeated each time. The initial values table is based upon the Link type list maintained by libpcap, and published on [TCPDUMP]. Note that historically, values were assigned incrementally following First Come First Served policy, with a preference for a public specification, but with no mandate. Some historical values may have less specification than desired. LinkType values 147 to 162 named LINKTYPE_RESERVED_xx were originally reserved for Private Use. Their use is Deprecated in favour of the values in the 65001-65535 range. In general, Private Use values should never leak out of the entity that uses it. As the First Come First Served range is large and easily obtained, official values are recommended. There is often an associated DLT value which is often identical in value, but not universally so. DLT values are associated with specific operation system captures, and are operating system specific, and are thus not subject to standardization. 3.2.1. Initial Values Option A: Initial Values of "PCAP LinkType List" Registry Value: 0 Name: LINKTYPE_NULL Description: BSD loopback encapsulation Reference: [LINKTYPE_NULL] Value: 1 Name: LINKTYPE_ETHERNET Description: IEEE 802.3 Ethernet Reference: - Value: 189 Name: LINKTYPE_USB_LINUX Description: USB packets, beginning with a Linux USB header, as specified by the struct usbmon_packet in the Documentation/usb/ usbmon.txt file in the Linux source tree. Only the first 48 octets of that header are present. All fields in the header are in host byte order. When performing a live capture, the host byte order is the byte order of the machine on which the packets are Harris & Richardson Expires 17 February 2025 [Page 4] Internet-Draft pcaplinktype August 2024 captured. When reading a pcap file, the byte order is the byte order for the file, as specified by the file's magic number; when reading a pcapng file, the byte order is the byte order for the section of the pcapng file, as specified by the Section Header Block Reference: - Value: 237 Name: LINKTYPE_STANAG_5066_D_PDU Description: D_PDUs as described by NATO standard STANAG 5066, starting with the synchronization sequence, and including both header and data CRCs. The current version of STANAG 5066 is backwards-compatible with the 1.0.2 version , although newer versions are classified Reference: [STANAG-5066] ---------------------------------------------- Option B: Initial Values of "PCAP LinkType List" Registry +=======+=================================+=================+ | Value | Name | Reference | | | Description | | +=======+=================================+=================+ | 0 | LINKTYPE_NULL | [LINKTYPE_NULL] | | | BSD loopback encapsulation | | +-------+---------------------------------+-----------------+ | 1 | LINKTYPE_ETHERNET | | | | IEEE 802.3 Ethernet | | +-------+---------------------------------+-----------------+ | 189 | LINKTYPE_USB_LINUX | | | | USB packets, beginning with | | | | a Linux USB header, as | | | | specified by the struct | | | | usbmon_packet in the | | | | Documentation/usb/usbmon.txt | | | | file in the Linux source | | | | tree. Only the first 48 | | | | octets of that header are | | | | present. All fields in the | | | | header are in host byte | | | | order. When performing a | | | | live capture, the host byte | | | | order is the byte order of | | | | the machine on which the | | | | packets are captured. When | | | | reading a pcap file, the | | | | byte order is the byte order | | Harris & Richardson Expires 17 February 2025 [Page 5] Internet-Draft pcaplinktype August 2024 | | for the file, as specified | | | | by the file's magic number; | | | | when reading a pcapng file, | | | | the byte order is the byte | | | | order for the section of the | | | | pcapng file, as specified by | | | | the Section Header Block | | +-------+---------------------------------+-----------------+ | 237 | LINKTYPE_STANAG_5066_D_PDU | [STANAG-5066] | | | D_PDUs as described by NATO | | | | standard STANAG 5066, | | | | starting with the | | | | synchronization sequence, | | | | and including both header | | | | and data CRCs. The current | | | | version of STANAG 5066 is | | | | backwards-compatible with | | | | the 1.0.2 version , although | | | | newer versions are | | | | classified | | +-------+---------------------------------+-----------------+ Table 1: Initial Values of the "PCAP LinkType List" Registry 4. References 4.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, . [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 8126, DOI 10.17487/RFC8126, June 2017, . 4.2. Informative References [TCPDUMP] "LINK-LAYER HEADER TYPES", n.d., . Harris & Richardson Expires 17 February 2025 [Page 6] Internet-Draft pcaplinktype August 2024 [LIBPCAP] "libpcap", n.d., . [Wireshark] "Homepage of Wireshark", n.d., . [_3GPP-TS-04.64] "Digital cellular telecommunications system (Phase 2+); General Packet Radio Service (GPRS); Mobile Station - Serving GPRS Support Node (MS-SGSN) Logical Link Control (LLC) layer specification", 3GPP TS 04.64, n.d.. [ASHRAE-135] "BACnet(TM): A Data Communication Protocol for Building Automation and Control Networks", ANSI/ASHRAE Standard 135, n.d.. [AVS] Peachy, S., "Archived AVS specification", n.d., . [AX.25] Beech, W. A., Nielsen, D. E., and J. Taylor, "AX.25 Link Access Protocol for Amateur Packet Radio Version 2.2", July 1998, . [D-Bus] Pennington, H., Carlsson, A., Larsson, A., Herzberg, S., McVittie, S., and D. Zeuthen, "D-Bus Specification", n.d., . [DOCSIS-4.0-MULP] "DOCSIS 4.0 MAC and Upper Layer Protocols Interface Specification", n.d., . [DOCSIS-XRA] "Excentis XRA Header", n.d., . [DVB-CI] "Common Interface Specification for Conditional Access and other Digital Video Broadcasting Decoder Applications", n.d., . Harris & Richardson Expires 17 February 2025 [Page 7] Internet-Draft pcaplinktype August 2024 [DVB-CI-PCAP] Kaiser, M., "PCAP format for DVB-CI", January 2021, . [EBHSCR] "Documentation EBHSCR", n.d., . [ERF] "ERF Types Reference Guide", n.d., . [Exegin-TAP-Link] "IEEE 802.15.4 TAP Link Type Specification", n.d., . [FD.io-VPP] "VNET (VPP Network Stack)", n.d., . [FRF.16.1] "Multilink Frame Relay UNI/NNI Implementation Agreement FRF.16.1", May 2002, . [G.7041] "Generic Framing Procedure", ITU-T Recommendation G.7041/ Y.1303, n.d., . [G.9959] "Short range narrow-band digital radiocommunication transceivers - PHY, MAC, SAR and LLC layer specifications", ITU-T Recommendation G.9959, n.d., . [H.222.0] "Information technology - Generic coding of moving pictures and associated audio information: Systems", ITU-T Recommendation H.222.0, n.d., . [ISO-14443-PCAP] Kaiser, M., "PCAP format for ISO14443", January 2021, . [KISS] "The KISS TNC - A simple Host-to-TNC communications protocol", n.d., . Harris & Richardson Expires 17 February 2025 [Page 8] Internet-Draft pcaplinktype August 2024 [LINKTYPE_APPLE_IP_OVER_IEEE1394] "LINKTYPE_APPLE_IP_OVER_IEEE1394", n.d., . [LINKTYPE_BLUETOOTH_BREDR_BB] "LINKTYPE_BLUETOOTH_BREDR_BB", n.d., . [LINKTYPE_BLUETOOTH_LE_LL_WITH_PHDR] "LINKTYPE_BLUETOOTH_LE_LL_WITH_PHDR", n.d., . [LINKTYPE_BLUETOOTH_LINUX_MONITOR] "LINKTYPE_BLUETOOTH_LINUX_MONITOR", n.d., . [LINKTYPE_CAN_SOCKETCAN] "LINKTYPE_CAN_SOCKETCAN", n.d., . [LINKTYPE_DISPLAYPORT_AUX] "LINKTYPE_DISPLAYPORT_AUX", n.d., . [LINKTYPE_DSA_TAG_BRCM] "LINKTYPE_DSA_TAG_BRCM", n.d., . [LINKTYPE_DSA_TAG_BRCM_PREPEND] "LINKTYPE_DSA_TAG_BRCM_PREPEND", n.d., . [LINKTYPE_DSA_TAG_DSA] "LINKTYPE_DSA_TAG_DSA", n.d., . Harris & Richardson Expires 17 February 2025 [Page 9] Internet-Draft pcaplinktype August 2024 [LINKTYPE_DSA_TAG_EDSA] "LINKTYPE_DSA_TAG_EDSA", n.d., . [LINKTYPE_ETW] "LINKTYPE_ETW", n.d., . [LINKTYPE_FIRA_UCI] "LINKTYPE_FIRA_UCI", n.d., . [LINKTYPE_FLEXRAY] "LINKTYPE_FLEXRAY", n.d., . [LINKTYPE_I2C_LINUX] "LINKTYPE_I2C_LINUX", n.d., . [LINKTYPE_IEEE802_11_PRISM] "LINKTYPE_IEEE802_11_PRISM", n.d., . [LINKTYPE_IPNET] "LINKTYPE_IPNET", n.d., . [LINKTYPE_LIN] "LINKTYPE_LIN", n.d., . [LINKTYPE_LINUX_IRDA] "LINKTYPE_LINUX_IRDA", n.d., . [LINKTYPE_LINUX_LAPD] "LINKTYPE_LINUX_LAPD", n.d., . Harris & Richardson Expires 17 February 2025 [Page 10] Internet-Draft pcaplinktype August 2024 [LINKTYPE_LINUX_SLL] "LINKTYPE_LINUX_SLL", n.d., . [LINKTYPE_LINUX_SLL2] "LINKTYPE_LINUX_SLL2", n.d., . [LINKTYPE_LOOP] "LINKTYPE_LOOP", n.d., . [LINKTYPE_MUX27010] "LINKTYPE_MUX27010", n.d., . [LINKTYPE_NETANALYZER] "LINKTYPE_NETANALYZER", n.d., . [LINKTYPE_NETANALYZER_TRANSPARENT] "LINKTYPE_NETANALYZER_TRANSPARENT", n.d., . [LINKTYPE_NETLINK] "LINKTYPE_NETLINK", n.d., . [LINKTYPE_NFC_LLCP] "LINKTYPE_NFC_LLCP", n.d., . [LINKTYPE_NFLOG] "LINKTYPE_NFLOG", n.d., . [LINKTYPE_NG40] "LINKTYPE_NG40", n.d., . Harris & Richardson Expires 17 February 2025 [Page 11] Internet-Draft pcaplinktype August 2024 [LINKTYPE_NORDIC_BLE] "LINKTYPE_NORDIC_BLE", n.d., . [LINKTYPE_NULL] "LINKTYPE_NULL", n.d., . [LINKTYPE_PKTAP] "LINKTYPE_PKTAP", n.d., . [LINKTYPE_RDS] "LINKTYPE_RDS", n.d., . [LINKTYPE_RTAC_SERIAL] "LINKTYPE_RTAC_SERIAL", n.d., . [LINKTYPE_SITA] "LINKTYPE_SITA", n.d., . [LINKTYPE_SLIP] "LINKTYPE_SLIP", n.d., . [LINKTYPE_SUNATM] "LINKTYPE_SUNATM", n.d., . [LINKTYPE_USB_DARWIN] "LINKTYPE_USB_DARWIN", n.d., . [LINKTYPE_VSOCK] "LINKTYPE_VSOCK", n.d., . [LINKTYPE_WATTSTOPPER_DLM] "LINKTYPE_WATTSTOPPER_DLM", n.d., . Harris & Richardson Expires 17 February 2025 [Page 12] Internet-Draft pcaplinktype August 2024 [LINKTYPE_ZBOSS_NCP] "LINKTYPE_ZBOSS_NCP", n.d., . [LINKTYPE_ZWAVE_R1_R2] "LINKTYPE_ZWAVE_R1_R2", n.d., . [LINKTYPE_ZWAVE_R3] "LINKTYPE_ZWAVE_R3", n.d., . [LoRaTap] "LoRaTap", n.d., . [LoRaWAN] "About the LoRaWAN Standards", n.d., . [OpenVizsla] "OpenVizsla protocol description", August 2018, . [PPI] "Per-Packet Information Header Specification", May 2007, . [Q.703] "Specifications of Signalling System No. 7 Signalling Link", ITU-T Recommendation Q.703, n.d., . [Q.704] "Specifications of Signalling System No. 7 Signalling Network Functions And Messages", ITU-T Recommendation Q.704, n.d., . [Q.711] "Specifications of Signalling System No. 7 Functional description of the signalling connection control part", ITU-T Recommendation Q.711, n.d., . [Q.712] "Specifications of Signalling System No. 7 Definition and function of signalling connection control part messages", ITU-T Recommendation Q.712, n.d., . Harris & Richardson Expires 17 February 2025 [Page 13] Internet-Draft pcaplinktype August 2024 [Q.713] "Specifications of Signalling System No. 7 Signalling connection control part functions and codes", ITU-T Recommendation Q.713, n.d., . [Q.714] "Specifications of Signalling System No. 7 Signalling connection control part procedures", ITU-T Recommendation Q.714, n.d., . [Radiotap] radiotap.org, "Radiotap Web site", n.d., . [Q.920] "Digital Subscriber Signalling System No. 1 (DSS1) - ISDN User-Network Interface Data Link Layer - General aspects", ITU-T Recommendation Q.920, n.d., . [Q.921] "ISDN user-network interface - Data Link Layer specification", ITU-T Recommendation Q.921, n.d., . [STANAG-5066] "Profile for Maritime High Frequency (HF) Radio Data Communications", STANAG 5066, n.d., . [USBPcap] "USBPcap Capture format specification", n.d., . [Z_WAVE_SERIAL] "Z-Wave Serial API Host Application Programming Guide", n.d., . [RFC1661] Simpson, W., Ed., "The Point-to-Point Protocol (PPP)", STD 51, RFC 1661, DOI 10.17487/RFC1661, July 1994, . [RFC1662] Simpson, W., Ed., "PPP in HDLC-like Framing", STD 51, RFC 1662, DOI 10.17487/RFC1662, July 1994, . [RFC2516] Mamakos, L., Lidl, K., Evarts, J., Carrel, D., Simone, D., and R. Wheeler, "A Method for Transmitting PPP Over Ethernet (PPPoE)", RFC 2516, DOI 10.17487/RFC2516, February 1999, . Harris & Richardson Expires 17 February 2025 [Page 14] Internet-Draft pcaplinktype August 2024 [RFC1483] Heinanen, J., "Multiprotocol Encapsulation over ATM Adaptation Layer 5", RFC 1483, DOI 10.17487/RFC1483, July 1993, . [RFC1547] Perkins, D., "Requirements for an Internet Standard Point- to-Point Protocol", RFC 1547, DOI 10.17487/RFC1547, December 1993, . [RFC2625] Rajagopal, M., Bhagwat, R., and W. Rickard, "IP and ARP over Fibre Channel", RFC 2625, DOI 10.17487/RFC2625, June 1999, . [RFC4391] Chu, J. and V. Kashyap, "Transmission of IP over InfiniBand (IPoIB)", RFC 4391, DOI 10.17487/RFC4391, April 2006, . [RFC3549] Salim, J., Khosravi, H., Kleen, A., and A. Kuznetsov, "Linux Netlink as an IP Services Protocol", RFC 3549, DOI 10.17487/RFC3549, July 2003, . Authors' Addresses Guy Harris (editor) Email: gharris@sonic.net Michael C. Richardson Sandelman Software Works Inc Email: mcr+ietf@sandelman.ca URI: http://www.sandelman.ca/ Harris & Richardson Expires 17 February 2025 [Page 15]