LINKTYPE_NFLOG
Packet structure
+---------------------------+
|      Address family       |
|         (1 Octet)         |
+---------------------------+
|          Version          |
|         (1 Octet)         |
+---------------------------+
|        Resource ID        |
|        (2 Octets)         |
+---------------------------+
|        TLV length         |
|        (2 Octets)         |
+---------------------------+
|         TLV type          |
|        (2 Octets)         |
+---------------------------+
|         TLV value         |
.                           .
.                           .
.                           .
Description
The address family is a Linux AF_ value, so it's 2 for IPv4 and 10 for IPv6.
The version field is 0 for the current version of the pseudo-header.
The resource ID is in network byte order (big-endian). On one netlink socket it's possible to listen to several nflog groups; the resource ID is the nflog group for the packet.
Following the resource ID is a sequence of zero or more TLVs, running to the end of the packet; the length and type are in the host byte order for the pcap file, as specified by the file's magic number, or for the section of the pcap-ng file, as specified by the Section Header Block.
The type values are, as per the Linux linux/netfilter/nfnetlink_log.h header:

- 1, for a packet header structure;
- 2, for the 32-bit packet mark value from the skbuff for the packet;
- 3, for a packet time stamp structure;
- 4, for the 32-bit ifindex of the device on which the packet was received, which could be a bridge group;
- 5, for the 32-bit ifindex of the device on which the packet was sent, which could be a bridge group;
- 6, for the 32-bit ifindex of the physical device on which the packet was received, which is not a bridge group;
- 7, for the 32-bit ifindex of the physical device on which the packet was sent, which is not a bridge group;
- 8, for a hardware address structure;
- 9, for the packet payload following the link-layer header;
- 10, for a null-terminated text string;
- 11, for the 32-bit user ID that owned the socket on which the packet was sent or received;
- 12, for a 32-bit sequence number for packets provided by this nflog device;
- 13, for a 32-bit sequence number for packets provided by all nflog devices;
- 14, for the 32-bit group ID that owned the socket on which the packet was sent or received;
- 15, for the 32-bit Linux ARPHRD_ value for the device associated with the skbuff for the packet;
- 16, for the MAC-layer header for the skbuff for the packet;
- 17, for the length of the MAC-layer header.
The length value includes the 4 octets for the length and type.
The packet header structure is:
+---------------------------+
|     Hardware protocol     |
|        (2 Octets)         |
+---------------------------+
|      Netfilter hook       |
|         (1 Octet)         |
+---------------------------+
|          Padding          |
|         (1 Octet)         |
+---------------------------+
The packet time stamp structure is:
+---------------------------+
|          Seconds          |
|        (8 Octets)         |
+---------------------------+
|       Microseconds        |
|        (8 Octets)         |
+---------------------------+
The hardware address structure is:
+-------------------------------+
|        Address length         |
|          (2 Octets)           |
+-------------------------------+
|            Padding            |
|           (1 Octet)           |
+-------------------------------+
|            Address            |
| (8 Octets, including padding) |
+-------------------------------+
All 32-bit integral values, and all multi-byte integral values in structures listed above, are in big-endian (network) byte order.
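The following parser walks the pseudo-header and TLV sequence described above, applying the byte-order rules on this page (fixed fields big-endian, TLV length/type in the pcap host order, TLV length counting its own 4-octet header). It is an added example, not code from the page or from libpcap/tcpdump; it assumes, as tcpdump does but the page does not state, that each TLV is padded to a 4-octet boundary, and the sample record it parses is constructed, not captured.

```python
import struct

# TLV types from linux/netfilter/nfnetlink_log.h, as listed on the page.
TLV_PACKET_HDR, TLV_MARK, TLV_TIMESTAMP, TLV_PAYLOAD, TLV_PREFIX = 1, 2, 3, 9, 10
U32_TYPES = {2, 4, 5, 6, 7, 11, 12, 13, 14, 15, 17}  # plain 32-bit big-endian values


def decode_tlv(tlv_type: int, value: bytes):
    """Decode one TLV value; all multi-byte fields inside are big-endian."""
    if tlv_type == TLV_PACKET_HDR and len(value) >= 4:
        hw_proto, hook = struct.unpack(">HB", value[:3])  # 1 octet of padding follows
        return {"hw_protocol": hw_proto, "hook": hook}
    if tlv_type == TLV_TIMESTAMP and len(value) >= 16:
        sec, usec = struct.unpack(">QQ", value[:16])
        return {"sec": sec, "usec": usec}
    if tlv_type in U32_TYPES and len(value) >= 4:
        return struct.unpack(">I", value[:4])[0]
    if tlv_type == TLV_PREFIX:
        return value.split(b"\0", 1)[0].decode("ascii", "replace")
    return value  # payload, MAC-layer header, hardware address: raw octets


def parse_nflog(buf: bytes, host_little_endian: bool = True) -> dict:
    """Decode an NFLOG record. TLV length/type use the pcap file's host byte
    order (taken from the magic number); the fixed header fields are big-endian."""
    if len(buf) < 4:
        raise ValueError("truncated NFLOG pseudo-header")
    af, version, resource_id = struct.unpack(">BBH", buf[:4])
    if version != 0:
        raise ValueError(f"unsupported NFLOG pseudo-header version {version}")
    endian = "<" if host_little_endian else ">"
    tlvs, off = {}, 4
    while off + 4 <= len(buf):
        tlv_len, tlv_type = struct.unpack(endian + "HH", buf[off:off + 4])
        if tlv_len < 4 or off + tlv_len > len(buf):
            raise ValueError(f"bad TLV length {tlv_len} at offset {off}")
        tlvs[tlv_type] = decode_tlv(tlv_type, buf[off + 4:off + tlv_len])  # length counts the 4-octet header
        off += (tlv_len + 3) & ~3  # ASSUMPTION (not on the page): TLVs padded to 4 octets, as tcpdump does
    return {"af": af, "resource_id": resource_id, "tlvs": tlvs}


def build_tlv(tlv_type: int, value: bytes, host_little_endian: bool = True) -> bytes:
    """Encode one TLV with the assumed 4-octet padding (used only to build sample input)."""
    endian = "<" if host_little_endian else ">"
    tlv = struct.pack(endian + "HH", 4 + len(value), tlv_type) + value
    return tlv + b"\0" * (-len(tlv) % 4)


# Constructed sample record: AF_INET (2), version 0, nflog group 1, little-endian pcap host order.
SAMPLE = struct.pack(">BBH", 2, 0, 1) + b"".join([
    build_tlv(TLV_PACKET_HDR, struct.pack(">HBB", 0x0800, 1, 0)),  # hardware protocol IPv4, hook 1
    build_tlv(TLV_MARK, struct.pack(">I", 42)),
    build_tlv(TLV_TIMESTAMP, struct.pack(">QQ", 1700000000, 123456)),
    build_tlv(TLV_PREFIX, b"nflog-test\0"),  # 15-octet TLV, padded to 16
    build_tlv(TLV_PAYLOAD, bytes.fromhex("45000014000000004011" "0000c0a80001c0a80002")),  # minimal IPv4 header, checksum zero
])
```

Passing the wrong host byte order is caught by the length check: a big-endian TLV read as little-endian yields a length far beyond the buffer.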