LINKTYPE_NFLOG

Packet structure

+---------------------------+
|       Address family      |
|          (1 Octet)        |
+---------------------------+
|           Version         |
|          (1 Octet)        |
+---------------------------+
|         Resource ID       |
|          (2 Octets)       |
+---------------------------+
|          TLV length       |
|          (2 Octets)       |
+---------------------------+
|           TLV type        |
|          (2 Octets)       |
+---------------------------+
|           TLV value       |
.                           .
.                           .
.                           .

Description

The address family is a Linux AF_ value, so it's 2 for IPv4 and 10 for IPv6.

The version field is 0 for the current version of the pseudo-header.

The resource ID is in network byte order (big-endian). On one netlink socket it's possible to listen to several nflog groups; the resource ID is the nflog group for the packet.

Following the resource ID is a sequence of zero or more TLVs, running to the end of the packet; the length and type are in the host byte order for the pcap file, as specified by the file's magic number, or for the section of the pcap-ng file, as specified by the Section Header Block.

The type values are, as per the Linux linux/netfilter/nfnetlink_log.h header:

  • 1, for a packet header structure;
  • 2, for the 32-bit packet mark value from the skbuff for the packet;
  • 3, for a packet time stamp structure;
  • 4, for the 32-bit ifindex of the device on which the packet was received, which could be a bridge group;
  • 5, for the 32-bit ifindex of the device on which the packet was sent, which could be a bridge group;
  • 6, for the 32-bit ifindex of the physical device on which the packet was received, which is not a bridge group;
  • 7, for the 32-bit ifindex of the physical device on which the packet was sent, which is not a bridge group;
  • 8, for a hardware address structure;
  • 9, for the packet payload following the link-layer header;
  • 10, for a null-terminated text string;
  • 11, for the 32-bit user ID that owned the socket on which the packet was sent or received;
  • 12, for a 32-bit sequence number for packets provided by this nflog device;
  • 13, for a 32-bit sequence number for packets provided by all nflog devices;
  • 14, for the 32-bit group ID that owned the socket on which the packet was sent or received;
  • 15, for the 32-bit Linux ARPHRD_ value for the device associated with the skbuff for the packet;
  • 16, for the MAC-layer header for the skbuff for the packet;
  • 17, for the length of the MAC-layer header.

The length value includes the 4 octets for the length and type.

The packet header structure is:

+---------------------------+
|      Hardware protocol    |
|         (2 Octets)        |
+---------------------------+
|       Netfilter hook      |
|          (1 Octet)        |
+---------------------------+
|           Padding         |
|          (1 Octet)        |
+---------------------------+

The packet time stamp structure is:

+---------------------------+
|           Seconds         |
|          (8 Octets)       |
+---------------------------+
|         Microseconds      |
|          (8 Octets)       |
+---------------------------+

The hardware address structure is:

+-------------------------------+
|         Address length        |
|           (2 Octets)          |
+-------------------------------+
|             Padding           |
|            (1 Octet)          |
+-------------------------------+
|            Address            |
| (8 Octets, including padding) |
+-------------------------------+

All 32-bit integral values, and all multi-byte integral values in structures listed above, are in big-endian (network) byte order.
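
As an added example (not part of this description, and not libpcap or tcpdump code), the following Python parser reads a LINKTYPE_NFLOG packet exactly as laid out above: the address family, version and big-endian resource ID, then TLVs whose length and type are taken in the pcap file's byte order (derived from the magic number) while every value, and every field of the packet header and time stamp structures, is read big-endian. The NFULA_* names are the kernel header's names for the type numbers listed above. Two things are assumptions of the example rather than statements of this page: that each TLV starts on a 4-octet boundary, as netlink attributes do, and the constructed sample packet (a little-endian file, nflog group 1, with a packet header, mark, prefix and a few payload octets).

```python
import struct
from typing import Any, Dict, List, Tuple

# TLV type numbers from the list above; the NFULA_* names are the kernel's
# (linux/netfilter/nfnetlink_log.h), used here only for readability.
NFULA_PACKET_HDR, NFULA_MARK, NFULA_TIMESTAMP = 1, 2, 3
NFULA_HWADDR, NFULA_PAYLOAD, NFULA_PREFIX = 8, 9, 10
# Types whose value is a single big-endian 32-bit integer (2, 4-7, 11-15).
U32_TYPES = {2, 4, 5, 6, 7, 11, 12, 13, 14, 15}

PCAP_MAGICS_BE = (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d")  # microsecond and nanosecond variants


def pcap_byte_order(magic: bytes) -> str:
    """Map the first 4 octets of a pcap file to a struct byte-order prefix ('>' or '<')."""
    if magic in PCAP_MAGICS_BE:
        return ">"
    if magic in tuple(m[::-1] for m in PCAP_MAGICS_BE):
        return "<"
    raise ValueError("not a pcap magic number: %r" % magic)


def decode_value(tlv_type: int, value: bytes) -> Any:
    """Decode one TLV value per the structures above; every field is big-endian."""
    if tlv_type in U32_TYPES:
        if len(value) != 4:
            raise ValueError("type %d expects a 4-octet value, got %d" % (tlv_type, len(value)))
        return struct.unpack("!I", value)[0]
    if tlv_type == NFULA_PACKET_HDR:           # hardware protocol (2), hook (1), padding (1)
        hw_protocol, hook = struct.unpack("!HBx", value[:4])
        return {"hw_protocol": hw_protocol, "hook": hook}
    if tlv_type == NFULA_TIMESTAMP:            # seconds (8), microseconds (8)
        sec, usec = struct.unpack("!QQ", value[:16])
        return {"seconds": sec, "microseconds": usec}
    if tlv_type == NFULA_HWADDR:               # address length (2), then padding and address
        return {"address_length": struct.unpack("!H", value[:2])[0], "rest": value[2:]}
    if tlv_type == NFULA_PREFIX:               # null-terminated text string
        return value.split(b"\0", 1)[0].decode("ascii", "replace")
    return value                               # payload, MAC header, MAC header length: raw octets


def parse_nflog(packet: bytes, file_order: str, align: int = 4) -> Dict[str, Any]:
    """Parse one LINKTYPE_NFLOG packet; file_order is the pcap file's byte order prefix."""
    if len(packet) < 4:
        raise ValueError("truncated NFLOG pseudo-header")
    family, version = packet[0], packet[1]
    if version != 0:
        raise ValueError("unsupported pseudo-header version %d" % version)
    group = struct.unpack("!H", packet[2:4])[0]   # resource ID: always big-endian
    tlvs: List[Tuple[int, Any]] = []
    off = 4
    while off < len(packet):
        if len(packet) - off < 4:
            raise ValueError("truncated TLV header at offset %d" % off)
        # Length and type are in the file's byte order, unlike the values.
        tlv_len, tlv_type = struct.unpack_from(file_order + "HH", packet, off)
        if tlv_len < 4 or off + tlv_len > len(packet):   # length includes its own 4 octets
            raise ValueError("bad TLV length %d at offset %d" % (tlv_len, off))
        tlvs.append((tlv_type, decode_value(tlv_type, packet[off + 4:off + tlv_len])))
        # Assumption (not stated above): like netlink attributes, each TLV starts on a
        # 4-octet boundary, so skip any padding that follows the value.
        off += -(-tlv_len // align) * align
    return {"family": family, "version": version, "group": group, "tlvs": tlvs}


def encode_tlv(file_order: str, tlv_type: int, value: bytes, align: int = 4) -> bytes:
    """Build one TLV: length and type in file order, the value, then alignment padding."""
    length = 4 + len(value)
    return struct.pack(file_order + "HH", length, tlv_type) + value + b"\0" * (-length % align)


# Constructed sample: a little-endian pcap file (magic stored as d4 c3 b2 a1) carrying one
# IPv4 packet from nflog group 1 with a packet header, a mark, a prefix and 8 payload octets.
SAMPLE_MAGIC = b"\xd4\xc3\xb2\xa1"
SAMPLE_ORDER = pcap_byte_order(SAMPLE_MAGIC)
SAMPLE = (
    bytes([2, 0]) + struct.pack("!H", 1)                              # AF_INET, version 0, group 1
    + encode_tlv(SAMPLE_ORDER, NFULA_PACKET_HDR, struct.pack("!HBx", 0x0800, 1))
    + encode_tlv(SAMPLE_ORDER, NFULA_MARK, struct.pack("!I", 42))
    + encode_tlv(SAMPLE_ORDER, NFULA_PREFIX, b"drop:\0")            # 10 octets, padded to 12
    + encode_tlv(SAMPLE_ORDER, NFULA_PAYLOAD, bytes.fromhex("4500001c00004000"))
)


def parse_or_error(packet: bytes, file_order: str) -> Any:
    """Return the parsed record, or the error text when the chosen byte order is wrong."""
    try:
        return parse_nflog(packet, file_order)
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    print(parse_nflog(SAMPLE, SAMPLE_ORDER))
    print(parse_or_error(SAMPLE, ">"))   # reading the little-endian file as big-endian
```

Reading the sample with the wrong byte order turns the first TLV length of 8 into 2048, which the length check rejects immediately; that is the practical reason the byte order has to come from the file's magic number (or the pcap-ng Section Header Block) rather than being assumed.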