| Internet-Draft | pcaplinktype | December 2025 |
| Harris & Richardson | Expires 16 June 2026 | [Page] |
This document describes a set of Packet CAPture (PCAP)-related LinkType values and creates an IANA registry for those values. These values are used by the PCAP and PCAP-Now-Generic specifications.¶
This note is to be removed before publishing as an RFC.¶
Status information for this document may be found at https://datatracker.ietf.org/doc/draft-ietf-opsawg-pcaplinktype/.¶
Discussion of this document takes place on the opsawg Working Group mailing list (mailto:opsawg@ietf.org), which is archived at https://mailarchive.ietf.org/arch/browse/opsawg/. Subscribe at https://www.ietf.org/mailman/listinfo/opsawg/.¶
Source for this draft and an issue tracker can be found at https://github.com/IETF-OPSAWG-WG/pcapng.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 16 June 2026.¶
Copyright (c) 2025 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
In the late 1980s, Van Jacobson, Steve McCanne, and others at the Network Research Group at Lawrence Berkeley National Laboratory developed the tcpdump program to capture and dissect network traces. The code to capture traffic, using low-level mechanisms in various operating systems, and to read and write network traces to a file was later put into a library named libpcap [LIBPCAP].¶
Other documents describe the original (legacy) file format used by tcpdump (PCAP, [I-D.ietf-opsawg-pcap]), as well as a revised file format [I-D.ietf-opsawg-pcapng], both of which are used by tcpdump and Wireshark [Wireshark].¶
Within those file formats each packet that is captured is indicated by a LinkType value. The LinkType value selects one of many hundred formats for metadata and Layer 2 encapsulation of the packet.¶
This document creates an IANA registry for LinkType values, establishing the IANA Considerations by which other uses of the PCAP-related formats may register new LinkType values.¶
IANA is requested to create a new registry group entitled "The PCAP Registry".¶
IANA is also requested to create a registry entitled "PCAP-related LinkType List" under The PCAP registry group (Section 2.1).¶
The registry has the following structure:¶
LinkType Value: Indicates the 16-bit unsigned integer assigned for this LinkType.¶
LinkType Name: Indicates the symbolic name for this LinkType. The name is prefixed with "LINKTYPE_" (i.e., LINKTYPE_something).¶
Change Controller: as per [RFC8126], Section 2.3¶
Description: Provides a very short description.¶
Reference: Indicates an authoritative document reference for the LinkType or a requester reference.¶
The policy allocation for the LinkType values is as follows:¶
Values from 0 to 65000 are allocated following an Expert Review policy (Section 4.5 of [RFC8126]). Values in the ranges 0-10, 50-51, and 98-301 are already assigned; values in the ranges 11-49 and 52-97 are reserved and must not be assigned.¶
Values from 65001 to 65535 are reserved for Experimental Use (Section 4.2 of [RFC8126]).¶
The initial version of the registry is provided in Section 2.2.1. In each case here, the reference should be set to [TCPDUMP] and the RFC number to be assigned to this document, which is not repeated each time.¶
The initial contents of the table are based upon the link-layer header type list maintained by libpcap, and published on [TCPDUMP]. The change controller for all initial entries that have no other reference is linktype@tcpdump.org.¶
LinkType values 147 to 162 named LINKTYPE_RESERVED_xx were originally reserved for Experimental/Private Use, and that use continues to be supported. However, new private use cases should use the values in the 65001-65535 range.¶
In general, Experimental Use values should never leak out of the entity that uses it. As the FCFS range is large and easily obtained, official values are recommended.¶
There is often an associated Data Link Type (DLT) value which is often identical in value, but not universally so. DLT values are associated with specific operating systems, and the numerical values for some of them are operating system specific, and are thus not subject to standardization.¶
This is the initial table for the registry:¶
2¶
LINKTYPE_EXP_ETHERNET¶
Xerox experimental 3Mb Ethernet¶
7¶
LINKTYPE_ARCNET_BSD¶
ARCNET Data Packets with BSD encapsulation¶
11-49¶
Not available for assignment¶
Do not use these values¶
52-98¶
Not available for assignment¶
Used historically by NetBSD¶
99¶
LINKTYPE_SYMANTEC_FIREWALL¶
Symantec Enterprise Firewall¶
100¶
LINKTYPE_ATM_RFC1483¶
LLC/SNAP-encapsulated ATM¶
101¶
LINKTYPE_RAW¶
IP without link-layer headers¶
[LINKTYPE__RAW] [RFC791] [RFC8200]¶
104¶
LINKTYPE_C_HDLC¶
Cisco PPP with HDLC framing¶
106¶
LINKTYPE_ATM_CLIP¶
ATM Classical IP, with no header preceding IP¶
108¶
LINKTYPE_LOOP¶
OpenBSD loopback encapsulation¶
113¶
LINKTYPE_LINUX_SLL¶
Linux "cooked" capture encapsulation¶
119¶
LINKTYPE_IEEE802_11_PRISM¶
IEEE 802.11 wireless LAN, preceded by a Prism monitor mode header¶
120¶
LINKTYPE_IEEE802_11_AIRONET¶
802.11 + FreeBSD Aironet radio metadata¶
122¶
LINKTYPE_IP_OVER_FC¶
IP and ATM over Fibre Channel¶
123¶
LINKTYPE_SUNATM¶
ATM traffic captured from a SunATM device¶
127¶
LINKTYPE_IEEE802_11_RADIOTAP¶
IEEE 802.11 wireless LAN, preceded by a Radiotap header¶
129¶
LINKTYPE_ARCNET_LINUX¶
ARCNET Data Packets with Linux encapsulation¶
138¶
LINKTYPE_APPLE_IP_OVER_IEEE1394¶
Apple IP-over-IEEE 1394 cooked header¶
139¶
LINKTYPE_MTP2_WITH_PHDR¶
SS7 MTP2 frames, with a pseudo-header¶
163¶
LINKTYPE_IEEE802_11_AVS¶
IEEE 802.11 wireless LAN, preceded by an AVS header¶
166¶
LINKTYPE_PPP_PPPD¶
PPP preceded by a direction octet and an HDLC-like control field¶
169¶
LINKTYPE_GPRS_LLC¶
General Packet Radio Service Logical Link Control, as per 3GPP TS 04.64¶
170¶
LINKTYPE_GPF_T¶
Transparent-mapped generic framing procedure¶
171¶
LINKTYPE_GPF_F¶
Frame-mapped generic framing procedure¶
172¶
LINKTYPE_GCOM_T1E1¶
Gcom T1/E1 line monitoring equipment¶
173¶
LINKTYPE_GCOM_SERIAL¶
Gcom T1/E1 line monitoring equipment¶
175¶
LINKTYPE_ERF_ETH¶
Endace TYPE_ETH ERF records¶
176¶
LINKTYPE_ERF_POS¶
Endace TYPE_POS_HDLC ERF records¶
177¶
LINKTYPE_LINUX_LAPD¶
Linux vISDN LAPD frames¶
182¶
LINKTYPE_MFR¶
FRF.16.1 Multi-Link Frame Relay frames¶
185¶
LINKTYPE_A653_ICM¶
Arinc 653 Interpartition Communication messages¶
186¶
LINKTYPE_USB_FREEBSD¶
USB traffic captured on FreeBSD¶
187¶
LINKTYPE_BLUETOOTH_HCI_H4¶
Bluetooth HCI UART Transport Layer packets¶
188¶
LINKTYPE_IEEE802_16_MAC_CPS¶
IEEE 802.16 MAC Common Part Sublayer¶
189¶
LINKTYPE_USB_LINUX¶
USB packets, beginning with a Linux USB header¶
190¶
LINKTYPE_CAN20B¶
Controller Area Network (CAN) v. 2.0B packets¶
191¶
LINKTYPE_IEEE802_15_4_LINUX¶
IEEE 802.15.4 with address fields padded by Linux¶
192¶
LINKTYPE_PPI¶
Per-Packet Information header preceding packet data¶
193¶
LINKTYPE_IEEE802_16_MAC_CPS_RADIO¶
802.16 MAC Common Part Sublayer plus radio header¶
195¶
LINKTYPE_IEEE802_15_4_WITHFCS¶
IEEE 802.15.4 with FCS¶
196¶
LINKTYPE_SITA¶
Various link-layer types, with a pseudo-header¶
198¶
LINKTYPE_RAIF1¶
Ethernet packets captured from a u10 Networks board¶
199¶
LINKTYPE_IPMB_KONTRON¶
IPMB packet for IPMI, with a 2-octet header¶
201¶
LINKTYPE_BLUETOOTH_HCI_H4_WITH_PHDR¶
Bluetooth HCI UART Transport Layer packets with a direction pseudo-header¶
202¶
LINKTYPE_AX25_KISS¶
KISS frames between a host and an AX.25 TNC¶
204¶
LINKTYPE_PPP_WITH_DIR¶
PPP, with a direction header¶
205¶
LINKTYPE_C_HDLC_WITH_DIR¶
Cisco PPP with HDLC framing, with a direction header¶
206¶
LINKTYPE_FRELAY_WITH_DIR¶
Frame Relay LAPF, with a direction header¶
207¶
LINKTYPE_LAPB_WITH_DIR¶
X.25 LAPB, with a direction header¶
210¶
LINKTYPE_FLEXRAY¶
FlexRay frames or symbols, with a pseudo-header¶
211¶
LINKTYPE_MOST¶
Media Oriented Systems Transport (MOST) bus¶
212¶
LINKTYPE_LIN¶
Local Interconnect Network (LIN) automotive bus, with a metadata header¶
215¶
LINKTYPE_IEEE802_15_4_NONASK_PHY¶
IEEE 802.15.4 with PHY header¶
217¶
LINKTYPE_GSMTAP_UM¶
GSM Um interface, with gsmtap header¶
218¶
LINKTYPE_GSMTAP_ABIS¶
GSM Abis interface, with gsmtap header¶
219¶
LINKTYPE_MPLS¶
MPLS packets with MPLS label as the header¶
220¶
LINKTYPE_USB_LINUX_MMAPPED¶
USB packets, beginning with an extended Linux USB header¶
223¶
LINKTYPE_WIHART¶
Wireless HART (Highway Addressable Remote Transducer)¶
225¶
LINKTYPE_FC_2_WITH_FRAME_DELIMS¶
Fibre Channel FC-2 frames with SOF and EOF¶
227¶
LINKTYPE_CAN_SOCKETCAN¶
Controller Area Network (CAN) frames, with a metadata header¶
228¶
LINKTYPE_IPV4¶
IPv4 without link-layer headers¶
229¶
LINKTYPE_IPV6¶
IPv6 without link-layer headers¶
230¶
LINKTYPE_IEEE802_15_4_NOFCS¶
IEEE 802.15.4 without FCS¶
235¶
LINKTYPE_DVB_CI¶
DVB-CI messages, with a pseudo-header¶
236¶
LINKTYPE_MUX27010¶
Variant of 3GPP TS 27.010 multiplexing protocol¶
237¶
LINKTYPE_STANAG_5066_D_PDU¶
STANAG 5066 D_PDUs¶
239¶
LINKTYPE_NFLOG¶
Linux netlink NETLINK NFLOG socket log messages¶
240¶
LINKTYPE_NETANALYZER¶
Ethernet frames with netANALYZER pseudo-header¶
241¶
LINKTYPE_NETANALYZER_TRANSPARENT¶
Ethernet frames with netANALYZER pseudo-header, preamble, and SFD¶
243¶
LINKTYPE_MPEG_2_TS¶
MPEG-2 Transport Stream transport packets¶
244¶
LINKTYPE_NG40¶
Frames from ng4T GmbH's ng40 protocol tester¶
245¶
LINKTYPE_NFC_LLCP¶
NFC Logical Link Control Protocol frames, with a pseudo-header¶
247¶
LINKTYPE_INFINIBAND¶
InfiniBand data packets¶
248¶
LINKTYPE_SCTP¶
SCTP packets, with no lower-level protocols such as IPv4 or IPv6¶
249¶
LINKTYPE_USBPCAP¶
USB packets, beginning with a USBPcap header¶
250¶
LINKTYPE_RTAC_SERIAL¶
Serial-line packet from the Schweitzer Engineering Laboratories RTAC product¶
251¶
LINKTYPE_BLUETOOTH_LE_LL¶
Bluetooth Low Energy link-layer packets¶
253¶
LINKTYPE_NETLINK¶
Linux Netlink capture encapsulation¶
254¶
LINKTYPE_BLUETOOTH_LINUX_MONITOR¶
Bluetooth Linux Monitor¶
255¶
LINKTYPE_BLUETOOTH_BREDR_BB¶
Bluetooth Basic Rate and Enhanced Data Rate baseband packets¶
256¶
LINKTYPE_BLUETOOTH_LE_LL_WITH_PHDR¶
Bluetooth Low Energy link-layer packets¶
257¶
LINKTYPE_PROFIBUS_DL¶
PROFIBUS data link layer packets¶
258¶
LINKTYPE_PKTAP¶
Apple PKTAP capture encapsulation¶
259¶
LINKTYPE_EPON¶
Ethernet-over-passive-optical-network packets, including preamble octets¶
260¶
LINKTYPE_IPMI_HPM_2¶
IPMI HPM.2 trace packets¶
261¶
LINKTYPE_ZWAVE_R1_R2¶
Z-Wave RF profile R1 and R2 packets¶
262¶
LINKTYPE_ZWAVE_R3¶
Z-Wave RF profile R3 packets¶
263¶
LINKTYPE_WATTSTOPPER_DLM¶
WattStopper Digital Lighting Management (DLM) and Legrand Nitoo Open protocol packets¶
264¶
LINKTYPE_ISO_14443¶
ISO 14443 contactless smartcard messages¶
265¶
LINKTYPE_RDS¶
IEC 62106 Radio data system (RDS) groups¶
266¶
LINKTYPE_USB_DARWIN¶
USB packets captured on a Darwin-based operating system (macOS, etc.)¶
269¶
LINKTYPE_TI_LLN_SNIFFER¶
Texas Instruments protocol sniffer¶
270¶
LINKTYPE_LORATAP¶
LoRaWan packets with a LoRaTap pseudo-header¶
271¶
LINKTYPE_VSOCK¶
Protocol for communication between host and guest machines in VMware and KVM hypervisors¶
272¶
LINKTYPE_NORDIC_BLE¶
Messages to and from a Nordic Semiconductor nRF Sniffer for Bluetooth LE packets¶
273¶
LINKTYPE_DOCSIS31_XRA31¶
DOCSIS packets and bursts, preceded by a pseudo-header¶
274¶
LINKTYPE_ETHERNET_MPACKET¶
IEEE 802.3 mPackets¶
275¶
LINKTYPE_DISPLAYPORT_AUX¶
DisplayPort AUX channel monitoring messages¶
276¶
LINKTYPE_LINUX_SLL2¶
Linux cooked capture encapsulation v2¶
278¶
LINKTYPE_OPENVIZSLA¶
OpenVizsla FPGA-based USB sniffer¶
279¶
LINKTYPE_EBHSCR¶
Elektrobit High Speed Capture and Replay (EBHSCR) format¶
280¶
LINKTYPE_VPP_DISPATCH¶
fd.io VPP graph dispatcher trace records¶
281¶
LINKTYPE_DSA_TAG_BRCM¶
Ethernet frames, with a Broadcom switch tag inserted¶
282¶
LINKTYPE_DSA_TAG_BRCM_PREPEND¶
Ethernet frames, with a Broadcom switch tag prepended¶
283¶
LINKTYPE_IEEE802_15_4_TAP¶
IEEE 802.15.4 with a tap header preceding it¶
284¶
LINKTYPE_DSA_TAG_DSA¶
Ethernet frames, with a Marvell DSA switch tag inserted¶
285¶
LINKTYPE_DSA_TAG_EDSA¶
Ethernet frames, with a Marvell EDSA switch tag inserted¶
287¶
LINKTYPE_Z_WAVE_SERIAL¶
Serial frames transmitted between a host and a Z-Wave chip over an RS-232 or USB serial connection¶
[Z-WAVE-SERIAL] section 5¶
288¶
LINKTYPE_USB_2_0¶
USB 2.0, 1.1, or 1.0 packets¶
289¶
LINKTYPE_ATSC_ALP¶
ATSC Link-Layer Protocol frames¶
290¶
LINKTYPE_ETW¶
Event Tracing for Windows messages¶
291¶
LINKTYPE_NETANALYZER_NG¶
Hilscher Gesellschaft fuer Systemautomation mbH netANALYZER NG hardware and software¶
292¶
LINKTYPE_ZBOSS_NCP¶
ZBOSS NCP Serial Protocol, with a pseudo-header¶
293¶
LINKTYPE_USB_2_0_LOW_SPEED¶
Low-Speed USB 2.0, 1.1, or 1.0 packets¶
294¶
LINKTYPE_USB_2_0_FULL_SPEED¶
Full-Speed USB 2.0, 1.1, or 1.0 packets¶
295¶
LINKTYPE_USB_2_0_HIGH_SPEED¶
High-Speed USB 2.0 packets¶
296¶
LINKTYPE_AUERSWALD_LOG¶
Auerswald Logger Protocol¶
297¶
LINKTYPE_ZWAVE_TAP¶
Z-Wave packets, with a metadata header¶
298¶
LINKTYPE_SILABS_DEBUG_CHANNEL¶
Silicon Labs debug channel protocol¶
299¶
LINKTYPE_FIRA_UCI¶
Ultra-wideband (UWB) controller interface protocol (UCI)¶
300¶
LINKTYPE_MDB¶
MDB (Multi-Drop Bus) protocol¶
When processing a request for an allocation, the Designated Experts will encourage the requester to provide a specification at a stable URL.¶
There is no requirement for a specification, but often review of the specification allows the Designated Expert to determine if the allocation actually is a duplicate of another specification.¶
When the contents of the link type can contain an IPv4 or IPv6 header, then the octets between the beginning of the link type and the IP header needs to be clearly specified.¶
Registrations for specifications that are not publicly available are acceptable. This includes specifications obtained via liaison agreements (such as to ITU-T, drafts, IEEE, etc.), those that may eventually be made public, or those for which no public document will be available.¶
The minimal requirement is to provide a contact for that link type.¶
For other documents, the Designated Expert will need use their judgement, or consult the OPSAWG or an Area Director.¶
This document describes the IANA registration rules for the LinkType encapsulations. PCAP-related packet file formats use this value to determine what kind of headers precede network packet captures. Many of these formats can contain IPv4 and IPv6 packets. A system reading PCAP-related format captures can be subject to arbitrary inputs that may be controlled by malicious entities, so utmost caution is required.¶
Many LinkType formats include a "snapshot" length, which may be smaller than the actual packet. It is therefore very likely that trailing parts of a packet capture may be omitted, yet internal length fields in the packets will claim the packet is bigger than the capture. This leads to trivial buffer overreads, and systems interpreting the packets need to carefully scrutinize all attempts to read data from a capture.¶
PCAP has been developed over three and half decades by a variety of developers, including: Bill Fenner, Denis Ovsienko, Francois-Xavier Le Bail, Fulvio Risso, Gerald Combs, Gianluca Varenni, Gisle Vanem, Hannes Gredler, Joerg Mayer, Michal Sekletar, Stephen Donnelly, Torsten Landschoff, and Jun-ichiro itojun Hagino.¶
PCAP was originally created at LBL by Steve McCanne, Craig Leres, and Van Jacobson.¶
The authors wish to thank: Michael Tuexen, Mohamed Boucadair, Carsten Bormann, Henk Birkholtz, and Robert Wilton their invaluable comments and encouragement.¶