| blob | 282c44fec4541f575142e77edc2b41ec7543642b |
2 #------------------------------------------------------------------------------
3 # sniffer: file(1) magic for packet capture files
4 #
5 # From: guy@alum.mit.edu (Guy Harris)
6 #
8 #
9 # Microsoft Network Monitor 1.x capture files.
10 #
11 0 string RTSS NetMon capture file
12 >5 byte x - version %d
13 >4 byte x \b.%d
14 >6 leshort 0 (Unknown)
15 >6 leshort 1 (Ethernet)
16 >6 leshort 2 (Token Ring)
17 >6 leshort 3 (FDDI)
18 >6 leshort 4 (ATM)
20 #
21 # Microsoft Network Monitor 2.x capture files.
22 #
23 0 string GMBU NetMon capture file
24 >5 byte x - version %d
25 >4 byte x \b.%d
26 >6 leshort 0 (Unknown)
27 >6 leshort 1 (Ethernet)
28 >6 leshort 2 (Token Ring)
29 >6 leshort 3 (FDDI)
30 >6 leshort 4 (ATM)
32 #
33 # Network General Sniffer capture files.
34 # Sorry, make that "Network Associates Sniffer capture files."
35 # Sorry, make that "Network General old DOS Sniffer capture files."
36 #
37 0 string TRSNIFF\ data\ \ \ \ \032 Sniffer capture file
38 >33 byte 2 (compressed)
39 >23 leshort x - version %d
40 >25 leshort x \b.%d
41 >32 byte 0 (Token Ring)
42 >32 byte 1 (Ethernet)
43 >32 byte 2 (ARCNET)
44 >32 byte 3 (StarLAN)
45 >32 byte 4 (PC Network broadband)
46 >32 byte 5 (LocalTalk)
47 >32 byte 6 (Znet)
48 >32 byte 7 (Internetwork Analyzer)
49 >32 byte 9 (FDDI)
50 >32 byte 10 (ATM)
52 #
53 # Cinco Networks NetXRay capture files.
54 # Sorry, make that "Network General Sniffer Basic capture files."
55 # Sorry, make that "Network Associates Sniffer Basic capture files."
56 # Sorry, make that "Network Associates Sniffer Basic, and Windows
57 # Sniffer Pro", capture files."
58 # Sorry, make that "Network General Sniffer capture files."
59 #
60 0 string XCP\0 NetXRay capture file
61 >4 string >\0 - version %s
62 >44 leshort 0 (Ethernet)
63 >44 leshort 1 (Token Ring)
64 >44 leshort 2 (FDDI)
65 >44 leshort 3 (WAN)
66 >44 leshort 8 (ATM)
67 >44 leshort 9 (802.11)
69 #
70 # "libpcap" capture files.
71 # (We call them "tcpdump capture file(s)" for now, as "tcpdump" is
72 # the main program that uses that format, but there are other programs
73 # that use "libpcap", or that use the same capture file format.)
74 #
75 0 ubelong 0xa1b2c3d4 tcpdump capture file (big-endian)
76 >4 beshort x - version %d
77 >6 beshort x \b.%d
78 >20 belong 0 (No link-layer encapsulation
79 >20 belong 1 (Ethernet
80 >20 belong 2 (3Mb Ethernet
81 >20 belong 3 (AX.25
82 >20 belong 4 (ProNET
83 >20 belong 5 (CHAOS
84 >20 belong 6 (Token Ring
85 >20 belong 7 (BSD ARCNET
86 >20 belong 8 (SLIP
87 >20 belong 9 (PPP
88 >20 belong 10 (FDDI
89 >20 belong 11 (RFC 1483 ATM
90 >20 belong 12 (raw IP
91 >20 belong 13 (BSD/OS SLIP
92 >20 belong 14 (BSD/OS PPP
93 >20 belong 19 (Linux ATM Classical IP
94 >20 belong 50 (PPP or Cisco HDLC
95 >20 belong 51 (PPP-over-Ethernet
96 >20 belong 99 (Symantec Enterprise Firewall
97 >20 belong 100 (RFC 1483 ATM
98 >20 belong 101 (raw IP
99 >20 belong 102 (BSD/OS SLIP
100 >20 belong 103 (BSD/OS PPP
101 >20 belong 104 (BSD/OS Cisco HDLC
102 >20 belong 105 (802.11
103 >20 belong 106 (Linux Classical IP over ATM
104 >20 belong 107 (Frame Relay
105 >20 belong 108 (OpenBSD loopback
106 >20 belong 109 (OpenBSD IPsec encrypted
107 >20 belong 112 (Cisco HDLC
108 >20 belong 113 (Linux "cooked"
109 >20 belong 114 (LocalTalk
110 >20 belong 117 (OpenBSD PFLOG
111 >20 belong 119 (802.11 with Prism header
112 >20 belong 122 (RFC 2625 IP over Fibre Channel
113 >20 belong 123 (SunATM
114 >20 belong 127 (802.11 with radiotap header
115 >20 belong 129 (Linux ARCNET
116 >20 belong 138 (Apple IP over IEEE 1394
117 >20 belong 140 (MTP2
118 >20 belong 141 (MTP3
119 >20 belong 143 (DOCSIS
120 >20 belong 144 (IrDA
121 >20 belong 147 (Private use 0
122 >20 belong 148 (Private use 1
123 >20 belong 149 (Private use 2
124 >20 belong 150 (Private use 3
125 >20 belong 151 (Private use 4
126 >20 belong 152 (Private use 5
127 >20 belong 153 (Private use 6
128 >20 belong 154 (Private use 7
129 >20 belong 155 (Private use 8
130 >20 belong 156 (Private use 9
131 >20 belong 157 (Private use 10
132 >20 belong 158 (Private use 11
133 >20 belong 159 (Private use 12
134 >20 belong 160 (Private use 13
135 >20 belong 161 (Private use 14
136 >20 belong 162 (Private use 15
137 >20 belong 163 (802.11 with AVS header
138 >16 belong x \b, capture length %d)
139 0 ulelong 0xa1b2c3d4 tcpdump capture file (little-endian)
140 >4 leshort x - version %d
141 >6 leshort x \b.%d
142 >20 lelong 0 (No link-layer encapsulation
143 >20 lelong 1 (Ethernet
144 >20 lelong 2 (3Mb Ethernet
145 >20 lelong 3 (AX.25
146 >20 lelong 4 (ProNET
147 >20 lelong 5 (CHAOS
148 >20 lelong 6 (Token Ring
149 >20 lelong 7 (ARCNET
150 >20 lelong 8 (SLIP
151 >20 lelong 9 (PPP
152 >20 lelong 10 (FDDI
153 >20 lelong 11 (RFC 1483 ATM
154 >20 lelong 12 (raw IP
155 >20 lelong 13 (BSD/OS SLIP
156 >20 lelong 14 (BSD/OS PPP
157 >20 lelong 19 (Linux ATM Classical IP
158 >20 lelong 50 (PPP or Cisco HDLC
159 >20 lelong 51 (PPP-over-Ethernet
160 >20 lelong 99 (Symantec Enterprise Firewall
161 >20 lelong 100 (RFC 1483 ATM
162 >20 lelong 101 (raw IP
163 >20 lelong 102 (BSD/OS SLIP
164 >20 lelong 103 (BSD/OS PPP
165 >20 lelong 104 (BSD/OS Cisco HDLC
166 >20 lelong 105 (802.11
167 >20 lelong 106 (Linux Classical IP over ATM
168 >20 lelong 107 (Frame Relay
169 >20 lelong 108 (OpenBSD loopback
170 >20 lelong 109 (OpenBSD IPsec encrypted
171 >20 lelong 112 (Cisco HDLC
172 >20 lelong 113 (Linux "cooked"
173 >20 lelong 114 (LocalTalk
174 >20 lelong 117 (OpenBSD PFLOG
175 >20 lelong 119 (802.11 with Prism header
176 >20 lelong 122 (RFC 2625 IP over Fibre Channel
177 >20 lelong 123 (SunATM
178 >20 lelong 127 (802.11 with radiotap header
179 >20 lelong 129 (Linux ARCNET
180 >20 lelong 138 (Apple IP over IEEE 1394
181 >20 lelong 140 (MTP2
182 >20 lelong 141 (MTP3
183 >20 lelong 143 (DOCSIS
184 >20 lelong 144 (IrDA
185 >20 lelong 147 (Private use 0
186 >20 lelong 148 (Private use 1
187 >20 lelong 149 (Private use 2
188 >20 lelong 150 (Private use 3
189 >20 lelong 151 (Private use 4
190 >20 lelong 152 (Private use 5
191 >20 lelong 153 (Private use 6
192 >20 lelong 154 (Private use 7
193 >20 lelong 155 (Private use 8
194 >20 lelong 156 (Private use 9
195 >20 lelong 157 (Private use 10
196 >20 lelong 158 (Private use 11
197 >20 lelong 159 (Private use 12
198 >20 lelong 160 (Private use 13
199 >20 lelong 161 (Private use 14
200 >20 lelong 162 (Private use 15
201 >20 lelong 163 (802.11 with AVS header
202 >16 lelong x \b, capture length %d)
204 #
205 # "libpcap"-with-Alexey-Kuznetsov's-patches capture files.
206 # (We call them "tcpdump capture file(s)" for now, as "tcpdump" is
207 # the main program that uses that format, but there are other programs
208 # that use "libpcap", or that use the same capture file format.)
209 #
210 0 ubelong 0xa1b2cd34 extended tcpdump capture file (big-endian)
211 >4 beshort x - version %d
212 >6 beshort x \b.%d
213 >20 belong 0 (No link-layer encapsulation
214 >20 belong 1 (Ethernet
215 >20 belong 2 (3Mb Ethernet
216 >20 belong 3 (AX.25
217 >20 belong 4 (ProNET
218 >20 belong 5 (CHAOS
219 >20 belong 6 (Token Ring
220 >20 belong 7 (ARCNET
221 >20 belong 8 (SLIP
222 >20 belong 9 (PPP
223 >20 belong 10 (FDDI
224 >20 belong 11 (RFC 1483 ATM
225 >20 belong 12 (raw IP
226 >20 belong 13 (BSD/OS SLIP
227 >20 belong 14 (BSD/OS PPP
228 >16 belong x \b, capture length %d)
229 0 ulelong 0xa1b2cd34 extended tcpdump capture file (little-endian)
230 >4 leshort x - version %d
231 >6 leshort x \b.%d
232 >20 lelong 0 (No link-layer encapsulation
233 >20 lelong 1 (Ethernet
234 >20 lelong 2 (3Mb Ethernet
235 >20 lelong 3 (AX.25
236 >20 lelong 4 (ProNET
237 >20 lelong 5 (CHAOS
238 >20 lelong 6 (Token Ring
239 >20 lelong 7 (ARCNET
240 >20 lelong 8 (SLIP
241 >20 lelong 9 (PPP
242 >20 lelong 10 (FDDI
243 >20 lelong 11 (RFC 1483 ATM
244 >20 lelong 12 (raw IP
245 >20 lelong 13 (BSD/OS SLIP
246 >20 lelong 14 (BSD/OS PPP
247 >16 lelong x \b, capture length %d)
249 #
250 # AIX "iptrace" capture files.
251 #
252 0 string iptrace\ 1.0 "iptrace" capture file
253 0 string iptrace\ 2.0 "iptrace" capture file
255 #
256 # Novell LANalyzer capture files.
257 #
258 0 leshort 0x1001 LANalyzer capture file
259 0 leshort 0x1007 LANalyzer capture file
261 #
262 # HP-UX "nettl" capture files.
263 #
264 0 string \x54\x52\x00\x64\x00 "nettl" capture file
266 #
267 # RADCOM WAN/LAN Analyzer capture files.
268 #
269 0 string \x42\xd2\x00\x34\x12\x66\x22\x88 RADCOM WAN/LAN Analyzer capture file
271 #
272 # NetStumbler log files. Not really packets, per se, but about as
273 # close as you can get. These are log files from NetStumbler, a
274 # Windows program, that scans for 802.11b networks.
275 #
276 0 string NetS NetStumbler log file
277 >8 lelong x \b, %d stations found
279 #
280 # EtherPeek/AiroPeek "version 9" capture files.
281 #
282 0 string \177ver EtherPeek/AiroPeek capture file
284 #
285 # Visual Networks traffic capture files.
286 #
287 0 string \x05VNF Visual Networks traffic capture file
289 #
290 # Network Instruments Observer capture files.
291 #
292 0 string ObserverPktBuffe Network Instruments Observer capture file
294 #
295 # Files from Accellent Group's 5View products.
296 #
297 0 string \xaa\xaa\xaa\xaa 5View capture file