old ( 186675 ) new ( 226048 )
1
2#------------------------------------------------------------------------------
3# $File: sniffer,v 1.18 2011/08/08 08:49:27 christos Exp $
4# sniffer: file(1) magic for packet capture files
5#
6# From: guy@alum.mit.edu (Guy Harris)
7#
8
9#
10# Microsoft Network Monitor 1.x capture files.
11#

--- 57 unchanged lines hidden (view full) ---

69
70#
71# "libpcap" capture files.
72# (We call them "tcpdump capture file(s)" for now, as "tcpdump" is
73# the main program that uses that format, but there are other programs
74# that use "libpcap", or that use the same capture file format.)
75#
760 ubelong 0xa1b2c3d4 tcpdump capture file (big-endian)
77!:mime application/vnd.tcpdump.pcap
78>4 beshort x - version %d
79>6 beshort x \b.%d
80>20 belong 0 (No link-layer encapsulation
81>20 belong 1 (Ethernet
82>20 belong 2 (3Mb Ethernet
83>20 belong 3 (AX.25
84>20 belong 4 (ProNET
85>20 belong 5 (CHAOS

--- 48 unchanged lines hidden (view full) ---

134>20 belong 158 (Private use 11
135>20 belong 159 (Private use 12
136>20 belong 160 (Private use 13
137>20 belong 161 (Private use 14
138>20 belong 162 (Private use 15
139>20 belong 163 (802.11 with AVS header
140>16 belong x \b, capture length %d)
1410 ulelong 0xa1b2c3d4 tcpdump capture file (little-endian)
142!:mime application/vnd.tcpdump.pcap
143>4 leshort x - version %d
144>6 leshort x \b.%d
145>20 lelong 0 (No link-layer encapsulation
146>20 lelong 1 (Ethernet
147>20 lelong 2 (3Mb Ethernet
148>20 lelong 3 (AX.25
149>20 lelong 4 (ProNET
150>20 lelong 5 (CHAOS
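Review bot: the link-type continuations open a parenthesis (for example `>20 belong 163 (802.11 with AVS header`) that only `>16 belong x \b, capture length %d)` closes, so unless the hidden lines carry a catch-all, a capture whose link type matches none of the listed values prints `, capture length N)` with no opening parenthesis. Consider making the capture-length line self-contained, or adding a fallback that prints the raw link-type number. Separately, `belong`/`lelong` with `%d` is signed, so a snapshot length of 0x80000000 or more in an untrusted file is shown as a negative number; an unsigned type with `%u` would report it faithfully.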

--- 94 unchanged lines hidden (view full) ---

245>20 lelong 10 (FDDI
246>20 lelong 11 (RFC 1483 ATM
247>20 lelong 12 (raw IP
248>20 lelong 13 (BSD/OS SLIP
249>20 lelong 14 (BSD/OS PPP
250>16 lelong x \b, capture length %d)
251
252#
253# "pcap-ng" capture files.
254# http://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html
255# Pcap-ng files can contain multiple sections. Printing the endianness,
256# snaplen, or other information from the first SHB may be misleading.
257#
2580 ubelong 0x0a0d0d0a
259>8 ubelong 0x1a2b3c4d pcap-ng capture file
260>>12 beshort x - version %d
261>>14 beshort x \b.%d
2620 ulelong 0x0a0d0d0a
263>8 ulelong 0x1a2b3c4d pcap-ng capture file
264>>12 leshort x - version %d
265>>14 leshort x \b.%d
266
267#
268# AIX "iptrace" capture files.
269#
2700 string iptrace\ 1.0 "iptrace" capture file
2710 string iptrace\ 2.0 "iptrace" capture file
272
273#
274# Novell LANalyzer capture files.
275#
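Review bot: the two pcap-ng entries carry no `!:mime` line, while both tcpdump entries have `!:mime application/vnd.tcpdump.pcap`, so consumers that key on the MIME type get nothing specific for pcap-ng captures; add one if a suitable type exists, or say in the comment why it is omitted. Also, 0x0a0d0d0a reads the same in either byte order, so `0 ubelong 0x0a0d0d0a` and `0 ulelong 0x0a0d0d0a` both match every such file and only the offset-8 test against 0x1a2b3c4d separates them; a single level-0 test with the two `>8` branches beneath it would express the same thing with less duplication.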

--- 40 unchanged lines hidden ---