#------------------------------------------------------------------------------
# $File: sniffer,v 1.19 2013/01/06 01:11:04 christos Exp $
# sniffer:  file(1) magic for packet capture files
#
# From: guy@alum.mit.edu (Guy Harris)
#

#
# Microsoft Network Monitor 1.x capture files.
#
0	string		RTSS		NetMon capture file
>5	byte		x		- version %d
>4	byte		x		\b.%d
>6	leshort		0		(Unknown)
>6	leshort		1		(Ethernet)
>6	leshort		2		(Token Ring)
>6	leshort		3		(FDDI)
>6	leshort		4		(ATM)
>6	leshort		>4		(type %d)

#
# Microsoft Network Monitor 2.x capture files.
#
0	string		GMBU		NetMon capture file
>5	byte		x		- version %d
>4	byte		x		\b.%d
>6	leshort		0		(Unknown)
>6	leshort		1		(Ethernet)
>6	leshort		2		(Token Ring)
>6	leshort		3		(FDDI)
>6	leshort		4		(ATM)
>6	leshort		5		(IP-over-IEEE 1394)
>6	leshort		6		(802.11)
>6	leshort		7		(Raw IP)
>6	leshort		8		(Raw IP)
>6	leshort		9		(Raw IP)
>6	leshort		>9		(type %d)

#
# Network General Sniffer capture files.
# Sorry, make that "Network Associates Sniffer capture files."
# Sorry, make that "Network General old DOS Sniffer capture files."
#
0	string		TRSNIFF\ data\ \ \ \ \032	Sniffer capture file
>33	byte		2		(compressed)
>23	leshort		x		- version %d
>25	leshort		x		\b.%d
>32	byte		0		(Token Ring)
>32	byte		1		(Ethernet)
>32	byte		2		(ARCNET)
>32	byte		3		(StarLAN)
>32	byte		4		(PC Network broadband)
>32	byte		5		(LocalTalk)
>32	byte		6		(Znet)
>32	byte		7		(Internetwork Analyzer)
>32	byte		9		(FDDI)
>32	byte		10		(ATM)

#
# Cinco Networks NetXRay capture files.
# Sorry, make that "Network General Sniffer Basic capture files."
# Sorry, make that "Network Associates Sniffer Basic capture files."
# Sorry, make that "Network Associates Sniffer Basic, and Windows
# Sniffer Pro" capture files.
# Sorry, make that "Network General Sniffer capture files."
# Sorry, make that "NetScout Sniffer capture files."
#
0	string		XCP\0		NetXRay capture file
>4	string		>\0		- version %s
>44	leshort		0		(Ethernet)
>44	leshort		1		(Token Ring)
>44	leshort		2		(FDDI)
>44	leshort		3		(WAN)
>44	leshort		8		(ATM)
>44	leshort		9		(802.11)

#
# "libpcap" capture files.
# (We call them "tcpdump capture file(s)" for now, as "tcpdump" is
# the main program that uses that format, but there are other programs
# that use "libpcap", or that use the same capture file format.)
#
0	name		pcap-be
>4	beshort		x		- version %d
>6	beshort		x		\b.%d
>20	belong		0		(No link-layer encapsulation
>20	belong		1		(Ethernet
>20	belong		2		(3Mb Ethernet
>20	belong		3		(AX.25
>20	belong		4		(ProNET
>20	belong		5		(CHAOS
>20	belong		6		(Token Ring
>20	belong		7		(BSD ARCNET
>20	belong		8		(SLIP
>20	belong		9		(PPP
>20	belong		10		(FDDI
>20	belong		11		(RFC 1483 ATM
>20	belong		12		(raw IP
>20	belong		13		(BSD/OS SLIP
>20	belong		14		(BSD/OS PPP
>20	belong		19		(Linux ATM Classical IP
>20	belong		50		(PPP or Cisco HDLC
>20	belong		51		(PPP-over-Ethernet
>20	belong		99		(Symantec Enterprise Firewall
>20	belong		100		(RFC 1483 ATM
>20	belong		101		(raw IP
>20	belong		102		(BSD/OS SLIP
>20	belong		103		(BSD/OS PPP
>20	belong		104		(BSD/OS Cisco HDLC
>20	belong		105		(802.11
>20	belong		106		(Linux Classical IP over ATM
>20	belong		107		(Frame Relay
>20	belong		108		(OpenBSD loopback
>20	belong		109		(OpenBSD IPsec encrypted
>20	belong		112		(Cisco HDLC
>20	belong		113		(Linux "cooked"
>20	belong		114		(LocalTalk
>20	belong		117		(OpenBSD PFLOG
>20	belong		119		(802.11 with Prism header
>20	belong		122		(RFC 2625 IP over Fibre Channel
>20	belong		123		(SunATM
>20	belong		127		(802.11 with radiotap header
>20	belong		129		(Linux ARCNET
>20	belong		138		(Apple IP over IEEE 1394
>20	belong		139		(MTP2 with pseudo-header
>20	belong		140		(MTP2
>20	belong		141		(MTP3
>20	belong		142		(SCCP
>20	belong		143		(DOCSIS
>20	belong		144		(IrDA
>20	belong		147		(Private use 0
>20	belong		148		(Private use 1
>20	belong		149		(Private use 2
>20	belong		150		(Private use 3
>20	belong		151		(Private use 4
>20	belong		152		(Private use 5
>20	belong		153		(Private use 6
>20	belong		154		(Private use 7
>20	belong		155		(Private use 8
>20	belong		156		(Private use 9
>20	belong		157		(Private use 10
>20	belong		158		(Private use 11
>20	belong		159		(Private use 12
>20	belong		160		(Private use 13
>20	belong		161		(Private use 14
>20	belong		162		(Private use 15
>20	belong		163		(802.11 with AVS header
>20	belong		165		(BACnet MS/TP
>20	belong		166		(PPPD
>20	belong		169		(GPRS LLC
>20	belong		177		(Linux LAPD
>20	belong		187		(Bluetooth HCI H4
>20	belong		189		(Linux USB
>20	belong		192		(PPI
>20	belong		195		(802.15.4
>20	belong		196		(SITA
>20	belong		197		(Endace ERF
>20	belong		201		(Bluetooth HCI H4 with pseudo-header
>20	belong		202		(AX.25 with KISS header
>20	belong		203		(LAPD
>20	belong		204		(PPP with direction pseudo-header
>20	belong		205		(Cisco HDLC with direction pseudo-header
>20	belong		206		(Frame Relay with direction pseudo-header
>20	belong		209		(Linux IPMB
>20	belong		215		(802.15.4 with non-ASK PHY header
>20	belong		220		(Memory-mapped Linux USB
>20	belong		224		(Fibre Channel FC-2
>20	belong		225		(Fibre Channel FC-2 with frame delimiters
>20	belong		226		(Solaris IPNET
>20	belong		227		(SocketCAN
>20	belong		228		(Raw IPv4
>20	belong		229		(Raw IPv6
>20	belong		230		(802.15.4 without FCS
>20	belong		231		(D-Bus messages
>20	belong		235		(DVB-CI
>20	belong		236		(MUX27010
>20	belong		237		(STANAG 5066 D_PDUs
>20	belong		239		(Linux netlink NFLOG messages
>20	belong		240		(Hilscher netAnalyzer
>20	belong		241		(Hilscher netAnalyzer with delimiters
>20	belong		242		(IP-over-Infiniband
>20	belong		243		(MPEG-2 Transport Stream packets
>20	belong		244		(ng4t ng40
>20	belong		245		(NFC LLCP
>20	belong		247		(Infiniband
>20	belong		248		(SCTP
>16	belong		x		\b, capture length %d)

0	ubelong		0xa1b2c3d4	tcpdump capture file (big-endian)
!:mime	application/vnd.tcpdump.pcap
>0	use		pcap-be
0	ulelong		0xa1b2c3d4	tcpdump capture file (little-endian)
!:mime	application/vnd.tcpdump.pcap
>0	use		\^pcap-be

#
# "libpcap"-with-Alexey-Kuznetsov's-patches capture files.
# (We call them "tcpdump capture file(s)" for now, as "tcpdump" is
# the main program that uses that format, but there are other programs
# that use "libpcap", or that use the same capture file format.)
#
0	ubelong		0xa1b2cd34	extended tcpdump capture file (big-endian)
>0	use		pcap-be
0	ulelong		0xa1b2cd34	extended tcpdump capture file (little-endian)
>0	use		\^pcap-be

#
# "pcap-ng" capture files.
# http://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html
# Pcap-ng files can contain multiple sections. Printing the endianness,
# snaplen, or other information from the first SHB may be misleading.
#
0	ubelong		0x0a0d0d0a
>8	ubelong		0x1a2b3c4d	pcap-ng capture file
>>12	beshort		x		- version %d
>>14	beshort		x		\b.%d
0	ulelong		0x0a0d0d0a
>8	ulelong		0x1a2b3c4d	pcap-ng capture file
>>12	leshort		x		- version %d
>>14	leshort		x		\b.%d

#
# AIX "iptrace" capture files.
#
0	string		iptrace\ 1.0	"iptrace" capture file
0	string		iptrace\ 2.0	"iptrace" capture file

#
# Novell LANalyzer capture files.
#
0	leshort		0x1001		LANalyzer capture file
0	leshort		0x1007		LANalyzer capture file

#
# HP-UX "nettl" capture files.
#
0	string		\x54\x52\x00\x64\x00	"nettl" capture file

#
# RADCOM WAN/LAN Analyzer capture files.
#
0	string		\x42\xd2\x00\x34\x12\x66\x22\x88	RADCOM WAN/LAN Analyzer capture file

#
# NetStumbler log files.  Not really packets, per se, but about as
# close as you can get.  These are log files from NetStumbler, a
# Windows program, that scans for 802.11b networks.
#
0	string		NetS		NetStumbler log file
>8	lelong		x		\b, %d stations found

#
# *Peek tagged capture files.
#
0	string		\177ver		EtherPeek/AiroPeek/OmniPeek capture file

#
# Visual Networks traffic capture files.
#
0	string		\x05VNF		Visual Networks traffic capture file

#
# Network Instruments Observer capture files.
#
0	string		ObserverPktBuffe	Network Instruments Observer capture file

#
# Files from Accellent Group's 5View products.
#
0	string		\xaa\xaa\xaa\xaa	5View capture file
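The rules above are offset-and-value tests on the first bytes of a file. The following Python identifier is an added example, not part of this magic file or of file(1): it applies the same tests for the "libpcap", extended "libpcap", pcap-ng and NetMon headers (magic at offset 0, version at 4/6, snaplen at 16 and link type at 20 for libpcap; byte-order magic at offset 8 and version at 12/14 for a pcap-ng Section Header Block; version bytes at 5/4 and network type at 6 for NetMon), and it walks every pcap-ng SHB instead of trusting the first one, which is the caveat the pcap-ng comment raises. The link-type table is only a subset of the pcap-be list; the block builders and sample headers are constructed here for illustration and are not taken from real captures.

```python
import struct

# Subset of the link-layer types listed in the pcap-be rules above.
LINKTYPES = {
    0: "No link-layer encapsulation",
    1: "Ethernet",
    9: "PPP",
    101: "raw IP",
    105: "802.11",
    113: 'Linux "cooked"',
    127: "802.11 with radiotap header",
}

# NetMon network types (1.x defines 0-4, 2.x adds 5-9; anything else prints as "type N").
NETMON_TYPES = {0: "Unknown", 1: "Ethernet", 2: "Token Ring", 3: "FDDI", 4: "ATM",
                5: "IP-over-IEEE 1394", 6: "802.11", 7: "Raw IP", 8: "Raw IP", 9: "Raw IP"}

PCAP_MAGIC = 0xA1B2C3D4        # "libpcap" capture files
PCAP_EXT_MAGIC = 0xA1B2CD34    # "libpcap"-with-Alexey-Kuznetsov's-patches capture files
PCAPNG_SHB = 0x0A0D0D0A        # pcap-ng Section Header Block type (same bytes in either byte order)
PCAPNG_BOM = 0x1A2B3C4D        # pcap-ng byte-order magic at offset 8 of an SHB


def identify_pcap(data):
    """Classic/extended libpcap global header: magic at 0, version at 4/6,
    snaplen at 16, link type at 20, the offsets the pcap-be rules test."""
    if len(data) < 24:
        return None
    for prefix, magic in (("", PCAP_MAGIC), ("extended ", PCAP_EXT_MAGIC)):
        for endian, label in ((">", "big-endian"), ("<", "little-endian")):
            if struct.unpack(endian + "I", data[:4])[0] != magic:
                continue
            major, minor = struct.unpack(endian + "HH", data[4:8])
            snaplen, linktype = struct.unpack(endian + "II", data[16:24])
            name = LINKTYPES.get(linktype, "type %d" % linktype)
            return "%stcpdump capture file (%s) - version %d.%d (%s, capture length %d)" % (
                prefix, label, major, minor, name, snaplen)
    return None


def pcapng_sections(data):
    """Walk every block and return (offset, byte order, major, minor) for each SHB.
    Block lengths are in the byte order of the section they belong to, so the
    byte-order magic is re-read at every SHB rather than taken from the first."""
    sections = []
    endian = None
    off = 0
    while off + 8 <= len(data):
        if data[off:off + 4] == b"\x0a\x0d\x0d\x0a":
            if off + 16 > len(data):
                break                                   # truncated SHB
            bom = data[off + 8:off + 12]
            if bom == b"\x1a\x2b\x3c\x4d":
                endian = ">"
            elif bom == b"\x4d\x3c\x2b\x1a":
                endian = "<"
            else:
                break                                   # not a valid byte-order magic
            major, minor = struct.unpack(endian + "HH", data[off + 12:off + 16])
            sections.append((off, "big-endian" if endian == ">" else "little-endian", major, minor))
        elif endian is None:
            break                                       # no SHB yet: not a pcap-ng file
        total_len = struct.unpack(endian + "I", data[off + 4:off + 8])[0]
        if total_len < 12 or total_len % 4:
            break                                       # malformed length; do not loop forever
        off += total_len
    return sections


def identify_capture(data):
    """Apply the same tests as the magic rules for the formats whose layout they document."""
    result = identify_pcap(data)
    if result:
        return result
    sections = pcapng_sections(data)
    if sections:
        _, order, major, minor = sections[0]
        return "pcap-ng capture file - version %d.%d (%s, %d section(s))" % (
            major, minor, order, len(sections))
    if len(data) >= 8 and data[:4] in (b"RTSS", b"GMBU"):
        nettype = struct.unpack("<H", data[6:8])[0]     # leshort at offset 6
        return "NetMon capture file - version %d.%d (%s)" % (
            data[5], data[4], NETMON_TYPES.get(nettype, "type %d" % nettype))
    return None


# Constructed sample headers for demonstration (not from real captures).
def build_pcap(endian, magic=PCAP_MAGIC, linktype=1, snaplen=65535):
    """24-byte libpcap global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype."""
    return struct.pack(endian + "IHHiIII", magic, 2, 4, 0, 0, snaplen, linktype)


def build_shb(endian, major=1, minor=0):
    """Minimal 28-byte SHB with no options and unknown (-1) section length."""
    return struct.pack(endian + "IIIHHqI", PCAPNG_SHB, 28, PCAPNG_BOM, major, minor, -1, 28)


def build_idb(endian, linktype=1, snaplen=65535):
    """20-byte Interface Description Block: type 1, length, linktype, reserved, snaplen, length."""
    return struct.pack(endian + "IIHHII", 1, 20, linktype, 0, snaplen, 20)


if __name__ == "__main__":
    print(identify_capture(build_pcap("<")))
    mixed = build_shb(">") + build_idb(">") + build_shb("<", 1, 2) + build_idb("<")
    print(identify_capture(mixed))
    for section in pcapng_sections(mixed):
        print("  SHB at offset %d: %s, version %d.%d" % section)
```

When run, the mixed sample reports two sections with different byte orders, which is exactly why a one-line description taken from the first SHB can mislead a triage script; a tool that needs the snaplen or byte order of a given packet has to use the SHB of the section that packet sits in.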