
#------------------------------------------------------------------------------
# $File: sniffer,v 1.18 2011/08/08 08:49:27 christos Exp $
# sniffer:  file(1) magic for packet capture files
#
# From: guy@alum.mit.edu (Guy Harris)
#
# Every entry below identifies a file by a fixed signature at a fixed
# offset and then prints a few header fields.  That is identification,
# not validation: the signatures are trivially forged by prepending them
# to arbitrary data, and the printed fields (versions, link types,
# capture lengths) are echoed from the file without cross-checks.  A
# tool that goes on to parse a capture must validate header lengths and
# types itself and must not treat a match here as evidence that the
# file is well-formed or safe to feed to a dissector.
#

#
# Microsoft Network Monitor 1.x capture files.
#
# Signature is the 4 bytes "RTSS" at offset 0.  The version is printed
# with offset 5 as the major and offset 4 as the minor number.  Offset 6
# is a 16-bit little-endian network type; only the values listed below
# get a name, any other value prints no type suffix (that is not an
# error, just an unknown code).
#
0	string		RTSS		NetMon capture file
>5	byte		x		- version %d
>4	byte		x		\b.%d
>6	leshort		0		(Unknown)
>6	leshort		1		(Ethernet)
>6	leshort		2		(Token Ring)
>6	leshort		3		(FDDI)
>6	leshort		4		(ATM)

#
# Microsoft Network Monitor 2.x capture files.
#
# Same header layout as the 1.x entry above (version minor at 4, major
# at 5, 16-bit little-endian network type at 6); only the 4-byte
# signature differs ("GMBU" instead of "RTSS").  Unlisted network types
# print no suffix.
#
0	string		GMBU		NetMon capture file
>5	byte		x		- version %d
>4	byte		x		\b.%d
>6	leshort		0		(Unknown)
>6	leshort		1		(Ethernet)
>6	leshort		2		(Token Ring)
>6	leshort		3		(FDDI)
>6	leshort		4		(ATM)

#
# Network General Sniffer capture files.
# Sorry, make that "Network Associates Sniffer capture files."
# Sorry, make that "Network General old DOS Sniffer capture files."
#
# The signature is 17 bytes: "TRSNIFF data", four spaces and a trailing
# Ctrl-Z (\032).  Continuation lines are evaluated in order, so the
# "(compressed)" marker (offset 33 == 2) is printed before the version
# (16-bit little-endian major at 23, minor at 25).  Offset 32 is the
# network type; value 8 is deliberately absent from the list, so it and
# any value above 10 print nothing.  "(compressed)" only reports a flag
# byte - nothing here decompresses or checks the body.
#
0	string		TRSNIFF\ data\ \ \ \ \032	Sniffer capture file
>33	byte		2		(compressed)
>23	leshort		x		- version %d
>25	leshort		x		\b.%d
>32	byte		0		(Token Ring)
>32	byte		1		(Ethernet)
>32	byte		2		(ARCNET)
>32	byte		3		(StarLAN)
>32	byte		4		(PC Network broadband)
>32	byte		5		(LocalTalk)
>32	byte		6		(Znet)
>32	byte		7		(Internetwork Analyzer)
>32	byte		9		(FDDI)
>32	byte		10		(ATM)

#
# Cinco Networks NetXRay capture files.
# Sorry, make that "Network General Sniffer Basic capture files."
# Sorry, make that "Network Associates Sniffer Basic capture files."
# Sorry, make that "Network Associates Sniffer Basic, and Windows
# Sniffer Pro", capture files."
# Sorry, make that "Network General Sniffer capture files."
#
# Signature is "XCP" followed by a NUL byte.  The version line tests for
# a non-empty string (">\0") at offset 4 and prints it with %s, i.e. it
# echoes NUL-terminated bytes taken straight from the file; file(1)
# applies its own length and escaping rules, but anything that consumes
# file(1) output should not treat that text as trusted.  The 16-bit
# little-endian network type at offset 44 prints nothing for values not
# listed (4-7 and anything above 9).
#
0	string		XCP\0		NetXRay capture file
>4	string		>\0		- version %s
>44	leshort		0		(Ethernet)
>44	leshort		1		(Token Ring)
>44	leshort		2		(FDDI)
>44	leshort		3		(WAN)
>44	leshort		8		(ATM)
>44	leshort		9		(802.11)

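#
# "libpcap" capture files.
# (We call them "tcpdump capture file(s)" for now, as "tcpdump" is
# the main program that uses that format, but there are other programs
# that use "libpcap", or that use the same capture file format.)
#
# Big-endian variant.  Magic 0xa1b2c3d4 at offset 0 is read as ubelong
# because the value has the high bit set.  Version major/minor are the
# 16-bit fields at offsets 4 and 6, the snaplen (capture length) is at
# offset 16 and the link-layer type at offset 20.  Only the link types
# listed below get a name; an unlisted value prints no "(..." text, and
# the closing ")" emitted by the capture-length line is then unbalanced
# (cosmetic only).  The snaplen is an unsigned 32-bit field in the
# format, so it is read as ubelong and printed with %u; a signed belong
# would show values >= 2^31 as negative.  The printed snaplen is taken
# from the file as-is and is not a safe bound for anything.
# NOTE(review): the nanosecond-resolution libpcap variant (magic
# 0xa1b23c4d) is not matched by this entry or the little-endian one.
#
0	ubelong		0xa1b2c3d4	tcpdump capture file (big-endian)
!:mime	application/vnd.tcpdump.pcap
>4	beshort		x		- version %d
>6	beshort		x		\b.%d
>20	belong		0		(No link-layer encapsulation
>20	belong		1		(Ethernet
>20	belong		2		(3Mb Ethernet
>20	belong		3		(AX.25
>20	belong		4		(ProNET
>20	belong		5		(CHAOS
>20	belong		6		(Token Ring
>20	belong		7		(BSD ARCNET
>20	belong		8		(SLIP
>20	belong		9		(PPP
>20	belong		10		(FDDI
>20	belong		11		(RFC 1483 ATM
>20	belong		12		(raw IP
>20	belong		13		(BSD/OS SLIP
>20	belong		14		(BSD/OS PPP
>20	belong		19		(Linux ATM Classical IP
>20	belong		50		(PPP or Cisco HDLC
>20	belong		51		(PPP-over-Ethernet
>20	belong		99		(Symantec Enterprise Firewall
>20	belong		100		(RFC 1483 ATM
>20	belong		101		(raw IP
>20	belong		102		(BSD/OS SLIP
>20	belong		103		(BSD/OS PPP
>20	belong		104		(BSD/OS Cisco HDLC
>20	belong		105		(802.11
>20	belong		106		(Linux Classical IP over ATM
>20	belong		107		(Frame Relay
>20	belong		108		(OpenBSD loopback
>20	belong		109		(OpenBSD IPsec encrypted
>20	belong		112		(Cisco HDLC
>20	belong		113		(Linux "cooked"
>20	belong		114		(LocalTalk
>20	belong		117		(OpenBSD PFLOG
>20	belong		119		(802.11 with Prism header
>20	belong		122		(RFC 2625 IP over Fibre Channel
>20	belong		123		(SunATM
>20	belong		127		(802.11 with radiotap header
>20	belong		129		(Linux ARCNET
>20	belong		138		(Apple IP over IEEE 1394
>20	belong		140		(MTP2
>20	belong		141		(MTP3
>20	belong		143		(DOCSIS
>20	belong		144		(IrDA
>20	belong		147		(Private use 0
>20	belong		148		(Private use 1
>20	belong		149		(Private use 2
>20	belong		150		(Private use 3
>20	belong		151		(Private use 4
>20	belong		152		(Private use 5
>20	belong		153		(Private use 6
>20	belong		154		(Private use 7
>20	belong		155		(Private use 8
>20	belong		156		(Private use 9
>20	belong		157		(Private use 10
>20	belong		158		(Private use 11
>20	belong		159		(Private use 12
>20	belong		160		(Private use 13
>20	belong		161		(Private use 14
>20	belong		162		(Private use 15
>20	belong		163		(802.11 with AVS header
>16	ubelong		x		\b, capture length %u)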
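#
# Little-endian variant of the libpcap entry above: same field layout
# (version at 4/6, snaplen at 16, link type at 20), same link-type table.
# Link type 7 is named "BSD ARCNET" to match the big-endian entry (the
# Linux flavour is 129).  The snaplen is an unsigned 32-bit field, so it
# is read as ulelong and printed with %u rather than as a signed lelong
# that would print values >= 2^31 as negative.  An unlisted link type
# prints no "(..." text and leaves the trailing ")" unbalanced
# (cosmetic only).  Nothing here validates the snaplen or link type.
#
0	ulelong		0xa1b2c3d4	tcpdump capture file (little-endian)
!:mime	application/vnd.tcpdump.pcap
>4	leshort		x		- version %d
>6	leshort		x		\b.%d
>20	lelong		0		(No link-layer encapsulation
>20	lelong		1		(Ethernet
>20	lelong		2		(3Mb Ethernet
>20	lelong		3		(AX.25
>20	lelong		4		(ProNET
>20	lelong		5		(CHAOS
>20	lelong		6		(Token Ring
>20	lelong		7		(BSD ARCNET
>20	lelong		8		(SLIP
>20	lelong		9		(PPP
>20	lelong		10		(FDDI
>20	lelong		11		(RFC 1483 ATM
>20	lelong		12		(raw IP
>20	lelong		13		(BSD/OS SLIP
>20	lelong		14		(BSD/OS PPP
>20	lelong		19		(Linux ATM Classical IP
>20	lelong		50		(PPP or Cisco HDLC
>20	lelong		51		(PPP-over-Ethernet
>20	lelong		99		(Symantec Enterprise Firewall
>20	lelong		100		(RFC 1483 ATM
>20	lelong		101		(raw IP
>20	lelong		102		(BSD/OS SLIP
>20	lelong		103		(BSD/OS PPP
>20	lelong		104		(BSD/OS Cisco HDLC
>20	lelong		105		(802.11
>20	lelong		106		(Linux Classical IP over ATM
>20	lelong		107		(Frame Relay
>20	lelong		108		(OpenBSD loopback
>20	lelong		109		(OpenBSD IPsec encrypted
>20	lelong		112		(Cisco HDLC
>20	lelong		113		(Linux "cooked"
>20	lelong		114		(LocalTalk
>20	lelong		117		(OpenBSD PFLOG
>20	lelong		119		(802.11 with Prism header
>20	lelong		122		(RFC 2625 IP over Fibre Channel
>20	lelong		123		(SunATM
>20	lelong		127		(802.11 with radiotap header
>20	lelong		129		(Linux ARCNET
>20	lelong		138		(Apple IP over IEEE 1394
>20	lelong		140		(MTP2
>20	lelong		141		(MTP3
>20	lelong		143		(DOCSIS
>20	lelong		144		(IrDA
>20	lelong		147		(Private use 0
>20	lelong		148		(Private use 1
>20	lelong		149		(Private use 2
>20	lelong		150		(Private use 3
>20	lelong		151		(Private use 4
>20	lelong		152		(Private use 5
>20	lelong		153		(Private use 6
>20	lelong		154		(Private use 7
>20	lelong		155		(Private use 8
>20	lelong		156		(Private use 9
>20	lelong		157		(Private use 10
>20	lelong		158		(Private use 11
>20	lelong		159		(Private use 12
>20	lelong		160		(Private use 13
>20	lelong		161		(Private use 14
>20	lelong		162		(Private use 15
>20	lelong		163		(802.11 with AVS header
>16	ulelong		x		\b, capture length %u)
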
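#
# "libpcap"-with-Alexey-Kuznetsov's-patches capture files.
# (We call them "tcpdump capture file(s)" for now, as "tcpdump" is
# the main program that uses that format, but there are other programs
# that use "libpcap", or that use the same capture file format.)
#
# Big-endian variant.  Distinguished from plain libpcap only by the
# magic 0xa1b2cd34; the version (4/6), snaplen (16) and link type (20)
# fields are read from the same offsets.  Only link types 0-14 are
# named here; anything else prints no "(..." text and leaves the
# trailing ")" unbalanced (cosmetic only).  The snaplen is an unsigned
# 32-bit field, so it is read as ubelong/%u rather than a signed belong.
# No MIME type is attached to this variant, unlike the plain entries.
#
0	ubelong		0xa1b2cd34	extended tcpdump capture file (big-endian)
>4	beshort		x		- version %d
>6	beshort		x		\b.%d
>20	belong		0		(No link-layer encapsulation
>20	belong		1		(Ethernet
>20	belong		2		(3Mb Ethernet
>20	belong		3		(AX.25
>20	belong		4		(ProNET
>20	belong		5		(CHAOS
>20	belong		6		(Token Ring
>20	belong		7		(ARCNET
>20	belong		8		(SLIP
>20	belong		9		(PPP
>20	belong		10		(FDDI
>20	belong		11		(RFC 1483 ATM
>20	belong		12		(raw IP
>20	belong		13		(BSD/OS SLIP
>20	belong		14		(BSD/OS PPP
>16	ubelong		x		\b, capture length %u)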
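#
# Little-endian variant of the extended (Kuznetsov-patched) libpcap
# entry: magic 0xa1b2cd34, version at 4/6, snaplen at 16, link type at
# 20, link types 0-14 named.  The snaplen is an unsigned 32-bit field,
# so it is read as ulelong/%u rather than a signed lelong that would
# print values >= 2^31 as negative.  Unlisted link types print no
# "(..." text (cosmetic unbalanced ")").
#
0	ulelong		0xa1b2cd34	extended tcpdump capture file (little-endian)
>4	leshort		x		- version %d
>6	leshort		x		\b.%d
>20	lelong		0		(No link-layer encapsulation
>20	lelong		1		(Ethernet
>20	lelong		2		(3Mb Ethernet
>20	lelong		3		(AX.25
>20	lelong		4		(ProNET
>20	lelong		5		(CHAOS
>20	lelong		6		(Token Ring
>20	lelong		7		(ARCNET
>20	lelong		8		(SLIP
>20	lelong		9		(PPP
>20	lelong		10		(FDDI
>20	lelong		11		(RFC 1483 ATM
>20	lelong		12		(raw IP
>20	lelong		13		(BSD/OS SLIP
>20	lelong		14		(BSD/OS PPP
>16	ulelong		x		\b, capture length %u)
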
#
# "pcap-ng" capture files.
# http://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html
# Pcap-ng files can contain multiple sections. Printing the endianness,
# snaplen, or other information from the first SHB may be misleading.
#
# The Section Header Block type 0x0a0d0d0a at offset 0 reads the same in
# either byte order, so it alone cannot tell big- from little-endian;
# both entries below match it, and the byte-order magic 0x1a2b3c4d at
# offset 8 decides which one continues.  The version fields at 12/14 are
# then read with the endianness that matched at offset 8.  Deliberately
# no "(big-endian)"/"(little-endian)" suffix and no block lengths
# printed, per the note above; nothing here checks that block lengths
# in the file are sane.
#
0	ubelong		0x0a0d0d0a
>8	ubelong		0x1a2b3c4d	pcap-ng capture file
>>12	beshort		x		- version %d
>>14	beshort		x		\b.%d
0	ulelong		0x0a0d0d0a
>8	ulelong		0x1a2b3c4d	pcap-ng capture file
>>12	leshort		x		- version %d
>>14	leshort		x		\b.%d

#
# AIX "iptrace" capture files.
#
# Two fixed 11-byte signatures ("iptrace 1.0" / "iptrace 2.0") at
# offset 0; no header fields are printed for either.
#
0	string		iptrace\ 1.0	"iptrace" capture file
0	string		iptrace\ 2.0	"iptrace" capture file

#
# Novell LANalyzer capture files.
#
# Only a 16-bit little-endian value (0x1001 or 0x1007) at offset 0 is
# tested, so this is a weak signature: roughly one in 32768 arbitrary
# files will match one of the two values.  Treat a LANalyzer
# identification from this entry alone as low confidence.
#
0	leshort		0x1001		LANalyzer capture file
0	leshort		0x1007		LANalyzer capture file

#
# HP-UX "nettl" capture files.
#
# 5-byte signature "TR\0d\0" at offset 0, written as hex escapes because
# it contains NUL bytes.  No header fields are printed.
#
0	string		\x54\x52\x00\x64\x00	"nettl" capture file

#
# RADCOM WAN/LAN Analyzer capture files.
#
# 8-byte binary signature at offset 0; no header fields are printed.
#
0	string		\x42\xd2\x00\x34\x12\x66\x22\x88	RADCOM WAN/LAN Analyzer capture file

#
# NetStumbler log files.  Not really packets, per se, but about as
# close as you can get.  These are log files from NetStumbler, a
# Windows program, that scans for 802.11b networks.
#
# 4-byte signature "NetS" at offset 0.  The station count at offset 8
# is a signed 32-bit little-endian value echoed from the file; a bogus
# or corrupted file can print any number here, including negatives.
#
0	string		NetS		NetStumbler log file
>8	lelong		x		\b, %d stations found

#
# EtherPeek/AiroPeek "version 9" capture files.
#
# 4-byte signature: a DEL byte (\177, 0x7f) followed by "ver".  No
# header fields are printed.
#
0	string		\177ver		EtherPeek/AiroPeek capture file

#
# Visual Networks traffic capture files.
#
# 4-byte signature: 0x05 followed by "VNF".  No header fields are
# printed.
#
0	string		\x05VNF		Visual Networks traffic capture file

#
# Network Instruments Observer capture files.
#
# 16-byte ASCII signature "ObserverPktBuffe" at offset 0 (the string is
# matched exactly as written, without a trailing "r").  No header fields
# are printed.
#
0	string		ObserverPktBuffe	Network Instruments Observer capture file

#
# Files from Accellent Group's 5View products.
#
# The signature is four 0xaa bytes at offset 0 and nothing else is
# checked.  0xaa is a common fill/test pattern, so this entry is prone
# to false positives on unrelated binary data; treat a "5View" result
# as low confidence unless corroborated.
#
0	string		\xaa\xaa\xaa\xaa	5View capture file

316