sniffer revision 226048

#------------------------------------------------------------------------------
# $File: sniffer,v 1.18 2011/08/08 08:49:27 christos Exp $
# sniffer:  file(1) magic for packet capture files
#
# From: guy@alum.mit.edu (Guy Harris)
#

#
# Microsoft Network Monitor 1.x capture files.
#
0	string	RTSS		NetMon capture file
>5	byte	x		- version %d
>4	byte	x		\b.%d
>6	leshort	0		(Unknown)
>6	leshort	1		(Ethernet)
>6	leshort	2		(Token Ring)
>6	leshort	3		(FDDI)
>6	leshort	4		(ATM)

#
# Microsoft Network Monitor 2.x capture files.
#
0	string	GMBU		NetMon capture file
>5	byte	x		- version %d
>4	byte	x		\b.%d
>6	leshort	0		(Unknown)
>6	leshort	1		(Ethernet)
>6	leshort	2		(Token Ring)
>6	leshort	3		(FDDI)
>6	leshort	4		(ATM)

#
# Network General Sniffer capture files.
# Sorry, make that "Network Associates Sniffer capture files."
# Sorry, make that "Network General old DOS Sniffer capture files."
#
0	string	TRSNIFF\ data\ \ \ \ \032	Sniffer capture file
>33	byte	2		(compressed)
>23	leshort	x		- version %d
>25	leshort	x		\b.%d
>32	byte	0		(Token Ring)
>32	byte	1		(Ethernet)
>32	byte	2		(ARCNET)
>32	byte	3		(StarLAN)
>32	byte	4		(PC Network broadband)
>32	byte	5		(LocalTalk)
>32	byte	6		(Znet)
>32	byte	7		(Internetwork Analyzer)
>32	byte	9		(FDDI)
>32	byte	10		(ATM)

#
# Cinco Networks NetXRay capture files.
# Sorry, make that "Network General Sniffer Basic capture files."
# Sorry, make that "Network Associates Sniffer Basic capture files."
# Sorry, make that "Network Associates Sniffer Basic, and Windows
# Sniffer Pro", capture files."
# Sorry, make that "Network General Sniffer capture files."
#
0	string	XCP\0		NetXRay capture file
>4	string	>\0		- version %s
>44	leshort	0		(Ethernet)
>44	leshort	1		(Token Ring)
>44	leshort	2		(FDDI)
>44	leshort	3		(WAN)
>44	leshort	8		(ATM)
>44	leshort	9		(802.11)

#
# "libpcap" capture files.
# (We call them "tcpdump capture file(s)" for now, as "tcpdump" is
# the main program that uses that format, but there are other programs
# that use "libpcap", or that use the same capture file format.)
#
0	ubelong	0xa1b2c3d4	tcpdump capture file (big-endian)
!:mime	application/vnd.tcpdump.pcap
>4	beshort	x		- version %d
>6	beshort	x		\b.%d
>20	belong	0		(No link-layer encapsulation
>20	belong	1		(Ethernet
>20	belong	2		(3Mb Ethernet
>20	belong	3		(AX.25
>20	belong	4		(ProNET
>20	belong	5		(CHAOS
>20	belong	6		(Token Ring
>20	belong	7		(BSD ARCNET
>20	belong	8		(SLIP
>20	belong	9		(PPP
>20	belong	10		(FDDI
>20	belong	11		(RFC 1483 ATM
>20	belong	12		(raw IP
>20	belong	13		(BSD/OS SLIP
>20	belong	14		(BSD/OS PPP
>20	belong	19		(Linux ATM Classical IP
>20	belong	50		(PPP or Cisco HDLC
>20	belong	51		(PPP-over-Ethernet
>20	belong	99		(Symantec Enterprise Firewall
>20	belong	100		(RFC 1483 ATM
>20	belong	101		(raw IP
>20	belong	102		(BSD/OS SLIP
>20	belong	103		(BSD/OS PPP
>20	belong	104		(BSD/OS Cisco HDLC
>20	belong	105		(802.11
>20	belong	106		(Linux Classical IP over ATM
>20	belong	107		(Frame Relay
>20	belong	108		(OpenBSD loopback
>20	belong	109		(OpenBSD IPsec encrypted
>20	belong	112		(Cisco HDLC
>20	belong	113		(Linux "cooked"
>20	belong	114		(LocalTalk
>20	belong	117		(OpenBSD PFLOG
>20	belong	119		(802.11 with Prism header
>20	belong	122		(RFC 2625 IP over Fibre Channel
>20	belong	123		(SunATM
>20	belong	127		(802.11 with radiotap header
>20	belong	129		(Linux ARCNET
>20	belong	138		(Apple IP over IEEE 1394
>20	belong	140		(MTP2
>20	belong	141		(MTP3
>20	belong	143		(DOCSIS
>20	belong	144		(IrDA
>20	belong	147		(Private use 0
>20	belong	148		(Private use 1
>20	belong	149		(Private use 2
>20	belong	150		(Private use 3
>20	belong	151		(Private use 4
>20	belong	152		(Private use 5
>20	belong	153		(Private use 6
>20	belong	154		(Private use 7
>20	belong	155		(Private use 8
>20	belong	156		(Private use 9
>20	belong	157		(Private use 10
>20	belong	158		(Private use 11
>20	belong	159		(Private use 12
>20	belong	160		(Private use 13
>20	belong	161		(Private use 14
>20	belong	162		(Private use 15
>20	belong	163		(802.11 with AVS header
>16	belong	x		\b, capture length %d)
0	ulelong	0xa1b2c3d4	tcpdump capture file (little-endian)
!:mime	application/vnd.tcpdump.pcap
>4	leshort	x		- version %d
>6	leshort	x		\b.%d
>20	lelong	0		(No link-layer encapsulation
>20	lelong	1		(Ethernet
>20	lelong	2		(3Mb Ethernet
>20	lelong	3		(AX.25
>20	lelong	4		(ProNET
>20	lelong	5		(CHAOS
>20	lelong	6		(Token Ring
>20	lelong	7		(ARCNET
>20	lelong	8		(SLIP
>20	lelong	9		(PPP
>20	lelong	10		(FDDI
>20	lelong	11		(RFC 1483 ATM
>20	lelong	12		(raw IP
>20	lelong	13		(BSD/OS SLIP
>20	lelong	14		(BSD/OS PPP
>20	lelong	19		(Linux ATM Classical IP
>20	lelong	50		(PPP or Cisco HDLC
>20	lelong	51		(PPP-over-Ethernet
>20	lelong	99		(Symantec Enterprise Firewall
>20	lelong	100		(RFC 1483 ATM
>20	lelong	101		(raw IP
>20	lelong	102		(BSD/OS SLIP
>20	lelong	103		(BSD/OS PPP
>20	lelong	104		(BSD/OS Cisco HDLC
>20	lelong	105		(802.11
>20	lelong	106		(Linux Classical IP over ATM
>20	lelong	107		(Frame Relay
>20	lelong	108		(OpenBSD loopback
>20	lelong	109		(OpenBSD IPsec encrypted
>20	lelong	112		(Cisco HDLC
>20	lelong	113		(Linux "cooked"
>20	lelong	114		(LocalTalk
>20	lelong	117		(OpenBSD PFLOG
>20	lelong	119		(802.11 with Prism header
>20	lelong	122		(RFC 2625 IP over Fibre Channel
>20	lelong	123		(SunATM
>20	lelong	127		(802.11 with radiotap header
>20	lelong	129		(Linux ARCNET
>20	lelong	138		(Apple IP over IEEE 1394
>20	lelong	140		(MTP2
>20	lelong	141		(MTP3
>20	lelong	143		(DOCSIS
>20	lelong	144		(IrDA
>20	lelong	147		(Private use 0
>20	lelong	148		(Private use 1
>20	lelong	149		(Private use 2
>20	lelong	150		(Private use 3
>20	lelong	151		(Private use 4
>20	lelong	152		(Private use 5
>20	lelong	153		(Private use 6
>20	lelong	154		(Private use 7
>20	lelong	155		(Private use 8
>20	lelong	156		(Private use 9
>20	lelong	157		(Private use 10
>20	lelong	158		(Private use 11
>20	lelong	159		(Private use 12
>20	lelong	160		(Private use 13
>20	lelong	161		(Private use 14
>20	lelong	162		(Private use 15
>20	lelong	163		(802.11 with AVS header
>16	lelong	x		\b, capture length %d)

#
# "libpcap"-with-Alexey-Kuznetsov's-patches capture files.
# (We call them "tcpdump capture file(s)" for now, as "tcpdump" is
# the main program that uses that format, but there are other programs
# that use "libpcap", or that use the same capture file format.)
#
0	ubelong	0xa1b2cd34	extended tcpdump capture file (big-endian)
>4	beshort	x		- version %d
>6	beshort	x		\b.%d
>20	belong	0		(No link-layer encapsulation
>20	belong	1		(Ethernet
>20	belong	2		(3Mb Ethernet
>20	belong	3		(AX.25
>20	belong	4		(ProNET
>20	belong	5		(CHAOS
>20	belong	6		(Token Ring
>20	belong	7		(ARCNET
>20	belong	8		(SLIP
>20	belong	9		(PPP
>20	belong	10		(FDDI
>20	belong	11		(RFC 1483 ATM
>20	belong	12		(raw IP
>20	belong	13		(BSD/OS SLIP
>20	belong	14		(BSD/OS PPP
>16	belong	x		\b, capture length %d)
0	ulelong	0xa1b2cd34	extended tcpdump capture file (little-endian)
>4	leshort	x		- version %d
>6	leshort	x		\b.%d
>20	lelong	0		(No link-layer encapsulation
>20	lelong	1		(Ethernet
>20	lelong	2		(3Mb Ethernet
>20	lelong	3		(AX.25
>20	lelong	4		(ProNET
>20	lelong	5		(CHAOS
>20	lelong	6		(Token Ring
>20	lelong	7		(ARCNET
>20	lelong	8		(SLIP
>20	lelong	9		(PPP
>20	lelong	10		(FDDI
>20	lelong	11		(RFC 1483 ATM
>20	lelong	12		(raw IP
>20	lelong	13		(BSD/OS SLIP
>20	lelong	14		(BSD/OS PPP
>16	lelong	x		\b, capture length %d)

#
# "pcap-ng" capture files.
# http://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html
# Pcap-ng files can contain multiple sections. Printing the endianness,
# snaplen, or other information from the first SHB may be misleading.
#
0	ubelong	0x0a0d0d0a
>8	ubelong	0x1a2b3c4d	pcap-ng capture file
>>12	beshort	x		- version %d
>>14	beshort	x		\b.%d
0	ulelong	0x0a0d0d0a
>8	ulelong	0x1a2b3c4d	pcap-ng capture file
>>12	leshort	x		- version %d
>>14	leshort	x		\b.%d

#
# AIX "iptrace" capture files.
#
0	string	iptrace\ 1.0	"iptrace" capture file
0	string	iptrace\ 2.0	"iptrace" capture file

#
# Novell LANalyzer capture files.
#
0	leshort	0x1001		LANalyzer capture file
0	leshort	0x1007		LANalyzer capture file

#
# HP-UX "nettl" capture files.
#
0	string	\x54\x52\x00\x64\x00	"nettl" capture file

#
# RADCOM WAN/LAN Analyzer capture files.
#
0	string	\x42\xd2\x00\x34\x12\x66\x22\x88	RADCOM WAN/LAN Analyzer capture file

#
# NetStumbler log files.  Not really packets, per se, but about as
# close as you can get.  These are log files from NetStumbler, a
# Windows program, that scans for 802.11b networks.
#
0	string	NetS		NetStumbler log file
>8	lelong	x		\b, %d stations found

#
# EtherPeek/AiroPeek "version 9" capture files.
#
0	string	\177ver		EtherPeek/AiroPeek capture file

#
# Visual Networks traffic capture files.
#
0	string	\x05VNF		Visual Networks traffic capture file

#
# Network Instruments Observer capture files.
#
0	string	ObserverPktBuffe	Network Instruments Observer capture file

#
# Files from Accellent Group's 5View products.
#
0	string	\xaa\xaa\xaa\xaa	5View capture file
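As an added example, not part of file(1) or its magic database, the Python script below applies the same header tests the magic above describes (both libpcap byte orders, the Kuznetsov-patched variant, the pcap-ng Section Header Block, NetMon 1.x/2.x, NetStumbler and the fixed-string formats) to an in-memory buffer and returns a file(1)-style description. The link-type table is a subset of the one in the magic, the sample headers are constructed here rather than taken from real captures, and `identify` is a hypothetical helper name. Like file(1), it looks only at the leading bytes, so a match says what a file claims to be, not that its record stream is well formed; anything that goes on to parse packets still has to validate every length field.

```python
"""Identify packet-capture files by their leading magic, mirroring the
file(1) "sniffer" magic (added example; not code from file(1) itself)."""
import struct

PCAP_MAGIC = 0xA1B2C3D4             # classic libpcap
PCAP_KUZNETSOV_MAGIC = 0xA1B2CD34   # libpcap with Alexey Kuznetsov's patches
PCAPNG_SHB_TYPE = 0x0A0D0D0A        # Section Header Block; same bytes in either order
PCAPNG_BYTE_ORDER_MAGIC = 0x1A2B3C4D

# Subset of the link-layer (DLT_) values listed in the magic.
LINKTYPES = {
    0: "No link-layer encapsulation", 1: "Ethernet", 6: "Token Ring",
    8: "SLIP", 9: "PPP", 10: "FDDI", 12: "raw IP", 101: "raw IP",
    105: "802.11", 113: 'Linux "cooked"', 117: "OpenBSD PFLOG",
    127: "802.11 with radiotap header", 143: "DOCSIS",
}
NETMON_NETTYPES = {0: "Unknown", 1: "Ethernet", 2: "Token Ring", 3: "FDDI", 4: "ATM"}

# Fixed-string magics from the table above that carry no further fields.
STRING_MAGICS = [
    (b"iptrace 1.0", '"iptrace" capture file'),
    (b"iptrace 2.0", '"iptrace" capture file'),
    (b"\x54\x52\x00\x64\x00", '"nettl" capture file'),
    (b"\x42\xd2\x00\x34\x12\x66\x22\x88", "RADCOM WAN/LAN Analyzer capture file"),
    (b"\x7fver", "EtherPeek/AiroPeek capture file"),
    (b"\x05VNF", "Visual Networks traffic capture file"),
    (b"ObserverPktBuffe", "Network Instruments Observer capture file"),
    (b"\xaa\xaa\xaa\xaa", "5View capture file"),
]


def _pcap(data, endian, label):
    """Build the 'tcpdump capture file' line; offsets 4/6/16/20 as in the magic."""
    desc = label
    if len(data) >= 8:
        major, minor = struct.unpack(endian + "HH", data[4:8])
        desc += f" - version {major}.{minor}"
    if len(data) >= 24:
        snaplen, linktype = struct.unpack(endian + "II", data[16:24])
        # An unlisted linktype prints no name, so the closing ')' goes
        # unbalanced, exactly as the magic's unconditional '>16' line does.
        if linktype in LINKTYPES:
            desc += f" ({LINKTYPES[linktype]}"
        desc += f", capture length {snaplen})"
    return desc


def identify(data: bytes):
    """Return a file(1)-style description, or None when no magic matches."""
    if len(data) < 4:
        return None
    head = data[:4]
    for endian, order in (("<", "little-endian"), (">", "big-endian")):
        (magic,) = struct.unpack(endian + "I", head)
        if magic == PCAP_MAGIC:
            return _pcap(data, endian, f"tcpdump capture file ({order})")
        if magic == PCAP_KUZNETSOV_MAGIC:
            return _pcap(data, endian, f"extended tcpdump capture file ({order})")
    if struct.unpack(">I", head)[0] == PCAPNG_SHB_TYPE and len(data) >= 16:
        # The byte-order magic at offset 8 decides how to read the version.
        for endian in ("<", ">"):
            if struct.unpack(endian + "I", data[8:12])[0] == PCAPNG_BYTE_ORDER_MAGIC:
                major, minor = struct.unpack(endian + "HH", data[12:16])
                return f"pcap-ng capture file - version {major}.{minor}"
    if head in (b"RTSS", b"GMBU") and len(data) >= 8:
        # NetMon: minor version at byte 4, major at byte 5, nettype leshort at 6.
        nettype = struct.unpack("<H", data[6:8])[0]
        desc = f"NetMon capture file - version {data[5]}.{data[4]}"
        if nettype in NETMON_NETTYPES:
            desc += f" ({NETMON_NETTYPES[nettype]})"
        return desc
    if head == b"NetS" and len(data) >= 12:
        stations = struct.unpack("<i", data[8:12])[0]
        return f"NetStumbler log file, {stations} stations found"
    for prefix, label in STRING_MAGICS:
        if data.startswith(prefix):
            return label
    return None


# Constructed sample headers (not taken from real captures).
SAMPLE_PCAP_LE = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
SAMPLE_PCAP_BE = struct.pack(">IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 262144, 127)
SAMPLE_PCAP_KUZNETSOV_LE = struct.pack("<IHHiIII", PCAP_KUZNETSOV_MAGIC, 2, 4, 0, 0, 1500, 9)
SAMPLE_PCAP_UNKNOWN_LINKTYPE = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 100, 999)
SAMPLE_PCAPNG_LE = struct.pack("<IIIHHqI", PCAPNG_SHB_TYPE, 28, PCAPNG_BYTE_ORDER_MAGIC, 1, 0, -1, 28)
SAMPLE_NETMON1 = b"RTSS" + bytes([0, 1]) + struct.pack("<H", 1)
SAMPLE_NETSTUMBLER = b"NetS" + b"\0" * 4 + struct.pack("<i", 12)

if __name__ == "__main__":
    for name, blob in [("pcap LE", SAMPLE_PCAP_LE), ("pcap BE", SAMPLE_PCAP_BE),
                       ("pcap-ng", SAMPLE_PCAPNG_LE), ("NetMon", SAMPLE_NETMON1),
                       ("NetStumbler", SAMPLE_NETSTUMBLER)]:
        print(f"{name}: {identify(blob)}")
```

The unbalanced parenthesis on an unknown link type is kept on purpose: the magic prints `\b, capture length %d)` unconditionally, so a capture with a DLT value the table does not list produces exactly that output from file(1).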