sniffer revision 80588

#------------------------------------------------------------------------------
# sniffer:  file(1) magic for packet capture files
#
# From: guy@alum.mit.edu (Guy Harris)
#

#
# Microsoft Network Monitor 1.x capture files.
#
0	string		RTSS		NetMon capture file
>4	byte		x		- version %d
>5	byte		x		\b.%d
>6	leshort		0		(Unknown)
>6	leshort		1		(Ethernet)
>6	leshort		2		(Token Ring)
>6	leshort		3		(FDDI)

#
# Microsoft Network Monitor 2.x capture files.
#
0	string		GMBU		NetMon capture file
>4	byte		x		- version %d
>5	byte		x		\b.%d
>6	leshort		0		(Unknown)
>6	leshort		1		(Ethernet)
>6	leshort		2		(Token Ring)
>6	leshort		3		(FDDI)

#
# Network General Sniffer capture files.
# Sorry, make that "Network Associates Sniffer capture files."
#
0	string		TRSNIFF\ data\ \ \ \ \032	Sniffer capture file
>33	byte		2		(compressed)
>23	leshort		x		- version %d
>25	leshort		x		\b.%d
>32	byte		0		(Token Ring)
>32	byte		1		(Ethernet)
>32	byte		2		(ARCNET)
>32	byte		3		(StarLAN)
>32	byte		4		(PC Network broadband)
>32	byte		5		(LocalTalk)
>32	byte		6		(Znet)
>32	byte		7		(Internetwork Analyzer)
>32	byte		9		(FDDI)
>32	byte		10		(ATM)

#
# Cinco Networks NetXRay capture files.
# Sorry, make that "Network General Sniffer Basic capture files."
# Sorry, make that "Network Associates Sniffer Basic capture files."
# Sorry, make that "Network Associates Sniffer Basic, and Windows
# Sniffer Pro" capture files.
#
0	string		XCP\0		NetXRay capture file
>4	string		>\0		- version %s
>44	leshort		0		(Ethernet)
>44	leshort		1		(Token Ring)
>44	leshort		2		(FDDI)

#
# "libpcap" capture files.
# (We call them "tcpdump capture file(s)" for now, as "tcpdump" is
# the main program that uses that format, but there are other programs
# that use "libpcap", or that use the same capture file format.)
#
# The same magic is matched twice, once per byte order, so that the
# version, snapshot length and link-type fields are read with the right
# endianness.  The link-type entries deliberately leave their parenthesis
# open; the "capture length" line at the end closes it.
#
0	ubelong		0xa1b2c3d4	tcpdump capture file (big-endian)
>4	beshort		x		- version %d
>6	beshort		x		\b.%d
>20	belong		0		(No link-layer encapsulation
>20	belong		1		(Ethernet
>20	belong		2		(3Mb Ethernet
>20	belong		3		(AX.25
>20	belong		4		(ProNET
>20	belong		5		(CHAOS
>20	belong		6		(Token Ring
>20	belong		7		(ARCNET
>20	belong		8		(SLIP
>20	belong		9		(PPP
>20	belong		10		(FDDI
>20	belong		11		(RFC 1483 ATM
>20	belong		12		(raw IP
>20	belong		13		(BSD/OS SLIP
>20	belong		14		(BSD/OS PPP
>20	belong		50		(PPP or Cisco HDLC
>20	belong		100		(RFC 1483 ATM
>20	belong		101		(raw IP
>20	belong		102		(BSD/OS SLIP
>20	belong		103		(BSD/OS PPP
>20	belong		104		(BSD/OS Cisco HDLC
>20	belong		105		(Linux Classical IP over ATM
>20	belong		108		(OpenBSD loopback
>20	belong		109		(OpenBSD IPSEC encrypted
>20	belong		113		(Linux "cooked"
>16	belong		x		\b, capture length %d)
0	ulelong		0xa1b2c3d4	tcpdump capture file (little-endian)
>4	leshort		x		- version %d
>6	leshort		x		\b.%d
>20	lelong		0		(No link-layer encapsulation
>20	lelong		1		(Ethernet
>20	lelong		2		(3Mb Ethernet
>20	lelong		3		(AX.25
>20	lelong		4		(ProNET
>20	lelong		5		(CHAOS
>20	lelong		6		(Token Ring
>20	lelong		7		(ARCNET
>20	lelong		8		(SLIP
>20	lelong		9		(PPP
>20	lelong		10		(FDDI
>20	lelong		11		(RFC 1483 ATM
>20	lelong		12		(raw IP
>20	lelong		13		(BSD/OS SLIP
>20	lelong		14		(BSD/OS PPP
>20	lelong		50		(PPP or Cisco HDLC
>20	lelong		100		(RFC 1483 ATM
>20	lelong		101		(raw IP
>20	lelong		102		(BSD/OS SLIP
>20	lelong		103		(BSD/OS PPP
>20	lelong		104		(BSD/OS Cisco HDLC
>20	lelong		105		(Linux Classical IP over ATM
>20	lelong		108		(OpenBSD loopback
>20	lelong		109		(OpenBSD IPSEC encrypted
>20	lelong		113		(Linux "cooked"
>16	lelong		x		\b, capture length %d)

#
# "libpcap"-with-Alexey-Kuznetsov's-patches capture files.
# (We call them "tcpdump capture file(s)" for now, as "tcpdump" is
# the main program that uses that format, but there are other programs
# that use "libpcap", or that use the same capture file format.)
#
0	ubelong		0xa1b2cd34	extended tcpdump capture file (big-endian)
>4	beshort		x		- version %d
>6	beshort		x		\b.%d
>20	belong		0		(No link-layer encapsulation
>20	belong		1		(Ethernet
>20	belong		2		(3Mb Ethernet
>20	belong		3		(AX.25
>20	belong		4		(ProNET
>20	belong		5		(CHAOS
>20	belong		6		(Token Ring
>20	belong		7		(ARCNET
>20	belong		8		(SLIP
>20	belong		9		(PPP
>20	belong		10		(FDDI
>20	belong		11		(RFC 1483 ATM
>20	belong		12		(raw IP
>20	belong		13		(BSD/OS SLIP
>20	belong		14		(BSD/OS PPP
>16	belong		x		\b, capture length %d)
0	ulelong		0xa1b2cd34	extended tcpdump capture file (little-endian)
>4	leshort		x		- version %d
>6	leshort		x		\b.%d
>20	lelong		0		(No link-layer encapsulation
>20	lelong		1		(Ethernet
>20	lelong		2		(3Mb Ethernet
>20	lelong		3		(AX.25
>20	lelong		4		(ProNET
>20	lelong		5		(CHAOS
>20	lelong		6		(Token Ring
>20	lelong		7		(ARCNET
>20	lelong		8		(SLIP
>20	lelong		9		(PPP
>20	lelong		10		(FDDI
>20	lelong		11		(RFC 1483 ATM
>20	lelong		12		(raw IP
>20	lelong		13		(BSD/OS SLIP
>20	lelong		14		(BSD/OS PPP
>16	lelong		x		\b, capture length %d)

#
# AIX "iptrace" capture files.
#
0	string		iptrace\ 2.0	"iptrace" capture file

#
# Novell LANalyzer capture files.
#
0	leshort		0x1001		LANalyzer capture file
0	leshort		0x1007		LANalyzer capture file

#
# HP-UX "nettl" capture files.
#
0	string		\x54\x52\x00\x64\x00	"nettl" capture file

#
# RADCOM WAN/LAN Analyzer capture files.
#
0	string		\x42\xd2\x00\x34\x12\x66\x22\x88	RADCOM WAN/LAN Analyzer capture file
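The libpcap entries above (magic 0xa1b2c3d4, and 0xa1b2cd34 for the Alexey Kuznetsov extended variant) read the global header at fixed offsets: the magic at 0, major and minor version at 4 and 6, snapshot length at 16 and link type at 20, with the byte order inferred from which spelling of the magic matches. The Python below is an added example, not part of this magic file or of file(1): it reproduces that identification, then does what file(1) never does and walks the packet records, checking each record's stored length against the snapshot length and against the bytes actually left in the file. The sample captures, the `make_sample` helper and the strict rejection policy are this example's own constructions, not libpcap's behaviour; the link-type table is copied from the entries above.

```python
"""Identify a libpcap capture from its global header and walk its records safely."""
import struct

# Offsets the magic entries above read: magic@0, major@4, minor@6, snaplen@16, linktype@20.
GLOBAL_HEADER_LEN = 24
RECORD_HEADER_LEN = 16  # ts_sec, ts_usec, incl_len, orig_len

MAGICS = {
    0xA1B2C3D4: "tcpdump capture file",
    0xA1B2CD34: "extended tcpdump capture file",  # Alexey Kuznetsov's patched libpcap
}

# Link-type names exactly as the magic entries label them.
LINKTYPES = {
    0: "No link-layer encapsulation", 1: "Ethernet", 2: "3Mb Ethernet", 3: "AX.25",
    4: "ProNET", 5: "CHAOS", 6: "Token Ring", 7: "ARCNET", 8: "SLIP", 9: "PPP",
    10: "FDDI", 11: "RFC 1483 ATM", 12: "raw IP", 13: "BSD/OS SLIP", 14: "BSD/OS PPP",
    50: "PPP or Cisco HDLC", 100: "RFC 1483 ATM", 101: "raw IP", 102: "BSD/OS SLIP",
    103: "BSD/OS PPP", 104: "BSD/OS Cisco HDLC", 105: "Linux Classical IP over ATM",
    108: "OpenBSD loopback", 109: "OpenBSD IPSEC encrypted", 113: 'Linux "cooked"',
}


def parse_global_header(data):
    """Return (endian, kind, major, minor, snaplen, linktype) or raise ValueError."""
    if len(data) < GLOBAL_HEADER_LEN:
        raise ValueError("shorter than the 24-byte pcap global header")
    # Try both byte orders, exactly as the ubelong/ulelong entry pair does.
    for endian in (">", "<"):
        magic = struct.unpack(endian + "I", data[:4])[0]
        if magic in MAGICS:
            break
    else:
        raise ValueError("not a libpcap capture, first bytes %s" % data[:4].hex())
    major, minor = struct.unpack(endian + "HH", data[4:8])
    snaplen, linktype = struct.unpack(endian + "II", data[16:24])
    return endian, MAGICS[magic], major, minor, snaplen, linktype


def describe(data):
    """Build the one-line description the magic entries above make file(1) print."""
    endian, kind, major, minor, snaplen, linktype = parse_global_header(data)
    order = "big-endian" if endian == ">" else "little-endian"
    # The magic entries print nothing for an unknown link type; we print its number.
    link = LINKTYPES.get(linktype, "linktype %d" % linktype)
    return "%s (%s) - version %d.%d (%s, capture length %d)" % (
        kind, order, major, minor, link, snaplen)


def iter_records(data):
    """Yield (ts_sec, ts_usec, orig_len, payload) for each packet record.

    incl_len is attacker-controlled file content.  A parser that trusts it can be
    made to over-read or to allocate gigabytes from a tiny file, so it is bounded by
    both the header's snaplen and the bytes that are actually left (strict policy
    chosen for this example)."""
    endian, _, _, _, snaplen, _ = parse_global_header(data)
    off = GLOBAL_HEADER_LEN
    while off < len(data):
        if len(data) - off < RECORD_HEADER_LEN:
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(
            endian + "IIII", data[off:off + RECORD_HEADER_LEN])
        off += RECORD_HEADER_LEN
        if incl_len > snaplen:
            raise ValueError("record at offset %d: incl_len %d exceeds snaplen %d"
                             % (off - RECORD_HEADER_LEN, incl_len, snaplen))
        if incl_len > len(data) - off:
            raise ValueError("record at offset %d runs past end of file"
                             % (off - RECORD_HEADER_LEN))
        yield ts_sec, ts_usec, orig_len, data[off:off + incl_len]
        off += incl_len


def make_sample(endian, magic, linktype, payloads, snaplen=65535):
    """Constructed test input: global header (version 2.4) plus one record per payload."""
    header = struct.pack(endian + "IHHiIII", magic, 2, 4, 0, 0, snaplen, linktype)
    records = b""
    for i, payload in enumerate(payloads):
        records += struct.pack(endian + "IIII", 1000000 + i, 0, len(payload), len(payload))
        records += payload
    return header + records


# Constructed samples: a broadcast Ethernet frame carrying an IPv4 ethertype, and an
# extended-magic big-endian capture with Linux "cooked" link type.
ETH_FRAME = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00" + b"\x45" + b"\x00" * 19
SAMPLE_LE = make_sample("<", 0xA1B2C3D4, 1, [ETH_FRAME])
SAMPLE_BE_EXT = make_sample(">", 0xA1B2CD34, 113, [b"\x00" * 16, b"\x01" * 8])

# Same file with the first record's incl_len overwritten with 0xFFFFFFFF.
MALFORMED = bytearray(SAMPLE_LE)
struct.pack_into("<I", MALFORMED, GLOBAL_HEADER_LEN + 8, 0xFFFFFFFF)
MALFORMED = bytes(MALFORMED)

if __name__ == "__main__":
    for sample in (SAMPLE_LE, SAMPLE_BE_EXT):
        print(describe(sample), "-", len(list(iter_records(sample))), "record(s)")
```

On a real file, `describe(open(path, "rb").read())` gives the same text file(1) prints from these entries. Note that only the two classic magics are covered here, as in this revision of the magic file: a nanosecond-resolution pcap (magic 0xa1b23c4d) or a pcapng file (starting with the block type 0x0a0d0d0a) is rejected by this parser and is not labelled by a file(1) built from these entries alone.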