sniffer revision 80588 
1
2#------------------------------------------------------------------------------
3# sniffer:  file(1) magic for packet capture files
4#
5# From: guy@alum.mit.edu (Guy Harris)
6#
7
8#
9# Microsoft Network Monitor 1.x capture files.
10#
110	string		RTSS		NetMon capture file
12>4	byte		x		- version %d
13>5	byte		x		\b.%d
14>6	leshort		0		(Unknown)
15>6	leshort		1		(Ethernet)
16>6	leshort		2		(Token Ring)
17>6	leshort		3		(FDDI)
18
19#
20# Microsoft Network Monitor 2.x capture files.
21#
220	string		GMBU		NetMon capture file
23>4	byte		x		- version %d
24>5	byte		x		\b.%d
25>6	leshort		0		(Unknown)
26>6	leshort		1		(Ethernet)
27>6	leshort		2		(Token Ring)
28>6	leshort		3		(FDDI)
29
30#
31# Network General Sniffer capture files.
32# Sorry, make that "Network Associates Sniffer capture files."
33#
340	string		TRSNIFF\ data\ \ \ \ \032	Sniffer capture file
35>33	byte		2		(compressed)
36>23	leshort		x		- version %d
37>25	leshort		x		\b.%d
38>32	byte		0		(Token Ring)
39>32	byte		1		(Ethernet)
40>32	byte		2		(ARCNET)
41>32	byte		3		(StarLAN)
42>32	byte		4		(PC Network broadband)
43>32	byte		5		(LocalTalk)
44>32	byte		6		(Znet)
45>32	byte		7		(Internetwork Analyzer)
46>32	byte		9		(FDDI)
47>32	byte		10		(ATM)
48
49#
50# Cinco Networks NetXRay capture files.
51# Sorry, make that "Network General Sniffer Basic capture files."
52# Sorry, make that "Network Associates Sniffer Basic capture files."
53# Sorry, make that "Network Associates Sniffer Basic, and Windows
54# Sniffer Pro", capture files."
55#
560	string		XCP\0		NetXRay capture file
57>4	string		>\0		- version %s
58>44	leshort		0		(Ethernet)
59>44	leshort		1		(Token Ring)
60>44	leshort		2		(FDDI)
61
62#
63# "libpcap" capture files.
64# (We call them "tcpdump capture file(s)" for now, as "tcpdump" is
65# the main program that uses that format, but there are other programs
66# that use "libpcap", or that use the same capture file format.)
67#
680	ubelong		0xa1b2c3d4	tcpdump capture file (big-endian)
69>4	beshort		x		- version %d
70>6	beshort		x		\b.%d
71>20	belong		0		(No link-layer encapsulation
72>20	belong		1		(Ethernet
73>20	belong		2		(3Mb Ethernet
74>20	belong		3		(AX.25
75>20	belong		4		(ProNET
76>20	belong		5		(CHAOS
77>20	belong		6		(Token Ring
78>20	belong		7		(ARCNET
79>20	belong		8		(SLIP
80>20	belong		9		(PPP
81>20	belong		10		(FDDI
82>20	belong		11		(RFC 1483 ATM
83>20	belong		12		(raw IP
84>20	belong		13		(BSD/OS SLIP
85>20	belong		14		(BSD/OS PPP
86>20	belong		50		(PPP or Cisco HDLC
87>20	belong		100		(RFC 1483 ATM
88>20	belong		101		(raw IP
89>20	belong		102		(BSD/OS SLIP
90>20	belong		103		(BSD/OS PPP
91>20	belong		104		(BSD/OS Cisco HDLC
92>20	belong		105		(Linux Classical IP over ATM
93>20	belong		108		(OpenBSD loopback
94>20	belong		109		(OpenBSD IPSEC encrypted
95>20	belong		113		(Linux "cooked"
96>16	belong		x		\b, capture length %d)
970	ulelong		0xa1b2c3d4	tcpdump capture file (little-endian)
98>4	leshort		x		- version %d
99>6	leshort		x		\b.%d
100>20	lelong		0		(No link-layer encapsulation
101>20	lelong		1		(Ethernet
102>20	lelong		2		(3Mb Ethernet
103>20	lelong		3		(AX.25
104>20	lelong		4		(ProNET
105>20	lelong		5		(CHAOS
106>20	lelong		6		(Token Ring
107>20	lelong		7		(ARCNET
108>20	lelong		8		(SLIP
109>20	lelong		9		(PPP
110>20	lelong		10		(FDDI
111>20	lelong		11		(RFC 1483 ATM
112>20	lelong		12		(raw IP
113>20	lelong		13		(BSD/OS SLIP
114>20	lelong		14		(BSD/OS PPP
115>20	lelong		50		(PPP or Cisco HDLC
116>20	lelong		100		(RFC 1483 ATM
117>20	lelong		101		(raw IP
118>20	lelong		102		(BSD/OS SLIP
119>20	lelong		103		(BSD/OS PPP
120>20	lelong		104		(BSD/OS Cisco HDLC
121>20	lelong		105		(Linux Classical IP over ATM
122>20	lelong		108		(OpenBSD loopback
123>20	lelong		109		(OpenBSD IPSEC encrypted
124>20	lelong		113		(Linux "cooked"
125>16	lelong		x		\b, capture length %d)
126
127#
128# "libpcap"-with-Alexey-Kuznetsov's-patches capture files.
129# (We call them "tcpdump capture file(s)" for now, as "tcpdump" is
130# the main program that uses that format, but there are other programs
131# that use "libpcap", or that use the same capture file format.)
132#
1330	ubelong		0xa1b2cd34	extended tcpdump capture file (big-endian)
134>4	beshort		x		- version %d
135>6	beshort		x		\b.%d
136>20	belong		0		(No link-layer encapsulation
137>20	belong		1		(Ethernet
138>20	belong		2		(3Mb Ethernet
139>20	belong		3		(AX.25
140>20	belong		4		(ProNET
141>20	belong		5		(CHAOS
142>20	belong		6		(Token Ring
143>20	belong		7		(ARCNET
144>20	belong		8		(SLIP
145>20	belong		9		(PPP
146>20	belong		10		(FDDI
147>20	belong		11		(RFC 1483 ATM
148>20	belong		12		(raw IP
149>20	belong		13		(BSD/OS SLIP
150>20	belong		14		(BSD/OS PPP
151>16	belong		x		\b, capture length %d)
1520	ulelong		0xa1b2cd34	extended tcpdump capture file (little-endian)
153>4	leshort		x		- version %d
154>6	leshort		x		\b.%d
155>20	lelong		0		(No link-layer encapsulation
156>20	lelong		1		(Ethernet
157>20	lelong		2		(3Mb Ethernet
158>20	lelong		3		(AX.25
159>20	lelong		4		(ProNET
160>20	lelong		5		(CHAOS
161>20	lelong		6		(Token Ring
162>20	lelong		7		(ARCNET
163>20	lelong		8		(SLIP
164>20	lelong		9		(PPP
165>20	lelong		10		(FDDI
166>20	lelong		11		(RFC 1483 ATM
167>20	lelong		12		(raw IP
168>20	lelong		13		(BSD/OS SLIP
169>20	lelong		14		(BSD/OS PPP
170>16	lelong		x		\b, capture length %d)
171
172#
173# AIX "iptrace" capture files.
174#
1750	string		iptrace\ 2.0	"iptrace" capture file
176
177#
178# Novell LANalyzer capture files.
179#
1800	leshort		0x1001		LANalyzer capture file
1810	leshort		0x1007		LANalyzer capture file
182
183#
184# HP-UX "nettl" capture files.
185#
1860	string		\x54\x52\x00\x64\x00	"nettl" capture file
187
188#
189# RADCOM WAN/LAN Analyzer capture files.
190#
1910	string		\x42\xd2\x00\x34\x12\x66\x22\x88	RADCOM WAN/LAN Analyzer capture file
192