sniffer revision 84685
#------------------------------------------------------------------------------
# sniffer:  file(1) magic for packet capture files
#
# From: guy@alum.mit.edu (Guy Harris)
#

#
# Microsoft Network Monitor 1.x capture files.
#
0	string	RTSS		NetMon capture file
>4	byte	x		- version %d
>5	byte	x		\b.%d
>6	leshort	0		(Unknown)
>6	leshort	1		(Ethernet)
>6	leshort	2		(Token Ring)
>6	leshort	3		(FDDI)

#
# Microsoft Network Monitor 2.x capture files.
#
0	string	GMBU		NetMon capture file
>4	byte	x		- version %d
>5	byte	x		\b.%d
>6	leshort	0		(Unknown)
>6	leshort	1		(Ethernet)
>6	leshort	2		(Token Ring)
>6	leshort	3		(FDDI)

#
# Network General Sniffer capture files.
# Sorry, make that "Network Associates Sniffer capture files."
#
0	string	TRSNIFF\ data\ \ \ \ \032	Sniffer capture file
>33	byte	2		(compressed)
>23	leshort	x		- version %d
>25	leshort	x		\b.%d
>32	byte	0		(Token Ring)
>32	byte	1		(Ethernet)
>32	byte	2		(ARCNET)
>32	byte	3		(StarLAN)
>32	byte	4		(PC Network broadband)
>32	byte	5		(LocalTalk)
>32	byte	6		(Znet)
>32	byte	7		(Internetwork Analyzer)
>32	byte	9		(FDDI)
>32	byte	10		(ATM)

#
# Cinco Networks NetXRay capture files.
# Sorry, make that "Network General Sniffer Basic capture files."
# Sorry, make that "Network Associates Sniffer Basic capture files."
# Sorry, make that "Network Associates Sniffer Basic, and Windows
# Sniffer Pro", capture files."
#
0	string	XCP\0		NetXRay capture file
>4	string	>\0		- version %s
>44	leshort	0		(Ethernet)
>44	leshort	1		(Token Ring)
>44	leshort	2		(FDDI)

#
# "libpcap" capture files.
# (We call them "tcpdump capture file(s)" for now, as "tcpdump" is
# the main program that uses that format, but there are other programs
# that use "libpcap", or that use the same capture file format.)
#
0	ubelong	0xa1b2c3d4	tcpdump capture file (big-endian)
>4	beshort	x		- version %d
>6	beshort	x		\b.%d
>20	belong	0		(No link-layer encapsulation
>20	belong	1		(Ethernet
>20	belong	2		(3Mb Ethernet
>20	belong	3		(AX.25
>20	belong	4		(ProNET
>20	belong	5		(CHAOS
>20	belong	6		(Token Ring
>20	belong	7		(ARCNET
>20	belong	8		(SLIP
>20	belong	9		(PPP
>20	belong	10		(FDDI
>20	belong	11		(RFC 1483 ATM
>20	belong	12		(raw IP
>20	belong	13		(BSD/OS SLIP
>20	belong	14		(BSD/OS PPP
>20	belong	50		(PPP or Cisco HDLC
>20	belong	51		(PPP-over-Ethernet
>20	belong	100		(RFC 1483 ATM
>20	belong	101		(raw IP
>20	belong	102		(BSD/OS SLIP
>20	belong	103		(BSD/OS PPP
>20	belong	104		(BSD/OS Cisco HDLC
>20	belong	105		(802.11
>20	belong	106		(Linux Classical IP over ATM
>20	belong	108		(OpenBSD loopback
>20	belong	109		(OpenBSD IPSEC encrypted
>20	belong	113		(Linux "cooked"
>20	belong	114		(LocalTalk
>16	belong	x		\b, capture length %d)
0	ulelong	0xa1b2c3d4	tcpdump capture file (little-endian)
>4	leshort	x		- version %d
>6	leshort	x		\b.%d
>20	lelong	0		(No link-layer encapsulation
>20	lelong	1		(Ethernet
>20	lelong	2		(3Mb Ethernet
>20	lelong	3		(AX.25
>20	lelong	4		(ProNET
>20	lelong	5		(CHAOS
>20	lelong	6		(Token Ring
>20	lelong	7		(ARCNET
>20	lelong	8		(SLIP
>20	lelong	9		(PPP
>20	lelong	10		(FDDI
>20	lelong	11		(RFC 1483 ATM
>20	lelong	12		(raw IP
>20	lelong	13		(BSD/OS SLIP
>20	lelong	14		(BSD/OS PPP
>20	lelong	50		(PPP or Cisco HDLC
>20	lelong	51		(PPP-over-Ethernet
>20	lelong	100		(RFC 1483 ATM
>20	lelong	101		(raw IP
>20	lelong	102		(BSD/OS SLIP
>20	lelong	103		(BSD/OS PPP
>20	lelong	104		(BSD/OS Cisco HDLC
>20	lelong	105		(802.11
>20	lelong	106		(Linux Classical IP over ATM
>20	lelong	108		(OpenBSD loopback
>20	lelong	109		(OpenBSD IPSEC encrypted
>20	lelong	113		(Linux "cooked"
>20	lelong	114		(LocalTalk
>16	lelong	x		\b, capture length %d)

#
# "libpcap"-with-Alexey-Kuznetsov's-patches capture files.
# (We call them "tcpdump capture file(s)" for now, as "tcpdump" is
# the main program that uses that format, but there are other programs
# that use "libpcap", or that use the same capture file format.)
#
0	ubelong	0xa1b2cd34	extended tcpdump capture file (big-endian)
>4	beshort	x		- version %d
>6	beshort	x		\b.%d
>20	belong	0		(No link-layer encapsulation
>20	belong	1		(Ethernet
>20	belong	2		(3Mb Ethernet
>20	belong	3		(AX.25
>20	belong	4		(ProNET
>20	belong	5		(CHAOS
>20	belong	6		(Token Ring
>20	belong	7		(ARCNET
>20	belong	8		(SLIP
>20	belong	9		(PPP
>20	belong	10		(FDDI
>20	belong	11		(RFC 1483 ATM
>20	belong	12		(raw IP
>20	belong	13		(BSD/OS SLIP
>20	belong	14		(BSD/OS PPP
>16	belong	x		\b, capture length %d)
0	ulelong	0xa1b2cd34	extended tcpdump capture file (little-endian)
>4	leshort	x		- version %d
>6	leshort	x		\b.%d
>20	lelong	0		(No link-layer encapsulation
>20	lelong	1		(Ethernet
>20	lelong	2		(3Mb Ethernet
>20	lelong	3		(AX.25
>20	lelong	4		(ProNET
>20	lelong	5		(CHAOS
>20	lelong	6		(Token Ring
>20	lelong	7		(ARCNET
>20	lelong	8		(SLIP
>20	lelong	9		(PPP
>20	lelong	10		(FDDI
>20	lelong	11		(RFC 1483 ATM
>20	lelong	12		(raw IP
>20	lelong	13		(BSD/OS SLIP
>20	lelong	14		(BSD/OS PPP
>16	lelong	x		\b, capture length %d)

#
# AIX "iptrace" capture files.
#
0	string	iptrace\ 2.0	"iptrace" capture file

#
# Novell LANalyzer capture files.
#
0	leshort	0x1001		LANalyzer capture file
0	leshort	0x1007		LANalyzer capture file

#
# HP-UX "nettl" capture files.
#
0	string	\x54\x52\x00\x64\x00	"nettl" capture file

#
# RADCOM WAN/LAN Analyzer capture files.
#
0	string	\x42\xd2\x00\x34\x12\x66\x22\x88	RADCOM WAN/LAN Analyzer capture file

#
# NetStumbler log files.  Not really packets, per se, but about as
# close as you can get.  These are log files from NetStumbler, a
# Windows program, that scans for 802.11b networks.
#
0	string	NetS		NetStumbler log file
>8	lelong	x		\b, %d stations found
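The libpcap, extended libpcap and NetMon entries above are fixed-offset header tests: a 4-byte magic read in both byte orders, version numbers at offsets 4 and 6, capture length at 16 and link type at 20. The Python module below is an added example, not part of this magic file or of file(1); it applies the same tests in code, using the link-type table from the entries above, and adds one check that a signature match alone never gives you: whether the first record header is consistent with the global header before anything downstream trusts its length field. All sample headers are constructed inline; PCAP_MAGIC_EXT names the 0xa1b2cd34 value the entries call "extended".

```python
"""Signature-based identification of packet-capture files, written as an
added example (not part of the file(1) magic database). It mirrors the
libpcap and NetMon entries and adds a sanity check on the first pcap record."""
import struct

# Link-layer type names exactly as the libpcap entries list them.
PCAP_LINKTYPES = {
    0: "No link-layer encapsulation", 1: "Ethernet", 2: "3Mb Ethernet",
    3: "AX.25", 4: "ProNET", 5: "CHAOS", 6: "Token Ring", 7: "ARCNET",
    8: "SLIP", 9: "PPP", 10: "FDDI", 11: "RFC 1483 ATM", 12: "raw IP",
    13: "BSD/OS SLIP", 14: "BSD/OS PPP", 50: "PPP or Cisco HDLC",
    51: "PPP-over-Ethernet", 100: "RFC 1483 ATM", 101: "raw IP",
    102: "BSD/OS SLIP", 103: "BSD/OS PPP", 104: "BSD/OS Cisco HDLC",
    105: "802.11", 106: "Linux Classical IP over ATM",
    108: "OpenBSD loopback", 109: "OpenBSD IPSEC encrypted",
    113: 'Linux "cooked"', 114: "LocalTalk",
}
NETMON_NETTYPES = {0: "Unknown", 1: "Ethernet", 2: "Token Ring", 3: "FDDI"}

PCAP_MAGIC = 0xA1B2C3D4      # plain libpcap
PCAP_MAGIC_EXT = 0xA1B2CD34  # libpcap with Alexey Kuznetsov's patches
GLOBAL_HDR = 24              # version at 4/6, snaplen at 16, linktype at 20
RECORD_HDR = 16              # ts_sec, ts_usec, incl_len, orig_len


def pcap_byte_order(data: bytes):
    """Return (struct byte-order char, magic) if the first 4 bytes are a
    libpcap magic in that order, else None: the ubelong/ulelong pair in code."""
    if len(data) < 4:
        return None
    for order in (">", "<"):
        magic = struct.unpack(order + "I", data[:4])[0]
        if magic in (PCAP_MAGIC, PCAP_MAGIC_EXT):
            return order, magic
    return None


def identify(data: bytes) -> str:
    """Return a file(1)-style description, or 'data' when nothing matches."""
    found = pcap_byte_order(data)
    if found and len(data) >= GLOBAL_HDR:
        order, magic = found
        # I=magic, H=major, H=minor, 8x=thiszone+sigfigs, I=snaplen, I=linktype
        _, major, minor, snaplen, linktype = struct.unpack(
            order + "IHH8xII", data[:GLOBAL_HDR])
        label = "big-endian" if order == ">" else "little-endian"
        kind = "extended " if magic == PCAP_MAGIC_EXT else ""
        # Unlike the magic entries, an unlisted link type is reported by number
        # instead of leaving the parenthesis unbalanced.
        name = PCAP_LINKTYPES.get(linktype, f"link type {linktype}")
        return (f"{kind}tcpdump capture file ({label}) - version "
                f"{major}.{minor} ({name}, capture length {snaplen})")
    if data[:4] in (b"RTSS", b"GMBU") and len(data) >= 8:
        # NetMon 1.x / 2.x: version bytes at 4 and 5, leshort network type at 6
        major, minor, nettype = struct.unpack("<BBH", data[4:8])
        desc = f"NetMon capture file - version {major}.{minor}"
        if nettype in NETMON_NETTYPES:
            desc += f" ({NETMON_NETTYPES[nettype]})"
        return desc
    return "data"


def first_record_is_sane(data: bytes) -> bool:
    """Check the first pcap record header against the global header.
    A signature match proves only that 24 bytes look right; a parser will
    trust incl_len, so reject records that exceed the snaplen, exceed their
    own orig_len, or run past the end of the data."""
    found = pcap_byte_order(data)
    if not found or len(data) < GLOBAL_HDR + RECORD_HDR:
        return False
    order, _ = found
    snaplen = struct.unpack(order + "I", data[16:20])[0]
    _, _, incl_len, orig_len = struct.unpack(
        order + "IIII", data[GLOBAL_HDR:GLOBAL_HDR + RECORD_HDR])
    return (incl_len <= snaplen and incl_len <= orig_len
            and GLOBAL_HDR + RECORD_HDR + incl_len <= len(data))


# Constructed sample headers (not captured traffic): a little-endian pcap
# with one 6-byte Ethernet record, a big-endian extended pcap header, a
# NetMon 1.x header, and a pcap whose first record claims more than snaplen.
SAMPLE_PCAP_LE = (struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
                  + struct.pack("<IIII", 1700000000, 0, 6, 6) + b"\x00" * 6)
SAMPLE_PCAP_EXT_BE = struct.pack(">IHHiIII", PCAP_MAGIC_EXT, 2, 4, 0, 0, 262144, 113)
SAMPLE_NETMON = b"RTSS" + bytes([1, 1]) + struct.pack("<H", 1)
SAMPLE_BAD_RECORD = (struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 96, 1)
                     + struct.pack("<IIII", 1700000000, 0, 100000, 100000)
                     + b"\x00" * 6)

if __name__ == "__main__":
    for blob in (SAMPLE_PCAP_LE, SAMPLE_PCAP_EXT_BE, SAMPLE_NETMON, b"XCP\0junk"):
        print(identify(blob))
    print(first_record_is_sane(SAMPLE_PCAP_LE), first_record_is_sane(SAMPLE_BAD_RECORD))
```

The byte order is decided once from the magic and then reused for every other field, which is exactly what the paired big-endian and little-endian entries express by duplication; the record check is the part a magic database cannot do, since file(1) only describes what the header claims.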