2 #------------------------------------------------------------------------------
3 # sniffer: file(1) magic for packet capture files
5 # From: guy@alum.mit.edu (Guy Harris)
9 # Microsoft Network Monitor 1.x capture files.
# Signature is the four ASCII bytes "RTSS" at offset 0.  The byte at offset 4
# is printed as the version unconditionally ("x" matches any value); the
# little-endian short at offset 6 is the network type and prints only for the
# values listed, so an unlisted type adds nothing to the output.
11 0 string RTSS NetMon capture file
12 >4 byte x - version %d
14 >6 leshort 0 (Unknown)
15 >6 leshort 1 (Ethernet)
16 >6 leshort 2 (Token Ring)
20 # Microsoft Network Monitor 2.x capture files.
# Same header layout as the 1.x entry above, distinguished only by the
# four-byte signature "GMBU" at offset 0: version byte at offset 4, network
# type as a little-endian short at offset 6 (only the listed values print).
22 0 string GMBU NetMon capture file
23 >4 byte x - version %d
25 >6 leshort 0 (Unknown)
26 >6 leshort 1 (Ethernet)
27 >6 leshort 2 (Token Ring)
31 # Network General Sniffer capture files.
32 # Sorry, make that "Network Associates Sniffer capture files."
# Signature at offset 0 is "TRSNIFF data" followed by four more spaces and
# \032 (octal for 0x1a, Ctrl-Z); the backslashes escape the spaces so they
# are part of the string rather than field separators.  Output follows line
# order, so "(compressed)" (byte value 2 at offset 33) is printed before the
# version (little-endian short at offset 23).  The byte at offset 32 is the
# network type; only the values listed below produce output.
34 0 string TRSNIFF\ data\ \ \ \ \032 Sniffer capture file
35 >33 byte 2 (compressed)
36 >23 leshort x - version %d
38 >32 byte 0 (Token Ring)
42 >32 byte 4 (PC Network broadband)
43 >32 byte 5 (LocalTalk)
45 >32 byte 7 (Internetwork Analyzer)
50 # Cinco Networks NetXRay capture files.
51 # Sorry, make that "Network General Sniffer Basic capture files."
52 # Sorry, make that "Network Associates Sniffer Basic capture files."
53 # Sorry, make that "Network Associates Sniffer Basic, and Windows
54 # Sniffer Pro" capture files.
# Signature at offset 0 is "XCP" followed by a NUL byte.  The ">\0" test at
# offset 4 matches any non-empty string, so the version is printed as text
# (%s) rather than as a number.  The network type is a little-endian short at
# offset 44; only the two values listed produce output.
56 0 string XCP\0 NetXRay capture file
57 >4 string >\0 - version %s
58 >44 leshort 0 (Ethernet)
59 >44 leshort 1 (Token Ring)
63 # "libpcap" capture files.
64 # (We call them "tcpdump capture file(s)" for now, as "tcpdump" is
65 # the main program that uses that format, but there are other programs
66 # that use "libpcap", or that use the same capture file format.)
# Big-endian variant: the magic 0xa1b2c3d4 is matched as an unsigned
# big-endian long at offset 0, so a file written on a little-endian host
# is caught by the "ulelong" entry further down instead.  Offset 4 is the
# version (big-endian short, always printed), offset 20 the link-layer type
# and offset 16 the capture length.  The opening "(" belongs to whichever
# offset-20 line matches, while the closing ")" on the offset-16 line is
# printed unconditionally ("\b" removes the space file(1) would insert
# before it); a link-layer type not listed here therefore leaves an
# unmatched ")" in the output.
# NOTE(review): these tests read only the fixed header offsets shown.  A
# match means the header looks like this format, not that the rest of the
# file is well formed; whatever opens the file on the strength of this
# identification must still validate its contents.
68 0 ubelong 0xa1b2c3d4 tcpdump capture file (big-endian)
69 >4 beshort x - version %d
71 >20 belong 0 (No link-layer encapsulation
72 >20 belong 1 (Ethernet
73 >20 belong 2 (3Mb Ethernet
77 >20 belong 6 (Token Ring
82 >20 belong 11 (RFC 1483 ATM
84 >20 belong 13 (BSD/OS SLIP
85 >20 belong 14 (BSD/OS PPP
86 >20 belong 50 (PPP or Cisco HDLC
87 >20 belong 51 (PPP-over-Ethernet
88 >20 belong 100 (RFC 1483 ATM
89 >20 belong 101 (raw IP
90 >20 belong 102 (BSD/OS SLIP
91 >20 belong 103 (BSD/OS PPP
92 >20 belong 104 (BSD/OS Cisco HDLC
93 >20 belong 105 (802.11
94 >20 belong 106 (Linux Classical IP over ATM
95 >20 belong 108 (OpenBSD loopback
96 >20 belong 109 (OpenBSD IPSEC encrypted
97 >20 belong 113 (Linux "cooked"
98 >20 belong 114 (LocalTalk
99 >16 belong x \b, capture length %d)
# Little-endian variant: same header layout as the big-endian entry above
# (version at offset 4, link-layer type at offset 20, capture length at
# offset 16), with the magic and every field read little-endian.  As above,
# the closing ")" on the offset-16 line is unconditional, so a link-layer
# type that is not listed leaves it unmatched in the output.
100 0 ulelong 0xa1b2c3d4 tcpdump capture file (little-endian)
101 >4 leshort x - version %d
103 >20 lelong 0 (No link-layer encapsulation
104 >20 lelong 1 (Ethernet
105 >20 lelong 2 (3Mb Ethernet
109 >20 lelong 6 (Token Ring
114 >20 lelong 11 (RFC 1483 ATM
115 >20 lelong 12 (raw IP
116 >20 lelong 13 (BSD/OS SLIP
117 >20 lelong 14 (BSD/OS PPP
118 >20 lelong 50 (PPP or Cisco HDLC
119 >20 lelong 51 (PPP-over-Ethernet
120 >20 lelong 100 (RFC 1483 ATM
121 >20 lelong 101 (raw IP
122 >20 lelong 102 (BSD/OS SLIP
123 >20 lelong 103 (BSD/OS PPP
124 >20 lelong 104 (BSD/OS Cisco HDLC
125 >20 lelong 105 (802.11
126 >20 lelong 106 (Linux Classical IP over ATM
127 >20 lelong 108 (OpenBSD loopback
128 >20 lelong 109 (OpenBSD IPSEC encrypted
129 >20 lelong 113 (Linux "cooked"
130 >20 lelong 114 (LocalTalk
131 >16 lelong x \b, capture length %d)
134 # "libpcap"-with-Alexey-Kuznetsov's-patches capture files.
135 # (We call them "tcpdump capture file(s)" for now, as "tcpdump" is
136 # the main program that uses that format, but there are other programs
137 # that use "libpcap", or that use the same capture file format.)
# Big-endian variant of the extended format.  It is told apart from plain
# libpcap only by the magic 0xa1b2cd34; the header offsets used here are the
# same (version at 4, link-layer type at 20, capture length at 16) and fewer
# link-layer types are listed.  As with the plain entries, the closing ")"
# on the offset-16 line prints unconditionally.
139 0 ubelong 0xa1b2cd34 extended tcpdump capture file (big-endian)
140 >4 beshort x - version %d
142 >20 belong 0 (No link-layer encapsulation
143 >20 belong 1 (Ethernet
144 >20 belong 2 (3Mb Ethernet
148 >20 belong 6 (Token Ring
153 >20 belong 11 (RFC 1483 ATM
154 >20 belong 12 (raw IP
155 >20 belong 13 (BSD/OS SLIP
156 >20 belong 14 (BSD/OS PPP
157 >16 belong x \b, capture length %d)
# Little-endian variant of the extended format: magic 0xa1b2cd34 read as an
# unsigned little-endian long, same offsets as the big-endian entry above
# with every field read little-endian.
158 0 ulelong 0xa1b2cd34 extended tcpdump capture file (little-endian)
159 >4 leshort x - version %d
161 >20 lelong 0 (No link-layer encapsulation
162 >20 lelong 1 (Ethernet
163 >20 lelong 2 (3Mb Ethernet
167 >20 lelong 6 (Token Ring
172 >20 lelong 11 (RFC 1483 ATM
173 >20 lelong 12 (raw IP
174 >20 lelong 13 (BSD/OS SLIP
175 >20 lelong 14 (BSD/OS PPP
176 >16 lelong x \b, capture length %d)
179 # AIX "iptrace" capture files.
# The signature is the 11-byte string "iptrace 2.0" at offset 0; the
# backslash keeps the embedded space inside the string.  There are no
# continuation lines, so only the type name is printed.
181 0 string iptrace\ 2.0 "iptrace" capture file
184 # Novell LANalyzer capture files.
# Two alternative little-endian 16-bit magic values at offset 0 map to the
# same description.  Both are top-level entries, so each is tested
# independently; a two-byte test is a weak signature on its own.
186 0 leshort 0x1001 LANalyzer capture file
187 0 leshort 0x1007 LANalyzer capture file
190 # HP-UX "nettl" capture files.
# Five-byte signature at offset 0 written as hex escapes: "T", "R", NUL,
# "d", NUL.  The escapes are needed because the NUL bytes cannot be written
# literally in a string test.
192 0 string \x54\x52\x00\x64\x00 "nettl" capture file
195 # RADCOM WAN/LAN Analyzer capture files.
# Eight-byte binary signature at offset 0, written entirely as hex escapes;
# no continuation lines, so only the type name is printed.
197 0 string \x42\xd2\x00\x34\x12\x66\x22\x88 RADCOM WAN/LAN Analyzer capture file
200 # NetStumbler log files. Not really packets, per se, but about as
201 # close as you can get. These are log files from NetStumbler, a
202 # Windows program, that scans for 802.11b networks.
# Signature is the four bytes "NetS" at offset 0.  The little-endian long at
# offset 8 is printed as the station count unconditionally; "\b" deletes the
# space file(1) would otherwise put before the comma.
204 0 string NetS NetStumbler log file
205 >8 lelong x \b, %d stations found