
#------------------------------------------------------------------------------
# $File: sniffer,v 1.17 2011/07/11 19:42:02 christos Exp $
# sniffer: file(1) magic for packet capture files
#
# From: guy@alum.mit.edu (Guy Harris)
#
# NOTE(review): every rule in this file inspects only a handful of header
# bytes.  A match says the file *looks like* a given capture format; it does
# not validate the file, and any of these signatures can be placed at the
# front of a crafted file.  Do not use the result as a trust decision for
# what a downstream capture parser will accept.
#
# Microsoft Network Monitor 1.x capture files.
#
# Signature "RTSS" at offset 0.  The byte at 5 is printed as the major
# version and the byte at 4 as the minor; the little-endian 16-bit value at
# 6 is the network type (values above 4 print nothing).
#
0 string RTSS NetMon capture file
>5 byte x - version %d
>4 byte x \b.%d
>6 leshort 0 (Unknown)
>6 leshort 1 (Ethernet)
>6 leshort 2 (Token Ring)
>6 leshort 3 (FDDI)
>6 leshort 4 (ATM)
#
# Microsoft Network Monitor 2.x capture files.
#
# Same header layout as the 1.x rule above (major version byte at 5, minor
# at 4, little-endian network type at 6); only the signature differs.
#
0 string GMBU NetMon capture file
>5 byte x - version %d
>4 byte x \b.%d
>6 leshort 0 (Unknown)
>6 leshort 1 (Ethernet)
>6 leshort 2 (Token Ring)
>6 leshort 3 (FDDI)
>6 leshort 4 (ATM)
#
# Network General Sniffer capture files.
# Sorry, make that "Network Associates Sniffer capture files."
# Sorry, make that "Network General old DOS Sniffer capture files."
#
# Signature is the 17-byte string "TRSNIFF data", four spaces and a
# Ctrl-Z (octal 032) at offset 0.  The byte at 33 equal to 2 marks a
# compressed file and is printed before the version; the version is two
# little-endian 16-bit fields at 23 (major) and 25 (minor); the byte at 32
# is the network type.  Type 8 has no name here and prints nothing.
#
0 string TRSNIFF\ data\ \ \ \ \032 Sniffer capture file
>33 byte 2 (compressed)
>23 leshort x - version %d
>25 leshort x \b.%d
>32 byte 0 (Token Ring)
>32 byte 1 (Ethernet)
>32 byte 2 (ARCNET)
>32 byte 3 (StarLAN)
>32 byte 4 (PC Network broadband)
>32 byte 5 (LocalTalk)
>32 byte 6 (Znet)
>32 byte 7 (Internetwork Analyzer)
>32 byte 9 (FDDI)
>32 byte 10 (ATM)
#
# Cinco Networks NetXRay capture files.
# Sorry, make that "Network General Sniffer Basic capture files."
# Sorry, make that "Network Associates Sniffer Basic capture files."
# Sorry, make that "Network Associates Sniffer Basic, and Windows
# Sniffer Pro" capture files.
# Sorry, make that "Network General Sniffer capture files."
#
# Signature "XCP" followed by a NUL at offset 0.  The version is the
# NUL-terminated string beginning at offset 4 and is printed with %s, i.e.
# it is text taken straight from the (possibly hostile) file.
# NOTE(review): when displaying results for untrusted captures, rely on
# file(1)'s default escaping of non-printable output rather than --raw.
# The little-endian 16-bit value at 44 is the network type; values 4-7 are
# not named here and print nothing.
#
0 string XCP\0 NetXRay capture file
>4 string >\0 - version %s
>44 leshort 0 (Ethernet)
>44 leshort 1 (Token Ring)
>44 leshort 2 (FDDI)
>44 leshort 3 (WAN)
>44 leshort 8 (ATM)
>44 leshort 9 (802.11)
#
# "libpcap" capture files.
# (We call them "tcpdump capture file(s)" for now, as "tcpdump" is
# the main program that uses that format, but there are other programs
# that use "libpcap", or that use the same capture file format.)
#
# Fields read by this rule: 32-bit magic 0xa1b2c3d4 at 0 in big-endian
# byte order (the little-endian rule follows), 16-bit major/minor version
# at 4 and 6, 32-bit snapshot length at 16, 32-bit link-layer type (DLT_*)
# at 20.  Each DLT line opens a parenthesis and the snaplen line closes it.
# A DLT value that is not listed prints only ", capture length N)", leaving
# the parenthesis unbalanced in the output.
# NOTE(review): the snaplen is read as a signed 32-bit value (belong) and
# printed with %d, so a header with bit 31 set shows a negative length.
# The nanosecond-timestamp pcap magic (0xa1b23c4d) is not matched by this
# file.  Per-packet record lengths are not inspected here; a matching
# header says nothing about whether the packet records are well-formed.
# DLT 7 is "BSD ARCNET"; DLT 129 is the Linux ARCNET variant.
#
0 ubelong 0xa1b2c3d4 tcpdump capture file (big-endian)
!:mime application/vnd.tcpdump.pcap
>4 beshort x - version %d
>6 beshort x \b.%d
>20 belong 0 (No link-layer encapsulation
>20 belong 1 (Ethernet
>20 belong 2 (3Mb Ethernet
>20 belong 3 (AX.25
>20 belong 4 (ProNET
>20 belong 5 (CHAOS
>20 belong 6 (Token Ring
>20 belong 7 (BSD ARCNET
>20 belong 8 (SLIP
>20 belong 9 (PPP
>20 belong 10 (FDDI
>20 belong 11 (RFC 1483 ATM
>20 belong 12 (raw IP
>20 belong 13 (BSD/OS SLIP
>20 belong 14 (BSD/OS PPP
>20 belong 19 (Linux ATM Classical IP
>20 belong 50 (PPP or Cisco HDLC
>20 belong 51 (PPP-over-Ethernet
>20 belong 99 (Symantec Enterprise Firewall
>20 belong 100 (RFC 1483 ATM
>20 belong 101 (raw IP
>20 belong 102 (BSD/OS SLIP
>20 belong 103 (BSD/OS PPP
>20 belong 104 (BSD/OS Cisco HDLC
>20 belong 105 (802.11
>20 belong 106 (Linux Classical IP over ATM
>20 belong 107 (Frame Relay
>20 belong 108 (OpenBSD loopback
>20 belong 109 (OpenBSD IPsec encrypted
>20 belong 112 (Cisco HDLC
>20 belong 113 (Linux "cooked"
>20 belong 114 (LocalTalk
>20 belong 117 (OpenBSD PFLOG
>20 belong 119 (802.11 with Prism header
>20 belong 122 (RFC 2625 IP over Fibre Channel
>20 belong 123 (SunATM
>20 belong 127 (802.11 with radiotap header
>20 belong 129 (Linux ARCNET
>20 belong 138 (Apple IP over IEEE 1394
>20 belong 140 (MTP2
>20 belong 141 (MTP3
>20 belong 143 (DOCSIS
>20 belong 144 (IrDA
>20 belong 147 (Private use 0
>20 belong 148 (Private use 1
>20 belong 149 (Private use 2
>20 belong 150 (Private use 3
>20 belong 151 (Private use 4
>20 belong 152 (Private use 5
>20 belong 153 (Private use 6
>20 belong 154 (Private use 7
>20 belong 155 (Private use 8
>20 belong 156 (Private use 9
>20 belong 157 (Private use 10
>20 belong 158 (Private use 11
>20 belong 159 (Private use 12
>20 belong 160 (Private use 13
>20 belong 161 (Private use 14
>20 belong 162 (Private use 15
>20 belong 163 (802.11 with AVS header
>16 belong x \b, capture length %d)
  135. 0 ulelong 0xa1b2c3d4 tcpdump capture file (little-endian)
  136. !:mime application/vnd.tcpdump.pcap
  137. >4 leshort x - version %d
  138. >6 leshort x \b.%d
  139. >20 lelong 0 (No link-layer encapsulation
  140. >20 lelong 1 (Ethernet
  141. >20 lelong 2 (3Mb Ethernet
  142. >20 lelong 3 (AX.25
  143. >20 lelong 4 (ProNET
  144. >20 lelong 5 (CHAOS
  145. >20 lelong 6 (Token Ring
  146. >20 lelong 7 (ARCNET
  147. >20 lelong 8 (SLIP
  148. >20 lelong 9 (PPP
  149. >20 lelong 10 (FDDI
  150. >20 lelong 11 (RFC 1483 ATM
  151. >20 lelong 12 (raw IP
  152. >20 lelong 13 (BSD/OS SLIP
  153. >20 lelong 14 (BSD/OS PPP
  154. >20 lelong 19 (Linux ATM Classical IP
  155. >20 lelong 50 (PPP or Cisco HDLC
  156. >20 lelong 51 (PPP-over-Ethernet
  157. >20 lelong 99 (Symantec Enterprise Firewall
  158. >20 lelong 100 (RFC 1483 ATM
  159. >20 lelong 101 (raw IP
  160. >20 lelong 102 (BSD/OS SLIP
  161. >20 lelong 103 (BSD/OS PPP
  162. >20 lelong 104 (BSD/OS Cisco HDLC
  163. >20 lelong 105 (802.11
  164. >20 lelong 106 (Linux Classical IP over ATM
  165. >20 lelong 107 (Frame Relay
  166. >20 lelong 108 (OpenBSD loopback
  167. >20 lelong 109 (OpenBSD IPsec encrypted
  168. >20 lelong 112 (Cisco HDLC
  169. >20 lelong 113 (Linux "cooked"
  170. >20 lelong 114 (LocalTalk
  171. >20 lelong 117 (OpenBSD PFLOG
  172. >20 lelong 119 (802.11 with Prism header
  173. >20 lelong 122 (RFC 2625 IP over Fibre Channel
  174. >20 lelong 123 (SunATM
  175. >20 lelong 127 (802.11 with radiotap header
  176. >20 lelong 129 (Linux ARCNET
  177. >20 lelong 138 (Apple IP over IEEE 1394
  178. >20 lelong 140 (MTP2
  179. >20 lelong 141 (MTP3
  180. >20 lelong 143 (DOCSIS
  181. >20 lelong 144 (IrDA
  182. >20 lelong 147 (Private use 0
  183. >20 lelong 148 (Private use 1
  184. >20 lelong 149 (Private use 2
  185. >20 lelong 150 (Private use 3
  186. >20 lelong 151 (Private use 4
  187. >20 lelong 152 (Private use 5
  188. >20 lelong 153 (Private use 6
  189. >20 lelong 154 (Private use 7
  190. >20 lelong 155 (Private use 8
  191. >20 lelong 156 (Private use 9
  192. >20 lelong 157 (Private use 10
  193. >20 lelong 158 (Private use 11
  194. >20 lelong 159 (Private use 12
  195. >20 lelong 160 (Private use 13
  196. >20 lelong 161 (Private use 14
  197. >20 lelong 162 (Private use 15
  198. >20 lelong 163 (802.11 with AVS header
  199. >16 lelong x \b, capture length %d)
  200. #
  201. # "libpcap"-with-Alexey-Kuznetsov's-patches capture files.
  202. # (We call them "tcpdump capture file(s)" for now, as "tcpdump" is
  203. # the main program that uses that format, but there are other programs
  204. # that use "libpcap", or that use the same capture file format.)
  205. #
  206. 0 ubelong 0xa1b2cd34 extended tcpdump capture file (big-endian)
  207. >4 beshort x - version %d
  208. >6 beshort x \b.%d
  209. >20 belong 0 (No link-layer encapsulation
  210. >20 belong 1 (Ethernet
  211. >20 belong 2 (3Mb Ethernet
  212. >20 belong 3 (AX.25
  213. >20 belong 4 (ProNET
  214. >20 belong 5 (CHAOS
  215. >20 belong 6 (Token Ring
  216. >20 belong 7 (ARCNET
  217. >20 belong 8 (SLIP
  218. >20 belong 9 (PPP
  219. >20 belong 10 (FDDI
  220. >20 belong 11 (RFC 1483 ATM
  221. >20 belong 12 (raw IP
  222. >20 belong 13 (BSD/OS SLIP
  223. >20 belong 14 (BSD/OS PPP
  224. >16 belong x \b, capture length %d)
  225. 0 ulelong 0xa1b2cd34 extended tcpdump capture file (little-endian)
  226. >4 leshort x - version %d
  227. >6 leshort x \b.%d
  228. >20 lelong 0 (No link-layer encapsulation
  229. >20 lelong 1 (Ethernet
  230. >20 lelong 2 (3Mb Ethernet
  231. >20 lelong 3 (AX.25
  232. >20 lelong 4 (ProNET
  233. >20 lelong 5 (CHAOS
  234. >20 lelong 6 (Token Ring
  235. >20 lelong 7 (ARCNET
  236. >20 lelong 8 (SLIP
  237. >20 lelong 9 (PPP
  238. >20 lelong 10 (FDDI
  239. >20 lelong 11 (RFC 1483 ATM
  240. >20 lelong 12 (raw IP
  241. >20 lelong 13 (BSD/OS SLIP
  242. >20 lelong 14 (BSD/OS PPP
  243. >16 lelong x \b, capture length %d)
#
# "pcapng" capture files.
# http://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html (historical
# link to the original draft)
#
# The Section Header Block type 0x0a0d0d0a is the same byte sequence in
# either byte order, so the top-level test is order-independent; the
# byte-order magic 0x1a2b3c4d at offset 8 is what decides endianness, and
# the 16-bit major/minor version at 12 and 14 is then read accordingly.
# Only the first Section Header Block is looked at.  No !:mime line is
# attached, unlike the classic pcap rules.
#
0 ubelong 0x0a0d0d0a
>8 ubelong 0x1a2b3c4d pcapng capture file (big-endian)
>>12 beshort x - version %d
>>14 beshort x \b.%d
>8 ulelong 0x1a2b3c4d pcapng capture file (little-endian)
>>12 leshort x - version %d
>>14 leshort x \b.%d
#
# "pcap-ng" capture files.
# http://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html
# Pcap-ng files can contain multiple sections. Printing the endianness,
# snaplen, or other information from the first SHB may be misleading.
#
# NOTE(review): these two rules test exactly the same bytes as the
# "pcapng" rule above (0x0a0d0d0a reads identically as ubelong and ulelong,
# and the byte-order magic at 8 is the same), so any file reaching them has
# already matched above.  With file(1)'s default first-match behaviour they
# are only reported when -k/--keep-going is used, and then as a duplicate.
#
0 ubelong 0x0a0d0d0a
>8 ubelong 0x1a2b3c4d pcap-ng capture file
>>12 beshort x - version %d
>>14 beshort x \b.%d
0 ulelong 0x0a0d0d0a
>8 ulelong 0x1a2b3c4d pcap-ng capture file
>>12 leshort x - version %d
>>14 leshort x \b.%d
#
# AIX "iptrace" capture files.
#
# Matched on the 11-byte version string at offset 0; nothing else in the
# header is checked and the version is not printed.
#
0 string iptrace\ 1.0 "iptrace" capture file
0 string iptrace\ 2.0 "iptrace" capture file
#
# Novell LANalyzer capture files.
#
# NOTE(review): this is a two-byte little-endian test at offset 0 with no
# further confirmation, so it will match many unrelated files whose first
# two bytes happen to be 01 10 or 07 10.  Treat a LANalyzer identification
# as a hint, not as evidence of the format.
#
0 leshort 0x1001 LANalyzer capture file
0 leshort 0x1007 LANalyzer capture file
#
# HP-UX "nettl" capture files.
#
# Five fixed bytes at offset 0 (54 52 00 64 00); no other field is checked.
#
0 string \x54\x52\x00\x64\x00 "nettl" capture file
#
# RADCOM WAN/LAN Analyzer capture files.
#
# Eight fixed bytes at offset 0; no other field is checked.
#
0 string \x42\xd2\x00\x34\x12\x66\x22\x88 RADCOM WAN/LAN Analyzer capture file
#
# NetStumbler log files. Not really packets, per se, but about as
# close as you can get. These are log files from NetStumbler, a
# Windows program, that scans for 802.11b networks.
#
# Four-byte signature "NetS" at offset 0 (weak on its own); the signed
# little-endian 32-bit count at 8 is printed as the number of stations,
# so a corrupt or hostile file can report a negative or absurd count.
#
0 string NetS NetStumbler log file
>8 lelong x \b, %d stations found
#
# EtherPeek/AiroPeek "version 9" capture files.
#
# Four-byte signature at offset 0: a DEL byte (octal 177) followed by
# "ver".  Nothing else is checked.
#
0 string \177ver EtherPeek/AiroPeek capture file
#
# Visual Networks traffic capture files.
#
# Four-byte signature at offset 0: 0x05 followed by "VNF".  Nothing else
# is checked.
#
0 string \x05VNF Visual Networks traffic capture file
#
# Network Instruments Observer capture files.
#
# Sixteen-byte signature "ObserverPktBuffe" at offset 0; nothing else is
# checked.
#
0 string ObserverPktBuffe Network Instruments Observer capture file
#
# Files from Accellent Group's 5View products.
#
# NOTE(review): the test is four 0xaa bytes at offset 0 and nothing else,
# which is a weak signature (0xaa filler is common in padded or test data);
# expect false positives and do not act on this identification alone.
#
0 string \xaa\xaa\xaa\xaa 5View capture file