  1. #------------------------------------------------------------------------------
  2. # sniffer: file(1) magic for packet capture files
  3. #
  4. # From: guy@alum.mit.edu (Guy Harris)
  5. #
  6. #
  7. # Microsoft Network Monitor 1.x capture files.
  8. #
  9. 0 string RTSS NetMon capture file
  10. >4 byte x - version %d
  11. >5 byte x \b.%d
  12. >6 leshort 0 (Unknown)
  13. >6 leshort 1 (Ethernet)
  14. >6 leshort 2 (Token Ring)
  15. >6 leshort 3 (FDDI)
  16. #
  17. # Microsoft Network Monitor 2.x capture files.
  18. #
  19. 0 string GMBU NetMon capture file
  20. >4 byte x - version %d
  21. >5 byte x \b.%d
  22. >6 leshort 0 (Unknown)
  23. >6 leshort 1 (Ethernet)
  24. >6 leshort 2 (Token Ring)
  25. >6 leshort 3 (FDDI)
  26. #
  27. # Network General Sniffer capture files.
  28. # Sorry, make that "Network Associates Sniffer capture files."
  29. #
  30. 0 string TRSNIFF\ data\ \ \ \ \032 Sniffer capture file
  31. >33 byte 2 (compressed)
  32. >23 leshort x - version %d
  33. >25 leshort x \b.%d
  34. >32 byte 0 (Token Ring)
  35. >32 byte 1 (Ethernet)
  36. >32 byte 2 (ARCNET)
  37. >32 byte 3 (StarLAN)
  38. >32 byte 4 (PC Network broadband)
  39. >32 byte 5 (LocalTalk)
  40. >32 byte 6 (Znet)
  41. >32 byte 7 (Internetwork Analyzer)
  42. >32 byte 9 (FDDI)
  43. >32 byte 10 (ATM)
  44. #
  45. # Cinco Networks NetXRay capture files.
  46. # Sorry, make that "Network General Sniffer Basic capture files."
  47. # Sorry, make that "Network Associates Sniffer Basic capture files."
  48. # Sorry, make that "Network Associates Sniffer Basic, and Windows
  49. # Sniffer Pro" capture files.
  50. #
  51. 0 string XCP\0 NetXRay capture file
  52. >4 string >\0 - version %s
  53. >44 leshort 0 (Ethernet)
  54. >44 leshort 1 (Token Ring)
  55. >44 leshort 2 (FDDI)
  56. #
  57. # "libpcap" capture files.
  58. # (We call them "tcpdump capture file(s)" for now, as "tcpdump" is
  59. # the main program that uses that format, but there are other programs
  60. # that use "libpcap", or that use the same capture file format.)
  61. # Only the magic at offset 0 decides the match; the version and capture length are printed whatever their values, and a link type not in the list below leaves the ")" from the capture-length line unmatched.
  62. 0 ubelong 0xa1b2c3d4 tcpdump capture file (big-endian)
  63. >4 beshort x - version %d
  64. >6 beshort x \b.%d
  65. >20 belong 0 (No link-layer encapsulation
  66. >20 belong 1 (Ethernet
  67. >20 belong 2 (3Mb Ethernet
  68. >20 belong 3 (AX.25
  69. >20 belong 4 (ProNET
  70. >20 belong 5 (CHAOS
  71. >20 belong 6 (Token Ring
  72. >20 belong 7 (ARCNET
  73. >20 belong 8 (SLIP
  74. >20 belong 9 (PPP
  75. >20 belong 10 (FDDI
  76. >20 belong 11 (RFC 1483 ATM
  77. >20 belong 12 (raw IP
  78. >20 belong 13 (BSD/OS SLIP
  79. >20 belong 14 (BSD/OS PPP
  80. >20 belong 50 (PPP or Cisco HDLC
  81. >20 belong 51 (PPP-over-Ethernet
  82. >20 belong 100 (RFC 1483 ATM
  83. >20 belong 101 (raw IP
  84. >20 belong 102 (BSD/OS SLIP
  85. >20 belong 103 (BSD/OS PPP
  86. >20 belong 104 (BSD/OS Cisco HDLC
  87. >20 belong 105 (802.11
  88. >20 belong 106 (Linux Classical IP over ATM
  89. >20 belong 108 (OpenBSD loopback
  90. >20 belong 109 (OpenBSD IPSEC encrypted
  91. >20 belong 113 (Linux "cooked"
  92. >20 belong 114 (LocalTalk
  93. >16 belong x \b, capture length %d)
  94. 0 ulelong 0xa1b2c3d4 tcpdump capture file (little-endian)
  95. >4 leshort x - version %d
  96. >6 leshort x \b.%d
  97. >20 lelong 0 (No link-layer encapsulation
  98. >20 lelong 1 (Ethernet
  99. >20 lelong 2 (3Mb Ethernet
  100. >20 lelong 3 (AX.25
  101. >20 lelong 4 (ProNET
  102. >20 lelong 5 (CHAOS
  103. >20 lelong 6 (Token Ring
  104. >20 lelong 7 (ARCNET
  105. >20 lelong 8 (SLIP
  106. >20 lelong 9 (PPP
  107. >20 lelong 10 (FDDI
  108. >20 lelong 11 (RFC 1483 ATM
  109. >20 lelong 12 (raw IP
  110. >20 lelong 13 (BSD/OS SLIP
  111. >20 lelong 14 (BSD/OS PPP
  112. >20 lelong 50 (PPP or Cisco HDLC
  113. >20 lelong 51 (PPP-over-Ethernet
  114. >20 lelong 100 (RFC 1483 ATM
  115. >20 lelong 101 (raw IP
  116. >20 lelong 102 (BSD/OS SLIP
  117. >20 lelong 103 (BSD/OS PPP
  118. >20 lelong 104 (BSD/OS Cisco HDLC
  119. >20 lelong 105 (802.11
  120. >20 lelong 106 (Linux Classical IP over ATM
  121. >20 lelong 108 (OpenBSD loopback
  122. >20 lelong 109 (OpenBSD IPSEC encrypted
  123. >20 lelong 113 (Linux "cooked"
  124. >20 lelong 114 (LocalTalk
  125. >16 lelong x \b, capture length %d)
  126. #
  127. # "libpcap"-with-Alexey-Kuznetsov's-patches capture files.
  128. # (We call them "tcpdump capture file(s)" for now, as "tcpdump" is
  129. # the main program that uses that format, but there are other programs
  130. # that use "libpcap", or that use the same capture file format.)
  131. #
  132. 0 ubelong 0xa1b2cd34 extended tcpdump capture file (big-endian)
  133. >4 beshort x - version %d
  134. >6 beshort x \b.%d
  135. >20 belong 0 (No link-layer encapsulation
  136. >20 belong 1 (Ethernet
  137. >20 belong 2 (3Mb Ethernet
  138. >20 belong 3 (AX.25
  139. >20 belong 4 (ProNET
  140. >20 belong 5 (CHAOS
  141. >20 belong 6 (Token Ring
  142. >20 belong 7 (ARCNET
  143. >20 belong 8 (SLIP
  144. >20 belong 9 (PPP
  145. >20 belong 10 (FDDI
  146. >20 belong 11 (RFC 1483 ATM
  147. >20 belong 12 (raw IP
  148. >20 belong 13 (BSD/OS SLIP
  149. >20 belong 14 (BSD/OS PPP
  150. >16 belong x \b, capture length %d)
  151. 0 ulelong 0xa1b2cd34 extended tcpdump capture file (little-endian)
  152. >4 leshort x - version %d
  153. >6 leshort x \b.%d
  154. >20 lelong 0 (No link-layer encapsulation
  155. >20 lelong 1 (Ethernet
  156. >20 lelong 2 (3Mb Ethernet
  157. >20 lelong 3 (AX.25
  158. >20 lelong 4 (ProNET
  159. >20 lelong 5 (CHAOS
  160. >20 lelong 6 (Token Ring
  161. >20 lelong 7 (ARCNET
  162. >20 lelong 8 (SLIP
  163. >20 lelong 9 (PPP
  164. >20 lelong 10 (FDDI
  165. >20 lelong 11 (RFC 1483 ATM
  166. >20 lelong 12 (raw IP
  167. >20 lelong 13 (BSD/OS SLIP
  168. >20 lelong 14 (BSD/OS PPP
  169. >16 lelong x \b, capture length %d)
  170. #
  171. # AIX "iptrace" capture files.
  172. #
  173. 0 string iptrace\ 2.0 "iptrace" capture file
  174. #
  175. # Novell LANalyzer capture files.
  176. #
  177. 0 leshort 0x1001 LANalyzer capture file
  178. 0 leshort 0x1007 LANalyzer capture file
  179. #
  180. # HP-UX "nettl" capture files.
  181. #
  182. 0 string \x54\x52\x00\x64\x00 "nettl" capture file
  183. #
  184. # RADCOM WAN/LAN Analyzer capture files.
  185. #
  186. 0 string \x42\xd2\x00\x34\x12\x66\x22\x88 RADCOM WAN/LAN Analyzer capture file
  187. #
  188. # NetStumbler log files. Not really packet captures, per se, but about as
  189. # close as you can get. These are log files from NetStumbler, a
  190. # Windows program that scans for 802.11b networks.
  191. #
  192. 0 string NetS NetStumbler log file
  193. >8 lelong x \b, %d stations found