
  1. #------------------------------------------------------------------------------
  2. # sniffer: file(1) magic for packet capture files
  3. #
  4. # From: guy@alum.mit.edu (Guy Harris)
  5. #
  6. #
  7. # Microsoft Network Monitor 1.x capture files.
  8. #
  9. 0 string RTSS NetMon capture file
  10. >5 byte x - version %d
  11. >4 byte x \b.%d
  12. >6 leshort 0 (Unknown)
  13. >6 leshort 1 (Ethernet)
  14. >6 leshort 2 (Token Ring)
  15. >6 leshort 3 (FDDI)
  16. >6 leshort 4 (ATM)
  17. #
  18. # Microsoft Network Monitor 2.x capture files.
  19. #
  20. 0 string GMBU NetMon capture file
  21. >5 byte x - version %d
  22. >4 byte x \b.%d
  23. >6 leshort 0 (Unknown)
  24. >6 leshort 1 (Ethernet)
  25. >6 leshort 2 (Token Ring)
  26. >6 leshort 3 (FDDI)
  27. >6 leshort 4 (ATM)
  28. #
  29. # Network General Sniffer capture files.
  30. # Sorry, make that "Network Associates Sniffer capture files."
  31. # Sorry, make that "Network General old DOS Sniffer capture files."
  32. #
  33. 0 string TRSNIFF\ data\ \ \ \ \032 Sniffer capture file
  34. >33 byte 2 (compressed)
  35. >23 leshort x - version %d
  36. >25 leshort x \b.%d
  37. >32 byte 0 (Token Ring)
  38. >32 byte 1 (Ethernet)
  39. >32 byte 2 (ARCNET)
  40. >32 byte 3 (StarLAN)
  41. >32 byte 4 (PC Network broadband)
  42. >32 byte 5 (LocalTalk)
  43. >32 byte 6 (Znet)
  44. >32 byte 7 (Internetwork Analyzer)
  45. >32 byte 9 (FDDI)
  46. >32 byte 10 (ATM)
  47. #
  48. # Cinco Networks NetXRay capture files.
  49. # Sorry, make that "Network General Sniffer Basic capture files."
  50. # Sorry, make that "Network Associates Sniffer Basic capture files."
  51. # Sorry, make that "Network Associates Sniffer Basic, and Windows
  52. # Sniffer Pro" capture files.
  53. # Sorry, make that "Network General Sniffer capture files."
  54. #
  55. 0 string XCP\0 NetXRay capture file
  56. >4 string >\0 - version %s
  57. >44 leshort 0 (Ethernet)
  58. >44 leshort 1 (Token Ring)
  59. >44 leshort 2 (FDDI)
  60. >44 leshort 3 (WAN)
  61. >44 leshort 8 (ATM)
  62. >44 leshort 9 (802.11)
  63. #
  64. # "libpcap" capture files.
  65. # (We call them "tcpdump capture file(s)" for now, as "tcpdump" is
  66. # the main program that uses that format, but there are other programs
  67. # that use "libpcap", or that use the same capture file format.)
  68. #
  69. 0 ubelong 0xa1b2c3d4 tcpdump capture file (big-endian)
  70. >4 beshort x - version %d
  71. >6 beshort x \b.%d
  72. >20 belong 0 (No link-layer encapsulation
  73. >20 belong 1 (Ethernet
  74. >20 belong 2 (3Mb Ethernet
  75. >20 belong 3 (AX.25
  76. >20 belong 4 (ProNET
  77. >20 belong 5 (CHAOS
  78. >20 belong 6 (Token Ring
  79. >20 belong 7 (BSD ARCNET
  80. >20 belong 8 (SLIP
  81. >20 belong 9 (PPP
  82. >20 belong 10 (FDDI
  83. >20 belong 11 (RFC 1483 ATM
  84. >20 belong 12 (raw IP
  85. >20 belong 13 (BSD/OS SLIP
  86. >20 belong 14 (BSD/OS PPP
  87. >20 belong 19 (Linux ATM Classical IP
  88. >20 belong 50 (PPP or Cisco HDLC
  89. >20 belong 51 (PPP-over-Ethernet
  90. >20 belong 99 (Symantec Enterprise Firewall
  91. >20 belong 100 (RFC 1483 ATM
  92. >20 belong 101 (raw IP
  93. >20 belong 102 (BSD/OS SLIP
  94. >20 belong 103 (BSD/OS PPP
  95. >20 belong 104 (BSD/OS Cisco HDLC
  96. >20 belong 105 (802.11
  97. >20 belong 106 (Linux Classical IP over ATM
  98. >20 belong 107 (Frame Relay
  99. >20 belong 108 (OpenBSD loopback
  100. >20 belong 109 (OpenBSD IPsec encrypted
  101. >20 belong 112 (Cisco HDLC
  102. >20 belong 113 (Linux "cooked"
  103. >20 belong 114 (LocalTalk
  104. >20 belong 117 (OpenBSD PFLOG
  105. >20 belong 119 (802.11 with Prism header
  106. >20 belong 122 (RFC 2625 IP over Fibre Channel
  107. >20 belong 123 (SunATM
  108. >20 belong 127 (802.11 with radiotap header
  109. >20 belong 129 (Linux ARCNET
  110. >20 belong 138 (Apple IP over IEEE 1394
  111. >20 belong 140 (MTP2
  112. >20 belong 141 (MTP3
  113. >20 belong 143 (DOCSIS
  114. >20 belong 144 (IrDA
  115. >20 belong 147 (Private use 0
  116. >20 belong 148 (Private use 1
  117. >20 belong 149 (Private use 2
  118. >20 belong 150 (Private use 3
  119. >20 belong 151 (Private use 4
  120. >20 belong 152 (Private use 5
  121. >20 belong 153 (Private use 6
  122. >20 belong 154 (Private use 7
  123. >20 belong 155 (Private use 8
  124. >20 belong 156 (Private use 9
  125. >20 belong 157 (Private use 10
  126. >20 belong 158 (Private use 11
  127. >20 belong 159 (Private use 12
  128. >20 belong 160 (Private use 13
  129. >20 belong 161 (Private use 14
  130. >20 belong 162 (Private use 15
  131. >20 belong 163 (802.11 with AVS header
  132. >16 belong x \b, capture length %d)
  133. 0 ulelong 0xa1b2c3d4 tcpdump capture file (little-endian)
  134. >4 leshort x - version %d
  135. >6 leshort x \b.%d
  136. >20 lelong 0 (No link-layer encapsulation
  137. >20 lelong 1 (Ethernet
  138. >20 lelong 2 (3Mb Ethernet
  139. >20 lelong 3 (AX.25
  140. >20 lelong 4 (ProNET
  141. >20 lelong 5 (CHAOS
  142. >20 lelong 6 (Token Ring
  143. >20 lelong 7 (ARCNET
  144. >20 lelong 8 (SLIP
  145. >20 lelong 9 (PPP
  146. >20 lelong 10 (FDDI
  147. >20 lelong 11 (RFC 1483 ATM
  148. >20 lelong 12 (raw IP
  149. >20 lelong 13 (BSD/OS SLIP
  150. >20 lelong 14 (BSD/OS PPP
  151. >20 lelong 19 (Linux ATM Classical IP
  152. >20 lelong 50 (PPP or Cisco HDLC
  153. >20 lelong 51 (PPP-over-Ethernet
  154. >20 lelong 99 (Symantec Enterprise Firewall
  155. >20 lelong 100 (RFC 1483 ATM
  156. >20 lelong 101 (raw IP
  157. >20 lelong 102 (BSD/OS SLIP
  158. >20 lelong 103 (BSD/OS PPP
  159. >20 lelong 104 (BSD/OS Cisco HDLC
  160. >20 lelong 105 (802.11
  161. >20 lelong 106 (Linux Classical IP over ATM
  162. >20 lelong 107 (Frame Relay
  163. >20 lelong 108 (OpenBSD loopback
  164. >20 lelong 109 (OpenBSD IPsec encrypted
  165. >20 lelong 112 (Cisco HDLC
  166. >20 lelong 113 (Linux "cooked"
  167. >20 lelong 114 (LocalTalk
  168. >20 lelong 117 (OpenBSD PFLOG
  169. >20 lelong 119 (802.11 with Prism header
  170. >20 lelong 122 (RFC 2625 IP over Fibre Channel
  171. >20 lelong 123 (SunATM
  172. >20 lelong 127 (802.11 with radiotap header
  173. >20 lelong 129 (Linux ARCNET
  174. >20 lelong 138 (Apple IP over IEEE 1394
  175. >20 lelong 140 (MTP2
  176. >20 lelong 141 (MTP3
  177. >20 lelong 143 (DOCSIS
  178. >20 lelong 144 (IrDA
  179. >20 lelong 147 (Private use 0
  180. >20 lelong 148 (Private use 1
  181. >20 lelong 149 (Private use 2
  182. >20 lelong 150 (Private use 3
  183. >20 lelong 151 (Private use 4
  184. >20 lelong 152 (Private use 5
  185. >20 lelong 153 (Private use 6
  186. >20 lelong 154 (Private use 7
  187. >20 lelong 155 (Private use 8
  188. >20 lelong 156 (Private use 9
  189. >20 lelong 157 (Private use 10
  190. >20 lelong 158 (Private use 11
  191. >20 lelong 159 (Private use 12
  192. >20 lelong 160 (Private use 13
  193. >20 lelong 161 (Private use 14
  194. >20 lelong 162 (Private use 15
  195. >20 lelong 163 (802.11 with AVS header
  196. >16 lelong x \b, capture length %d)
  197. #
  198. # "libpcap"-with-Alexey-Kuznetsov's-patches capture files.
  199. # (We call them "tcpdump capture file(s)" for now, as "tcpdump" is
  200. # the main program that uses that format, but there are other programs
  201. # that use "libpcap", or that use the same capture file format.)
  202. #
  203. 0 ubelong 0xa1b2cd34 extended tcpdump capture file (big-endian)
  204. >4 beshort x - version %d
  205. >6 beshort x \b.%d
  206. >20 belong 0 (No link-layer encapsulation
  207. >20 belong 1 (Ethernet
  208. >20 belong 2 (3Mb Ethernet
  209. >20 belong 3 (AX.25
  210. >20 belong 4 (ProNET
  211. >20 belong 5 (CHAOS
  212. >20 belong 6 (Token Ring
  213. >20 belong 7 (ARCNET
  214. >20 belong 8 (SLIP
  215. >20 belong 9 (PPP
  216. >20 belong 10 (FDDI
  217. >20 belong 11 (RFC 1483 ATM
  218. >20 belong 12 (raw IP
  219. >20 belong 13 (BSD/OS SLIP
  220. >20 belong 14 (BSD/OS PPP
  221. >16 belong x \b, capture length %d)
  222. 0 ulelong 0xa1b2cd34 extended tcpdump capture file (little-endian)
  223. >4 leshort x - version %d
  224. >6 leshort x \b.%d
  225. >20 lelong 0 (No link-layer encapsulation
  226. >20 lelong 1 (Ethernet
  227. >20 lelong 2 (3Mb Ethernet
  228. >20 lelong 3 (AX.25
  229. >20 lelong 4 (ProNET
  230. >20 lelong 5 (CHAOS
  231. >20 lelong 6 (Token Ring
  232. >20 lelong 7 (ARCNET
  233. >20 lelong 8 (SLIP
  234. >20 lelong 9 (PPP
  235. >20 lelong 10 (FDDI
  236. >20 lelong 11 (RFC 1483 ATM
  237. >20 lelong 12 (raw IP
  238. >20 lelong 13 (BSD/OS SLIP
  239. >20 lelong 14 (BSD/OS PPP
  240. >16 lelong x \b, capture length %d)
  241. #
  242. # AIX "iptrace" capture files.
  243. #
  244. 0 string iptrace\ 1.0 "iptrace" capture file
  245. 0 string iptrace\ 2.0 "iptrace" capture file
  246. #
  247. # Novell LANalyzer capture files.
  248. #
  249. 0 leshort 0x1001 LANalyzer capture file
  250. 0 leshort 0x1007 LANalyzer capture file
  251. #
  252. # HP-UX "nettl" capture files.
  253. #
  254. 0 string \x54\x52\x00\x64\x00 "nettl" capture file
  255. #
  256. # RADCOM WAN/LAN Analyzer capture files.
  257. #
  258. 0 string \x42\xd2\x00\x34\x12\x66\x22\x88 RADCOM WAN/LAN Analyzer capture file
  259. #
  260. # NetStumbler log files. Not really packets, per se, but about as
  261. # close as you can get. These are log files from NetStumbler, a
  262. # Windows program that scans for 802.11b networks.
  263. #
  264. 0 string NetS NetStumbler log file
  265. >8 lelong x \b, %d stations found
  266. #
  267. # EtherPeek/AiroPeek "version 9" capture files.
  268. #
  269. 0 string \177ver EtherPeek/AiroPeek capture file
  270. #
  271. # Visual Networks traffic capture files.
  272. #
  273. 0 string \x05VNF Visual Networks traffic capture file
  274. #
  275. # Network Instruments Observer capture files.
  276. #
  277. 0 string ObserverPktBuffe Network Instruments Observer capture file
  278. #
  279. # Files from Accellent Group's 5View products.
  280. #
  281. 0 string \xaa\xaa\xaa\xaa 5View capture file