
#------------------------------------------------------------------------------
# sniffer: file(1) magic for packet capture files
#
# From: guy@alum.mit.edu (Guy Harris)
#

#
# Microsoft Network Monitor 1.x capture files.
#
0	string	RTSS	NetMon capture file
>5	byte	x	- version %d
>4	byte	x	\b.%d
>6	leshort	0	(Unknown)
>6	leshort	1	(Ethernet)
>6	leshort	2	(Token Ring)
>6	leshort	3	(FDDI)
>6	leshort	4	(ATM)

#
# Microsoft Network Monitor 2.x capture files.
#
0	string	GMBU	NetMon capture file
>5	byte	x	- version %d
>4	byte	x	\b.%d
>6	leshort	0	(Unknown)
>6	leshort	1	(Ethernet)
>6	leshort	2	(Token Ring)
>6	leshort	3	(FDDI)
>6	leshort	4	(ATM)

#
# Network General Sniffer capture files.
# Sorry, make that "Network Associates Sniffer capture files."
# Sorry, make that "Network General old DOS Sniffer capture files."
#
0	string	TRSNIFF\ data\ \ \ \ \032	Sniffer capture file
>33	byte	2	(compressed)
>23	leshort	x	- version %d
>25	leshort	x	\b.%d
>32	byte	0	(Token Ring)
>32	byte	1	(Ethernet)
>32	byte	2	(ARCNET)
>32	byte	3	(StarLAN)
>32	byte	4	(PC Network broadband)
>32	byte	5	(LocalTalk)
>32	byte	6	(Znet)
>32	byte	7	(Internetwork Analyzer)
>32	byte	9	(FDDI)
>32	byte	10	(ATM)

#
# Cinco Networks NetXRay capture files.
# Sorry, make that "Network General Sniffer Basic capture files."
# Sorry, make that "Network Associates Sniffer Basic capture files."
# Sorry, make that "Network Associates Sniffer Basic, and Windows
# Sniffer Pro", capture files."
# Sorry, make that "Network General Sniffer capture files."
#
0	string	XCP\0	NetXRay capture file
>4	string	>\0	- version %s
>44	leshort	0	(Ethernet)
>44	leshort	1	(Token Ring)
>44	leshort	2	(FDDI)
>44	leshort	3	(WAN)
>44	leshort	8	(ATM)
>44	leshort	9	(802.11)

#
# "libpcap" capture files.
# (We call them "tcpdump capture file(s)" for now, as "tcpdump" is
# the main program that uses that format, but there are other programs
# that use "libpcap", or that use the same capture file format.)
#
0	ubelong	0xa1b2c3d4	tcpdump capture file (big-endian)
>4	beshort	x	- version %d
>6	beshort	x	\b.%d
>20	belong	0	(No link-layer encapsulation
>20	belong	1	(Ethernet
>20	belong	2	(3Mb Ethernet
>20	belong	3	(AX.25
>20	belong	4	(ProNET
>20	belong	5	(CHAOS
>20	belong	6	(Token Ring
>20	belong	7	(BSD ARCNET
>20	belong	8	(SLIP
>20	belong	9	(PPP
>20	belong	10	(FDDI
>20	belong	11	(RFC 1483 ATM
>20	belong	12	(raw IP
>20	belong	13	(BSD/OS SLIP
>20	belong	14	(BSD/OS PPP
>20	belong	19	(Linux ATM Classical IP
>20	belong	50	(PPP or Cisco HDLC
>20	belong	51	(PPP-over-Ethernet
>20	belong	99	(Symantec Enterprise Firewall
>20	belong	100	(RFC 1483 ATM
>20	belong	101	(raw IP
>20	belong	102	(BSD/OS SLIP
>20	belong	103	(BSD/OS PPP
>20	belong	104	(BSD/OS Cisco HDLC
>20	belong	105	(802.11
>20	belong	106	(Linux Classical IP over ATM
>20	belong	107	(Frame Relay
>20	belong	108	(OpenBSD loopback
>20	belong	109	(OpenBSD IPsec encrypted
>20	belong	112	(Cisco HDLC
>20	belong	113	(Linux "cooked"
>20	belong	114	(LocalTalk
>20	belong	117	(OpenBSD PFLOG
>20	belong	119	(802.11 with Prism header
>20	belong	122	(RFC 2625 IP over Fibre Channel
>20	belong	123	(SunATM
>20	belong	127	(802.11 with radiotap header
>20	belong	129	(Linux ARCNET
>20	belong	138	(Apple IP over IEEE 1394
>20	belong	140	(MTP2
>20	belong	141	(MTP3
>20	belong	143	(DOCSIS
>20	belong	144	(IrDA
>20	belong	147	(Private use 0
>20	belong	148	(Private use 1
>20	belong	149	(Private use 2
>20	belong	150	(Private use 3
>20	belong	151	(Private use 4
>20	belong	152	(Private use 5
>20	belong	153	(Private use 6
>20	belong	154	(Private use 7
>20	belong	155	(Private use 8
>20	belong	156	(Private use 9
>20	belong	157	(Private use 10
>20	belong	158	(Private use 11
>20	belong	159	(Private use 12
>20	belong	160	(Private use 13
>20	belong	161	(Private use 14
>20	belong	162	(Private use 15
>20	belong	163	(802.11 with AVS header
>16	belong	x	\b, capture length %d)
0	ulelong	0xa1b2c3d4	tcpdump capture file (little-endian)
>4	leshort	x	- version %d
>6	leshort	x	\b.%d
>20	lelong	0	(No link-layer encapsulation
>20	lelong	1	(Ethernet
>20	lelong	2	(3Mb Ethernet
>20	lelong	3	(AX.25
>20	lelong	4	(ProNET
>20	lelong	5	(CHAOS
>20	lelong	6	(Token Ring
>20	lelong	7	(ARCNET
>20	lelong	8	(SLIP
>20	lelong	9	(PPP
>20	lelong	10	(FDDI
>20	lelong	11	(RFC 1483 ATM
>20	lelong	12	(raw IP
>20	lelong	13	(BSD/OS SLIP
>20	lelong	14	(BSD/OS PPP
>20	lelong	19	(Linux ATM Classical IP
>20	lelong	50	(PPP or Cisco HDLC
>20	lelong	51	(PPP-over-Ethernet
>20	lelong	99	(Symantec Enterprise Firewall
>20	lelong	100	(RFC 1483 ATM
>20	lelong	101	(raw IP
>20	lelong	102	(BSD/OS SLIP
>20	lelong	103	(BSD/OS PPP
>20	lelong	104	(BSD/OS Cisco HDLC
>20	lelong	105	(802.11
>20	lelong	106	(Linux Classical IP over ATM
>20	lelong	107	(Frame Relay
>20	lelong	108	(OpenBSD loopback
>20	lelong	109	(OpenBSD IPsec encrypted
>20	lelong	112	(Cisco HDLC
>20	lelong	113	(Linux "cooked"
>20	lelong	114	(LocalTalk
>20	lelong	117	(OpenBSD PFLOG
>20	lelong	119	(802.11 with Prism header
>20	lelong	122	(RFC 2625 IP over Fibre Channel
>20	lelong	123	(SunATM
>20	lelong	127	(802.11 with radiotap header
>20	lelong	129	(Linux ARCNET
>20	lelong	138	(Apple IP over IEEE 1394
>20	lelong	140	(MTP2
>20	lelong	141	(MTP3
>20	lelong	143	(DOCSIS
>20	lelong	144	(IrDA
>20	lelong	147	(Private use 0
>20	lelong	148	(Private use 1
>20	lelong	149	(Private use 2
>20	lelong	150	(Private use 3
>20	lelong	151	(Private use 4
>20	lelong	152	(Private use 5
>20	lelong	153	(Private use 6
>20	lelong	154	(Private use 7
>20	lelong	155	(Private use 8
>20	lelong	156	(Private use 9
>20	lelong	157	(Private use 10
>20	lelong	158	(Private use 11
>20	lelong	159	(Private use 12
>20	lelong	160	(Private use 13
>20	lelong	161	(Private use 14
>20	lelong	162	(Private use 15
>20	lelong	163	(802.11 with AVS header
>16	lelong	x	\b, capture length %d)

#
# "libpcap"-with-Alexey-Kuznetsov's-patches capture files.
# (We call them "tcpdump capture file(s)" for now, as "tcpdump" is
# the main program that uses that format, but there are other programs
# that use "libpcap", or that use the same capture file format.)
#
0	ubelong	0xa1b2cd34	extended tcpdump capture file (big-endian)
>4	beshort	x	- version %d
>6	beshort	x	\b.%d
>20	belong	0	(No link-layer encapsulation
>20	belong	1	(Ethernet
>20	belong	2	(3Mb Ethernet
>20	belong	3	(AX.25
>20	belong	4	(ProNET
>20	belong	5	(CHAOS
>20	belong	6	(Token Ring
>20	belong	7	(ARCNET
>20	belong	8	(SLIP
>20	belong	9	(PPP
>20	belong	10	(FDDI
>20	belong	11	(RFC 1483 ATM
>20	belong	12	(raw IP
>20	belong	13	(BSD/OS SLIP
>20	belong	14	(BSD/OS PPP
>16	belong	x	\b, capture length %d)
0	ulelong	0xa1b2cd34	extended tcpdump capture file (little-endian)
>4	leshort	x	- version %d
>6	leshort	x	\b.%d
>20	lelong	0	(No link-layer encapsulation
>20	lelong	1	(Ethernet
>20	lelong	2	(3Mb Ethernet
>20	lelong	3	(AX.25
>20	lelong	4	(ProNET
>20	lelong	5	(CHAOS
>20	lelong	6	(Token Ring
>20	lelong	7	(ARCNET
>20	lelong	8	(SLIP
>20	lelong	9	(PPP
>20	lelong	10	(FDDI
>20	lelong	11	(RFC 1483 ATM
>20	lelong	12	(raw IP
>20	lelong	13	(BSD/OS SLIP
>20	lelong	14	(BSD/OS PPP
>16	lelong	x	\b, capture length %d)

#
# AIX "iptrace" capture files.
#
0	string	iptrace\ 1.0	"iptrace" capture file
0	string	iptrace\ 2.0	"iptrace" capture file

#
# Novell LANalyzer capture files.
#
0	leshort	0x1001	LANalyzer capture file
0	leshort	0x1007	LANalyzer capture file

#
# HP-UX "nettl" capture files.
#
0	string	\x54\x52\x00\x64\x00	"nettl" capture file

#
# RADCOM WAN/LAN Analyzer capture files.
#
0	string	\x42\xd2\x00\x34\x12\x66\x22\x88	RADCOM WAN/LAN Analyzer capture file

#
# NetStumbler log files.  Not really packets, per se, but about as
# close as you can get.  These are log files from NetStumbler, a
# Windows program, that scans for 802.11b networks.
#
0	string	NetS	NetStumbler log file
>8	lelong	x	\b, %d stations found

#
# EtherPeek/AiroPeek "version 9" capture files.
#
0	string	\177ver	EtherPeek/AiroPeek capture file

#
# Visual Networks traffic capture files.
#
0	string	\x05VNF	Visual Networks traffic capture file

#
# Network Instruments Observer capture files.
#
0	string	ObserverPktBuffe	Network Instruments Observer capture file

#
# Files from Accellent Group's 5View products.
#
0	string	\xaa\xaa\xaa\xaa	5View capture file

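The libpcap rules above read the magic at offset 0 in both byte orders (0xa1b2c3d4 for plain libpcap, 0xa1b2cd34 for the Kuznetsov-patched variant), the version at offsets 4 and 6, the snapshot length at 16 and the link-layer type at 20. The following is an added example, not part of this magic file or of file(1): it applies the same offsets to a 24-byte global header and builds the description file(1) would print. The function name, the constructed sample headers and the trimmed link-type table are this example's own.

```python
import struct

# Magic values and the description the magic file attaches to each.
PCAP_MAGICS = {
    0xA1B2C3D4: "tcpdump capture file",
    0xA1B2CD34: "extended tcpdump capture file",
}

# Subset of the ">20" link-layer type table from the magic file.
LINKTYPES = {
    0: "No link-layer encapsulation", 1: "Ethernet", 6: "Token Ring",
    8: "SLIP", 9: "PPP", 10: "FDDI", 12: "raw IP", 105: "802.11",
    113: 'Linux "cooked"', 127: "802.11 with radiotap header",
}


def identify_pcap(data: bytes):
    """Apply the magic file's libpcap rules to a global header.

    Returns the description string, or None when the buffer is shorter
    than the 24-byte header or offset 0 holds neither known magic.
    """
    if len(data) < 24:              # refuse a truncated header outright
        return None
    # "ubelong" then "ulelong": try the value in both byte orders.
    for order, fmt in (("big-endian", ">"), ("little-endian", "<")):
        magic = struct.unpack(fmt + "I", data[:4])[0]
        if magic in PCAP_MAGICS:
            break
    else:
        return None
    # Same offsets as the magic file: 4/6 version, 16 snaplen, 20 linktype.
    major, minor = struct.unpack(fmt + "HH", data[4:8])
    snaplen, linktype = struct.unpack(fmt + "II", data[16:24])
    # In the magic file the "(" lives on each ">20" line and the ")" on
    # the ">16" line, so a link type missing from the table would leave
    # the output unbalanced; fall back to the raw number instead.
    link = LINKTYPES.get(linktype, f"link type {linktype}")
    return (f"{PCAP_MAGICS[magic]} ({order}) - version {major}.{minor} "
            f"({link}, capture length {snaplen})")


# Constructed sample headers (magic, major, minor, thiszone, sigfigs,
# snaplen, linktype), not taken from any real capture.
SAMPLE_LE = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
SAMPLE_BE_EXT = struct.pack(">IHHiIII", 0xA1B2CD34, 2, 4, 0, 0, 262144, 9)
SAMPLE_UNKNOWN_LT = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 1500, 200)

if __name__ == "__main__":
    for hdr in (SAMPLE_LE, SAMPLE_BE_EXT, SAMPLE_UNKNOWN_LT):
        print(identify_pcap(hdr))
```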