xref: /dragonfly/contrib/file/magic/Magdir/sniffer (revision 235099c3) 
1
2#------------------------------------------------------------------------------
3# sniffer:  file(1) magic for packet capture files
4#
5# From: guy@alum.mit.edu (Guy Harris)
6#
7
8#
9# Microsoft Network Monitor 1.x capture files.
10#
110	string		RTSS		NetMon capture file
12>5	byte		x		- version %d
13>4	byte		x		\b.%d
14>6	leshort		0		(Unknown)
15>6	leshort		1		(Ethernet)
16>6	leshort		2		(Token Ring)
17>6	leshort		3		(FDDI)
18>6	leshort		4		(ATM)
19
20#
21# Microsoft Network Monitor 2.x capture files.
22#
230	string		GMBU		NetMon capture file
24>5	byte		x		- version %d
25>4	byte		x		\b.%d
26>6	leshort		0		(Unknown)
27>6	leshort		1		(Ethernet)
28>6	leshort		2		(Token Ring)
29>6	leshort		3		(FDDI)
30>6	leshort		4		(ATM)
31
32#
33# Network General Sniffer capture files.
34# Sorry, make that "Network Associates Sniffer capture files."
35# Sorry, make that "Network General old DOS Sniffer capture files."
36#
370	string		TRSNIFF\ data\ \ \ \ \032	Sniffer capture file
38>33	byte		2		(compressed)
39>23	leshort		x		- version %d
40>25	leshort		x		\b.%d
41>32	byte		0		(Token Ring)
42>32	byte		1		(Ethernet)
43>32	byte		2		(ARCNET)
44>32	byte		3		(StarLAN)
45>32	byte		4		(PC Network broadband)
46>32	byte		5		(LocalTalk)
47>32	byte		6		(Znet)
48>32	byte		7		(Internetwork Analyzer)
49>32	byte		9		(FDDI)
50>32	byte		10		(ATM)
51
52#
53# Cinco Networks NetXRay capture files.
54# Sorry, make that "Network General Sniffer Basic capture files."
55# Sorry, make that "Network Associates Sniffer Basic capture files."
56# Sorry, make that "Network Associates Sniffer Basic, and Windows
57# Sniffer Pro", capture files."
58# Sorry, make that "Network General Sniffer capture files."
59#
600	string		XCP\0		NetXRay capture file
61>4	string		>\0		- version %s
62>44	leshort		0		(Ethernet)
63>44	leshort		1		(Token Ring)
64>44	leshort		2		(FDDI)
65>44	leshort		3		(WAN)
66>44	leshort		8		(ATM)
67>44	leshort		9		(802.11)
68
69#
70# "libpcap" capture files.
71# (We call them "tcpdump capture file(s)" for now, as "tcpdump" is
72# the main program that uses that format, but there are other programs
73# that use "libpcap", or that use the same capture file format.)
74#
750	ubelong		0xa1b2c3d4	tcpdump capture file (big-endian)
76>4	beshort		x		- version %d
77>6	beshort		x		\b.%d
78>20	belong		0		(No link-layer encapsulation
79>20	belong		1		(Ethernet
80>20	belong		2		(3Mb Ethernet
81>20	belong		3		(AX.25
82>20	belong		4		(ProNET
83>20	belong		5		(CHAOS
84>20	belong		6		(Token Ring
85>20	belong		7		(BSD ARCNET
86>20	belong		8		(SLIP
87>20	belong		9		(PPP
88>20	belong		10		(FDDI
89>20	belong		11		(RFC 1483 ATM
90>20	belong		12		(raw IP
91>20	belong		13		(BSD/OS SLIP
92>20	belong		14		(BSD/OS PPP
93>20	belong		19		(Linux ATM Classical IP
94>20	belong		50		(PPP or Cisco HDLC
95>20	belong		51		(PPP-over-Ethernet
96>20	belong		99		(Symantec Enterprise Firewall
97>20	belong		100		(RFC 1483 ATM
98>20	belong		101		(raw IP
99>20	belong		102		(BSD/OS SLIP
100>20	belong		103		(BSD/OS PPP
101>20	belong		104		(BSD/OS Cisco HDLC
102>20	belong		105		(802.11
103>20	belong		106		(Linux Classical IP over ATM
104>20	belong		107		(Frame Relay
105>20	belong		108		(OpenBSD loopback
106>20	belong		109		(OpenBSD IPsec encrypted
107>20	belong		112		(Cisco HDLC
108>20	belong		113		(Linux "cooked"
109>20	belong		114		(LocalTalk
110>20	belong		117		(OpenBSD PFLOG
111>20	belong		119		(802.11 with Prism header
112>20	belong		122		(RFC 2625 IP over Fibre Channel
113>20	belong		123		(SunATM
114>20	belong		127		(802.11 with radiotap header
115>20	belong		129		(Linux ARCNET
116>20	belong		138		(Apple IP over IEEE 1394
117>20	belong		140		(MTP2
118>20	belong		141		(MTP3
119>20	belong		143		(DOCSIS
120>20	belong		144		(IrDA
121>20	belong		147		(Private use 0
122>20	belong		148		(Private use 1
123>20	belong		149		(Private use 2
124>20	belong		150		(Private use 3
125>20	belong		151		(Private use 4
126>20	belong		152		(Private use 5
127>20	belong		153		(Private use 6
128>20	belong		154		(Private use 7
129>20	belong		155		(Private use 8
130>20	belong		156		(Private use 9
131>20	belong		157		(Private use 10
132>20	belong		158		(Private use 11
133>20	belong		159		(Private use 12
134>20	belong		160		(Private use 13
135>20	belong		161		(Private use 14
136>20	belong		162		(Private use 15
137>20	belong		163		(802.11 with AVS header
138>16	belong		x		\b, capture length %d)
1390	ulelong		0xa1b2c3d4	tcpdump capture file (little-endian)
140>4	leshort		x		- version %d
141>6	leshort		x		\b.%d
142>20	lelong		0		(No link-layer encapsulation
143>20	lelong		1		(Ethernet
144>20	lelong		2		(3Mb Ethernet
145>20	lelong		3		(AX.25
146>20	lelong		4		(ProNET
147>20	lelong		5		(CHAOS
148>20	lelong		6		(Token Ring
149>20	lelong		7		(ARCNET
150>20	lelong		8		(SLIP
151>20	lelong		9		(PPP
152>20	lelong		10		(FDDI
153>20	lelong		11		(RFC 1483 ATM
154>20	lelong		12		(raw IP
155>20	lelong		13		(BSD/OS SLIP
156>20	lelong		14		(BSD/OS PPP
157>20	lelong		19		(Linux ATM Classical IP
158>20	lelong		50		(PPP or Cisco HDLC
159>20	lelong		51		(PPP-over-Ethernet
160>20	lelong		99		(Symantec Enterprise Firewall
161>20	lelong		100		(RFC 1483 ATM
162>20	lelong		101		(raw IP
163>20	lelong		102		(BSD/OS SLIP
164>20	lelong		103		(BSD/OS PPP
165>20	lelong		104		(BSD/OS Cisco HDLC
166>20	lelong		105		(802.11
167>20	lelong		106		(Linux Classical IP over ATM
168>20	lelong		107		(Frame Relay
169>20	lelong		108		(OpenBSD loopback
170>20	lelong		109		(OpenBSD IPsec encrypted
171>20	lelong		112		(Cisco HDLC
172>20	lelong		113		(Linux "cooked"
173>20	lelong		114		(LocalTalk
174>20	lelong		117		(OpenBSD PFLOG
175>20	lelong		119		(802.11 with Prism header
176>20	lelong		122		(RFC 2625 IP over Fibre Channel
177>20	lelong		123		(SunATM
178>20	lelong		127		(802.11 with radiotap header
179>20	lelong		129		(Linux ARCNET
180>20	lelong		138		(Apple IP over IEEE 1394
181>20	lelong		140		(MTP2
182>20	lelong		141		(MTP3
183>20	lelong		143		(DOCSIS
184>20	lelong		144		(IrDA
185>20	lelong		147		(Private use 0
186>20	lelong		148		(Private use 1
187>20	lelong		149		(Private use 2
188>20	lelong		150		(Private use 3
189>20	lelong		151		(Private use 4
190>20	lelong		152		(Private use 5
191>20	lelong		153		(Private use 6
192>20	lelong		154		(Private use 7
193>20	lelong		155		(Private use 8
194>20	lelong		156		(Private use 9
195>20	lelong		157		(Private use 10
196>20	lelong		158		(Private use 11
197>20	lelong		159		(Private use 12
198>20	lelong		160		(Private use 13
199>20	lelong		161		(Private use 14
200>20	lelong		162		(Private use 15
201>20	lelong		163		(802.11 with AVS header
202>16	lelong		x		\b, capture length %d)
203
204#
205# "libpcap"-with-Alexey-Kuznetsov's-patches capture files.
206# (We call them "tcpdump capture file(s)" for now, as "tcpdump" is
207# the main program that uses that format, but there are other programs
208# that use "libpcap", or that use the same capture file format.)
209#
2100	ubelong		0xa1b2cd34	extended tcpdump capture file (big-endian)
211>4	beshort		x		- version %d
212>6	beshort		x		\b.%d
213>20	belong		0		(No link-layer encapsulation
214>20	belong		1		(Ethernet
215>20	belong		2		(3Mb Ethernet
216>20	belong		3		(AX.25
217>20	belong		4		(ProNET
218>20	belong		5		(CHAOS
219>20	belong		6		(Token Ring
220>20	belong		7		(ARCNET
221>20	belong		8		(SLIP
222>20	belong		9		(PPP
223>20	belong		10		(FDDI
224>20	belong		11		(RFC 1483 ATM
225>20	belong		12		(raw IP
226>20	belong		13		(BSD/OS SLIP
227>20	belong		14		(BSD/OS PPP
228>16	belong		x		\b, capture length %d)
2290	ulelong		0xa1b2cd34	extended tcpdump capture file (little-endian)
230>4	leshort		x		- version %d
231>6	leshort		x		\b.%d
232>20	lelong		0		(No link-layer encapsulation
233>20	lelong		1		(Ethernet
234>20	lelong		2		(3Mb Ethernet
235>20	lelong		3		(AX.25
236>20	lelong		4		(ProNET
237>20	lelong		5		(CHAOS
238>20	lelong		6		(Token Ring
239>20	lelong		7		(ARCNET
240>20	lelong		8		(SLIP
241>20	lelong		9		(PPP
242>20	lelong		10		(FDDI
243>20	lelong		11		(RFC 1483 ATM
244>20	lelong		12		(raw IP
245>20	lelong		13		(BSD/OS SLIP
246>20	lelong		14		(BSD/OS PPP
247>16	lelong		x		\b, capture length %d)
248
249#
250# AIX "iptrace" capture files.
251#
2520	string		iptrace\ 1.0	"iptrace" capture file
2530	string		iptrace\ 2.0	"iptrace" capture file
254
255#
256# Novell LANalyzer capture files.
257#
2580	leshort		0x1001		LANalyzer capture file
2590	leshort		0x1007		LANalyzer capture file
260
261#
262# HP-UX "nettl" capture files.
263#
2640	string		\x54\x52\x00\x64\x00	"nettl" capture file
265
266#
267# RADCOM WAN/LAN Analyzer capture files.
268#
2690	string		\x42\xd2\x00\x34\x12\x66\x22\x88	RADCOM WAN/LAN Analyzer capture file
270
271#
272# NetStumbler log files.  Not really packets, per se, but about as
273# close as you can get.  These are log files from NetStumbler, a
274# Windows program, that scans for 802.11b networks.
275#
2760	string		NetS		NetStumbler log file
277>8	lelong		x		\b, %d stations found
278
279#
280# EtherPeek/AiroPeek "version 9" capture files.
281#
2820	string		\177ver		EtherPeek/AiroPeek capture file
283
284#
285# Visual Networks traffic capture files.
286#
2870	string		\x05VNF		Visual Networks traffic capture file
288
289#
290# Network Instruments Observer capture files.
291#
2920	string		ObserverPktBuffe	Network Instruments Observer capture file
293
294#
295# Files from Accellent Group's 5View products.
296#
2970	string		\xaa\xaa\xaa\xaa	5View capture file
298