usr.bin/file/magdir/sniffer


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242

#	$OpenBSD: sniffer,v 1.4 2004/06/03 03:36:46 tedu Exp $

#------------------------------------------------------------------------------
# sniffer:  file(1) magic for packet capture files
#
# From: guy@alum.mit.edu (Guy Harris)
#

#
# Microsoft Network Monitor 1.x capture files.
#
0	string		RTSS		NetMon capture file
>5	byte		x		- version %d
>4	byte		x		\b.%d
>6	leshort		0		(Unknown)
>6	leshort		1		(Ethernet)
>6	leshort		2		(Token Ring)
>6	leshort		3		(FDDI)
>6	leshort		4		(ATM)

#
# Microsoft Network Monitor 2.x capture files.
#
0	string		GMBU		NetMon capture file
>5	byte		x		- version %d
>4	byte		x		\b.%d
>6	leshort		0		(Unknown)
>6	leshort		1		(Ethernet)
>6	leshort		2		(Token Ring)
>6	leshort		3		(FDDI)
>6	leshort		4		(ATM)

#
# Network General Sniffer capture files.
# Sorry, make that "Network Associates Sniffer capture files."
#
0	string		TRSNIFF\ data\ \ \ \ \032	Sniffer capture file
>33	byte		2		(compressed)
>23	leshort		x		- version %d
>25	leshort		x		\b.%d
>32	byte		0		(Token Ring)
>32	byte		1		(Ethernet)
>32	byte		2		(ARCNET)
>32	byte		3		(StarLAN)
>32	byte		4		(PC Network broadband)
>32	byte		5		(LocalTalk)
>32	byte		6		(Znet)
>32	byte		7		(Internetwork Analyzer)
>32	byte		9		(FDDI)
>32	byte		10		(ATM)

#
# Cinco Networks NetXRay capture files.
# Sorry, make that "Network General Sniffer Basic capture files."
# Sorry, make that "Network Associates Sniffer Basic capture files."
# Sorry, make that "Network Associates Sniffer Basic, and Windows
# Sniffer Pro", capture files."
#
0	string		XCP\0		NetXRay capture file
>4	string		>\0		- version %s
>44	leshort		0		(Ethernet)
>44	leshort		1		(Token Ring)
>44	leshort		2		(FDDI)
>44	leshort		3		(WAN)
>44	leshort		8		(ATM)
>44	leshort		9		(802.11)

#
# "libpcap" capture files.
# (We call them "tcpdump capture file(s)" for now, as "tcpdump" is
# the main program that uses that format, but there are other programs
# that use "libpcap", or that use the same capture file format.)
#
0	ubelong		0xa1b2c3d4	tcpdump capture file (big-endian)
>4	beshort		x		- version %d
>6	beshort		x		\b.%d
>20	belong		0		(No link-layer encapsulation
>20	belong		1		(Ethernet
>20	belong		2		(3Mb Ethernet
>20	belong		3		(AX.25
>20	belong		4		(ProNET
>20	belong		5		(CHAOS
>20	belong		6		(Token Ring
>20	belong		7		(BSD ARCNET
>20	belong		8		(SLIP
>20	belong		9		(PPP
>20	belong		10		(FDDI
>20	belong		11		(RFC 1483 ATM
>20	belong		12		(Loopback
>20	belong		13		(IPSec Enc
>20	belong		14		(Raw IP
>20	belong		15		(BSD/OS SLIP
>20	belong		16		(BSD/OS PPP
>20	belong		17		(Old PF Log
>20	belong		18		(PFSync
>20	belong		50		(PPP or Cisco HDLC
>20	belong		51		(PPP-over-Ethernet
>20	belong		100		(RFC 1483 ATM
>20	belong		101		(raw IP
>20	belong		102		(BSD/OS SLIP
>20	belong		103		(BSD/OS PPP
>20	belong		104		(BSD/OS Cisco HDLC
>20	belong		105		(802.11
>20	belong		106		(Linux Classical IP over ATM
>20	belong		107		(Frame Relay
>20	belong		108		(OpenBSD loopback
>20	belong		109		(OpenBSD IPsec encrypted
>20	belong		112		(Cisco HDLC
>20	belong		113		(Linux "cooked"
>20	belong		114		(LocalTalk
>20	belong		117		(OpenBSD PFLOG
>20	belong		119		(802.11 with Prism header
>20	belong		123		(SunATM
>20	belong		127		(802.11 with radiotap header
>20	belong		129		(Linux ARCNET
>20	belong		140		(MTP2
>20	belong		141		(MTP3
>20	belong		143		(DOCSIS
>20	belong		144		(IrDA
>16	belong		x		\b, capture length %d)
0	ulelong		0xa1b2c3d4	tcpdump capture file (little-endian)
>4	leshort		x		- version %d
>6	leshort		x		\b.%d
>20	lelong		0		(No link-layer encapsulation
>20	lelong		1		(Ethernet
>20	lelong		2		(3Mb Ethernet
>20	lelong		3		(AX.25
>20	lelong		4		(ProNET
>20	lelong		5		(CHAOS
>20	lelong		6		(Token Ring
>20	lelong		7		(ARCNET
>20	lelong		8		(SLIP
>20	lelong		9		(PPP
>20	lelong		10		(FDDI
>20	lelong		11		(RFC 1483 ATM
>20	lelong		12		(Loopback
>20	lelong		13		(IPSec Enc
>20	lelong		14		(Raw IP
>20	lelong		15		(BSD/OS SLIP
>20	lelong		16		(BSD/OS PPP
>20	lelong		17		(Old PF Log
>20	lelong		18		(PFSync
>20	lelong		50		(PPP or Cisco HDLC
>20	lelong		51		(PPP-over-Ethernet
>20	lelong		100		(RFC 1483 ATM
>20	lelong		101		(raw IP
>20	lelong		102		(BSD/OS SLIP
>20	lelong		103		(BSD/OS PPP
>20	lelong		104		(BSD/OS Cisco HDLC
>20	lelong		105		(802.11
>20	lelong		106		(Linux Classical IP over ATM
>20	lelong		107		(Frame Relay
>20	lelong		108		(OpenBSD loopback
>20	lelong		109		(OpenBSD IPSEC encrypted
>20	lelong		112		(Cisco HDLC
>20	lelong		113		(Linux "cooked"
>20	lelong		114		(LocalTalk
>20	lelong		117		(OpenBSD PFLOG
>20	lelong		119		(802.11 with Prism header
>20	lelong		123		(SunATM
>20	lelong		127		(802.11 with radiotap header
>20	lelong		129		(Linux ARCNET
>20	lelong		140		(MTP2
>20	lelong		141		(MTP3
>20	lelong		143		(DOCSIS
>20	lelong		144		(IrDA
>16	lelong		x		\b, capture length %d)

#
# "libpcap"-with-Alexey-Kuznetsov's-patches capture files.
# (We call them "tcpdump capture file(s)" for now, as "tcpdump" is
# the main program that uses that format, but there are other programs
# that use "libpcap", or that use the same capture file format.)
#
0	ubelong		0xa1b2cd34	extended tcpdump capture file (big-endian)
>4	beshort		x		- version %d
>6	beshort		x		\b.%d
>20	belong		0		(No link-layer encapsulation
>20	belong		1		(Ethernet
>20	belong		2		(3Mb Ethernet
>20	belong		3		(AX.25
>20	belong		4		(ProNET
>20	belong		5		(CHAOS
>20	belong		6		(Token Ring
>20	belong		7		(ARCNET
>20	belong		8		(SLIP
>20	belong		9		(PPP
>20	belong		10		(FDDI
>20	belong		11		(RFC 1483 ATM
>20	belong		12		(raw IP
>20	belong		13		(BSD/OS SLIP
>20	belong		14		(BSD/OS PPP
>16	belong		x		\b, capture length %d)
0	ulelong		0xa1b2cd34	extended tcpdump capture file (little-endian)
>4	leshort		x		- version %d
>6	leshort		x		\b.%d
>20	lelong		0		(No link-layer encapsulation
>20	lelong		1		(Ethernet
>20	lelong		2		(3Mb Ethernet
>20	lelong		3		(AX.25
>20	lelong		4		(ProNET
>20	lelong		5		(CHAOS
>20	lelong		6		(Token Ring
>20	lelong		7		(ARCNET
>20	lelong		8		(SLIP
>20	lelong		9		(PPP
>20	lelong		10		(FDDI
>20	lelong		11		(RFC 1483 ATM
>20	lelong		12		(raw IP
>20	lelong		13		(BSD/OS SLIP
>20	lelong		14		(BSD/OS PPP
>16	lelong		x		\b, capture length %d)

#
# AIX "iptrace" capture files.
#
0	string		iptrace\ 1.0	"iptrace" capture file
0	string		iptrace\ 2.0	"iptrace" capture file

#
# Novell LANalyzer capture files.
#
0	leshort		0x1001		LANalyzer capture file
0	leshort		0x1007		LANalyzer capture file

#
# HP-UX "nettl" capture files.
#
0	string		\x54\x52\x00\x64\x00	"nettl" capture file

#
# RADCOM WAN/LAN Analyzer capture files.
#
0	string		\x42\xd2\x00\x34\x12\x66\x22\x88	RADCOM WAN/LAN Analyzer capture file

#
# NetStumbler log files.  Not really packets, per se, but about as
# close as you can get.  These are log files from NetStumbler, a
# Windows program, that scans for 802.11b networks.
#
0	string		NetS		NetStumbler log file
>8	lelong		x		\b, %d stations found