HardenedBSD/contrib/file/Magdir/sniffer

206 lines
5.6 KiB
Plaintext

#------------------------------------------------------------------------------
# sniffer: file(1) magic for packet capture files
#
# From: guy@alum.mit.edu (Guy Harris)
#
#
# Microsoft Network Monitor 1.x capture files.
#
0 string RTSS NetMon capture file
>4 byte x - version %d
>5 byte x \b.%d
>6 leshort 0 (Unknown)
>6 leshort 1 (Ethernet)
>6 leshort 2 (Token Ring)
>6 leshort 3 (FDDI)
#
# Microsoft Network Monitor 2.x capture files.
#
0 string GMBU NetMon capture file
>4 byte x - version %d
>5 byte x \b.%d
>6 leshort 0 (Unknown)
>6 leshort 1 (Ethernet)
>6 leshort 2 (Token Ring)
>6 leshort 3 (FDDI)
#
# Network General Sniffer capture files.
# Sorry, make that "Network Associates Sniffer capture files."
#
0 string TRSNIFF\ data\ \ \ \ \032 Sniffer capture file
>33 byte 2 (compressed)
>23 leshort x - version %d
>25 leshort x \b.%d
>32 byte 0 (Token Ring)
>32 byte 1 (Ethernet)
>32 byte 2 (ARCNET)
>32 byte 3 (StarLAN)
>32 byte 4 (PC Network broadband)
>32 byte 5 (LocalTalk)
>32 byte 6 (Znet)
>32 byte 7 (Internetwork Analyzer)
>32 byte 9 (FDDI)
>32 byte 10 (ATM)
#
# Cinco Networks NetXRay capture files.
# Sorry, make that "Network General Sniffer Basic capture files."
# Sorry, make that "Network Associates Sniffer Basic capture files."
# Sorry, make that "Network Associates Sniffer Basic, and Windows
# Sniffer Pro", capture files."
#
0 string XCP\0 NetXRay capture file
>4 string >\0 - version %s
>44 leshort 0 (Ethernet)
>44 leshort 1 (Token Ring)
>44 leshort 2 (FDDI)
#
# "libpcap" capture files.
# (We call them "tcpdump capture file(s)" for now, as "tcpdump" is
# the main program that uses that format, but there are other programs
# that use "libpcap", or that use the same capture file format.)
#
0 ubelong 0xa1b2c3d4 tcpdump capture file (big-endian)
>4 beshort x - version %d
>6 beshort x \b.%d
>20 belong 0 (No link-layer encapsulation
>20 belong 1 (Ethernet
>20 belong 2 (3Mb Ethernet
>20 belong 3 (AX.25
>20 belong 4 (ProNET
>20 belong 5 (CHAOS
>20 belong 6 (Token Ring
>20 belong 7 (ARCNET
>20 belong 8 (SLIP
>20 belong 9 (PPP
>20 belong 10 (FDDI
>20 belong 11 (RFC 1483 ATM
>20 belong 12 (raw IP
>20 belong 13 (BSD/OS SLIP
>20 belong 14 (BSD/OS PPP
>20 belong 50 (PPP or Cisco HDLC
>20 belong 51 (PPP-over-Ethernet
>20 belong 100 (RFC 1483 ATM
>20 belong 101 (raw IP
>20 belong 102 (BSD/OS SLIP
>20 belong 103 (BSD/OS PPP
>20 belong 104 (BSD/OS Cisco HDLC
>20 belong 105 (802.11
>20 belong 106 (Linux Classical IP over ATM
>20 belong 108 (OpenBSD loopback
>20 belong 109 (OpenBSD IPSEC encrypted
>20 belong 113 (Linux "cooked"
>20 belong 114 (LocalTalk
>16 belong x \b, capture length %d)
0 ulelong 0xa1b2c3d4 tcpdump capture file (little-endian)
>4 leshort x - version %d
>6 leshort x \b.%d
>20 lelong 0 (No link-layer encapsulation
>20 lelong 1 (Ethernet
>20 lelong 2 (3Mb Ethernet
>20 lelong 3 (AX.25
>20 lelong 4 (ProNET
>20 lelong 5 (CHAOS
>20 lelong 6 (Token Ring
>20 lelong 7 (ARCNET
>20 lelong 8 (SLIP
>20 lelong 9 (PPP
>20 lelong 10 (FDDI
>20 lelong 11 (RFC 1483 ATM
>20 lelong 12 (raw IP
>20 lelong 13 (BSD/OS SLIP
>20 lelong 14 (BSD/OS PPP
>20 lelong 50 (PPP or Cisco HDLC
>20 lelong 51 (PPP-over-Ethernet
>20 lelong 100 (RFC 1483 ATM
>20 lelong 101 (raw IP
>20 lelong 102 (BSD/OS SLIP
>20 lelong 103 (BSD/OS PPP
>20 lelong 104 (BSD/OS Cisco HDLC
>20 lelong 105 (802.11
>20 lelong 106 (Linux Classical IP over ATM
>20 lelong 108 (OpenBSD loopback
>20 lelong 109 (OpenBSD IPSEC encrypted
>20 lelong 113 (Linux "cooked"
>20 lelong 114 (LocalTalk
>16 lelong x \b, capture length %d)
#
# "libpcap"-with-Alexey-Kuznetsov's-patches capture files.
# (We call them "tcpdump capture file(s)" for now, as "tcpdump" is
# the main program that uses that format, but there are other programs
# that use "libpcap", or that use the same capture file format.)
#
0 ubelong 0xa1b2cd34 extended tcpdump capture file (big-endian)
>4 beshort x - version %d
>6 beshort x \b.%d
>20 belong 0 (No link-layer encapsulation
>20 belong 1 (Ethernet
>20 belong 2 (3Mb Ethernet
>20 belong 3 (AX.25
>20 belong 4 (ProNET
>20 belong 5 (CHAOS
>20 belong 6 (Token Ring
>20 belong 7 (ARCNET
>20 belong 8 (SLIP
>20 belong 9 (PPP
>20 belong 10 (FDDI
>20 belong 11 (RFC 1483 ATM
>20 belong 12 (raw IP
>20 belong 13 (BSD/OS SLIP
>20 belong 14 (BSD/OS PPP
>16 belong x \b, capture length %d)
0 ulelong 0xa1b2cd34 extended tcpdump capture file (little-endian)
>4 leshort x - version %d
>6 leshort x \b.%d
>20 lelong 0 (No link-layer encapsulation
>20 lelong 1 (Ethernet
>20 lelong 2 (3Mb Ethernet
>20 lelong 3 (AX.25
>20 lelong 4 (ProNET
>20 lelong 5 (CHAOS
>20 lelong 6 (Token Ring
>20 lelong 7 (ARCNET
>20 lelong 8 (SLIP
>20 lelong 9 (PPP
>20 lelong 10 (FDDI
>20 lelong 11 (RFC 1483 ATM
>20 lelong 12 (raw IP
>20 lelong 13 (BSD/OS SLIP
>20 lelong 14 (BSD/OS PPP
>16 lelong x \b, capture length %d)
#
# AIX "iptrace" capture files.
#
0 string iptrace\ 2.0 "iptrace" capture file
#
# Novell LANalyzer capture files.
#
0 leshort 0x1001 LANalyzer capture file
0 leshort 0x1007 LANalyzer capture file
#
# HP-UX "nettl" capture files.
#
0 string \x54\x52\x00\x64\x00 "nettl" capture file
#
# RADCOM WAN/LAN Analyzer capture files.
#
0 string \x42\xd2\x00\x34\x12\x66\x22\x88 RADCOM WAN/LAN Analyzer capture file
#
# NetStumbler log files. Not really packets, per se, but about as
# close as you can get. These are log files from NetStumbler, a
# Windows program, that scans for 802.11b networks.
#
0 string NetS NetStumbler log file
>8 lelong x \b, %d stations found