
Member "file-5.35/magic/Magdir/sniffer" (18 Oct 2018, 8332 Bytes) of package /linux/misc/file-5.35.tar.gz:



    1 
    2 #------------------------------------------------------------------------------
    3 # $File: sniffer,v 1.20 2018/10/18 16:49:19 christos Exp $
    4 # sniffer:  file(1) magic for packet capture files
    5 #
    6 # From: guy@alum.mit.edu (Guy Harris)
    7 #
    8 
    9 #
   10 # Microsoft Network Monitor 1.x capture files.
   11 #
      # Keyed on the 4-byte signature "RTSS" at offset 0. Byte 5 is printed
      # first and byte 4 second, joined as "version X.Y"; the little-endian
      # 16-bit value at offset 6 selects the network-type label.
      # Every value shown is read from the file header and printed without
      # validation, so the output reports what the header claims rather than
      # a verified capture.
      # NOTE(review): leshort is a signed type, so a value of 0x8000 or above
      # presumably compares as negative and prints no "(type %d)" - confirm.
   12 0	string		RTSS		NetMon capture file
   13 >5	byte		x		- version %d
   14 >4	byte		x		\b.%d
   15 >6	leshort		0		(Unknown)
   16 >6	leshort		1		(Ethernet)
   17 >6	leshort		2		(Token Ring)
   18 >6	leshort		3		(FDDI)
   19 >6	leshort		4		(ATM)
   20 >6	leshort		>4		(type %d)
   21 
   22 #
   23 # Microsoft Network Monitor 2.x capture files.
   24 #
      # Keyed on the 4-byte signature "GMBU" at offset 0, with the same
      # version bytes (5, then 4) and network-type field (offset 6) as the
      # 1.x entry.
      # Network types 7, 8 and 9 all print the same "(Raw IP)" label, so the
      # output alone does not tell them apart.
      # The header fields are printed as found in the file, unvalidated.
   25 0	string		GMBU		NetMon capture file
   26 >5	byte		x		- version %d
   27 >4	byte		x		\b.%d
   28 >6	leshort		0		(Unknown)
   29 >6	leshort		1		(Ethernet)
   30 >6	leshort		2		(Token Ring)
   31 >6	leshort		3		(FDDI)
   32 >6	leshort		4		(ATM)
   33 >6	leshort		5		(IP-over-IEEE 1394)
   34 >6	leshort		6		(802.11)
   35 >6	leshort		7		(Raw IP)
   36 >6	leshort		8		(Raw IP)
   37 >6	leshort		9		(Raw IP)
   38 >6	leshort		>9		(type %d)
   39 
   40 #
   41 # Network General Sniffer capture files.
   42 # Sorry, make that "Network Associates Sniffer capture files."
   43 # Sorry, make that "Network General old DOS Sniffer capture files."
   44 #
      # Keyed on a 17-byte signature at offset 0: "TRSNIFF data", four more
      # spaces (\040) and a trailing \032 byte.
      # Byte 33 equal to 2 adds "(compressed)"; the little-endian shorts at
      # offsets 23 and 25 are printed as the version; byte 32 selects the
      # network-type label.
      # There is no entry for network type 8 and no catch-all, so any value
      # not listed below prints no network label at all.
   45 0	string		TRSNIFF\040data\040\040\040\040\032	Sniffer capture file
   46 >33	byte		2		(compressed)
   47 >23	leshort		x		- version %d
   48 >25	leshort		x		\b.%d
   49 >32	byte		0		(Token Ring)
   50 >32	byte		1		(Ethernet)
   51 >32	byte		2		(ARCNET)
   52 >32	byte		3		(StarLAN)
   53 >32	byte		4		(PC Network broadband)
   54 >32	byte		5		(LocalTalk)
   55 >32	byte		6		(Znet)
   56 >32	byte		7		(Internetwork Analyzer)
   57 >32	byte		9		(FDDI)
   58 >32	byte		10		(ATM)
   59 
   60 #
   61 # Cinco Networks NetXRay capture files.
   62 # Sorry, make that "Network General Sniffer Basic capture files."
   63 # Sorry, make that "Network Associates Sniffer Basic capture files."
   64 # Sorry, make that "Network Associates Sniffer Basic, and Windows
   65 # Sniffer Pro", capture files."
   66 # Sorry, make that "Network General Sniffer capture files."
   67 # Sorry, make that "NetScout Sniffer capture files."
   68 #
      # Keyed on the 4-byte signature "XCP" followed by a NUL at offset 0.
      # The string at offset 4 is printed with %s as the version whenever it
      # is non-empty. That text comes straight from the file, so treat it as
      # untrusted wherever the output is logged or displayed.
      # The little-endian short at offset 44 selects the network-type label;
      # values not listed below print no label.
   69 0	string		XCP\0		NetXRay capture file
   70 >4	string		>\0		- version %s
   71 >44	leshort		0		(Ethernet)
   72 >44	leshort		1		(Token Ring)
   73 >44	leshort		2		(FDDI)
   74 >44	leshort		3		(WAN)
   75 >44	leshort		8		(ATM)
   76 >44	leshort		9		(802.11)
   77 
   78 #
   79 # "libpcap" capture files.
   80 # https://www.tcpdump.org/manpages/pcap-savefile.5.html
   81 # (We call them "tcpdump capture file(s)" for now, as "tcpdump" is
   82 # the main program that uses that format, but there are other programs
   83 # that use "libpcap", or that use the same capture file format.)
   84 #
      # "pcap-be" is a named sub-pattern. It is invoked with "use" by the
      # magic-number tests that follow it in this file; the little-endian
      # tests call it as \^pcap-be.
      # Fields decoded here, all as big-endian: version at offsets 4 and 6,
      # the value printed as "capture length" at offset 16, and the
      # link-layer type at offset 20.
      # All values come from the file header and are printed unvalidated.
      # The result is an identification hint, not evidence that the file is
      # a well-formed capture.
      # NOTE(review): each link-type line opens a "(" that only the final
      # "capture length" line closes. A link type not listed here prints no
      # opening parenthesis, but the closing ")" is still printed, leaving
      # the output unbalanced.
      # NOTE(review): the same label is printed for 11 and 100, for 12 and
      # 101, for 13 and 102, and for 14 and 103, so the output does not say
      # which number the file used.
      # NOTE(review): belong is signed and the format is %d, so a capture
      # length with the top bit set presumably prints as a negative number -
      # confirm.
   85 0	name		pcap-be
   86 >4	beshort		x		- version %d
   87 >6	beshort		x		\b.%d
   88 >20	belong		0		(No link-layer encapsulation
   89 >20	belong		1		(Ethernet
   90 >20	belong		2		(3Mb Ethernet
   91 >20	belong		3		(AX.25
   92 >20	belong		4		(ProNET
   93 >20	belong		5		(CHAOS
   94 >20	belong		6		(Token Ring
   95 >20	belong		7		(BSD ARCNET
   96 >20	belong		8		(SLIP
   97 >20	belong		9		(PPP
   98 >20	belong		10		(FDDI
   99 >20	belong		11		(RFC 1483 ATM
  100 >20	belong		12		(raw IP
  101 >20	belong		13		(BSD/OS SLIP
  102 >20	belong		14		(BSD/OS PPP
  103 >20	belong		19		(Linux ATM Classical IP
  104 >20	belong		50		(PPP or Cisco HDLC
  105 >20	belong		51		(PPP-over-Ethernet
  106 >20	belong		99		(Symantec Enterprise Firewall
  107 >20	belong		100		(RFC 1483 ATM
  108 >20	belong		101		(raw IP
  109 >20	belong		102		(BSD/OS SLIP
  110 >20	belong		103		(BSD/OS PPP
  111 >20	belong		104		(BSD/OS Cisco HDLC
  112 >20	belong		105		(802.11
  113 >20	belong		106		(Linux Classical IP over ATM
  114 >20	belong		107		(Frame Relay
  115 >20	belong		108		(OpenBSD loopback
  116 >20	belong		109		(OpenBSD IPsec encrypted
  117 >20	belong		112		(Cisco HDLC
  118 >20	belong		113		(Linux "cooked"
  119 >20	belong		114		(LocalTalk
  120 >20	belong		117		(OpenBSD PFLOG
  121 >20	belong		119		(802.11 with Prism header
  122 >20	belong		122		(RFC 2625 IP over Fibre Channel
  123 >20	belong		123		(SunATM
  124 >20	belong		127		(802.11 with radiotap header
  125 >20	belong		129		(Linux ARCNET
  126 >20	belong		138		(Apple IP over IEEE 1394
  127 >20	belong		139		(MTP2 with pseudo-header
  128 >20	belong		140		(MTP2
  129 >20	belong		141		(MTP3
  130 >20	belong		142		(SCCP
  131 >20	belong		143		(DOCSIS
  132 >20	belong		144		(IrDA
  133 >20	belong		147		(Private use 0
  134 >20	belong		148		(Private use 1
  135 >20	belong		149		(Private use 2
  136 >20	belong		150		(Private use 3
  137 >20	belong		151		(Private use 4
  138 >20	belong		152		(Private use 5
  139 >20	belong		153		(Private use 6
  140 >20	belong		154		(Private use 7
  141 >20	belong		155		(Private use 8
  142 >20	belong		156		(Private use 9
  143 >20	belong		157		(Private use 10
  144 >20	belong		158		(Private use 11
  145 >20	belong		159		(Private use 12
  146 >20	belong		160		(Private use 13
  147 >20	belong		161		(Private use 14
  148 >20	belong		162		(Private use 15
  149 >20	belong		163		(802.11 with AVS header
  150 >20	belong		165		(BACnet MS/TP
  151 >20	belong		166		(PPPD
  152 >20	belong		169		(GPRS LLC
  153 >20	belong		177		(Linux LAPD
  154 >20	belong		187		(Bluetooth HCI H4
  155 >20	belong		189		(Linux USB
  156 >20	belong		192		(PPI
  157 >20	belong		195		(802.15.4
  158 >20	belong		196		(SITA
  159 >20	belong		197		(Endace ERF
  160 >20	belong		201		(Bluetooth HCI H4 with pseudo-header
  161 >20	belong		202		(AX.25 with KISS header
  162 >20	belong		203		(LAPD
  163 >20	belong		204		(PPP with direction pseudo-header
  164 >20	belong		205		(Cisco HDLC with direction pseudo-header
  165 >20	belong		206		(Frame Relay with direction pseudo-header
  166 >20	belong		209		(Linux IPMB
  167 >20	belong		215		(802.15.4 with non-ASK PHY header
  168 >20	belong		220		(Memory-mapped Linux USB
  169 >20	belong		224		(Fibre Channel FC-2
  170 >20	belong		225		(Fibre Channel FC-2 with frame delimiters
  171 >20	belong		226		(Solaris IPNET
  172 >20	belong		227		(SocketCAN
  173 >20	belong		228		(Raw IPv4
  174 >20	belong		229		(Raw IPv6
  175 >20	belong		230		(802.15.4 without FCS
  176 >20	belong		231		(D-Bus messages
  177 >20	belong		235		(DVB-CI
  178 >20	belong		236		(MUX27010
  179 >20	belong		237		(STANAG 5066 D_PDUs
  180 >20	belong		239		(Linux netlink NFLOG messages
  181 >20	belong		240		(Hilscher netAnalyzer
  182 >20	belong		241		(Hilscher netAnalyzer with delimiters
  183 >20	belong		242		(IP-over-Infiniband
  184 >20	belong		243		(MPEG-2 Transport Stream packets
  185 >20	belong		244		(ng4t ng40
  186 >20	belong		245		(NFC LLCP
  187 >20	belong		247		(Infiniband
  188 >20	belong		248		(SCTP
  189 >16	belong		x		\b, capture length %d)
  190 
  191 # packets time stamps in seconds and microseconds.
      # The 32-bit magic 0xa1b2c3d4 at offset 0 is tested first as big-endian,
      # then as little-endian. Each match sets the MIME type and hands the
      # rest of the header to pcap-be (\^pcap-be for the little-endian case).
      # NOTE(review): the big-endian description reads "microseconds ts" while
      # the little-endian one reads "microsecond ts". Anything that matches on
      # the description text has to allow for both spellings.
  192 0	ubelong		0xa1b2c3d4	pcap capture file, microseconds ts (big-endian)
  193 !:mime	application/vnd.tcpdump.pcap
  194 >0	use	pcap-be
  195 0	ulelong		0xa1b2c3d4	pcap capture file, microsecond ts (little-endian)
  196 !:mime	application/vnd.tcpdump.pcap
  197 >0	use	\^pcap-be
  198 
  199 # packets time stamps in seconds and nanoseconds.
      # Same structure as the microsecond entries, keyed on the magic
      # 0xa1b23c4d instead: tested big-endian, then little-endian, with the
      # same MIME type and the same hand-off to pcap-be / \^pcap-be.
      # Only the 4-byte magic separates the two time-stamp variants; nothing
      # else in the header is checked before the description is printed.
  200 0	ubelong		0xa1b23c4d	pcap capture file, nanosecond ts (big-endian)
  201 !:mime	application/vnd.tcpdump.pcap
  202 >0	use	pcap-be
  203 0	ulelong		0xa1b23c4d	pcap capture file, nanosecond ts (little-endian)
  204 !:mime	application/vnd.tcpdump.pcap
  205 >0	use	\^pcap-be
  206 
  207 #
  208 # "libpcap"-with-Alexey-Kuznetsov's-patches capture files.
  209 #
      # Keyed on the magic 0xa1b2cd34 at offset 0, tested big-endian and then
      # little-endian. Both entries reuse pcap-be, so the file header is
      # decoded with the same offsets as a standard pcap file.
      # NOTE(review): neither entry has a !:mime line, unlike the standard
      # pcap entries earlier in this file, so a MIME-type lookup presumably
      # does not report application/vnd.tcpdump.pcap for these files -
      # confirm whether that is intended.
  210 0	ubelong		0xa1b2cd34	pcap capture file, microsecond ts, extensions (big-endian)
  211 >0	use	pcap-be
  212 0	ulelong		0xa1b2cd34	pcap capture file, microsecond ts, extensions (little-endian)
  213 >0	use	\^pcap-be
  214 
  215 #
  216 # "pcap-ng" capture files.
  217 # http://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html
  218 # Pcap-ng files can contain multiple sections. Printing the endianness,
  219 # snaplen, or other information from the first SHB may be misleading.
  220 #
      # The value 0x0a0d0d0a at offset 0 is the same byte sequence in either
      # byte order, so both top-level tests match the same files. The value
      # 0x1a2b3c4d at offset 8 decides which branch prints the description.
      # Only the version shorts at offsets 12 and 14 are printed, read in the
      # byte order of the branch that matched; they describe the first
      # section only.
      # NOTE(review): no !:mime line is attached to either branch.
  221 0	ubelong		0x0a0d0d0a
  222 >8	ubelong		0x1a2b3c4d	pcap-ng capture file
  223 >>12	beshort		x		- version %d
  224 >>14	beshort		x		\b.%d
  225 0	ulelong		0x0a0d0d0a
  226 >8	ulelong		0x1a2b3c4d	pcap-ng capture file
  227 >>12	leshort		x		- version %d
  228 >>14	leshort		x		\b.%d
  229 
  230 #
  231 # AIX "iptrace" capture files.
  232 #
      # Keyed on the text "iptrace 1.0" or "iptrace 2.0" at offset 0 (\040 is
      # a space). Both print the same description, so the output does not
      # say which of the two signatures matched.
  233 0	string		iptrace\0401.0	AIX iptrace capture file
  234 0	string		iptrace\0402.0	AIX iptrace capture file
  235 
  236 #
  237 # Novell LANalyzer capture files.
  238 #
      # Keyed on a single little-endian 16-bit value at offset 0, i.e. the
      # file starts with bytes 0x01 0x10 or 0x07 0x10. Nothing else is
      # checked.
      # A two-byte signature is weak: unrelated data beginning with these
      # bytes gets the same description, so treat a match as low confidence
      # and do not use it on its own for filtering or triage decisions.
  239 0	leshort		0x1001		Novell LANalyzer capture file
  240 0	leshort		0x1007		Novell LANalyzer capture file
  241 
  242 #
  243 # HP-UX "nettl" capture files.
  244 #
      # Keyed on the 5-byte signature 54 52 00 64 00 at offset 0 ("TR", NUL,
      # "d", NUL). No further header fields are read or printed.
  245 0	string		\x54\x52\x00\x64\x00	HP/UX nettl capture file
  246 
  247 #
  248 # RADCOM WAN/LAN Analyzer capture files.
  249 #
      # Keyed on the 8-byte signature 42 d2 00 34 12 66 22 88 at offset 0.
      # No further header fields are read or printed.
  250 0	string		\x42\xd2\x00\x34\x12\x66\x22\x88	RADCOM WAN/LAN Analyzer capture file
  251 
  252 #
  253 # NetStumbler log files.  Not really packets, per se, but about as
  254 # close as you can get.  These are log files from NetStumbler, a
  255 # Windows program, that scans for 802.11b networks.
  256 #
      # Keyed on the 4-byte signature "NetS" at offset 0. The little-endian
      # 32-bit value at offset 8 is printed as the station count.
      # The count is whatever the file header holds and is not checked
      # against the file contents. It is read as a signed lelong and printed
      # with %d.
  257 0	string		NetS		NetStumbler log file
  258 >8	lelong		x		\b, %d stations found
  259 
  260 #
  261 # *Peek tagged capture files.
  262 #
      # Keyed on the 4-byte signature \177 (octal, 0x7f) followed by "ver" at
      # offset 0. One description covers all three products named in it; no
      # header field is read to tell them apart.
  263 0	string		\177ver		EtherPeek/AiroPeek/OmniPeek capture file
  264 
  265 #
  266 # Visual Networks traffic capture files.
  267 #
      # Keyed on the 4-byte signature 0x05 followed by "VNF" at offset 0.
      # No further header fields are read or printed.
  268 0	string		\x05VNF		Visual Networks traffic capture file
  269 
  270 #
  271 # Network Instruments Observer capture files.
  272 #
      # Keyed on the 16-character text "ObserverPktBuffe" at offset 0.
      # NOTE(review): the text stops mid-word, so the comparison presumably
      # covers only the first 16 bytes of a longer marker - confirm against
      # the format.
  273 0	string		ObserverPktBuffe	Network Instruments Observer capture file
  274 
  275 #
  276 # Files from Accellent Group's 5View products.
  277 #
      # Keyed on four 0xaa bytes at offset 0 and nothing else.
      # A run of one repeated byte is a weak signature: any data that starts
      # with aa aa aa aa gets this description, so treat a match as low
      # confidence and corroborate it before acting on it.
  278 0	string		\xaa\xaa\xaa\xaa	5View capture file