git.saurik.com Git - apple/file_cmds.git/blob - file/magdir/sniffer
file_cmds-60.tar.gz

#------------------------------------------------------------------------------
# sniffer: file(1) magic for packet captured files
#
# From: guy@netapp.com (Guy Harris)
#
# Microsoft NetMon (packet capture/display program) capture files.
#
0 string RTSS NetMon capture file
>4 byte x - version %d
>5 byte x \b.%d
#
# Network General Sniffer capture files.
#
0 string TRSNIFF\ data\ \ \ \ \032 Sniffer capture file
>23 leshort x - version %d
>25 leshort x \b.%d
>33 byte x (Format %d,
>32 byte 0 Token ring)
>32 byte 1 Ethernet)
>32 byte 2 ARCnet)
>32 byte 3 StarLAN)
>32 byte 4 PC Network broadband)
>32 byte 5 LocalTalk)
>32 byte 6 Znet)
#
# "libpcap" capture files.
# (We call them "tcpdump capture file(s)" for now, as "tcpdump" is
# the main program that uses that format, but there's also "tcpview",
# and there may be others in the future.)
#
0 ubelong 0xa1b2c3d4 tcpdump capture file (big-endian)
>4 beshort x - version %d
>6 beshort x \b.%d
>20 belong 0 (No link-layer encapsulation
>20 belong 1 (Ethernet
>20 belong 2 (3Mb Ethernet
>20 belong 3 (AX.25
>20 belong 4 (ProNet
>20 belong 5 (Chaos
>20 belong 6 (IEEE 802.x network
>20 belong 7 (ARCnet
>20 belong 8 (SLIP
>20 belong 9 (PPP
>20 belong 10 (FDDI
>20 belong 11 (RFC 1483 ATM
>16 belong x \b, capture length %d)
0 ulelong 0xa1b2c3d4 tcpdump capture file (little-endian)
>4 leshort x - version %d
>6 leshort x \b.%d
>20 lelong 0 (No link-layer encapsulation
>20 lelong 1 (Ethernet
>20 lelong 2 (3Mb Ethernet
>20 lelong 3 (AX.25
>20 lelong 4 (ProNet
>20 lelong 5 (Chaos
>20 lelong 6 (IEEE 802.x network
>20 lelong 7 (ARCnet
>20 lelong 8 (SLIP
>20 lelong 9 (PPP
>20 lelong 10 (FDDI
>20 lelong 11 (RFC 1483 ATM
>16 lelong x \b, capture length %d)