#------------------------------------------------------------------------------
# sniffer: file(1) magic for packet captured files
# From: guy@netapp.com (Guy Harris)
# Microsoft NetMon (packet capture/display program) capture files.
0	string		RTSS		NetMon capture file
>4	byte		x		- version %d
# Network General Sniffer capture files.
0	string		TRSNIFF\ data\ \ \ \ \032	Sniffer capture file
>23	leshort		x		- version %d
>33	byte		x		(Format %d,
>32	byte		0		Token ring)
>32	byte		4		PC Network broadband)
# "libpcap" capture files.
# (We call them "tcpdump capture file(s)" for now, as "tcpdump" is
# the main program that uses that format, but there's also "tcpview",
# and there may be others in the future.)
0	ubelong		0xa1b2c3d4	tcpdump capture file (big-endian)
>4	beshort		x		- version %d
>20	belong		0		(No link-layer encapsulation
>20	belong		1		(Ethernet
>20	belong		2		(3Mb Ethernet
>20	belong		6		(IEEE 802.x network
>20	belong		11		(RFC 1483 ATM
>16	belong		x		\b, capture length %d)
0	ulelong		0xa1b2c3d4	tcpdump capture file (little-endian)
>4	leshort		x		- version %d
>20	lelong		0		(No link-layer encapsulation
>20	lelong		1		(Ethernet
>20	lelong		2		(3Mb Ethernet
>20	lelong		6		(IEEE 802.x network
>20	lelong		11		(RFC 1483 ATM
>16	lelong		x		\b, capture length %d)