1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
|
#------------------------------------------------------------------------------
# sniffer: file(1) magic for packet capture files
#
# From: guy@alum.mit.edu (Guy Harris)
#
#
# Microsoft Network Monitor 1.x capture files.
#
0 string RTSS NetMon capture file
>4 byte x - version %d
>5 byte x \b.%d
>6 leshort 0 (Unknown)
>6 leshort 1 (Ethernet)
>6 leshort 2 (Token Ring)
>6 leshort 3 (FDDI)
#
# Microsoft Network Monitor 2.x capture files.
#
0 string GMBU NetMon capture file
>4 byte x - version %d
>5 byte x \b.%d
>6 leshort 0 (Unknown)
>6 leshort 1 (Ethernet)
>6 leshort 2 (Token Ring)
>6 leshort 3 (FDDI)
#
# Network General Sniffer capture files.
# Sorry, make that "Network Associates Sniffer capture files."
#
0 string TRSNIFF\ data\ \ \ \ \032 Sniffer capture file
>33 byte 2 (compressed)
>23 leshort x - version %d
>25 leshort x \b.%d
>32 byte 0 (Token Ring)
>32 byte 1 (Ethernet)
>32 byte 2 (ARCNET)
>32 byte 3 (StarLAN)
>32 byte 4 (PC Network broadband)
>32 byte 5 (LocalTalk)
>32 byte 6 (Znet)
>32 byte 7 (Internetwork Analyzer)
>32 byte 9 (FDDI)
>32 byte 10 (ATM)
#
# Cinco Networks NetXRay capture files.
# Sorry, make that "Network General Sniffer Basic capture files."
# Sorry, make that "Network Associates Sniffer Basic capture files."
# Sorry, make that "Network Associates Sniffer Basic, and Windows
# Sniffer Pro", capture files."
#
0 string XCP\0 NetXRay capture file
>4 string >\0 - version %s
>44 leshort 0 (Ethernet)
>44 leshort 1 (Token Ring)
>44 leshort 2 (FDDI)
#
# "libpcap" capture files.
# (We call them "tcpdump capture file(s)" for now, as "tcpdump" is
# the main program that uses that format, but there are other programs
# that use "libpcap", or that use the same capture file format.)
#
0 ubelong 0xa1b2c3d4 tcpdump capture file (big-endian)
>4 beshort x - version %d
>6 beshort x \b.%d
>20 belong 0 (No link-layer encapsulation
>20 belong 1 (Ethernet
>20 belong 2 (3Mb Ethernet
>20 belong 3 (AX.25
>20 belong 4 (ProNET
>20 belong 5 (CHAOS
>20 belong 6 (Token Ring
>20 belong 7 (ARCNET
>20 belong 8 (SLIP
>20 belong 9 (PPP
>20 belong 10 (FDDI
>20 belong 11 (RFC 1483 ATM
>20 belong 12 (raw IP
>20 belong 13 (BSD/OS SLIP
>20 belong 14 (BSD/OS PPP
>20 belong 50 (PPP or Cisco HDLC
>20 belong 51 (PPP-over-Ethernet
>20 belong 100 (RFC 1483 ATM
>20 belong 101 (raw IP
>20 belong 102 (BSD/OS SLIP
>20 belong 103 (BSD/OS PPP
>20 belong 104 (BSD/OS Cisco HDLC
>20 belong 105 (802.11
>20 belong 106 (Linux Classical IP over ATM
>20 belong 108 (OpenBSD loopback
>20 belong 109 (OpenBSD IPSEC encrypted
>20 belong 113 (Linux "cooked"
>20 belong 114 (LocalTalk
>16 belong x \b, capture length %d)
0 ulelong 0xa1b2c3d4 tcpdump capture file (little-endian)
>4 leshort x - version %d
>6 leshort x \b.%d
>20 lelong 0 (No link-layer encapsulation
>20 lelong 1 (Ethernet
>20 lelong 2 (3Mb Ethernet
>20 lelong 3 (AX.25
>20 lelong 4 (ProNET
>20 lelong 5 (CHAOS
>20 lelong 6 (Token Ring
>20 lelong 7 (ARCNET
>20 lelong 8 (SLIP
>20 lelong 9 (PPP
>20 lelong 10 (FDDI
>20 lelong 11 (RFC 1483 ATM
>20 lelong 12 (raw IP
>20 lelong 13 (BSD/OS SLIP
>20 lelong 14 (BSD/OS PPP
>20 lelong 50 (PPP or Cisco HDLC
>20 lelong 51 (PPP-over-Ethernet
>20 lelong 100 (RFC 1483 ATM
>20 lelong 101 (raw IP
>20 lelong 102 (BSD/OS SLIP
>20 lelong 103 (BSD/OS PPP
>20 lelong 104 (BSD/OS Cisco HDLC
>20 lelong 105 (802.11
>20 lelong 106 (Linux Classical IP over ATM
>20 lelong 108 (OpenBSD loopback
>20 lelong 109 (OpenBSD IPSEC encrypted
>20 lelong 113 (Linux "cooked"
>20 lelong 114 (LocalTalk
>16 lelong x \b, capture length %d)
#
# "libpcap"-with-Alexey-Kuznetsov's-patches capture files.
# (We call them "tcpdump capture file(s)" for now, as "tcpdump" is
# the main program that uses that format, but there are other programs
# that use "libpcap", or that use the same capture file format.)
#
0 ubelong 0xa1b2cd34 extended tcpdump capture file (big-endian)
>4 beshort x - version %d
>6 beshort x \b.%d
>20 belong 0 (No link-layer encapsulation
>20 belong 1 (Ethernet
>20 belong 2 (3Mb Ethernet
>20 belong 3 (AX.25
>20 belong 4 (ProNET
>20 belong 5 (CHAOS
>20 belong 6 (Token Ring
>20 belong 7 (ARCNET
>20 belong 8 (SLIP
>20 belong 9 (PPP
>20 belong 10 (FDDI
>20 belong 11 (RFC 1483 ATM
>20 belong 12 (raw IP
>20 belong 13 (BSD/OS SLIP
>20 belong 14 (BSD/OS PPP
>16 belong x \b, capture length %d)
0 ulelong 0xa1b2cd34 extended tcpdump capture file (little-endian)
>4 leshort x - version %d
>6 leshort x \b.%d
>20 lelong 0 (No link-layer encapsulation
>20 lelong 1 (Ethernet
>20 lelong 2 (3Mb Ethernet
>20 lelong 3 (AX.25
>20 lelong 4 (ProNET
>20 lelong 5 (CHAOS
>20 lelong 6 (Token Ring
>20 lelong 7 (ARCNET
>20 lelong 8 (SLIP
>20 lelong 9 (PPP
>20 lelong 10 (FDDI
>20 lelong 11 (RFC 1483 ATM
>20 lelong 12 (raw IP
>20 lelong 13 (BSD/OS SLIP
>20 lelong 14 (BSD/OS PPP
>16 lelong x \b, capture length %d)
#
# AIX "iptrace" capture files.
#
0 string iptrace\ 2.0 "iptrace" capture file
#
# Novell LANalyzer capture files.
#
0 leshort 0x1001 LANalyzer capture file
0 leshort 0x1007 LANalyzer capture file
#
# HP-UX "nettl" capture files.
#
0 string \x54\x52\x00\x64\x00 "nettl" capture file
#
# RADCOM WAN/LAN Analyzer capture files.
#
0 string \x42\xd2\x00\x34\x12\x66\x22\x88 RADCOM WAN/LAN Analyzer capture file
#
# NetStumbler log files. Not really packets, per se, but about as
# close as you can get. These are log files from NetStumbler, a
# Windows program, that scans for 802.11b networks.
#
0 string NetS NetStumbler log file
>8 lelong x \b, %d stations found
|