
#------------------------------------------------------------------------------
# $File: sniffer,v 1.32 2022/07/30 16:46:56 christos Exp $
# sniffer:  file(1) magic for packet capture files
#
# From: guy@alum.mit.edu (Guy Harris)
#

#
# Microsoft Network Monitor 1.x capture files.
#
0	string	RTSS	NetMon capture file
>5	byte	x	- version %d
>4	byte	x	\b.%d
>6	leshort	0	(Unknown)
>6	leshort	1	(Ethernet)
>6	leshort	2	(Token Ring)
>6	leshort	3	(FDDI)
>6	leshort	4	(ATM)
>6	leshort	>4	(type %d)

#
# Microsoft Network Monitor 2.x capture files.
#
0	string	GMBU	NetMon capture file
>5	byte	x	- version %d
>4	byte	x	\b.%d
>6	leshort	0	(Unknown)
>6	leshort	1	(Ethernet)
>6	leshort	2	(Token Ring)
>6	leshort	3	(FDDI)
>6	leshort	4	(ATM)
>6	leshort	5	(IP-over-IEEE 1394)
>6	leshort	6	(802.11)
>6	leshort	7	(Raw IP)
>6	leshort	8	(Raw IP)
>6	leshort	9	(Raw IP)
>6	leshort	>9	(type %d)

#
# Network General Sniffer capture files.
# Sorry, make that "Network Associates Sniffer capture files."
# Sorry, make that "Network General old DOS Sniffer capture files."
#
0	string	TRSNIFF\040data\040\040\040\040\032	Sniffer capture file
>33	byte	2	(compressed)
>23	leshort	x	- version %d
>25	leshort	x	\b.%d
>32	byte	0	(Token Ring)
>32	byte	1	(Ethernet)
>32	byte	2	(ARCNET)
>32	byte	3	(StarLAN)
>32	byte	4	(PC Network broadband)
>32	byte	5	(LocalTalk)
>32	byte	6	(Znet)
>32	byte	7	(Internetwork Analyzer)
>32	byte	9	(FDDI)
>32	byte	10	(ATM)

#
# Cinco Networks NetXRay capture files.
# Sorry, make that "Network General Sniffer Basic capture files."
# Sorry, make that "Network Associates Sniffer Basic capture files."
# Sorry, make that "Network Associates Sniffer Basic, and Windows
# Sniffer Pro", capture files."
# Sorry, make that "Network General Sniffer capture files."
# Sorry, make that "NetScout Sniffer capture files."
#
0	string	XCP\0	NetXRay capture file
>4	string	>\0	- version %s
>44	leshort	0	(Ethernet)
>44	leshort	1	(Token Ring)
>44	leshort	2	(FDDI)
>44	leshort	3	(WAN)
>44	leshort	8	(ATM)
>44	leshort	9	(802.11)

#
# "libpcap" capture files.
# https://www.tcpdump.org/manpages/pcap-savefile.5.html
# (We call them "tcpdump capture file(s)" for now, as "tcpdump" is
# the main program that uses that format, but there are other programs
# that use "libpcap", or that use the same capture file format.)
#
0	name	pcap-be
>4	beshort	x	- version %d
>6	beshort	x	\b.%d
# clear that continuation level match
>20	clear	x
>20	belong&0x03FFFFFF	0	(No link-layer encapsulation
>20	belong&0x03FFFFFF	1	(Ethernet
>20	belong&0x03FFFFFF	2	(3Mb Ethernet
>20	belong&0x03FFFFFF	3	(AX.25
>20	belong&0x03FFFFFF	4	(ProNET
>20	belong&0x03FFFFFF	5	(CHAOS
>20	belong&0x03FFFFFF	6	(Token Ring
>20	belong&0x03FFFFFF	7	(BSD ARCNET
>20	belong&0x03FFFFFF	8	(SLIP
>20	belong&0x03FFFFFF	9	(PPP
>20	belong&0x03FFFFFF	10	(FDDI
>20	belong&0x03FFFFFF	11	(RFC 1483 ATM
>20	belong&0x03FFFFFF	12	(Raw IP
>20	belong&0x03FFFFFF	13	(BSD/OS SLIP
>20	belong&0x03FFFFFF	14	(BSD/OS PPP
>20	belong&0x03FFFFFF	19	(Linux ATM Classical IP
>20	belong&0x03FFFFFF	50	(PPP or Cisco HDLC
>20	belong&0x03FFFFFF	51	(PPP-over-Ethernet
>20	belong&0x03FFFFFF	99	(Symantec Enterprise Firewall
>20	belong&0x03FFFFFF	100	(RFC 1483 ATM
>20	belong&0x03FFFFFF	101	(Raw IP
>20	belong&0x03FFFFFF	102	(BSD/OS SLIP
>20	belong&0x03FFFFFF	103	(BSD/OS PPP
>20	belong&0x03FFFFFF	104	(BSD/OS Cisco HDLC
>20	belong&0x03FFFFFF	105	(802.11
>20	belong&0x03FFFFFF	106	(Linux Classical IP over ATM
>20	belong&0x03FFFFFF	107	(Frame Relay
>20	belong&0x03FFFFFF	108	(OpenBSD loopback
>20	belong&0x03FFFFFF	109	(OpenBSD IPsec encrypted
>20	belong&0x03FFFFFF	112	(Cisco HDLC
>20	belong&0x03FFFFFF	113	(Linux cooked v1
>20	belong&0x03FFFFFF	114	(LocalTalk
>20	belong&0x03FFFFFF	117	(OpenBSD PFLOG
>20	belong&0x03FFFFFF	119	(802.11 with Prism header
>20	belong&0x03FFFFFF	122	(RFC 2625 IP over Fibre Channel
>20	belong&0x03FFFFFF	123	(SunATM
>20	belong&0x03FFFFFF	127	(802.11 with radiotap header
>20	belong&0x03FFFFFF	129	(Linux ARCNET
>20	belong&0x03FFFFFF	130	(Juniper Multi-Link PPP
>20	belong&0x03FFFFFF	131	(Juniper Multi-Link Frame Relay
>20	belong&0x03FFFFFF	132	(Juniper Encryption Services PIC
>20	belong&0x03FFFFFF	133	(Juniper GGSN PIC
>20	belong&0x03FFFFFF	134	(Juniper FRF.16 Frame Relay
>20	belong&0x03FFFFFF	135	(Juniper ATM2 PIC
>20	belong&0x03FFFFFF	136	(Juniper Advanced Services PIC
>20	belong&0x03FFFFFF	137	(Juniper ATM1 PIC
>20	belong&0x03FFFFFF	138	(Apple IP over IEEE 1394
>20	belong&0x03FFFFFF	139	(SS7 MTP2 with pseudo-header
>20	belong&0x03FFFFFF	140	(SS7 MTP2
>20	belong&0x03FFFFFF	141	(SS7 MTP3
>20	belong&0x03FFFFFF	142	(SS7 SCCP
>20	belong&0x03FFFFFF	143	(DOCSIS
>20	belong&0x03FFFFFF	144	(Linux IrDA
>20	belong&0x03FFFFFF	147	(Private use 0
>20	belong&0x03FFFFFF	148	(Private use 1
>20	belong&0x03FFFFFF	149	(Private use 2
>20	belong&0x03FFFFFF	150	(Private use 3
>20	belong&0x03FFFFFF	151	(Private use 4
>20	belong&0x03FFFFFF	152	(Private use 5
>20	belong&0x03FFFFFF	153	(Private use 6
>20	belong&0x03FFFFFF	154	(Private use 7
>20	belong&0x03FFFFFF	155	(Private use 8
>20	belong&0x03FFFFFF	156	(Private use 9
>20	belong&0x03FFFFFF	157	(Private use 10
>20	belong&0x03FFFFFF	158	(Private use 11
>20	belong&0x03FFFFFF	159	(Private use 12
>20	belong&0x03FFFFFF	160	(Private use 13
>20	belong&0x03FFFFFF	161	(Private use 14
>20	belong&0x03FFFFFF	162	(Private use 15
>20	belong&0x03FFFFFF	163	(802.11 with AVS header
>20	belong&0x03FFFFFF	164	(Juniper Passive Monitor PIC
>20	belong&0x03FFFFFF	165	(BACnet MS/TP
>20	belong&0x03FFFFFF	166	(PPPD
>20	belong&0x03FFFFFF	167	(Juniper PPPoE
>20	belong&0x03FFFFFF	168	(Juniper PPPoE/ATM
>20	belong&0x03FFFFFF	169	(GPRS LLC
>20	belong&0x03FFFFFF	170	(GPF-T
>20	belong&0x03FFFFFF	171	(GPF-F
>20	belong&0x03FFFFFF	174	(Juniper PIC Peer
>20	belong&0x03FFFFFF	175	(Ethernet with Endace ERF header
>20	belong&0x03FFFFFF	176	(Packet-over-SONET with Endace ERF header
>20	belong&0x03FFFFFF	177	(Linux LAPD
>20	belong&0x03FFFFFF	178	(Juniper Ethernet
>20	belong&0x03FFFFFF	179	(Juniper PPP
>20	belong&0x03FFFFFF	180	(Juniper Frame Relay
>20	belong&0x03FFFFFF	181	(Juniper C-HDLC
>20	belong&0x03FFFFFF	182	(FRF.16 Frame Relay
>20	belong&0x03FFFFFF	183	(Juniper Voice PIC
>20	belong&0x03FFFFFF	184	(Arinc 429
>20	belong&0x03FFFFFF	185	(Arinc 653 Interpartition Communication
>20	belong&0x03FFFFFF	186	(USB with FreeBSD header
>20	belong&0x03FFFFFF	187	(Bluetooth HCI H4
>20	belong&0x03FFFFFF	188	(802.16 MAC Common Part Sublayer
>20	belong&0x03FFFFFF	189	(Linux USB
>20	belong&0x03FFFFFF	190	(Controller Area Network (CAN) v. 2.0B
>20	belong&0x03FFFFFF	191	(802.15.4 with Linux padding
>20	belong&0x03FFFFFF	192	(PPI
>20	belong&0x03FFFFFF	193	(802.16 MAC Common Part Sublayer plus radiotap header
>20	belong&0x03FFFFFF	194	(Juniper Integrated Service Module
>20	belong&0x03FFFFFF	195	(802.15.4 with FCS
>20	belong&0x03FFFFFF	196	(SITA
>20	belong&0x03FFFFFF	197	(Endace ERF
>20	belong&0x03FFFFFF	198	(Ethernet with u10 Networks pseudo-header
>20	belong&0x03FFFFFF	199	(IPMB
>20	belong&0x03FFFFFF	200	(Juniper Secure Tunnel
>20	belong&0x03FFFFFF	201	(Bluetooth HCI H4 with pseudo-header
>20	belong&0x03FFFFFF	202	(AX.25 with KISS header
>20	belong&0x03FFFFFF	203	(LAPD
>20	belong&0x03FFFFFF	204	(PPP with direction pseudo-header
>20	belong&0x03FFFFFF	205	(Cisco HDLC with direction pseudo-header
>20	belong&0x03FFFFFF	206	(Frame Relay with direction pseudo-header
>20	belong&0x03FFFFFF	209	(Linux IPMB
>20	belong&0x03FFFFFF	215	(802.15.4 with non-ASK PHY header
>20	belong&0x03FFFFFF	216	(Linux evdev events
>20	belong&0x03FFFFFF	219	(MPLS with label as link-layer header
>20	belong&0x03FFFFFF	220	(Memory-mapped Linux USB
>20	belong&0x03FFFFFF	221	(DECT
>20	belong&0x03FFFFFF	222	(AOS Space Data Link protocol
>20	belong&0x03FFFFFF	223	(Wireless HART
>20	belong&0x03FFFFFF	224	(Fibre Channel FC-2
>20	belong&0x03FFFFFF	225	(Fibre Channel FC-2 with frame delimiters
>20	belong&0x03FFFFFF	226	(Solaris IPNET
>20	belong&0x03FFFFFF	227	(SocketCAN
>20	belong&0x03FFFFFF	228	(Raw IPv4
>20	belong&0x03FFFFFF	229	(Raw IPv6
>20	belong&0x03FFFFFF	230	(802.15.4 without FCS
>20	belong&0x03FFFFFF	231	(D-Bus messages
>20	belong&0x03FFFFFF	232	(Juniper Virtual Server
>20	belong&0x03FFFFFF	233	(Juniper SRX E2E
>20	belong&0x03FFFFFF	234	(Juniper Fibre Channel
>20	belong&0x03FFFFFF	235	(DVB-CI
>20	belong&0x03FFFFFF	236	(MUX27010
>20	belong&0x03FFFFFF	237	(STANAG 5066 D_PDUs
>20	belong&0x03FFFFFF	238	(Juniper ATM CEMIC
>20	belong&0x03FFFFFF	239	(Linux netfilter log messages
>20	belong&0x03FFFFFF	240	(Hilscher netAnalyzer
>20	belong&0x03FFFFFF	241	(Hilscher netAnalyzer with delimiters
>20	belong&0x03FFFFFF	242	(IP-over-Infiniband
>20	belong&0x03FFFFFF	243	(MPEG-2 Transport Stream packets
>20	belong&0x03FFFFFF	244	(ng4t ng40
>20	belong&0x03FFFFFF	245	(NFC LLCP
>20	belong&0x03FFFFFF	246	(Packet filter state syncing
>20	belong&0x03FFFFFF	247	(InfiniBand
>20	belong&0x03FFFFFF	248	(SCTP
>20	belong&0x03FFFFFF	249	(USB with USBPcap header
>20	belong&0x03FFFFFF	250	(Schweitzer Engineering Laboratories RTAC packets
>20	belong&0x03FFFFFF	251	(Bluetooth Low Energy air interface
>20	belong&0x03FFFFFF	252	(Wireshark Upper PDU export
>20	belong&0x03FFFFFF	253	(Linux netlink
>20	belong&0x03FFFFFF	254	(Bluetooth Linux Monitor
>20	belong&0x03FFFFFF	255	(Bluetooth Basic Rate/Enhanced Data Rate baseband packets
>20	belong&0x03FFFFFF	256	(Bluetooth Low Energy air interface with pseudo-header
>20	belong&0x03FFFFFF	257	(PROFIBUS data link layer
>20	belong&0x03FFFFFF	258	(Apple DLT_PKTAP
>20	belong&0x03FFFFFF	259	(Ethernet with 802.3 Clause 65 EPON preamble
>20	belong&0x03FFFFFF	260	(IPMI trace packets
>20	belong&0x03FFFFFF	261	(Z-Wave RF profile R1 and R2 packets
>20	belong&0x03FFFFFF	262	(Z-Wave RF profile R3 packets
>20	belong&0x03FFFFFF	263	(WattStopper Digital Lighting Mngmt/Legrand Nitoo Open Proto
>20	belong&0x03FFFFFF	264	(ISO 14443 messages
>20	belong&0x03FFFFFF	265	(IEC 62106 Radio Data System groups
>20	belong&0x03FFFFFF	266	(USB with Darwin header
>20	belong&0x03FFFFFF	267	(OpenBSD DLT_OPENFLOW
>20	belong&0x03FFFFFF	268	(IBM SDLC frames
>20	belong&0x03FFFFFF	269	(TI LLN sniffer frames
>20	belong&0x03FFFFFF	271	(Linux vsock
>20	belong&0x03FFFFFF	272	(Nordic Semiconductor Bluetooth LE sniffer frames
>20	belong&0x03FFFFFF	273	(Excentis XRA-31 DOCSIS 3.1 RF sniffer frames
>20	belong&0x03FFFFFF	274	(802.3br mPackets
>20	belong&0x03FFFFFF	275	(DisplayPort AUX channel monitoring data
>20	belong&0x03FFFFFF	276	(Linux cooked v2
>20	belong&0x03FFFFFF	278	(OpenVizsla USB
>20	belong&0x03FFFFFF	279	(Elektrobit High Speed Capture and Replay (EBHSCR)
>20	belong&0x03FFFFFF	281	(Broadcom tag
>20	belong&0x03FFFFFF	282	(Broadcom tag (prepended)
>20	belong&0x03FFFFFF	283	(802.15.4 with TAP
>20	belong&0x03FFFFFF	284	(Marvell DSA
>20	belong&0x03FFFFFF	285	(Marvell EDSA
>20	belong&0x03FFFFFF	286	(ELEE lawful intercept
>20	belong&0x03FFFFFF	287	(Z-Wave serial
>20	belong&0x03FFFFFF	288	(USB 2.0
>20	belong&0x03FFFFFF	289	(ATSC ALP
>20	belong&0x03FFFFFF	290	(Event Tracing for Windows
>20	belong&0x03FFFFFF	291	(Hilscher netANALYZER NG pseudo-footer
>20	belong&0x03FFFFFF	292	(ZBOSS NCP protocol with pseudo-header
>20	belong&0x03FFFFFF	293	(Low-Speed USB 2.0/1.1/1.0
>20	belong&0x03FFFFFF	294	(Full-Speed USB 2.0/1.1/1.0
>20	belong&0x03FFFFFF	295	(High-Speed USB 2.0
# print default match
>20	default	x
>>20	belong	x	(linktype#%u
>16	belong	x	\b, capture length %u)

# packet time stamps in seconds and microseconds.
0	ubelong	0xa1b2c3d4	pcap capture file, microsecond ts (big-endian)
!:mime	application/vnd.tcpdump.pcap
>0	use	pcap-be
0	ulelong	0xa1b2c3d4	pcap capture file, microsecond ts (little-endian)
!:mime	application/vnd.tcpdump.pcap
>0	use	\^pcap-be

# packet time stamps in seconds and nanoseconds.
0	ubelong	0xa1b23c4d	pcap capture file, nanosecond ts (big-endian)
!:mime	application/vnd.tcpdump.pcap
>0	use	pcap-be
0	ulelong	0xa1b23c4d	pcap capture file, nanosecond ts (little-endian)
!:mime	application/vnd.tcpdump.pcap
>0	use	\^pcap-be

#
# "libpcap"-with-Alexey-Kuznetsov's-patches capture files.
#
0	ubelong	0xa1b2cd34	pcap capture file, microsecond ts, extensions (big-endian)
>0	use	pcap-be
0	ulelong	0xa1b2cd34	pcap capture file, microsecond ts, extensions (little-endian)
>0	use	\^pcap-be

#
# "pcapng" capture files.
# https://github.com/pcapng/pcapng
# Pcapng files can contain multiple sections.  Printing the endianness,
# snaplen, or other information from the first SHB may be misleading.
#
0	ubelong	0x0a0d0d0a
>8	ubelong	0x1a2b3c4d	pcapng capture file
>>12	beshort	x	- version %d
>>14	beshort	x	\b.%d
0	ulelong	0x0a0d0d0a
>8	ulelong	0x1a2b3c4d	pcapng capture file
>>12	leshort	x	- version %d
>>14	leshort	x	\b.%d

#
# AIX "iptrace" capture files.
#
0	string	iptrace\0401.0	AIX iptrace capture file
0	string	iptrace\0402.0	AIX iptrace capture file

#
# Novell LANalyzer capture files.
#
0	leshort	0x1001	Novell LANalyzer capture file
0	leshort	0x1007	Novell LANalyzer capture file

#
# HP-UX "nettl" capture files.
#
0	string	\x54\x52\x00\x64\x00	HP/UX nettl capture file

#
# RADCOM WAN/LAN Analyzer capture files.
#
0	string	\x42\xd2\x00\x34\x12\x66\x22\x88	RADCOM WAN/LAN Analyzer capture file

#
# NetStumbler log files.  Not really packets, per se, but about as
# close as you can get.  These are log files from NetStumbler, a
# Windows program that scans for 802.11b networks.
#
0	string	NetS	NetStumbler log file
>8	lelong	x	\b, %d stations found

#
# *Peek tagged capture files.
#
0	string	\177ver	EtherPeek/AiroPeek/OmniPeek capture file

#
# Visual Networks traffic capture files.
#
0	string	\x05VNF	Visual Networks traffic capture file

#
# Network Instruments Observer capture files.
#
0	string	ObserverPktBuffe	Network Instruments Observer capture file

#
# Files from Accellent Group's 5View products.
#
# URL:		http://www.infovista.com
# Reference:	http://mark0.net/download/triddefs_xml.7z
#		defs/0/5vw.trid.xml
#		https://2.na.dl.wireshark.org/src/wireshark-3.6.2.tar.xz
#		wireshark-3.6.2/wiretap/5views.c
# Update:	Joerg Jenderek
# Note:		called "5View capture" by TrID and
#		"Wireshark capture file" on Windows or
#		"Packet Capture (Accellent/InfoVista 5view)" by shared MIME-info database
#		verified/falsified by `wireshark *.5vw`
0	string	\xaa\xaa\xaa\xaa
# skip misidentified boot/x86_64/loader/kroete.dat on Suse LEAP DVD
# by checking for a valid record version
>8	ulelong	=0x00010000
>>0	use	5view-le
0	name	5view-le
# t_5VW_Info_Header.Signature = CST_5VW_INFO_HEADER_KEY = 0xAAAAAAAAU
>0	ulelong	x	5View capture file
# https://reposcope.com/mimetype/application/x-5view
!:mime	application/x-5view
!:ext	5vw
# size of header in bytes (including signature and reserved fields); probably always 20h
>4	ulelong	!0x00000020	\b, header size %#x
# version of header record; apparently always CST_5VW_INFO_RECORD_VERSION=0x00010000U
>8	ulelong	!0x00010000	\b, record version %#x
# DataSize; total size of data without header like: 18h
>12	ulelong	x	\b, record size %#x
# filetype; type of the capture file like: 18001000h
>16	ulelong	x	\b, file type %#8.8x
# Reserved[3]; reserved for future use; apparently zero
>20	quad	!0	\b, Reserved %#llx
# look for record header key CST_5VW_RECORDS_HEADER_KEY of structure t_5VW_TimeStamped_Header
>0x20	search/0xB8/b	\xEE\xEE\x33\x33	\b; record
# HeaderSize; actual size of this header in bytes like: 32 24h
>>&0	uleshort	x	size %#x
# HeaderType; exact type of this header; probably always 0x4000
>>&2	uleshort	!0x4000	\b, header type %#x
# RecType; type of record like: 80000000h
>>&4	ulelong	x	\b, record type %#x
# RecSubType; subtype of record like: 0
>>&8	ulelong	!0	\b, subtype %#x
# RecSize; Size of one record like: 5Ch
>>&12	ulelong	x	\b, RecSize %#x
# RecNb; Number of records like: 1
>>&16	ulelong	>1	\b, %#x records
# Timestamp Utc
#>>&20	ulelong	x	\b, RAW TIME %#8.8x
>>&20	date	x	\b, Time-stamp %s
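# The pcap, pcapng and NetMon entries above all work the same way: match a
# magic value at offset 0, decide the byte order from how that value was
# stored, then read version, link type and snaplen from fixed offsets. The
# Python below is an added worked example that reproduces those checks so they
# can be scripted (triage of a directory of captures, for instance); it is not
# part of this magic file or of libmagic. The sample headers it carries are
# constructed in-line for demonstration and are not real captures. Two points
# the entries encode implicitly are made explicit: the 0x03FFFFFF mask strips
# the FCS-length bits libpcap packs into the high bits of the link-type word,
# and for pcapng the endianness comes from the byte-order magic at offset 8,
# not from the block type, and only the first SHB is ever examined.

```python
"""Identify packet-capture file headers the way the file(1) 'sniffer' magic does.

Added example, not part of the magic file or of libmagic. The sample headers
in SAMPLES are constructed in-line for demonstration; they are not real captures.
"""
import struct

# Link-layer types: a subset of the table in the magic file, enough for the samples.
LINKTYPES = {
    0: "No link-layer encapsulation", 1: "Ethernet", 12: "Raw IP", 101: "Raw IP",
    105: "802.11", 113: "Linux cooked v1", 127: "802.11 with radiotap header",
    228: "Raw IPv4", 229: "Raw IPv6", 276: "Linux cooked v2",
}

# pcap magic (as a big-endian integer) -> (timestamp unit, Kuznetsov extensions?)
PCAP_MAGICS = {
    0xA1B2C3D4: ("microsecond", False),
    0xA1B23C4D: ("nanosecond", False),
    0xA1B2CD34: ("microsecond", True),
}

NETMON_TYPES = {0: "Unknown", 1: "Ethernet", 2: "Token Ring", 3: "FDDI", 4: "ATM"}


def identify_pcap(hdr: bytes):
    """Parse a classic 24-byte pcap file header; None if the magic does not match."""
    if len(hdr) < 24:
        return None
    be_magic, = struct.unpack(">I", hdr[:4])
    le_magic, = struct.unpack("<I", hdr[:4])
    if be_magic in PCAP_MAGICS:
        endian, magic = ">", be_magic      # written on a big-endian host
    elif le_magic in PCAP_MAGICS:
        endian, magic = "<", le_magic      # written on a little-endian host
    else:
        return None
    ts_unit, extensions = PCAP_MAGICS[magic]
    # offsets 4/6: version; 8: thiszone; 12: sigfigs; 16: snaplen; 20: link type
    major, minor, _thiszone, _sigfigs, snaplen, lt_raw = struct.unpack(
        endian + "HHiIII", hdr[4:24])
    # libpcap packs FCS information into the high bits of the link-type word:
    # bit 26 says an FCS length is present, bits 28-31 carry it. The magic file
    # masks with 0x03FFFFFF to get the bare link-layer type; do the same here.
    linktype = lt_raw & 0x03FFFFFF
    fcs_len = (lt_raw >> 28) & 0xF if lt_raw & 0x04000000 else None
    return {
        "format": "pcap",
        "endian": "big" if endian == ">" else "little",
        "ts_unit": ts_unit,
        "extensions": extensions,
        "version": f"{major}.{minor}",
        "snaplen": snaplen,
        "linktype": linktype,
        "linktype_name": LINKTYPES.get(linktype, f"linktype#{linktype}"),
        "fcs_len": fcs_len,
    }


def identify_pcapng(hdr: bytes):
    """Parse the first Section Header Block of a pcapng file; None if not pcapng."""
    # Block type 0x0A0D0D0A reads the same in either byte order, so the
    # byte-order magic at offset 8 is what tells us how to read the section.
    if len(hdr) < 16 or hdr[:4] != b"\x0a\x0d\x0d\x0a":
        return None
    bom = hdr[8:12]
    if bom == b"\x1a\x2b\x3c\x4d":
        endian = ">"
    elif bom == b"\x4d\x3c\x2b\x1a":
        endian = "<"
    else:
        return None
    major, minor = struct.unpack(endian + "HH", hdr[12:16])
    # Caveat from the magic file: a pcapng file may hold several sections, each
    # with its own byte order and interfaces; this only describes the first SHB.
    return {"format": "pcapng", "endian": "big" if endian == ">" else "little",
            "version": f"{major}.{minor}"}


def identify_netmon(hdr: bytes):
    """Parse a Microsoft Network Monitor 1.x (RTSS) or 2.x (GMBU) header."""
    if len(hdr) < 8 or hdr[:4] not in (b"RTSS", b"GMBU"):
        return None
    minor, major = hdr[4], hdr[5]          # minor byte precedes major byte
    nettype, = struct.unpack("<H", hdr[6:8])
    return {"format": "netmon", "version": f"{major}.{minor}",
            "network": NETMON_TYPES.get(nettype, f"type {nettype}")}


def identify(hdr: bytes):
    """Try each recogniser in turn, like file(1) walking its magic entries."""
    for probe in (identify_pcap, identify_pcapng, identify_netmon):
        result = probe(hdr)
        if result is not None:
            return result
    return {"format": "unknown"}


# Constructed sample headers (not real captures).
SAMPLES = {
    # little-endian pcap 2.4, microsecond timestamps, snaplen 262144, Ethernet
    "pcap_le": struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 262144, 1),
    # big-endian nanosecond pcap, radiotap, with FCS-length bits set (4 bytes)
    "pcap_be_ns": struct.pack(">IHHiIII", 0xA1B23C4D, 2, 4, 0, 0, 65535,
                              (4 << 28) | 0x04000000 | 127),
    # pcapng SHB, little-endian, version 1.0, section length unspecified (-1)
    "pcapng_le": (b"\x0a\x0d\x0d\x0a" + struct.pack("<I", 28) + b"\x4d\x3c\x2b\x1a"
                  + struct.pack("<HHqI", 1, 0, -1, 28)),
    # NetMon 2.0 header, Ethernet
    "netmon": b"GMBU" + bytes([0, 2]) + struct.pack("<H", 1),
}

if __name__ == "__main__":
    for name, hdr in SAMPLES.items():
        print(name, identify(hdr))
```

# Feed identify() the first 32 bytes of a file to get the same verdict the
# magic entries give, plus the FCS length that the mask hides. Like the
# entries, it trusts the header as written: a hostile or corrupt snaplen or
# link type is reported, not validated, so a consumer should still bound what
# it reads per packet by the snaplen and by the file size.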