--- /dev/null
+#------------------------------------------------------------------------------
+# sniffer: file(1) magic for packet captured files
+#
+# From: guy@netapp.com (Guy Harris)
+#
+# Microsoft NetMon (packet capture/display program) capture files.
+#
+0 string RTSS NetMon capture file
+>4 byte x - version %d
+>5 byte x \b.%d
+#
+# Network General Sniffer capture files (the Sniffer software does,
+# after all, run under MS-DOS...).
+#
+0 string TRSNIFF\ data\ \ \ \ \032 Sniffer capture file
+>23 leshort x - version %d
+>25 leshort x \b.%d
+>33 byte x (Format %d,
+>32 byte 0 Token ring)
+>32 byte 1 Ethernet)
+>32 byte 2 ARCnet)
+>32 byte 3 StarLAN)
+>32 byte 4 PC Network broadband)
+>32 byte 5 LocalTalk)
+>32 byte 6 Znet)
+#
+# (We call them "tcpdump capture file(s)" for now, as "tcpdump" is
+# the main program that uses that format, but there's also "tcpview",
+# and there may be others in the future.)
+#
+0 ubelong 0xa1b2c3d4 tcpdump capture file (big-endian)
+>4 beshort x - version %d
+>6 beshort x \b.%d
+>20 belong 0 (No link-layer encapsulation
+>20 belong 1 (Ethernet
+>20 belong 2 (3Mb Ethernet
+>20 belong 3 (AX.25
+>20 belong 4 (ProNet
+>20 belong 5 (Chaos
+>20 belong 6 (IEEE 802.x network
+>20 belong 7 (ARCnet
+>20 belong 8 (SLIP
+>20 belong 9 (PPP
+>20 belong 10 (FDDI
+>20 belong 11 (RFC 1483 ATM
+>16 belong x \b, capture length %d)
+0 ulelong 0xa1b2c3d4 tcpdump capture file (little-endian)
+>4 leshort x - version %d
+>6 leshort x \b.%d
+>20 lelong 0 (No link-layer encapsulation
+>20 lelong 1 (Ethernet
+>20 lelong 2 (3Mb Ethernet
+>20 lelong 3 (AX.25
+>20 lelong 4 (ProNet
+>20 lelong 5 (Chaos
+>20 lelong 6 (IEEE 802.x network
+>20 lelong 7 (ARCnet
+>20 lelong 8 (SLIP
+>20 lelong 9 (PPP
+>20 lelong 10 (FDDI
+>20 lelong 11 (RFC 1483 ATM
+>16 lelong x \b, capture length %d)
projects / file / commitdiff