# Basic recognition of Digital UNIX core dumps - Mike Bremford <mike@opac.bl.uk>
#
+# The actual magic number is just "Core", followed by a 2-byte version
+# number; however, treating any file that begins with "Core" as a Digital
+# UNIX core dump file may produce too many false hits, so we include one
+# byte of the version number as well; DU 5.0 appears only to be up to
+# version 2.
+#
0 string Core\001 Alpha COFF format core dump (Digital UNIX)
>24 string >\0 \b, from '%s'
+0 string Core\002 Alpha COFF format core dump (Digital UNIX)
+>24 string >\0 \b, from '%s'
+
#>4 beshort&0xfff0 x (%d x
#>5 beshort&0x0fff x %d)
0 belong 0x000001ba MPEG system stream data
+
# MPEG Audio (*.mpx)
# from dreesen@math.fu-berlin.de
+
+# XXX
+# This conflicts with the FF FE signature for UTF-16-encoded Unicode
+# text, which will be identified as an MP3 file. I don't have any MP3s
+# so I don't know how to (or even if it's possible to) change this to
+# tell the two apart. enf@pobox.com
+
0 beshort &0xfff0 MP
# MPEG 1.0
>1 byte&0x08 =0x08 \b
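Review bot: The XXX comment added above `0 beshort &0xfff0 MP` records a known misidentification (UTF-16 text beginning FF FE is reported as MP3), but the rule itself is unchanged, so the false positive ships with this patch. Where file(1) output is used to decide how content is handled, that matters. Consider requiring a further test beyond the first 12 bits before "MP" is printed, and keep the XXX only if no such test turns out to be workable.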
0 belong 0x00051600 AppleSingle encoded Macintosh file
0 belong 0x00051607 AppleDouble encoded Macintosh file
+# magic for Newton PDA package formats
+# from Ruda Moura <ruda@helllabs.org>
+0 string package Newton package,
+>7 byte 48 NOS 1.x,
+>7 byte 49 NOS 2.x,
+>12 belong &0x80000000 AutoRemove,
+>12 belong &0x40000000 CopyProtect,
+>12 belong &0x10000000 NoCompression,
+>12 belong &0x04000000 Relocation,
+>12 belong &0x02000000 UseFasterCompression,
+>16 belong x version %d
+
+# The following entries for the Apple II are for files that have
+# been transferred as raw binary data from an Apple, without having
+# been encapsulated by any of the above archivers.
+#
+# In general, Apple II formats are hard to identify because Apple DOS
+# and especially Apple ProDOS have strong typing in the file system and
+# therefore programmers never felt much need to include type information
+# in the files themselves.
+#
+# Eric Fischer <enf@pobox.com>
+
+# AppleWorks word processor:
+#
+# This matches the standard tab stops for an AppleWorks file, but if
+# a file has a tab stop set in the first four columns this will fail.
+#
+# The "O" is really the magic number, but that's so common that it's
+# necessary to check the tab stops that follow it to avoid false positives.
+
+4 string O==== AppleWorks word processor data
+>85 byte&0x01 >0 \b, zoomed
+>90 byte&0x01 >0 \b, paginated
+>92 byte&0x01 >0 \b, with mail merge
+#>91 byte x \b, left margin %d
+
+# AppleWorks database:
+#
+# This isn't really a magic number, but it's the closest thing to one
+# that I could find. The 1 and 2 really mean "order in which you defined
+# categories" and "left to right, top to bottom," respectively; the D and R
+# mean that the cursor should move either down or right when you press Return.
+
+30 string \x01D AppleWorks database data
+30 string \x02D AppleWorks database data
+30 string \x01R AppleWorks database data
+30 string \x02R AppleWorks database data
+
+# AppleWorks spreadsheet:
+#
+# Likewise, this isn't really meant as a magic number. The R or C means
+# row- or column-order recalculation; the A or M means automatic or manual
+# recalculation.
+
+131 string RA AppleWorks spreadsheet data
+131 string RM AppleWorks spreadsheet data
+131 string CA AppleWorks spreadsheet data
+131 string CM AppleWorks spreadsheet data
+
+# Applesoft BASIC:
+#
+# This is incredibly sloppy, but will be true if the program was
+# written at its usual memory location of 2048 and its first line
+# number is less than 256. Yuck.
+
+0 belong&0xff00ff 0x80000 Applesoft BASIC program data
+#>2 leshort x \b, first line number %d
+
+# ORCA/EZ assembler:
+#
+# This will not identify ORCA/M source files, since those have
+# some sort of date code instead of the two zero bytes at 6 and 7
+
+4 belong&0xff00ffff 0x01000000 ORCA/EZ assembler source data
+>5 byte x \b, build number %d
+
+# Broderbund Fantavision
+#
+# I don't know what these values really mean, but they seem to recur.
+# Will they cause too many conflicts?
+
+2 belong&0xFF00FF 0x040008 Fantavision movie data
+
+# Some attempts at images.
+#
+# These are actually just bit-for-bit dumps of the frame buffer, so
+# there's really no reasonably way to distinguish them except for their
+# address (if preserved) -- 8192 or 16384 -- and their length -- 8192
+# or, occasionally, 8184.
+#
+# Nevertheless this will manage to catch a lot of images that happen
+# to have a solid-colored line at the bottom of the screen.
+
+8144 string \x7F\x7F\x7F\x7F\x7F\x7F\x7F\x7F Apple II image with white background
+8144 string \x55\x2A\x55\x2A\x55\x2A\x55\x2A Apple II image with purple background
+8144 string \x2A\x55\x2A\x55\x2A\x55\x2A\x55 Apple II image with green background
+8144 string \xD5\xAA\xD5\xAA\xD5\xAA\xD5\xAA Apple II image with blue background
+8144 string \xAA\xD5\xAA\xD5\xAA\xD5\xAA\xD5 Apple II image with orange background
+
+# Beagle Bros. Apple Mechanic fonts
+
+0 belong&0xFF00FFFF 0x6400D000 Apple Mechanic font
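Review bot: `0 string package` at the top of the Newton entry matches any file whose first seven bytes are the word "package", which includes source files that open with a package declaration. The NOS version bytes at `>7` are only continuation tests, so "Newton package," is printed even when neither 48 nor 49 is present, followed by whatever the `>12` and `>16` tests read. Suggest making the version byte part of the top-level string so the entry needs eight bytes to match. The two-byte AppleWorks tests at offsets 30 and 131 and the Applesoft mask at offset 0 (which checks only two of the four bytes) have the same weakness, as their own comments admit, and should sit late in the search order.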
--- /dev/null
+#------------------------------------------------------------------------------
+# blender: file(1) magic for Blender 3D data files
+#
+# Coded by Guillermo S. Romero <gsromero@alumnos.euitt.upm.es> using the
+# data from Ton Roosendaal <ton@blender.nl>. Ton or his company do not
+# support the rule, so mail GSR if problems with it. Rule version: 1.1.
+# You can get latest version with comments and details about the format
+# at http://acd.asoc.euitt.upm.es/~gsromero/3d/blender/magic.blender
+
+0 string =BLENDER Blender3D,
+>7 string =_ saved as 32-bits
+>7 string =- saved as 64-bits
+>8 string =v little endian
+>8 string =V big endian
+>9 byte x with version %c.
+>10 byte x \b%c
+>11 byte x \b%c
0 string/b #!\ /bin/bash Bourne-Again shell script text executable
0 string/b #!\ /usr/local/bin/bash Bourne-Again shell script text executable
+# using env
+0 string #!/usr/bin/env a
+>15 string >\0 %s script text executable
+0 string #!\ /usr/bin/env a
+>16 string >\0 %s script text executable
+
+
# generic shell magic
0 string #!\ / a
>3 string >\0 %s script text executable
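Review bot: The `>15` and `>16` offsets in the new env entries assume exactly one separator byte after `#!/usr/bin/env`, and the top-level strings do not include that separator, so a first line such as `#!/usr/bin/envelope` also matches and is reported as "a ... script text executable". Suggest ending both top-level strings with an escaped space, using the same `\ ` escaping the entries above already use, so the match stops at the end of the word "env".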
0 lelong 0x13579ace GNU dbm 1.x or ndbm database, little endian
0 string GDBM GNU dbm 2.x database
#
-0 belong 0x061561 Berkeley DB
->4 belong >2 1.86
->4 belong <3 1.85
->8 belong 4321 Hash/Big Endian
->8 belong 1234 Hash/Little Endian
->4 belong >0 (Version %d,
->12 belong x Bucket Size %d,
->16 belong x Bucket Shift %d,
->20 belong x Directory Size %d,
->24 belong x Segment Size %d,
->28 belong x Segment Shift %d,
->32 belong x Overflow Point %d,
->36 belong x Last Freed %d,
->40 belong x Max Bucket %d,
->44 belong x High Mask 0x%x,
->48 belong x Low Mask 0x%x,
->52 belong x Fill Factor %d,
->56 belong x Number of Keys %d)
+# Berkeley DB
#
+# Ian Darwin's file /etc/magic files: big/little-endian version.
#
-0 belong 0x053162 Berkeley DB 1.85/1.86 Btree/Big Endian
->4 belong >0 (Version %d,
->8 belong x Page Size %d,
->12 belong x Free Page %d,
->16 belong x Number of Records %d,
->20 belong x Flags 0x%x)
-0 lelong 0x053162 Berkeley DB 1.85/1.86 Btree/Little Endian
->4 lelong >0 (Version %d,
->8 lelong x Page Size %d,
->12 lelong x Free Page %d,
->16 lelong x Number of Records %d,
->20 lelong x Flags 0x%x)
-#
-#
-12 belong 0x061561 Berkeley DB 2.X Hash/Big Endian
->16 belong >0 (Version %d,
->0 belong x Logical sequence number: file - %d,
->4 belong x offset - %d,
->20 belong x Bucket Size %d,
->24 belong x Overflow Point %d,
->28 belong x Last Freed %d,
->32 belong x Max Bucket %d,
->36 belong x High Mask 0x%x,
->40 belong x Low Mask 0x%x,
->44 belong x Fill Factor %d,
->48 belong x Number of Keys %d)
-#
-# DB2.X formats from Khimenko Victor <khim@sch57.msk.ru>
-#
-12 lelong 0x061561 Berkeley DB 2.X Hash/Little Endian
->16 lelong >0 (Version %d,
->0 lelong x Logical sequence number: file - %d,
->4 lelong x offset - %d,
->20 lelong x Bucket Size %d,
->24 lelong x Overflow Point %d,
->28 lelong x Last Freed %d,
->32 lelong x Max Bucket %d,
->36 lelong x High Mask 0x%x,
->40 lelong x Low Mask 0x%x,
->44 lelong x Fill Factor %d,
->48 lelong x Number of Keys %d)
-#
-#
-12 belong 0x053162 Berkeley DB 2.X Btree/Big Endian
->16 belong >0 (Version %d,
->0 belong x Logical sequence number: file - %d,
->4 belong x offset - %d,
->20 belong x Page Size %d,
->24 belong x Maxkey %d,
->28 belong x Minkey %d,
->32 belong x Free Page %d)
-#
-#
-12 lelong 0x053162 Berkeley DB 2.X Btree/Little Endian
->16 lelong >0 (Version %d,
->0 lelong x Logical sequence number: file - %d,
->4 lelong x offset - %d,
->20 lelong x Page Size %d,
->24 lelong x Maxkey %d,
->28 lelong x Minkey %d,
->32 lelong x Free Page %d)
+# Hash 1.85/1.86 databases store metadata in network byte order.
+# Btree 1.85/1.86 databases store the metadata in host byte order.
+# Hash and Btree 2.X and later databases store the metadata in host byte order.
+
+0 long 0x00061561 Berkeley DB
+>8 belong 4321
+>>4 belong >2 1.86
+>>4 belong <3 1.85
+>>4 belong >0 (Hash, version %d, native byte-order)
+>8 belong 1234
+>>4 belong >2 1.86
+>>4 belong <3 1.85
+>>4 belong >0 (Hash, version %d, little-endian)
+
+0 belong 0x00061561 Berkeley DB
+>8 belong 4321
+>>4 belong >2 1.86
+>>4 belong <3 1.85
+>>4 belong >0 (Hash, version %d, big-endian)
+>8 belong 1234
+>>4 belong >2 1.86
+>>4 belong <3 1.85
+>>4 belong >0 (Hash, version %d, native byte-order)
+
+0 long 0x00053162 Berkeley DB 1.85/1.86
+>4 long >0 (Btree, version %d, native byte-order)
+0 belong 0x00053162 Berkeley DB 1.85/1.86
+>4 belong >0 (Btree, version %d, big-endian)
+0 lelong 0x00053162 Berkeley DB 1.85/1.86
+>4 lelong >0 (Btree, version %d, little-endian)
+
+12 long 0x00061561 Berkeley DB
+>16 long >0 (Hash, version %d, native byte-order)
+12 belong 0x00061561 Berkeley DB
+>16 belong >0 (Hash, version %d, big-endian)
+12 lelong 0x00061561 Berkeley DB
+>16 lelong >0 (Hash, version %d, little-endian)
+
+12 long 0x00053162 Berkeley DB
+>16 long >0 (Btree, version %d, native byte-order)
+12 belong 0x00053162 Berkeley DB
+>16 belong >0 (Btree, version %d, big-endian)
+12 lelong 0x00053162 Berkeley DB
+>16 lelong >0 (Btree, version %d, little-endian)
+
+12 long 0x00042253 Berkeley DB
+>16 long >0 (Queue, version %d, native byte-order)
+12 belong 0x00042253 Berkeley DB
+>16 belong >0 (Queue, version %d, big-endian)
+12 lelong 0x00042253 Berkeley DB
+>16 lelong >0 (Queue, version %d, little-endian)
+
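Review bot: In the two offset-0 Hash blocks the same lorder value gets different labels: under `0 long`, `>8 belong 4321` prints "native byte-order" and `>8 belong 1234` prints "little-endian", while under `0 belong` 4321 is "big-endian" and 1234 is "native byte-order". Both blocks read offset 8 with `belong`, so the label for a given value should not depend on which magic test matched; please make them consistent or explain the intent in the comment. More generally, every `long` entry makes the description of a given file depend on the byte order of the host running file(1), which is awkward when output is compared across machines.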
#------------------------------------------------------------------------------
# filesystems: file(1) magic for different filesystems
#
-0x438 leshort 0xEF53 Linux/i386 ext2 filesystem
0 string \366\366\366\366 PC formatted floppy with no filesystem
# Sun disk labels
# From /usr/include/sun/dklabel.h:
>8256 lelong x disk rotational speed %drps,
>8320 lelong 0 TIME optimization
>8320 lelong 1 SPACE optimization
+
+# ext2/ext3 filesystems - Andreas Dilger <adilger@turbolabs.com>
+0x438 leshort 0xEF53 Linux
+>0x44c lelong x rev %d
+>0x43e leshort x \b.%d
+>0x45c lelong ^0x0000004 ext2 filesystem data
+>>0x43a leshort ^0x0000001 (mounted or unclean)
+>0x45c lelong &0x0000004 ext3 filesystem data
+>>0x460 lelong &0x0000004 (needs journal recovery)
+>0x43a leshort &0x0000002 (errors)
+>0x460 lelong &0x0000001 (compressed)
+#>0x460 lelong &0x0000002 (filetype)
+#>0x464 lelong &0x0000001 (sparse_super)
+>0x464 lelong &0x0000002 (large files)
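Review bot: The "(mounted or unclean)" test (`>>0x43a leshort ^0x0000001`) is nested under the ext2 branch only, so a file that takes the `>0x45c lelong &0x0000004` ext3 branch never reports that state bit, while "(errors)" from the same field at 0x43a is reported for both. If the asymmetry is intended because ext3 reports "(needs journal recovery)" instead, a one-line comment would help; otherwise move the test to the single-`>` level. The two commented-out tests for filetype and sparse_super also need a word on why they are disabled.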
0 beshort 0x1010 PEX Binary Archive
# Visio drawings
-03000 string Visio\ (TM)\ Drawing %s
+03000 string Visio\ (TM)\ Drawing %s
# Tgif files
0 string \%TGIF\ x Tgif file version %s
+
+# DICOM medical imaging data
+128 string DICM DICOM medical imaging data
# files obtained from most archives. (franklsm@tuns.ca)
0 string SIT! StuffIt Archive (data)
>2 string x : %s
-65 string SIT! StuffIt Archive (rsrc + data)
->2 string x : %s
0 string SITD StuffIt Deluxe (data)
>2 string x : %s
-65 string SITD StuffIt Deluxe (rsrc + data)
->2 string x : %s
0 string Seg StuffIt Deluxe Segment (data)
>2 string x : %s
-65 string Seg StuffIt Deluxe Segment (rsrc + data)
->2 string x : %s
# Macintosh Applications and Installation binaries (franklsm@tuns.ca)
0 string APPL Macintosh Application (data)
->2 string x : %s
-65 string APPL Macintosh Application (rsrc + data)
->2 string x : %s
+>2 string x \b: %s
# Macintosh System files (franklsm@tuns.ca)
0 string zsys Macintosh System File (data)
-65 string zsys Macintosh System File(rsrc + data)
0 string FNDR Macintosh Finder (data)
-65 string FNDR Macintosh Finder(rsrc + data)
0 string libr Macintosh Library (data)
>2 string x : %s
-65 string libr Macintosh Library(rsrc + data)
->2 string x : %s
0 string shlb Macintosh Shared Library (data)
>2 string x : %s
-65 string shlb Macintosh Shared Library(rsrc + data)
->2 string x : %s
0 string cdev Macintosh Control Panel (data)
>2 string x : %s
-65 string cdev Macintosh Control Panel(rsrc + data)
->2 string x : %s
0 string INIT Macintosh Extension (data)
>2 string x : %s
-65 string INIT Macintosh Extension(rsrc + data)
->2 string x : %s
0 string FFIL Macintosh Truetype Font (data)
>2 string x : %s
-65 string FFIL Macintosh Truetype Font(rsrc + data)
->2 string x : %s
0 string LWFN Macintosh Postscript Font (data)
>2 string x : %s
-65 string LWFN Macintosh Postscript Font(rsrc + data)
->2 string x : %s
# Additional Macintosh Files (franklsm@tuns.ca)
-
0 string PACT Macintosh Compact Pro Archive (data)
>2 string x : %s
-65 string PACT Macintosh Compact Pro Archive(rsrc + data)
->2 string x : %s
0 string ttro Macintosh TeachText File (data)
>2 string x : %s
-65 string ttro Macintosh TeachText File(rsrc + data)
->2 string x : %s
0 string TEXT Macintosh TeachText File (data)
>2 string x : %s
-65 string TEXT Macintosh TeachText File(rsrc + data)
->2 string x : %s
0 string PDF Macintosh PDF File (data)
>2 string x : %s
-65 string PDF Macintosh PDF File(rsrc + data)
->2 string x : %s
+# MacBinary format (Eric Fischer, enf@pobox.com)
+#
+# Unfortunately MacBinary doesn't really have a magic number prior
+# to the MacBinary III format. The checksum is really the way to
+# do it, but the magic file format isn't up to the challenge.
+#
+# 0 byte 0
+# 1 byte # filename length
+# 2 string # filename
+# 65 string # file type
+# 69 string # file creator
+# 73 byte # Finder flags
+# 74 byte 0
+# 75 beshort # vertical posn in window
+# 77 beshort # horiz posn in window
+# 79 beshort # window or folder ID
+# 81 byte # protected?
+# 82 byte 0
+# 83 belong # length of data segment
+# 87 belong # length of resource segment
+# 91 belong # file creation date
+# 95 belong # file modification date
+# 99 beshort # length of comment after resource
+# 101 byte # new Finder flags
+# 102 string mBIN # (only in MacBinary III)
+# 106 byte # char. code of file name
+# 107 byte # still more Finder flags
+# 116 belong # total file length
+# 120 beshort # length of add'l header
+# 122 byte 129 # for MacBinary II
+# 122 byte 130 # for MacBinary III
+# 123 byte 129 # minimum version that can read fmt
+# 124 beshort # checksum
+#
+# This attempts to use the version numbers as a magic number, requiring
+# that the first one be 0x80, 0x81, 0x82, or 0x83, and that the second
+# be 0x81. This works for the files I have, but maybe not for everyone's.
+
+122 beshort&0xFCFF 0x8081 Macintosh MacBinary data
+
+# MacBinary I doesn't have the version number field at all, but MacBinary II
+# has been in use since 1987 so I hope there aren't many really old files
+# floating around that this will miss. The original spec calls for using
+# the nulls in 0, 74, and 82 as the magic number.
+#
+# Another possibility, that would also work for MacBinary I, is to use
+# the assumption that 65-72 will all be ASCII (0x20-0x7F), that 73 will
+# have bits 1 (changed), 2 (busy), 3 (bozo), and 6 (invisible) unset,
+# and that 74 will be 0. So something like
+#
+# 71 belong&0x80804EFF 0x00000000 Macintosh MacBinary data
+#
+# >73 byte&0x01 0x01 \b, inited
+# >73 byte&0x02 0x02 \b, changed
+# >73 byte&0x04 0x04 \b, busy
+# >73 byte&0x08 0x08 \b, bozo
+# >73 byte&0x10 0x10 \b, system
+# >73 byte&0x10 0x20 \b, bundle
+# >73 byte&0x10 0x40 \b, invisible
+# >73 byte&0x10 0x80 \b, locked
+
+>65 string x \b, type "%4.4s"
+
+>65 string 8BIM (PhotoShop)
+>65 string ALB3 (PageMaker 3)
+>65 string ALB4 (PageMaker 4)
+>65 string ALT3 (PageMaker 3)
+>65 string APPL (application)
+>65 string AWWP (AppleWorks word processor)
+>65 string CIRC (simulated circuit)
+>65 string DRWG (MacDraw)
+>65 string EPSF (Encapsulated PostScript)
+>65 string FFIL (font suitcase)
+>65 string FKEY (function key)
+>65 string FNDR (Macintosh Finder)
+>65 string GIFf (GIF image)
+>65 string Gzip (GNU gzip)
+>65 string INIT (system extension)
+>65 string LIB\ (library)
+>65 string LWFN (PostScript font)
+>65 string MSBC (Microsoft BASIC)
+>65 string PACT (Compact Pro archive)
+>65 string PDF\ (Portable Document Format)
+>65 string PICT (picture)
+>65 string PNTG (MacPaint picture)
+>65 string PREF (preferences)
+>65 string PROJ (Think C project)
+>65 string QPRJ (Think Pascal project)
+>65 string SCFL (Defender scores)
+>65 string SCRN (startup screen)
+>65 string SITD (StuffIt Deluxe)
+>65 string SPn3 (SuperPaint)
+>65 string STAK (HyperCard stack)
+>65 string Seg\ (StuffIt segment)
+>65 string TARF (Unix tar archive)
+>65 string TEXT (ASCII)
+>65 string TIFF (TIFF image)
+>65 string TOVF (Eudora table of contents)
+>65 string WDBN (Microsoft Word word processor)
+>65 string WORD (MacWrite word processor)
+>65 string XLS\ (Microsoft Excel)
+>65 string ZIVM (compress (.Z))
+>65 string ZSYS (Pre-System 7 system file)
+>65 string acf3 (Aldus FreeHand)
+>65 string cdev (control panel)
+>65 string dfil (Desk Acessory suitcase)
+>65 string libr (library)
+>65 string nX^d (WriteNow word processor)
+>65 string nX^w (WriteNow dictionary)
+>65 string rsrc (resource)
+>65 string scbk (Scrapbook)
+>65 string shlb (shared library)
+>65 string ttro (SimpleText read-only)
+>65 string zsys (system file)
+
+>69 string x \b, creator "%4.4s"
+
+# Somewhere, Apple has a repository of registered Creator IDs. These are
+# just the ones that I happened to have files from and was able to identify.
+
+>69 string 8BIM (Adobe Photoshop)
+>69 string ALD3 (PageMaker 3)
+>69 string ALD4 (PageMaker 4)
+>69 string ALFA (Alpha editor)
+>69 string APLS (Apple Scanner)
+>69 string APSC (Apple Scanner)
+>69 string BRKL (Brickles)
+>69 string BTFT (BitFont)
+>69 string CCL2 (Common Lisp 2)
+>69 string CCL\ (Common Lisp)
+>69 string CDmo (The Talking Moose)
+>69 string CPCT (Compact Pro)
+>69 string CSOm (Eudora)
+>69 string DMOV (Font/DA Mover)
+>69 string DSIM (DigSim)
+>69 string EDIT (Macintosh Edit)
+>69 string ERIK (Macintosh Finder)
+>69 string EXTR (self-extracting archive)
+>69 string Gzip (GNU gzip)
+>69 string KAHL (Think C)
+>69 string LWFU (LaserWriter Utility)
+>69 string LZIV (compress)
+>69 string MACA (MacWrite)
+>69 string MACS (Macintosh operating system)
+>69 string MAcK (MacKnowledge terminal emulator)
+>69 string MLND (Defender)
+>69 string MPNT (MacPaint)
+>69 string MSBB (Microsoft BASIC (binary))
+>69 string MSWD (Microsoft Word)
+>69 string NCSA (NCSA Telnet)
+>69 string PJMM (Think Pascal)
+>69 string PSAL (Hunt the Wumpus)
+>69 string PSI2 (Apple File Exchange)
+>69 string R*ch (BBEdit)
+>69 string RMKR (Resource Maker)
+>69 string RSED (Resource Editor)
+>69 string Rich (BBEdit)
+>69 string SIT! (StuffIt)
+>69 string SPNT (SuperPaint)
+>69 string Unix (NeXT Mac filesystem)
+>69 string VIM! (Vim editor)
+>69 string WILD (HyperCard)
+>69 string XCEL (Microsoft Excel)
+>69 string aCa2 (Fontographer)
+>69 string aca3 (Aldus FreeHand)
+>69 string dosa (Macintosh MS-DOS file system)
+>69 string movr (Font/DA Mover)
+>69 string nX^n (WriteNow)
+>69 string pdos (Apple ProDOS file system)
+>69 string scbk (Scrapbook)
+>69 string ttxt (SimpleText)
+>69 string ufox (Foreign File Access)
+
+# Just in case...
+
+102 string mBIN MacBinary III data with surprising version number
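Review bot: In the commented-out Finder flag list, the last three tests reuse the mask from the "system" line (`byte&0x10 0x20`, `byte&0x10 0x40`, `byte&0x10 0x80`), so they could never match if someone enables them; the masks should be 0x20, 0x40 and 0x80. Also in this hunk: "Desk Acessory" in the `dfil` line is misspelled, and only the APPL entry was switched to `\b: %s` while the remaining `>2 string x : %s` lines keep the old spacing.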
0 string Received: RFC 822 mail text
0 string MIME-Version: MIME entity text
#0 string Content- MIME entity text
+
+# TNEF files...
+0 lelong 0x223E9F78 Transport Neutral Encapsulation Format
0 string \360\175\000\000 Microsoft Visual C library
#.pch
-0 string DTJPCH0\000\022\103\006\200 Microsoft visula C .pch
+0 string DTJPCH0\000\022\103\006\200 Microsoft Visual C .pch
# .pdb
# too long 0 string Microsoft\ C/C++\ program\ database\
--- /dev/null
+# often the module starts with a multiline string
+0 string """ a python script text executable
+# MAGIC as specified in Python/import.c (1.5.2/1.6)
+# 20121 ( YEAR - 1995 ) + MONTH + DAY (little endian followed by "\r\n"
+0 belong 0x994e0d0a python compiled
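Review bot: `0 string """` labels any file that begins with three double quotes as a Python script, a three-byte text test with nothing to confirm it; it should be ordered after more specific text tests or given a second check. The comment above the compiled entry has an unclosed parenthesis and cites 1.5.2/1.6, but `0 belong 0x994e0d0a` matches only the single magic value 20121, so the description should say which version it identifies.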
>20 lelong 14 (BSD/OS PPP
>16 lelong x \b, capture length %d)
+#
+# "libpcap"-with-Alexey-Kuznetsov's-patches capture files.
+# (We call them "tcpdump capture file(s)" for now, as "tcpdump" is
+# the main program that uses that format, but there are other programs
+# that use "libpcap", or that use the same capture file format.)
+#
+0 ubelong 0xa1b2cd34 extended tcpdump capture file (big-endian)
+>4 beshort x - version %d
+>6 beshort x \b.%d
+>20 belong 0 (No link-layer encapsulation
+>20 belong 1 (Ethernet
+>20 belong 2 (3Mb Ethernet
+>20 belong 3 (AX.25
+>20 belong 4 (ProNET
+>20 belong 5 (CHAOS
+>20 belong 6 (IEEE 802.x network
+>20 belong 7 (ARCNET
+>20 belong 8 (SLIP
+>20 belong 9 (PPP
+>20 belong 10 (FDDI
+>20 belong 11 (RFC 1483 ATM
+>20 belong 12 (raw IP
+>20 belong 13 (BSD/OS SLIP
+>20 belong 14 (BSD/OS PPP
+>16 belong x \b, capture length %d)
+0 ulelong 0xa1b2cd34 extended tcpdump capture file (little-endian)
+>4 leshort x - version %d
+>6 leshort x \b.%d
+>20 lelong 0 (No link-layer encapsulation
+>20 lelong 1 (Ethernet
+>20 lelong 2 (3Mb Ethernet
+>20 lelong 3 (AX.25
+>20 lelong 4 (ProNET
+>20 lelong 5 (CHAOS
+>20 lelong 6 (IEEE 802.x network
+>20 lelong 7 (ARCNET
+>20 lelong 8 (SLIP
+>20 lelong 9 (PPP
+>20 lelong 10 (FDDI
+>20 lelong 11 (RFC 1483 ATM
+>20 lelong 12 (raw IP
+>20 lelong 13 (BSD/OS SLIP
+>20 lelong 14 (BSD/OS PPP
+>16 lelong x \b, capture length %d)
+
#
# AIX "iptrace" capture files.
#
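Review bot: Both new blocks open the parenthesis only in the `>20` link-type lines (values 0 to 14) and close it in the `>16` line, so a capture with any other link-layer type prints "\b, capture length %d)" with no opening "(" and no type name. Suggest a fallback `>20` line for unlisted values, or moving the "(" into a line that always prints. The 15-entry list is also repeated once per byte order, so the copies have to be kept in step by hand; a comment saying so would help the next editor.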
0 string \\" troff or preprocessor input text
# ditroff intermediate output text
-0 string x\ T ditroff text
+0 string x\ T ditroff output text
>4 string cat for the C/A/T phototypesetter
>4 string ps for PostScript
>4 string dvi for DVI
# -----------------------------------------------------------
# VMware specific files (deducted from version 1.1 and log file entries)
# Anthon van der Neut (anthon@mnt.org)
-0 belong 0x4d52564e VMware nvram
-0 belong 0x434f5744 VMware virtual disk
->32 lelong x (%d/
->36 lelong x \b%d/
->40 lelong x \b%d)
+0 belong 0x4d52564e VMware nvram
+0 belong 0x434f5744
+>8 byte 3 VMware virtual disk
+>>32 lelong x (%d/
+>>36 lelong x \b%d/
+>>40 lelong x \b%d)
+>8 byte 2 VMware undoable disk
+>>32 string >\0 (%s)
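Review bot: After this change `0 belong 0x434f5744` carries no description of its own, and only `>8 byte 3` and `>8 byte 2` print anything, so a file with that magic and any other value at offset 8 matches without being described. Suggest keeping a generic description on the top-level line or adding a fallback `>8` line that prints the unrecognised value.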