From 267515266fcf6702f1b7ed6a4024b2bbb4c55305 Mon Sep 17 00:00:00 2001
From: Christos Zoulas <christos@zoulas.com>
Date: Thu, 2 Jan 1997 01:14:53 +0000
Subject: [PATCH] Initial revision

---
 magic/Magdir/sniffer | 62 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 62 insertions(+)
 create mode 100644 magic/Magdir/sniffer

diff --git a/magic/Magdir/sniffer b/magic/Magdir/sniffer
new file mode 100644
index 00000000..f3a1b607
--- /dev/null
+++ b/magic/Magdir/sniffer
@@ -0,0 +1,62 @@
+#------------------------------------------------------------------------------
+# sniffer:  file(1) magic for packet captured files
+#
+# From: guy@netapp.com (Guy Harris)
+#
+# Microsoft NetMon (packet capture/display program) capture files.
+#
+0	string		RTSS		NetMon capture file
+>4	byte		x		- version %d
+>5	byte		x		\b.%d
+#
+# Network General Sniffer capture files (the Sniffer software does,
+# after all, run under MS-DOS...).
+#
+0	string		TRSNIFF\ data\ \ \ \ \032	Sniffer capture file
+>23	leshort		x		- version %d
+>25	leshort		x		\b.%d
+>33	byte		x		(Format %d,
+>32	byte		0		Token ring)
+>32	byte		1		Ethernet)
+>32	byte		2		ARCnet)
+>32	byte		3		StarLAN)
+>32	byte		4		PC Network broadband)
+>32	byte		5		LocalTalk)
+>32	byte		6		Znet)
+#
+# (We call them "tcpdump capture file(s)" for now, as "tcpdump" is
+# the main program that uses that format, but there's also "tcpview",
+# and there may be others in the future.)
+#
+0	ubelong		0xa1b2c3d4	tcpdump capture file (big-endian)
+>4	beshort		x		- version %d
+>6	beshort		x		\b.%d
+>20	belong		0		(No link-layer encapsulation
+>20	belong		1		(Ethernet
+>20	belong		2		(3Mb Ethernet
+>20	belong		3		(AX.25
+>20	belong		4		(ProNet
+>20	belong		5		(Chaos
+>20	belong		6		(IEEE 802.x network
+>20	belong		7		(ARCnet
+>20	belong		8		(SLIP
+>20	belong		9		(PPP
+>20	belong		10		(FDDI
+>20	belong		11		(RFC 1483 ATM
+>16	belong		x		\b, capture length %d)
+0	ulelong		0xa1b2c3d4	tcpdump capture file (little-endian)
+>4	leshort		x		- version %d
+>6	leshort		x		\b.%d
+>20	lelong		0		(No link-layer encapsulation
+>20	lelong		1		(Ethernet
+>20	lelong		2		(3Mb Ethernet
+>20	lelong		3		(AX.25
+>20	lelong		4		(ProNet
+>20	lelong		5		(Chaos
+>20	lelong		6		(IEEE 802.x network
+>20	lelong		7		(ARCnet
+>20	lelong		8		(SLIP
+>20	lelong		9		(PPP
+>20	lelong		10		(FDDI
+>20	lelong		11		(RFC 1483 ATM
+>16	lelong		x		\b, capture length %d)
-- 
2.40.0