head	1.2;
access;
symbols
	RELENG_8_4:1.2.0.2
	RELENG_9_1_0_RELEASE:1.1.1.5.34.1
	RELENG_9_1:1.1.1.5.34.1.0.2
	RELENG_9_1_BP:1.1.1.5.34.1
	RELENG_8_3_0_RELEASE:1.1.1.5
	RELENG_8_3:1.1.1.5.0.38
	RELENG_8_3_BP:1.1.1.5
	RELENG_9_0_0_RELEASE:1.1.1.5
	RELENG_9_0:1.1.1.5.0.36
	RELENG_9_0_BP:1.1.1.5
	RELENG_9:1.1.1.5.0.34
	RELENG_9_BP:1.1.1.5
	RELENG_7_4_0_RELEASE:1.1.1.5
	RELENG_8_2_0_RELEASE:1.1.1.5
	RELENG_7_4:1.1.1.5.0.32
	RELENG_7_4_BP:1.1.1.5
	RELENG_8_2:1.1.1.5.0.30
	RELENG_8_2_BP:1.1.1.5
	RELENG_8_1_0_RELEASE:1.1.1.5
	RELENG_8_1:1.1.1.5.0.28
	RELENG_8_1_BP:1.1.1.5
	RELENG_7_3_0_RELEASE:1.1.1.5
	RELENG_7_3:1.1.1.5.0.26
	RELENG_7_3_BP:1.1.1.5
	RELENG_8_0_0_RELEASE:1.1.1.5
	RELENG_8_0:1.1.1.5.0.24
	RELENG_8_0_BP:1.1.1.5
	RELENG_8:1.1.1.5.0.22
	RELENG_8_BP:1.1.1.5
	RELENG_7_2_0_RELEASE:1.1.1.5
	RELENG_7_2:1.1.1.5.0.20
	RELENG_7_2_BP:1.1.1.5
	RELENG_7_1_0_RELEASE:1.1.1.5
	RELENG_6_4_0_RELEASE:1.1.1.5
	RELENG_7_1:1.1.1.5.0.18
	RELENG_7_1_BP:1.1.1.5
	RELENG_6_4:1.1.1.5.0.16
	RELENG_6_4_BP:1.1.1.5
	RELENG_7_0_0_RELEASE:1.1.1.5
	file_4_23__r1_46:1.1.1.5
	RELENG_6_3_0_RELEASE:1.1.1.5
	file_4_23:1.1.1.5
	RELENG_7_0:1.1.1.5.0.14
	RELENG_7_0_BP:1.1.1.5
	RELENG_6_3:1.1.1.5.0.12
	RELENG_6_3_BP:1.1.1.5
	RELENG_7:1.1.1.5.0.10
	RELENG_7_BP:1.1.1.5
	file_4_21:1.1.1.5
	file_4_19:1.1.1.5
	RELENG_6_2_0_RELEASE:1.1.1.5
	RELENG_6_2:1.1.1.5.0.8
	RELENG_6_2_BP:1.1.1.5
	file_4_17_A:1.1
	file_4_17:1.1.1.5
	RELENG_5_5_0_RELEASE:1.1.1.4
	RELENG_5_5:1.1.1.4.0.8
	RELENG_5_5_BP:1.1.1.4
	RELENG_6_1_0_RELEASE:1.1.1.5
	RELENG_6_1:1.1.1.5.0.6
	RELENG_6_1_BP:1.1.1.5
	RELENG_6_0_0_RELEASE:1.1.1.5
	RELENG_6_0:1.1.1.5.0.4
	RELENG_6_0_BP:1.1.1.5
	RELENG_6:1.1.1.5.0.2
	RELENG_6_BP:1.1.1.5
	RELENG_5_4_0_RELEASE:1.1.1.4
	RELENG_5_4:1.1.1.4.0.6
	RELENG_5_4_BP:1.1.1.4
	RELENG_4_11_0_RELEASE:1.1.1.1.2.3
	file_4_12:1.1.1.5
	RELENG_4_11:1.1.1.1.2.3.0.8
	RELENG_4_11_BP:1.1.1.1.2.3
	RELENG_5_3_0_RELEASE:1.1.1.4
	RELENG_5_3:1.1.1.4.0.4
	RELENG_5_3_BP:1.1.1.4
	RELENG_5:1.1.1.4.0.2
	RELENG_5_BP:1.1.1.4
	file_4_10:1.1.1.4
	RELENG_4_10_0_RELEASE:1.1.1.1.2.3
	RELENG_4_10:1.1.1.1.2.3.0.6
	RELENG_4_10_BP:1.1.1.1.2.3
	RELENG_5_2_1_RELEASE:1.1.1.3
	RELENG_5_2_0_RELEASE:1.1.1.3
	RELENG_5_2:1.1.1.3.0.6
	RELENG_5_2_BP:1.1.1.3
	RELENG_4_9_0_RELEASE:1.1.1.1.2.3
	RELENG_4_9:1.1.1.1.2.3.0.4
	RELENG_4_9_BP:1.1.1.1.2.3
	RELENG_5_1_0_RELEASE:1.1.1.3
	RELENG_5_1:1.1.1.3.0.4
	RELENG_5_1_BP:1.1.1.3
	RELENG_4_8_0_RELEASE:1.1.1.1.2.3
	RELENG_4_8:1.1.1.1.2.3.0.2
	RELENG_4_8_BP:1.1.1.1.2.3
	file_3_41:1.1.1.3
	file_3_40:1.1.1.3
	RELENG_5_0_0_RELEASE:1.1.1.3
	RELENG_5_0:1.1.1.3.0.2
	RELENG_5_0_BP:1.1.1.3
	RELENG_4_7_0_RELEASE:1.1.1.1.2.2
	RELENG_4_7:1.1.1.1.2.2.0.8
	RELENG_4_7_BP:1.1.1.1.2.2
	file_3_39:1.1.1.3
	RELENG_4_6_2_RELEASE:1.1.1.1.2.2
	RELENG_4_6_1_RELEASE:1.1.1.1.2.2
	RELENG_4_6_0_RELEASE:1.1.1.1.2.2
	RELENG_4_6:1.1.1.1.2.2.0.6
	RELENG_4_6_BP:1.1.1.1.2.2
	RELENG_4_5_0_RELEASE:1.1.1.1.2.2
	RELENG_4_5:1.1.1.1.2.2.0.4
	RELENG_4_5_BP:1.1.1.1.2.2
	file_3_37:1.1.1.3
	RELENG_4_4_0_RELEASE:1.1.1.1.2.2
	RELENG_4_4:1.1.1.1.2.2.0.2
	RELENG_4_4_BP:1.1.1.1.2.2
	file_3_36:1.1.1.2
	file_3_35:1.1.1.1
	RELENG_4_3_0_RELEASE:1.1.1.1.2.1
	RELENG_4_3:1.1.1.1.2.1.0.2
	RELENG_4_3_BP:1.1.1.1.2.1
	file_3_34:1.1.1.1
	RELENG_4:1.1.1.1.0.2
	file_3_33:1.1.1.1
	file_3_32:1.1.1.1
	ZOULAS:1.1.1;
locks; strict;
comment	@# @;


1.2
date	2012.04.19.03.20.13;	author obrien;	state Exp;
branches
	1.2.2.1;
next	1.1;

1.1
date	2000.11.05.08.33.55;	author obrien;	state Exp;
branches
	1.1.1.1;
next	;

1.2.2.1
date	2012.04.19.03.20.13;	author svnexp;	state dead;
branches;
next	1.2.2.2;

1.2.2.2
date	2013.03.28.13.00.45;	author svnexp;	state Exp;
branches;
next	;

1.1.1.1
date	2000.11.05.08.33.55;	author obrien;	state Exp;
branches
	1.1.1.1.2.1;
next	1.1.1.2;

1.1.1.2
date	2001.07.30.03.09.46;	author obrien;	state Exp;
branches;
next	1.1.1.3;

1.1.1.3
date	2001.10.08.22.50.54;	author obrien;	state Exp;
branches;
next	1.1.1.4;

1.1.1.4
date	2004.08.09.08.45.41;	author obrien;	state Exp;
branches;
next	1.1.1.5;

1.1.1.5
date	2004.12.28.04.31.46;	author obrien;	state Exp;
branches
	1.1.1.5.34.1;
next	;

1.1.1.1.2.1
date	2000.11.26.21.37.25;	author obrien;	state Exp;
branches;
next	1.1.1.1.2.2;

1.1.1.1.2.2
date	2001.08.02.22.51.38;	author obrien;	state Exp;
branches;
next	1.1.1.1.2.3;

1.1.1.1.2.3
date	2003.03.16.04.44.56;	author obrien;	state Exp;
branches;
next	;

1.1.1.5.34.1
date	2012.07.02.08.48.58;	author obrien;	state Exp;
branches;
next	;


desc
@@


1.2
log
@SVN rev 234449 on 2012-04-19 03:20:13Z by obrien

Update file(1) to version 5.11.
@
text
@
#------------------------------------------------------------------------------
# $File: sniffer,v 1.18 2011/08/08 08:49:27 christos Exp $
# sniffer:  file(1) magic for packet capture files
#
# From: guy@@alum.mit.edu (Guy Harris)
#

#
# Microsoft Network Monitor 1.x capture files.
#
0	string		RTSS		NetMon capture file
>5	byte		x		- version %d
>4	byte		x		\b.%d
>6	leshort		0		(Unknown)
>6	leshort		1		(Ethernet)
>6	leshort		2		(Token Ring)
>6	leshort		3		(FDDI)
>6	leshort		4		(ATM)

#
# Microsoft Network Monitor 2.x capture files.
#
0	string		GMBU		NetMon capture file
>5	byte		x		- version %d
>4	byte		x		\b.%d
>6	leshort		0		(Unknown)
>6	leshort		1		(Ethernet)
>6	leshort		2		(Token Ring)
>6	leshort		3		(FDDI)
>6	leshort		4		(ATM)

#
# Network General Sniffer capture files.
# Sorry, make that "Network Associates Sniffer capture files."
# Sorry, make that "Network General old DOS Sniffer capture files."
#
0	string		TRSNIFF\ data\ \ \ \ \032	Sniffer capture file
>33	byte		2		(compressed)
>23	leshort		x		- version %d
>25	leshort		x		\b.%d
>32	byte		0		(Token Ring)
>32	byte		1		(Ethernet)
>32	byte		2		(ARCNET)
>32	byte		3		(StarLAN)
>32	byte		4		(PC Network broadband)
>32	byte		5		(LocalTalk)
>32	byte		6		(Znet)
>32	byte		7		(Internetwork Analyzer)
>32	byte		9		(FDDI)
>32	byte		10		(ATM)

#
# Cinco Networks NetXRay capture files.
# Sorry, make that "Network General Sniffer Basic capture files."
# Sorry, make that "Network Associates Sniffer Basic capture files."
# Sorry, make that "Network Associates Sniffer Basic, and Windows
# Sniffer Pro, capture files."
# Sorry, make that "Network General Sniffer capture files."
#
0	string		XCP\0		NetXRay capture file
>4	string		>\0		- version %s
>44	leshort		0		(Ethernet)
>44	leshort		1		(Token Ring)
>44	leshort		2		(FDDI)
>44	leshort		3		(WAN)
>44	leshort		8		(ATM)
>44	leshort		9		(802.11)

#
# "libpcap" capture files.
# (We call them "tcpdump capture file(s)" for now, as "tcpdump" is
# the main program that uses that format, but there are other programs
# that use "libpcap", or that use the same capture file format.)
#
0	ubelong		0xa1b2c3d4	tcpdump capture file (big-endian)
!:mime	application/vnd.tcpdump.pcap
>4	beshort		x		- version %d
>6	beshort		x		\b.%d
>20	belong		0		(No link-layer encapsulation
>20	belong		1		(Ethernet
>20	belong		2		(3Mb Ethernet
>20	belong		3		(AX.25
>20	belong		4		(ProNET
>20	belong		5		(CHAOS
>20	belong		6		(Token Ring
>20	belong		7		(BSD ARCNET
>20	belong		8		(SLIP
>20	belong		9		(PPP
>20	belong		10		(FDDI
>20	belong		11		(RFC 1483 ATM
>20	belong		12		(raw IP
>20	belong		13		(BSD/OS SLIP
>20	belong		14		(BSD/OS PPP
>20	belong		19		(Linux ATM Classical IP
>20	belong		50		(PPP or Cisco HDLC
>20	belong		51		(PPP-over-Ethernet
>20	belong		99		(Symantec Enterprise Firewall
>20	belong		100		(RFC 1483 ATM
>20	belong		101		(raw IP
>20	belong		102		(BSD/OS SLIP
>20	belong		103		(BSD/OS PPP
>20	belong		104		(BSD/OS Cisco HDLC
>20	belong		105		(802.11
>20	belong		106		(Linux Classical IP over ATM
>20	belong		107		(Frame Relay
>20	belong		108		(OpenBSD loopback
>20	belong		109		(OpenBSD IPsec encrypted
>20	belong		112		(Cisco HDLC
>20	belong		113		(Linux "cooked"
>20	belong		114		(LocalTalk
>20	belong		117		(OpenBSD PFLOG
>20	belong		119		(802.11 with Prism header
>20	belong		122		(RFC 2625 IP over Fibre Channel
>20	belong		123		(SunATM
>20	belong		127		(802.11 with radiotap header
>20	belong		129		(Linux ARCNET
>20	belong		138		(Apple IP over IEEE 1394
>20	belong		140		(MTP2
>20	belong		141		(MTP3
>20	belong		143		(DOCSIS
>20	belong		144		(IrDA
>20	belong		147		(Private use 0
>20	belong		148		(Private use 1
>20	belong		149		(Private use 2
>20	belong		150		(Private use 3
>20	belong		151		(Private use 4
>20	belong		152		(Private use 5
>20	belong		153		(Private use 6
>20	belong		154		(Private use 7
>20	belong		155		(Private use 8
>20	belong		156		(Private use 9
>20	belong		157		(Private use 10
>20	belong		158		(Private use 11
>20	belong		159		(Private use 12
>20	belong		160		(Private use 13
>20	belong		161		(Private use 14
>20	belong		162		(Private use 15
>20	belong		163		(802.11 with AVS header
>16	belong		x		\b, capture length %d)
0	ulelong		0xa1b2c3d4	tcpdump capture file (little-endian)
!:mime	application/vnd.tcpdump.pcap
>4	leshort		x		- version %d
>6	leshort		x		\b.%d
>20	lelong		0		(No link-layer encapsulation
>20	lelong		1		(Ethernet
>20	lelong		2		(3Mb Ethernet
>20	lelong		3		(AX.25
>20	lelong		4		(ProNET
>20	lelong		5		(CHAOS
>20	lelong		6		(Token Ring
>20	lelong		7		(ARCNET
>20	lelong		8		(SLIP
>20	lelong		9		(PPP
>20	lelong		10		(FDDI
>20	lelong		11		(RFC 1483 ATM
>20	lelong		12		(raw IP
>20	lelong		13		(BSD/OS SLIP
>20	lelong		14		(BSD/OS PPP
>20	lelong		19		(Linux ATM Classical IP
>20	lelong		50		(PPP or Cisco HDLC
>20	lelong		51		(PPP-over-Ethernet
>20	lelong		99		(Symantec Enterprise Firewall
>20	lelong		100		(RFC 1483 ATM
>20	lelong		101		(raw IP
>20	lelong		102		(BSD/OS SLIP
>20	lelong		103		(BSD/OS PPP
>20	lelong		104		(BSD/OS Cisco HDLC
>20	lelong		105		(802.11
>20	lelong		106		(Linux Classical IP over ATM
>20	lelong		107		(Frame Relay
>20	lelong		108		(OpenBSD loopback
>20	lelong		109		(OpenBSD IPsec encrypted
>20	lelong		112		(Cisco HDLC
>20	lelong		113		(Linux "cooked"
>20	lelong		114		(LocalTalk
>20	lelong		117		(OpenBSD PFLOG
>20	lelong		119		(802.11 with Prism header
>20	lelong		122		(RFC 2625 IP over Fibre Channel
>20	lelong		123		(SunATM
>20	lelong		127		(802.11 with radiotap header
>20	lelong		129		(Linux ARCNET
>20	lelong		138		(Apple IP over IEEE 1394
>20	lelong		140		(MTP2
>20	lelong		141		(MTP3
>20	lelong		143		(DOCSIS
>20	lelong		144		(IrDA
>20	lelong		147		(Private use 0
>20	lelong		148		(Private use 1
>20	lelong		149		(Private use 2
>20	lelong		150		(Private use 3
>20	lelong		151		(Private use 4
>20	lelong		152		(Private use 5
>20	lelong		153		(Private use 6
>20	lelong		154		(Private use 7
>20	lelong		155		(Private use 8
>20	lelong		156		(Private use 9
>20	lelong		157		(Private use 10
>20	lelong		158		(Private use 11
>20	lelong		159		(Private use 12
>20	lelong		160		(Private use 13
>20	lelong		161		(Private use 14
>20	lelong		162		(Private use 15
>20	lelong		163		(802.11 with AVS header
>16	lelong		x		\b, capture length %d)

#
# "libpcap"-with-Alexey-Kuznetsov's-patches capture files.
# (We call them "tcpdump capture file(s)" for now, as "tcpdump" is
# the main program that uses that format, but there are other programs
# that use "libpcap", or that use the same capture file format.)
#
0	ubelong		0xa1b2cd34	extended tcpdump capture file (big-endian)
>4	beshort		x		- version %d
>6	beshort		x		\b.%d
>20	belong		0		(No link-layer encapsulation
>20	belong		1		(Ethernet
>20	belong		2		(3Mb Ethernet
>20	belong		3		(AX.25
>20	belong		4		(ProNET
>20	belong		5		(CHAOS
>20	belong		6		(Token Ring
>20	belong		7		(ARCNET
>20	belong		8		(SLIP
>20	belong		9		(PPP
>20	belong		10		(FDDI
>20	belong		11		(RFC 1483 ATM
>20	belong		12		(raw IP
>20	belong		13		(BSD/OS SLIP
>20	belong		14		(BSD/OS PPP
>16	belong		x		\b, capture length %d)
0	ulelong		0xa1b2cd34	extended tcpdump capture file (little-endian)
>4	leshort		x		- version %d
>6	leshort		x		\b.%d
>20	lelong		0		(No link-layer encapsulation
>20	lelong		1		(Ethernet
>20	lelong		2		(3Mb Ethernet
>20	lelong		3		(AX.25
>20	lelong		4		(ProNET
>20	lelong		5		(CHAOS
>20	lelong		6		(Token Ring
>20	lelong		7		(ARCNET
>20	lelong		8		(SLIP
>20	lelong		9		(PPP
>20	lelong		10		(FDDI
>20	lelong		11		(RFC 1483 ATM
>20	lelong		12		(raw IP
>20	lelong		13		(BSD/OS SLIP
>20	lelong		14		(BSD/OS PPP
>16	lelong		x		\b, capture length %d)

#
# "pcap-ng" capture files.
# http://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html
# Pcap-ng files can contain multiple sections, each with its own Section Header Block (SHB).
# Printing the endianness, snaplen, or other information from the first SHB may be misleading.
#
0	ubelong		0x0a0d0d0a
>8	ubelong		0x1a2b3c4d	pcap-ng capture file
>>12	beshort		x		- version %d
>>14	beshort		x		\b.%d
0	ulelong		0x0a0d0d0a
>8	ulelong		0x1a2b3c4d	pcap-ng capture file
>>12	leshort		x		- version %d
>>14	leshort		x		\b.%d

#
# AIX "iptrace" capture files.
#
0	string		iptrace\ 1.0	"iptrace" capture file
0	string		iptrace\ 2.0	"iptrace" capture file

#
# Novell LANalyzer capture files.
#
0	leshort		0x1001		LANalyzer capture file
0	leshort		0x1007		LANalyzer capture file

#
# HP-UX "nettl" capture files.
#
0	string		\x54\x52\x00\x64\x00	"nettl" capture file

#
# RADCOM WAN/LAN Analyzer capture files.
#
0	string		\x42\xd2\x00\x34\x12\x66\x22\x88	RADCOM WAN/LAN Analyzer capture file

#
# NetStumbler log files.  Not really packets, per se, but about as
# close as you can get.  These are log files from NetStumbler, a
# Windows program that scans for 802.11b networks.
#
0	string		NetS		NetStumbler log file
>8	lelong		x		\b, %d stations found

#
# EtherPeek/AiroPeek "version 9" capture files.
#
0	string		\177ver		EtherPeek/AiroPeek capture file

#
# Visual Networks traffic capture files.
#
0	string		\x05VNF		Visual Networks traffic capture file

#
# Network Instruments Observer capture files.
#
0	string		ObserverPktBuffe	Network Instruments Observer capture file

#
# Files from Accellent Group's 5View products.
#
0	string		\xaa\xaa\xaa\xaa	5View capture file
@


1.2.2.1
log
@file sniffer was added on branch RELENG_8_4 on 2013-03-28 13:00:45 +0000
@
text
@d1 315
@


1.2.2.2
log
@## SVN ## Exported commit - http://svnweb.freebsd.org/changeset/base/248810
## SVN ## CVS IS DEPRECATED: http://wiki.freebsd.org/CvsIsDeprecated
@
text
@a0 297

#------------------------------------------------------------------------------
# sniffer:  file(1) magic for packet capture files
#
# From: guy@@alum.mit.edu (Guy Harris)
#

#
# Microsoft Network Monitor 1.x capture files.
#
0	string		RTSS		NetMon capture file
>5	byte		x		- version %d
>4	byte		x		\b.%d
>6	leshort		0		(Unknown)
>6	leshort		1		(Ethernet)
>6	leshort		2		(Token Ring)
>6	leshort		3		(FDDI)
>6	leshort		4		(ATM)

#
# Microsoft Network Monitor 2.x capture files.
#
0	string		GMBU		NetMon capture file
>5	byte		x		- version %d
>4	byte		x		\b.%d
>6	leshort		0		(Unknown)
>6	leshort		1		(Ethernet)
>6	leshort		2		(Token Ring)
>6	leshort		3		(FDDI)
>6	leshort		4		(ATM)

#
# Network General Sniffer capture files.
# Sorry, make that "Network Associates Sniffer capture files."
# Sorry, make that "Network General old DOS Sniffer capture files."
#
0	string		TRSNIFF\ data\ \ \ \ \032	Sniffer capture file
>33	byte		2		(compressed)
>23	leshort		x		- version %d
>25	leshort		x		\b.%d
>32	byte		0		(Token Ring)
>32	byte		1		(Ethernet)
>32	byte		2		(ARCNET)
>32	byte		3		(StarLAN)
>32	byte		4		(PC Network broadband)
>32	byte		5		(LocalTalk)
>32	byte		6		(Znet)
>32	byte		7		(Internetwork Analyzer)
>32	byte		9		(FDDI)
>32	byte		10		(ATM)

#
# Cinco Networks NetXRay capture files.
# Sorry, make that "Network General Sniffer Basic capture files."
# Sorry, make that "Network Associates Sniffer Basic capture files."
# Sorry, make that "Network Associates Sniffer Basic, and Windows
# Sniffer Pro", capture files."
# Sorry, make that "Network General Sniffer capture files."
#
0	string		XCP\0		NetXRay capture file
>4	string		>\0		- version %s
>44	leshort		0		(Ethernet)
>44	leshort		1		(Token Ring)
>44	leshort		2		(FDDI)
>44	leshort		3		(WAN)
>44	leshort		8		(ATM)
>44	leshort		9		(802.11)

#
# "libpcap" capture files.
# (We call them "tcpdump capture file(s)" for now, as "tcpdump" is
# the main program that uses that format, but there are other programs
# that use "libpcap", or that use the same capture file format.)
#
0	ubelong		0xa1b2c3d4	tcpdump capture file (big-endian)
>4	beshort		x		- version %d
>6	beshort		x		\b.%d
>20	belong		0		(No link-layer encapsulation
>20	belong		1		(Ethernet
>20	belong		2		(3Mb Ethernet
>20	belong		3		(AX.25
>20	belong		4		(ProNET
>20	belong		5		(CHAOS
>20	belong		6		(Token Ring
>20	belong		7		(BSD ARCNET
>20	belong		8		(SLIP
>20	belong		9		(PPP
>20	belong		10		(FDDI
>20	belong		11		(RFC 1483 ATM
>20	belong		12		(raw IP
>20	belong		13		(BSD/OS SLIP
>20	belong		14		(BSD/OS PPP
>20	belong		19		(Linux ATM Classical IP
>20	belong		50		(PPP or Cisco HDLC
>20	belong		51		(PPP-over-Ethernet
>20	belong		99		(Symantec Enterprise Firewall
>20	belong		100		(RFC 1483 ATM
>20	belong		101		(raw IP
>20	belong		102		(BSD/OS SLIP
>20	belong		103		(BSD/OS PPP
>20	belong		104		(BSD/OS Cisco HDLC
>20	belong		105		(802.11
>20	belong		106		(Linux Classical IP over ATM
>20	belong		107		(Frame Relay
>20	belong		108		(OpenBSD loopback
>20	belong		109		(OpenBSD IPsec encrypted
>20	belong		112		(Cisco HDLC
>20	belong		113		(Linux "cooked"
>20	belong		114		(LocalTalk
>20	belong		117		(OpenBSD PFLOG
>20	belong		119		(802.11 with Prism header
>20	belong		122		(RFC 2625 IP over Fibre Channel
>20	belong		123		(SunATM
>20	belong		127		(802.11 with radiotap header
>20	belong		129		(Linux ARCNET
>20	belong		138		(Apple IP over IEEE 1394
>20	belong		140		(MTP2
>20	belong		141		(MTP3
>20	belong		143		(DOCSIS
>20	belong		144		(IrDA
>20	belong		147		(Private use 0
>20	belong		148		(Private use 1
>20	belong		149		(Private use 2
>20	belong		150		(Private use 3
>20	belong		151		(Private use 4
>20	belong		152		(Private use 5
>20	belong		153		(Private use 6
>20	belong		154		(Private use 7
>20	belong		155		(Private use 8
>20	belong		156		(Private use 9
>20	belong		157		(Private use 10
>20	belong		158		(Private use 11
>20	belong		159		(Private use 12
>20	belong		160		(Private use 13
>20	belong		161		(Private use 14
>20	belong		162		(Private use 15
>20	belong		163		(802.11 with AVS header
>16	belong		x		\b, capture length %d)
0	ulelong		0xa1b2c3d4	tcpdump capture file (little-endian)
>4	leshort		x		- version %d
>6	leshort		x		\b.%d
>20	lelong		0		(No link-layer encapsulation
>20	lelong		1		(Ethernet
>20	lelong		2		(3Mb Ethernet
>20	lelong		3		(AX.25
>20	lelong		4		(ProNET
>20	lelong		5		(CHAOS
>20	lelong		6		(Token Ring
>20	lelong		7		(ARCNET
>20	lelong		8		(SLIP
>20	lelong		9		(PPP
>20	lelong		10		(FDDI
>20	lelong		11		(RFC 1483 ATM
>20	lelong		12		(raw IP
>20	lelong		13		(BSD/OS SLIP
>20	lelong		14		(BSD/OS PPP
>20	lelong		19		(Linux ATM Classical IP
>20	lelong		50		(PPP or Cisco HDLC
>20	lelong		51		(PPP-over-Ethernet
>20	lelong		99		(Symantec Enterprise Firewall
>20	lelong		100		(RFC 1483 ATM
>20	lelong		101		(raw IP
>20	lelong		102		(BSD/OS SLIP
>20	lelong		103		(BSD/OS PPP
>20	lelong		104		(BSD/OS Cisco HDLC
>20	lelong		105		(802.11
>20	lelong		106		(Linux Classical IP over ATM
>20	lelong		107		(Frame Relay
>20	lelong		108		(OpenBSD loopback
>20	lelong		109		(OpenBSD IPsec encrypted
>20	lelong		112		(Cisco HDLC
>20	lelong		113		(Linux "cooked"
>20	lelong		114		(LocalTalk
>20	lelong		117		(OpenBSD PFLOG
>20	lelong		119		(802.11 with Prism header
>20	lelong		122		(RFC 2625 IP over Fibre Channel
>20	lelong		123		(SunATM
>20	lelong		127		(802.11 with radiotap header
>20	lelong		129		(Linux ARCNET
>20	lelong		138		(Apple IP over IEEE 1394
>20	lelong		140		(MTP2
>20	lelong		141		(MTP3
>20	lelong		143		(DOCSIS
>20	lelong		144		(IrDA
>20	lelong		147		(Private use 0
>20	lelong		148		(Private use 1
>20	lelong		149		(Private use 2
>20	lelong		150		(Private use 3
>20	lelong		151		(Private use 4
>20	lelong		152		(Private use 5
>20	lelong		153		(Private use 6
>20	lelong		154		(Private use 7
>20	lelong		155		(Private use 8
>20	lelong		156		(Private use 9
>20	lelong		157		(Private use 10
>20	lelong		158		(Private use 11
>20	lelong		159		(Private use 12
>20	lelong		160		(Private use 13
>20	lelong		161		(Private use 14
>20	lelong		162		(Private use 15
>20	lelong		163		(802.11 with AVS header
>16	lelong		x		\b, capture length %d)

#
# "libpcap"-with-Alexey-Kuznetsov's-patches capture files.
# (We call them "tcpdump capture file(s)" for now, as "tcpdump" is
# the main program that uses that format, but there are other programs
# that use "libpcap", or that use the same capture file format.)
#
0	ubelong		0xa1b2cd34	extended tcpdump capture file (big-endian)
>4	beshort		x		- version %d
>6	beshort		x		\b.%d
>20	belong		0		(No link-layer encapsulation
>20	belong		1		(Ethernet
>20	belong		2		(3Mb Ethernet
>20	belong		3		(AX.25
>20	belong		4		(ProNET
>20	belong		5		(CHAOS
>20	belong		6		(Token Ring
>20	belong		7		(ARCNET
>20	belong		8		(SLIP
>20	belong		9		(PPP
>20	belong		10		(FDDI
>20	belong		11		(RFC 1483 ATM
>20	belong		12		(raw IP
>20	belong		13		(BSD/OS SLIP
>20	belong		14		(BSD/OS PPP
>16	belong		x		\b, capture length %d)
0	ulelong		0xa1b2cd34	extended tcpdump capture file (little-endian)
>4	leshort		x		- version %d
>6	leshort		x		\b.%d
>20	lelong		0		(No link-layer encapsulation
>20	lelong		1		(Ethernet
>20	lelong		2		(3Mb Ethernet
>20	lelong		3		(AX.25
>20	lelong		4		(ProNET
>20	lelong		5		(CHAOS
>20	lelong		6		(Token Ring
>20	lelong		7		(ARCNET
>20	lelong		8		(SLIP
>20	lelong		9		(PPP
>20	lelong		10		(FDDI
>20	lelong		11		(RFC 1483 ATM
>20	lelong		12		(raw IP
>20	lelong		13		(BSD/OS SLIP
>20	lelong		14		(BSD/OS PPP
>16	lelong		x		\b, capture length %d)

#
# AIX "iptrace" capture files.
#
0	string		iptrace\ 1.0	"iptrace" capture file
0	string		iptrace\ 2.0	"iptrace" capture file

#
# Novell LANalyzer capture files.
#
0	leshort		0x1001		LANalyzer capture file
0	leshort		0x1007		LANalyzer capture file

#
# HP-UX "nettl" capture files.
#
0	string		\x54\x52\x00\x64\x00	"nettl" capture file

#
# RADCOM WAN/LAN Analyzer capture files.
#
0	string		\x42\xd2\x00\x34\x12\x66\x22\x88	RADCOM WAN/LAN Analyzer capture file

#
# NetStumbler log files.  Not really packets, per se, but about as
# close as you can get.  These are log files from NetStumbler, a
# Windows program, that scans for 802.11b networks.
#
0	string		NetS		NetStumbler log file
>8	lelong		x		\b, %d stations found

#
# EtherPeek/AiroPeek "version 9" capture files.
#
0	string		\177ver		EtherPeek/AiroPeek capture file

#
# Visual Networks traffic capture files.
#
0	string		\x05VNF		Visual Networks traffic capture file

#
# Network Instruments Observer capture files.
#
0	string		ObserverPktBuffe	Network Instruments Observer capture file

#
# Files from Accellent Group's 5View products.
#
0	string		\xaa\xaa\xaa\xaa	5View capture file
@


1.1
log
@Initial revision
@
text
@d3 1
d13 2
a14 2
>4	byte		x		- version %d
>5	byte		x		\b.%d
d19 1
d25 2
a26 2
>4	byte		x		- version %d
>5	byte		x		\b.%d
d31 1
d36 1
d59 1
d66 3
d77 1
d86 2
a87 2
>20	belong		6		(IEEE 802.x network
>20	belong		7		(ARCNET
d95 45
d142 1
d151 1
a151 1
>20	lelong		6		(IEEE 802.x network
d160 45
d222 1
a222 1
>20	belong		6		(IEEE 802.x network
d241 1
a241 1
>20	lelong		6		(IEEE 802.x network
d253 15
d270 1
d288 28
@


1.1.1.1
log
@Virgin import of FILE 3.32
@
text
@@


1.1.1.2
log
@Virgin import of Christos Zoulas's FILE 3.36.
@
text
@d77 1
a77 1
>20	belong		6		(Token Ring
a85 10
>20	belong		50		(PPP or Cisco HDLC
>20	belong		100		(RFC 1483 ATM
>20	belong		101		(raw IP
>20	belong		102		(BSD/OS SLIP
>20	belong		103		(BSD/OS PPP
>20	belong		104		(BSD/OS Cisco HDLC
>20	belong		105		(Linux Classical IP over ATM
>20	belong		108		(OpenBSD loopback
>20	belong		109		(OpenBSD IPSEC encrypted
>20	belong		113		(Linux "cooked"
d96 1
a96 1
>20	lelong		6		(Token Ring
a104 10
>20	lelong		50		(PPP or Cisco HDLC
>20	lelong		100		(RFC 1483 ATM
>20	lelong		101		(raw IP
>20	lelong		102		(BSD/OS SLIP
>20	lelong		103		(BSD/OS PPP
>20	lelong		104		(BSD/OS Cisco HDLC
>20	lelong		105		(Linux Classical IP over ATM
>20	lelong		108		(OpenBSD loopback
>20	lelong		109		(OpenBSD IPSEC encrypted
>20	lelong		113		(Linux "cooked"
d122 1
a122 1
>20	belong		6		(Token Ring
d141 1
a141 1
>20	lelong		6		(Token Ring
@


1.1.1.3
log
@Virgin import of Christos Zoulas's FILE 3.37.
@
text
@a86 1
>20	belong		51		(PPP-over-Ethernet
d92 1
a92 2
>20	belong		105		(802.11
>20	belong		106		(Linux Classical IP over ATM
a95 1
>20	belong		114		(LocalTalk
a115 1
>20	lelong		51		(PPP-over-Ethernet
d121 1
a121 2
>20	lelong		105		(802.11
>20	lelong		106		(Linux Classical IP over ATM
a124 1
>20	lelong		114		(LocalTalk
a191 8

#
# NetStumbler log files.  Not really packets, per se, but about as
# close as you can get.  These are log files from NetStumbler, a
# Windows program, that scans for 802.11b networks.
#
0	string		NetS		NetStumbler log file
>8	lelong		x		\b, %d stations found
@


1.1.1.4
log
@Virgin import of Christos Zoulas's FILE 4.10.
*- file is now broken into a library containing and processing the magic
   and a consumer binary.
@
text
@d12 2
a13 2
>5	byte		x		- version %d
>4	byte		x		\b.%d
a17 1
>6	leshort		4		(ATM)
d23 2
a24 2
>5	byte		x		- version %d
>4	byte		x		\b.%d
a28 1
>6	leshort		4		(ATM)
a60 3
>44	leshort		3		(WAN)
>44	leshort		8		(ATM)
>44	leshort		9		(802.11)
d78 1
a78 1
>20	belong		7		(BSD ARCNET
a94 1
>20	belong		107		(Frame Relay
d96 1
a96 2
>20	belong		109		(OpenBSD IPsec encrypted
>20	belong		112		(Cisco HDLC
a98 9
>20	belong		117		(OpenBSD PFLOG
>20	belong		119		(802.11 with Prism header
>20	belong		123		(SunATM
>20	belong		127		(802.11 with radiotap header
>20	belong		129		(Linux ARCNET
>20	belong		140		(MTP2
>20	belong		141		(MTP3
>20	belong		143		(DOCSIS
>20	belong		144		(IrDA
a126 1
>20	lelong		107		(Frame Relay
a128 1
>20	lelong		112		(Cisco HDLC
a130 9
>20	lelong		117		(OpenBSD PFLOG
>20	lelong		119		(802.11 with Prism header
>20	lelong		123		(SunATM
>20	lelong		127		(802.11 with radiotap header
>20	lelong		129		(Linux ARCNET
>20	lelong		140		(MTP2
>20	lelong		141		(MTP3
>20	lelong		143		(DOCSIS
>20	lelong		144		(IrDA
a180 1
0	string		iptrace\ 1.0	"iptrace" capture file
@


1.1.1.5
log
@Virgin import of Christos Zoulas's FILE 4.12.
@
text
@a34 1
# Sorry, make that "Network General old DOS Sniffer capture files."
a56 1
# Sorry, make that "Network General Sniffer capture files."
a90 1
>20	belong		19		(Linux ATM Classical IP
a92 1
>20	belong		99		(Symantec Enterprise Firewall
a107 1
>20	belong		122		(RFC 2625 IP over Fibre Channel
a110 1
>20	belong		138		(Apple IP over IEEE 1394
a114 17
>20	belong		147		(Private use 0
>20	belong		148		(Private use 1
>20	belong		149		(Private use 2
>20	belong		150		(Private use 3
>20	belong		151		(Private use 4
>20	belong		152		(Private use 5
>20	belong		153		(Private use 6
>20	belong		154		(Private use 7
>20	belong		155		(Private use 8
>20	belong		156		(Private use 9
>20	belong		157		(Private use 10
>20	belong		158		(Private use 11
>20	belong		159		(Private use 12
>20	belong		160		(Private use 13
>20	belong		161		(Private use 14
>20	belong		162		(Private use 15
>20	belong		163		(802.11 with AVS header
a133 1
>20	lelong		19		(Linux ATM Classical IP
a135 1
>20	lelong		99		(Symantec Enterprise Firewall
d145 1
a145 1
>20	lelong		109		(OpenBSD IPsec encrypted
a150 1
>20	lelong		122		(RFC 2625 IP over Fibre Channel
a153 1
>20	lelong		138		(Apple IP over IEEE 1394
a157 17
>20	lelong		147		(Private use 0
>20	lelong		148		(Private use 1
>20	lelong		149		(Private use 2
>20	lelong		150		(Private use 3
>20	lelong		151		(Private use 4
>20	lelong		152		(Private use 5
>20	lelong		153		(Private use 6
>20	lelong		154		(Private use 7
>20	lelong		155		(Private use 8
>20	lelong		156		(Private use 9
>20	lelong		157		(Private use 10
>20	lelong		158		(Private use 11
>20	lelong		159		(Private use 12
>20	lelong		160		(Private use 13
>20	lelong		161		(Private use 14
>20	lelong		162		(Private use 15
>20	lelong		163		(802.11 with AVS header
a233 20

#
# EtherPeek/AiroPeek "version 9" capture files.
#
0	string		\177ver		EtherPeek/AiroPeek capture file

#
# Visual Networks traffic capture files.
#
0	string		\x05VNF		Visual Networks traffic capture file

#
# Network Instruments Observer capture files.
#
0	string		ObserverPktBuffe	Network Instruments Observer capture file

#
# Files from Accellent Group's 5View products.
#
0	string		\xaa\xaa\xaa\xaa	5View capture file
@


1.1.1.5.34.1
log
@SVN rev 237983 on 2012-07-02 08:48:58Z by obrien

MFC: r234449: update file(1) to version 5.11.
@
text
@a2 1
# $File: sniffer,v 1.18 2011/08/08 08:49:27 christos Exp $
a75 1
!:mime	application/vnd.tcpdump.pcap
a139 1
!:mime	application/vnd.tcpdump.pcap
a249 15
# "pcap-ng" capture files.
# http://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html
# Pcap-ng files can contain multiple sections. Printing the endianness,
# snaplen, or other information from the first SHB may be misleading.
#
0	ubelong		0x0a0d0d0a
>8	ubelong		0x1a2b3c4d	pcap-ng capture file
>>12	beshort		x		- version %d
>>14	beshort		x		\b.%d
0	ulelong		0x0a0d0d0a
>8	ulelong		0x1a2b3c4d	pcap-ng capture file
>>12	leshort		x		- version %d
>>14	leshort		x		\b.%d

#
@


1.1.1.1.2.1
log
@MFC:  Christos Zoulas's FILE 3.33
@
text
@@


1.1.1.1.2.2
log
@Update to version 3.36.

This includes knowledge of the lh6 & lh7 "LHA" compression archive formats.
There are also many improvements in supporting other formats such as
Microsoft cabinet file (which is another popular archived format on
Windows), some audio/video file formats including WAV, ASF and so on.

Approved by:	jkh
@
text
@d77 1
a77 1
>20	belong		6		(Token Ring
a85 10
>20	belong		50		(PPP or Cisco HDLC
>20	belong		100		(RFC 1483 ATM
>20	belong		101		(raw IP
>20	belong		102		(BSD/OS SLIP
>20	belong		103		(BSD/OS PPP
>20	belong		104		(BSD/OS Cisco HDLC
>20	belong		105		(Linux Classical IP over ATM
>20	belong		108		(OpenBSD loopback
>20	belong		109		(OpenBSD IPSEC encrypted
>20	belong		113		(Linux "cooked"
d96 1
a96 1
>20	lelong		6		(Token Ring
a104 10
>20	lelong		50		(PPP or Cisco HDLC
>20	lelong		100		(RFC 1483 ATM
>20	lelong		101		(raw IP
>20	lelong		102		(BSD/OS SLIP
>20	lelong		103		(BSD/OS PPP
>20	lelong		104		(BSD/OS Cisco HDLC
>20	lelong		105		(Linux Classical IP over ATM
>20	lelong		108		(OpenBSD loopback
>20	lelong		109		(OpenBSD IPSEC encrypted
>20	lelong		113		(Linux "cooked"
d122 1
a122 1
>20	belong		6		(Token Ring
d141 1
a141 1
>20	lelong		6		(Token Ring
@


1.1.1.1.2.3
log
@MFC: file version 3.41

Approved by:	murray(re)
Desired by:		nectar(so)
@
text
@a86 1
>20	belong		51		(PPP-over-Ethernet
d92 1
a92 2
>20	belong		105		(802.11
>20	belong		106		(Linux Classical IP over ATM
a95 1
>20	belong		114		(LocalTalk
a115 1
>20	lelong		51		(PPP-over-Ethernet
d121 1
a121 2
>20	lelong		105		(802.11
>20	lelong		106		(Linux Classical IP over ATM
a124 1
>20	lelong		114		(LocalTalk
a191 8

#
# NetStumbler log files.  Not really packets, per se, but about as
# close as you can get.  These are log files from NetStumbler, a
# Windows program, that scans for 802.11b networks.
#
0	string		NetS		NetStumbler log file
>8	lelong		x		\b, %d stations found
@


