sniffer

UNIX下FILE命令的实现源码

#------------------------------------------------------------------------------
# sniffer:  file(1) magic for packet capture files
#
# From: guy@alum.mit.edu (Guy Harris)
#

#
# Microsoft Network Monitor 1.x capture files.
#
0	string		RTSS		NetMon capture file
>4	byte		x		- version %d
>5	byte		x		\b.%d
>6	leshort		0		(Unknown)
>6	leshort		1		(Ethernet)
>6	leshort		2		(Token Ring)
>6	leshort		3		(FDDI)

#
# Microsoft Network Monitor 2.x capture files.
#
0	string		GMBU		NetMon capture file
>4	byte		x		- version %d
>5	byte		x		\b.%d
>6	leshort		0		(Unknown)
>6	leshort		1		(Ethernet)
>6	leshort		2		(Token Ring)
>6	leshort		3		(FDDI)

#
# Network General Sniffer capture files.
# Sorry, make that "Network Associates Sniffer capture files."
#
0	string		TRSNIFF\ data\ \ \ \ \032	Sniffer capture file
>33	byte		2		(compressed)
>23	leshort		x		- version %d
>25	leshort		x		\b.%d
>32	byte		0		(Token Ring)
>32	byte		1		(Ethernet)
>32	byte		2		(ARCNET)
>32	byte		3		(StarLAN)
>32	byte		4		(PC Network broadband)
>32	byte		5		(LocalTalk)
>32	byte		6		(Znet)
>32	byte		7		(Internetwork Analyzer)
>32	byte		9		(FDDI)
>32	byte		10		(ATM)

#
# Cinco Networks NetXRay capture files.
# Sorry, make that "Network General Sniffer Basic capture files."
# Sorry, make that "Network Associates Sniffer Basic capture files."
# Sorry, make that "Network Associates Sniffer Basic, and Windows
# Sniffer Pro", capture files."
#
0	string		XCP\0		NetXRay capture file
>4	string		>\0		- version %s
>44	leshort		0		(Ethernet)
>44	leshort		1		(Token Ring)
>44	leshort		2		(FDDI)

#
# "libpcap" capture files.
# (We call them "tcpdump capture file(s)" for now, as "tcpdump" is
# the main program that uses that format, but there are other programs
# that use "libpcap", or that use the same capture file format.)
#
0	ubelong		0xa1b2c3d4	tcpdump capture file (big-endian)
>4	beshort		x		- version %d
>6	beshort		x		\b.%d
>20	belong		0		(No link-layer encapsulation
>20	belong		1		(Ethernet
>20	belong		2		(3Mb Ethernet
>20	belong		3		(AX.25
>20	belong		4		(ProNET
>20	belong		5		(CHAOS
>20	belong		6		(IEEE 802.x network
>20	belong		7		(ARCNET
>20	belong		8		(SLIP
>20	belong		9		(PPP
>20	belong		10		(FDDI
>20	belong		11		(RFC 1483 ATM
>20	belong		12		(raw IP
>20	belong		13		(BSD/OS SLIP
>20	belong		14		(BSD/OS PPP
>16	belong		x		\b, capture length %d)
0	ulelong		0xa1b2c3d4	tcpdump capture file (little-endian)
>4	leshort		x		- version %d
>6	leshort		x		\b.%d
>20	lelong		0		(No link-layer encapsulation
>20	lelong		1		(Ethernet
>20	lelong		2		(3Mb Ethernet
>20	lelong		3		(AX.25
>20	lelong		4		(ProNET
>20	lelong		5		(CHAOS
>20	lelong		6		(IEEE 802.x network
>20	lelong		7		(ARCNET
>20	lelong		8		(SLIP
>20	lelong		9		(PPP
>20	lelong		10		(FDDI
>20	lelong		11		(RFC 1483 ATM
>20	lelong		12		(raw IP
>20	lelong		13		(BSD/OS SLIP
>20	lelong		14		(BSD/OS PPP
>16	lelong		x		\b, capture length %d)

#
# "libpcap"-with-Alexey-Kuznetsov's-patches capture files.
# (We call them "tcpdump capture file(s)" for now, as "tcpdump" is
# the main program that uses that format, but there are other programs
# that use "libpcap", or that use the same capture file format.)
#
0	ubelong		0xa1b2cd34	extended tcpdump capture file (big-endian)
>4	beshort		x		- version %d
>6	beshort		x		\b.%d
>20	belong		0		(No link-layer encapsulation
>20	belong		1		(Ethernet
>20	belong		2		(3Mb Ethernet
>20	belong		3		(AX.25
>20	belong		4		(ProNET
>20	belong		5		(CHAOS
>20	belong		6		(IEEE 802.x network
>20	belong		7		(ARCNET
>20	belong		8		(SLIP
>20	belong		9		(PPP
>20	belong		10		(FDDI
>20	belong		11		(RFC 1483 ATM
>20	belong		12		(raw IP
>20	belong		13		(BSD/OS SLIP
>20	belong		14		(BSD/OS PPP
>16	belong		x		\b, capture length %d)
0	ulelong		0xa1b2cd34	extended tcpdump capture file (little-endian)
>4	leshort		x		- version %d
>6	leshort		x		\b.%d
>20	lelong		0		(No link-layer encapsulation
>20	lelong		1		(Ethernet
>20	lelong		2		(3Mb Ethernet
>20	lelong		3		(AX.25
>20	lelong		4		(ProNET
>20	lelong		5		(CHAOS
>20	lelong		6		(IEEE 802.x network
>20	lelong		7		(ARCNET
>20	lelong		8		(SLIP
>20	lelong		9		(PPP
>20	lelong		10		(FDDI
>20	lelong		11		(RFC 1483 ATM
>20	lelong		12		(raw IP
>20	lelong		13		(BSD/OS SLIP
>20	lelong		14		(BSD/OS PPP
>16	lelong		x		\b, capture length %d)

#
# AIX "iptrace" capture files.
#
0	string		iptrace\ 2.0	"iptrace" capture file

#
# Novell LANalyzer capture files.
#
0	leshort		0x1001		LANalyzer capture file
0	leshort		0x1007		LANalyzer capture file

#
# HP-UX "nettl" capture files.
#
0	string		\x54\x52\x00\x64\x00	"nettl" capture file

#
# RADCOM WAN/LAN Analyzer capture files.
#
0	string		\x42\xd2\x00\x34\x12\x66\x22\x88	RADCOM WAN/LAN Analyzer capture file