diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-28 09:52:51 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-28 09:52:51 +0000 |
commit | 71507ca5d2410b11889ca963fafcd1bcad5044c3 (patch) | |
tree | 17e6d07243d49e29e4b75887e0d07f24ec2b66e8 /magic/Magdir/sniffer | |
parent | Initial commit. (diff) | |
download | file-71507ca5d2410b11889ca963fafcd1bcad5044c3.tar.xz file-71507ca5d2410b11889ca963fafcd1bcad5044c3.zip |
Adding upstream version 1:5.44.upstream/1%5.44upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'magic/Magdir/sniffer')
-rw-r--r-- | magic/Magdir/sniffer | 482 |
1 files changed, 482 insertions, 0 deletions
diff --git a/magic/Magdir/sniffer b/magic/Magdir/sniffer new file mode 100644 index 0000000..751d197 --- /dev/null +++ b/magic/Magdir/sniffer @@ -0,0 +1,482 @@ + +#------------------------------------------------------------------------------ +# $File: sniffer,v 1.34 2022/12/14 18:27:36 christos Exp $ +# sniffer: file(1) magic for packet capture files +# +# From: guy@alum.mit.edu (Guy Harris) +# + +# +# Microsoft Network Monitor 1.x capture files. +# +0 string RTSS NetMon capture file +>5 byte x - version %d +>4 byte x \b.%d +>6 leshort 0 (Unknown) +>6 leshort 1 (Ethernet) +>6 leshort 2 (Token Ring) +>6 leshort 3 (FDDI) +>6 leshort 4 (ATM) +>6 leshort >4 (type %d) + +# +# Microsoft Network Monitor 2.x capture files. +# +0 string GMBU NetMon capture file +>5 byte x - version %d +>4 byte x \b.%d +>6 leshort 0 (Unknown) +>6 leshort 1 (Ethernet) +>6 leshort 2 (Token Ring) +>6 leshort 3 (FDDI) +>6 leshort 4 (ATM) +>6 leshort 5 (IP-over-IEEE 1394) +>6 leshort 6 (802.11) +>6 leshort 7 (Raw IP) +>6 leshort 8 (Raw IP) +>6 leshort 9 (Raw IP) +>6 leshort >9 (type %d) + +# +# Network General Sniffer capture files. +# Sorry, make that "Network Associates Sniffer capture files." +# Sorry, make that "Network General old DOS Sniffer capture files." +# +0 string TRSNIFF\040data\040\040\040\040\032 Sniffer capture file +>33 byte 2 (compressed) +>23 leshort x - version %d +>25 leshort x \b.%d +>32 byte 0 (Token Ring) +>32 byte 1 (Ethernet) +>32 byte 2 (ARCNET) +>32 byte 3 (StarLAN) +>32 byte 4 (PC Network broadband) +>32 byte 5 (LocalTalk) +>32 byte 6 (Znet) +>32 byte 7 (Internetwork Analyzer) +>32 byte 9 (FDDI) +>32 byte 10 (ATM) + +# +# Cinco Networks NetXRay capture files. +# Sorry, make that "Network General Sniffer Basic capture files." +# Sorry, make that "Network Associates Sniffer Basic capture files." +# Sorry, make that "Network Associates Sniffer Basic, and Windows +# Sniffer Pro", capture files." +# Sorry, make that "Network General Sniffer capture files." +# Sorry, make that "NetScout Sniffer capture files." +# +0 string XCP\0 NetXRay capture file +>4 string >\0 - version %s +>44 leshort 0 (Ethernet) +>44 leshort 1 (Token Ring) +>44 leshort 2 (FDDI) +>44 leshort 3 (WAN) +>44 leshort 8 (ATM) +>44 leshort 9 (802.11) + +# +# "libpcap" capture files. +# https://www.tcpdump.org/manpages/pcap-savefile.5.html +# (We call them "tcpdump capture file(s)" for now, as "tcpdump" is +# the main program that uses that format, but there are other programs +# that use "libpcap", or that use the same capture file format.) +# +0 name pcap-be +>4 beshort x - version %d +>6 beshort x \b.%d +# clear that continuation level match +>20 clear x +>20 belong&0x03FFFFFF 0 (No link-layer encapsulation +>20 belong&0x03FFFFFF 1 (Ethernet +>20 belong&0x03FFFFFF 2 (3Mb Ethernet +>20 belong&0x03FFFFFF 3 (AX.25 +>20 belong&0x03FFFFFF 4 (ProNET +>20 belong&0x03FFFFFF 5 (CHAOS +>20 belong&0x03FFFFFF 6 (Token Ring +>20 belong&0x03FFFFFF 7 (BSD ARCNET +>20 belong&0x03FFFFFF 8 (SLIP +>20 belong&0x03FFFFFF 9 (PPP +>20 belong&0x03FFFFFF 10 (FDDI +>20 belong&0x03FFFFFF 11 (RFC 1483 ATM +>20 belong&0x03FFFFFF 12 (Raw IP +>20 belong&0x03FFFFFF 13 (BSD/OS SLIP +>20 belong&0x03FFFFFF 14 (BSD/OS PPP +>20 belong&0x03FFFFFF 19 (Linux ATM Classical IP +>20 belong&0x03FFFFFF 50 (PPP or Cisco HDLC +>20 belong&0x03FFFFFF 51 (PPP-over-Ethernet +>20 belong&0x03FFFFFF 99 (Symantec Enterprise Firewall +>20 belong&0x03FFFFFF 100 (RFC 1483 ATM +>20 belong&0x03FFFFFF 101 (Raw IP +>20 belong&0x03FFFFFF 102 (BSD/OS SLIP +>20 belong&0x03FFFFFF 103 (BSD/OS PPP +>20 belong&0x03FFFFFF 104 (BSD/OS Cisco HDLC +>20 belong&0x03FFFFFF 105 (802.11 +>20 belong&0x03FFFFFF 106 (Linux Classical IP over ATM +>20 belong&0x03FFFFFF 107 (Frame Relay +>20 belong&0x03FFFFFF 108 (OpenBSD loopback +>20 belong&0x03FFFFFF 109 (OpenBSD IPsec encrypted +>20 belong&0x03FFFFFF 112 (Cisco HDLC +>20 belong&0x03FFFFFF 113 (Linux cooked v1 +>20 belong&0x03FFFFFF 114 (LocalTalk +>20 belong&0x03FFFFFF 117 (OpenBSD PFLOG +>20 belong&0x03FFFFFF 119 (802.11 with Prism header +>20 belong&0x03FFFFFF 122 (RFC 2625 IP over Fibre Channel +>20 belong&0x03FFFFFF 123 (SunATM +>20 belong&0x03FFFFFF 127 (802.11 with radiotap header +>20 belong&0x03FFFFFF 129 (Linux ARCNET +>20 belong&0x03FFFFFF 130 (Juniper Multi-Link PPP +>20 belong&0x03FFFFFF 131 (Juniper Multi-Link Frame Relay +>20 belong&0x03FFFFFF 132 (Juniper Encryption Services PIC +>20 belong&0x03FFFFFF 133 (Juniper GGSN PIC +>20 belong&0x03FFFFFF 134 (Juniper FRF.16 Frame Relay +>20 belong&0x03FFFFFF 135 (Juniper ATM2 PIC +>20 belong&0x03FFFFFF 136 (Juniper Advanced Services PIC +>20 belong&0x03FFFFFF 137 (Juniper ATM1 PIC +>20 belong&0x03FFFFFF 138 (Apple IP over IEEE 1394 +>20 belong&0x03FFFFFF 139 (SS7 MTP2 with pseudo-header +>20 belong&0x03FFFFFF 140 (SS7 MTP2 +>20 belong&0x03FFFFFF 141 (SS7 MTP3 +>20 belong&0x03FFFFFF 142 (SS7 SCCP +>20 belong&0x03FFFFFF 143 (DOCSIS +>20 belong&0x03FFFFFF 144 (Linux IrDA +>20 belong&0x03FFFFFF 147 (Private use 0 +>20 belong&0x03FFFFFF 148 (Private use 1 +>20 belong&0x03FFFFFF 149 (Private use 2 +>20 belong&0x03FFFFFF 150 (Private use 3 +>20 belong&0x03FFFFFF 151 (Private use 4 +>20 belong&0x03FFFFFF 152 (Private use 5 +>20 belong&0x03FFFFFF 153 (Private use 6 +>20 belong&0x03FFFFFF 154 (Private use 7 +>20 belong&0x03FFFFFF 155 (Private use 8 +>20 belong&0x03FFFFFF 156 (Private use 9 +>20 belong&0x03FFFFFF 157 (Private use 10 +>20 belong&0x03FFFFFF 158 (Private use 11 +>20 belong&0x03FFFFFF 159 (Private use 12 +>20 belong&0x03FFFFFF 160 (Private use 13 +>20 belong&0x03FFFFFF 161 (Private use 14 +>20 belong&0x03FFFFFF 162 (Private use 15 +>20 belong&0x03FFFFFF 163 (802.11 with AVS header +>20 belong&0x03FFFFFF 164 (Juniper Passive Monitor PIC +>20 belong&0x03FFFFFF 165 (BACnet MS/TP +>20 belong&0x03FFFFFF 166 (PPPD +>20 belong&0x03FFFFFF 167 (Juniper PPPoE +>20 belong&0x03FFFFFF 168 (Juniper PPPoE/ATM +>20 belong&0x03FFFFFF 169 (GPRS LLC +>20 belong&0x03FFFFFF 170 (GPF-T +>20 belong&0x03FFFFFF 171 (GPF-F +>20 belong&0x03FFFFFF 174 (Juniper PIC Peer +>20 belong&0x03FFFFFF 175 (Ethernet with Endace ERF header +>20 belong&0x03FFFFFF 176 (Packet-over-SONET with Endace ERF header +>20 belong&0x03FFFFFF 177 (Linux LAPD +>20 belong&0x03FFFFFF 178 (Juniper Ethernet +>20 belong&0x03FFFFFF 179 (Juniper PPP +>20 belong&0x03FFFFFF 180 (Juniper Frame Relay +>20 belong&0x03FFFFFF 181 (Juniper C-HDLC +>20 belong&0x03FFFFFF 182 (FRF.16 Frame Relay +>20 belong&0x03FFFFFF 183 (Juniper Voice PIC +>20 belong&0x03FFFFFF 184 (Arinc 429 +>20 belong&0x03FFFFFF 185 (Arinc 653 Interpartition Communication +>20 belong&0x03FFFFFF 186 (USB with FreeBSD header +>20 belong&0x03FFFFFF 187 (Bluetooth HCI H4 +>20 belong&0x03FFFFFF 188 (802.16 MAC Common Part Sublayer +>20 belong&0x03FFFFFF 189 (Linux USB +>20 belong&0x03FFFFFF 190 (Controller Area Network (CAN) v. 2.0B +>20 belong&0x03FFFFFF 191 (802.15.4 with Linux padding +>20 belong&0x03FFFFFF 192 (PPI +>20 belong&0x03FFFFFF 193 (802.16 MAC Common Part Sublayer plus radiotap header +>20 belong&0x03FFFFFF 194 (Juniper Integrated Service Module +>20 belong&0x03FFFFFF 195 (802.15.4 with FCS +>20 belong&0x03FFFFFF 196 (SITA +>20 belong&0x03FFFFFF 197 (Endace ERF +>20 belong&0x03FFFFFF 198 (Ethernet with u10 Networks pseudo-header +>20 belong&0x03FFFFFF 199 (IPMB +>20 belong&0x03FFFFFF 200 (Juniper Secure Tunnel +>20 belong&0x03FFFFFF 201 (Bluetooth HCI H4 with pseudo-header +>20 belong&0x03FFFFFF 202 (AX.25 with KISS header +>20 belong&0x03FFFFFF 203 (LAPD +>20 belong&0x03FFFFFF 204 (PPP with direction pseudo-header +>20 belong&0x03FFFFFF 205 (Cisco HDLC with direction pseudo-header +>20 belong&0x03FFFFFF 206 (Frame Relay with direction pseudo-header +>20 belong&0x03FFFFFF 209 (Linux IPMB +>20 belong&0x03FFFFFF 215 (802.15.4 with non-ASK PHY header +>20 belong&0x03FFFFFF 216 (Linux evdev events +>20 belong&0x03FFFFFF 219 (MPLS with label as link-layer header +>20 belong&0x03FFFFFF 220 (Memory-mapped Linux USB +>20 belong&0x03FFFFFF 221 (DECT +>20 belong&0x03FFFFFF 222 (AOS Space Data Link protocol +>20 belong&0x03FFFFFF 223 (Wireless HART +>20 belong&0x03FFFFFF 224 (Fibre Channel FC-2 +>20 belong&0x03FFFFFF 225 (Fibre Channel FC-2 with frame delimiters +>20 belong&0x03FFFFFF 226 (Solaris IPNET +>20 belong&0x03FFFFFF 227 (SocketCAN +>20 belong&0x03FFFFFF 228 (Raw IPv4 +>20 belong&0x03FFFFFF 229 (Raw IPv6 +>20 belong&0x03FFFFFF 230 (802.15.4 without FCS +>20 belong&0x03FFFFFF 231 (D-Bus messages +>20 belong&0x03FFFFFF 232 (Juniper Virtual Server +>20 belong&0x03FFFFFF 233 (Juniper SRX E2E +>20 belong&0x03FFFFFF 234 (Juniper Fibre Channel +>20 belong&0x03FFFFFF 235 (DVB-CI +>20 belong&0x03FFFFFF 236 (MUX27010 +>20 belong&0x03FFFFFF 237 (STANAG 5066 D_PDUs +>20 belong&0x03FFFFFF 238 (Juniper ATM CEMIC +>20 belong&0x03FFFFFF 239 (Linux netfilter log messages +>20 belong&0x03FFFFFF 240 (Hilscher netAnalyzer +>20 belong&0x03FFFFFF 241 (Hilscher netAnalyzer with delimiters +>20 belong&0x03FFFFFF 242 (IP-over-Infiniband +>20 belong&0x03FFFFFF 243 (MPEG-2 Transport Stream packets +>20 belong&0x03FFFFFF 244 (ng4t ng40 +>20 belong&0x03FFFFFF 245 (NFC LLCP +>20 belong&0x03FFFFFF 246 (Packet filter state syncing +>20 belong&0x03FFFFFF 247 (InfiniBand +>20 belong&0x03FFFFFF 248 (SCTP +>20 belong&0x03FFFFFF 249 (USB with USBPcap header +>20 belong&0x03FFFFFF 250 (Schweitzer Engineering Laboratories RTAC packets +>20 belong&0x03FFFFFF 251 (Bluetooth Low Energy air interface +>20 belong&0x03FFFFFF 252 (Wireshark Upper PDU export +>20 belong&0x03FFFFFF 253 (Linux netlink +>20 belong&0x03FFFFFF 254 (Bluetooth Linux Monitor +>20 belong&0x03FFFFFF 255 (Bluetooth Basic Rate/Enhanced Data Rate baseband packets +>20 belong&0x03FFFFFF 256 (Bluetooth Low Energy air interface with pseudo-header +>20 belong&0x03FFFFFF 257 (PROFIBUS data link layer +>20 belong&0x03FFFFFF 258 (Apple DLT_PKTAP +>20 belong&0x03FFFFFF 259 (Ethernet with 802.3 Clause 65 EPON preamble +>20 belong&0x03FFFFFF 260 (IPMI trace packets +>20 belong&0x03FFFFFF 261 (Z-Wave RF profile R1 and R2 packets +>20 belong&0x03FFFFFF 262 (Z-Wave RF profile R3 packets +>20 belong&0x03FFFFFF 263 (WattStopper Digital Lighting Mngmt/Legrand Nitoo Open Proto +>20 belong&0x03FFFFFF 264 (ISO 14443 messages +>20 belong&0x03FFFFFF 265 (IEC 62106 Radio Data System groups +>20 belong&0x03FFFFFF 266 (USB with Darwin header +>20 belong&0x03FFFFFF 267 (OpenBSD DLT_OPENFLOW +>20 belong&0x03FFFFFF 268 (IBM SDLC frames +>20 belong&0x03FFFFFF 269 (TI LLN sniffer frames +>20 belong&0x03FFFFFF 271 (Linux vsock +>20 belong&0x03FFFFFF 272 (Nordic Semiconductor Bluetooth LE sniffer frames +>20 belong&0x03FFFFFF 273 (Excentis XRA-31 DOCSIS 3.1 RF sniffer frames +>20 belong&0x03FFFFFF 274 (802.3br mPackets +>20 belong&0x03FFFFFF 275 (DisplayPort AUX channel monitoring data +>20 belong&0x03FFFFFF 276 (Linux cooked v2 +>20 belong&0x03FFFFFF 278 (OpenVizsla USB +>20 belong&0x03FFFFFF 279 (Elektrobit High Speed Capture and Replay (EBHSCR) +>20 belong&0x03FFFFFF 281 (Broadcom tag +>20 belong&0x03FFFFFF 282 (Broadcom tag (prepended) +>20 belong&0x03FFFFFF 283 (802.15.4 with TAP +>20 belong&0x03FFFFFF 284 (Marvell DSA +>20 belong&0x03FFFFFF 285 (Marvell EDSA +>20 belong&0x03FFFFFF 286 (ELEE lawful intercept +>20 belong&0x03FFFFFF 287 (Z-Wave serial +>20 belong&0x03FFFFFF 288 (USB 2.0 +>20 belong&0x03FFFFFF 289 (ATSC ALP +>20 belong&0x03FFFFFF 290 (Event Tracing for Windows +>20 belong&0x03FFFFFF 291 (Hilscher netANALYZER NG pseudo-footer +>20 belong&0x03FFFFFF 292 (ZBOSS NCP protocol with pseudo-header +>20 belong&0x03FFFFFF 293 (Low-Speed USB 2.0/1.1/1.0 +>20 belong&0x03FFFFFF 294 (Full-Speed USB 2.0/1.1/1.0 +>20 belong&0x03FFFFFF 295 (High-Speed USB 2.0 +# print default match +>20 default x +>>20 belong x (linktype#%u +>16 belong x \b, capture length %u) + +# packets time stamps in seconds and microseconds. +0 ubelong 0xa1b2c3d4 pcap capture file, microseconds ts (big-endian) +!:mime application/vnd.tcpdump.pcap +>0 use pcap-be +0 ulelong 0xa1b2c3d4 pcap capture file, microsecond ts (little-endian) +!:mime application/vnd.tcpdump.pcap +>0 use \^pcap-be + +# packets time stamps in seconds and nanoseconds. +0 ubelong 0xa1b23c4d pcap capture file, nanosecond ts (big-endian) +!:mime application/vnd.tcpdump.pcap +>0 use pcap-be +0 ulelong 0xa1b23c4d pcap capture file, nanosecond ts (little-endian) +!:mime application/vnd.tcpdump.pcap +>0 use \^pcap-be + +# +# "libpcap"-with-Alexey-Kuznetsov's-patches capture files. +# +0 ubelong 0xa1b2cd34 pcap capture file, microsecond ts, extensions (big-endian) +>0 use pcap-be +0 ulelong 0xa1b2cd34 pcap capture file, microsecond ts, extensions (little-endian) +>0 use \^pcap-be + +# +# "pcapng" capture files. +# https://github.com/pcapng/pcapng +# Pcapng files can contain multiple sections. Printing the endianness, +# snaplen, or other information from the first SHB may be misleading. +# +0 ubelong 0x0a0d0d0a +>8 ubelong 0x1a2b3c4d pcapng capture file +>>12 beshort x - version %d +>>14 beshort x \b.%d +0 ulelong 0x0a0d0d0a +>8 ulelong 0x1a2b3c4d pcapng capture file +>>12 leshort x - version %d +>>14 leshort x \b.%d + +# +# AIX "iptrace" capture files. +# +0 string iptrace\0401.0 AIX iptrace capture file +0 string iptrace\0402.0 AIX iptrace capture file + +# +# Novell LANalyzer capture files. +# URL: http://www.blacksheepnetworks.com/security/info/nw/lan/trace.txt +# Reference: https://github.com/wireshark/wireshark/blob/master/wiretap/lanalyzer.c +# Update: Joerg Jenderek +# +# regular trace header record (RT_HeaderRegular) +0 leshort 0x1001 +# GRR: line above is too generic because it matches Commodore Plus/4 BASIC V3.5 +# and VIC-20 BASIC V2 program +# skip many Commodore Basic program (Microzodiac.prg Minefield.prg Vic-tac-toe.prg breakvic_joy.prg) +# with invalid second record type 0 instead of "Trace receive channel name record" +>(2.s+4) leshort =0x1006h +>>0 use novell-lanalyzer +# cyclic trace header record (RT_HeaderCyclic) +0 leshort 0x1007 +>0 use novell-lanalyzer +0 name novell-lanalyzer +>0 leshort x Novell LANalyzer capture file +# https://reposcope.com/mimetype/application/x-lanalyzer +!:mime application/x-lanalyzer +# maybe also TR2 .. TR9 TRA .. TRZ +!:ext tr1 +# version like: 1.5 +>4 ubyte x \b, version %u +# minor version; one byte identifying the trace file minor version number +>5 ubyte x \b.%u +# Trace header record type like: 1001~regular or 1007~cyclic +>0 leshort !0x1001 \b, record type %4.4x +# record_length[2] is the length of the data part of 1st reorcd (without "type" and "length" fields) like: 4Ch +>2 leshort x \b, record length %#x +# second record type like: 1006h~Trace receive channel name record +>(2.s+4) leshort !0x1006h \b, 2nd record type %#4.4x +>(2.s+6) leshort x \b, 2nd record length %#x +# each channel name is a null-terminated, eight-byte ASCII string like: Channel1 +>(2.s+8) string x \b, names %.9s +# 2nd channel name like: Channel2 +>(2.s+17) string x %.9s ... + +# +# HP-UX "nettl" capture files. +# URL: https://nixdoc.net/man-pages/HP-UX/man1m/nettl.1m.html +# Reference: https://github.com/wireshark/wireshark/blob/master/wiretap/nettl.c +# Update: Joerg Jenderek +# Note: Wireshark fills "meta information header fields" with "dummy" values +# nettl_magic_hpux9[12]; for HP-UX 9.x not tested +0 string \x00\x00\x00\x01\x00\x00\x00\x00\x00\x07\xD0\x00 HP/UX 9.x nettl capture file +!:mime application/x-nettl +!:ext trc0/trc1 +# nettl_magic_hpux10[12]; for HP-UX 10.x and 11.x +0 string \x54\x52\x00\x64\x00 HP/UX nettl capture file +# https://reposcope.com/mimetype/application/x-nettl +!:mime application/x-nettl +# maybe also TRC000 TRC001 TRC002 ... +!:ext trc0/trc1 +# file_name[56]; maybe also like /tmp/raw.tr.TRC000 +>12 string !/tmp/wireshark.TRC000 +>>12 string x "%-.56s" +# tz[20]; like UTC +>68 string !UTC \b, tz +>>68 string x %-.20s +# host_name[9]; +>88 string >\0 \b, host %-.9s +# os_vers[9]; like B.11.11 +>97 string !B.11.11 \b, os +>>97 string x %-.9s +# os_v; like 55h +>>106 ubyte x (%#x) +# xxa[8]; like 0 +>107 ubequad !0 \b, xxa=%#16.16llx +# model[11] like: 9000/800 +>115 string !9000/800 \b, model +>>115 string x %-.11s +# unknown; probably just padding to 128 bytes like: 0406h +>126 ubeshort !0x0406h \b, at 126 %#4.4x + +# +# RADCOM WAN/LAN Analyzer capture files. +# +0 string \x42\xd2\x00\x34\x12\x66\x22\x88 RADCOM WAN/LAN Analyzer capture file + +# +# NetStumbler log files. Not really packets, per se, but about as +# close as you can get. These are log files from NetStumbler, a +# Windows program, that scans for 802.11b networks. +# +0 string NetS NetStumbler log file +>8 lelong x \b, %d stations found + +# +# *Peek tagged capture files. +# +0 string \177ver EtherPeek/AiroPeek/OmniPeek capture file + +# +# Visual Networks traffic capture files. +# +0 string \x05VNF Visual Networks traffic capture file + +# +# Network Instruments Observer capture files. +# +0 string ObserverPktBuffe Network Instruments Observer capture file + +# +# Files from Accellent Group's 5View products. +# +# URL: http://www.infovista.com +# Reference: http://mark0.net/download/triddefs_xml.7z +# defs/0/5vw.trid.xml +# https://2.na.dl.wireshark.org/src/wireshark-3.6.2.tar.xz +# wireshark-3.6.2/wiretap/5views.c +# Update: Joerg Jenderek +# Note: called "5View capture" by TrID and +# "Wireshark capture file" on Windows or +# "Packet Capture (Accellent/InfoVista 5view)" by shared MIME-info database +# verified/falsified by `wireshark *.5vw` +0 string \xaa\xaa\xaa\xaa +# skip misidentified boot/x86_64/loader/kroete.dat on Suse LEAP DVD +# by check for valid record version +>8 ulelong =0x00010000 +>>0 use 5view-le +0 name 5view-le +# t_5VW_Info_Header.Signature = CST_5VW_INFO_HEADER_KEY = 0xAAAAAAAAU +>0 ulelong x 5View capture file +# https://reposcope.com/mimetype/application/x-5view +!:mime application/x-5view +!:ext 5vw +# size of header in bytes (included signature and reserved fields); probably always 20h +>4 ulelong !0x00000020 \b, header size %#x +# version of header record; apparently always CST_5VW_INFO_RECORD_VERSION=0x00010000U +>8 ulelong !0x00010000 \b, record version %#x +# DataSize; total size of data without header like: 18h +>12 ulelong x \b, record size %#x +# filetype; type of the capture file like: 18001000h +>16 ulelong x \b, file type %#8.8x +# Reserved[3]; reserved for future use; apparently zero +>20 quad !0 \b, Reserved %#llx +# look for record header key CST_5VW_RECORDS_HEADER_KEY of structure t_5VW_TimeStamped_Header +>0x20 search/0xB8/b \xEE\xEE\x33\x33 \b; record +# HeaderSize; actual size of this header in bytes like: 32 24h +>>&0 uleshort x size %#x +# HeaderType; exact type of this header; probably always 0x4000 +>>&2 uleshort !0x4000 \b, header type %#x +# RecType; type of record like: 80000000h +>>&4 ulelong x \b, record type %#x +# RecSubType; subtype of record like: 0 +>>&8 ulelong !0 \b, subtype %#x +# RecSize; Size of one record like: 5Ch +>>&12 ulelong x \b, RecSize %#x +# RecNb; Number of records like: 1 +>>&16 ulelong >1 \b, %#x records +# Timestamp Utc +#>>&20 ulelong x \b, RAW TIME %#8.8x +>>&20 date x \b, Time-stamp %s |