summaryrefslogtreecommitdiffstats
path: root/magic/Magdir/sniffer
blob: 751d197376622e0f8b58837122e7856218606e95 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
#------------------------------------------------------------------------------
# $File: sniffer,v 1.34 2022/12/14 18:27:36 christos Exp $
# sniffer:  file(1) magic for packet capture files
#
# From: guy@alum.mit.edu (Guy Harris)
#

#
# Microsoft Network Monitor 1.x capture files.
#
0	string		RTSS		NetMon capture file
>5	byte		x		- version %d
>4	byte		x		\b.%d
>6	leshort		0		(Unknown)
>6	leshort		1		(Ethernet)
>6	leshort		2		(Token Ring)
>6	leshort		3		(FDDI)
>6	leshort		4		(ATM)
>6	leshort		>4		(type %d)

#
# Microsoft Network Monitor 2.x capture files.
#
0	string		GMBU		NetMon capture file
>5	byte		x		- version %d
>4	byte		x		\b.%d
>6	leshort		0		(Unknown)
>6	leshort		1		(Ethernet)
>6	leshort		2		(Token Ring)
>6	leshort		3		(FDDI)
>6	leshort		4		(ATM)
>6	leshort		5		(IP-over-IEEE 1394)
>6	leshort		6		(802.11)
>6	leshort		7		(Raw IP)
>6	leshort		8		(Raw IP)
>6	leshort		9		(Raw IP)
>6	leshort		>9		(type %d)

#
# Network General Sniffer capture files.
# Sorry, make that "Network Associates Sniffer capture files."
# Sorry, make that "Network General old DOS Sniffer capture files."
#
0	string		TRSNIFF\040data\040\040\040\040\032	Sniffer capture file
>33	byte		2		(compressed)
>23	leshort		x		- version %d
>25	leshort		x		\b.%d
>32	byte		0		(Token Ring)
>32	byte		1		(Ethernet)
>32	byte		2		(ARCNET)
>32	byte		3		(StarLAN)
>32	byte		4		(PC Network broadband)
>32	byte		5		(LocalTalk)
>32	byte		6		(Znet)
>32	byte		7		(Internetwork Analyzer)
>32	byte		9		(FDDI)
>32	byte		10		(ATM)

#
# Cinco Networks NetXRay capture files.
# Sorry, make that "Network General Sniffer Basic capture files."
# Sorry, make that "Network Associates Sniffer Basic capture files."
# Sorry, make that "Network Associates Sniffer Basic, and Windows
# Sniffer Pro", capture files."
# Sorry, make that "Network General Sniffer capture files."
# Sorry, make that "NetScout Sniffer capture files."
#
0	string		XCP\0		NetXRay capture file
>4	string		>\0		- version %s
>44	leshort		0		(Ethernet)
>44	leshort		1		(Token Ring)
>44	leshort		2		(FDDI)
>44	leshort		3		(WAN)
>44	leshort		8		(ATM)
>44	leshort		9		(802.11)

#
# "libpcap" capture files.
# https://www.tcpdump.org/manpages/pcap-savefile.5.html
# (We call them "tcpdump capture file(s)" for now, as "tcpdump" is
# the main program that uses that format, but there are other programs
# that use "libpcap", or that use the same capture file format.)
#
0	name		pcap-be
>4	beshort		x		- version %d
>6	beshort		x		\b.%d
# clear that continuation level match
>20	clear		x
>20	belong&0x03FFFFFF		0		(No link-layer encapsulation
>20	belong&0x03FFFFFF		1		(Ethernet
>20	belong&0x03FFFFFF		2		(3Mb Ethernet
>20	belong&0x03FFFFFF		3		(AX.25
>20	belong&0x03FFFFFF		4		(ProNET
>20	belong&0x03FFFFFF		5		(CHAOS
>20	belong&0x03FFFFFF		6		(Token Ring
>20	belong&0x03FFFFFF		7		(BSD ARCNET
>20	belong&0x03FFFFFF		8		(SLIP
>20	belong&0x03FFFFFF		9		(PPP
>20	belong&0x03FFFFFF		10		(FDDI
>20	belong&0x03FFFFFF		11		(RFC 1483 ATM
>20	belong&0x03FFFFFF		12		(Raw IP
>20	belong&0x03FFFFFF		13		(BSD/OS SLIP
>20	belong&0x03FFFFFF		14		(BSD/OS PPP
>20	belong&0x03FFFFFF		19		(Linux ATM Classical IP
>20	belong&0x03FFFFFF		50		(PPP or Cisco HDLC
>20	belong&0x03FFFFFF		51		(PPP-over-Ethernet
>20	belong&0x03FFFFFF		99		(Symantec Enterprise Firewall
>20	belong&0x03FFFFFF		100		(RFC 1483 ATM
>20	belong&0x03FFFFFF		101		(Raw IP
>20	belong&0x03FFFFFF		102		(BSD/OS SLIP
>20	belong&0x03FFFFFF		103		(BSD/OS PPP
>20	belong&0x03FFFFFF		104		(BSD/OS Cisco HDLC
>20	belong&0x03FFFFFF		105		(802.11
>20	belong&0x03FFFFFF		106		(Linux Classical IP over ATM
>20	belong&0x03FFFFFF		107		(Frame Relay
>20	belong&0x03FFFFFF		108		(OpenBSD loopback
>20	belong&0x03FFFFFF		109		(OpenBSD IPsec encrypted
>20	belong&0x03FFFFFF		112		(Cisco HDLC
>20	belong&0x03FFFFFF		113		(Linux cooked v1
>20	belong&0x03FFFFFF		114		(LocalTalk
>20	belong&0x03FFFFFF		117		(OpenBSD PFLOG
>20	belong&0x03FFFFFF		119		(802.11 with Prism header
>20	belong&0x03FFFFFF		122		(RFC 2625 IP over Fibre Channel
>20	belong&0x03FFFFFF		123		(SunATM
>20	belong&0x03FFFFFF		127		(802.11 with radiotap header
>20	belong&0x03FFFFFF		129		(Linux ARCNET
>20	belong&0x03FFFFFF		130		(Juniper Multi-Link PPP
>20	belong&0x03FFFFFF		131		(Juniper Multi-Link Frame Relay
>20	belong&0x03FFFFFF		132		(Juniper Encryption Services PIC
>20	belong&0x03FFFFFF		133		(Juniper GGSN PIC
>20	belong&0x03FFFFFF		134		(Juniper FRF.16 Frame Relay
>20	belong&0x03FFFFFF		135		(Juniper ATM2 PIC
>20	belong&0x03FFFFFF		136		(Juniper Advanced Services PIC
>20	belong&0x03FFFFFF		137		(Juniper ATM1 PIC
>20	belong&0x03FFFFFF		138		(Apple IP over IEEE 1394
>20	belong&0x03FFFFFF		139		(SS7 MTP2 with pseudo-header
>20	belong&0x03FFFFFF		140		(SS7 MTP2
>20	belong&0x03FFFFFF		141		(SS7 MTP3
>20	belong&0x03FFFFFF		142		(SS7 SCCP
>20	belong&0x03FFFFFF		143		(DOCSIS
>20	belong&0x03FFFFFF		144		(Linux IrDA
>20	belong&0x03FFFFFF		147		(Private use 0
>20	belong&0x03FFFFFF		148		(Private use 1
>20	belong&0x03FFFFFF		149		(Private use 2
>20	belong&0x03FFFFFF		150		(Private use 3
>20	belong&0x03FFFFFF		151		(Private use 4
>20	belong&0x03FFFFFF		152		(Private use 5
>20	belong&0x03FFFFFF		153		(Private use 6
>20	belong&0x03FFFFFF		154		(Private use 7
>20	belong&0x03FFFFFF		155		(Private use 8
>20	belong&0x03FFFFFF		156		(Private use 9
>20	belong&0x03FFFFFF		157		(Private use 10
>20	belong&0x03FFFFFF		158		(Private use 11
>20	belong&0x03FFFFFF		159		(Private use 12
>20	belong&0x03FFFFFF		160		(Private use 13
>20	belong&0x03FFFFFF		161		(Private use 14
>20	belong&0x03FFFFFF		162		(Private use 15
>20	belong&0x03FFFFFF		163		(802.11 with AVS header
>20	belong&0x03FFFFFF		164		(Juniper Passive Monitor PIC
>20	belong&0x03FFFFFF		165		(BACnet MS/TP
>20	belong&0x03FFFFFF		166		(PPPD
>20	belong&0x03FFFFFF		167		(Juniper PPPoE
>20	belong&0x03FFFFFF		168		(Juniper PPPoE/ATM
>20	belong&0x03FFFFFF		169		(GPRS LLC
>20	belong&0x03FFFFFF		170		(GPF-T
>20	belong&0x03FFFFFF		171		(GPF-F
>20	belong&0x03FFFFFF		174		(Juniper PIC Peer
>20	belong&0x03FFFFFF		175		(Ethernet with Endace ERF header
>20	belong&0x03FFFFFF		176		(Packet-over-SONET with Endace ERF header
>20	belong&0x03FFFFFF		177		(Linux LAPD
>20	belong&0x03FFFFFF		178		(Juniper Ethernet
>20	belong&0x03FFFFFF		179		(Juniper PPP
>20	belong&0x03FFFFFF		180		(Juniper Frame Relay
>20	belong&0x03FFFFFF		181		(Juniper C-HDLC
>20	belong&0x03FFFFFF		182		(FRF.16 Frame Relay
>20	belong&0x03FFFFFF		183		(Juniper Voice PIC
>20	belong&0x03FFFFFF		184		(Arinc 429
>20	belong&0x03FFFFFF		185		(Arinc 653 Interpartition Communication
>20	belong&0x03FFFFFF		186		(USB with FreeBSD header
>20	belong&0x03FFFFFF		187		(Bluetooth HCI H4
>20	belong&0x03FFFFFF		188		(802.16 MAC Common Part Sublayer
>20	belong&0x03FFFFFF		189		(Linux USB
>20	belong&0x03FFFFFF		190		(Controller Area Network (CAN) v. 2.0B
>20	belong&0x03FFFFFF		191		(802.15.4 with Linux padding
>20	belong&0x03FFFFFF		192		(PPI
>20	belong&0x03FFFFFF		193		(802.16 MAC Common Part Sublayer plus radiotap header
>20	belong&0x03FFFFFF		194		(Juniper Integrated Service Module
>20	belong&0x03FFFFFF		195		(802.15.4 with FCS
>20	belong&0x03FFFFFF		196		(SITA
>20	belong&0x03FFFFFF		197		(Endace ERF
>20	belong&0x03FFFFFF		198		(Ethernet with u10 Networks pseudo-header
>20	belong&0x03FFFFFF		199		(IPMB
>20	belong&0x03FFFFFF		200		(Juniper Secure Tunnel
>20	belong&0x03FFFFFF		201		(Bluetooth HCI H4 with pseudo-header
>20	belong&0x03FFFFFF		202		(AX.25 with KISS header
>20	belong&0x03FFFFFF		203		(LAPD
>20	belong&0x03FFFFFF		204		(PPP with direction pseudo-header
>20	belong&0x03FFFFFF		205		(Cisco HDLC with direction pseudo-header
>20	belong&0x03FFFFFF		206		(Frame Relay with direction pseudo-header
>20	belong&0x03FFFFFF		209		(Linux IPMB
>20	belong&0x03FFFFFF		215		(802.15.4 with non-ASK PHY header
>20	belong&0x03FFFFFF		216		(Linux evdev events
>20	belong&0x03FFFFFF		219		(MPLS with label as link-layer header
>20	belong&0x03FFFFFF		220		(Memory-mapped Linux USB
>20	belong&0x03FFFFFF		221		(DECT
>20	belong&0x03FFFFFF		222		(AOS Space Data Link protocol
>20	belong&0x03FFFFFF		223		(Wireless HART
>20	belong&0x03FFFFFF		224		(Fibre Channel FC-2
>20	belong&0x03FFFFFF		225		(Fibre Channel FC-2 with frame delimiters
>20	belong&0x03FFFFFF		226		(Solaris IPNET
>20	belong&0x03FFFFFF		227		(SocketCAN
>20	belong&0x03FFFFFF		228		(Raw IPv4
>20	belong&0x03FFFFFF		229		(Raw IPv6
>20	belong&0x03FFFFFF		230		(802.15.4 without FCS
>20	belong&0x03FFFFFF		231		(D-Bus messages
>20	belong&0x03FFFFFF		232		(Juniper Virtual Server
>20	belong&0x03FFFFFF		233		(Juniper SRX E2E
>20	belong&0x03FFFFFF		234		(Juniper Fibre Channel
>20	belong&0x03FFFFFF		235		(DVB-CI
>20	belong&0x03FFFFFF		236		(MUX27010
>20	belong&0x03FFFFFF		237		(STANAG 5066 D_PDUs
>20	belong&0x03FFFFFF		238		(Juniper ATM CEMIC
>20	belong&0x03FFFFFF		239		(Linux netfilter log messages
>20	belong&0x03FFFFFF		240		(Hilscher netAnalyzer
>20	belong&0x03FFFFFF		241		(Hilscher netAnalyzer with delimiters
>20	belong&0x03FFFFFF		242		(IP-over-Infiniband
>20	belong&0x03FFFFFF		243		(MPEG-2 Transport Stream packets
>20	belong&0x03FFFFFF		244		(ng4t ng40
>20	belong&0x03FFFFFF		245		(NFC LLCP
>20	belong&0x03FFFFFF		246		(Packet filter state syncing
>20	belong&0x03FFFFFF		247		(InfiniBand
>20	belong&0x03FFFFFF		248		(SCTP
>20	belong&0x03FFFFFF		249		(USB with USBPcap header
>20	belong&0x03FFFFFF		250		(Schweitzer Engineering Laboratories RTAC packets
>20	belong&0x03FFFFFF		251		(Bluetooth Low Energy air interface
>20	belong&0x03FFFFFF		252		(Wireshark Upper PDU export
>20	belong&0x03FFFFFF		253		(Linux netlink
>20	belong&0x03FFFFFF		254		(Bluetooth Linux Monitor
>20	belong&0x03FFFFFF		255		(Bluetooth Basic Rate/Enhanced Data Rate baseband packets
>20	belong&0x03FFFFFF		256		(Bluetooth Low Energy air interface with pseudo-header
>20	belong&0x03FFFFFF		257		(PROFIBUS data link layer
>20	belong&0x03FFFFFF		258		(Apple DLT_PKTAP
>20	belong&0x03FFFFFF		259		(Ethernet with 802.3 Clause 65 EPON preamble
>20	belong&0x03FFFFFF		260		(IPMI trace packets
>20	belong&0x03FFFFFF		261		(Z-Wave RF profile R1 and R2 packets
>20	belong&0x03FFFFFF		262		(Z-Wave RF profile R3 packets
>20	belong&0x03FFFFFF		263		(WattStopper Digital Lighting Mngmt/Legrand Nitoo Open Proto
>20	belong&0x03FFFFFF		264		(ISO 14443 messages
>20	belong&0x03FFFFFF		265		(IEC 62106 Radio Data System groups
>20	belong&0x03FFFFFF		266		(USB with Darwin header
>20	belong&0x03FFFFFF		267		(OpenBSD DLT_OPENFLOW
>20	belong&0x03FFFFFF		268		(IBM SDLC frames
>20	belong&0x03FFFFFF		269		(TI LLN sniffer frames
>20	belong&0x03FFFFFF		271		(Linux vsock
>20	belong&0x03FFFFFF		272		(Nordic Semiconductor Bluetooth LE sniffer frames
>20	belong&0x03FFFFFF		273		(Excentis XRA-31 DOCSIS 3.1 RF sniffer frames
>20	belong&0x03FFFFFF		274		(802.3br mPackets
>20	belong&0x03FFFFFF		275		(DisplayPort AUX channel monitoring data
>20	belong&0x03FFFFFF		276		(Linux cooked v2
>20	belong&0x03FFFFFF		278		(OpenVizsla USB
>20	belong&0x03FFFFFF		279		(Elektrobit High Speed Capture and Replay (EBHSCR)
>20	belong&0x03FFFFFF		281		(Broadcom tag
>20	belong&0x03FFFFFF		282		(Broadcom tag (prepended)
>20	belong&0x03FFFFFF		283		(802.15.4 with TAP
>20	belong&0x03FFFFFF		284		(Marvell DSA
>20	belong&0x03FFFFFF		285		(Marvell EDSA
>20	belong&0x03FFFFFF		286		(ELEE lawful intercept
>20	belong&0x03FFFFFF		287		(Z-Wave serial
>20	belong&0x03FFFFFF		288		(USB 2.0
>20	belong&0x03FFFFFF		289		(ATSC ALP
>20	belong&0x03FFFFFF		290		(Event Tracing for Windows
>20	belong&0x03FFFFFF		291		(Hilscher netANALYZER NG pseudo-footer
>20	belong&0x03FFFFFF		292		(ZBOSS NCP protocol with pseudo-header
>20	belong&0x03FFFFFF		293		(Low-Speed USB 2.0/1.1/1.0
>20	belong&0x03FFFFFF		294		(Full-Speed USB 2.0/1.1/1.0
>20	belong&0x03FFFFFF		295		(High-Speed USB 2.0
# print default match
>20	default		x
>>20	belong		x		(linktype#%u
>16	belong		x		\b, capture length %u)

# packets time stamps in seconds and microseconds.
0	ubelong		0xa1b2c3d4	pcap capture file, microseconds ts (big-endian)
!:mime	application/vnd.tcpdump.pcap
>0	use	pcap-be
0	ulelong		0xa1b2c3d4	pcap capture file, microsecond ts (little-endian)
!:mime	application/vnd.tcpdump.pcap
>0	use	\^pcap-be

# packets time stamps in seconds and nanoseconds.
0	ubelong		0xa1b23c4d	pcap capture file, nanosecond ts (big-endian)
!:mime	application/vnd.tcpdump.pcap
>0	use	pcap-be
0	ulelong		0xa1b23c4d	pcap capture file, nanosecond ts (little-endian)
!:mime	application/vnd.tcpdump.pcap
>0	use	\^pcap-be

#
# "libpcap"-with-Alexey-Kuznetsov's-patches capture files.
#
0	ubelong		0xa1b2cd34	pcap capture file, microsecond ts, extensions (big-endian)
>0	use	pcap-be
0	ulelong		0xa1b2cd34	pcap capture file, microsecond ts, extensions (little-endian)
>0	use	\^pcap-be

#
# "pcapng" capture files.
# https://github.com/pcapng/pcapng
# Pcapng files can contain multiple sections. Printing the endianness,
# snaplen, or other information from the first SHB may be misleading.
#
0	ubelong		0x0a0d0d0a
>8	ubelong		0x1a2b3c4d	pcapng capture file
>>12	beshort		x		- version %d
>>14	beshort		x		\b.%d
0	ulelong		0x0a0d0d0a
>8	ulelong		0x1a2b3c4d	pcapng capture file
>>12	leshort		x		- version %d
>>14	leshort		x		\b.%d

#
# AIX "iptrace" capture files.
#
0	string		iptrace\0401.0	AIX iptrace capture file
0	string		iptrace\0402.0	AIX iptrace capture file

#
# Novell LANalyzer capture files.
# URL:		http://www.blacksheepnetworks.com/security/info/nw/lan/trace.txt
# Reference:	https://github.com/wireshark/wireshark/blob/master/wiretap/lanalyzer.c
# Update:	Joerg Jenderek
# 
# regular trace header record (RT_HeaderRegular)
0	leshort		0x1001
# GRR: line above is too generic because it matches Commodore Plus/4 BASIC V3.5
# and VIC-20 BASIC V2 program
# skip many Commodore Basic program (Microzodiac.prg Minefield.prg Vic-tac-toe.prg breakvic_joy.prg)
# with invalid second record type 0 instead of "Trace receive channel name record"
>(2.s+4)	leshort	=0x1006h
>>0	use	novell-lanalyzer
# cyclic trace header record (RT_HeaderCyclic)
0	leshort		0x1007
>0	use	novell-lanalyzer
0	name	novell-lanalyzer
>0	leshort		x		Novell LANalyzer capture file
# https://reposcope.com/mimetype/application/x-lanalyzer
!:mime	application/x-lanalyzer
# maybe also TR2 .. TR9 TRA .. TRZ
!:ext	tr1
# version like: 1.5
>4		ubyte	x		\b, version %u
# minor version; one byte identifying the trace file minor version number
>5		ubyte	x		\b.%u
# Trace header record type like: 1001~regular or 1007~cyclic
>0	leshort		!0x1001		\b, record type %4.4x
# record_length[2] is the length of the data part of 1st reorcd (without "type" and "length" fields) like: 4Ch
>2		leshort	x		\b, record length %#x
# second record type like: 1006h~Trace receive channel name record
>(2.s+4)	leshort	!0x1006h	\b, 2nd record type %#4.4x
>(2.s+6)	leshort	x		\b, 2nd record length %#x
# each channel name is a null-terminated, eight-byte ASCII string like: Channel1
>(2.s+8)	string	x		\b, names %.9s
# 2nd channel name like: Channel2
>(2.s+17)	string	x		%.9s ...

#
# HP-UX "nettl" capture files.
# URL:		https://nixdoc.net/man-pages/HP-UX/man1m/nettl.1m.html
# Reference:	https://github.com/wireshark/wireshark/blob/master/wiretap/nettl.c
# Update:	Joerg Jenderek
# Note:		Wireshark fills "meta information header fields" with "dummy" values 
# nettl_magic_hpux9[12]; for HP-UX 9.x not tested
0	string		\x00\x00\x00\x01\x00\x00\x00\x00\x00\x07\xD0\x00	HP/UX 9.x nettl capture file
!:mime	application/x-nettl
!:ext	trc0/trc1
# nettl_magic_hpux10[12]; for HP-UX 10.x and 11.x
0	string		\x54\x52\x00\x64\x00	HP/UX nettl capture file
# https://reposcope.com/mimetype/application/x-nettl
!:mime	application/x-nettl
# maybe also TRC000 TRC001 TRC002 ...
!:ext	trc0/trc1
# file_name[56]; maybe also like /tmp/raw.tr.TRC000
>12	string		!/tmp/wireshark.TRC000
>>12	string		x			"%-.56s"
# tz[20]; like UTC
>68	string		!UTC			\b, tz
>>68	string		x			%-.20s
# host_name[9];
>88	string		>\0			\b, host %-.9s
# os_vers[9]; like B.11.11
>97	string		!B.11.11		\b, os
>>97	string		x			%-.9s
# os_v; like 55h
>>106	ubyte		x			(%#x)
# xxa[8]; like 0
>107	ubequad		!0			\b, xxa=%#16.16llx
# model[11] like: 9000/800
>115	string		!9000/800		\b, model
>>115	string		x			%-.11s
# unknown; probably just padding to 128 bytes like: 0406h
>126	ubeshort	!0x0406h		\b, at 126 %#4.4x

#
# RADCOM WAN/LAN Analyzer capture files.
#
0	string		\x42\xd2\x00\x34\x12\x66\x22\x88	RADCOM WAN/LAN Analyzer capture file

#
# NetStumbler log files.  Not really packets, per se, but about as
# close as you can get.  These are log files from NetStumbler, a
# Windows program, that scans for 802.11b networks.
#
0	string		NetS		NetStumbler log file
>8	lelong		x		\b, %d stations found

#
# *Peek tagged capture files.
#
0	string		\177ver		EtherPeek/AiroPeek/OmniPeek capture file

#
# Visual Networks traffic capture files.
#
0	string		\x05VNF		Visual Networks traffic capture file

#
# Network Instruments Observer capture files.
#
0	string		ObserverPktBuffe	Network Instruments Observer capture file

#
# Files from Accellent Group's 5View products.
#
# URL:		http://www.infovista.com
# Reference:	http://mark0.net/download/triddefs_xml.7z
#		defs/0/5vw.trid.xml
#		https://2.na.dl.wireshark.org/src/wireshark-3.6.2.tar.xz
#		wireshark-3.6.2/wiretap/5views.c 
# Update:	Joerg Jenderek
# Note:		called "5View capture" by TrID and
#		"Wireshark capture file" on Windows or
#		"Packet Capture (Accellent/InfoVista 5view)" by shared MIME-info database
#		verified/falsified by `wireshark *.5vw`
0	string		\xaa\xaa\xaa\xaa
# skip misidentified boot/x86_64/loader/kroete.dat on Suse LEAP DVD
# by check for valid record version
>8	ulelong		=0x00010000
>>0	use	5view-le
0	name	5view-le
# t_5VW_Info_Header.Signature = CST_5VW_INFO_HEADER_KEY = 0xAAAAAAAAU
>0	ulelong		x			5View capture file
# https://reposcope.com/mimetype/application/x-5view
!:mime	application/x-5view
!:ext	5vw
# size of header in bytes (included signature and reserved fields); probably always 20h
>4	ulelong		!0x00000020		\b, header size %#x
# version of header record; apparently always CST_5VW_INFO_RECORD_VERSION=0x00010000U
>8	ulelong		!0x00010000		\b, record version %#x
# DataSize; total size of data without header like: 18h
>12	ulelong		x			\b, record size %#x
# filetype; type of the capture file like: 18001000h
>16	ulelong		x			\b, file type %#8.8x
# Reserved[3]; reserved for future use; apparently zero
>20	quad		!0			\b, Reserved %#llx
# look for record header key CST_5VW_RECORDS_HEADER_KEY of structure t_5VW_TimeStamped_Header
>0x20	search/0xB8/b	\xEE\xEE\x33\x33	\b; record
# HeaderSize; actual size of this header in bytes like: 32 24h
>>&0	uleshort	x			size %#x
# HeaderType; exact type of this header; probably always 0x4000
>>&2	uleshort	!0x4000			\b, header type %#x
# RecType; type of record like: 80000000h
>>&4	ulelong		x			\b, record type %#x
# RecSubType; subtype of record like: 0
>>&8	ulelong		!0			\b, subtype %#x
# RecSize; Size of one record like: 5Ch
>>&12	ulelong		x			\b, RecSize %#x
# RecNb; Number of records like: 1
>>&16	ulelong		>1			\b, %#x records
# Timestamp Utc
#>>&20	ulelong		x			\b, RAW TIME %#8.8x
>>&20	date		x			\b, Time-stamp %s