1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
#
# "pcap-ng" capture files.
# http://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html
# Pcap-ng files can contain multiple sections. Printing the endianness,
# snaplen, or other information from the first SHB may be misleading.
#
0 string \x0a\x0d\x0d\x0a\x1a\x2b\x3c\x4d Pcap-ng capture file, big-endian,
>>12 beshort x version %d
>>14 beshort x \b.%d
0 string \x0a\x0d\x0d\x0a\x4d\x3c\x2b\x1a Pcap-ng capture file, little-endian,
>>12 leshort x version %d
>>14 leshort x \b.%d
#
# "libpcap" capture files.
#
0 string \xa1\xb2\xc3\xd4\x00 Libpcap capture file, big-endian,
>4 beshort >2 invalid
>4 beshort x version %d
>6 beshort x \b.%d,
>20 belong 0 (No link-layer encapsulation
>20 belong 1 (Ethernet
>20 belong 2 (3Mb Ethernet
>20 belong 3 (AX.25
>20 belong 4 (ProNET
>20 belong 5 (CHAOS
>20 belong 6 (Token Ring
>20 belong 7 (BSD ARCNET
>20 belong 8 (SLIP
>20 belong 9 (PPP
>20 belong 10 (FDDI
>20 belong 11 (RFC 1483 ATM
>20 belong 12 (raw IP
>20 belong 13 (BSD/OS SLIP
>20 belong 14 (BSD/OS PPP
>20 belong 19 (Linux ATM Classical IP
>20 belong 50 (PPP or Cisco HDLC
>20 belong 51 (PPP-over-Ethernet
>20 belong 99 (Symantec Enterprise Firewall
>20 belong 100 (RFC 1483 ATM
>20 belong 101 (raw IP
>20 belong 102 (BSD/OS SLIP
>20 belong 103 (BSD/OS PPP
>20 belong 104 (BSD/OS Cisco HDLC
>20 belong 105 (802.11
>20 belong 106 (Linux Classical IP over ATM
>20 belong 107 (Frame Relay
>20 belong 108 (OpenBSD loopback
>20 belong 109 (OpenBSD IPsec encrypted
>20 belong 112 (Cisco HDLC
>20 belong 113 (Linux "cooked"
>20 belong 114 (LocalTalk
>20 belong 117 (OpenBSD PFLOG
>20 belong 119 (802.11 with Prism header
>20 belong 122 (RFC 2625 IP over Fibre Channel
>20 belong 123 (SunATM
>20 belong 127 (802.11 with radiotap header
>20 belong 129 (Linux ARCNET
>20 belong 138 (Apple IP over IEEE 1394
>20 belong 140 (MTP2
>20 belong 141 (MTP3
>20 belong 143 (DOCSIS
>20 belong 144 (IrDA
>20 belong 147 (Private use 0
>20 belong 148 (Private use 1
>20 belong 149 (Private use 2
>20 belong 150 (Private use 3
>20 belong 151 (Private use 4
>20 belong 152 (Private use 5
>20 belong 153 (Private use 6
>20 belong 154 (Private use 7
>20 belong 155 (Private use 8
>20 belong 156 (Private use 9
>20 belong 157 (Private use 10
>20 belong 158 (Private use 11
>20 belong 159 (Private use 12
>20 belong 160 (Private use 13
>20 belong 161 (Private use 14
>20 belong 162 (Private use 15
>20 belong 163 (802.11 with AVS header
>20 belong >163 (invalid link layer
>20 belong <0 (invalid link layer
>16 belong x \b, snaplen: %d)
0 lelong 0xa1b2c3d4 Libpcap capture file, little-endian,
>4 leshort >2 invalid
>4 leshort <0 invalid
>4 leshort x version %d
>6 leshort x \b.%d,
>20 lelong 0 (No link-layer encapsulation
>20 lelong 1 (Ethernet
>20 lelong 2 (3Mb Ethernet
>20 lelong 3 (AX.25
>20 lelong 4 (ProNET
>20 lelong 5 (CHAOS
>20 lelong 6 (Token Ring
>20 lelong 7 (ARCNET
>20 lelong 8 (SLIP
>20 lelong 9 (PPP
>20 lelong 10 (FDDI
>20 lelong 11 (RFC 1483 ATM
>20 lelong 12 (raw IP
>20 lelong 13 (BSD/OS SLIP
>20 lelong 14 (BSD/OS PPP
>20 lelong 19 (Linux ATM Classical IP
>20 lelong 50 (PPP or Cisco HDLC
>20 lelong 51 (PPP-over-Ethernet
>20 lelong 99 (Symantec Enterprise Firewall
>20 lelong 100 (RFC 1483 ATM
>20 lelong 101 (raw IP
>20 lelong 102 (BSD/OS SLIP
>20 lelong 103 (BSD/OS PPP
>20 lelong 104 (BSD/OS Cisco HDLC
>20 lelong 105 (802.11
>20 lelong 106 (Linux Classical IP over ATM
>20 lelong 107 (Frame Relay
>20 lelong 108 (OpenBSD loopback
>20 lelong 109 (OpenBSD IPsec encrypted
>20 lelong 112 (Cisco HDLC
>20 lelong 113 (Linux "cooked"
>20 lelong 114 (LocalTalk
>20 lelong 117 (OpenBSD PFLOG
>20 lelong 119 (802.11 with Prism header
>20 lelong 122 (RFC 2625 IP over Fibre Channel
>20 lelong 123 (SunATM
>20 lelong 127 (802.11 with radiotap header
>20 lelong 129 (Linux ARCNET
>20 lelong 138 (Apple IP over IEEE 1394
>20 lelong 140 (MTP2
>20 lelong 141 (MTP3
>20 lelong 143 (DOCSIS
>20 lelong 144 (IrDA
>20 lelong 147 (Private use 0
>20 lelong 148 (Private use 1
>20 lelong 149 (Private use 2
>20 lelong 150 (Private use 3
>20 lelong 151 (Private use 4
>20 lelong 152 (Private use 5
>20 lelong 153 (Private use 6
>20 lelong 154 (Private use 7
>20 lelong 155 (Private use 8
>20 lelong 156 (Private use 9
>20 lelong 157 (Private use 10
>20 lelong 158 (Private use 11
>20 lelong 159 (Private use 12
>20 lelong 160 (Private use 13
>20 lelong 161 (Private use 14
>20 lelong 162 (Private use 15
>20 lelong 163 (802.11 with AVS header
>20 lelong >163 (invalid link layer
>20 lelong <0 (invalid link layer
>16 lelong x \b, snaplen: %d)