The magic number is the first 4 or more bytes in a file that allow an operating system to identify it. On *nix systems, magic numbers are preferred whereas on Windows, the file extension is used instead. On *nix systems, this can lead to the curiosity of having a file with data of one type but an extension of another. For packet captures, it is easy to fix this.
This is a work in progress. Only about half of capture file formats that I’ve collected data on are shown.
The magic numbers shown here in hex are in network order (i.e. big-endian). Big-endian is the default for xxd, which is used extensively here to gather values. If there are little-endian values here, please file a bug. This table aims to contain the magic numbers for formats that hold packets.
In the tables below, name and description come from tshark -F and capinfos in the format “name - description”.
The values shown here are best effort, and are based upon available information. If you see a problem with these file encodings, please file an issue, along with relevant files.

| name | description | hex | string | extension | Links |
|---|---|---|---|---|---|
| 5views | InfoVista 5View capture | aa aa aa aa | ªªªª | 5vw | |
| btsnoop | Symbian OS btsnoop | 62 74 73 6e 6f 6f 70 00 | btsnoop. | log | |
| commview | TamoSoft CommView | - | - | ncf | |
| dct2000 | Catapult DCT2000 trace | 53 65 73 73 69 6f 6e 20 54 72 61 6e 73 63 72 69 70 74 | Session Transcript | out | |
| eyesdn | EyeSDN USB S0/E1 ISDN | 45 79 65 53 44 4e | EyeSDN | trc | |
| lanalyzer | Novell LANalyzer | 01 10 4c 00 01 05 54 72 61 63 65 20 44 69 73 70 6c 61 79 20 54 72 61 63 65 20 46 69 6c 65 | ..L...Trace Display Trace File | tr1 | WS |
| modpcap | Modified tcpdump - pcap | 34 cd b2 a1 | 4... | pcap | |
| netmon1 | Microsoft NetMon 1.x | 52 54 53 53 | RTSS | | |
| netmon2 | Microsoft NetMon 2.x | 47 4d 42 55 | GMBU | | |
| nettl | HP-UX nettl trace | 00 00 00 01 00 00 00 00 00 07 D0 00 | ............ | trc0;trc1 | WS |
| ngsniffer | Sniffer (DOS) | 54 52 53 4e 49 46 46 20 64 61 74 61 20 20 20 20 | TRSNIFF data | cap;enc;trc;fdc;syc | |
| niobserver | Network Instruments Observer | 4f 62 73 65 72 76 65 72 50 6b 74 42 75 66 66 65 72 56 65 72 73 69 6f 6e | ObserverPktBufferVersion | bfr | WS |
| pcap | Wireshark/tcpdump/… - pcap | d4 c3 b2 a1 | Ôò¡ | pcap;cap;dmp | |
| pcapng | Wireshark/… - pcapng | 0a 0d 0d 0a | \n\r\r\n | pcapng;ntar | |
| rf5 | Tektronix K12xx 32-bit | 00 00 02 00 12 05 00 10 | ........ | rf5 | |
| snoop | Sun snoop (RFC 1761) | 73 6e 6f 6f 70 00 00 00 | snoop... | snoop | |
| suse6_3pcap | SuSE 6.3 tcpdump - pcap | 34 cd b2 a1 | 4... | pcap | EX |
| visual | Visual Networks traffic capture | 05 56 4e 46 | .VNF | eth;pcap;pkt;vn;vntc | WS EX |

| name | description | hex | string | extension | Links |
|---|---|---|---|---|---|
| aethra | Aethra .aps file | 56 30 32 30 38 | V0208 | aps | |
| capsa | Colasoft Capsa | 63 70 73 65 | cpse | cscpkt | |
| Savvius *Peek | | 7f 76 65 72 | .ver | pkt;tpc;apc;wpz | WS |
| mplog | Micropross mplog | 4d 50 43 53 49 49 | MPCSII | mplog | WS EX |
| Etherwatch | | 45 54 48 45 52 57 41 54 43 48 20 | ETHERWATCH | | |
| netscreen | | 28 6f 29 20 6c 65 6e 3d | (o) len= ¹ | | |
| radcom | | 42 D2 00 34 12 66 22 88 | B..4.f". | | |

WS: Wireshark code, when available
EX: File of this type, when available
¹ 28 69 29 20 6c 65 6e 3d / (i) len=

The vast majority of this info comes directly from Wireshark’s wiretap folder, and specifically, file_access.c.
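
The following Python check is an added example, not part of the original page or of Wireshark: it reads a file's leading bytes, matches them against a subset of the magic numbers in the tables above, and reports when the extension disagrees with the content. The function names, verdict strings and sample file are assumptions of this example.

```python
import os

# Magic bytes and extensions copied from a subset of the rows in the tables above.
# One magic can map to several names (modpcap and suse6_3pcap share 34 cd b2 a1).
SIGNATURES = [
    (bytes.fromhex("d4c3b2a1"), ["pcap"], {"pcap", "cap", "dmp"}),
    (bytes.fromhex("34cdb2a1"), ["modpcap", "suse6_3pcap"], {"pcap"}),
    (bytes.fromhex("0a0d0d0a"), ["pcapng"], {"pcapng", "ntar"}),
    (bytes.fromhex("6274736e6f6f7000"), ["btsnoop"], {"log"}),
    (bytes.fromhex("736e6f6f70000000"), ["snoop"], {"snoop"}),
    (bytes.fromhex("52545353"), ["netmon1"], set()),
    (bytes.fromhex("474d4255"), ["netmon2"], set()),
    (bytes.fromhex("45796553444e"), ["eyesdn"], {"trc"}),
    (bytes.fromhex("05564e46"), ["visual"], {"eth", "pcap", "pkt", "vn", "vntc"}),
]
MAX_MAGIC = max(len(sig) for sig, _, _ in SIGNATURES)


def identify(header: bytes):
    """Return (names, extensions) for the longest magic that prefixes header."""
    best = None
    for sig, names, exts in SIGNATURES:
        if header.startswith(sig) and (best is None or len(sig) > len(best[0])):
            best = (sig, names, exts)  # longest match wins over a shorter one
    return (best[1], best[2]) if best else ([], set())


def check_file(path: str) -> dict:
    """Compare a file's leading bytes with its extension."""
    with open(path, "rb") as fh:
        header = fh.read(MAX_MAGIC)  # only the header is needed
    names, exts = identify(header)
    ext = os.path.splitext(path)[1].lstrip(".").lower()
    if not names:
        verdict = "unknown"   # empty file or a magic not in SIGNATURES
    elif not exts or ext in exts:
        verdict = "ok"        # table lists no extension, or the extension agrees
    else:
        verdict = "mismatch"  # content is one format, extension claims another
    return {"path": path, "names": names, "extension": ext, "verdict": verdict}


if __name__ == "__main__":
    import tempfile
    # Constructed sample: pcapng magic saved under a .pcap name.
    path = os.path.join(tempfile.mkdtemp(), "trace.pcap")
    with open(path, "wb") as fh:
        fh.write(bytes.fromhex("0a0d0d0a") + bytes(24))
    print(check_file(path))
```

A "mismatch" verdict is the case the introduction describes: data of one type under an extension of another, which renaming the file to one of the listed extensions resolves.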