1magic(4) File Formats magic(4)
2
6 magic - file command's magic number file
7
9 /etc/magic
10
13 The file(1) command identifies the type of a file using, among other
14 tests, a test for whether the file begins with a certain magic number.
15 The /etc/magic file, or a file specified as an option-argument to the
16 -m or -M options of file(1), specifies what magic numbers are to be
17 tested for, what message to print if a particular magic number is
18 found, and additional information to extract from the file.
19 Each line of the file specifies a position-sensitive test to perform. A
22 test compares the data starting at a particular offset in the file with
23 a 1-byte, 2-byte, 4-byte, or 8-byte numeric value or string. If the
24 test succeeds, a message is printed. The line consists of the following
25 fields (separated by tabs): offset type value message
26 offset A number specifying the offset, in bytes, into the file of
28 the data which is to be tested.
29 type The type of the data to be tested. The possible values are:
32 byte, d1, dC A one-byte signed value.
34 short, d2, dS A 2-byte signed value.
37 long, d4, dI, dL, d A 4-byte signed value.
40 llong, d8 An 8-byte signed value
43 ubyte, u1, uC A one-byte unsigned value.
46 ushort, u2, uS A 2-byte unsigned value.
49 ulong, u4, uI, uL, u A 4-byte unsigned value.
52 ullong, u8 An 8-byte unsigned value.
55 string, s A string of bytes.
58 All type specifiers, except for string and s, may be fol‐
60 lowed by a mask specifier of the form &number. If a mask
61 specifier is given, the value is AND'ed with the number
62 before any comparisons are done. The number is specified in
63 C form. For instance, 13 is decimal, 013 is octal, and 0x13
64 is hexadecimal.
65 value The value to be compared with the value from the file. If
68 the type is numeric, this value is specified in C form. If
69 it is a string, it is specified as a C string with the usual
70 escapes permitted (for instance, \n for NEWLINE).
71 Numeric values may be preceded by a character indicating the
73 operation to be performed, as follows:
74 = The value from the file must equal the specified value.
76 < The value from the file must be less than the specified
79 value.
80 > The value from the file must be greater than the speci‐
83 fied value.
84 & All the bits in the specified value must be set in the
87 value from the file.
88 ^ At least one of the bits in the specified value must
91 not be set in the value from the file.
92 x Any value will match.
95 If the character is omitted, it is assumed to be "=".
97 For comparison of numeric values, the sign and size of both
99 the value in the file and the value from the value field of
100 the magic entry will match that of the corresponding type
101 field. If there is a non-zero mask (&) in the type field,
102 the comparison will be unsigned.
103 For string values, the byte string from the file must match
105 the specified byte string. The byte string from the file
106 which is matched is the same length as the specified byte
107 string. If the value is a string, it can contain the follow‐
108 ing sequences:
109 \character The backslash-escape sequences \\, \a, \b,
111 \f, \n, \r, \t, \v.
112 \octal Octal sequences that can be used to represent
115 characters with specific coded values. An
116 octal sequence consists of a backslash fol‐
117 lowed by the longest sequence of one, two, or
118 three octal-digit characters (01234567).
119 message The message to be printed if the comparison succeeds. If the
123 string contains a printf(3C) format specification, the value
124 from the file (with any specified masking performed) is
125 printed using the message as the format string.
126 Some file formats contain additional information which is to be printed
130 along with the file type. A line which begins with the character ">"
131 indicates additional tests and messages to be printed. If the test on
132 the line preceding the first line with a ">" succeeds, the tests speci‐
133 fied in all the subsequent lines beginning with ">" are performed, and
134 the messages are printed if the tests succeed. The next line which does
135 not begin with a ">" terminates this.
136
138 /etc/magic
139
142 file(1), file(1B), printf(3C)
143
145 In Solaris 9 and prior releases, the file utility may have performed
146 unsigned comparisons for types byte, short, and long. Old user-defined
147 magic files, which were specified with the -m option, will need modifi‐
148 cation of byte, short, and long entries to their corresponding unsigned
149 types (ubyte, ushort, or ulong) for those entries for which all of the
150 following are true:
151 o The entry uses the "<" or the ">" operator.
153 o The type field does not contain a non-zero mask.
155 o The intention of the entry is to test unsigned values.
157 For example, if the following entry is expected to match any non-zero,
160 one-byte value from the file, including values for which the sign bit
161 is on:
162 #offset type value message
164 0 byte >0 this matches any non-zero value
165 then that entry should be changed to:
170 0 ubyte >0 this matches any non-zero value
172 In Solaris 7 through Solaris 9, when applying tests for magic file
177 entries whose type field is the numeric type "short" or "long", the
178 file utility in the x86 environment would switch the byte order of the
179 numeric values read. Starting in Solaris 10, the byte order will not be
180 switched on x86. A test for a numeric value whose byte order is identi‐
181 cal in both little- and big-endian architectures may require two magic
182 file entries, to ensure that the test correctly identifies files in
183 both environments. For example, a magic file entry that will match on a
184 big-endian system may look like this:
185 0 long 0xf00000ff extended accounting file
187 Its corresponding magic file entry that will match the same value on a
192 little-endian system would look like this:
193 0 long 0xff0000f0 extended accounting file
195
199 There should be more than one level of subtests, with the level indi‐
200 cated by the number of `>' at the beginning of the line.
201SunOS 5.11 6 Feb 2004 magic(4)