pcap-parser
add support for PCAP "modified" format
Some outdated / proprietary tools seem to produce PCAPs in this format, described on the Wireshark wiki:
The magic bytes for this format are 0xa1b2cd34 (note the final two bytes). The file header is otherwise the same as the standard libpcap header.
The record header is extended [...]
For PCAPs with this magic, the patch discards the 8 additional bytes from record headers.
The test case comes from a capture of an ICMP packet modified with editcap:
$ sudo tcpdump -i lo -w /tmp/ping.pcap
$ hexdump -n 4 -C /tmp/ping.pcap | head -1
00000000 d4 c3 b2 a1 |....|
$ editcap -F modpcap /tmp/ping.pcap /tmp/ping-modified.pcap
$ hexdump -n 4 -C /tmp/ping-modified.pcap | head -1
00000000 34 cd b2 a1 |4...|
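As an added example, not pcap-parser's own code, here is a minimal Rust reader that tells the two magics shown above apart, switches to a 24-byte record header for the modified flavour (skipping the 8 extra bytes, as the patch does), and bounds-checks every length so a truncated or malformed file produces an error rather than an out-of-bounds read. The sample file bytes and the `Record` / `PcapFlavor` names are constructed for the example, not taken from the capture or the crate.

```rust
use std::convert::TryInto;
const FILE_HEADER_LEN: usize = 24; // identical for both flavours
#[derive(Debug, PartialEq)]
pub enum PcapFlavor { Standard, Modified }
pub struct Record<'a> { pub ts_sec: u32, pub ts_usec: u32, pub orig_len: u32, pub data: &'a [u8] }

/// Map the first four file bytes to (flavour, file-is-little-endian); None for unknown magic.
pub fn detect_magic(magic: [u8; 4]) -> Option<(PcapFlavor, bool)> {
    match u32::from_le_bytes(magic) {
        0xa1b2_c3d4 => Some((PcapFlavor::Standard, true)),  // "d4 c3 b2 a1" on disk
        0xd4c3_b2a1 => Some((PcapFlavor::Standard, false)),
        0xa1b2_cd34 => Some((PcapFlavor::Modified, true)),  // "34 cd b2 a1" on disk
        0x34cd_b2a1 => Some((PcapFlavor::Modified, false)),
        _ => None,
    }
}
/// Walk all records. Every length is checked against the buffer, so a truncated or
/// malformed file yields an error instead of an out-of-bounds read.
pub fn parse_records(file: &[u8]) -> Result<Vec<Record<'_>>, &'static str> {
    let magic: [u8; 4] = file.get(0..4).ok_or("short file header")?.try_into().unwrap();
    let (flavor, le) = detect_magic(magic).ok_or("unknown magic")?;
    let rd = |b: &[u8]| -> u32 {
        let a: [u8; 4] = b.try_into().unwrap();
        if le { u32::from_le_bytes(a) } else { u32::from_be_bytes(a) }
    };
    // Modified format: the standard 16-byte record header plus 8 extra bytes, discarded as in the patch.
    let rec_hdr_len = match flavor { PcapFlavor::Standard => 16, PcapFlavor::Modified => 24 };
    let (mut pos, mut out) = (FILE_HEADER_LEN, Vec::new());
    while pos < file.len() {
        let hdr = file.get(pos..pos + rec_hdr_len).ok_or("truncated record header")?;
        let (incl_len, start) = (rd(&hdr[8..12]) as usize, pos + rec_hdr_len);
        let data = start.checked_add(incl_len).and_then(|end| file.get(start..end))
            .ok_or("incl_len exceeds file")?;
        out.push(Record { ts_sec: rd(&hdr[0..4]), ts_usec: rd(&hdr[4..8]), orig_len: rd(&hdr[12..16]), data });
        pos = start + incl_len;
    }
    Ok(out)
}
/// Constructed sample (not a real capture): little-endian modified pcap holding one 4-byte record.
pub fn sample_modified_file() -> Vec<u8> {
    let mut f = 0xa1b2_cd34u32.to_le_bytes().to_vec();
    for v in [2u16, 4] { f.extend_from_slice(&v.to_le_bytes()); }        // version 2.4
    f.extend_from_slice(&[0u8; 8]);                                        // thiszone, sigfigs
    for v in [65535u32, 1] { f.extend_from_slice(&v.to_le_bytes()); }     // snaplen, linktype
    for v in [1_700_000_000u32, 42, 4, 4] { f.extend_from_slice(&v.to_le_bytes()); } // ts_sec, ts_usec, incl_len, orig_len
    f.extend_from_slice(&[0u8; 8]);                                        // the 8 extra header bytes
    f.extend_from_slice(&[0xde, 0xad, 0xbe, 0xef]);                        // packet bytes
    f
}
```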