//---------------------
//--- 010 Editor v3.0.3 Binary Template
//
// File: PCAPTemplate.bt
// Author: Didier Stevens (https://DidierStevens.com)
// Revision: 0.1, prototype, only tested on 1 PCAP file
// Date: 2009/05/24
// Purpose: Defines a template for parsing PCAP files.
// References:
// http://wiki.wireshark.org/Development/LibpcapFileFormat
//--------------------------------------
// Global header of a libpcap capture file (24 bytes), read little-endian
// because the top-level script calls LittleEndian() before declaring it.
typedef struct {
uint32 magic_number <format=hex>; /* magic number */
// Only the classic little-endian, microsecond-resolution magic is accepted.
// Byte-swapped captures (0xD4C3B2A1 when read this way) and nanosecond
// captures (0xA1B23C4D) are rejected here; "return 1" stops the whole template.
if(magic_number != 0xA1B2C3D4) {
Warning("Not a valid PCAP file");
return 1;
}
uint16 version_major; /* major version number */
uint16 version_minor; /* minor version number */
int32 thiszone; /* GMT to local correction */
uint32 sigfigs; /* accuracy of timestamps */
uint32 snaplen; /* max length of captured packets, in octets */
uint32 network; /* data link type */
// NOTE(review): network is not checked; the record structs below assume
// the link type is Ethernet (Layer_2 is a fixed 14-byte header).
} PCAPHEADER;
// 48-bit MAC address; rendered as colon-separated hex by MACname().
typedef struct
{
uchar Byte[6];
} MACaddr<read=MACname>;
// Ethernet II frame header, fixed at 14 bytes (6 + 6 + 2).
// L3type is the EtherType; Layer_3 compares it against 0x0800 (IPv4).
typedef struct
{
MACaddr DstMac<name="Destination MAC">;
MACaddr SrcMac<name="Source MAC">;
uint16 L3type<name="Layer 3 Protocol">;
} Layer_2 <size=14>;
// 32-bit IPv4 address; rendered in dotted-decimal form by IPv4addrName().
typedef struct
{
uchar Byte[4];
} IPv4addr<read=IPv4addrName>;
// Display function for IPv4addr: formats the four octets as "a.b.c.d".
string IPv4addrName(IPv4addr &IP)
{
string dotted;
SPrintf(dotted,"%d.%d.%d.%d",IP.Byte[0],IP.Byte[1],IP.Byte[2],IP.Byte[3]);
return dotted;
}
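// Layer 3 header. proto_type is the EtherType from Layer_2; only 0x0800 (IPv4)
// is understood. Read big-endian (PCAPRECORD switches byte order before L2).
typedef struct (uint16 proto_type)
{
// NOTE(review): the first four bytes are interpreted as an IPv4 header even
// when proto_type is not IPv4, so for other frame types these fields are
// meaningless and hdr_length may be 0 (see the Unknown[] size below).
uchar version:4;
uchar ip_hdr_len:4; /* IHL, in 32-bit words; 5 = no options */
local int hdr_length = ip_hdr_len*4; /* IHL in bytes */
BYTE DiffServField;
uint16 total_length; /* IP header + payload, in bytes */
if (proto_type == 0x0800) // IP
{
uint16 Identification;
uint16 Flags;
BYTE TTL;
BYTE L4proto<name="Layer 4 Protocol",read=L4protoName>;
uint16 HdrChecksum;
IPv4addr SRC_IP<name="Source IP">;
IPv4addr DST_IP<name="Dest IP">;
// IHL > 5 means IPv4 options follow the fixed 20-byte header. They have to
// be consumed here; otherwise Layer_4 would be parsed from inside the options
// and every offset after it (ports, data offset, application data) is wrong.
if (ip_hdr_len > 5)
{
BYTE Options[(ip_hdr_len-5)*4]<name="IP Options">;
}
}
else
{
// Best effort for non-IP frames: assumes an IP-like length nibble, which is
// not true for e.g. ARP, where hdr_length-4 becomes negative and the
// template errors out. A real fix needs per-EtherType parsing.
BYTE Unknown[hdr_length-4];
}
} Layer_3;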
// Layer 4 header. Parameters are taken from Layer_3 by PCAPRECORD:
//   VER_HDR      - the IHL nibble (header length in 32-bit words)
//   total_length - IP total length in bytes
//   L4proto      - IP protocol number (0x11 UDP, 0x06 TCP)
typedef struct (ushort VER_HDR,uint16 total_length,uint L4proto)
{
local uint16 ip_hdr_length = VER_HDR*4; /* IP header length in bytes */
if (L4proto == 0x11) // UDP
{
uint16 SrcPort<name="Source Port">;
uint16 DstPort<name="Destination Port">;
uint16 udp_hdr_len<name="Datagram Length">; /* UDP header + payload */
uint16 ChkSum<name="Checksum">;
}
else if (L4proto == 0x6) // TCP
{
uint16 SrcPort<name="Source Port">;
uint16 DstPort<name="Destination Port">;
uint32 SEQ;
uint32 ACK;
uchar tcp_hdr_len:4; /* data offset, in 32-bit words */
uchar Reserved:4;
// 13 header bytes have been read so far (ports, SEQ, ACK, offset byte); the
// rest of the TCP header (flags, window, checksum, urgent pointer, options)
// is skipped as one blob. NOTE(review): a data offset below 4 (malformed
// packet) makes this size negative.
BYTE Crap[tcp_hdr_len*4-13];
}
else
{
// Anything that is not TCP/UDP: the remainder of the IP payload as raw bytes.
// NOTE(review): total_length < ip_hdr_length (malformed) wraps to a large
// unsigned size here.
BYTE packet[total_length-ip_hdr_length]<name="Unknown Layer 4 Data">;
}
} Layer_4;
// Display function for the IP protocol number: short label for the two
// transports this template parses, "Unknown" for everything else.
string L4protoName(BYTE val)
{
switch (val)
{
case 0x06: return "TCP";
case 0x11: return "UDP";
default: return "Unknown";
}
}
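// One capture record: a 16-byte little-endian record header followed by
// exactly incl_len bytes of frame data, parsed as Ethernet/IPv4/TCP|UDP.
typedef struct {
time_t ts_sec; /* timestamp seconds */
uint32 ts_usec; /* timestamp microseconds */
uint32 incl_len; /* number of octets of packet saved in file */
uint32 orig_len; /* actual length of packet */
// The captured frame occupies exactly incl_len bytes from here, whatever the
// embedded protocol headers claim. Remember its bounds so that the length
// fields inside the frame (untrusted input) cannot steer parsing into the
// next record.
local int64 frameStart = FTell();
local int64 frameEnd = frameStart + incl_len;
BigEndian(); // network byte order for the encapsulated headers
Layer_2 L2 <name="Layer 2">;
Layer_3 L3(L2.L3type) <name="Layer 3">;
Layer_4 L4(L3.ip_hdr_len,L3.total_length,L3.L4proto)<name="Layer 4">;
// Application data length derived from the IP/TCP/UDP length fields, clamped
// to what the record actually holds. Signed 64-bit so that inconsistent
// lengths give a negative value (no array) instead of the old uint16 wrap
// that produced a huge array reaching far past the record.
local int64 remaining = frameEnd - FTell();
local int64 AppDataLen = 0;
if (L3.L4proto == 0x6)
{
AppDataLen = L3.total_length - L3.ip_hdr_len*4 - L4.tcp_hdr_len*4;
if (AppDataLen > remaining)
{
AppDataLen = remaining;
}
if (AppDataLen > 0)
{
BYTE AppData[AppDataLen]<name="TCP Application Data">;
}
}
else if (L3.L4proto == 0x11)
{
AppDataLen = L4.udp_hdr_len-8;
if (AppDataLen > remaining)
{
AppDataLen = remaining;
}
if (AppDataLen > 0)
{
BYTE AppData[AppDataLen]<name="UDP Application Data">;
}
}
// Keep the record aligned with incl_len: leftover bytes (typically link-layer
// padding) are consumed so the next PCAPRECORD starts at the right offset;
// an overrun can only mean the headers lied about their lengths, so say so.
if (FTell() > frameEnd)
{
Warning("PCAP record: encapsulated protocol lengths exceed incl_len");
}
else if (FTell() < frameEnd)
{
BYTE Trailer[frameEnd - FTell()]<name="Trailing Bytes">;
}
LittleEndian(); // back to the byte order of the record headers
} PCAPRECORD <read=ReadPCAPRECORD,comment=PCAPcomments>;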
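// Comment shown next to each frame:
//   "<src ip>:<src port> -> <dst ip>:<dst port> <TCP|UDP|Unknown> [***]"
// where "***" flags frames that carry application data.
string PCAPcomments(PCAPRECORD &P)
{
string strReturn;
// L3.L4proto/SRC_IP/DST_IP only exist when the IPv4 branch was parsed, and
// L4.SrcPort/DstPort only for TCP/UDP. Referencing an undeclared member is a
// template error, so frames parsed through the Unknown branches get an empty
// comment instead of breaking the display.
if (!exists(P.L3.L4proto) || !exists(P.L4.SrcPort))
{
return "";
}
local uint16 L4_proto = P.L3.L4proto;
// Signed so that inconsistent total_length/IHL/data-offset values give a
// negative result (no "***") rather than a uint16 wrap that always flags data.
local int AppDataLen = 0;
if (L4_proto == 0x6)
{
AppDataLen = P.L3.total_length - P.L3.ip_hdr_len*4 - P.L4.tcp_hdr_len*4;
}
else if (L4_proto == 0x11)
{
AppDataLen = P.L4.udp_hdr_len - 8;
}
SPrintf(strReturn,"%s:%d -> %s:%d %s %s",IPv4addrName(P.L3.SRC_IP),P.L4.SrcPort,IPv4addrName(P.L3.DST_IP),P.L4.DstPort,L4protoName(L4_proto), AppDataLen > 0 ? "***" : "");
return strReturn;
}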
// Display function for a record: "<time of ts_sec>.<ts_usec>", microseconds
// zero-padded to six digits.
string ReadPCAPRECORD(PCAPRECORD &record)
{
local string stamp = TimeTToString(record.ts_sec);
string text;
SPrintf(text, "%s.%06u", stamp, record.ts_usec);
return text;
}
// Display function for MACaddr: six octets as zero-padded, colon-separated hex.
string MACname(MACaddr &addr)
{
string hexText;
SPrintf(hexText,"%.02x:%.02x:%.02x:%.02x:%.02x:%.02x",addr.Byte[0],addr.Byte[1],addr.Byte[2],addr.Byte[3],addr.Byte[4],addr.Byte[5]);
return hexText;
}
// Define the headers.
// The global header is read little-endian (PCAPHEADER's magic check relies on
// that); every PCAPRECORD switches to big-endian for the frame contents and
// restores little-endian before it ends.
LittleEndian();
PCAPHEADER header;
// One record per captured frame, until the end of the file is reached.
for ( ; !FEof(); )
{
PCAPRECORD record<name="Frame">;
}