//---------------------
//--- 010 Editor v3.0.3 Binary Template
//
// File: PCAPTemplate.bt
// Author: Didier Stevens (https://DidierStevens.com)
// Revision: 0.1, prototype, only tested on 1 PCAP file
// Date: 2009/05/24
// Purpose:  Defines a template for parsing PCAP files.
// References:
//  http://wiki.wireshark.org/Development/LibpcapFileFormat
//--------------------------------------


typedef struct {
        uint32 magic_number <format=hex>;   /* magic number */
        if(magic_number != 0xA1B2C3D4) {
            Warning("Not a valid PCAP file");
            return 1;
        }
        uint16 version_major;  /* major version number */
        uint16 version_minor;  /* minor version number */
        int32  thiszone;       /* GMT to local correction */
        uint32 sigfigs;        /* accuracy of timestamps */
        uint32 snaplen;        /* max length of captured packets, in octets */
        uint32 network;        /* data link type */
} PCAPHEADER;

typedef struct 
{
    uchar Byte[6];
} MACaddr<read=MACname>;

typedef struct 
{
        MACaddr DstMac<name="Destination MAC">;
        MACaddr SrcMac<name="Source MAC">;
        uint16 L3type<name="Layer 3 Protocol">;
} Layer_2 <size=14>;

typedef struct 
{
    uchar Byte[4];
} IPv4addr<read=IPv4addrName>;

string IPv4addrName(IPv4addr &IP)
{
    string strReturn;
    SPrintf(strReturn,"%d.%d.%d.%d",IP.Byte[0],IP.Byte[1],IP.Byte[2],IP.Byte[3]);
    return strReturn;
}
typedef struct (uint16 proto_type)
{
     uchar version:4;
     uchar ip_hdr_len:4;
     local int hdr_length = ip_hdr_len*4;
     BYTE DiffServField;
     uint16 total_length;
     if (proto_type == 0x0800)    // IP
     {
        uint16 Identification;   
        uint16 Flags;
        BYTE   TTL;
        BYTE   L4proto<name="Layer 4 Protocol",read=L4protoName>;
        uint16 HdrChecksum;
        IPv4addr SRC_IP<name="Source IP">;
        IPv4addr DST_IP<name="Dest IP">;
     }
     else
     {
        BYTE Unknown[hdr_length-4];
      }
} Layer_3;

typedef struct (ushort VER_HDR,uint16 total_length,uint L4proto)
{    
    local uint16 ip_hdr_length = VER_HDR*4;

    if (L4proto == 0x11) // UDP
    {
        uint16 SrcPort<name="Source Port">;
        uint16 DstPort<name="Destination Port">;
        uint16 udp_hdr_len<name="Datagram Length">;
        uint16 ChkSum<name="Checksum">;
    }
    else if (L4proto == 0x6) // TCP
    {
        uint16 SrcPort<name="Source Port">;
        uint16 DstPort<name="Destination Port">;
        uint32 SEQ;
        uint32 ACK; 
        uchar tcp_hdr_len:4;
        uchar Reserved:4;
        BYTE Crap[tcp_hdr_len*4-13];
    }
    else
    {
          BYTE packet[total_length-ip_hdr_length]<name="Unknown Layer 4 Data">;
    }
    
} Layer_4;

string L4protoName(BYTE val)
{
    if (val == 0x06)
    {
        return "TCP";
    }
    else if (val == 0x11)
    {
        return "UDP";
    }
    else
    {
        return "Unknown";
    }
}

typedef struct {
        time_t ts_sec;         /* timestamp seconds */
        uint32 ts_usec;        /* timestamp microseconds */
        uint32 incl_len;       /* number of octets of packet saved in file */
        uint32 orig_len;       /* actual length of packet */
        BigEndian();
        Layer_2 L2 <name="Layer 2">;
        Layer_3 L3(L2.L3type) <name="Layer 3">;
        Layer_4 L4(L3.ip_hdr_len,L3.total_length,L3.L4proto)<name="Layer 4">;

        if (L3.L4proto == 0x6)
        {
            local uint16 AppDataLen = L3.total_length - L3.ip_hdr_len*4 - L4.tcp_hdr_len*4;
            if (AppDataLen > 0)
            {
                BYTE AppData[AppDataLen]<name="TCP Application Data">;
            }
        }
        else if (L3.L4proto == 0x11)
        {
            local uint AppDataLen = L4.udp_hdr_len-8;
            if (AppDataLen > 0)
            {
                BYTE AppData[AppDataLen]<name="UDP Application Data">;
            }
        }   
        LittleEndian();
} PCAPRECORD <read=ReadPCAPRECORD,comment=PCAPcomments>;

string PCAPcomments(PCAPRECORD &P)
{
    local uint16 L4_proto = P.L3.L4proto;
    string strReturn;
    local uint16 AppDataLen = 0;
    if (L4_proto == 0x6)
    {
        AppDataLen = P.L3.total_length - P.L3.ip_hdr_len*4 - P.L4.tcp_hdr_len*4;
    }
    else if (L4_proto == 0x11)
    {
        AppDataLen = P.L4.udp_hdr_len - 8;
    }   
    SPrintf(strReturn,"%s:%d -> %s:%d  %s %s",IPv4addrName(P.L3.SRC_IP),P.L4.SrcPort,IPv4addrName(P.L3.DST_IP),P.L4.DstPort,L4protoName(L4_proto), AppDataLen > 0 ? "***" : "");
    return strReturn;
}
string ReadPCAPRECORD(PCAPRECORD &record)
{
	string strReturn;
	
	SPrintf(strReturn, "%s.%06u", TimeTToString(record.ts_sec), record.ts_usec);
	return strReturn;
}

string MACname(MACaddr &addr)
{
    string strReturn;
    SPrintf(strReturn,"%.02x:%.02x:%.02x:%.02x:%.02x:%.02x",addr.Byte[0],addr.Byte[1],addr.Byte[2],addr.Byte[3],addr.Byte[4],addr.Byte[5]);
    return strReturn;
}

// Define the headers
LittleEndian();
PCAPHEADER header;

while( !FEof() )
{
	PCAPRECORD record<name="Frame">;

}