
//---------------------
//--- 010 Editor v3.0.3 Binary Template
//
// File: PCAPTemplate.bt
// Author: Didier Stevens (https://DidierStevens.com)
// Revision: 0.1, prototype, only tested on 1 PCAP file
// Date: 2009/05/24
// Purpose: Defines a template for parsing PCAP files.
// References:
// http://wiki.wireshark.org/Development/LibpcapFileFormat
//--------------------------------------
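//--------------------------------------
// Global PCAP file header (24 bytes, read little-endian by the caller).
// Only the classic little-endian, microsecond-resolution magic is
// accepted; anything else is refused with a warning so that a
// byte-swapped or otherwise foreign file is not silently misparsed.
//--------------------------------------
typedef struct {
    uint32 magic_number <format=hex>; /* magic number */
    if (magic_number != 0xA1B2C3D4) {
        // The rest of this template assumes little-endian record headers
        // and microsecond timestamps, so report what was found and stop.
        Warning("Unsupported or invalid PCAP magic 0x%08X (expected 0xA1B2C3D4)", magic_number);
        return 1;
    }
    uint16 version_major; /* major version number */
    uint16 version_minor; /* minor version number */
    int32  thiszone;      /* GMT to local correction */
    uint32 sigfigs;       /* accuracy of timestamps */
    uint32 snaplen;       /* max length of captured packets, in octets */
    uint32 network;       /* data link type */
    // Layer_2 below is a fixed 14-byte MAC/MAC/EtherType header, i.e.
    // Ethernet (link type 1). Any other link type will be decoded as
    // garbage from layer 2 upward, so say so up front.
    if (network != 1) {
        Warning("Link type %u is not Ethernet (1); layers 2-4 will not parse correctly", network);
    }
} PCAPHEADER;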
//--------------------------------------
// Six raw octets of a MAC address; shown via MACname as aa:bb:cc:dd:ee:ff.
//--------------------------------------
typedef struct
{
    ubyte Byte[6]; /* octets in wire order */
} MACaddr <read=MACname>;
//--------------------------------------
// 14-byte Ethernet-style link header: destination MAC, source MAC and the
// 16-bit EtherType that selects how layer 3 is decoded.
//--------------------------------------
typedef struct
{
    MACaddr DstMac <name="Destination MAC">;
    MACaddr SrcMac <name="Source MAC">;
    uint16  L3type <name="Layer 3 Protocol">; /* EtherType, e.g. 0x0800 = IPv4 */
} Layer_2 <size=14>;
//--------------------------------------
// Four raw octets of an IPv4 address; shown via IPv4addrName in dotted form.
//--------------------------------------
typedef struct
{
    ubyte Byte[4]; /* octets in wire order */
} IPv4addr <read=IPv4addrName>;
//--------------------------------------
// Render an IPv4addr as dotted decimal ("a.b.c.d").
//--------------------------------------
string IPv4addrName(IPv4addr &IP)
{
    string text;
    SPrintf(text, "%d.%d.%d.%d",
            IP.Byte[0], IP.Byte[1], IP.Byte[2], IP.Byte[3]);
    return text;
}
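//--------------------------------------
// Layer 3 header. The first four bytes are always read as the start of an
// IPv4 header; only when the EtherType says IPv4 (0x0800) is the rest of
// the header decoded. Layer_4 and PCAPRECORD derive the header length
// from ip_hdr_len, so IP options have to be consumed here to keep the
// transport header aligned.
//--------------------------------------
typedef struct (uint16 proto_type)
{
    uchar version:4;
    uchar ip_hdr_len:4;
    local int hdr_length = ip_hdr_len*4; // IHL counts 32-bit words
    BYTE DiffServField;
    uint16 total_length;
    if (proto_type == 0x0800) // IP
    {
        // A well-formed IPv4 header has version 4 and at least 20 bytes;
        // flag anything else instead of silently decoding garbage.
        if (version != 4 || hdr_length < 20)
            Warning("Layer 3: malformed IPv4 header (version %u, IHL %u)", version, ip_hdr_len);
        uint16 Identification;
        uint16 Flags; /* IPv4 flags/fragment-offset word */
        BYTE TTL;
        BYTE L4proto<name="Layer 4 Protocol",read=L4protoName>;
        uint16 HdrChecksum;
        IPv4addr SRC_IP<name="Source IP">;
        IPv4addr DST_IP<name="Dest IP">;
        // IHL > 5 means options follow the addresses. Skipping them here
        // is what keeps Layer_4 positioned on the real transport header.
        if (hdr_length > 20)
            BYTE Options[hdr_length-20]<name="IP Options">;
    }
    else
    {
        // Not IPv4: hdr_length came from whatever happened to be in the
        // first byte, so only use it when it yields a positive size.
        if (hdr_length > 4)
            BYTE Unknown[hdr_length-4];
    }
} Layer_3;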
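//--------------------------------------
// Layer 4 header, selected by the IPv4 protocol number:
//   0x11 UDP  - 8-byte header
//   0x06 TCP  - fixed 13 bytes decoded, remainder (flags, window,
//               checksum, urgent pointer, options) kept as one blob
//   other     - the rest of the IP datagram as opaque bytes
// Lengths coming from the packet are checked before they are used as
// array sizes so a malformed header cannot produce a negative size.
//--------------------------------------
typedef struct (ushort VER_HDR, uint16 total_length, uint L4proto)
{
    local uint16 ip_hdr_length = VER_HDR*4;
    if (L4proto == 0x11) // UDP
    {
        uint16 SrcPort<name="Source Port">;
        uint16 DstPort<name="Destination Port">;
        uint16 udp_hdr_len<name="Datagram Length">;
        uint16 ChkSum<name="Checksum">;
        // The UDP length covers the 8-byte header; anything smaller is
        // malformed and would make udp_hdr_len - 8 go negative later.
        if (udp_hdr_len < 8)
            Warning("Layer 4: UDP length %u is smaller than the UDP header", udp_hdr_len);
    }
    else if (L4proto == 0x6) // TCP
    {
        uint16 SrcPort<name="Source Port">;
        uint16 DstPort<name="Destination Port">;
        uint32 SEQ;
        uint32 ACK;
        uchar tcp_hdr_len:4;
        uchar Reserved:4;
        // 13 bytes of the TCP header are consumed above (2+2+4+4+1); the
        // data offset (in 32-bit words, minimum 5) says how much is left.
        if (tcp_hdr_len < 5)
            Warning("Layer 4: TCP data offset %u is below the 5-word minimum", tcp_hdr_len);
        if (tcp_hdr_len*4 > 13)
            BYTE Crap[tcp_hdr_len*4-13];
    }
    else
    {
        // Unknown transport: keep what the IP total length says remains,
        // but never build an array from a total_length shorter than the
        // IP header itself.
        if (total_length > ip_hdr_length)
            BYTE packet[total_length-ip_hdr_length]<name="Unknown Layer 4 Data">;
    }
} Layer_4;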
//--------------------------------------
// Human-readable name for an IPv4 protocol number. Only TCP and UDP are
// recognised; everything else reads "Unknown".
//--------------------------------------
string L4protoName(BYTE val)
{
    switch (val)
    {
        case 0x06: return "TCP";
        case 0x11: return "UDP";
        default:   return "Unknown";
    }
}
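//--------------------------------------
// One capture record: a 16-byte little-endian record header followed by
// incl_len bytes of frame. The frame is decoded as Ethernet / IPv4 /
// TCP|UDP, but the record is always re-anchored on incl_len afterwards,
// so a frame whose inner headers lie about their lengths (truncated,
// corrupt or hostile captures) cannot desynchronise the following records.
//--------------------------------------
typedef struct {
    time_t ts_sec;   /* timestamp seconds */
    uint32 ts_usec;  /* timestamp microseconds */
    uint32 incl_len; /* number of octets of packet saved in file */
    uint32 orig_len; /* actual length of packet */
    if (incl_len > orig_len)
        Warning("Record: incl_len %u exceeds orig_len %u", incl_len, orig_len);
    // The frame itself is in network byte order; the record header above
    // (and the next one) is little-endian.
    local int64 frame_start = FTell();
    BigEndian();
    Layer_2 L2 <name="Layer 2">;
    Layer_3 L3(L2.L3type) <name="Layer 3">;
    if (L2.L3type == 0x0800) // L3.L4proto etc. only exist for IPv4
    {
        Layer_4 L4(L3.ip_hdr_len, L3.total_length, L3.L4proto)<name="Layer 4">;
        // Payload length as claimed by the IP / transport headers ...
        local int AppDataLen = 0;
        if (L3.L4proto == 0x6)
            AppDataLen = L3.total_length - L3.ip_hdr_len*4 - L4.tcp_hdr_len*4;
        else if (L3.L4proto == 0x11)
            AppDataLen = L4.udp_hdr_len - 8;
        // ... clamped to the bytes actually captured in this record, so an
        // overstated length cannot swallow the next record header.
        local int64 remaining = incl_len - (FTell() - frame_start);
        if (AppDataLen > remaining)
        {
            Warning("Record: headers claim %d payload bytes but only %Ld are captured", AppDataLen, remaining);
            AppDataLen = remaining;
        }
        if (AppDataLen > 0)
        {
            if (L3.L4proto == 0x6)
                BYTE AppData[AppDataLen]<name="TCP Application Data">;
            else
                BYTE AppData[AppDataLen]<name="UDP Application Data">;
        }
    }
    // Re-anchor on incl_len: take any bytes the inner parsers left
    // (Ethernet padding, non-IP payload) or rewind if they overran.
    local int64 consumed = FTell() - frame_start;
    if (consumed < incl_len)
        BYTE Trailer[incl_len - consumed]<name="Unparsed Frame Bytes">;
    else if (consumed > incl_len)
    {
        Warning("Record: inner headers consumed %Ld bytes of a %u byte frame", consumed, incl_len);
        FSeek(frame_start + incl_len);
    }
    LittleEndian();
} PCAPRECORD <read=ReadPCAPRECORD,comment=PCAPcomments>;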
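//--------------------------------------
// One-line summary for a record: "src:port -> dst:port PROTO ***", where
// "***" marks the presence of application data. Frames that are not
// IPv4, or not TCP/UDP, lack some of those fields, so they get a shorter
// summary instead of aborting the template.
//--------------------------------------
string PCAPcomments(PCAPRECORD &P)
{
    string strReturn;
    // Non-IPv4 frames carry none of the layer 3/4 fields used below.
    if (!exists(P.L3.SRC_IP))
    {
        SPrintf(strReturn, "EtherType 0x%04X", P.L2.L3type);
        return strReturn;
    }
    local uint16 L4_proto = P.L3.L4proto;
    // Check the variable the record actually created rather than redoing
    // (and possibly underflowing) the length arithmetic here.
    local string marker = exists(P.AppData) ? "***" : "";
    if (L4_proto == 0x6 || L4_proto == 0x11)
    {
        SPrintf(strReturn,"%s:%d -> %s:%d %s %s",IPv4addrName(P.L3.SRC_IP),P.L4.SrcPort,IPv4addrName(P.L3.DST_IP),P.L4.DstPort,L4protoName(L4_proto), marker);
    }
    else
    {
        // Other transports have no port fields in Layer_4.
        SPrintf(strReturn, "%s -> %s %s", IPv4addrName(P.L3.SRC_IP), IPv4addrName(P.L3.DST_IP), L4protoName(L4_proto));
    }
    return strReturn;
}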
//--------------------------------------
// Display value for a record: its timestamp as "<date time>.<microseconds>".
//--------------------------------------
string ReadPCAPRECORD(PCAPRECORD &record)
{
    string stamp;
    SPrintf(stamp, "%s.%06u", TimeTToString(record.ts_sec), record.ts_usec);
    return stamp;
}
//--------------------------------------
// Render a MACaddr as six colon-separated, zero-padded hex octets.
//--------------------------------------
string MACname(MACaddr &addr)
{
    string text;
    SPrintf(text, "%.02x:%.02x:%.02x:%.02x:%.02x:%.02x",
            addr.Byte[0], addr.Byte[1], addr.Byte[2],
            addr.Byte[3], addr.Byte[4], addr.Byte[5]);
    return text;
}
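// Define the headers
LittleEndian();
PCAPHEADER header;
// A record header is 16 bytes (4 x 4-byte fields). Stop before a
// truncated tail instead of erroring inside PCAPRECORD, and report any
// bytes that were left over.
while (FTell() + 16 <= FileSize())
{
    PCAPRECORD record<name="Frame">;
}
if (!FEof())
    Warning("%Ld trailing bytes after the last complete record", FileSize() - FTell());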