// PCAP global file header (24 bytes). Read in whatever byte order is active;
// the top-level script selects LittleEndian() before declaring it.
typedef struct {
    // Only the little-endian, microsecond-resolution magic is accepted. A
    // big-endian capture (magic read here as 0xD4C3B2A1) or a nanosecond-
    // resolution capture fails this check even though both are valid pcap files.
    uint32 magic_number <format=hex>;
    if (magic_number != 0xA1B2C3D4) {
        Warning("Not a valid PCAP file");
        return 1;
    }
    uint16 version_major;
    uint16 version_minor;
    int32 thiszone;     // libpcap: GMT-to-local time correction, seconds
    uint32 sigfigs;     // libpcap: timestamp accuracy (normally 0)
    // Maximum bytes stored per frame. Nothing in this template checks a
    // record's incl_len against it, so an inconsistent file is not reported.
    uint32 snaplen;
    // Link-layer type. The rest of this template assumes Ethernet (Layer_2
    // reads MAC addresses) regardless of this value.
    uint32 network;
} PCAPHEADER;
// Six raw MAC-address bytes; displayed through MACname as colon-separated hex.
typedef struct
{
    uchar Byte[6];
} MACaddr <read=MACname>;
// Ethernet II frame header; <size=14> pins the struct to the fixed header
// length. 802.1Q VLAN tags are not handled: on a tagged frame L3type holds
// the TPID (0x8100) and the real EtherType sits 4 bytes further on, so the
// layers above are parsed from the wrong offset.
typedef struct
{
    MACaddr DstMac <name="Destination MAC">;
    MACaddr SrcMac <name="Source MAC">;
    // EtherType, passed to Layer_3 as proto_type; only 0x800 (IPv4) is understood.
    uint16 L3type <name="Layer 3 Protocol">;
} Layer_2 <size=14>;
// Four raw IPv4-address bytes; displayed through IPv4addrName as a dotted quad.
typedef struct
{
    uchar Byte[4];
} IPv4addr <read=IPv4addrName>;
// Display helper for IPv4addr: the four bytes as a dotted quad
// (e.g. "192.0.2.1", constructed example).
string IPv4addrName(IPv4addr &IP)
{
    // Str() formats and returns in one step; no scratch buffer needed.
    return Str("%d.%d.%d.%d", IP.Byte[0], IP.Byte[1], IP.Byte[2], IP.Byte[3]);
}
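// Layer 3 header. proto_type is the EtherType from Layer_2; only IPv4 (0x800)
// is decoded, every other value falls into the blind "Unknown" branch.
typedef struct (uint16 proto_type)
{
    // First IP header byte: version (high nibble) and header length in
    // 32-bit words (low nibble). Only meaningful when proto_type is IPv4.
    uchar version : 4;
    uchar ip_hdr_len : 4;
    local int hdr_length = ip_hdr_len * 4;   // IPv4 header length in bytes (20 without options)
    BYTE DiffServField;
    uint16 total_length;                     // IPv4: header + payload, in bytes
    if (proto_type == 0x800)
    {
        uint16 Identification;
        uint16 Flags;    // IPv4 flags and fragment offset share this 16-bit word
        BYTE TTL;
        BYTE L4proto <name="Layer 4 Protocol", read=L4protoName>;
        uint16 HdrChecksum;
        IPv4addr SRC_IP <name="Source IP">;
        IPv4addr DST_IP <name="Dest IP">;
        // 20 fixed bytes have been consumed. When ip_hdr_len > 5 the header
        // carries options; they must be consumed here, otherwise Layer_4 (and
        // the total_length-based payload sizes derived from it) start at the
        // wrong offset.
        if (hdr_length > 20)
        {
            BYTE Options[hdr_length - 20] <name="IPv4 Options">;
        }
    }
    else
    {
        // Not IPv4: the fields above were read blind, so hdr_length is only a
        // guess taken from whatever the first nibble happened to be. Guard it
        // so a small nibble cannot turn into a negative array size.
        if (hdr_length > 4)
        {
            BYTE Unknown[hdr_length - 4];
        }
    }
} Layer_3;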
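// Layer 4 header. VER_HDR is the IPv4 header length in 32-bit words,
// total_length the IPv4 total length, L4proto the IPv4 protocol number.
// UDP (0x11) and TCP (0x6) are decoded; anything else is one opaque blob.
typedef struct (ushort VER_HDR, uint16 total_length, uint L4proto)
{
    local uint16 ip_hdr_length = VER_HDR * 4;   // IPv4 header length in bytes

    if (L4proto == 0x11)
    {
        uint16 SrcPort <name="Source Port">;
        uint16 DstPort <name="Destination Port">;
        // Despite the name this is the UDP length field: header (8) + payload.
        uint16 udp_hdr_len <name="Datagram Length">;
        uint16 ChkSum <name="Checksum">;
    }
    else if (L4proto == 0x6)
    {
        uint16 SrcPort <name="Source Port">;
        uint16 DstPort <name="Destination Port">;
        uint32 SEQ;
        uint32 ACK;
        uchar tcp_hdr_len : 4;   // TCP data offset, in 32-bit words
        uchar Reserved : 4;
        // 13 header bytes consumed so far; the rest of the TCP header (flags,
        // window, checksum, urgent pointer, options) is tcp_hdr_len*4 - 13.
        // A data offset below 4 is not a real TCP header and would make that
        // size negative, so it is guarded rather than declared blindly.
        local int tcp_rest = tcp_hdr_len * 4 - 13;
        if (tcp_rest > 0)
        {
            BYTE Crap[tcp_rest];
        }
    }
    else
    {
        // Unknown transport: treat everything after the IP header as payload.
        // Signed arithmetic so an IP header longer than total_length yields a
        // negative size that is skipped instead of a wrapped uint16 one.
        local int payload_len = (int)total_length - (int)ip_hdr_length;
        if (payload_len > 0)
        {
            BYTE packet[payload_len] <name="Unknown Layer 4 Data">;
        }
    }

} Layer_4;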
// Display helper for Layer_3.L4proto: IP protocol number to short name.
string L4protoName(BYTE val)
{
    switch (val)
    {
        case 0x6:
            return "TCP";
        case 0x11:
            return "UDP";
        default:
            return "Unknown";
    }
}
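// One captured frame: the 16-byte record header followed by incl_len bytes
// of link-layer data (Ethernet is assumed, see Layer_2).
typedef struct {
    // Record header, read in the file's byte order (LittleEndian() at top level).
    time_t ts_sec;      // capture time, seconds since the epoch
    uint32 ts_usec;     // capture time, microseconds
    uint32 incl_len;    // bytes of this frame stored in the file (may be truncated)
    uint32 orig_len;    // bytes of this frame on the wire

    // incl_len is the only record size that can be trusted. Length fields
    // inside the packet (IP total_length, TCP data offset, UDP length) are
    // part of the captured data and may be inconsistent or hostile, so they
    // only size the labelled pieces; the record boundary always comes from here.
    local int64 frame_start = FTell();
    local int64 frame_end = frame_start + incl_len;
    if (frame_end > FileSize())
    {
        Warning("PCAP record incl_len runs past the end of the file");
    }

    BigEndian();    // everything inside the frame is network byte order
    Layer_2 L2 <name="Layer 2">;
    Layer_3 L3(L2.L3type) <name="Layer 3">;

    // Layer_3 declares L4proto/SRC_IP/DST_IP only for IPv4, so Layer_4 and
    // the payload split are only attempted for IPv4 frames. Anything else
    // (ARP, IPv6, VLAN-tagged, ...) is left to the trailer below instead of
    // aborting the whole template on a missing member.
    if (L2.L3type == 0x800)
    {
        Layer_4 L4(L3.ip_hdr_len, L3.total_length, L3.L4proto) <name="Layer 4">;

        // Signed arithmetic: inconsistent header lengths give a negative value
        // that is rejected below rather than wrapping to ~64 KiB as uint16 did.
        local int AppDataLen = 0;
        if (L3.L4proto == 0x6)
        {
            AppDataLen = (int)L3.total_length - (int)L3.ip_hdr_len * 4 - (int)L4.tcp_hdr_len * 4;
        }
        else if (L3.L4proto == 0x11)
        {
            AppDataLen = (int)L4.udp_hdr_len - 8;
        }
        // Never read past the bytes actually captured for this record.
        if (AppDataLen > frame_end - FTell())
        {
            AppDataLen = frame_end - FTell();
        }
        if (AppDataLen > 0)
        {
            if (L3.L4proto == 0x6)
            {
                BYTE AppData[AppDataLen] <name="TCP Application Data">;
            }
            else
            {
                BYTE AppData[AppDataLen] <name="UDP Application Data">;
            }
        }
    }

    // Whatever is left of the captured frame (padding, FCS, unparsed
    // protocols), then realign on the record boundary so one malformed frame
    // cannot desynchronise every record after it.
    if (FTell() < frame_end)
    {
        BYTE Trailer[frame_end - FTell()] <name="Remaining Frame Data">;
    }
    else if (FTell() > frame_end)
    {
        Warning("Parsed headers extend past incl_len; realigning to the next record");
    }
    FSeek(frame_end);
    LittleEndian();
} PCAPRECORD <read=ReadPCAPRECORD, comment=PCAPcomments>;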
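// Comment helper for PCAPRECORD: "src:port -> dst:port PROTO" plus "***"
// when the frame carries application data.
// Layer_3 declares L4proto/SRC_IP/DST_IP only for IPv4 and Layer_4 declares
// ports only for TCP/UDP, so each optional member is checked with exists()
// before use; reading a missing member would otherwise error on every
// non-IP or non-TCP/UDP frame.
string PCAPcomments(PCAPRECORD &P)
{
    string strReturn;
    if (!exists(P.L3.L4proto))
    {
        SPrintf(strReturn, "Non-IPv4 frame (EtherType 0x%04X)", P.L2.L3type);
        return strReturn;
    }
    local uint16 L4_proto = P.L3.L4proto;
    if (!exists(P.L4.SrcPort))
    {
        // Transport other than TCP/UDP: addresses and protocol name only.
        SPrintf(strReturn, "%s -> %s %s", IPv4addrName(P.L3.SRC_IP), IPv4addrName(P.L3.DST_IP), L4protoName(L4_proto));
        return strReturn;
    }
    // Signed so inconsistent header lengths read as "no data" instead of
    // wrapping to a large positive uint16.
    local int AppDataLen = 0;
    if (L4_proto == 0x6)
    {
        AppDataLen = (int)P.L3.total_length - (int)P.L3.ip_hdr_len * 4 - (int)P.L4.tcp_hdr_len * 4;
    }
    else if (L4_proto == 0x11)
    {
        AppDataLen = (int)P.L4.udp_hdr_len - 8;
    }
    SPrintf(strReturn, "%s:%d -> %s:%d %s %s", IPv4addrName(P.L3.SRC_IP), P.L4.SrcPort, IPv4addrName(P.L3.DST_IP), P.L4.DstPort, L4protoName(L4_proto), AppDataLen > 0 ? "***" : "");
    return strReturn;
}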
// Display helper for PCAPRECORD: the capture timestamp as
// "<TimeTToString(ts_sec)>.<ts_usec, 6 digits>".
string ReadPCAPRECORD(PCAPRECORD &record)
{
    string stamp = TimeTToString(record.ts_sec);
    return Str("%s.%06u", stamp, record.ts_usec);
}
// Display helper for MACaddr: six bytes as colon-separated two-digit hex.
string MACname(MACaddr &addr)
{
    return Str("%.02x:%.02x:%.02x:%.02x:%.02x:%.02x",
               addr.Byte[0], addr.Byte[1], addr.Byte[2],
               addr.Byte[3], addr.Byte[4], addr.Byte[5]);
}
// Entry point: pcap file = one global header followed by records until EOF.
// The file header is little-endian; PCAPRECORD switches to BigEndian() for the
// frame contents and back again before the next record header.
LittleEndian();
PCAPHEADER header;

// One PCAPRECORD per captured frame until the file is exhausted.
while (FEof() == false)
{
    PCAPRECORD record <name="Frame">;
}