From d67293403321bb1e07a19378288aa7c854d9b41c Mon Sep 17 00:00:00 2001 From: Ilja van Sprundel Date: Wed, 2 Jun 2021 16:08:25 +0200 Subject: [PATCH] Add pcap support to hex patterns (#16) * Add initial pcap support Assumes little endian and fixed to 1000 packets, but it's a start. * update readme for pcap entry added initial pcap support --- README.md | 1 + patterns/pcap.hexpat | 140 +++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 141 insertions(+) create mode 100644 patterns/pcap.hexpat diff --git a/README.md b/README.md index ead8702..77ccfb6 100644 --- a/README.md +++ b/README.md @@ -14,6 +14,7 @@ Hex patterns, include patterns and magic files for the use with the ImHex Hex Ed | MIDI | `audio/midi` | `patterns/midi.hexpat` | MIDI header, event fields provided | | WAV | `audio/wav` | `patterns/wav.hexpat` | RIFF header, WAVE header, PCM header | | ZIP | `application/zip` | `patterns/zip.hexpat` | End of Central Directory Header, Central Directory File Headers | +| PCAP | `application/vnd.tcpdump.pcap` | `patterns/pcap.hexpat` | pcap header and packets | ### Include Patterns diff --git a/patterns/pcap.hexpat b/patterns/pcap.hexpat new file mode 100644 index 0000000..73eb02c --- /dev/null +++ b/patterns/pcap.hexpat 
@@ -0,0 +1,140 @@
+#pragma MIME application/vnd.tcpdump.pcap
+#pragma endian little
+
+enum network_type : u32 {
+ LINKTYPE_NULL = 0,
+ LINKTYPE_ETHERNET = 1,
+ LINKTYPE_AX25 = 3,
+ LINKTYPE_IEEE802_5 = 6,
+ LINKTYPE_ARCNET_BSD = 7,
+ LINKTYPE_SLIP = 8,
+ LINKTYPE_PPP = 9,
+ LINKTYPE_FDDI = 10,
+ LINKTYPE_PPP_HDLC = 50,
+ LINKTYPE_PPP_ETHER = 51,
+ LINKTYPE_ATM_RFC1483 = 100,
+ LINKTYPE_RAW = 101,
+ LINKTYPE_C_HDLC = 104,
+ LINKTYPE_IEEE802_11 = 105,
+ LINKTYPE_FRELAY = 107,
+ LINKTYPE_LOOP = 108,
+ LINKTYPE_LINUX_SLL = 113,
+ LINKTYPE_LTALK = 114,
+ LINKTYPE_PFLOG = 117,
+ LINKTYPE_IEEE802_11_PRISM = 119,
+ LINKTYPE_IP_OVER_FC = 122,
+ LINKTYPE_SUNATM = 123,
+ LINKTYPE_IEEE802_11_RADIOTAP = 127,
+ LINKTYPE_ARCNET_LINUX = 129,
+ LINKTYPE_APPLE_IP_OVER_IEEE1394 = 138,
+ LINKTYPE_MTP2_WITH_PHDR = 139,
+ LINKTYPE_MTP2 = 140,
+ LINKTYPE_MTP3 = 141,
+ LINKTYPE_SCCP = 142,
+ LINKTYPE_DOCSIS = 143,
+ LINKTYPE_LINUX_IRDA = 144,
+ LINKTYPE_IEEE802_11_AVS = 163,
+ LINKTYPE_BACNET_MS_TP = 165,
+ LINKTYPE_PPP_PPPD = 166,
+ LINKTYPE_GPRS_LLC = 169,
+ LINKTYPE_GPF_T = 170,
+ LINKTYPE_GPF_F = 171,
+ LINKTYPE_LINUX_LAPD = 177,
+ LINKTYPE_MFR = 182,
+ LINKTYPE_BLUETOOTH_HCI_H4 = 187,
+ LINKTYPE_USB_LINUX = 189,
+ LINKTYPE_PPI = 192,
+ LINKTYPE_IEEE802_15_4_WITHFCS = 195,
+ LINKTYPE_SITA = 196,
+ LINKTYPE_ERF = 197,
+ LINKTYPE_BLUETOOTH_HCI_H4_WITH_PHDR = 201,
+ LINKTYPE_AX25_KISS = 202,
+ LINKTYPE_LAPD = 203,
+ LINKTYPE_PPP_WITH_DIR = 204,
+ LINKTYPE_C_HDLC_WITH_DIR = 205,
+ LINKTYPE_FRELAY_WITH_DIR = 206,
+ LINKTYPE_LAPB_WITH_DIR = 207,
+ LINKTYPE_IPMB_LINUX = 209,
+ LINKTYPE_FLEXRAY = 210,
+ LINKTYPE_IEEE802_15_4_NONASK_PHY = 215,
+ LINKTYPE_USB_LINUX_MMAPPED = 220,
+ LINKTYPE_FC_2 = 224,
+ LINKTYPE_FC_2_WITH_FRAME_DELIMS = 225,
+ LINKTYPE_IPNET = 226,
+ LINKTYPE_CAN_SOCKETCAN = 227,
+ LINKTYPE_IPV4 = 228,
+ LINKTYPE_IPV6 = 229,
+ LINKTYPE_IEEE802_15_4_NOFCS = 230,
+ LINKTYPE_DBUS = 231,
+ LINKTYPE_DVB_CI = 235,
+ LINKTYPE_MUX27010 = 236,
+ LINKTYPE_STANAG_5066_D_PDU = 237,
+ LINKTYPE_NFLOG = 239,
+ LINKTYPE_NETANALYZER = 240,
+ LINKTYPE_NETANALYZER_TRANSPARENT = 241,
+ LINKTYPE_IPOIB = 242,
+ LINKTYPE_MPEG_2_TS = 243,
+ LINKTYPE_NG40 = 244,
+ LINKTYPE_NFC_LLCP = 245,
+ LINKTYPE_INFINIBAND = 247,
+ LINKTYPE_SCTP = 248,
+ LINKTYPE_USBPCAP = 249,
+ LINKTYPE_RTAC_SERIAL = 250,
+ LINKTYPE_BLUETOOTH_LE_LL = 251,
+ LINKTYPE_NETLINK = 253,
+ LINKTYPE_BLUETOOTH_LINUX_MONITOR = 254,
+ LINKTYPE_BLUETOOTH_BREDR_BB = 255,
+ LINKTYPE_BLUETOOTH_LE_LL_WITH_PHDR = 256,
+ LINKTYPE_PROFIBUS_DL = 257,
+ LINKTYPE_PKTAP = 258,
+ LINKTYPE_EPON = 259,
+ LINKTYPE_IPMI_HPM_2 = 260,
+ LINKTYPE_ZWAVE_R1_R2 = 261,
+ LINKTYPE_ZWAVE_R3 = 262,
+ LINKTYPE_WATTSTOPPER_DLM = 263,
+ LINKTYPE_ISO_14443 = 264,
+ LINKTYPE_RDS = 265,
+ LINKTYPE_USB_DARWIN = 266,
+ LINKTYPE_SDLC = 268,
+ LINKTYPE_LORATAP = 270,
+ LINKTYPE_VSOCK = 271,
+ LINKTYPE_NORDIC_BLE = 272,
+ LINKTYPE_DOCSIS31_XRA31 = 273,
+ LINKTYPE_ETHERNET_MPACKET = 274,
+ LINKTYPE_DISPLAYPORT_AUX = 275,
+ LINKTYPE_LINUX_SLL2 = 276,
+ LINKTYPE_OPENVIZSLA = 278,
+ LINKTYPE_EBHSCR = 279,
+ LINKTYPE_VPP_DISPATCH = 280,
+ LINKTYPE_DSA_TAG_BRCM = 281,
+ LINKTYPE_DSA_TAG_BRCM_PREPEND = 282,
+ LINKTYPE_IEEE802_15_4_TAP = 283,
+ LINKTYPE_DSA_TAG_DSA = 284,
+ LINKTYPE_DSA_TAG_EDSA = 285,
+ LINKTYPE_ELEE = 286,
+ LINKTYPE_Z_WAVE_SERIAL = 287,
+ LINKTYPE_USB_2_0 = 288,
+ LINKTYPE_ATSC_ALP = 289,
+ LINKTYPE_ETW = 290
+};
+
+struct pcaprec_hdr_t {
+ u32 ts_sec; /* timestamp seconds */
+ u32 ts_usec; /* timestamp microseconds */
+ u32 incl_len; /* number of octets of packet saved in file */
+ u32 orig_len; /* actual length of packet */
+ u8 data[incl_len];
+};
+
+struct pcap_hdr_t {
+ u32 magic_number; /* magic number */
+ u16 version_major; /* major version number */
+ u16 version_minor; /* minor version number */
+ s32 thiszone; /* GMT to local correction */
+ u32 sigfigs; /* accuracy of timestamps */
+ u32 snaplen; /* max length of captured packets, in octets */
+ network_type network; /* data link type */
+ pcaprec_hdr_t packet[1000];
+};
+
+pcap_hdr_t pcap @ 0x00;
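Review bot: `u8 data[incl_len]` in `pcaprec_hdr_t` sizes an array straight from an untrusted 32-bit length read out of the file, with no check against `snaplen` or the bytes remaining, so a truncated or crafted record — or any big-endian capture, which `#pragma endian little` byte-swaps into a multi-gigabyte `incl_len` — presumably aborts evaluation of the whole pattern rather than flagging the one bad record. Relatedly, `magic_number` is read but never compared against `0xA1B2C3D4` (microsecond) or `0xA1B23C4D` (nanosecond), yet `ts_usec` is documented as microseconds; a timeline built from a nanosecond-magic capture decoded this way would be off by a factor of 1000, which matters when the pattern is used for forensic triage. I would at least make the assumptions visible on the fields, e.g. `u32 magic_number; /* 0xA1B2C3D4 = usec, 0xA1B23C4D = nsec; byte-swapped values mean a big-endian file, not handled */` and `u32 ts_usec; /* microseconds, or nanoseconds when magic is 0xA1B23C4D */`, and, if the pattern-language build in use supports assertions, check `incl_len <= snaplen` before declaring `data`. The fixed `pcaprec_hdr_t packet[1000]` also fails on any capture with fewer than 1000 records and silently hides everything past the 1000th; an end-of-file-bounded array (e.g. `pcaprec_hdr_t packet[while(!std::mem::eof())];`, where that syntax is available) would cover both cases.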