From b3bb187233baed3d79bed337b54818b9d8fdd7ec Mon Sep 17 00:00:00 2001
From: Přemysl Janouch
Date: Thu, 26 Jan 2017 20:45:53 +0100
Subject: Add a partial decoder for PCAP
---
plugins/pcap.lua | 178 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 178 insertions(+)
create mode 100644 plugins/pcap.lua
(limited to 'plugins')
diff --git a/plugins/pcap.lua b/plugins/pcap.lua
new file mode 100644
index 0000000..1b8d791
--- /dev/null
+++ b/plugins/pcap.lua
@@ -0,0 +1,178 @@
+--
+-- pcap.lua: libpcap file format
+--
+-- Copyright (c) 2017, Přemysl Janouch
+--
+-- Permission to use, copy, modify, and/or distribute this software for any
+-- purpose with or without fee is hereby granted, provided that the above
+-- copyright notice and this permission notice appear in all copies.
+--
+-- THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+-- WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+-- MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+-- SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+-- WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+-- OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+-- CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+--
+
+local detect = function (c)
+ local magic = c:read (4)
+ return magic == "\xa1\xb2\xc3\xd4" or magic == "\xd4\xc3\xb2\xa1"
+end
+
+-- Specified in http://www.tcpdump.org/linktypes.html
+local link_types = {
+ [0] = "NULL",
+ [1] = "ETHERNET",
+ [3] = "AX25",
+ [6] = "IEEE802_5",
+ [7] = "ARCNET_BSD",
+ [8] = "SLIP",
+ [9] = "PPP",
+ [10] = "FDDI",
+ [50] = "PPP_HDLC",
+ [51] = "PPP_ETHER",
+ [100] = "ATM_RFC1483",
+ [101] = "RAW",
+ [104] = "C_HDLC",
+ [105] = "IEEE802_11",
+ [107] = "FRELAY",
+ [108] = "LOOP",
+ [113] = "LINUX_SLL",
+ [114] = "LTALK",
+ [117] = "PFLOG",
+ [119] = "IEEE802_11_PRISM",
+ [122] = "IP_OVER_FC",
+ [123] = "SUNATM",
+ [127] = "IEEE802_11_RADIOTAP",
+ [129] = "ARCNET_LINUX",
+ [138] = "APPLE_IP_OVER_IEEE1394",
+ [139] = "MTP2_WITH_PHDR",
+ [140] = "MTP2",
+ [141] = "MTP3",
+ [142] = "SCCP",
+ [143] = "DOCSIS",
+ [144] = "LINUX_IRDA",
+ [147] = "USER0",
+ [148] = "USER1",
+ [149] = "USER2",
+ [150] = "USER3",
+ [151] = "USER4",
+ [152] = "USER5",
+ [153] = "USER6",
+ [154] = "USER7",
+ [155] = "USER8",
+ [156] = "USER9",
+ [157] = "USER10",
+ [158] = "USER11",
+ [159] = "USER12",
+ [160] = "USER13",
+
[161] = "USER14",
+ [162] = "USER15",
+ [163] = "IEEE802_11_AVS",
+ [165] = "BACNET_MS_TP",
+ [166] = "PPP_PPPD",
+ [169] = "GPRS_LLC",
+ [170] = "GPF_T",
+ [171] = "GPF_F",
+ [177] = "LINUX_LAPD",
+ [187] = "BLUETOOTH_HCI_H4",
+ [189] = "USB_LINUX",
+ [192] = "PPI",
+ [195] = "IEEE802_15_4",
+ [196] = "SITA",
+ [197] = "ERF",
+ [201] = "BLUETOOTH_HCI_H4_WITH_PHDR",
+ [202] = "AX25_KISS",
+ [203] = "LAPD",
+ [204] = "PPP_WITH_DIR",
+ [205] = "C_HDLC_WITH_DIR",
+ [206] = "FRELAY_WITH_DIR",
+ [209] = "IPMB_LINUX",
+ [215] = "IEEE802_15_4_NONASK_PHY",
+ [220] = "USB_LINUX_MMAPPED",
+ [224] = "FC_2",
+ [225] = "FC_2_WITH_FRAME_DELIMS",
+ [226] = "IPNET",
+ [227] = "CAN_SOCKETCAN",
+ [228] = "IPV4",
+ [229] = "IPV6",
+ [230] = "IEEE802_15_4_NOFCS",
+ [231] = "DBUS",
+ [235] = "DVB_CI",
+ [236] = "MUX27010",
+ [237] = "STANAG_5066_D_PDU",
+ [239] = "NFLOG",
+ [240] = "NETANALYZER",
+ [241] = "NETANALYZER_TRANSPARENT",
+ [242] = "IPOIB",
+ [243] = "MPEG_2_TS",
+ [244] = "NG40",
+ [245] = "NFC_LLCP",
+ [247] = "INFINIBAND",
+ [248] = "SCTP",
+ [249] = "USBPCAP",
+ [250] = "RTAC_SERIAL",
+ [251] = "BLUETOOTH_LE_LL",
+ [253] = "NETLINK",
+ [254] = "BLUETOOTH_LINUX_MONITOR",
+ [255] = "BLUETOOTH_BREDR_BB",
+ [256] = "BLUETOOTH_LE_LL_WITH_PHDR",
+ [257] = "PROFIBUS_DL",
+ [258] = "PKTAP",
+ [259] = "EPON",
+ [260] = "IPMI_HPM_2",
+ [261] = "ZWAVE_R1_R2",
+ [262] = "ZWAVE_R3",
+ [263] = "WATTSTOPPER_DLM",
+ [264] = "ISO_14443",
+ [265] = "RDS",
+ [266] = "USB_DARWIN"
+}
+
+-- As described by https://wiki.wireshark.org/Development/LibpcapFileFormat
+local decode = function (c)
+ if not detect (c ()) then error ("not a PCAP file") end
+
+ c.endianity = "le"
+ c:u32 ("PCAP magic: %s", function (u32)
+ if u32 == 0xa1b2c3d4 then return "little-endian" end
+
+ c.endianity = "be"
+ return "big-endian"
+ end)
+
+ local p, vmajor, vminor = c.position, c:u16 (), c:u16 ()
+ c (p, c.position - 1):mark ("PCAP version: %d.%d", vmajor, vminor)
+
+ local zone = c:i32 ("UTC to local TZ 
correction: %d seconds")
+ local sigfigs = c:u32 ("timestamp accuracy")
+ local snaplen = c:u32 ("max. length of captured packets")
+
+ local network = c:u32 ("data link type: %s", function (u32)
+ name = link_types[u32]
+ if name then return name end
+ return "unknown: %d", u32
+ end)
+
+ local i = 0
+ while not c.eof do
+ c (c.position, c.position + 23):mark ("PCAP record %d header", i)
+ i = i + 1
+
+ local p, ts_sec, ts_usec = p, c:u32 (), c:u32 ()
+ c (p, c.position - 1):mark ("timestamp: %s.%06d",
+ os.date ("!%F %T", ts_sec + zonen), ts_usec)
+ local incl_len = c:u32 ("included record length")
+ local orig_len = c:u32 ("original record length")
+
+ local p = c.position
+ c.position = c.position + incl_len
+ -- TODO: also decode record contents as per the huge table
+ c (p, c.position - 1):mark ("PCAP record %d data", i)
+ end
+end
+
+hex.register { type="pcap", detect=detect, decode=decode }
+
-- cgit v1.2.3-70-g09d2
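Review bot: The record loop near the end of the hunk advances `c.position` by `incl_len` exactly as read from the file, so a crafted capture can claim up to 4 GiB for a single record and push the cursor past the end of the input; `incl_len` should be rejected when it exceeds `snaplen` (read just above it) and the bytes actually remaining, the latter needing whatever length accessor the `c` cursor exposes, which this hunk does not show. As written the loop body also fails on its first iteration: `ts_sec + zonen` names an undefined variable (the field was read into `zone`), and `local p, ts_sec, ts_usec = p, c:u32 (), c:u32 ()` reuses the `p` captured at the version field, so the timestamp mark starts at file offset 4 instead of at the record. Smaller points in the same stretch: `name = link_types[u32]` creates a global (`local name`), the header mark covers 24 bytes (`c.position + 23`) while the four `u32` reads that follow consume 16, and `i` is bumped between the header and data marks so the two carry different record numbers. Whether `c:u32 ()` raises or returns nil on a truncated trailing header is not visible here; if it returns nil, the guard below should cover that case as well.
```lua
  -- … unchanged: file header fields through `network` …
  local i = 0
  while not c.eof do
    -- 16-byte record header: ts_sec, ts_usec, incl_len, orig_len
    c (c.position, c.position + 15):mark ("PCAP record %d header", i)

    local p = c.position
    local ts_sec, ts_usec = c:u32 (), c:u32 ()
    c (p, c.position - 1):mark ("timestamp: %s.%06d",
      os.date ("!%F %T", ts_sec + zone), ts_usec)
    local incl_len = c:u32 ("included record length")
    local orig_len = c:u32 ("original record length")

    -- incl_len is an untrusted 32-bit value that drives the seek below;
    -- never trust it beyond what the file header promised
    if incl_len > snaplen then
      error (string.format ("PCAP record %d: included length %d exceeds snaplen %d",
        i, incl_len, snaplen))
    end

    p = c.position
    c.position = c.position + incl_len
    -- TODO: also decode record contents as per the huge table
    c (p, c.position - 1):mark ("PCAP record %d data", i)
    i = i + 1
  end
  -- … unchanged: end of decode, hex.register …
```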