jmatj / har2pcap

har2pcap converts .har (HTTP Archive Viewer) files into the pcapng file format - which can be analyzed with Wireshark.
GNU General Public License v3.0

Understand PCAPNG Format #1

Closed raphiz closed 8 years ago

raphiz commented 8 years ago

I tried to decode some of the generated pcapng content.

Here are my results:

# BEGIN Section header Block

# Block Type:
0A 0D 0D 0A

# Block total length in Bytes (0x0000001c) = 28
1C 00 00 00

# Byte-Order Magic: magic number, whose value is the hexadecimal number 0x1A2B3C4D.
# This number can be used to distinguish sections that have been saved on little-endian machines from the ones saved on big-endian machines.
4D 3C 2B 1A

# Major Version: number of the current major version of the format. Current value is 1.
01 00 

# Minor Version. Current value is 0
00 00

# Section Length (a signed 64-bit value)
# Section Length equal to -1 (0xFFFFFFFFFFFFFFFF) means that the size of the section is not specified
FF FF FF FF FF FF FF FF

# No options are set...

# Block Total Length
1C 00 00 00

# END Section header Block

   +---------------------------------------------------------------+
 0 |                   Block Type = 0x0A0D0D0A                     |
   +---------------------------------------------------------------+
 4 |                      Block Total Length                       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 8 |                      Byte-Order Magic                         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
12 |          Major Version        |         Minor Version         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
16 |                                                               |
   |                          Section Length                       |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
24 /                                                               /
   /                      Options (variable)                       /
   /                                                               /
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                      Block Total Length                       |
   +---------------------------------------------------------------+

(via http://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi?url=https://raw.githubusercontent.com/pcapng/pcapng/master/draft-tuexen-opsawg-pcapng.xml&modeAsFormat=html/ascii&type=ascii#rfc.section.3)
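
An added example, not code from the issue or from har2pcap: a small Python decoder for the Section Header Block walked through above. It selects endianness from the Byte-Order Magic (the sample bytes are the little-endian dump from the comment, constructed inline) and verifies that the trailing Block Total Length matches the leading one, which is how a reader detects a truncated or mis-sized block before trusting its contents.

```python
import struct

# Constructed sample: the Section Header Block bytes from the comment above,
# little-endian (magic 4D 3C 2B 1A), 28 bytes total, no options.
SHB_SAMPLE = bytes.fromhex(
    "0A0D0D0A" "1C000000" "4D3C2B1A" "0100" "0000"
    "FFFFFFFFFFFFFFFF" "1C000000"
)

SHB_TYPE = 0x0A0D0D0A
BYTE_ORDER_MAGIC = 0x1A2B3C4D


def parse_shb(data: bytes) -> dict:
    """Decode one Section Header Block and validate its framing."""
    if len(data) < 28:
        raise ValueError("SHB needs at least 28 bytes")
    # The block type bytes are a palindrome, so they read the same in both byte orders.
    block_type = struct.unpack("<I", data[0:4])[0]
    if block_type != SHB_TYPE:
        raise ValueError(f"not an SHB: type 0x{block_type:08X}")
    # The magic decides the endianness of every other field in the section.
    if struct.unpack("<I", data[8:12])[0] == BYTE_ORDER_MAGIC:
        endian = "<"
    elif struct.unpack(">I", data[8:12])[0] == BYTE_ORDER_MAGIC:
        endian = ">"
    else:
        raise ValueError("bad byte-order magic")
    total_len = struct.unpack(endian + "I", data[4:8])[0]
    # Block lengths are 32-bit aligned and must at least cover the fixed header.
    if total_len % 4 or total_len < 28 or total_len > len(data):
        raise ValueError(f"implausible block total length {total_len}")
    major, minor = struct.unpack(endian + "HH", data[12:16])
    section_len = struct.unpack(endian + "q", data[16:24])[0]
    # The trailing length must equal the leading one; a mismatch means truncation or corruption.
    trailer = struct.unpack(endian + "I", data[total_len - 4:total_len])[0]
    if trailer != total_len:
        raise ValueError(f"trailer length {trailer} != header length {total_len}")
    options = data[24:total_len - 4]  # raw option TLVs, empty in this sample
    return {
        "endian": "little" if endian == "<" else "big",
        "total_length": total_len,
        "version": (major, minor),
        "section_length": section_len,  # -1 means unspecified
        "options": options,
    }


if __name__ == "__main__":
    print(parse_shb(SHB_SAMPLE))
```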

jmatj commented 8 years ago

Thanks a lot! Input was introduced in 3d0277a119511a2be21f47c56a087120bda8d12f