mirror of https://github.com/wader/fq.git synced 2024-09-19 15:57:29 +03:00

pcap: Add pcap, pcapng, ether8023, ipv4, udp, udp

Mattias Wadman 2021-11-22 22:08:36 +01:00
parent 9d116df799
commit 7b7faaf02b
36 changed files with 9213 additions and 757 deletions


@ -63,7 +63,7 @@ cp fq /usr/local/bin
[./formats_list.jq]: sh-start
aac_frame, adts, adts_frame, apev2, av1_ccr, av1_frame, av1_obu, avc_annexb, avc_au, avc_dcr, avc_nalu, avc_pps, avc_sei, avc_sps, bzip2, dns, elf, exif, flac, flac_frame, flac_metadatablock, flac_metadatablocks, flac_picture, flac_streaminfo, gif, gzip, hevc_annexb, hevc_au, hevc_dcr, hevc_nalu, icc_profile, id3v1, id3v11, id3v2, jpeg, json, matroska, mp3, mp3_frame, mp4, mpeg_asc, mpeg_es, mpeg_pes, mpeg_pes_packet, mpeg_spu, mpeg_ts, ogg, ogg_page, opus_packet, png, protobuf, protobuf_widevine, pssh_playready, raw, tar, tiff, vorbis_comment, vorbis_packet, vp8_frame, vp9_cfm, vp9_frame, vpx_ccr, wav, webp, xing, zip
aac_frame, adts, adts_frame, apev2, av1_ccr, av1_frame, av1_obu, avc_annexb, avc_au, avc_dcr, avc_nalu, avc_pps, avc_sei, avc_sps, bzip2, dns, elf, ether8023, exif, flac, flac_frame, flac_metadatablock, flac_metadatablocks, flac_picture, flac_streaminfo, gif, gzip, hevc_annexb, hevc_au, hevc_dcr, hevc_nalu, icc_profile, id3v1, id3v11, id3v2, ipv4, jpeg, json, matroska, mp3, mp3_frame, mp4, mpeg_asc, mpeg_es, mpeg_pes, mpeg_pes_packet, mpeg_spu, mpeg_ts, ogg, ogg_page, opus_packet, pcap, pcapng, png, protobuf, protobuf_widevine, pssh_playready, raw, tar, tcp, tiff, udp, vorbis_comment, vorbis_packet, vp8_frame, vp9_cfm, vp9_frame, vpx_ccr, wav, webp, xing, zip
[#]: sh-end


@ -21,6 +21,7 @@
|`bzip2` |bzip2&nbsp;compression |<sub>`probe`</sub>|
|`dns` |DNS&nbsp;packet |<sub></sub>|
|`elf` |Executable&nbsp;and&nbsp;Linkable&nbsp;Format |<sub></sub>|
|`ether8023` |Ethernet&nbsp;802.3 |<sub>`ipv4`</sub>|
|`exif` |Exchangeable&nbsp;Image&nbsp;File&nbsp;Format |<sub></sub>|
|`flac` |Free&nbsp;Lossless&nbsp;Audio&nbsp;Codec&nbsp;file |<sub>`flac_metadatablocks` `flac_frame`</sub>|
|`flac_frame` |FLAC&nbsp;frame |<sub></sub>|
@ -38,6 +39,7 @@
|`id3v1` |ID3v1&nbsp;metadata |<sub></sub>|
|`id3v11` |ID3v1.1&nbsp;metadata |<sub></sub>|
|`id3v2` |ID3v2&nbsp;metadata |<sub>`image`</sub>|
|`ipv4` |Internet&nbsp;protocol&nbsp;v4 |<sub>`udp` `tcp`</sub>|
|`jpeg` |Joint&nbsp;Photographic&nbsp;Experts&nbsp;Group&nbsp;file |<sub>`exif` `icc_profile`</sub>|
|`json` |JSON |<sub></sub>|
|`matroska` |Matroska&nbsp;file |<sub>`aac_frame` `av1_ccr` `av1_frame` `avc_au` `avc_dcr` `flac_frame` `flac_metadatablocks` `hevc_au` `hevc_dcr` `image` `mp3_frame` `mpeg_asc` `mpeg_pes_packet` `mpeg_spu` `opus_packet` `vorbis_packet` `vp8_frame` `vp9_cfm` `vp9_frame`</sub>|
@ -53,13 +55,17 @@
|`ogg` |OGG&nbsp;file |<sub>`ogg_page` `vorbis_packet` `opus_packet` `flac_metadatablock` `flac_frame`</sub>|
|`ogg_page` |OGG&nbsp;page |<sub></sub>|
|`opus_packet` |Opus&nbsp;packet |<sub>`vorbis_comment`</sub>|
|`pcap` |PCAP&nbsp;packet&nbsp;capture |<sub>`ether8023`</sub>|
|`pcapng` |PCAPNG&nbsp;packet&nbsp;capture |<sub>`ether8023`</sub>|
|`png` |Portable&nbsp;Network&nbsp;Graphics&nbsp;file |<sub>`icc_profile` `exif`</sub>|
|`protobuf` |Protobuf |<sub></sub>|
|`protobuf_widevine` |Widevine&nbsp;protobuf |<sub>`protobuf`</sub>|
|`pssh_playready` |PlayReady&nbsp;PSSH |<sub></sub>|
|`raw` |Raw&nbsp;bits |<sub></sub>|
|`tar` |Tar&nbsp;archive |<sub>`probe`</sub>|
|`tcp` |Transmission&nbsp;Control&nbsp;Protocol |<sub></sub>|
|`tiff` |Tag&nbsp;Image&nbsp;File&nbsp;Format |<sub>`icc_profile`</sub>|
|`udp` |User&nbsp;datagram&nbsp;protocol |<sub>`dns`</sub>|
|`vorbis_comment` |Vorbis&nbsp;comment |<sub>`flac_picture`</sub>|
|`vorbis_packet` |Vorbis&nbsp;packet |<sub>`vorbis_comment`</sub>|
|`vp8_frame` |VP8&nbsp;frame |<sub></sub>|
@ -71,7 +77,7 @@
|`xing` |Xing&nbsp;header |<sub></sub>|
|`zip` |ZIP&nbsp;archive |<sub>`probe`</sub>|
|`image` |Group |<sub>`gif` `jpeg` `mp4` `png` `tiff` `webp`</sub>|
|`probe` |Group |<sub>`adts` `bzip2` `elf` `flac` `gif` `gzip` `jpeg` `json` `matroska` `mp3` `mp4` `mpeg_ts` `ogg` `png` `tar` `tiff` `wav` `webp` `zip`</sub>|
|`probe` |Group |<sub>`adts` `bzip2` `elf` `flac` `gif` `gzip` `jpeg` `json` `matroska` `mp3` `mp4` `mpeg_ts` `ogg` `pcap` `pcapng` `png` `tar` `tiff` `wav` `webp` `zip`</sub>|
[#]: sh-end

File diff suppressed because it is too large Load Diff

Before

Width:  |  Height:  |  Size: 86 KiB

After

Width:  |  Height:  |  Size: 92 KiB


@ -10,6 +10,8 @@ $ fq -n _registry.groups.probe
"matroska",
"mp4",
"ogg",
"pcap",
"pcapng",
"png",
"tar",
"tiff",


@ -13,6 +13,7 @@ import (
_ "github.com/wader/fq/format/gzip"
_ "github.com/wader/fq/format/icc"
_ "github.com/wader/fq/format/id3"
_ "github.com/wader/fq/format/inet"
_ "github.com/wader/fq/format/jpeg"
_ "github.com/wader/fq/format/json"
_ "github.com/wader/fq/format/matroska"
@ -21,6 +22,7 @@ import (
_ "github.com/wader/fq/format/mpeg"
_ "github.com/wader/fq/format/ogg"
_ "github.com/wader/fq/format/opus"
_ "github.com/wader/fq/format/pcap"
_ "github.com/wader/fq/format/png"
_ "github.com/wader/fq/format/protobuf"
_ "github.com/wader/fq/format/raw"


@ -40,8 +40,12 @@ var classNames = map[[2]uint64]decode.Scalar{
const (
typeA = 1
typeAAAA = 28
typeNS = 2
typeCNAME = 5
typeSOA = 6
typePTR = 12
typeTXT = 16
typeAAAA = 28
)
var typeNames = decode.UToStr{
@ -70,24 +74,24 @@ var typeNames = decode.UToStr{
29: "LOC",
15: "MX",
35: "NAPTR",
2: "NS",
typeNS: "NS",
47: "NSEC",
50: "NSEC3",
51: "NSEC3PARAM",
61: "OPENPGPKEY",
12: "PTR",
typePTR: "PTR",
46: "RRSIG",
17: "RP",
24: "SIG",
53: "SMIMEA",
6: "SOA",
typeSOA: "SOA",
33: "SRV",
44: "SSHFP",
32768: "TA",
249: "TKEY",
52: "TLSA",
250: "TSIG",
16: "TXT",
typeTXT: "TXT",
256: "URI",
63: "ZONEMD",
64: "SVCB",
@ -124,7 +128,7 @@ func decodeAAAAStr(d *decode.D) string {
return net.IP(d.BytesLen(16)).String()
}
func fieldFormatLabel(d *decode.D, name string) {
func fieldDecodeLabel(d *decode.D, name string) {
var endPos int64
const maxJumps = 100
jumpCount := 0
@ -165,26 +169,51 @@ func fieldFormatLabel(d *decode.D, name string) {
}
}
func fieldFormatRR(d *decode.D, count uint64, name string, structName string) {
func dnsDecodeRR(d *decode.D, count uint64, name string, structName string) {
d.FieldArray(name, func(d *decode.D) {
for i := uint64(0); i < count; i++ {
d.FieldStruct(structName, func(d *decode.D) {
fieldFormatLabel(d, "name")
fieldDecodeLabel(d, "name")
typ := d.FieldU16("type", d.MapUToStrSym(typeNames))
class := d.FieldU16("class", d.MapURangeToScalar(classNames))
d.FieldU32("ttl")
rdLength := d.FieldU16("rdlength")
switch {
case typ == typeCNAME:
fieldFormatLabel(d, "cname")
case class == classIN && typ == typeA:
d.FieldStrFn("address", decodeAStr)
case class == classIN && typ == typeAAAA:
d.FieldStrFn("address", decodeAAAAStr)
default:
d.FieldUTF8("rdata", int(rdLength))
}
d.LenFn(int64(rdLength)*8, func(d *decode.D) {
// TODO: all only for classIN?
switch {
case class == classIN && typ == typeA:
d.FieldStrFn("address", decodeAStr)
case typ == typeNS:
fieldDecodeLabel(d, "ns")
case typ == typeCNAME:
fieldDecodeLabel(d, "cname")
case typ == typeSOA:
fieldDecodeLabel(d, "mname")
fieldDecodeLabel(d, "rname")
d.FieldU32("serial")
d.FieldU32("refresh")
d.FieldU32("retry")
d.FieldU32("expire")
d.FieldU32("minimum")
case typ == typePTR:
fieldDecodeLabel(d, "ptr")
case typ == typeTXT:
var ss []string
d.FieldStruct("txt", func(d *decode.D) {
d.FieldArray("strings", func(d *decode.D) {
for !d.End() {
ss = append(ss, d.FieldUTF8ShortString("string"))
}
})
d.FieldValueStr("value", strings.Join(ss, ""))
})
case class == classIN && typ == typeAAAA:
d.FieldStrFn("address", decodeAAAAStr)
default:
d.FieldUTF8("rdata", int(rdLength))
}
})
})
}
})
@ -193,9 +222,9 @@ func fieldFormatRR(d *decode.D, count uint64, name string, structName string) {
func dnsDecode(d *decode.D, in interface{}) interface{} {
d.FieldStruct("header", func(d *decode.D) {
d.FieldU16("id")
d.FieldBool("query", d.MapBoolToStrSym(decode.BoolToStr{
true: "Query",
false: "Response",
d.FieldU1("qr", d.MapUToStrSym(decode.UToStr{
0: "query",
1: "response",
}))
d.FieldU4("opcode", d.MapUToStrSym(decode.UToStr{
0: "Query",
@ -220,16 +249,16 @@ func dnsDecode(d *decode.D, in interface{}) interface{} {
d.FieldArray("questions", func(d *decode.D) {
for i := uint64(0); i < qdCount; i++ {
d.FieldStruct("question", func(d *decode.D) {
fieldFormatLabel(d, "name")
fieldDecodeLabel(d, "name")
d.FieldU16("type", d.MapUToStrSym(typeNames))
d.FieldU16("class", d.MapURangeToScalar(classNames))
})
}
})
fieldFormatRR(d, anCount, "answers", "answer")
fieldFormatRR(d, nsCount, "nameservers", "nameserver")
fieldFormatRR(d, arCount, "additionals", "additional")
dnsDecodeRR(d, anCount, "answers", "answer")
dnsDecodeRR(d, nsCount, "nameservers", "nameserver")
dnsDecodeRR(d, arCount, "additionals", "additional")
return nil
}
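Review bot: The `default:` branch of the rdata switch in `dnsDecodeRR` still decodes every unhandled record type with `d.FieldUTF8("rdata", int(rdLength))`, although most rdata that ends up there (RRSIG, DNSKEY, OPT and similar) is binary, so the displayed string will not reflect the bytes on the wire. `d.FieldRawLen("rdata", int64(rdLength)*8)` would keep it as raw bits, which is the form someone examining an unexpected response needs. The new `typeNS`/`typeCNAME`/`typeSOA`/`typePTR` cases call `fieldDecodeLabel` inside `d.LenFn`; whether compression-pointer jumps to offsets outside the rdata window still work there is not visible in this section and deserves a test case.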


@ -2,7 +2,7 @@ $ fq -d dns verbose /cern-rsp
|00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f|0123456789abcdef|.: {} /cern-rsp (dns) 0x0-0x4f.7 (80)
| | | header: {} 0x0-0x3.7 (4)
0x00|71 02 |q. | id: 28930 0x0-0x1.7 (2)
0x00| 81 | . | query: "Query" (true) 0x2-0x2 (0.1)
0x00| 81 | . | qr: "response" (1) 0x2-0x2 (0.1)
0x00| 81 | . | opcode: "Query" (0) 0x2.1-0x2.4 (0.4)
0x00| 81 | . | authoritative_answer: false 0x2.5-0x2.5 (0.1)
0x00| 81 | . | truncation: false 0x2.6-0x2.6 (0.1)


@ -26,6 +26,10 @@ const (
BZIP2 = "bzip2"
DNS = "dns"
ELF = "elf"
ETHER8023 = "ether8023"
IPV4 = "ipv4"
UDP = "udp"
TCP = "tcp"
EXIF = "exif"
FLAC = "flac"
FLAC_FRAME = "flac_frame"
@ -66,6 +70,8 @@ const (
OGG = "ogg"
OGG_PAGE = "ogg_page"
OPUS_PACKET = "opus_packet"
PCAP = "pcap"
PCAPNG = "pcapng"
PNG = "png"
PROTOBUF = "protobuf"
PROTOBUF_WIDEVINE = "protobuf_widevine"

113
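--- a/format/inet/ether8023.go
+++ b/format/inet/ether8023.go
@@ -0,0 +1,113 @@
+package inet
+// TODO: move to own package?
+import (
+"encoding/binary"
+"fmt"
+"github.com/wader/fq/format"
+"github.com/wader/fq/format/registry"
+"github.com/wader/fq/pkg/decode"
+)
+var ipv4Format decode.Group
+func init() {
+registry.MustRegister(decode.Format{
+Name: format.ETHER8023,
+Description: "Ethernet 802.3",
+Dependencies: []decode.Dependency{
+{Names: []string{format.IPV4}, Group: &ipv4Format},
+},
+DecodeFn: decodeEthernet,
+})
+}
+const (
+etherTypeIPv4 = 0x0800
+)
+// from https://en.wikipedia.org/wiki/EtherType
+// TODO: cleanup
+var etherTypeMap = decode.UToScalar{
+etherTypeIPv4: {Sym: "ipv4", Description: `Internet Protocol version 4`},
+0x0806: {Sym: "arp", Description: `Address Resolution Protocol`},
+0x0842: {Sym: "wake", Description: `Wake-on-LAN[9]`},
+0x22f0: {Sym: "audio", Description: `Audio Video Transport Protocol`},
+0x22f3: {Sym: "trill", Description: `IETF TRILL Protocol`},
+0x22ea: {Sym: "srp", Description: `Stream Reservation Protocol`},
+0x6002: {Sym: "dec", Description: `DEC MOP RC`},
+0x6003: {Sym: "decnet", Description: `DECnet Phase IV, DNA Routing`},
+0x6004: {Sym: "declat", Description: `DEC LAT`},
+0x8035: {Sym: "Reverse", Description: `Reverse Address Resolution Protocol`},
+0x809b: {Sym: "appletalk", Description: `AppleTalk`},
+0x80f3: {Sym: "appletalk_arp", Description: `AppleTalk Address Resolution Protocol`},
+0x8100: {Sym: "vlan", Description: `VLAN-tagged (IEEE 802.1Q)`},
+0x8102: {Sym: "slpp", Description: `Simple Loop Prevention Protocol`},
+0x8103: {Sym: "vlacp", Description: `Virtual Link Aggregation Control Protocol`},
+0x8137: {Sym: "ipx", Description: `IPX`},
+0x8204: {Sym: "qnx", Description: `QNX Qnet`},
+0x86dd: {Sym: "ipv6", Description: `Internet Protocol Version 6`},
+0x8808: {Sym: "flow_control", Description: `Ethernet flow control`},
+0x8809: {Sym: "lacp", Description: `Ethernet Slow Protocols] such as the Link Aggregation Control Protocol`},
+0x8819: {Sym: "cobranet", Description: `CobraNet`},
+0x8847: {Sym: "mpls", Description: `MPLS unicast`},
+0x8848: {Sym: "mpls", Description: `MPLS multicast`},
+0x8863: {Sym: "pppoe_discovery", Description: `PPPoE Discovery Stage`},
+0x8864: {Sym: "pppoe_session", Description: `PPPoE Session Stage`},
+0x887b: {Sym: "homeplug", Description: `HomePlug 1.0 MME`},
+0x888e: {Sym: "eap", Description: `EAP over LAN (IEEE 802.1X)`},
+0x8892: {Sym: "profinet", Description: `PROFINET Protocol`},
+0x889a: {Sym: "hyperscsi", Description: `HyperSCSI (SCSI over Ethernet)`},
+0x88a2: {Sym: "ata", Description: `ATA over Ethernet`},
+0x88a4: {Sym: "ethercat", Description: `EtherCAT Protocol`},
+0x88a8: {Sym: "service", Description: `Service VLAN tag identifier (S-Tag) on Q-in-Q tunnel.`},
+0x88ab: {Sym: "ethernet", Description: `Ethernet Powerlink`},
+0x88b8: {Sym: "goose", Description: `GOOSE (Generic Object Oriented Substation event)`},
+0x88b9: {Sym: "gse", Description: `GSE (Generic Substation Events) Management Services`},
+0x88ba: {Sym: "sv", Description: `SV (Sampled Value Transmission)`},
+0x88bf: {Sym: "mikrotik", Description: `MikroTik RoMON (unofficial)`},
+0x88cc: {Sym: "link", Description: `Link Layer Discovery Protocol (LLDP)`},
+0x88cd: {Sym: "sercos", Description: `SERCOS III`},
+0x88e1: {Sym: "homeplug", Description: `HomePlug Green PHY`},
+0x88e3: {Sym: "media", Description: `Media Redundancy Protocol (IEC62439-2)`},
+0x88e5: {Sym: "ieee", Description: `IEEE 802.1AE MAC security (MACsec)`},
+0x88e7: {Sym: "provider", Description: `Provider Backbone Bridges (PBB) (IEEE 802.1ah)`},
+0x88f7: {Sym: "precision", Description: `Precision Time Protocol (PTP) over IEEE 802.3 Ethernet`},
+0x88f8: {Sym: "nc", Description: `NC-SI`},
+0x88fb: {Sym: "parallel", Description: `Parallel Redundancy Protocol (PRP)`},
+0x8902: {Sym: "ieee", Description: `IEEE 802.1ag Connectivity Fault Management (CFM) Protocol / ITU-T Recommendation Y.1731 (OAM)`},
+0x8906: {Sym: "fibre", Description: `Fibre Channel over Ethernet (FCoE)`},
+0x8914: {Sym: "fcoe", Description: `FCoE Initialization Protocol`},
+0x8915: {Sym: "rdma", Description: `RDMA over Converged Ethernet (RoCE)`},
+0x891d: {Sym: "ttethernet", Description: `TTEthernet Protocol Control Frame (TTE)`},
+0x893a: {Sym: "1905", Description: `1905.1 IEEE Protocol`},
+0x892f: {Sym: "high", Description: `High-availability Seamless Redundancy (HSR)`},
+0x9000: {Sym: "ethernet", Description: `Ethernet Configuration Testing Protocol[12]`},
+0xf1c1: {Sym: "redundancy", Description: `Redundancy Tag (IEEE 802.1CB Frame Replication and Elimination for Reliability)`},
+}
+var etherTypeFormat = map[uint64]*decode.Group{
+etherTypeIPv4: &ipv4Format,
+}
+func mapUToEtherSym(s decode.Scalar) (decode.Scalar, error) {
+var b [8]byte
+binary.BigEndian.PutUint64(b[:], s.ActualU())
+s.Sym = fmt.Sprintf("%.2x:%.2x:%.2x:%.2x:%.2x:%.2x", b[2], b[3], b[4], b[5], b[6], b[7])
+return s, nil
+}
+func decodeEthernet(d *decode.D, in interface{}) interface{} {
+d.FieldU("destination", 48, mapUToEtherSym, d.Hex)
+d.FieldU("source", 48, mapUToEtherSym, d.Hex)
+etherType := d.FieldU16("ether_type", d.MapUToScalar(etherTypeMap), d.Hex)
+if g, ok := etherTypeFormat[etherType]; ok {
+d.FieldFormatLen("packet", d.BitsLeft(), *g, nil)
+} else {
+d.FieldRawLen("data", d.BitsLeft())
+}
+return nil
+}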
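Review bot: Several entries in `etherTypeMap` share a `Sym` (`"mpls"` for 0x8847 and 0x8848, `"ieee"` for 0x88e5 and 0x8902, `"ethernet"` for 0x88ab and 0x9000, `"homeplug"` for 0x887b and 0x88e1), so a query that filters on the symbol cannot tell MACsec from CFM or unicast from multicast MPLS. The symbols look like the first word of each description; distinct names such as `0x88e5: {Sym: "macsec", ...}` and `0x8035: {Sym: "rarp", ...}` (currently `"Reverse"`) would make them usable as identifiers. A few descriptions also carry footnote residue (`Wake-on-LAN[9]`, `Ethernet Slow Protocols] such as ...`). Separately, `decodeEthernet` treats every 16-bit value as an EtherType, while values of 1500 or below are a length field in 802.3 framing, which deserves at least a comment.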

73
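--- a/format/inet/ipv4.go
+++ b/format/inet/ipv4.go
@@ -0,0 +1,73 @@
+package inet
+import (
+"encoding/binary"
+"net"
+"github.com/wader/fq/format"
+"github.com/wader/fq/format/registry"
+"github.com/wader/fq/pkg/decode"
+)
+var udpFormat decode.Group
+var tcpFormat decode.Group
+func init() {
+registry.MustRegister(decode.Format{
+Name: format.IPV4,
+Description: "Internet protocol v4",
+Dependencies: []decode.Dependency{
+{Names: []string{format.UDP}, Group: &udpFormat},
+{Names: []string{format.TCP}, Group: &tcpFormat},
+},
+DecodeFn: decodeIPv4,
+})
+}
+const (
+ipv4ProtocolTCP = 6
+ipv4ProtocolUDP = 17
+)
+var ipv4ProtocolFormat = map[uint64]*decode.Group{
+ipv4ProtocolUDP: &udpFormat,
+ipv4ProtocolTCP: &tcpFormat,
+}
+func mapUToIPv4Sym(s decode.Scalar) (decode.Scalar, error) {
+var b [4]byte
+binary.BigEndian.PutUint32(b[:], uint32(s.ActualU()))
+s.Sym = net.IP(b[:]).String()
+return s, nil
+}
+func decodeIPv4(d *decode.D, in interface{}) interface{} {
+d.FieldU4("version")
+ihl := d.FieldU4("ihl")
+d.FieldU6("dscp")
+d.FieldU2("ecn")
+totalLength := d.FieldU16("total_length")
+d.FieldU16("identification")
+d.FieldU1("reserved")
+d.FieldBool("dont_fragment")
+moreFragments := d.FieldBool("more_fragments")
+fragmentOffset := d.FieldU13("fragment_offset")
+d.FieldU8("ttl")
+protocol := d.FieldU8("protocol", d.MapUToScalar(ipv4ProtocolMap))
+d.FieldU16("header_checksum", d.Hex)
+d.FieldU32("source_ip", mapUToIPv4Sym, d.Hex)
+d.FieldU32("destination_ip", mapUToIPv4Sym, d.Hex)
+if ihl > 5 {
+d.FieldRawLen("options", (int64(ihl)-5)*8*4)
+}
+dataLen := int64(totalLength-(ihl*4)) * 8
+g, ok := ipv4ProtocolFormat[protocol]
+if !ok || moreFragments || fragmentOffset > 0 {
+d.FieldRawLen("data", dataLen)
+} else {
+d.FieldFormatLen("data", dataLen, *g, nil)
+}
+return nil
+}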
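Review bot: `dataLen := int64(totalLength-(ihl*4)) * 8` in `decodeIPv4` subtracts two unsigned values taken straight from the packet, so a header whose `total_length` is smaller than `ihl*4` wraps around instead of going negative, and an `ihl` below 5 is accepted without any indication. Captures are untrusted input, so both fields should be validated before the subtraction, failing the decode with `d.Fatalf` the way pcap.go in this commit does for an unknown magic, or falling back to raw data if tolerant decoding is preferred. How `FieldRawLen` and `FieldFormatLen` react to an oversized or negative length is not visible here, so the decoder should not depend on it. `total_length` can also exceed what was actually captured, which probably calls for clamping to `d.BitsLeft()`.

```go
// … unchanged: header fields up to destination_ip …
if ihl < 5 {
	d.Fatalf("invalid ihl %d", ihl)
}
headerLen := ihl * 4
if totalLength < headerLen {
	d.Fatalf("total_length %d is smaller than header length %d", totalLength, headerLen)
}
if ihl > 5 {
	d.FieldRawLen("options", (int64(ihl)-5)*8*4)
}
dataLen := int64(totalLength-headerLen) * 8
// … unchanged: protocol lookup and data field …
```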

145
format/inet/protocols.go Normal file

@ -0,0 +1,145 @@
package inet
import "github.com/wader/fq/pkg/decode"
// based on etc/services from Darwin/FreeBSD
// cat /etc/protocols | grep -v '^#' | jq -rR 'capture("(?<name>[\\w\\d-]+)\\s+(?<nr>\\d+)\\s+.*#\\s+(?<desc>.*)") | "\(.nr): {Sym: \(.name|tojson), Description: \(.desc|tojson)},"'
var ipv4ProtocolMap = decode.UToScalar{
0: {Sym: "ip", Description: "internet protocol, pseudo protocol number"},
1: {Sym: "icmp", Description: "internet control message protocol"},
2: {Sym: "igmp", Description: "internet group management protocol"},
3: {Sym: "ggp", Description: "gateway-gateway protocol"},
4: {Sym: "ipencap", Description: "IP encapsulated in IP"},
5: {Sym: "st2", Description: "ST2 datagram mode"},
6: {Sym: "tcp", Description: "transmission control protocol"},
7: {Sym: "cbt"},
8: {Sym: "egp", Description: "exterior gateway protocol"},
9: {Sym: "igp", Description: "any private interior gateway"},
10: {Sym: "bbn-rcc", Description: "BBN RCC Monitoring"},
11: {Sym: "nvp", Description: "Network Voice Protocol"},
12: {Sym: "pup", Description: "PARC universal packet protocol"},
13: {Sym: "argus", Description: "ARGUS"},
14: {Sym: "emcon", Description: "EMCON"},
15: {Sym: "xnet", Description: "Cross Net Debugger"},
16: {Sym: "chaos", Description: "Chaos"},
17: {Sym: "udp", Description: "user datagram protocol"},
18: {Sym: "mux", Description: "Multiplexing protocol"},
19: {Sym: "dcn", Description: "DCN Measurement Subsystems"},
20: {Sym: "hmp", Description: "host monitoring protocol"},
21: {Sym: "prm", Description: "packet radio measurement protocol"},
22: {Sym: "xns-idp", Description: "Xerox NS IDP"},
23: {Sym: "trunk-1", Description: "Trunk-1"},
24: {Sym: "trunk-2", Description: "Trunk-2"},
25: {Sym: "leaf-1", Description: "Leaf-1"},
26: {Sym: "leaf-2", Description: "Leaf-2"},
27: {Sym: "rdp", Description: "reliable datagram protocol"},
28: {Sym: "irtp", Description: "Internet Reliable Transaction Protocol"},
29: {Sym: "iso-tp4", Description: "ISO Transport Protocol Class 4"},
30: {Sym: "netblt", Description: "Bulk Data Transfer Protocol"},
31: {Sym: "mfe-nsp", Description: "MFE Network Services Protocol"},
32: {Sym: "merit-inp", Description: "MERIT Internodal Protocol"},
33: {Sym: "dccp", Description: "Datagram Congestion Control Protocol"},
34: {Sym: "3pc", Description: "Third Party Connect Protocol"},
35: {Sym: "idpr", Description: "Inter-Domain Policy Routing Protocol"},
36: {Sym: "xtp", Description: "Xpress Tranfer Protocol"},
37: {Sym: "ddp", Description: "Datagram Delivery Protocol"},
38: {Sym: "idpr-cmtp", Description: "IDPR Control Message Transport Proto"},
40: {Sym: "il", Description: "IL Transport Protocol"},
41: {Sym: "ipv6", Description: "ipv6"},
42: {Sym: "sdrp", Description: "Source Demand Routing Protocol"},
43: {Sym: "ipv6-route", Description: "routing header for ipv6"},
44: {Sym: "ipv6-frag", Description: "fragment header for ipv6"},
45: {Sym: "idrp", Description: "Inter-Domain Routing Protocol"},
46: {Sym: "rsvp", Description: "Resource ReSerVation Protocol"},
47: {Sym: "gre", Description: "Generic Routing Encapsulation"},
48: {Sym: "dsr", Description: "Dynamic Source Routing Protocol"},
49: {Sym: "bna", Description: "BNA"},
50: {Sym: "esp", Description: "encapsulating security payload"},
51: {Sym: "ah", Description: "authentication header"},
52: {Sym: "i-nlsp", Description: "Integrated Net Layer Security TUBA"},
53: {Sym: "swipe", Description: "IP with Encryption"},
54: {Sym: "narp", Description: "NBMA Address Resolution Protocol"},
55: {Sym: "mobile", Description: "IP Mobility"},
56: {Sym: "tlsp", Description: "Transport Layer Security Protocol"},
57: {Sym: "skip", Description: "SKIP"},
58: {Sym: "ipv6-icmp", Description: "ICMP for IPv6"},
59: {Sym: "ipv6-nonxt", Description: "no next header for ipv6"},
60: {Sym: "ipv6-opts", Description: "destination options for ipv6"},
62: {Sym: "cftp", Description: "CFTP"},
64: {Sym: "sat-expak", Description: "SATNET and Backroom EXPAK"},
65: {Sym: "kryptolan", Description: "Kryptolan"},
66: {Sym: "rvd", Description: "MIT Remote Virtual Disk Protocol"},
67: {Sym: "ippc", Description: "Internet Pluribus Packet Core"},
69: {Sym: "sat-mon", Description: "SATNET Monitoring"},
70: {Sym: "visa", Description: "VISA Protocol"},
71: {Sym: "ipcv", Description: "Internet Packet Core Utility"},
72: {Sym: "cpnx", Description: "Computer Protocol Network Executive"},
73: {Sym: "cphb", Description: "Computer Protocol Heart Beat"},
74: {Sym: "wsn", Description: "Wang Span Network"},
75: {Sym: "pvp", Description: "Packet Video Protocol"},
76: {Sym: "br-sat-mon", Description: "Backroom SATNET Monitoring"},
77: {Sym: "sun-nd", Description: "SUN ND PROTOCOL-Temporary"},
78: {Sym: "wb-mon", Description: "WIDEBAND Monitoring"},
79: {Sym: "wb-expak", Description: "WIDEBAND EXPAK"},
80: {Sym: "iso-ip", Description: "ISO Internet Protocol"},
81: {Sym: "vmtp", Description: "Versatile Message Transport"},
82: {Sym: "secure-vmtp", Description: "SECURE-VMTP"},
83: {Sym: "vines", Description: "VINES"},
84: {Sym: "ttp", Description: "TTP"},
85: {Sym: "nsfnet-igp", Description: "NSFNET-IGP"},
86: {Sym: "dgp", Description: "Dissimilar Gateway Protocol"},
87: {Sym: "tcf", Description: "TCF"},
88: {Sym: "eigrp", Description: "Enhanced Interior Routing Protocol (Cisco)"},
89: {Sym: "ospf", Description: "Open Shortest Path First IGP"},
90: {Sym: "sprite-rpc", Description: "Sprite RPC Protocol"},
91: {Sym: "larp", Description: "Locus Address Resolution Protocol"},
92: {Sym: "mtp", Description: "Multicast Transport Protocol"},
93: {Sym: "25", Description: "AX.25 Frames"},
94: {Sym: "ipip", Description: "Yet Another IP encapsulation"},
95: {Sym: "micp", Description: "Mobile Internetworking Control Pro."},
96: {Sym: "scc-sp", Description: "Semaphore Communications Sec. Pro."},
97: {Sym: "etherip", Description: "Ethernet-within-IP Encapsulation"},
98: {Sym: "encap", Description: "Yet Another IP encapsulation"},
100: {Sym: "gmtp", Description: "GMTP"},
101: {Sym: "ifmp", Description: "Ipsilon Flow Management Protocol"},
102: {Sym: "pnni", Description: "PNNI over IP"},
103: {Sym: "pim", Description: "Protocol Independent Multicast"},
104: {Sym: "aris", Description: "ARIS"},
105: {Sym: "scps", Description: "SCPS"},
106: {Sym: "qnx", Description: "QNX"},
107: {Sym: "n", Description: "Active Networks"},
108: {Sym: "ipcomp", Description: "IP Payload Compression Protocol"},
109: {Sym: "snp", Description: "Sitara Networks Protocol"},
110: {Sym: "compaq-peer", Description: "Compaq Peer Protocol"},
111: {Sym: "ipx-in-ip", Description: "IPX in IP"},
112: {Sym: "carp", Description: "Common Address Redundancy Protocol"},
113: {Sym: "pgm", Description: "PGM Reliable Transport Protocol"},
115: {Sym: "l2tp", Description: "Layer Two Tunneling Protocol"},
116: {Sym: "ddx", Description: "D-II Data Exchange"},
117: {Sym: "iatp", Description: "Interactive Agent Transfer Protocol"},
118: {Sym: "stp", Description: "Schedule Transfer Protocol"},
119: {Sym: "srp", Description: "SpectraLink Radio Protocol"},
120: {Sym: "uti", Description: "UTI"},
121: {Sym: "smp", Description: "Simple Message Protocol"},
122: {Sym: "sm", Description: "SM"},
123: {Sym: "ptp", Description: "Performance Transparency Protocol"},
124: {Sym: "isis", Description: "ISIS over IPv4"},
126: {Sym: "crtp", Description: "Combat Radio Transport Protocol"},
127: {Sym: "crudp", Description: "Combat Radio User Datagram"},
130: {Sym: "sps", Description: "Secure Packet Shield"},
131: {Sym: "pipe", Description: "Private IP Encapsulation within IP"},
132: {Sym: "sctp", Description: "Stream Control Transmission Protocol"},
133: {Sym: "fc", Description: "Fibre Channel"},
134: {Sym: "rsvp-e2e-ignore", Description: "Aggregation of RSVP for IP reservations"},
135: {Sym: "mobility-header", Description: "Mobility Support in IPv6"},
136: {Sym: "udplite", Description: "The UDP-Lite Protocol"},
137: {Sym: "mpls-in-ip", Description: "Encapsulating MPLS in IP"},
138: {Sym: "manet", Description: "MANET Protocols (RFC5498)"},
139: {Sym: "hip", Description: "Host Identity Protocol (RFC5201)"},
140: {Sym: "shim6", Description: "Shim6 Protocol (RFC5533)"},
141: {Sym: "wesp", Description: "Wrapped Encapsulating Security Payload (RFC5840)"},
142: {Sym: "rohc", Description: "Robust Header Compression (RFC5858)"},
240: {Sym: "pfsync", Description: "PF Synchronization"},
258: {Sym: "divert", Description: "Divert pseudo-protocol [non IANA]"},
}

1377
format/inet/services.go Normal file

File diff suppressed because it is too large Load Diff

42
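--- a/format/inet/tcp.go
+++ b/format/inet/tcp.go
@@ -0,0 +1,42 @@
+package inet
+import (
+"github.com/wader/fq/format"
+"github.com/wader/fq/format/registry"
+"github.com/wader/fq/pkg/decode"
+)
+func init() {
+registry.MustRegister(decode.Format{
+Name: format.TCP,
+Description: "Transmission Control Protocol",
+DecodeFn: decodeTCP,
+})
+}
+func decodeTCP(d *decode.D, in interface{}) interface{} {
+d.FieldU16("source_port", d.MapUToScalar(tcpPortMap))
+d.FieldU16("destination_port", d.MapUToScalar(tcpPortMap))
+d.FieldU32("sequence_number")
+d.FieldU32("acknowledgment_number")
+dataOffset := d.FieldU4("data_offset")
+d.FieldU3("reserved")
+d.FieldBool("ns")
+d.FieldBool("cwr")
+d.FieldBool("ece")
+d.FieldBool("urg")
+d.FieldBool("ack")
+d.FieldBool("psh")
+d.FieldBool("rst")
+d.FieldBool("syn")
+d.FieldBool("fin")
+d.FieldU16("window_size")
+d.FieldU16("checksum", d.Hex)
+d.FieldU16("urgent_pointer")
+if dataOffset > 5 {
+d.FieldRawLen("options", (int64(dataOffset)-5)*8*4)
+}
+d.FieldRawLen("data", d.BitsLeft())
+return nil
+}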
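Review bot: `decodeTCP` only handles `dataOffset > 5`; a `data_offset` below 5 is not a valid TCP header but passes without any indication, and the options length `(int64(dataOffset)-5)*8*4` is never compared with `d.BitsLeft()`, so a segment truncated by the capture relies entirely on `FieldRawLen` to fail. Consider rejecting or flagging the short case, e.g. `if dataOffset < 5 { d.Fatalf("invalid data_offset %d", dataOffset) }`. The function also has no doc comment; `// decodeTCP decodes the fixed TCP header and leaves options and payload as raw bits.` would record that options are deliberately not parsed yet.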

BIN
format/inet/testdata/ether8023 vendored Normal file

Binary file not shown.

31
format/inet/testdata/ether8023.fqtest vendored Normal file

@ -0,0 +1,31 @@
# fq 'first(.. | select(format=="ether8023")) | tobytes' many_interfaces.pcapng > ether8023
$ fq -d ether8023 verbose /ether8023
|00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f|0123456789abcdef|.: {} /ether8023 (ether8023) 0x0-0xb1.7 (178)
0x00|ff ff ff ff ff ff |...... | destination: "ff:ff:ff:ff:ff:ff" (0xffffffffffff) 0x0-0x5.7 (6)
0x00| a4 5e 60 f1 7d 93 | .^`.}. | source: "a4:5e:60:f1:7d:93" (0xa45e60f17d93) 0x6-0xb.7 (6)
0x00| 08 00 | .. | ether_type: "ipv4" (0x800) (Internet Protocol version 4) 0xc-0xd.7 (2)
| | | packet: {} (ipv4) 0xe-0xb1.7 (164)
0x00| 45 | E | version: 4 0xe-0xe.3 (0.4)
0x00| 45 | E | ihl: 5 0xe.4-0xe.7 (0.4)
0x00| 00| .| dscp: 0 0xf-0xf.5 (0.6)
0x00| 00| .| ecn: 0 0xf.6-0xf.7 (0.2)
0x10|00 a4 |.. | total_length: 164 0x10-0x11.7 (2)
0x10| c6 ce | .. | identification: 50894 0x12-0x13.7 (2)
0x10| 00 | . | reserved: 0 0x14-0x14 (0.1)
0x10| 00 | . | dont_fragment: false 0x14.1-0x14.1 (0.1)
0x10| 00 | . | more_fragments: false 0x14.2-0x14.2 (0.1)
0x10| 00 00 | .. | fragment_offset: 0 0x14.3-0x15.7 (1.5)
0x10| 40 | @ | ttl: 64 0x16-0x16.7 (1)
0x10| 11 | . | protocol: "udp" (17) (user datagram protocol) 0x17-0x17.7 (1)
0x10| f1 47 | .G | header_checksum: 0xf147 0x18-0x19.7 (2)
0x10| c0 a8 01 8b | .... | source_ip: "192.168.1.139" (0xc0a8018b) 0x1a-0x1d.7 (4)
0x10| ff ff| ..| destination_ip: "255.255.255.255" (0xffffffff) 0x1e-0x21.7 (4)
0x20|ff ff |.. |
| | | data: {} (udp) 0x22-0xb1.7 (144)
0x20| 44 5c | D\ | source_port: 17500 0x22-0x23.7 (2)
0x20| 44 5c | D\ | destination_port: 17500 0x24-0x25.7 (2)
0x20| 00 90 | .. | length: 144 0x26-0x27.7 (2)
0x20| ba 03 | .. | checksum: 0xba03 0x28-0x29.7 (2)
0x20| 7b 22 68 6f 73 74| {"host| data: raw bits 0x2a-0xb1.7 (136)
0x30|5f 69 6e 74 22 3a 20 34 30 39 34 35 31 34 34 38|_int": 409451448|
* |until 0xb1.7 (end) (136) | |

BIN
format/inet/testdata/ipv4 vendored Normal file

Binary file not shown.

21
format/inet/testdata/ipv4.fqtest vendored Normal file

@ -0,0 +1,21 @@
# fq 'first(.. | select(format=="ipv4")) | tobytes' many_interfaces.pcapng > ipv4
$ fq -d ipv4 verbose /ipv4
|00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f|0123456789abcdef|.: {} /ipv4 (ipv4) 0x0-0x3e3.7 (996)
0x000|45 |E | version: 4 0x0-0x0.3 (0.4)
0x000|45 |E | ihl: 5 0x0.4-0x0.7 (0.4)
0x000| 00 | . | dscp: 0 0x1-0x1.5 (0.6)
0x000| 00 | . | ecn: 0 0x1.6-0x1.7 (0.2)
0x000| 03 e4 | .. | total_length: 996 0x2-0x3.7 (2)
0x000| b5 d0 | .. | identification: 46544 0x4-0x5.7 (2)
0x000| 20 | | reserved: 0 0x6-0x6 (0.1)
0x000| 20 | | dont_fragment: false 0x6.1-0x6.1 (0.1)
0x000| 20 | | more_fragments: true 0x6.2-0x6.2 (0.1)
0x000| 20 00 | . | fragment_offset: 0 0x6.3-0x7.7 (1.5)
0x000| 40 | @ | ttl: 64 0x8-0x8.7 (1)
0x000| 01 | . | protocol: "icmp" (1) (internet control message protocol) 0x9-0x9.7 (1)
0x000| 9b 44 | .D | header_checksum: 0x9b44 0xa-0xb.7 (2)
0x000| 02 01 01 02| ....| source_ip: "2.1.1.2" (0x2010102) 0xc-0xf.7 (4)
0x010|02 01 01 01 |.... | destination_ip: "2.1.1.1" (0x2010101) 0x10-0x13.7 (4)
0x010| 08 00 4d 71 13 c2 00 01 14 2b d2 59| ..Mq.....+.Y| data: raw bits 0x14-0x3e3.7 (976)
0x020|00 00 00 00 3d 2a 08 00 00 00 00 00 10 11 12 13|....=*..........|
* |until 0x3e3.7 (end) (976) | |

BIN
format/inet/testdata/tcp vendored Normal file

Binary file not shown.

24
format/inet/testdata/tcp.fqtest vendored Normal file

@ -0,0 +1,24 @@
# fq 'first(.. | select(format=="tcp")) | tobytes' many_interfaces.pcapng > tcp
$ fq -d tcp verbose /tcp
|00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f|0123456789abcdef|.: {} /tcp (tcp) 0x0-0x2b.7 (44)
0x00|c7 25 |.% | source_port: 50981 0x0-0x1.7 (2)
0x00| 01 bb | .. | destination_port: "https" (443) (http protocol over TLS/SSL) 0x2-0x3.7 (2)
0x00| 2b ce 2e 8a | +... | sequence_number: 734932618 0x4-0x7.7 (4)
0x00| 00 00 00 00 | .... | acknowledgment_number: 0 0x8-0xb.7 (4)
0x00| b0 | . | data_offset: 11 0xc-0xc.3 (0.4)
0x00| b0 | . | reserved: 0 0xc.4-0xc.6 (0.3)
0x00| b0 | . | ns: false 0xc.7-0xc.7 (0.1)
0x00| 02 | . | cwr: false 0xd-0xd (0.1)
0x00| 02 | . | ece: false 0xd.1-0xd.1 (0.1)
0x00| 02 | . | urg: false 0xd.2-0xd.2 (0.1)
0x00| 02 | . | ack: false 0xd.3-0xd.3 (0.1)
0x00| 02 | . | psh: false 0xd.4-0xd.4 (0.1)
0x00| 02 | . | rst: false 0xd.5-0xd.5 (0.1)
0x00| 02 | . | syn: true 0xd.6-0xd.6 (0.1)
0x00| 02 | . | fin: false 0xd.7-0xd.7 (0.1)
0x00| ff ff| ..| window_size: 65535 0xe-0xf.7 (2)
0x10|45 e4 |E. | checksum: 0x45e4 0x10-0x11.7 (2)
0x10| 00 00 | .. | urgent_pointer: 0 0x12-0x13.7 (2)
0x10| 02 04 05 b4 01 03 03 05 01 01 08 0a| ............| options: raw bits 0x14-0x2b.7 (24)
0x20|4b 2a 91 21 00 00 00 00 04 02 00 00| |K*.!........| |
| | | data: raw bits 0x2c-NA (0)

BIN
format/inet/testdata/udp vendored Normal file

Binary file not shown.

10
format/inet/testdata/udp.fqtest vendored Normal file

@ -0,0 +1,10 @@
# fq 'first(.. | select(format=="udp")) | tobytes' many_interfaces.pcapng > udp
$ fq -d udp verbose /udp
|00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f|0123456789abcdef|.: {} /udp (udp) 0x0-0x8f.7 (144)
0x00|44 5c |D\ | source_port: 17500 0x0-0x1.7 (2)
0x00| 44 5c | D\ | destination_port: 17500 0x2-0x3.7 (2)
0x00| 00 90 | .. | length: 144 0x4-0x5.7 (2)
0x00| ba 03 | .. | checksum: 0xba03 0x6-0x7.7 (2)
0x00| 7b 22 68 6f 73 74 5f 69| {"host_i| data: raw bits 0x8-0x8f.7 (136)
0x10|6e 74 22 3a 20 34 30 39 34 35 31 34 34 38 33 2c|nt": 4094514483,|
* |until 0x8f.7 (end) (136) | |

49
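--- a/format/inet/udp.go
+++ b/format/inet/udp.go
@@ -0,0 +1,49 @@
+package inet
+import (
+"github.com/wader/fq/format"
+"github.com/wader/fq/format/registry"
+"github.com/wader/fq/pkg/decode"
+)
+var udpDNSFormat decode.Group
+func init() {
+registry.MustRegister(decode.Format{
+Name: format.UDP,
+Description: "User datagram protocol",
+Dependencies: []decode.Dependency{
+{Names: []string{format.DNS}, Group: &udpDNSFormat},
+},
+DecodeFn: decodeUDP,
+})
+}
+const (
+udpPortDNS = 53
+)
+var udpPortFormat = map[uint64]*decode.Group{
+udpPortDNS: &udpDNSFormat,
+}
+func decodeUDP(d *decode.D, in interface{}) interface{} {
+soucePort := d.FieldU16("source_port", d.MapUToScalar(udpPortMap))
+destPort := d.FieldU16("destination_port", d.MapUToScalar(udpPortMap))
+length := d.FieldU16("length")
+d.FieldU16("checksum", d.Hex)
+// TODO: prio? src/dst map?
+g := udpPortFormat[soucePort]
+if g == nil {
+g = udpPortFormat[destPort]
+}
+dataLen := int64(length-8) * 8
+if g != nil {
+d.FieldFormatLen("data", dataLen, *g, nil)
+} else {
+d.FieldRawLen("data", dataLen)
+}
+return nil
+}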
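Review bot: In decodeUDP, `dataLen := int64(length-8) * 8` uses the length field from the datagram without checking that it covers the 8-byte UDP header. `length` is unsigned, so a value below 8 wraps on subtraction and the conversion yields a negative bit count that is then handed to `d.FieldFormatLen` / `d.FieldRawLen`. Capture files are untrusted input, so I would reject this before the subtraction, e.g. `if length < 8 { d.Fatalf("length %d smaller than udp header", length) }`. Separately, `soucePort` is a typo for `sourcePort`, and `udpPortMap` is not declared in this file, so it is presumably defined elsewhere in the package.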

70
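--- a/format/pcap/pcap.go
+++ b/format/pcap/pcap.go
@@ -0,0 +1,70 @@
+package pcap
+// https://wiki.wireshark.org/Development/LibpcapFileFormat
+import (
+"github.com/wader/fq/format"
+"github.com/wader/fq/format/registry"
+"github.com/wader/fq/pkg/decode"
+)
+var pcapEther8023Format decode.Group
+const (
+bigEndian = 0xa1b2c3d4
+littleEndian = 0xd4c3b2a1
+)
+var endianMap = decode.UToStr{
+bigEndian: "big_endian",
+littleEndian: "little_endian",
+}
+func init() {
+registry.MustRegister(decode.Format{
+Name: format.PCAP,
+Description: "PCAP packet capture",
+Groups: []string{format.PROBE},
+Dependencies: []decode.Dependency{
+{Names: []string{format.ETHER8023}, Group: &pcapEther8023Format},
+},
+DecodeFn: decodePcap,
+})
+}
+func decodePcap(d *decode.D, in interface{}) interface{} {
+endian := d.FieldU32("magic", d.AssertU(bigEndian, littleEndian), d.MapUToStrSym(endianMap), d.Hex)
+switch endian {
+case bigEndian:
+d.Endian = decode.BigEndian
+case littleEndian:
+d.Endian = decode.LittleEndian
+default:
+d.Fatalf("unknown endian %d", endian)
+}
+d.FieldU16("version_major")
+d.FieldU16("version_minor")
+d.FieldS32("thiszone")
+d.FieldU32("sigfigs")
+d.FieldU32("snaplen")
+linkType := int(d.FieldU32("network", d.MapUToScalar(linkTypeMap)))
+d.FieldArray("packets", func(d *decode.D) {
+for !d.End() {
+d.FieldStruct("packet", func(d *decode.D) {
+d.FieldU32("ts_sec")
+d.FieldU32("ts_usec")
+inclLen := d.FieldU32("incl_len")
+origLen := d.FieldU32("orig_len")
+if g, ok := linkToFormat[linkType]; ok {
+d.FieldFormatLen("packet", int64(origLen)*8, *g, nil)
+} else {
+d.FieldRawLen("packet", int64(origLen)*8)
+}
+d.FieldRawLen("capture_padding", int64(inclLen-origLen)*8)
+})
+}
+})
+return nil
+}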
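Review bot: The packet record in decodePcap sizes the stored packet by `orig_len`, but in the libpcap format `incl_len` is the number of bytes actually saved in the file and `orig_len` is the length on the wire. For a capture truncated by the snap length (`incl_len < orig_len`) the packet field extends into the following records, and `int64(inclLen-origLen)*8` wraps to a negative length for `capture_padding`. I would size the packet from the stored length, `d.FieldFormatLen("packet", int64(inclLen)*8, *g, nil)` and likewise in the raw branch, and drop `capture_padding`. The enhanced packet block in pcapng.go has the same pattern with `capturedLength` and `originalLength`. `snaplen` is read but never compared with `incl_len`, which would be a cheap sanity check on untrusted files.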

357
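--- a/format/pcap/pcapng.go
+++ b/format/pcap/pcapng.go
@@ -0,0 +1,357 @@
+package pcap
+// https://pcapng.github.io/pcapng/draft-ietf-opsawg-pcapng.html
+import (
+"encoding/binary"
+"net"
+"github.com/wader/fq/format"
+"github.com/wader/fq/format/registry"
+"github.com/wader/fq/pkg/decode"
+)
+var pcapngEther8023Format decode.Group
+func init() {
+registry.MustRegister(decode.Format{
+Name: format.PCAPNG,
+Description: "PCAPNG packet capture",
+RootArray: true,
+Groups: []string{format.PROBE},
+Dependencies: []decode.Dependency{
+{Names: []string{format.ETHER8023}, Group: &pcapngEther8023Format},
+},
+DecodeFn: decodePcapng,
+})
+}
+const (
+ngBigEndian = 0x1a2b3c4d
+ngLittleEndian = 0x4d3c2b1a
+)
+var ngEndianMap = decode.UToStr{
+ngBigEndian: "big_endian",
+ngLittleEndian: "little_endian",
+}
+const (
+blockTypeSectionHeader = 0x0a0d0d0a
+blockTypeInterfaceDescription = 0x00000001
+blockTypeNameResolution = 0x00000004
+blockTypeInterfaceStatistics = 0x00000005
+blockTypeEnhancedPacketBlock = 0x00000006
+)
+// from https://pcapng.github.io/pcapng/draft-ietf-opsawg-pcapng.html#section_block_code_registry
+var blockTypeMap = decode.UToScalar{
+blockTypeInterfaceDescription: {Sym: "interface_description", Description: "Interface Description Block"},
+0x00000002: {Description: "Packet Block"},
+0x00000003: {Description: "Simple Packet Block"},
+blockTypeNameResolution: {Sym: "name_resolution", Description: "Name Resolution Block"},
+blockTypeInterfaceStatistics: {Sym: "interface_statistics", Description: "Interface Statistics Block"},
+blockTypeEnhancedPacketBlock: {Sym: "enhanced_packet", Description: "Enhanced Packet Block"},
+0x00000007: {Description: "IRIG Timestamp Block"},
+0x00000008: {Description: "ARINC 429 in AFDX Encapsulation Information Block"},
+0x00000009: {Description: "systemd Journal Export Block"},
+0x0000000a: {Description: "Decryption Secrets Block"},
+0x00000101: {Description: "Hone Project Machine Info Block"},
+0x00000102: {Description: "Hone Project Connection Event Block"},
+0x00000201: {Description: "Sysdig Machine Info Block"},
+0x00000202: {Description: "Sysdig Process Info Block, version 1"},
+0x00000203: {Description: "Sysdig FD List Block"},
+0x00000204: {Description: "Sysdig Event Block"},
+0x00000205: {Description: "Sysdig Interface List Block"},
+0x00000206: {Description: "Sysdig User List Block"},
+0x00000207: {Description: "Sysdig Process Info Block, version 2"},
+0x00000208: {Description: "Sysdig Event Block with flags"},
+0x00000209: {Description: "Sysdig Process Info Block, version 3"},
+0x00000210: {Description: "Sysdig Process Info Block, version 4"},
+0x00000211: {Description: "Sysdig Process Info Block, version 5"},
+0x00000212: {Description: "Sysdig Process Info Block, version 6"},
+0x00000213: {Description: "Sysdig Process Info Block, version 7"},
+0x00000bad: {Description: "Custom Block that rewriters can copy into new files"},
+0x40000bad: {Description: "Custom Block that rewriters should not copy into new files"},
+blockTypeSectionHeader: {Sym: "section_header", Description: "Section Header Block"},
+}
+const (
+optionEnd = 0
+optionComment = 1
+sectionHeaderOptionHardware = 2
+sectionHeaderOptionOS = 3
+sectionHeaderOptionUserAppl = 4
+interfaceDescriptionName = 2
+interfaceDescriptionDescription = 3
+interfaceDescriptionIPv4addr = 4
+interfaceDescriptionMACaddr = 6
+interfaceDescriptionEUIaddr = 7
+interfaceDescriptionSpeed = 8
+interfaceDescriptionTsresol = 9
+interfaceDescriptionTzone = 10
+interfaceDescriptionFilter = 11
+interfaceDescriptionOS = 12
+interfaceDescriptionFcslen = 13
+interfaceDescriptionTsoffset = 14
+enhancedPacketFlags = 2
+enhancedPacketHash = 3
+enhancedPacketDropcount = 4
+nameResolutionDNSName = 2
+nameResolutionDNSIP4addr = 3
+nameResolutionDNSIP6addr = 4
+interfaceStatisticsStarttime = 2
+interfaceStatisticsEndtime = 3
+interfaceStatisticsIfRecv = 4
+interfaceStatisticsIfDrop = 5
+interfaceStatisticsFilterAccept = 6
+interfaceStatisticsOSDrop = 7
+interfaceStatisticsUsrdeliv = 8
+)
+var sectionHeaderOptionsMap = decode.UToScalar{
+optionEnd: {Sym: "end", Description: "End of options"},
+optionComment: {Sym: "comment", Description: "Comment"},
+sectionHeaderOptionHardware: {Sym: "hardware"},
+sectionHeaderOptionOS: {Sym: "os"},
+sectionHeaderOptionUserAppl: {Sym: "userappl"},
+}
+var interfaceDescriptionOptionsMap = decode.UToScalar{
+optionEnd: {Sym: "end", Description: "End of options"},
+optionComment: {Sym: "comment", Description: "Comment"},
+interfaceDescriptionName: {Sym: "name"},
+interfaceDescriptionDescription: {Sym: "description"},
+interfaceDescriptionIPv4addr: {Sym: "ipv4addr"},
+interfaceDescriptionMACaddr: {Sym: "macaddr"},
+interfaceDescriptionEUIaddr: {Sym: "euiaddr"},
+interfaceDescriptionSpeed: {Sym: "speed"},
+interfaceDescriptionTsresol: {Sym: "tsresol"},
+interfaceDescriptionTzone: {Sym: "tzone"},
+interfaceDescriptionFilter: {Sym: "filter"},
+interfaceDescriptionOS: {Sym: "os"},
+interfaceDescriptionFcslen: {Sym: "fcslen"},
+interfaceDescriptionTsoffset: {Sym: "tsoffset"},
+}
+var enhancedPacketOptionsMap = decode.UToScalar{
+optionEnd: {Sym: "end", Description: "End of options"},
+optionComment: {Sym: "comment", Description: "Comment"},
+enhancedPacketFlags: {Sym: "flags"},
+enhancedPacketHash: {Sym: "hash"},
+enhancedPacketDropcount: {Sym: "dropcount"},
+}
+var nameResolutionOptionsMap = decode.UToScalar{
+optionEnd: {Sym: "end", Description: "End of options"},
+optionComment: {Sym: "comment", Description: "Comment"},
+nameResolutionDNSName: {Sym: "dnsname"},
+nameResolutionDNSIP4addr: {Sym: "dnsip4addr"},
+nameResolutionDNSIP6addr: {Sym: "dnsip6addr"},
+}
+var interfaceStatisticsOptionsMap = decode.UToScalar{
+optionEnd: {Sym: "end", Description: "End of options"},
+optionComment: {Sym: "comment", Description: "Comment"},
+interfaceStatisticsStarttime: {Sym: "starttime"},
+interfaceStatisticsEndtime: {Sym: "endtime"},
+interfaceStatisticsIfRecv: {Sym: "ifrecv"},
+interfaceStatisticsIfDrop: {Sym: "ifdrop"},
+interfaceStatisticsFilterAccept: {Sym: "filteraccept"},
+interfaceStatisticsOSDrop: {Sym: "osdrop"},
+interfaceStatisticsUsrdeliv: {Sym: "usrdeliv"},
+}
+const (
+nameResolutionRecordEnd = 0x0000
+nameResolutionRecordIpv4 = 0x0001
+nameResolutionRecordIpv6 = 0x0002
+)
+var nameResolutionRecordMap = decode.UToStr{
+nameResolutionRecordEnd: "end",
+nameResolutionRecordIpv4: "ipv4",
+nameResolutionRecordIpv6: "ipv6",
+}
+type decodeContext struct {
+sectionHeaderFound bool
+interfaceTypes map[int]int
+}
+func decoodeOptions(d *decode.D, opts decode.UToScalar) {
+if d.BitsLeft() < 32 {
+return
+}
+seenEnd := false
+for !seenEnd {
+d.FieldStruct("option", func(d *decode.D) {
+code := d.FieldU16("code", d.MapUToScalar(opts))
+length := d.FieldU16("length")
+if code == optionEnd {
+seenEnd = true
+return
+}
+d.FieldUTF8NullFixedLen("value", int(length))
+d.FieldRawLen("padding", int64(d.AlignBits(32)))
+})
+}
+}
+// TODO: share
+func mapUToIPv4Sym(s decode.Scalar) (decode.Scalar, error) {
+var b [4]byte
+binary.BigEndian.PutUint32(b[:], uint32(s.ActualU()))
+s.Sym = net.IP(b[:]).String()
+return s, nil
+}
+var blockFns = map[uint64]func(d *decode.D, dc *decodeContext){
+blockTypeInterfaceDescription: func(d *decode.D, dc *decodeContext) {
+typ := d.FieldU16("link_type", d.MapUToScalar(linkTypeMap))
+d.FieldU16("reserved")
+d.FieldU32("snap_len")
+d.FieldArray("options", func(d *decode.D) { decoodeOptions(d, interfaceDescriptionOptionsMap) })
+dc.interfaceTypes[len(dc.interfaceTypes)] = int(typ)
+},
+blockTypeEnhancedPacketBlock: func(d *decode.D, dc *decodeContext) {
+interfaceID := d.FieldU32("interface_id")
+d.FieldU32("timestamp_high")
+d.FieldU32("timestamp_low")
+capturedLength := d.FieldU32("capture_packet_length")
+originalLength := d.FieldU32("original_packet_length")
+if g, ok := linkToFormat[dc.interfaceTypes[int(interfaceID)]]; ok {
+d.FieldFormatLen("packet", int64(originalLength)*8, *g, nil)
+} else {
+d.FieldRawLen("packet", int64(originalLength)*8)
+}
+d.FieldRawLen("capture_padding", int64(capturedLength-originalLength)*8)
+d.FieldRawLen("padding", int64(d.AlignBits(32)))
+d.FieldArray("options", func(d *decode.D) { decoodeOptions(d, enhancedPacketOptionsMap) })
+},
+blockTypeNameResolution: func(d *decode.D, _ *decodeContext) {
+seenEnd := false
+d.FieldArray("records", func(d *decode.D) {
+for !seenEnd {
+d.FieldStruct("record", func(d *decode.D) {
+typ := d.FieldU16("type", d.MapUToStrSym(nameResolutionRecordMap))
+length := d.FieldU16("length")
+if typ == nameResolutionRecordEnd {
+seenEnd = true
+return
+}
+d.LenFn(int64(length)*8, func(d *decode.D) {
+switch typ {
+case nameResolutionRecordIpv4:
+d.FieldU32BE("address", mapUToIPv4Sym, d.Hex)
+d.FieldArray("entries", func(d *decode.D) {
+for !d.End() {
+d.FieldUTF8Null("string")
+}
+})
+default:
+d.FieldUTF8NullFixedLen("value", int(d.BitsLeft()/8))
+}
+})
+d.FieldRawLen("padding", int64(d.AlignBits(32)))
+})
+}
+})
+d.FieldArray("options", func(d *decode.D) { decoodeOptions(d, nameResolutionOptionsMap) })
+},
+blockTypeInterfaceStatistics: func(d *decode.D, _ *decodeContext) {
+d.FieldU32("interface_id")
+d.FieldU32("timestamp_high")
+d.FieldU32("timestamp_low")
+d.FieldRawLen("padding", int64(d.AlignBits(32)))
+d.FieldArray("options", func(d *decode.D) { decoodeOptions(d, interfaceStatisticsOptionsMap) })
+},
+}
+func decodeBlock(d *decode.D, dc *decodeContext) {
+typ := d.FieldU32("type", d.MapUToScalar(blockTypeMap), d.Hex)
+length := d.FieldU32("length") - 8
+const footerLengthSize = 32
+d.LenFn(int64(length)*8-footerLengthSize, func(d *decode.D) {
+if fn, ok := blockFns[typ]; ok {
+fn(d, dc)
+} else {
+d.FieldRawLen("data", d.BitsLeft())
+}
+})
+d.FieldU32("footer_length")
+}
+func decodeSection(d *decode.D, dc *decodeContext) {
+d.FieldArray("blocks", func(d *decode.D) {
+sectionLength := int64(-1)
+sectionD := d
+sectionStart := d.Pos()
+// treat header block differently as it has endian info
+d.FieldStruct("block", func(d *decode.D) {
+d.FieldU32("type", d.AssertU(blockTypeSectionHeader), d.MapUToScalar(blockTypeMap), d.Hex)
+d.SeekRel(32)
+endian := d.FieldU32("byte_order_magic", d.MapUToStrSym(ngEndianMap), d.Hex)
+// peeks length and byte-order magic and marks away length
+switch endian {
+case ngBigEndian:
+d.Endian = decode.BigEndian
+case ngLittleEndian:
+d.Endian = decode.LittleEndian
+default:
+d.Fatalf("unknown endian %d", endian)
+}
+sectionD.Endian = d.Endian
+d.SeekRel(-64)
+length := d.FieldU32("length") - 8 - 4
+d.SeekRel(32)
+d.LenFn(int64(length)*8, func(d *decode.D) {
+d.FieldU16("major_version")
+d.FieldU16("minor_version")
+sectionLength = d.FieldS64("section_length")
+d.LenFn(d.BitsLeft()-32, func(d *decode.D) {
+d.FieldArray("options", func(d *decode.D) { decoodeOptions(d, sectionHeaderOptionsMap) })
+})
+d.FieldU32("footer_total_length")
+})
+dc.sectionHeaderFound = true
+})
+for (sectionLength == -1 && !d.End()) || (sectionLength != -1 && d.Pos()-sectionStart < sectionLength*8) {
+d.FieldStruct("block", func(d *decode.D) { decodeBlock(d, dc) })
+}
+})
+}
+func decodePcapng(d *decode.D, in interface{}) interface{} {
+sectionHeaders := 0
+for !d.End() {
+dc := decodeContext{
+interfaceTypes: map[int]int{},
+}
+d.FieldStruct("section", func(d *decode.D) {
+decodeSection(d, &dc)
+})
+if dc.sectionHeaderFound {
+sectionHeaders++
+}
+}
+if sectionHeaders == 0 {
+d.Fatalf("no section headers found")
+}
+return nil
+}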
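Review bot: Block lengths read from the file are decremented with no lower bound, in decodeBlock (`length := d.FieldU32("length") - 8`) and in decodeSection (`d.FieldU32("length") - 8 - 4`). A total length smaller than the fixed type, length and footer fields wraps the unsigned value, or makes `int64(length)*8-footerLengthSize` negative, before it reaches `d.LenFn`. I would read the field into a variable first and fail early, e.g. `if length < 12 { d.Fatalf("block length %d too small", length) }`, and only then subtract. `footer_length` is also never compared with the leading length, which would catch corrupt or crafted blocks cheaply. Finally, `decoodeOptions` (a typo for `decodeOptions`) loops on `for !seenEnd` without a `d.End()` check, so an option list with no end marker terminates only if the decoder errors at the block limit, which is worth confirming.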

278
format/pcap/shared.go Normal file

@ -0,0 +1,278 @@
package pcap
import "github.com/wader/fq/pkg/decode"
//nolint:revive
const (
LINKTYPE_NULL = 0
LINKTYPE_ETHERNET = 1
LINKTYPE_AX25 = 3
LINKTYPE_IEEE802_5 = 6
LINKTYPE_ARCNET_BSD = 7
LINKTYPE_SLIP = 8
LINKTYPE_PPP = 9
LINKTYPE_FDDI = 10
LINKTYPE_PPP_HDLC = 50
LINKTYPE_PPP_ETHER = 51
LINKTYPE_ATM_RFC1483 = 100
LINKTYPE_RAW = 101
LINKTYPE_C_HDLC = 104
LINKTYPE_IEEE802_11 = 105
LINKTYPE_FRELAY = 107
LINKTYPE_LOOP = 108
LINKTYPE_LINUX_SLL = 113
LINKTYPE_LTALK = 114
LINKTYPE_PFLOG = 117
LINKTYPE_IEEE802_11_PRISM = 119
LINKTYPE_IP_OVER_FC = 122
LINKTYPE_SUNATM = 123
LINKTYPE_IEEE802_11_RADIOTAP = 127
LINKTYPE_ARCNET_LINUX = 129
LINKTYPE_APPLE_IP_OVER_IEEE1394 = 138
LINKTYPE_MTP2_WITH_PHDR = 139
LINKTYPE_MTP2 = 140
LINKTYPE_MTP3 = 141
LINKTYPE_SCCP = 142
LINKTYPE_DOCSIS = 143
LINKTYPE_LINUX_IRDA = 144
LINKTYPE_USER0 = 147
LINKTYPE_USER1 = 148
LINKTYPE_USER2 = 149
LINKTYPE_USER3 = 150
LINKTYPE_USER4 = 151
LINKTYPE_USER5 = 152
LINKTYPE_USER6 = 153
LINKTYPE_USER7 = 154
LINKTYPE_USER8 = 155
LINKTYPE_USER9 = 156
LINKTYPE_USER10 = 157
LINKTYPE_USER11 = 158
LINKTYPE_USER12 = 159
LINKTYPE_USER13 = 160
LINKTYPE_USER14 = 161
LINKTYPE_USER15 = 162
LINKTYPE_IEEE802_11_AVS = 163
LINKTYPE_BACNET_MS_TP = 165
LINKTYPE_PPP_PPPD = 166
LINKTYPE_GPRS_LLC = 169
LINKTYPE_GPF_T = 170
LINKTYPE_GPF_F = 171
LINKTYPE_LINUX_LAPD = 177
LINKTYPE_MFR = 182
LINKTYPE_BLUETOOTH_HCI_H4 = 187
LINKTYPE_USB_LINUX = 189
LINKTYPE_PPI = 192
LINKTYPE_IEEE802_15_4_WITHFCS = 195
LINKTYPE_SITA = 196
LINKTYPE_ERF = 197
LINKTYPE_BLUETOOTH_HCI_H4_WITH_PHDR = 201
LINKTYPE_AX25_KISS = 202
LINKTYPE_LAPD = 203
LINKTYPE_PPP_WITH_DIR = 204
LINKTYPE_C_HDLC_WITH_DIR = 205
LINKTYPE_FRELAY_WITH_DIR = 206
LINKTYPE_LAPB_WITH_DIR = 207
LINKTYPE_IPMB_LINUX = 209
LINKTYPE_FLEXRAY = 210
LINKTYPE_LIN = 212
LINKTYPE_IEEE802_15_4_NONASK_PHY = 215
LINKTYPE_USB_LINUX_MMAPPED = 220
LINKTYPE_FC_2 = 224
LINKTYPE_FC_2_WITH_FRAME_DELIMS = 225
LINKTYPE_IPNET = 226
LINKTYPE_CAN_SOCKETCAN = 227
LINKTYPE_IPV4 = 228
LINKTYPE_IPV6 = 229
LINKTYPE_IEEE802_15_4_NOFCS = 230
LINKTYPE_DBUS = 231
LINKTYPE_DVB_CI = 235
LINKTYPE_MUX27010 = 236
LINKTYPE_STANAG_5066_D_PDU = 237
LINKTYPE_NFLOG = 239
LINKTYPE_NETANALYZER = 240
LINKTYPE_NETANALYZER_TRANSPARENT = 241
LINKTYPE_IPOIB = 242
LINKTYPE_MPEG_2_TS = 243
LINKTYPE_NG40 = 244
LINKTYPE_NFC_LLCP = 245
LINKTYPE_INFINIBAND = 247
LINKTYPE_SCTP = 248
LINKTYPE_USBPCAP = 249
LINKTYPE_RTAC_SERIAL = 250
LINKTYPE_BLUETOOTH_LE_LL = 251
LINKTYPE_NETLINK = 253
LINKTYPE_BLUETOOTH_LINUX_MONITOR = 254
LINKTYPE_BLUETOOTH_BREDR_BB = 255
LINKTYPE_BLUETOOTH_LE_LL_WITH_PHDR = 256
LINKTYPE_PROFIBUS_DL = 257
LINKTYPE_PKTAP = 258
LINKTYPE_EPON = 259
LINKTYPE_IPMI_HPM_2 = 260
LINKTYPE_ZWAVE_R1_R2 = 261
LINKTYPE_ZWAVE_R3 = 262
LINKTYPE_WATTSTOPPER_DLM = 263
LINKTYPE_ISO_14443 = 264
LINKTYPE_RDS = 265
LINKTYPE_USB_DARWIN = 266
LINKTYPE_SDLC = 268
LINKTYPE_LORATAP = 270
LINKTYPE_VSOCK = 271
LINKTYPE_NORDIC_BLE = 272
LINKTYPE_DOCSIS31_XRA31 = 273
LINKTYPE_ETHERNET_MPACKET = 274
LINKTYPE_DISPLAYPORT_AUX = 275
LINKTYPE_LINUX_SLL2 = 276
LINKTYPE_OPENVIZSLA = 278
LINKTYPE_EBHSCR = 279
LINKTYPE_VPP_DISPATCH = 280
LINKTYPE_DSA_TAG_BRCM = 281
LINKTYPE_DSA_TAG_BRCM_PREPEND = 282
LINKTYPE_IEEE802_15_4_TAP = 283
LINKTYPE_DSA_TAG_DSA = 284
LINKTYPE_DSA_TAG_EDSA = 285
LINKTYPE_ELEE = 286
LINKTYPE_Z_WAVE_SERIAL = 287
LINKTYPE_USB_2_0 = 288
LINKTYPE_ATSC_ALP = 289
LINKTYPE_ETW = 290
)
// from https://www.tcpdump.org/linktypes.html
// TODO cleanup
var linkTypeMap = decode.UToScalar{
LINKTYPE_NULL: {Sym: "null", Description: `BSD loopback encapsulation`},
LINKTYPE_ETHERNET: {Sym: "ethernet", Description: `IEEE 802.3 Ethernet`},
LINKTYPE_AX25: {Sym: "ax25", Description: `AX.25 packet, with nothing preceding it.`},
LINKTYPE_IEEE802_5: {Sym: "ieee802_5", Description: `IEEE 802.5 Token Ring`},
LINKTYPE_ARCNET_BSD: {Sym: "arcnet_bsd", Description: `ARCNET Data Packets`},
LINKTYPE_SLIP: {Sym: "slip", Description: `SLIP, encapsulated with a LINKTYPE_SLIP header.`},
LINKTYPE_PPP: {Sym: "ppp", Description: `PPP`},
LINKTYPE_FDDI: {Sym: "fddi", Description: `FDDI`},
LINKTYPE_PPP_HDLC: {Sym: "ppp_hdlc", Description: `PPP in HDLC-like framing`},
LINKTYPE_PPP_ETHER: {Sym: "ppp_ether", Description: `PPPoE`},
LINKTYPE_ATM_RFC1483: {Sym: "atm_rfc1483", Description: `RFC 1483 LLC/SNAP-encapsulated ATM; the packet begins with an ISO 8802-2 (formerly known as IEEE 802.2) LLC header.`},
LINKTYPE_RAW: {Sym: "raw", Description: `Raw IP; the packet begins with an IPv4 or IPv6 header, with the "version" field of the header indicating whether it's an IPv4 or IPv6 header.`},
LINKTYPE_C_HDLC: {Sym: "c_hdlc", Description: `Cisco PPP with HDLC framing, as per section 4.3.1 of RFC 1547.`},
LINKTYPE_IEEE802_11: {Sym: "ieee802_11", Description: `IEEE 802.11 wireless LAN.`},
LINKTYPE_FRELAY: {Sym: "frelay", Description: `Frame Relay LAPF frames, beginning with a ITU-T Recommendation Q.922 LAPF header starting with the address field, and without an FCS at the end of the frame.`},
LINKTYPE_LOOP: {Sym: "loop", Description: `OpenBSD loopback encapsulation; the link-layer header is a 4-byte field, in network byte order, containing a value of 2 for IPv4 packets, a value of either 24, 28, or 30 for IPv6 packets, a value of 7 for OSI packets, or a value of 23 for IPX packets. All of the IPv6 values correspond to IPv6 packets; code reading files should check for all of them.`},
LINKTYPE_LINUX_SLL: {Sym: "linux_sll", Description: `Linux "cooked" capture encapsulation.`},
LINKTYPE_LTALK: {Sym: "ltalk", Description: `Apple LocalTalk; the packet begins with an AppleTalk LocalTalk Link Access Protocol header, as described in chapter 1 of Inside AppleTalk, Second Edition.`},
LINKTYPE_PFLOG: {Sym: "pflog", Description: `OpenBSD pflog; the link-layer header contains a "struct pfloghdr" structure, as defined by the host on which the file was saved. (This differs from operating system to operating system and release to release; there is nothing in the file to indicate what the layout of that structure is.)`},
LINKTYPE_IEEE802_11_PRISM: {Sym: "ieee802_11_prism", Description: `Prism monitor mode information followed by an 802.11 header.`},
LINKTYPE_IP_OVER_FC: {Sym: "ip_over_fc", Description: `RFC 2625 IP-over-Fibre Channel, with the link-layer header being the Network_Header as described in that RFC.`},
LINKTYPE_SUNATM: {Sym: "sunatm", Description: `ATM traffic, encapsulated as per the scheme used by SunATM devices.`},
LINKTYPE_IEEE802_11_RADIOTAP: {Sym: "ieee802_11_radiotap", Description: `Radiotap link-layer information followed by an 802.11 header.`},
LINKTYPE_ARCNET_LINUX: {Sym: "arcnet_linux", Description: `ARCNET Data Packets, as described by the ARCNET Trade Association standard ATA 878.1-1999, but without the Starting Delimiter, Information Length, or Frame Check Sequence fields, with only the first ISU of the Destination Identifier, and with an extra two-ISU "offset" field following the Destination Identifier. For most packet types, ARCNET Trade Association draft standard ATA 878.2 is also used; however, no exception frames are supplied, and reassembled frames, rather than fragments, are supplied. See also RFC 1051 and RFC 1201; for RFC 1051 frames, ATA 878.2 is not used.`},
LINKTYPE_APPLE_IP_OVER_IEEE1394: {Sym: "apple_ip_over_ieee1394", Description: `Apple IP-over-IEEE 1394 cooked header.`},
LINKTYPE_MTP2_WITH_PHDR: {Sym: "mtp2_with_phdr", Description: `Signaling System 7 Message Transfer Part Level 2, as specified by ITU-T Recommendation Q.703, preceded by a pseudo-header.`},
LINKTYPE_MTP2: {Sym: "mtp2", Description: `Signaling System 7 Message Transfer Part Level 2, as specified by ITU-T Recommendation Q.703.`},
LINKTYPE_MTP3: {Sym: "mtp3", Description: `Signaling System 7 Message Transfer Part Level 3, as specified by ITU-T Recommendation Q.704, with no MTP2 header preceding the MTP3 packet.`},
LINKTYPE_SCCP: {Sym: "sccp", Description: `Signaling System 7 Signalling Connection Control Part, as specified by ITU-T Recommendation Q.711, ITU-T Recommendation Q.712, ITU-T Recommendation Q.713, and ITU-T Recommendation Q.714, with no MTP3 or MTP2 headers preceding the SCCP packet.`},
LINKTYPE_DOCSIS: {Sym: "docsis", Description: `DOCSIS MAC frames, as described by the DOCSIS 3.1 MAC and Upper Layer Protocols Interface Specification or earlier specifications for MAC frames.`},
LINKTYPE_LINUX_IRDA: {Sym: "linux_irda", Description: `Linux-IrDA packets, with a LINKTYPE_LINUX_IRDA header, with the payload for IrDA frames beginning with by the IrLAP header as defined by IrDA Data Specifications, including the IrDA Link Access Protocol specification.`},
LINKTYPE_USER0: {Sym: "user0", Description: `Reserved for private use`},
LINKTYPE_USER1: {Sym: "user0", Description: `Reserved for private use`},
LINKTYPE_USER2: {Sym: "user0", Description: `Reserved for private use`},
LINKTYPE_USER3: {Sym: "user0", Description: `Reserved for private use`},
LINKTYPE_USER4: {Sym: "user0", Description: `Reserved for private use`},
LINKTYPE_USER5: {Sym: "user0", Description: `Reserved for private use`},
LINKTYPE_USER6: {Sym: "user0", Description: `Reserved for private use`},
LINKTYPE_USER7: {Sym: "user0", Description: `Reserved for private use`},
LINKTYPE_USER8: {Sym: "user0", Description: `Reserved for private use`},
LINKTYPE_USER9: {Sym: "user0", Description: `Reserved for private use`},
LINKTYPE_USER10: {Sym: "user0", Description: `Reserved for private use`},
LINKTYPE_USER11: {Sym: "user0", Description: `Reserved for private use`},
LINKTYPE_USER12: {Sym: "user0", Description: `Reserved for private use`},
LINKTYPE_USER13: {Sym: "user0", Description: `Reserved for private use`},
LINKTYPE_USER14: {Sym: "user0", Description: `Reserved for private use`},
LINKTYPE_USER15: {Sym: "user0", Description: `Reserved for private use`},
LINKTYPE_IEEE802_11_AVS: {Sym: "ieee802_11_avs", Description: `AVS monitor mode information followed by an 802.11 header.`},
LINKTYPE_BACNET_MS_TP: {Sym: "bacnet_ms_tp", Description: `BACnet MS/TP frames, as specified by section 9.3 MS/TP Frame Format of ANSI/ASHRAE Standard 135, BACnet® - A Data Communication Protocol for Building Automation and Control Networks, including the preamble and, if present, the Data CRC.`},
LINKTYPE_PPP_PPPD: {Sym: "ppp_pppd", Description: `PPP in HDLC-like encapsulation, like LINKTYPE_PPP_HDLC, but with the 0xff address byte replaced by a direction indication - 0x00 for incoming and 0x01 for outgoing.`},
LINKTYPE_GPRS_LLC: {Sym: "gprs_llc", Description: `General Packet Radio Service Logical Link Control, as defined by 3GPP TS 04.64.`},
LINKTYPE_GPF_T: {Sym: "gpf_t", Description: `Transparent-mapped generic framing procedure, as specified by ITU-T Recommendation G.7041/Y.1303.`},
LINKTYPE_GPF_F: {Sym: "gpf_f", Description: `Frame-mapped generic framing procedure, as specified by ITU-T Recommendation G.7041/Y.1303.`},
LINKTYPE_LINUX_LAPD: {Sym: "linux_lapd", Description: `Link Access Procedures on the D Channel (LAPD) frames, as specified by ITU-T Recommendation Q.920 and ITU-T Recommendation Q.921, captured via vISDN, with a LINKTYPE_LINUX_LAPD header, followed by the Q.921 frame, starting with the address field.`},
LINKTYPE_MFR: {Sym: "mfr", Description: `FRF.16.1 Multi-Link Frame Relay frames, beginning with an FRF.12 Interface fragmentation format fragmentation header.`},
LINKTYPE_BLUETOOTH_HCI_H4: {Sym: "bluetooth_hci_h4", Description: `Bluetooth HCI UART transport layer; the frame contains an HCI packet indicator byte, as specified by the UART Transport Layer portion of the most recent Bluetooth Core specification, followed by an HCI packet of the specified packet type, as specified by the Host Controller Interface Functional Specification portion of the most recent Bluetooth Core Specification.`},
LINKTYPE_USB_LINUX: {Sym: "usb_linux", Description: `USB packets, beginning with a Linux USB header, as specified by the struct usbmon_packet in the Documentation/usb/usbmon.txt file in the Linux source tree. Only the first 48 bytes of that header are present. All fields in the header are in host byte order. When performing a live capture, the host byte order is the byte order of the machine on which the packets are captured. When reading a pcap file, the byte order is the byte order for the file, as specified by the file's magic number; when reading a pcapng file, the byte order is the byte order for the section of the pcapng file, as specified by the Section Header Block.`},
LINKTYPE_PPI: {Sym: "ppi", Description: `Per-Packet Information information, as specified by the Per-Packet Information Header Specification, followed by a packet with the LINKTYPE_ value specified by the pph_dlt field of that header.`},
LINKTYPE_IEEE802_15_4_WITHFCS: {Sym: "ieee802_15_4_withfcs", Description: `IEEE 802.15.4 Low-Rate Wireless Networks, with each packet having the FCS at the end of the frame.`},
LINKTYPE_SITA: {Sym: "sita", Description: `Various link-layer types, with a pseudo-header, for SITA.`},
LINKTYPE_ERF: {Sym: "erf", Description: `Various link-layer types, with a pseudo-header, for Endace DAG cards; encapsulates Endace ERF records.`},
LINKTYPE_BLUETOOTH_HCI_H4_WITH_PHDR: {Sym: "bluetooth_hci_h4_with_phdr", Description: `Bluetooth HCI UART transport layer; the frame contains a 4-byte direction field, in network byte order (big-endian), the low-order bit of which is set if the frame was sent from the host to the controller and clear if the frame was received by the host from the controller, followed by an HCI packet indicator byte, as specified by the UART Transport Layer portion of the most recent Bluetooth Core specification, followed by an HCI packet of the specified packet type, as specified by the Host Controller Interface Functional Specification portion of the most recent Bluetooth Core Specification.`},
LINKTYPE_AX25_KISS: {Sym: "ax25_kiss", Description: `AX.25 packet, with a 1-byte KISS header containing a type indicator.`},
LINKTYPE_LAPD: {Sym: "lapd", Description: `Link Access Procedures on the D Channel (LAPD) frames, as specified by ITU-T Recommendation Q.920 and ITU-T Recommendation Q.921, starting with the address field, with no pseudo-header.`},
LINKTYPE_PPP_WITH_DIR: {Sym: "ppp_with_dir", Description: `PPP, as per RFC 1661 and RFC 1662, preceded with a one-byte pseudo-header with a zero value meaning "received by this host" and a non-zero value meaning "sent by this host"; if the first 2 bytes are 0xff and 0x03, it's PPP in HDLC-like framing, with the PPP header following those two bytes, otherwise it's PPP without framing, and the packet begins with the PPP header. The data in the frame is not octet-stuffed or bit-stuffed.`},
LINKTYPE_C_HDLC_WITH_DIR: {Sym: "c_hdlc_with_dir", Description: `Cisco PPP with HDLC framing, as per section 4.3.1 of RFC 1547, preceded with a one-byte pseudo-header with a zero value meaning "received by this host" and a non-zero value meaning "sent by this host".`},
LINKTYPE_FRELAY_WITH_DIR: {Sym: "frelay_with_dir", Description: `Frame Relay LAPF frames, beginning with a one-byte pseudo-header with a zero value meaning "received by this host" (DCE->DTE) and a non-zero value meaning "sent by this host" (DTE->DCE), followed by an ITU-T Recommendation Q.922 LAPF header starting with the address field, and without an FCS at the end of the frame.`},
LINKTYPE_LAPB_WITH_DIR: {Sym: "lapb_with_dir", Description: `Link Access Procedure, Balanced (LAPB), as specified by ITU-T Recommendation X.25, preceded with a one-byte pseudo-header with a zero value meaning "received by this host" (DCE->DTE) and a non-zero value meaning "sent by this host" (DTE->DCE).`},
LINKTYPE_IPMB_LINUX: {Sym: "ipmb_linux", Description: `IPMB over an I2C circuit, with a Linux-specific pseudo-header.`},
LINKTYPE_FLEXRAY: {Sym: "flexray", Description: `FlexRay automotive bus frames or symbols, preceded by a pseudo-header.`},
LINKTYPE_LIN: {Sym: "lin", Description: `Local Interconnect Network (LIN) automotive bus, preceded by a pseudo-header.`},
LINKTYPE_IEEE802_15_4_NONASK_PHY: {Sym: "ieee802_15_4_nonask_phy", Description: `IEEE 802.15.4 Low-Rate Wireless Networks, with each packet having the FCS at the end of the frame, and with the PHY-level data for the O-QPSK, BPSK, GFSK, MSK, and RCC DSS BPSK PHYs (4 octets of 0 as preamble, one octet of SFD, one octet of frame length + reserved bit) preceding the MAC-layer data (starting with the frame control field).`},
LINKTYPE_USB_LINUX_MMAPPED: {Sym: "usb_linux_mmapped", Description: `USB packets, beginning with a Linux USB header, as specified by the struct usbmon_packet in the Documentation/usb/usbmon.txt file in the Linux source tree. All 64 bytes of the header are present. All fields in the header are in host byte order. When performing a live capture, the host byte order is the byte order of the machine on which the packets are captured. When reading a pcap file, the byte order is the byte order for the file, as specified by the file's magic number; when reading a pcapng file, the byte order is the byte order for the section of the pcapng file, as specified by the Section Header Block. For isochronous transfers, the ndesc field specifies the number of isochronous descriptors that follow.`},
LINKTYPE_FC_2: {Sym: "fc_2", Description: `Fibre Channel FC-2 frames, beginning with a Frame_Header.`},
LINKTYPE_FC_2_WITH_FRAME_DELIMS: {Sym: "fc_2_with_frame_delims", Description: `Fibre Channel FC-2 frames, beginning an encoding of the SOF, followed by a Frame_Header, and ending with an encoding of the SOF.`},
LINKTYPE_IPNET: {Sym: "ipnet", Description: `Solaris ipnet pseudo-header, followed by an IPv4 or IPv6 datagram.`},
LINKTYPE_CAN_SOCKETCAN: {Sym: "can_socketcan", Description: `CAN (Controller Area Network) frames, with a pseudo-header followed by the frame payload.`},
LINKTYPE_IPV4: {Sym: "ipv4", Description: `Raw IPv4; the packet begins with an IPv4 header.`},
LINKTYPE_IPV6: {Sym: "ipv6", Description: `Raw IPv6; the packet begins with an IPv6 header.`},
LINKTYPE_IEEE802_15_4_NOFCS: {Sym: "ieee802_15_4_nofcs", Description: `IEEE 802.15.4 Low-Rate Wireless Network, without the FCS at the end of the frame.`},
LINKTYPE_DBUS: {Sym: "dbus", Description: `Raw D-Bus messages, starting with the endianness flag, followed by the message type, etc., but without the authentication handshake before the message sequence.`},
LINKTYPE_DVB_CI: {Sym: "dvb_ci", Description: `DVB-CI (DVB Common Interface for communication between a PC Card module and a DVB receiver), with the message format specified by the PCAP format for DVB-CI specification.`},
LINKTYPE_MUX27010: {Sym: "mux27010", Description: `Variant of 3GPP TS 27.010 multiplexing protocol (similar to, but not the same as, 27.010).`},
LINKTYPE_STANAG_5066_D_PDU: {Sym: "stanag_5066_d_pdu", Description: `D_PDUs as described by NATO standard STANAG 5066, starting with the synchronization sequence, and including both header and data CRCs. The current version of STANAG 5066 is backwards-compatible with the 1.0.2 version, although newer versions are classified.`},
LINKTYPE_NFLOG: {Sym: "nflog", Description: `Linux netlink NETLINK NFLOG socket log messages.`},
LINKTYPE_NETANALYZER: {Sym: "netanalyzer", Description: `Pseudo-header for Hilscher Gesellschaft für Systemautomation mbH netANALYZER devices, followed by an Ethernet frame, beginning with the MAC header and ending with the FCS.`},
LINKTYPE_NETANALYZER_TRANSPARENT: {Sym: "netanalyzer_transparent", Description: `Pseudo-header for Hilscher Gesellschaft für Systemautomation mbH netANALYZER devices, followed by an Ethernet frame, beginning with the preamble, SFD, and MAC header, and ending with the FCS.`},
LINKTYPE_IPOIB: {Sym: "ipoib", Description: `IP-over-InfiniBand, as specified by RFC 4391 section 6.`},
LINKTYPE_MPEG_2_TS: {Sym: "mpeg_2_ts", Description: `MPEG-2 Transport Stream transport packets, as specified by ISO 13818-1/ITU-T Recommendation H.222.0 (see table 2-2 of section 2.4.3.2 "Transport Stream packet layer").`},
LINKTYPE_NG40: {Sym: "ng40", Description: `Pseudo-header for ng4T GmbH's UMTS Iub/Iur-over-ATM and Iub/Iur-over-IP format as used by their ng40 protocol tester, followed by frames for the Frame Protocol as specified by 3GPP TS 25.427 for dedicated channels and 3GPP TS 25.435 for common/shared channels in the case of ATM AAL2 or UDP traffic, by SSCOP packets as specified by ITU-T Recommendation Q.2110 for ATM AAL5 traffic, and by NBAP packets for SCTP traffic.`},
LINKTYPE_NFC_LLCP: {Sym: "nfc_llcp", Description: `Pseudo-header for NFC LLCP packet captures, followed by frame data for the LLCP Protocol as specified by NFCForum-TS-LLCP_1.1.`},
LINKTYPE_INFINIBAND: {Sym: "infiniband", Description: `Raw InfiniBand frames, starting with the Local Routing Header, as specified in Chapter 5 "Data packet format" of InfiniBand™ Architectural Specification Release 1.2.1 Volume 1 - General Specifications.`},
LINKTYPE_SCTP: {Sym: "sctp", Description: `SCTP packets, as defined by RFC 4960, with no lower-level protocols such as IPv4 or IPv6.`},
LINKTYPE_USBPCAP: {Sym: "usbpcap", Description: `USB packets, beginning with a USBPcap header.`},
LINKTYPE_RTAC_SERIAL: {Sym: "rtac_serial", Description: `Serial-line packet header for the Schweitzer Engineering Laboratories "RTAC" product, followed by a payload for one of a number of industrial control protocols.`},
LINKTYPE_BLUETOOTH_LE_LL: {Sym: "bluetooth_le_ll", Description: `Bluetooth Low Energy air interface Link Layer packets, in the format described in section 2.1 "PACKET FORMAT" of volume 6 of the Bluetooth Specification Version 4.0 (see PDF page 2200), but without the Preamble.`},
LINKTYPE_NETLINK: {Sym: "netlink", Description: `Linux Netlink capture encapsulation.`},
LINKTYPE_BLUETOOTH_LINUX_MONITOR: {Sym: "bluetooth_linux_monitor", Description: `Bluetooth Linux Monitor encapsulation of traffic for the BlueZ stack.`},
LINKTYPE_BLUETOOTH_BREDR_BB: {Sym: "bluetooth_bredr_bb", Description: `Bluetooth Basic Rate and Enhanced Data Rate baseband packets.`},
LINKTYPE_BLUETOOTH_LE_LL_WITH_PHDR: {Sym: "bluetooth_le_ll_with_phdr", Description: `Bluetooth Low Energy link-layer packets.`},
LINKTYPE_PROFIBUS_DL: {Sym: "profibus_dl", Description: `PROFIBUS data link layer packets, as specified by IEC standard 61158-4-3, beginning with the start delimiter, ending with the end delimiter, and including all octets between them.`},
LINKTYPE_PKTAP: {Sym: "pktap", Description: `Apple PKTAP capture encapsulation.`},
LINKTYPE_EPON: {Sym: "epon", Description: `Ethernet-over-passive-optical-network packets, starting with the last 6 octets of the modified preamble as specified by 65.1.3.2 "Transmit" in Clause 65 of Section 5 of IEEE 802.3, followed immediately by an Ethernet frame.`},
LINKTYPE_IPMI_HPM_2: {Sym: "ipmi_hpm_2", Description: `IPMI trace packets, as specified by Table 3-20 "Trace Data Block Format" in the PICMG HPM.2 specification. The time stamps for packets in this format must match the time stamps in the Trace Data Blocks.`},
LINKTYPE_ZWAVE_R1_R2: {Sym: "zwave_r1_r2", Description: `Z-Wave RF profile R1 and R2 packets, as specified by ITU-T Recommendation G.9959, with some MAC layer fields moved.`},
LINKTYPE_ZWAVE_R3: {Sym: "zwave_r3", Description: `Z-Wave RF profile R3 packets, as specified by ITU-T Recommendation G.9959, with some MAC layer fields moved.`},
LINKTYPE_WATTSTOPPER_DLM: {Sym: "wattstopper_dlm", Description: `Formats for WattStopper Digital Lighting Management (DLM) and Legrand Nitoo Open protocol common packet structure captures.`},
LINKTYPE_ISO_14443: {Sym: "iso_14443", Description: `Messages between ISO 14443 contactless smartcards (Proximity Integrated Circuit Card, PICC) and card readers (Proximity Coupling Device, PCD), with the message format specified by the PCAP format for ISO14443 specification.`},
LINKTYPE_RDS: {Sym: "rds", Description: `Radio data system (RDS) groups, as per IEC 62106, encapsulated in this form.`},
LINKTYPE_USB_DARWIN: {Sym: "usb_darwin", Description: `USB packets, beginning with a Darwin (macOS, etc.) USB header.`},
LINKTYPE_SDLC: {Sym: "sdlc", Description: `SDLC packets, as specified by Chapter 1, "DLC Links", section "Synchronous Data Link Control (SDLC)" of Systems Network Architecture Formats, GA27-3136-20, without the flag fields, zero-bit insertion, or Frame Check Sequence field, containing SNA path information units (PIUs) as the payload.`},
LINKTYPE_LORATAP: {Sym: "loratap", Description: `LoRaTap pseudo-header, followed by the payload, which is typically the PHYPayload from the LoRaWan specification.`},
LINKTYPE_VSOCK: {Sym: "vsock", Description: `Protocol for communication between host and guest machines in VMware and KVM hypervisors.`},
LINKTYPE_NORDIC_BLE: {Sym: "nordic_ble", Description: `Messages to and from a Nordic Semiconductor nRF Sniffer for Bluetooth LE packets, beginning with a pseudo-header.`},
LINKTYPE_DOCSIS31_XRA31: {Sym: "docsis31_xra31", Description: `DOCSIS packets and bursts, preceded by a pseudo-header giving metadata about the packet.`},
LINKTYPE_ETHERNET_MPACKET: {Sym: "ethernet_mpacket", Description: `mPackets, as specified by IEEE 802.3br Figure 99-4, starting with the preamble and always ending with a CRC field.`},
LINKTYPE_DISPLAYPORT_AUX: {Sym: "displayport_aux", Description: `DisplayPort AUX channel monitoring data as specified by VESA DisplayPort(DP) Standard preceded by a pseudo-header.`},
LINKTYPE_LINUX_SLL2: {Sym: "linux_sll2", Description: `Linux "cooked" capture encapsulation v2.`},
LINKTYPE_OPENVIZSLA: {Sym: "openvizsla", Description: `Openvizsla FPGA-based USB sniffer.`},
LINKTYPE_EBHSCR: {Sym: "ebhscr", Description: `Elektrobit High Speed Capture and Replay (EBHSCR) format.`},
LINKTYPE_VPP_DISPATCH: {Sym: "vpp_dispatch", Description: `Records in traces from the http://fd.io VPP graph dispatch tracer, in the the graph dispatcher trace format.`},
LINKTYPE_DSA_TAG_BRCM: {Sym: "dsa_tag_brcm", Description: `Ethernet frames, with a switch tag inserted between the source address field and the type/length field in the Ethernet header.`},
LINKTYPE_DSA_TAG_BRCM_PREPEND: {Sym: "dsa_tag_brcm_prepend", Description: `Ethernet frames, with a switch tag inserted before the destination address in the Ethernet header.`},
LINKTYPE_IEEE802_15_4_TAP: {Sym: "ieee802_15_4_tap", Description: `IEEE 802.15.4 Low-Rate Wireless Networks, with a pseudo-header containing TLVs with metadata preceding the 802.15.4 header.`},
LINKTYPE_DSA_TAG_DSA: {Sym: "dsa_tag_dsa", Description: `Ethernet frames, with a switch tag inserted between the source address field and the type/length field in the Ethernet header.`},
LINKTYPE_DSA_TAG_EDSA: {Sym: "dsa_tag_edsa", Description: `Ethernet frames, with a programmable Ethernet type switch tag inserted between the source address field and the type/length field in the Ethernet header.`},
LINKTYPE_ELEE: {Sym: "elee", Description: `Payload of lawful intercept packets using the ELEE protocol. The packet begins with the ELEE header; it does not include any transport-layer or lower-layer headers for protcols used to transport ELEE packets.`},
LINKTYPE_Z_WAVE_SERIAL: {Sym: "z_wave_serial", Description: `Serial frames transmitted between a host and a Z-Wave chip over an RS-232 or USB serial connection, as described in section 5 of the Z-Wave Serial API Host Application Programming Guide.`},
LINKTYPE_USB_2_0: {Sym: "usb_2_0", Description: `USB 2.0, 1.1, or 1.0 packet, beginning with a PID, as described by Chapter 8 "Protocol Layer" of the the Universal Serial Bus Specification Revision 2.0.`},
LINKTYPE_ATSC_ALP: {Sym: "atsc_alp", Description: `ATSC Link-Layer Protocol frames, as described in section 5 of the A/330 Link-Layer Protocol specification, found at the ATSC 3.0 standards page, beginning with a Base Header.`},
LINKTYPE_ETW: {Sym: "etw", Description: `Event Tracing for Windows messages, beginning with a pseudo-header.`},
}
var linkToFormat = map[int]*decode.Group{
LINKTYPE_ETHERNET: &pcapngEther8023Format,
}


@ -0,0 +1,202 @@
# from https://wiki.wireshark.org/Development/PcapNg
$ fq -d pcapng verbose /dhcp_big_endian.pcapng
|00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f|0123456789abcdef|.: [1] /dhcp_big_endian.pcapng (pcapng) 0x0-0x5fb.7 (1532)
| | | [0]: section {} 0x0-0x5fb.7 (1532)
| | | blocks: [7] 0x0-0x5fb.7 (1532)
| | | [0]: block {} 0x0-0x1b.7 (28)
0x000|0a 0d 0d 0a |.... | type: "section_header" (0xa0d0d0a) (Section Header Block) 0x0-0x3.7 (4)
0x000| 00 00 00 1c | .... | length: 28 0x4-0x7.7 (4)
0x000| 1a 2b 3c 4d | .+<M | byte_order_magic: "big_endian" (0x1a2b3c4d) 0x8-0xb.7 (4)
0x000| 00 01 | .. | major_version: 1 0xc-0xd.7 (2)
0x000| 00 00| ..| minor_version: 0 0xe-0xf.7 (2)
0x010|ff ff ff ff ff ff ff ff |........ | section_length: -1 0x10-0x17.7 (8)
| | | options: [0] 0x18-NA (0)
0x010| 00 00 00 1c | .... | footer_total_length: 28 0x18-0x1b.7 (4)
| | | [1]: block {} 0x1c-0x2f.7 (20)
0x010| 00 00 00 01| ....| type: "interface_description" (0x1) (Interface Description Block) 0x1c-0x1f.7 (4)
0x020|00 00 00 14 |.... | length: 20 0x20-0x23.7 (4)
0x020| 00 01 | .. | link_type: "ethernet" (1) (IEEE 802.3 Ethernet) 0x24-0x25.7 (2)
0x020| 00 00 | .. | reserved: 0 0x26-0x27.7 (2)
0x020| 00 04 00 00 | .... | snap_len: 262144 0x28-0x2b.7 (4)
| | | options: [0] 0x2c-NA (0)
0x020| 00 00 00 14| ....| footer_length: 20 0x2c-0x2f.7 (4)
| | | [2]: block {} 0x30-0x53.7 (36)
0x030|00 00 00 04 |.... | type: "name_resolution" (0x4) (Name Resolution Block) 0x30-0x33.7 (4)
0x030| 00 00 00 24 | ...$ | length: 36 0x34-0x37.7 (4)
| | | records: [2] 0x38-0x4f.7 (24)
| | | [0]: record {} 0x38-0x4b.7 (20)
0x030| 00 01 | .. | type: "ipv4" (1) 0x38-0x39.7 (2)
0x030| 00 0e | .. | length: 14 0x3a-0x3b.7 (2)
0x030| 7f 00 00 01| ....| address: "127.0.0.1" (0x7f000001) 0x3c-0x3f.7 (4)
| | | entries: [1] 0x40-0x49.7 (10)
0x040|6c 6f 63 61 6c 68 6f 73 74 00 |localhost. | [0]: string "localhost" 0x40-0x49.7 (10)
0x040| 00 00 | .. | padding: raw bits 0x4a-0x4b.7 (2)
| | | [1]: record {} 0x4c-0x4f.7 (4)
0x040| 00 00 | .. | type: "end" (0) 0x4c-0x4d.7 (2)
0x040| 00 00| ..| length: 0 0x4e-0x4f.7 (2)
| | | options: [0] 0x50-NA (0)
0x050|00 00 00 24 |...$ | footer_length: 36 0x50-0x53.7 (4)
| | | [3]: block {} 0x54-0x1af.7 (348)
0x050| 00 00 00 06 | .... | type: "enhanced_packet" (0x6) (Enhanced Packet Block) 0x54-0x57.7 (4)
0x050| 00 00 01 5c | ...\ | length: 348 0x58-0x5b.7 (4)
0x050| 00 00 00 00| ....| interface_id: 0 0x5c-0x5f.7 (4)
0x060|41 b3 5e 88 |A.^. | timestamp_high: 1102274184 0x60-0x63.7 (4)
0x060| 12 eb f2 c8 | .... | timestamp_low: 317453000 0x64-0x67.7 (4)
0x060| 00 00 01 3a | ...: | capture_packet_length: 314 0x68-0x6b.7 (4)
0x060| 00 00 01 3a| ...:| original_packet_length: 314 0x6c-0x6f.7 (4)
| | | packet: {} (ether8023) 0x70-0x1a9.7 (314)
0x070|ff ff ff ff ff ff |...... | destination: "ff:ff:ff:ff:ff:ff" (0xffffffffffff) 0x70-0x75.7 (6)
0x070| 00 0b 82 01 fc 42 | .....B | source: "00:0b:82:01:fc:42" (0xb8201fc42) 0x76-0x7b.7 (6)
0x070| 08 00 | .. | ether_type: "ipv4" (0x800) (Internet Protocol version 4) 0x7c-0x7d.7 (2)
| | | packet: {} (ipv4) 0x7e-0x1a9.7 (300)
0x070| 45 | E | version: 4 0x7e-0x7e.3 (0.4)
0x070| 45 | E | ihl: 5 0x7e.4-0x7e.7 (0.4)
0x070| 00| .| dscp: 0 0x7f-0x7f.5 (0.6)
0x070| 00| .| ecn: 0 0x7f.6-0x7f.7 (0.2)
0x080|01 2c |., | total_length: 300 0x80-0x81.7 (2)
0x080| a8 36 | .6 | identification: 43062 0x82-0x83.7 (2)
0x080| 00 | . | reserved: 0 0x84-0x84 (0.1)
0x080| 00 | . | dont_fragment: false 0x84.1-0x84.1 (0.1)
0x080| 00 | . | more_fragments: false 0x84.2-0x84.2 (0.1)
0x080| 00 00 | .. | fragment_offset: 0 0x84.3-0x85.7 (1.5)
0x080| fa | . | ttl: 250 0x86-0x86.7 (1)
0x080| 11 | . | protocol: "udp" (17) (user datagram protocol) 0x87-0x87.7 (1)
0x080| 17 8b | .. | header_checksum: 0x178b 0x88-0x89.7 (2)
0x080| 00 00 00 00 | .... | source_ip: "0.0.0.0" (0x0) 0x8a-0x8d.7 (4)
0x080| ff ff| ..| destination_ip: "255.255.255.255" (0xffffffff) 0x8e-0x91.7 (4)
0x090|ff ff |.. |
| | | data: {} (udp) 0x92-0x1a9.7 (280)
0x090| 00 44 | .D | source_port: "bootpc" (68) (Bootstrap Protocol Client) 0x92-0x93.7 (2)
0x090| 00 43 | .C | destination_port: "bootps" (67) (Bootstrap Protocol Server) 0x94-0x95.7 (2)
0x090| 01 18 | .. | length: 280 0x96-0x97.7 (2)
0x090| 59 1f | Y. | checksum: 0x591f 0x98-0x99.7 (2)
0x090| 01 01 06 00 00 00| ......| data: raw bits 0x9a-0x1a9.7 (272)
0x0a0|3d 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 00|=...............|
* |until 0x1a9.7 (272) | |
| | | capture_padding: raw bits 0x1aa-NA (0)
0x1a0| 00 00 | .. | padding: raw bits 0x1aa-0x1ab.7 (2)
| | | options: [0] 0x1ac-NA (0)
0x1a0| 00 00 01 5c| ...\| footer_length: 348 0x1ac-0x1af.7 (4)
| | | [4]: block {} 0x1b0-0x327.7 (376)
0x1b0|00 00 00 06 |.... | type: "enhanced_packet" (0x6) (Enhanced Packet Block) 0x1b0-0x1b3.7 (4)
0x1b0| 00 00 01 78 | ...x | length: 376 0x1b4-0x1b7.7 (4)
0x1b0| 00 00 00 00 | .... | interface_id: 0 0x1b8-0x1bb.7 (4)
0x1b0| 41 b3 5e 88| A.^.| timestamp_high: 1102274184 0x1bc-0x1bf.7 (4)
0x1c0|12 f0 73 20 |..s | timestamp_low: 317748000 0x1c0-0x1c3.7 (4)
0x1c0| 00 00 01 56 | ...V | capture_packet_length: 342 0x1c4-0x1c7.7 (4)
0x1c0| 00 00 01 56 | ...V | original_packet_length: 342 0x1c8-0x1cb.7 (4)
| | | packet: {} (ether8023) 0x1cc-0x321.7 (342)
0x1c0| 00 0b 82 01| ....| destination: "00:0b:82:01:fc:42" (0xb8201fc42) 0x1cc-0x1d1.7 (6)
0x1d0|fc 42 |.B |
0x1d0| 00 08 74 ad f1 9b | ..t... | source: "00:08:74:ad:f1:9b" (0x874adf19b) 0x1d2-0x1d7.7 (6)
0x1d0| 08 00 | .. | ether_type: "ipv4" (0x800) (Internet Protocol version 4) 0x1d8-0x1d9.7 (2)
| | | packet: {} (ipv4) 0x1da-0x321.7 (328)
0x1d0| 45 | E | version: 4 0x1da-0x1da.3 (0.4)
0x1d0| 45 | E | ihl: 5 0x1da.4-0x1da.7 (0.4)
0x1d0| 00 | . | dscp: 0 0x1db-0x1db.5 (0.6)
0x1d0| 00 | . | ecn: 0 0x1db.6-0x1db.7 (0.2)
0x1d0| 01 48 | .H | total_length: 328 0x1dc-0x1dd.7 (2)
0x1d0| 04 45| .E| identification: 1093 0x1de-0x1df.7 (2)
0x1e0|00 |. | reserved: 0 0x1e0-0x1e0 (0.1)
0x1e0|00 |. | dont_fragment: false 0x1e0.1-0x1e0.1 (0.1)
0x1e0|00 |. | more_fragments: false 0x1e0.2-0x1e0.2 (0.1)
0x1e0|00 00 |.. | fragment_offset: 0 0x1e0.3-0x1e1.7 (1.5)
0x1e0| 80 | . | ttl: 128 0x1e2-0x1e2.7 (1)
0x1e0| 11 | . | protocol: "udp" (17) (user datagram protocol) 0x1e3-0x1e3.7 (1)
0x1e0| 00 00 | .. | header_checksum: 0x0 0x1e4-0x1e5.7 (2)
0x1e0| c0 a8 00 01 | .... | source_ip: "192.168.0.1" (0xc0a80001) 0x1e6-0x1e9.7 (4)
0x1e0| c0 a8 00 0a | .... | destination_ip: "192.168.0.10" (0xc0a8000a) 0x1ea-0x1ed.7 (4)
| | | data: {} (udp) 0x1ee-0x321.7 (308)
0x1e0| 00 43| .C| source_port: "bootps" (67) (Bootstrap Protocol Server) 0x1ee-0x1ef.7 (2)
0x1f0|00 44 |.D | destination_port: "bootpc" (68) (Bootstrap Protocol Client) 0x1f0-0x1f1.7 (2)
0x1f0| 01 34 | .4 | length: 308 0x1f2-0x1f3.7 (2)
0x1f0| 22 33 | "3 | checksum: 0x2233 0x1f4-0x1f5.7 (2)
0x1f0| 02 01 06 00 00 00 3d 1d 00 00| ......=...| data: raw bits 0x1f6-0x321.7 (300)
0x200|00 00 00 00 00 00 c0 a8 00 0a c0 a8 00 01 00 00|................|
* |until 0x321.7 (300) | |
| | | capture_padding: raw bits 0x322-NA (0)
0x320| 00 00 | .. | padding: raw bits 0x322-0x323.7 (2)
| | | options: [0] 0x324-NA (0)
0x320| 00 00 01 78 | ...x | footer_length: 376 0x324-0x327.7 (4)
| | | [5]: block {} 0x328-0x483.7 (348)
0x320| 00 00 00 06 | .... | type: "enhanced_packet" (0x6) (Enhanced Packet Block) 0x328-0x32b.7 (4)
0x320| 00 00 01 5c| ...\| length: 348 0x32c-0x32f.7 (4)
0x330|00 00 00 00 |.... | interface_id: 0 0x330-0x333.7 (4)
0x330| 41 b3 5e 88 | A.^. | timestamp_high: 1102274184 0x334-0x337.7 (4)
0x330| 17 18 89 60 | ...` | timestamp_low: 387484000 0x338-0x33b.7 (4)
0x330| 00 00 01 3a| ...:| capture_packet_length: 314 0x33c-0x33f.7 (4)
0x340|00 00 01 3a |...: | original_packet_length: 314 0x340-0x343.7 (4)
| | | packet: {} (ether8023) 0x344-0x47d.7 (314)
0x340| ff ff ff ff ff ff | ...... | destination: "ff:ff:ff:ff:ff:ff" (0xffffffffffff) 0x344-0x349.7 (6)
0x340| 00 0b 82 01 fc 42| .....B| source: "00:0b:82:01:fc:42" (0xb8201fc42) 0x34a-0x34f.7 (6)
0x350|08 00 |.. | ether_type: "ipv4" (0x800) (Internet Protocol version 4) 0x350-0x351.7 (2)
| | | packet: {} (ipv4) 0x352-0x47d.7 (300)
0x350| 45 | E | version: 4 0x352-0x352.3 (0.4)
0x350| 45 | E | ihl: 5 0x352.4-0x352.7 (0.4)
0x350| 00 | . | dscp: 0 0x353-0x353.5 (0.6)
0x350| 00 | . | ecn: 0 0x353.6-0x353.7 (0.2)
0x350| 01 2c | ., | total_length: 300 0x354-0x355.7 (2)
0x350| a8 37 | .7 | identification: 43063 0x356-0x357.7 (2)
0x350| 00 | . | reserved: 0 0x358-0x358 (0.1)
0x350| 00 | . | dont_fragment: false 0x358.1-0x358.1 (0.1)
0x350| 00 | . | more_fragments: false 0x358.2-0x358.2 (0.1)
0x350| 00 00 | .. | fragment_offset: 0 0x358.3-0x359.7 (1.5)
0x350| fa | . | ttl: 250 0x35a-0x35a.7 (1)
0x350| 11 | . | protocol: "udp" (17) (user datagram protocol) 0x35b-0x35b.7 (1)
0x350| 17 8a | .. | header_checksum: 0x178a 0x35c-0x35d.7 (2)
0x350| 00 00| ..| source_ip: "0.0.0.0" (0x0) 0x35e-0x361.7 (4)
0x360|00 00 |.. |
0x360| ff ff ff ff | .... | destination_ip: "255.255.255.255" (0xffffffff) 0x362-0x365.7 (4)
| | | data: {} (udp) 0x366-0x47d.7 (280)
0x360| 00 44 | .D | source_port: "bootpc" (68) (Bootstrap Protocol Client) 0x366-0x367.7 (2)
0x360| 00 43 | .C | destination_port: "bootps" (67) (Bootstrap Protocol Server) 0x368-0x369.7 (2)
0x360| 01 18 | .. | length: 280 0x36a-0x36b.7 (2)
0x360| 9f bd | .. | checksum: 0x9fbd 0x36c-0x36d.7 (2)
0x360| 01 01| ..| data: raw bits 0x36e-0x47d.7 (272)
0x370|06 00 00 00 3d 1e 00 00 00 00 00 00 00 00 00 00|....=...........|
* |until 0x47d.7 (272) | |
| | | capture_padding: raw bits 0x47e-NA (0)
0x470| 00 00| ..| padding: raw bits 0x47e-0x47f.7 (2)
| | | options: [0] 0x480-NA (0)
0x480|00 00 01 5c |...\ | footer_length: 348 0x480-0x483.7 (4)
| | | [6]: block {} 0x484-0x5fb.7 (376)
0x480| 00 00 00 06 | .... | type: "enhanced_packet" (0x6) (Enhanced Packet Block) 0x484-0x487.7 (4)
0x480| 00 00 01 78 | ...x | length: 376 0x488-0x48b.7 (4)
0x480| 00 00 00 00| ....| interface_id: 0 0x48c-0x48f.7 (4)
0x490|41 b3 5e 88 |A.^. | timestamp_high: 1102274184 0x490-0x493.7 (4)
0x490| 17 1d 53 f0 | ..S. | timestamp_low: 387798000 0x494-0x497.7 (4)
0x490| 00 00 01 56 | ...V | capture_packet_length: 342 0x498-0x49b.7 (4)
0x490| 00 00 01 56| ...V| original_packet_length: 342 0x49c-0x49f.7 (4)
| | | packet: {} (ether8023) 0x4a0-0x5f5.7 (342)
0x4a0|00 0b 82 01 fc 42 |.....B | destination: "00:0b:82:01:fc:42" (0xb8201fc42) 0x4a0-0x4a5.7 (6)
0x4a0| 00 08 74 ad f1 9b | ..t... | source: "00:08:74:ad:f1:9b" (0x874adf19b) 0x4a6-0x4ab.7 (6)
0x4a0| 08 00 | .. | ether_type: "ipv4" (0x800) (Internet Protocol version 4) 0x4ac-0x4ad.7 (2)
| | | packet: {} (ipv4) 0x4ae-0x5f5.7 (328)
0x4a0| 45 | E | version: 4 0x4ae-0x4ae.3 (0.4)
0x4a0| 45 | E | ihl: 5 0x4ae.4-0x4ae.7 (0.4)
0x4a0| 00| .| dscp: 0 0x4af-0x4af.5 (0.6)
0x4a0| 00| .| ecn: 0 0x4af.6-0x4af.7 (0.2)
0x4b0|01 48 |.H | total_length: 328 0x4b0-0x4b1.7 (2)
0x4b0| 04 46 | .F | identification: 1094 0x4b2-0x4b3.7 (2)
0x4b0| 00 | . | reserved: 0 0x4b4-0x4b4 (0.1)
0x4b0| 00 | . | dont_fragment: false 0x4b4.1-0x4b4.1 (0.1)
0x4b0| 00 | . | more_fragments: false 0x4b4.2-0x4b4.2 (0.1)
0x4b0| 00 00 | .. | fragment_offset: 0 0x4b4.3-0x4b5.7 (1.5)
0x4b0| 80 | . | ttl: 128 0x4b6-0x4b6.7 (1)
0x4b0| 11 | . | protocol: "udp" (17) (user datagram protocol) 0x4b7-0x4b7.7 (1)
0x4b0| 00 00 | .. | header_checksum: 0x0 0x4b8-0x4b9.7 (2)
0x4b0| c0 a8 00 01 | .... | source_ip: "192.168.0.1" (0xc0a80001) 0x4ba-0x4bd.7 (4)
0x4b0| c0 a8| ..| destination_ip: "192.168.0.10" (0xc0a8000a) 0x4be-0x4c1.7 (4)
0x4c0|00 0a |.. |
| | | data: {} (udp) 0x4c2-0x5f5.7 (308)
0x4c0| 00 43 | .C | source_port: "bootps" (67) (Bootstrap Protocol Server) 0x4c2-0x4c3.7 (2)
0x4c0| 00 44 | .D | destination_port: "bootpc" (68) (Bootstrap Protocol Client) 0x4c4-0x4c5.7 (2)
0x4c0| 01 34 | .4 | length: 308 0x4c6-0x4c7.7 (2)
0x4c0| df db | .. | checksum: 0xdfdb 0x4c8-0x4c9.7 (2)
0x4c0| 02 01 06 00 00 00| ......| data: raw bits 0x4ca-0x5f5.7 (300)
0x4d0|3d 1e 00 00 00 00 00 00 00 00 c0 a8 00 0a 00 00|=...............|
* |until 0x5f5.7 (300) | |
| | | capture_padding: raw bits 0x5f6-NA (0)
0x5f0| 00 00 | .. | padding: raw bits 0x5f6-0x5f7.7 (2)
| | | options: [0] 0x5f8-NA (0)
0x5f0| 00 00 01 78| | ...x| | footer_length: 376 0x5f8-0x5fb.7 (4)
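Review bot: The expected output pins two different names for the same trailing block-length field: `footer_total_length` on the section header block (0x18) and `footer_length` on every other block (0x2c, 0x50, 0x1ac and onward). A query that selects `footer_length` across all blocks would skip the section header, so I would make that line read `footer_length: 28` and rename the field in the decoder to match. The same applies to the dhcp_little_endian.pcapng fixture that follows. Separately, both fixtures come from well-formed sample captures in which `length` and the footer value agree; if no other test in this commit covers a block where the two disagree or where `capture_packet_length` exceeds the block, one is worth adding, since capture files are usually untrusted input.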

Binary file not shown.


@ -0,0 +1,202 @@
# from https://wiki.wireshark.org/Development/PcapNg
$ fq -d pcapng verbose /dhcp_little_endian.pcapng
|00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f|0123456789abcdef|.: [1] /dhcp_little_endian.pcapng (pcapng) 0x0-0x5fb.7 (1532)
| | | [0]: section {} 0x0-0x5fb.7 (1532)
| | | blocks: [7] 0x0-0x5fb.7 (1532)
| | | [0]: block {} 0x0-0x1b.7 (28)
0x000|0a 0d 0d 0a |.... | type: "section_header" (0xa0d0d0a) (Section Header Block) 0x0-0x3.7 (4)
0x000| 1c 00 00 00 | .... | length: 28 0x4-0x7.7 (4)
0x000| 4d 3c 2b 1a | M<+. | byte_order_magic: "little_endian" (0x4d3c2b1a) 0x8-0xb.7 (4)
0x000| 01 00 | .. | major_version: 1 0xc-0xd.7 (2)
0x000| 00 00| ..| minor_version: 0 0xe-0xf.7 (2)
0x010|ff ff ff ff ff ff ff ff |........ | section_length: -1 0x10-0x17.7 (8)
| | | options: [0] 0x18-NA (0)
0x010| 1c 00 00 00 | .... | footer_total_length: 28 0x18-0x1b.7 (4)
| | | [1]: block {} 0x1c-0x2f.7 (20)
0x010| 01 00 00 00| ....| type: "interface_description" (0x1) (Interface Description Block) 0x1c-0x1f.7 (4)
0x020|14 00 00 00 |.... | length: 20 0x20-0x23.7 (4)
0x020| 01 00 | .. | link_type: "ethernet" (1) (IEEE 802.3 Ethernet) 0x24-0x25.7 (2)
0x020| 00 00 | .. | reserved: 0 0x26-0x27.7 (2)
0x020| 00 00 04 00 | .... | snap_len: 262144 0x28-0x2b.7 (4)
| | | options: [0] 0x2c-NA (0)
0x020| 14 00 00 00| ....| footer_length: 20 0x2c-0x2f.7 (4)
| | | [2]: block {} 0x30-0x53.7 (36)
0x030|04 00 00 00 |.... | type: "name_resolution" (0x4) (Name Resolution Block) 0x30-0x33.7 (4)
0x030| 24 00 00 00 | $... | length: 36 0x34-0x37.7 (4)
| | | records: [2] 0x38-0x4f.7 (24)
| | | [0]: record {} 0x38-0x4b.7 (20)
0x030| 01 00 | .. | type: "ipv4" (1) 0x38-0x39.7 (2)
0x030| 0e 00 | .. | length: 14 0x3a-0x3b.7 (2)
0x030| 7f 00 00 01| ....| address: "127.0.0.1" (0x7f000001) 0x3c-0x3f.7 (4)
| | | entries: [1] 0x40-0x49.7 (10)
0x040|6c 6f 63 61 6c 68 6f 73 74 00 |localhost. | [0]: string "localhost" 0x40-0x49.7 (10)
0x040| 00 00 | .. | padding: raw bits 0x4a-0x4b.7 (2)
| | | [1]: record {} 0x4c-0x4f.7 (4)
0x040| 00 00 | .. | type: "end" (0) 0x4c-0x4d.7 (2)
0x040| 00 00| ..| length: 0 0x4e-0x4f.7 (2)
| | | options: [0] 0x50-NA (0)
0x050|24 00 00 00 |$... | footer_length: 36 0x50-0x53.7 (4)
| | | [3]: block {} 0x54-0x1af.7 (348)
0x050| 06 00 00 00 | .... | type: "enhanced_packet" (0x6) (Enhanced Packet Block) 0x54-0x57.7 (4)
0x050| 5c 01 00 00 | \... | length: 348 0x58-0x5b.7 (4)
0x050| 00 00 00 00| ....| interface_id: 0 0x5c-0x5f.7 (4)
0x060|88 5e b3 41 |.^.A | timestamp_high: 1102274184 0x60-0x63.7 (4)
0x060| c8 f2 eb 12 | .... | timestamp_low: 317453000 0x64-0x67.7 (4)
0x060| 3a 01 00 00 | :... | capture_packet_length: 314 0x68-0x6b.7 (4)
0x060| 3a 01 00 00| :...| original_packet_length: 314 0x6c-0x6f.7 (4)
| | | packet: {} (ether8023) 0x70-0x1a9.7 (314)
0x070|ff ff ff ff ff ff |...... | destination: "ff:ff:ff:ff:ff:ff" (0xffffffffffff) 0x70-0x75.7 (6)
0x070| 00 0b 82 01 fc 42 | .....B | source: "00:0b:82:01:fc:42" (0xb8201fc42) 0x76-0x7b.7 (6)
0x070| 08 00 | .. | ether_type: "ipv4" (0x800) (Internet Protocol version 4) 0x7c-0x7d.7 (2)
| | | packet: {} (ipv4) 0x7e-0x1a9.7 (300)
0x070| 45 | E | version: 4 0x7e-0x7e.3 (0.4)
0x070| 45 | E | ihl: 5 0x7e.4-0x7e.7 (0.4)
0x070| 00| .| dscp: 0 0x7f-0x7f.5 (0.6)
0x070| 00| .| ecn: 0 0x7f.6-0x7f.7 (0.2)
0x080|01 2c |., | total_length: 300 0x80-0x81.7 (2)
0x080| a8 36 | .6 | identification: 43062 0x82-0x83.7 (2)
0x080| 00 | . | reserved: 0 0x84-0x84 (0.1)
0x080| 00 | . | dont_fragment: false 0x84.1-0x84.1 (0.1)
0x080| 00 | . | more_fragments: false 0x84.2-0x84.2 (0.1)
0x080| 00 00 | .. | fragment_offset: 0 0x84.3-0x85.7 (1.5)
0x080| fa | . | ttl: 250 0x86-0x86.7 (1)
0x080| 11 | . | protocol: "udp" (17) (user datagram protocol) 0x87-0x87.7 (1)
0x080| 17 8b | .. | header_checksum: 0x178b 0x88-0x89.7 (2)
0x080| 00 00 00 00 | .... | source_ip: "0.0.0.0" (0x0) 0x8a-0x8d.7 (4)
0x080| ff ff| ..| destination_ip: "255.255.255.255" (0xffffffff) 0x8e-0x91.7 (4)
0x090|ff ff |.. |
| | | data: {} (udp) 0x92-0x1a9.7 (280)
0x090| 00 44 | .D | source_port: "bootpc" (68) (Bootstrap Protocol Client) 0x92-0x93.7 (2)
0x090| 00 43 | .C | destination_port: "bootps" (67) (Bootstrap Protocol Server) 0x94-0x95.7 (2)
0x090| 01 18 | .. | length: 280 0x96-0x97.7 (2)
0x090| 59 1f | Y. | checksum: 0x591f 0x98-0x99.7 (2)
0x090| 01 01 06 00 00 00| ......| data: raw bits 0x9a-0x1a9.7 (272)
0x0a0|3d 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 00|=...............|
* |until 0x1a9.7 (272) | |
| | | capture_padding: raw bits 0x1aa-NA (0)
0x1a0| 00 00 | .. | padding: raw bits 0x1aa-0x1ab.7 (2)
| | | options: [0] 0x1ac-NA (0)
0x1a0| 5c 01 00 00| \...| footer_length: 348 0x1ac-0x1af.7 (4)
| | | [4]: block {} 0x1b0-0x327.7 (376)
0x1b0|06 00 00 00 |.... | type: "enhanced_packet" (0x6) (Enhanced Packet Block) 0x1b0-0x1b3.7 (4)
0x1b0| 78 01 00 00 | x... | length: 376 0x1b4-0x1b7.7 (4)
0x1b0| 00 00 00 00 | .... | interface_id: 0 0x1b8-0x1bb.7 (4)
0x1b0| 88 5e b3 41| .^.A| timestamp_high: 1102274184 0x1bc-0x1bf.7 (4)
0x1c0|20 73 f0 12 | s.. | timestamp_low: 317748000 0x1c0-0x1c3.7 (4)
0x1c0| 56 01 00 00 | V... | capture_packet_length: 342 0x1c4-0x1c7.7 (4)
0x1c0| 56 01 00 00 | V... | original_packet_length: 342 0x1c8-0x1cb.7 (4)
| | | packet: {} (ether8023) 0x1cc-0x321.7 (342)
0x1c0| 00 0b 82 01| ....| destination: "00:0b:82:01:fc:42" (0xb8201fc42) 0x1cc-0x1d1.7 (6)
0x1d0|fc 42 |.B |
0x1d0| 00 08 74 ad f1 9b | ..t... | source: "00:08:74:ad:f1:9b" (0x874adf19b) 0x1d2-0x1d7.7 (6)
0x1d0| 08 00 | .. | ether_type: "ipv4" (0x800) (Internet Protocol version 4) 0x1d8-0x1d9.7 (2)
| | | packet: {} (ipv4) 0x1da-0x321.7 (328)
0x1d0| 45 | E | version: 4 0x1da-0x1da.3 (0.4)
0x1d0| 45 | E | ihl: 5 0x1da.4-0x1da.7 (0.4)
0x1d0| 00 | . | dscp: 0 0x1db-0x1db.5 (0.6)
0x1d0| 00 | . | ecn: 0 0x1db.6-0x1db.7 (0.2)
0x1d0| 01 48 | .H | total_length: 328 0x1dc-0x1dd.7 (2)
0x1d0| 04 45| .E| identification: 1093 0x1de-0x1df.7 (2)
0x1e0|00 |. | reserved: 0 0x1e0-0x1e0 (0.1)
0x1e0|00 |. | dont_fragment: false 0x1e0.1-0x1e0.1 (0.1)
0x1e0|00 |. | more_fragments: false 0x1e0.2-0x1e0.2 (0.1)
0x1e0|00 00 |.. | fragment_offset: 0 0x1e0.3-0x1e1.7 (1.5)
0x1e0| 80 | . | ttl: 128 0x1e2-0x1e2.7 (1)
0x1e0| 11 | . | protocol: "udp" (17) (user datagram protocol) 0x1e3-0x1e3.7 (1)
0x1e0| 00 00 | .. | header_checksum: 0x0 0x1e4-0x1e5.7 (2)
0x1e0| c0 a8 00 01 | .... | source_ip: "192.168.0.1" (0xc0a80001) 0x1e6-0x1e9.7 (4)
0x1e0| c0 a8 00 0a | .... | destination_ip: "192.168.0.10" (0xc0a8000a) 0x1ea-0x1ed.7 (4)
| | | data: {} (udp) 0x1ee-0x321.7 (308)
0x1e0| 00 43| .C| source_port: "bootps" (67) (Bootstrap Protocol Server) 0x1ee-0x1ef.7 (2)
0x1f0|00 44 |.D | destination_port: "bootpc" (68) (Bootstrap Protocol Client) 0x1f0-0x1f1.7 (2)
0x1f0| 01 34 | .4 | length: 308 0x1f2-0x1f3.7 (2)
0x1f0| 22 33 | "3 | checksum: 0x2233 0x1f4-0x1f5.7 (2)
0x1f0| 02 01 06 00 00 00 3d 1d 00 00| ......=...| data: raw bits 0x1f6-0x321.7 (300)
0x200|00 00 00 00 00 00 c0 a8 00 0a c0 a8 00 01 00 00|................|
* |until 0x321.7 (300) | |
| | | capture_padding: raw bits 0x322-NA (0)
0x320| 00 00 | .. | padding: raw bits 0x322-0x323.7 (2)
| | | options: [0] 0x324-NA (0)
0x320| 78 01 00 00 | x... | footer_length: 376 0x324-0x327.7 (4)
| | | [5]: block {} 0x328-0x483.7 (348)
0x320| 06 00 00 00 | .... | type: "enhanced_packet" (0x6) (Enhanced Packet Block) 0x328-0x32b.7 (4)
0x320| 5c 01 00 00| \...| length: 348 0x32c-0x32f.7 (4)
0x330|00 00 00 00 |.... | interface_id: 0 0x330-0x333.7 (4)
0x330| 88 5e b3 41 | .^.A | timestamp_high: 1102274184 0x334-0x337.7 (4)
0x330| 60 89 18 17 | `... | timestamp_low: 387484000 0x338-0x33b.7 (4)
0x330| 3a 01 00 00| :...| capture_packet_length: 314 0x33c-0x33f.7 (4)
0x340|3a 01 00 00 |:... | original_packet_length: 314 0x340-0x343.7 (4)
| | | packet: {} (ether8023) 0x344-0x47d.7 (314)
0x340| ff ff ff ff ff ff | ...... | destination: "ff:ff:ff:ff:ff:ff" (0xffffffffffff) 0x344-0x349.7 (6)
0x340| 00 0b 82 01 fc 42| .....B| source: "00:0b:82:01:fc:42" (0xb8201fc42) 0x34a-0x34f.7 (6)
0x350|08 00 |.. | ether_type: "ipv4" (0x800) (Internet Protocol version 4) 0x350-0x351.7 (2)
| | | packet: {} (ipv4) 0x352-0x47d.7 (300)
0x350| 45 | E | version: 4 0x352-0x352.3 (0.4)
0x350| 45 | E | ihl: 5 0x352.4-0x352.7 (0.4)
0x350| 00 | . | dscp: 0 0x353-0x353.5 (0.6)
0x350| 00 | . | ecn: 0 0x353.6-0x353.7 (0.2)
0x350| 01 2c | ., | total_length: 300 0x354-0x355.7 (2)
0x350| a8 37 | .7 | identification: 43063 0x356-0x357.7 (2)
0x350| 00 | . | reserved: 0 0x358-0x358 (0.1)
0x350| 00 | . | dont_fragment: false 0x358.1-0x358.1 (0.1)
0x350| 00 | . | more_fragments: false 0x358.2-0x358.2 (0.1)
0x350| 00 00 | .. | fragment_offset: 0 0x358.3-0x359.7 (1.5)
0x350| fa | . | ttl: 250 0x35a-0x35a.7 (1)
0x350| 11 | . | protocol: "udp" (17) (user datagram protocol) 0x35b-0x35b.7 (1)
0x350| 17 8a | .. | header_checksum: 0x178a 0x35c-0x35d.7 (2)
0x350| 00 00| ..| source_ip: "0.0.0.0" (0x0) 0x35e-0x361.7 (4)
0x360|00 00 |.. |
0x360| ff ff ff ff | .... | destination_ip: "255.255.255.255" (0xffffffff) 0x362-0x365.7 (4)
| | | data: {} (udp) 0x366-0x47d.7 (280)
0x360| 00 44 | .D | source_port: "bootpc" (68) (Bootstrap Protocol Client) 0x366-0x367.7 (2)
0x360| 00 43 | .C | destination_port: "bootps" (67) (Bootstrap Protocol Server) 0x368-0x369.7 (2)
0x360| 01 18 | .. | length: 280 0x36a-0x36b.7 (2)
0x360| 9f bd | .. | checksum: 0x9fbd 0x36c-0x36d.7 (2)
0x360| 01 01| ..| data: raw bits 0x36e-0x47d.7 (272)
0x370|06 00 00 00 3d 1e 00 00 00 00 00 00 00 00 00 00|....=...........|
* |until 0x47d.7 (272) | |
| | | capture_padding: raw bits 0x47e-NA (0)
0x470| 00 00| ..| padding: raw bits 0x47e-0x47f.7 (2)
| | | options: [0] 0x480-NA (0)
0x480|5c 01 00 00 |\... | footer_length: 348 0x480-0x483.7 (4)
| | | [6]: block {} 0x484-0x5fb.7 (376)
0x480| 06 00 00 00 | .... | type: "enhanced_packet" (0x6) (Enhanced Packet Block) 0x484-0x487.7 (4)
0x480| 78 01 00 00 | x... | length: 376 0x488-0x48b.7 (4)
0x480| 00 00 00 00| ....| interface_id: 0 0x48c-0x48f.7 (4)
0x490|88 5e b3 41 |.^.A | timestamp_high: 1102274184 0x490-0x493.7 (4)
0x490| f0 53 1d 17 | .S.. | timestamp_low: 387798000 0x494-0x497.7 (4)
0x490| 56 01 00 00 | V... | capture_packet_length: 342 0x498-0x49b.7 (4)
0x490| 56 01 00 00| V...| original_packet_length: 342 0x49c-0x49f.7 (4)
| | | packet: {} (ether8023) 0x4a0-0x5f5.7 (342)
0x4a0|00 0b 82 01 fc 42 |.....B | destination: "00:0b:82:01:fc:42" (0xb8201fc42) 0x4a0-0x4a5.7 (6)
0x4a0| 00 08 74 ad f1 9b | ..t... | source: "00:08:74:ad:f1:9b" (0x874adf19b) 0x4a6-0x4ab.7 (6)
0x4a0| 08 00 | .. | ether_type: "ipv4" (0x800) (Internet Protocol version 4) 0x4ac-0x4ad.7 (2)
| | | packet: {} (ipv4) 0x4ae-0x5f5.7 (328)
0x4a0| 45 | E | version: 4 0x4ae-0x4ae.3 (0.4)
0x4a0| 45 | E | ihl: 5 0x4ae.4-0x4ae.7 (0.4)
0x4a0| 00| .| dscp: 0 0x4af-0x4af.5 (0.6)
0x4a0| 00| .| ecn: 0 0x4af.6-0x4af.7 (0.2)
0x4b0|01 48 |.H | total_length: 328 0x4b0-0x4b1.7 (2)
0x4b0| 04 46 | .F | identification: 1094 0x4b2-0x4b3.7 (2)
0x4b0| 00 | . | reserved: 0 0x4b4-0x4b4 (0.1)
0x4b0| 00 | . | dont_fragment: false 0x4b4.1-0x4b4.1 (0.1)
0x4b0| 00 | . | more_fragments: false 0x4b4.2-0x4b4.2 (0.1)
0x4b0| 00 00 | .. | fragment_offset: 0 0x4b4.3-0x4b5.7 (1.5)
0x4b0| 80 | . | ttl: 128 0x4b6-0x4b6.7 (1)
0x4b0| 11 | . | protocol: "udp" (17) (user datagram protocol) 0x4b7-0x4b7.7 (1)
0x4b0| 00 00 | .. | header_checksum: 0x0 0x4b8-0x4b9.7 (2)
0x4b0| c0 a8 00 01 | .... | source_ip: "192.168.0.1" (0xc0a80001) 0x4ba-0x4bd.7 (4)
0x4b0| c0 a8| ..| destination_ip: "192.168.0.10" (0xc0a8000a) 0x4be-0x4c1.7 (4)
0x4c0|00 0a |.. |
| | | data: {} (udp) 0x4c2-0x5f5.7 (308)
0x4c0| 00 43 | .C | source_port: "bootps" (67) (Bootstrap Protocol Server) 0x4c2-0x4c3.7 (2)
0x4c0| 00 44 | .D | destination_port: "bootpc" (68) (Bootstrap Protocol Client) 0x4c4-0x4c5.7 (2)
0x4c0| 01 34 | .4 | length: 308 0x4c6-0x4c7.7 (2)
0x4c0| df db | .. | checksum: 0xdfdb 0x4c8-0x4c9.7 (2)
0x4c0| 02 01 06 00 00 00| ......| data: raw bits 0x4ca-0x5f5.7 (300)
0x4d0|3d 1e 00 00 00 00 00 00 00 00 c0 a8 00 0a 00 00|=...............|
* |until 0x5f5.7 (300) | |
| | | capture_padding: raw bits 0x5f6-NA (0)
0x5f0| 00 00 | .. | padding: raw bits 0x5f6-0x5f7.7 (2)
| | | options: [0] 0x5f8-NA (0)
0x5f0| 78 01 00 00| | x...| | footer_length: 376 0x5f8-0x5fb.7 (4)

Binary file not shown.

101
format/pcap/testdata/ipv4frags.fqtest vendored Normal file

@ -0,0 +1,101 @@
# from https://wiki.wireshark.org/SampleCaptures
$ fq -d pcap verbose /ipv4frags.pcap
|00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f|0123456789abcdef|.: {} /ipv4frags.pcap (pcap) 0x0-0xbad.7 (2990)
0x000|d4 c3 b2 a1 |.... | magic: "little_endian" (0xd4c3b2a1) (valid) 0x0-0x3.7 (4)
0x000| 02 00 | .. | version_major: 2 0x4-0x5.7 (2)
0x000| 04 00 | .. | version_minor: 4 0x6-0x7.7 (2)
0x000| 00 00 00 00 | .... | thiszone: 0 0x8-0xb.7 (4)
0x000| 00 00 00 00| ....| sigfigs: 0 0xc-0xf.7 (4)
0x010|d0 07 00 00 |.... | snaplen: 2000 0x10-0x13.7 (4)
0x010| 01 00 00 00 | .... | network: "ethernet" (1) (IEEE 802.3 Ethernet) 0x14-0x17.7 (4)
| | | packets: [3] 0x18-0xbad.7 (2966)
| | | [0]: packet {} 0x18-0x419.7 (1026)
0x010| 14 2b d2 59 | .+.Y | ts_sec: 1506945812 0x18-0x1b.7 (4)
0x010| 5c 2a 08 00| \*..| ts_usec: 535132 0x1c-0x1f.7 (4)
0x020|f2 03 00 00 |.... | incl_len: 1010 0x20-0x23.7 (4)
0x020| f2 03 00 00 | .... | orig_len: 1010 0x24-0x27.7 (4)
| | | packet: {} (ether8023) 0x28-0x419.7 (1010)
0x020| 08 00 27 e2 9f a6 | ..'... | destination: "08:00:27:e2:9f:a6" (0x80027e29fa6) 0x28-0x2d.7 (6)
0x020| 08 00| ..| source: "08:00:27:fc:6a:c9" (0x80027fc6ac9) 0x2e-0x33.7 (6)
0x030|27 fc 6a c9 |'.j. |
0x030| 08 00 | .. | ether_type: "ipv4" (0x800) (Internet Protocol version 4) 0x34-0x35.7 (2)
| | | packet: {} (ipv4) 0x36-0x419.7 (996)
0x030| 45 | E | version: 4 0x36-0x36.3 (0.4)
0x030| 45 | E | ihl: 5 0x36.4-0x36.7 (0.4)
0x030| 00 | . | dscp: 0 0x37-0x37.5 (0.6)
0x030| 00 | . | ecn: 0 0x37.6-0x37.7 (0.2)
0x030| 03 e4 | .. | total_length: 996 0x38-0x39.7 (2)
0x030| b5 d0 | .. | identification: 46544 0x3a-0x3b.7 (2)
0x030| 20 | | reserved: 0 0x3c-0x3c (0.1)
0x030| 20 | | dont_fragment: false 0x3c.1-0x3c.1 (0.1)
0x030| 20 | | more_fragments: true 0x3c.2-0x3c.2 (0.1)
0x030| 20 00 | . | fragment_offset: 0 0x3c.3-0x3d.7 (1.5)
0x030| 40 | @ | ttl: 64 0x3e-0x3e.7 (1)
0x030| 01| .| protocol: "icmp" (1) (internet control message protocol) 0x3f-0x3f.7 (1)
0x040|9b 44 |.D | header_checksum: 0x9b44 0x40-0x41.7 (2)
0x040| 02 01 01 02 | .... | source_ip: "2.1.1.2" (0x2010102) 0x42-0x45.7 (4)
0x040| 02 01 01 01 | .... | destination_ip: "2.1.1.1" (0x2010101) 0x46-0x49.7 (4)
0x040| 08 00 4d 71 13 c2| ..Mq..| data: raw bits 0x4a-0x419.7 (976)
0x050|00 01 14 2b d2 59 00 00 00 00 3d 2a 08 00 00 00|...+.Y....=*....|
* |until 0x419.7 (976) | |
| | | capture_padding: raw bits 0x41a-NA (0)
| | | [1]: packet {} 0x41a-0x5fb.7 (482)
0x410| 14 2b d2 59 | .+.Y | ts_sec: 1506945812 0x41a-0x41d.7 (4)
0x410| 9d 2a| .*| ts_usec: 535197 0x41e-0x421.7 (4)
0x420|08 00 |.. |
0x420| d2 01 00 00 | .... | incl_len: 466 0x422-0x425.7 (4)
0x420| d2 01 00 00 | .... | orig_len: 466 0x426-0x429.7 (4)
| | | packet: {} (ether8023) 0x42a-0x5fb.7 (466)
0x420| 08 00 27 e2 9f a6| ..'...| destination: "08:00:27:e2:9f:a6" (0x80027e29fa6) 0x42a-0x42f.7 (6)
0x430|08 00 27 fc 6a c9 |..'.j. | source: "08:00:27:fc:6a:c9" (0x80027fc6ac9) 0x430-0x435.7 (6)
0x430| 08 00 | .. | ether_type: "ipv4" (0x800) (Internet Protocol version 4) 0x436-0x437.7 (2)
| | | packet: {} (ipv4) 0x438-0x5fb.7 (452)
0x430| 45 | E | version: 4 0x438-0x438.3 (0.4)
0x430| 45 | E | ihl: 5 0x438.4-0x438.7 (0.4)
0x430| 00 | . | dscp: 0 0x439-0x439.5 (0.6)
0x430| 00 | . | ecn: 0 0x439.6-0x439.7 (0.2)
0x430| 01 c4 | .. | total_length: 452 0x43a-0x43b.7 (2)
0x430| b5 d0 | .. | identification: 46544 0x43c-0x43d.7 (2)
0x430| 00 | . | reserved: 0 0x43e-0x43e (0.1)
0x430| 00 | . | dont_fragment: false 0x43e.1-0x43e.1 (0.1)
0x430| 00 | . | more_fragments: false 0x43e.2-0x43e.2 (0.1)
0x430| 00 7a| .z| fragment_offset: 122 0x43e.3-0x43f.7 (1.5)
0x440|40 |@ | ttl: 64 0x440-0x440.7 (1)
0x440| 01 | . | protocol: "icmp" (1) (internet control message protocol) 0x441-0x441.7 (1)
0x440| bc ea | .. | header_checksum: 0xbcea 0x442-0x443.7 (2)
0x440| 02 01 01 02 | .... | source_ip: "2.1.1.2" (0x2010102) 0x444-0x447.7 (4)
0x440| 02 01 01 01 | .... | destination_ip: "2.1.1.1" (0x2010101) 0x448-0x44b.7 (4)
0x440| c8 c9 ca cb| ....| data: raw bits 0x44c-0x5fb.7 (432)
0x450|cc cd ce cf d0 d1 d2 d3 d4 d5 d6 d7 d8 d9 da db|................|
* |until 0x5fb.7 (432) | |
| | | capture_padding: raw bits 0x5fc-NA (0)
| | | [2]: packet {} 0x5fc-0xbad.7 (1458)
0x5f0| 14 2b d2 59| .+.Y| ts_sec: 1506945812 0x5fc-0x5ff.7 (4)
0x600|59 2c 08 00 |Y,.. | ts_usec: 535641 0x600-0x603.7 (4)
0x600| a2 05 00 00 | .... | incl_len: 1442 0x604-0x607.7 (4)
0x600| a2 05 00 00 | .... | orig_len: 1442 0x608-0x60b.7 (4)
| | | packet: {} (ether8023) 0x60c-0xbad.7 (1442)
0x600| 08 00 27 fc| ..'.| destination: "08:00:27:fc:6a:c9" (0x80027fc6ac9) 0x60c-0x611.7 (6)
0x610|6a c9 |j. |
0x610| 08 00 27 e2 9f a6 | ..'... | source: "08:00:27:e2:9f:a6" (0x80027e29fa6) 0x612-0x617.7 (6)
0x610| 08 00 | .. | ether_type: "ipv4" (0x800) (Internet Protocol version 4) 0x618-0x619.7 (2)
| | | packet: {} (ipv4) 0x61a-0xbad.7 (1428)
0x610| 45 | E | version: 4 0x61a-0x61a.3 (0.4)
0x610| 45 | E | ihl: 5 0x61a.4-0x61a.7 (0.4)
0x610| 00 | . | dscp: 0 0x61b-0x61b.5 (0.6)
0x610| 00 | . | ecn: 0 0x61b.6-0x61b.7 (0.2)
0x610| 05 94 | .. | total_length: 1428 0x61c-0x61d.7 (2)
0x610| 83 f6| ..| identification: 33782 0x61e-0x61f.7 (2)
0x620|00 |. | reserved: 0 0x620-0x620 (0.1)
0x620|00 |. | dont_fragment: false 0x620.1-0x620.1 (0.1)
0x620|00 |. | more_fragments: false 0x620.2-0x620.2 (0.1)
0x620|00 00 |.. | fragment_offset: 0 0x620.3-0x621.7 (1.5)
0x620| 40 | @ | ttl: 64 0x622-0x622.7 (1)
0x620| 01 | . | protocol: "icmp" (1) (internet control message protocol) 0x623-0x623.7 (1)
0x620| eb 6e | .n | header_checksum: 0xeb6e 0x624-0x625.7 (2)
0x620| 02 01 01 01 | .... | source_ip: "2.1.1.1" (0x2010101) 0x626-0x629.7 (4)
0x620| 02 01 01 02 | .... | destination_ip: "2.1.1.2" (0x2010102) 0x62a-0x62d.7 (4)
0x620| 00 00| ..| data: raw bits 0x62e-0xbad.7 (1408)
0x630|55 71 13 c2 00 01 14 2b d2 59 00 00 00 00 3d 2a|Uq.....+.Y....=*|
* |until 0xbad.7 (end) (1408) | |
| | | capture_padding: raw bits 0xbae-NA (0)

BIN
format/pcap/testdata/ipv4frags.pcap vendored Normal file

Binary file not shown.

File diff suppressed because it is too large Load Diff

Binary file not shown.


@ -205,13 +205,18 @@ func (b *Buffer) BitsLeft() (int64, error) {
return b.bitLen - bPos, nil
}
// ByteAlignBits number of bits to next byte align
func (b *Buffer) ByteAlignBits() (int, error) {
// AlignBits number of bits to next nBits align
func (b *Buffer) AlignBits(nBits int) (int, error) {
bPos, err := b.Pos()
if err != nil {
return 0, err
}
return int((8 - (bPos & 0x7)) & 0x7), nil
return int((int64(nBits) - (bPos % int64(nBits))) % int64(nBits)), nil
}
// ByteAlignBits number of bits to next byte align
func (b *Buffer) ByteAlignBits() (int, error) {
return b.AlignBits(8)
}
// BytePos byte position of current bit position
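Review bot: AlignBits uses its argument as a divisor without validating it, so `bPos % int64(nBits)` panics with an integer divide-by-zero when nBits is 0 and yields a non-positive count when nBits is negative. The old ByteAlignBits took no argument, so this is a new way to fail. If any decoder ever derives the alignment from parsed file data (not visible in this hunk), a malformed capture would crash with a runtime panic instead of surfacing as a decode error. I would reject bad values up front with `if nBits <= 0 { return 0, errors.New("nBits must be positive") }` (or whichever error constructor the file already imports), and state the precondition in the doc comment: `// AlignBits returns the number of bits from the current position to the next multiple of nBits; nBits must be > 0.` The D.AlignBits wrapper added in the decode hunk forwards nBits unchanged, so a guard here covers that caller as well.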


@ -458,6 +458,14 @@ func (d *D) BitsLeft() int64 {
return bBitsLeft
}
func (d *D) AlignBits(nBits int) int {
bByteAlignBits, err := d.bitBuf.AlignBits(nBits)
if err != nil {
panic(IOError{Err: err, Op: "AlignBits", ReadSize: 0, Pos: d.Pos()})
}
return bByteAlignBits
}
func (d *D) ByteAlignBits() int {
bByteAlignBits, err := d.bitBuf.ByteAlignBits()
if err != nil {
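Review bot: The new exported D.AlignBits has no doc comment, and its local is still named `bByteAlignBits`, a leftover from the ByteAlignBits method it was copied from. I would add `// AlignBits returns the number of bits to the next nBits-aligned position; it panics with IOError if the buffer position cannot be read.` and rename the local to `alignBits`. Only an error returned by the buffer is wrapped as IOError here, so a runtime panic raised inside the buffer call would propagate unwrapped. ByteAlignBits continues past the end of this hunk, so whether it could now simply call `d.AlignBits(8)` cannot be confirmed from here.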


@ -70,6 +70,7 @@ avc_sps H.264/AVC Sequence Parameter Set
bzip2 bzip2 compression
dns DNS packet
elf Executable and Linkable Format
ether8023 Ethernet 802.3
exif Exchangeable Image File Format
flac Free Lossless Audio Codec file
flac_frame FLAC frame
@ -87,6 +88,7 @@ icc_profile International Color Consortium profile
id3v1 ID3v1 metadata
id3v11 ID3v1.1 metadata
id3v2 ID3v2 metadata
ipv4 Internet protocol v4
jpeg Joint Photographic Experts Group file
json JSON
matroska Matroska file
@ -102,13 +104,17 @@ mpeg_ts MPEG Transport Stream
ogg OGG file
ogg_page OGG page
opus_packet Opus packet
pcap PCAP packet capture
pcapng PCAPNG packet capture
png Portable Network Graphics file
protobuf Protobuf
protobuf_widevine Widevine protobuf
pssh_playready PlayReady PSSH
raw Raw bits
tar Tar archive
tcp Transmission Control Protocol
tiff Tag Image File Format
udp User datagram protocol
vorbis_comment Vorbis comment
vorbis_packet Vorbis packet
vp8_frame VP8 frame