pcapng Packet Analysis

1. Overview

This article parses the file many_interfaces.pcapng.

2. Parsing Process (the subsection numbers below follow draft-tuexen-opsawg-pcapng-05, see References)

4.1. Section Header Block

position->0x00000000

0A 0D 0D 0A  Block Type = 0x0A0D0D0A
8C 00 00 00  Block Total Length (0x8C = 140)
4D 3C 2B 1A  Byte-Order Magic (reads as 0x1A2B3C4D, so the section is little-endian)
01 00 00 00  Major Version = 1, Minor Version = 0 (two 16-bit fields)
FF FF FF FF  Section Length (High)
FF FF FF FF  Section Length (Low); all ones = -1, i.e. the section length is not specified
             Options(variable)
03 00 2D 00  Option Code = 3 (shb_os), Option Length = 0x2D = 45
4d6163204f5320582031302e31302e342c206275696c64203134453436202844617277696e2031342e342e3029
             Mac OS X 10.10.4, build 14E46 (Darwin 14.4.0)
00 00 00     Padding to a 32-bit boundary (45 -> 48 bytes)
04 00 34 00  Option Code = 4 (shb_userappl), Option Length = 0x34 = 52 (a multiple of 4, so no padding follows)
44756d7063617020312e31322e36202876312e31322e362d302d67656531666365362066726f6d206d61737465722d312e313229
             Dumpcap 1.12.6 (v1.12.6-0-gee1fce6 from master-1.12)
00 00 00 00  Option Code = 0 (opt_endofopt), Option Length = 0
             Options(variable)
8C 00 00 00  Block Total Length (repeated; must equal the value at the start of the block)

4.2. Interface Description Block

position->0x0000008C

01 00 00 00  Block Type = 0x00000001
74 00 00 00  Block Total Length (0x74 = 116)
01 00 00 00  LinkType = 1 (LINKTYPE_ETHERNET), followed by 2 reserved bytes
00 00 04 00  SnapLen = 0x00040000 = 262144
             Options(variable)
02 00 03 00  Option Code = 2 (if_name), Option Length = 3
65 6E 30 00  if_name = "en0"; the final 00 is padding
09 00 01 00  Option Code = 9 (if_tsresol), Option Length = 1
06 00 00 00  if_tsresol = 0x06: the high bit is 0, so timestamps are in units of 10^-6 s (microseconds); the three trailing 00 bytes are padding
0B 00 13 00  Option Code = 11 (if_filter), Option Length = 0x13 = 19 (a leading filter-type byte, 0x00 for a libpcap filter string, plus the 18-byte string)
686f7374203139322e3136382e312e313339
             host 192.168.1.139
00           Padding
0C 00 2D 00  Option Code = 12 (if_os), Option Length = 0x2D = 45
4d6163204f5320582031302e31302e342c206275696c64203134453436202844617277696e2031342e342e3029
             Mac OS X 10.10.4, build 14E46 (Darwin 14.4.0)
00 00 00     Padding
00 00 00 00  Option Code = 0 (opt_endofopt), Option Length = 0
             Options(variable)
74 00 00 00  Block Total Length (repeated)

There are nine more IDBs in between, parsed in much the same way, so they are omitted. The 11th IDB is parsed as follows:

position->0x0000052C

01 00 00 00  Block Type = 0x00000001
74 00 00 00  Block Total Length (0x74 = 116)
00 00 00 00  LinkType = 0 (LINKTYPE_NULL, the BSD loopback encapsulation), followed by 2 reserved bytes
00 00 04 00  SnapLen = 0x00040000 = 262144
             Options(variable)
02 00 03 00  Option Code = 2 (if_name), Option Length = 3
6C 6F 30 00  if_name = "lo0"; the final 00 is padding
09 00 01 00  Option Code = 9 (if_tsresol), Option Length = 1
06 00 00 00  if_tsresol = 0x06 (microseconds); the three trailing 00 bytes are padding
0B 00 13 00  Option Code = 11 (if_filter), Option Length = 0x13 = 19 (a leading filter-type byte, 0x00 for a libpcap filter string, plus the 18-byte string)
686f7374203139322e3136382e312e313339
             host 192.168.1.139
00           Padding
0C 00 2D 00  Option Code = 12 (if_os), Option Length = 0x2D = 45
4d6163204f5320582031302e31302e342c206275696c64203134453436202844617277696e2031342e342e3029
             Mac OS X 10.10.4, build 14E46 (Darwin 14.4.0)
00 00 00     Padding
00 00 00 00  Option Code = 0 (opt_endofopt), Option Length = 0
             Options(variable)
74 00 00 00  Block Total Length (repeated)

4.3. Enhanced Packet Block

position->0x000005A0

06 00 00 00  Block Type = 0x00000006
D4 00 00 00  Block Total Length (0xD4 = 212)
00 00 00 00  Interface ID = 0 (the first IDB, en0)
72 1D 05 00  Timestamp (High)
E7 6D 62 C9  Timestamp (Low); together 0x00051D72C9626DE7, in the units given by the interface's if_tsresol (microseconds here)
B2 00 00 00  Captured Len = 0xB2 = 178
B2 00 00 00  Packet Len = 178 (equal to Captured Len, so the packet was not truncated)
Packet Data (variable length, padded to 32 bits); see the figure below
00 00        Padding (178 -> 180 bytes)
D4 00 00 00  Block Total Length (repeated)

Now look at another set of data:

position->0x00000810

06 00 00 00  Block Type = 0x00000006
C8 00 00 00  Block Total Length (0xC8 = 200)
0A 00 00 00  Interface ID = 10, i.e. the 11th IDB (lo0) parsed above
72 1D 05 00  Timestamp (High)
BE 6E 62 C9  Timestamp (Low)
A8 00 00 00  Captured Len = 0xA8 = 168
A8 00 00 00  Packet Len = 168
Packet Data (variable length, padded to 32 bits); see the figure below. 168 is already a multiple of 4, so no padding bytes follow
C8 00 00 00  Block Total Length (repeated)
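As an added example (not code from the original post), a small Python parser for the three block types walked through above. It builds a little-endian capture with the same layout (an SHB, an lo0 IDB with if_tsresol 6, and an EPB carrying the Timestamp High/Low words 0x00051D72 / 0xC9626DE7 from 4.3) and, before trusting any block, checks that the two copies of Block Total Length agree and that Captured Len fits inside the block; the sample bytes and the 4-byte packet payload are constructed here, not taken from many_interfaces.pcapng.

```python
import struct
SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006
pad4 = lambda n: (n + 3) & ~3  # block bodies and option values are padded to 32 bits

def block(btype, body):  # little-endian framing: type, total length, padded body, length again
    body += b"\0" * (pad4(len(body)) - len(body))
    return struct.pack("<II", btype, 12 + len(body)) + body + struct.pack("<I", 12 + len(body))
def options(opts):  # (code, value) pairs, each value padded, then opt_endofopt (code 0, length 0)
    return b"".join(struct.pack("<HH", c, len(v)) + v + b"\0" * (pad4(len(v)) - len(v))
                    for c, v in opts) + struct.pack("<HH", 0, 0)

def parse_options(data, end):  # walk to opt_endofopt; Option Length excludes the padding
    opts, pos = {}, 0
    while pos + 4 <= len(data):
        code, length = struct.unpack_from(end + "HH", data, pos)
        if code == 0 or pos + 4 + length > len(data):  # stop at the end, or if a length overruns
            break
        opts[code] = data[pos + 4:pos + 4 + length]
        pos += 4 + pad4(length)
    return opts

def parse_blocks(buf):  # decode IDB/EPB, checking both Block Total Length copies and Captured Len
    end, pos, out = "<", 0, []
    while pos + 12 <= len(buf):
        if struct.unpack_from("<I", buf, pos)[0] == SHB:  # the SHB type is a palindrome, endian-safe
            end = {0x1A2B3C4D: "<", 0x4D3C2B1A: ">"}[struct.unpack_from("<I", buf, pos + 8)[0]]  # KeyError if bad magic
        btype, total = struct.unpack_from(end + "II", buf, pos)
        if (total < 12 or total % 4 or pos + total > len(buf)
                or struct.unpack_from(end + "I", buf, pos + total - 4)[0] != total):
            raise ValueError("malformed Block Total Length at 0x%08X" % pos)
        body = buf[pos + 8:pos + total - 4]
        if btype == IDB:  # LinkType(2) Reserved(2) SnapLen(4), then options
            linktype, snaplen = struct.unpack_from(end + "HxxI", body)
            o = parse_options(body[8:], end)
            out.append({"type": "IDB", "linktype": linktype, "snaplen": snaplen,
                        "name": o.get(2, b"").decode(), "tsresol": o.get(9, b"\x06")[0]})
        elif btype == EPB:  # Interface ID, Timestamp High/Low, Captured Len, Packet Len, data
            ifid, hi, lo, caplen, origlen = struct.unpack_from(end + "IIIII", body)
            if caplen > len(body) - 20 or caplen > origlen:
                raise ValueError("bad Captured Len at 0x%08X" % pos)
            out.append({"type": "EPB", "ifid": ifid, "ts": (hi << 32) | lo, "data": body[20:20 + caplen]})
        pos += total
    return out

def epb_time(epb, idb):  # 64-bit timestamp -> (unix seconds, fraction) using if_tsresol (MSB 0 = 10**-n)
    return divmod(epb["ts"], 10 ** idb["tsresol"])

# Constructed sample (not the page's file): SHB, one lo0 IDB with if_tsresol 6, one EPB on it
CAPTURE = (block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1) + options([(3, b"Mac OS X 10.10.4")]))
           + block(IDB, struct.pack("<HxxI", 0, 0x40000) + options([(2, b"lo0"), (9, b"\x06")]))
           + block(EPB, struct.pack("<IIIII", 0, 0x00051D72, 0xC9626DE7, 4, 4) + b"\x02\0\0\0"))
```

With if_tsresol = 6 the timestamp from 4.3 decodes to 1439753725 s plus 701607 us, i.e. 2015-08-16 19:35:25.701607 UTC; flipping a bit in the trailing Block Total Length makes parse_blocks reject the block instead of reading past it.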

3. References

1. PCAP Next Generation Dump File Format (PCAP-DumpFileFormat)
https://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html
This document gives a brief introduction to pcapng; it is outdated.

2. PCAP Next Generation (pcapng) Capture File Format
https://github.com/pcapng/pcapng
See the Individual Draft there for the latest pcapng document. The section numbering in this article follows draft-tuexen-opsawg-pcapng-05.

3. Online hex file editor
https://hexed.it/

4. Introduction to PcapNg on the Wireshark wiki
https://wiki.wireshark.org/Development/PcapNg

5. python-pcapng
https://pypi.org/project/python-pcapng/
https://github.com/rshk/python-pcapng
https://python-pcapng.readthedocs.io/en/latest/api/blocks.html
pip install python-pcapng

6. LibpcapFileFormat
https://wiki.wireshark.org/Development/LibpcapFileFormat

7. LINK-LAYER HEADER TYPES
https://www.tcpdump.org/linktypes.html
LINKTYPE_NULL 0
LINKTYPE_ETHERNET 1
LINKTYPE_RAW 101
LINKTYPE_USER0–LINKTYPE_USER15 147-162

8. String to hex converter
https://codebeautify.org/string-hex-converter

9. TLS
https://wiki.wireshark.org/TLS

10. HowTo handle PcapNG files
https://www.netresec.com/?page=Blog&month=2012-12&post=HowTo-handle-PcapNG-files

posted @ 2022-10-03 11:37  无痕1024