pcap.lua: slight cleanup
Should be a tiny bit faster, too.
parent
aff07bc63d
commit
9d81b137e7
|
@ -182,34 +182,19 @@ end
|
||||||
|
|
||||||
hex.register { type="pcap", detect=detect, decode=decode }
|
hex.register { type="pcap", detect=detect, decode=decode }
|
||||||
|
|
||||||
-- As described by https://github.com/pcapng/pcapng
|
local block_types = {
|
||||||
local decode_ng = function (c)
|
[0x0a0d0d0a] = "Section Header Block",
|
||||||
assert (c.position == 1)
|
[0x00000001] = "Interface Description Block",
|
||||||
if not detect_ng (c ()) then error ("not a PCAPNG file") end
|
[0x00000003] = "Simple Packet Block",
|
||||||
|
[0x00000004] = "Name Resolution Block",
|
||||||
|
[0x00000005] = "Interface Statistics Block",
|
||||||
|
[0x00000006] = "Enhanced Packet Block",
|
||||||
|
|
||||||
c.endianity = "le"
|
[0x00000BAD] = "Custom Block",
|
||||||
c (9):u32 ("byte-order magic: %s", function (u32)
|
[0x40000BAD] = "Custom Block"
|
||||||
if u32 == 0x1a2b3c4d then return "little-endian" end
|
}
|
||||||
|
|
||||||
c.endianity = "be"
|
local decode_shb = function (c)
|
||||||
return "big-endian"
|
|
||||||
end)
|
|
||||||
|
|
||||||
local function decode_block_type (u32)
|
|
||||||
if u32 == 0x0a0d0d0a then return "Section Header Block" end
|
|
||||||
if u32 == 0x00000001 then return "Interface Description Block" end
|
|
||||||
if u32 == 0x00000003 then return "Simple Packet Block" end
|
|
||||||
if u32 == 0x00000004 then return "Name Resolution Block" end
|
|
||||||
if u32 == 0x00000005 then return "Interface Statistics Block" end
|
|
||||||
if u32 == 0x00000006 then return "Enhanced Packet Block" end
|
|
||||||
|
|
||||||
if u32 == 0x00000BAD or u32 == 0x40000BAD then
|
|
||||||
return "Custom Block"
|
|
||||||
end
|
|
||||||
return "unknown: %d", u32
|
|
||||||
end
|
|
||||||
|
|
||||||
local function decode_shb (c)
|
|
||||||
local magic = c:u32 ()
|
local magic = c:u32 ()
|
||||||
local p, vmajor, vminor = c.position, c:u16 (), c:u16 ()
|
local p, vmajor, vminor = c.position, c:u16 (), c:u16 ()
|
||||||
c (p, c.position - 1):mark ("PCAPNG version: %d.%d", vmajor, vminor)
|
c (p, c.position - 1):mark ("PCAPNG version: %d.%d", vmajor, vminor)
|
||||||
|
@ -225,21 +210,39 @@ local decode_ng = function (c)
|
||||||
c.position = c.position + length + (-length & 3)
|
c.position = c.position + length + (-length & 3)
|
||||||
c (p, c.position - 1):mark ("option value")
|
c (p, c.position - 1):mark ("option value")
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
local block_decoders = {
|
||||||
|
-- TODO: also decode other types of blocks
|
||||||
|
[0x0a0d0d0a] = decode_shb
|
||||||
|
}
|
||||||
|
|
||||||
|
-- As described by https://github.com/pcapng/pcapng
|
||||||
|
local decode_ng = function (c)
|
||||||
|
assert (c.position == 1)
|
||||||
|
if not detect_ng (c ()) then error ("not a PCAPNG file") end
|
||||||
|
|
||||||
|
c.endianity = "le"
|
||||||
|
c (9):u32 ("byte-order magic: %s", function (u32)
|
||||||
|
if u32 == 0x1a2b3c4d then return "little-endian" end
|
||||||
|
|
||||||
|
c.endianity = "be"
|
||||||
|
return "big-endian"
|
||||||
|
end)
|
||||||
|
|
||||||
while not c.eof do
|
while not c.eof do
|
||||||
local block_start = c.position
|
local block_start = c.position
|
||||||
local block_type = c:u32 ("PCAPNG block type: %s", decode_block_type)
|
local block_type = c:u32 ("PCAPNG block type: %s", function (u32)
|
||||||
|
local name = block_types[u32]
|
||||||
|
if name then return name end
|
||||||
|
return "unknown: %d", u32
|
||||||
|
end)
|
||||||
local block_len = c:u32 ("PCAPNG block length: %d")
|
local block_len = c:u32 ("PCAPNG block length: %d")
|
||||||
|
|
||||||
local data_start = c.position
|
local data_start = c.position
|
||||||
c.position = block_start + block_len - 4
|
c.position = block_start + block_len - 4
|
||||||
|
local decoder = block_decoders[block_type]
|
||||||
local data = c (data_start, c.position - 1)
|
if decoder then decoder (c (data_start, c.position - 1)) end
|
||||||
-- TODO: also decode other types of blocks
|
c:u32 ("PCAPNG trailing block length: %d")
|
||||||
if block_type == 0x0a0d0d0a then decode_shb (data) end
|
|
||||||
|
|
||||||
local shb_len_end = c:u32 ("PCAPNG trailing block length: %d")
|
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
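Review bot: `block_len` is read from the capture file and used unchecked in `c.position = block_start + block_len - 4` inside decode_ng's `while not c.eof` loop. A length below 12 (type plus the two length fields) puts the cursor at or before the data start; with a length of 0 the trailing read lands back on `block_start`, so a malformed file could presumably keep the loop from ever advancing. How `c` handles an out-of-range position or an inverted slice is not visible on this page. A guard right after the length read would fail closed: `if block_len < 12 or block_len % 4 ~= 0 then error ("invalid PCAPNG block length") end`. The commit also drops the `shb_len_end` local, so the trailing length is only displayed; comparing it with `block_len` would catch truncated or corrupted blocks.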