[File] [PATCH] Magdir/sniffer HP/UX nettl capture only for "newer as" HP-UX 10
Jörg Jenderek
joerg.jen.der.ek at gmx.net
Sun Oct 30 22:40:30 UTC 2022
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hello,
some weeks ago ago i send patch for 5View capture files. Such
examples are created by wireshark tool.This can open and save
captures also in other file formats. One format start with file
name extension TRC.
When running file command version 5.43 on such captures examples
then i get an output like:
hp-nettl-2.trc0: HP/UX nettl capture file
hp-nettl-3.trc0: HP/UX nettl capture file
hp-nettl-win8.trc0: HP/UX nettl capture file
hp-ux-nettl-trace-1.trc0: HP/UX nettl capture file
hp-win10-2.trc0: HP/UX nettl capture file
hp-win10.trc0: HP/UX nettl capture file
old-hp.trc0: HP/UX nettl capture file
test-hp10.trc0: HP/UX nettl capture file
test-hp9.trc0: data
Furthermore with -i option only generic application/octet-stream is
shown. With option --extension only 3 byte sequence ??? is shown.
Luckily some information can be found in HP man page for nettl
command. Some details can be found in Wireshark source nettl.c.
That is now expressed by lines like:
# URL: https://nixdoc.net/man-pages/HP-UX/man1m/
# nettl.1m.html
# Reference: https://github.com/wireshark/wireshark/blob/master/
# wiretap/nettl.c
The description happens inside Magdir/sniffer by lines like:
0 string \x54\x52\x00\x64\x00 HP/UX nettl capture file
I installed wireshark on window and a Linux system. Afterwards the
examples are called "HP-UX nettl trace" on Windows system and on
Linux. There the information is based or correlates with
description of shared MIME-info database. There it is called
"Packet Capture (HP-UX nettl)". This information can for example be
found on web site reposcope.com. So the HP captures get their own
mime type. My examples are all uncompressed and have file name
extension TRC0, but
according to mime database also TRC1 can occur. In the hp nettl(1m)
man page the mentioned extension contains 3 digit number like
TRC000. There it is also written that this sequence number is increas
ed
by one when file is full until the limit is reached. This is given
by option -n with default value 2. So there may exist also samples
with with more and higher digits in file suffix ( like TRC000
TRC001 TRC002 ...). So these facts are now expressed by additional
lines like:
!:mime application/x-nettl
!:ext trc0/trc1
When saving the captures in HP format i can choose any main name,
but inside at offset 12 56 bytes with file name is stored. For the
wireshark (version 1.12.1 3.6.8 4.0.1 ) generated examples this was
always nil padded /tmp/wireshark.TRC000. At offset 68 12 byte "time
zone structure" is stored. In my examples this was nil padded UTC
string. At offset 97 9 bytes "os version" and 1 byte os_v is
stored. In my wireshark examples this was nil padded B.11.11 string
followed by value 55h. At offset 115 model name is stored as 11
bytes. In my examples this was nil padded 9000/800. At offset 88 9
byte host name is stored. Here in my examples i get always nil
bytes. The last 2 padding bytes of 128 bytes header are always
0406h in my examples. So apparently wireshark fills this "meta
information fields" just
with "dummy" values to generate valid HP nettl captures. When i
look in HP man page i expect for "real" HP captures i get there
other values. So i chose for such cases to display "meta
information fields" by additional lines like:
>12 string !/tmp/wireshark.TRC000
>>12 string x "%-.56s"
>68 string !UTC \b, tz
>>68 string x %-.20s
>88 string >\0 \b, host %-.9s
In the source is written that this 12 byte magic at the beginning
is only found in HP-UX 10.x and 11.x, whereas in HP-UX 9.x another
12 byte magic called nettl_magic_hpux is used. So i add for such
"older" HP Unix test lines which looks like:
0 string \x00\x00\x00\x01\x00\x00\x00 HP/UX 9.x nettl capture file
!:mime application/x-nettl
!:ext trc0/trc1
After applying the above mentioned modifications by patch
file-5.43-sniffer-hp.diff then my HP captures are still described
but also older version 9 is identified and more details are shown.
This now looks like:
hp-nettl-2.trc0: HP/UX nettl capture file
hp-nettl-3.trc0: HP/UX nettl capture file
hp-nettl-win8.trc0: HP/UX nettl capture file
hp-ux-nettl-trace-1.trc0: HP/UX nettl capture file
hp-win10-2.trc0: HP/UX nettl capture file
hp-win10.trc0: HP/UX nettl capture file
old-hp.trc0: HP/UX nettl capture file
test-hp10.trc0: HP/UX nettl capture file
"/tmp/raw.tr.TRC000", tz UTc, host MyHoSt,
os b.11.11 (0x55), xxa=0x587841f000000000
, model 9foo/800, at 126 0x3436
test-hp9.trc0: HP/UX 9.x nettl capture file
I hope my diff file can be applied in future version of file
utility.
With best wishes,
Jörg Jenderek
- --
Jörg Jenderek
-----BEGIN PGP SIGNATURE-----
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/
iF0EARECAB0WIQS5/qNWKD4ASGOJGL+v8rHJQhrU1gUCY179XgAKCRCv8rHJQhrU
1hOsAJ4hU8GEN0V7HQEvmL0BXCJRJIJYJgCgqgDHoD8VphbgoQtc4Zrwx+StPoU=
=NhQD
-----END PGP SIGNATURE-----
-------------- next part --------------
--- file-5.43/magic/Magdir/softquad.old 2021-02-23 01:49:24.000000000 +0100
+++ file-5.43/magic/Magdir/softquad 2022-10-27 21:33:14.848882800 +0200
@@ -4,2 +4,3 @@
# softquad: file(1) magic for SoftQuad Publishing Software
+# URL: https://en.wikipedia.org/wiki/SoftQuad_Software
#
@@ -19,4 +20,6 @@
# Binary sqtroff font/desc files...
-0 short 0125252 SoftQuad DESC or font file binary
->2 short >0 - version %d
+# GRR: the line below is also true for 5View capture file handled by ./sniffer
+0 short 0125252
+# skip 5View capture file with "invalid" version AAAAh
+>2 short >0 SoftQuad DESC or font file binary - version %d
# Bitmaps...
-------------- next part --------------
A non-text attachment was scrubbed...
Name: file-5.43-softquad-5vw.diff.sig
Type: application/octet-stream
Size: 541 bytes
Desc: not available
URL: <https://mailman.astron.com/pipermail/file/attachments/20221030/fd7a9fe7/attachment.obj>
-------------- next part --------------
--
File mailing list
File at astron.com
https://mailman.astron.com/mailman/listinfo/file
-------------- next part --------------
--- file-5.43/magic/Magdir/sniffer.old 2022-08-16 13:15:19.000000000 +0200
+++ file-5.43/magic/Magdir/sniffer 2022-10-30 23:22:45.109969800 +0100
@@ -334,6 +334,38 @@
#
# HP-UX "nettl" capture files.
-#
+# URL: https://nixdoc.net/man-pages/HP-UX/man1m/nettl.1m.html
+# Reference: https://github.com/wireshark/wireshark/blob/master/wiretap/nettl.c
+# Update: Joerg Jenderek
+# Note: Wireshark fills "meta information header fields" with "dummy" values
+# nettl_magic_hpux9[12]; for HP-UX 9.x not tested
+0 string \x00\x00\x00\x01\x00\x00\x00\x00\x00\x07\xD0\x00 HP/UX 9.x nettl capture file
+!:mime application/x-nettl
+!:ext trc0/trc1
+# nettl_magic_hpux10[12]; for HP-UX 10.x and 11.x
0 string \x54\x52\x00\x64\x00 HP/UX nettl capture file
+# https://reposcope.com/mimetype/application/x-nettl
+!:mime application/x-nettl
+# maybe also TRC000 TRC001 TRC002 ...
+!:ext trc0/trc1
+# file_name[56]; maybe also like /tmp/raw.tr.TRC000
+>12 string !/tmp/wireshark.TRC000
+>>12 string x "%-.56s"
+# tz[20]; like UTC
+>68 string !UTC \b, tz
+>>68 string x %-.20s
+# host_name[9];
+>88 string >\0 \b, host %-.9s
+# os_vers[9]; like B.11.11
+>97 string !B.11.11 \b, os
+>>97 string x %-.9s
+# os_v; like 55h
+>>106 ubyte x (%#x)
+# xxa[8]; like 0
+>107 ubequad !0 \b, xxa=%#16.16llx
+# model[11] like: 9000/800
+>115 string !9000/800 \b, model
+>>115 string x %-.11s
+# unknown; probably just padding to 128 bytes like: 0406h
+>126 ubeshort !0x0406h \b, at 126 %#4.4x
#
-------------- next part --------------
A non-text attachment was scrubbed...
Name: file-5.43-sniffer-hp.diff.sig
Type: application/octet-stream
Size: 951 bytes
Desc: not available
URL: <https://mailman.astron.com/pipermail/file/attachments/20221030/fd7a9fe7/attachment-0001.obj>
More information about the File
mailing list