[File] [PATCH] Magdir/sniffer HP/UX nettl capture only for "newer as" HP-UX 10

Christos Zoulas christos at zoulas.com
Mon Oct 31 14:42:58 UTC 2022


Committed, thanks!

christos

> On Oct 30, 2022, at 6:40 PM, Jörg Jenderek <joerg.jen.der.ek at gmx.net> wrote:
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hello,
> 
> some weeks ago I sent a patch for 5View capture files. Such
> examples are created by the wireshark tool. This can open and save
> captures also in other file formats. One format starts with file
> name extension TRC.
> 
> When running the file command version 5.43 on such capture examples
> I get an output like:
> 
> hp-nettl-2.trc0:          HP/UX nettl capture file
> hp-nettl-3.trc0:          HP/UX nettl capture file
> hp-nettl-win8.trc0:       HP/UX nettl capture file
> hp-ux-nettl-trace-1.trc0: HP/UX nettl capture file
> hp-win10-2.trc0:          HP/UX nettl capture file
> hp-win10.trc0:            HP/UX nettl capture file
> old-hp.trc0:              HP/UX nettl capture file
> test-hp10.trc0:           HP/UX nettl capture file
> test-hp9.trc0:            data
> 
> Furthermore with -i option only generic application/octet-stream is
> shown. With option --extension only 3 byte sequence ??? is shown.
> 
> Luckily some information can be found in HP man page for nettl
> command. Some details can be found in Wireshark source nettl.c.
> That is now expressed by lines like:
> # URL:		https://nixdoc.net/man-pages/HP-UX/man1m/
> #		nettl.1m.html
> # Reference:	https://github.com/wireshark/wireshark/blob/master/
> #		wiretap/nettl.c
> 
> The description happens inside Magdir/sniffer by lines like:
> 0	string	\x54\x52\x00\x64\x00	HP/UX nettl capture file
> 
> I installed wireshark on a Windows and a Linux system.  Afterwards the
> examples are called "HP-UX nettl trace" on Windows system and on
> Linux. There the information is based or correlates with
> description of shared MIME-info database. There it is called
> "Packet Capture (HP-UX nettl)". This information can for example be
> found on web site reposcope.com. So the HP captures get their own
> mime type. My examples are all uncompressed and have file name
> extension TRC0, but
> according to mime database also TRC1 can occur. In the hp nettl(1m)
> man page the mentioned extension contains 3 digit number like
> TRC000. There it is also written that this sequence number is increased
> by one when the file is full until the limit is reached. This is given
> by option -n with default value 2. So there may exist also samples
> with more and higher digits in the file suffix (like TRC000
> TRC001 TRC002 ...). So these facts are now expressed by additional
> lines like:
> !:mime	application/x-nettl
> !:ext	trc0/trc1
> 
> When saving the captures in HP format I can choose any main name,
> but inside at offset 12 56 bytes with file name is stored. For the
> wireshark (version 1.12.1 3.6.8 4.0.1 ) generated examples this was
> always nil padded /tmp/wireshark.TRC000. At offset 68 12 byte "time
> zone structure" is stored. In my examples this was nil padded UTC
> string. At offset 97 9 bytes "os version" and 1 byte os_v is
> stored. In my wireshark examples this was nil padded B.11.11 string
> followed by value 55h. At offset 115 model name is stored as 11
> bytes. In my examples this was nil padded 9000/800. At offset 88 9
> byte host name is stored. Here in my examples I always get nil
> bytes. The last 2 padding bytes of 128 bytes header are always
> 0406h in my examples. So apparently wireshark fills this "meta
> information fields" just
> with "dummy" values to generate valid HP nettl captures. When I
> look in the HP man page I expect that for "real" HP captures I get
> other values there. So I chose for such cases to display "meta
> information fields" by additional lines like:
>> 12	string		!/tmp/wireshark.TRC000
>>> 12	string		x			"%-.56s"
>> 68	string		!UTC			\b, tz
>>> 68	string		x			%-.20s
>> 88	string		>\0			\b, host %-.9s
> 
> In the source is written that this 12 byte magic at the beginning
> is only found in HP-UX 10.x and 11.x, whereas in HP-UX 9.x another
> 12 byte magic called nettl_magic_hpux is used. So i add for such
> "older" HP Unix test lines which looks like:
> 0 string \x00\x00\x00\x01\x00\x00\x00	HP/UX 9.x nettl capture file
> !:mime	application/x-nettl
> !:ext	trc0/trc1
> 
> After applying the above mentioned modifications by patch
> file-5.43-sniffer-hp.diff then my HP captures are still described
> but also older version 9 is identified and more details are shown.
> This now looks like:
> 
> hp-nettl-2.trc0:          HP/UX nettl capture file
> hp-nettl-3.trc0:          HP/UX nettl capture file
> hp-nettl-win8.trc0:       HP/UX nettl capture file
> hp-ux-nettl-trace-1.trc0: HP/UX nettl capture file
> hp-win10-2.trc0:          HP/UX nettl capture file
> hp-win10.trc0:            HP/UX nettl capture file
> old-hp.trc0:              HP/UX nettl capture file
> test-hp10.trc0:           HP/UX nettl capture file
> 			  "/tmp/raw.tr.TRC000", tz UTc, host MyHoSt,
> 			  os b.11.11 (0x55), xxa=0x587841f000000000
> 			  , model 9foo/800, at 126 0x3436
> test-hp9.trc0:            HP/UX 9.x nettl capture file
> 
> I hope my diff file can be applied in future version of file
> utility.
> 
> With best wishes,
> Jörg Jenderek
> - --
> Jörg Jenderek
> -----BEGIN PGP SIGNATURE-----
> Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/
> 
> iF0EARECAB0WIQS5/qNWKD4ASGOJGL+v8rHJQhrU1gUCY179XgAKCRCv8rHJQhrU
> 1hOsAJ4hU8GEN0V7HQEvmL0BXCJRJIJYJgCgqgDHoD8VphbgoQtc4Zrwx+StPoU=
> =NhQD
> -----END PGP SIGNATURE-----
> <file-5_43-softquad-5vw_diff.DEFANGED-0> <file-5_43-softquad-5vw_diff_sig.DEFANGED-1> <Nachrichtenteil als Anhang.DEFANGED-2> <file-5_43-sniffer-hp_diff.DEFANGED-3> <file-5_43-sniffer-hp_diff_sig.DEFANGED-4>
> -- 
> File mailing list
> File at astron.com
> https://mailman.astron.com/mailman/listinfo/file
> <sanitizer.log>
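The quoted message describes the 128-byte nettl file header field by field (magic at offset 0, file name at 12, time zone at 68, host at 88, OS version at 97 plus a one-byte os_v, model at 115, two trailing bytes at 126) and the trick the magic lines use of printing a field only when it differs from the placeholder Wireshark writes. The parser below is an added example written for this page; it is not code from file(1), Wireshark or the patch. It takes the offsets from the message, assumes the time-zone field is 20 bytes wide (the "%-.20s" width in the quoted magic line, which also makes the field end exactly at the host offset 88), uses the 9.x magic exactly as the quoted patch line gives it, and borrows the name "xxa" for the 8 bytes between os_v and the model from the quoted file(1) output. The sample header is constructed inline to mimic the Wireshark dummy values the message reports.

```python
"""Parse and describe the 128-byte HP/UX nettl capture file header.

Added example for the mailing-list message above; offsets are taken from
the message, the tz width of 20 bytes is an assumption.
"""

HEADER_LEN = 128

# Magic byte sequences as given in the sniffer magic lines quoted above.
MAGIC_HPUX10 = b"\x54\x52\x00\x64\x00"           # "TR\0d\0": HP-UX 10.x / 11.x
MAGIC_HPUX9 = b"\x00\x00\x00\x01\x00\x00\x00"    # HP-UX 9.x, as in the patch

# (name, offset, length) of the nil-padded string fields; the tz width is
# an assumption based on the "%-.20s" format in the quoted magic line.
STRING_FIELDS = (
    ("file_name", 12, 56),
    ("tz", 68, 20),
    ("host", 88, 9),
    ("os_vers", 97, 9),
)

# Values Wireshark fills into the meta-information fields, per the message.
WIRESHARK_FILE_NAME = "/tmp/wireshark.TRC000"
WIRESHARK_TZ = "UTC"


def _cstr(raw: bytes) -> str:
    """Decode a nil-padded field: stop at the first NUL and keep only
    printable ASCII, so untrusted header bytes never reach a terminal raw."""
    raw = raw.split(b"\x00", 1)[0]
    return "".join(chr(b) if 0x20 <= b < 0x7F else "?" for b in raw)


def parse_nettl_header(data: bytes) -> dict:
    """Return the header fields of a nettl capture, or raise ValueError."""
    if len(data) < HEADER_LEN:
        raise ValueError(f"need {HEADER_LEN} header bytes, got {len(data)}")
    if data.startswith(MAGIC_HPUX10):
        version = "10.x/11.x"
    elif data.startswith(MAGIC_HPUX9):
        version = "9.x"
    else:
        raise ValueError("not an HP/UX nettl capture (magic mismatch)")
    hdr = {"version": version}
    for name, off, length in STRING_FIELDS:
        hdr[name] = _cstr(data[off:off + length])
    hdr["os_v"] = data[106]                 # single byte after os_vers
    hdr["xxa"] = data[107:115].hex()        # 8 unexplained bytes, shown as hex
    hdr["model"] = _cstr(data[115:126])     # 11-byte model name
    hdr["pad"] = data[126:128].hex()        # last 2 bytes of the 128-byte header
    return hdr


def is_wireshark_generated(hdr: dict) -> bool:
    """True when the meta fields carry only Wireshark's dummy values."""
    return (hdr["file_name"] == WIRESHARK_FILE_NAME
            and hdr["tz"] == WIRESHARK_TZ and hdr["host"] == "")


def describe(hdr: dict) -> str:
    """One-line description in the spirit of the quoted magic lines: the
    meta fields are printed only when they differ from the dummy values."""
    base = ("HP/UX 9.x nettl capture file" if hdr["version"] == "9.x"
            else "HP/UX nettl capture file")
    extras = []
    if hdr["file_name"] != WIRESHARK_FILE_NAME:
        extras.append(f'"{hdr["file_name"]}"')
    if hdr["tz"] != WIRESHARK_TZ:
        extras.append(f"tz {hdr['tz']}")
    if hdr["host"]:
        extras.append(f"host {hdr['host']}")
    return base + (" " + ", ".join(extras) if extras else "")


def _put(buf: bytearray, off: int, length: int, value: bytes) -> None:
    if len(value) > length:
        raise ValueError(f"value longer than {length}-byte field at {off}")
    buf[off:off + len(value)] = value


def build_header(file_name=b"/tmp/wireshark.TRC000", tz=b"UTC", host=b"",
                 os_vers=b"B.11.11", os_v=0x55, model=b"9000/800",
                 magic=MAGIC_HPUX10) -> bytes:
    """Construct a sample header (defaults mimic the Wireshark values the
    message reports: nil-padded strings, os_v 0x55, trailing bytes 04 06)."""
    buf = bytearray(HEADER_LEN)
    _put(buf, 0, 12, magic)
    _put(buf, 12, 56, file_name)
    _put(buf, 68, 20, tz)
    _put(buf, 88, 9, host)
    _put(buf, 97, 9, os_vers)
    buf[106] = os_v
    _put(buf, 115, 11, model)
    buf[126:128] = b"\x04\x06"
    return bytes(buf)


if __name__ == "__main__":
    for sample in (build_header(),
                   build_header(file_name=b"/tmp/raw.tr.TRC000", host=b"MyHoSt"),
                   build_header(magic=MAGIC_HPUX9)):
        print(describe(parse_nettl_header(sample)))
```

Running the block prints the plain "HP/UX nettl capture file" line for the Wireshark-style header, adds the file name and host for the header whose fields were changed, and prints the 9.x variant for the older magic; a header that matches neither magic, or is shorter than 128 bytes, is rejected rather than partially parsed.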
