TurionAltec, posted July 18, 2016 (edited July 18, 2016 by TurionAltec)

I'm working on trying to create a parser for Wireshark files formatted as .PCAP files (which are simpler than the new .pcapng files). As such there are parts that are pure binary (the header, and MAC addresses), and other parts that are more text (packet content). I'm really struggling with the understanding of how AutoIt handles Hex, Binary, Little/big endian, and files with binary strings.

I'm using this as a basis of PCAP format: http://www.kroosec.com/2012/10/a-look-at-pcap-file-format.html There is a link in the first paragraph to "this capture file."

I created code:

;PCAP demo
$file=FileOpen("connection termination.cap",16)
If $file=-1 Then
    ConsoleWrite("Error opening File"&@CRLF)
Else
    ConsoleWrite("File opened with Handle:" &$file&@CRLF)
EndIf
$RawData=FileRead($file)
$compare=0xD4C3B2A1 ;Big Endian
;$compare=0xA1B2C3D4 ;Little endian representation
;Check if First 4 bytes contain "Magic number" indicating valid PCAP file
;The first 4 bytes should contain, in exact order on the disk D4 C3 B2 A1
ConsoleWrite("First 4 bytes:"&StringLeft($RawData,10)&@CRLF)
If StringLeft($RawData,4)==$compare Then
    ConsoleWrite("True"&@CRLF)
Else
    ConsoleWrite("False"&@CRLF)
EndIf
#cs
;;;;Results I get are-----------------------------------------
--> Press Ctrl+Alt+Break to Restart or Ctrl+Break to Stop
File opened with Handle:1
First 4 bytes:0xD4C3B2A1
False
-------------------------------------
This tells me it successfully opened the file, could read the 4 bytes, but somehow fails to make the compare. Any ideas why?
#ce
jvds, posted July 19, 2016

You have to be careful with what is binary and what is a string. When using a string to read the 4 bytes you will have the 0x in front of the string plus the 8 characters representing the 4 bytes 0x D4 C3 B2 A1, or use BinaryMid instead. Here are 2 examples; your error is on lines 9 and 14.

;PCAP demo
$file=FileOpen("connection termination.cap",16)
If $file=-1 Then
    ConsoleWrite("Error opening File"&@CRLF)
Else
    ConsoleWrite("File opened with Handle:" &$file&@CRLF)
EndIf
$RawData=FileRead($file)

; binary test
$compare='0xD4C3B2A1' ;Big Endian
ConsoleWrite("!First 4 bytes:"&BinaryMid($RawData,1,4)&@CRLF)
If BinaryMid($RawData,1,4) == $compare Then
    ConsoleWrite("!True"&@CRLF)
Else
    ConsoleWrite("!False"&@CRLF)
EndIf

; string test
$compare='0xD4C3B2A1' ;Big Endian
ConsoleWrite("-First 4 bytes:"&StringLeft($RawData,10)&@CRLF)
If StringLeft($RawData,10)==$compare Then
    ConsoleWrite("-True"&@CRLF)
Else
    ConsoleWrite("-False"&@CRLF)
EndIf

Not sure why $compare='0xD4C3B2A1' is different from $compare=0xD4C3B2A1. I thought that the last one would be recognized as binary, and used correctly with BinaryMid for the comparison, but apparently it does not.
TurionAltec (author), posted July 19, 2016 (edited July 19, 2016 by TurionAltec)

Thanks. This works:

$file=FileOpen("connection termination.cap",16)
If $file=-1 Then
    ConsoleWrite("Error opening File"&@CRLF)
Else
    ConsoleWrite("File opened with Handle:" &$file&@CRLF)
EndIf
$RawData=FileRead($file)
$compare="0xD4C3B2A1" ;Big Endian
;$compare=0xA1B2C3D4 ;Little endian representation
;Check if First 4 bytes contain "Magic number" indicating valid PCAP file
;The first 4 bytes should contain, in exact order on the disk D4 C3 B2 A1
ConsoleWrite("First 4 bytes:"&StringLeft($RawData,10)&@CRLF)
If StringLeft($RawData,10)==$compare Then
    ConsoleWrite("True"&@CRLF)
Else
    ConsoleWrite("False"&@CRLF)
EndIf

I guess opening the file as binary causes it to return string values of hex of the contents. Likewise, using BinaryToString in this manner has the desired results:

ConsoleWrite("Binary to String is:"&BinaryToString("0x4a4b4c4d4e")&@CRLF)
#cs
0x4a=J
0x4b=K
0x4c=L
0x4d=M
0x4e=N
#ce
TurionAltec (author), posted July 19, 2016 (edited July 21, 2016 by TurionAltec)

Thanks again. My real struggle with binary manipulation was understanding how BinaryToString() and StringToBinary() worked. The examples in the usually outstanding documentation left the gap that I need to do something like $compare=BinaryToString("0xD4C3B2A1"), because in the examples they start with readable text, so you don't see the inner workings of what those functions are expecting.

I was able to finish writing my PCAP parser. I actually opened it with the flag 512 (to treat it as an ANSI string). I will clean it up and share what I have, as it seems like it could be useful to someone in the future. Once I do some StringToBinary() of the various values (eg timestamp), I can rearrange it in the right endian using string functions, then convert it to Dec to get a useful number.

Below is another working example of BinaryToString and StringToBinary:

$file=FileOpen("connection termination.cap",512)
If $file=-1 Then
    ConsoleWrite("Error opening File"&@CRLF)
Else
    ConsoleWrite("File opened with Handle:" &$file&@CRLF)
EndIf
$RawData=FileRead($file)
$compare=BinaryToString("0xD4C3B2A1") ;Big Endian
;Check if First 4 bytes contain "Magic number" indicating valid PCAP file
;The first 4 bytes should contain, in exact order on the disk D4 C3 B2 A1
ConsoleWrite("First 4 bytes:"&StringToBinary(StringLeft($RawData,4))&@CRLF)
If StringLeft($RawData,4)==$compare Then
    ConsoleWrite("True"&@CRLF)
Else
    ConsoleWrite("False"&@CRLF)
EndIf
#cs
Results
--> Press Ctrl+Alt+Break to Restart or Ctrl+Break to Stop
File opened with Handle:1
First 4 bytes:0xD4C3B2A1
True
#ce
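The magic-number check and the endian handling the thread circles around, as an added example in Python that is not code from the thread or from any of its posters. One detail the posts leave implicit: the on-disk byte sequence D4 C3 B2 A1 is the little-endian encoding of the magic 0xA1B2C3D4, so every other header field in such a file must also be read little-endian; A1 B2 C3 D4 on disk means big-endian. The example goes a little beyond the thread by also recognising the nanosecond-resolution magic 0xA1B23C4D, and by refusing a packet record that claims more bytes than the snaplen or than remain in the buffer. All sample bytes are constructed inline by build_sample; no capture file is read.

```python
import struct
from typing import Dict, Iterator, Tuple

# Magic number as it appears on disk -> (struct byte-order prefix, timestamp unit).
# D4 C3 B2 A1 is 0xA1B2C3D4 stored little-endian; A1 B2 C3 D4 is big-endian.
# The 0xA1B23C4D variants mark nanosecond-resolution captures.
MAGICS: Dict[bytes, Tuple[str, str]] = {
    b"\xd4\xc3\xb2\xa1": ("<", "us"),
    b"\xa1\xb2\xc3\xd4": (">", "us"),
    b"\x4d\x3c\xb2\xa1": ("<", "ns"),
    b"\xa1\xb2\x3c\x4d": (">", "ns"),
}

GLOBAL_HEADER_LEN = 24   # magic + version(2x2) + thiszone + sigfigs + snaplen + linktype
RECORD_HEADER_LEN = 16   # ts_sec + ts_frac + incl_len + orig_len


def is_pcap(data: bytes) -> bool:
    """The check the thread is after: do the first 4 bytes match a PCAP magic?"""
    return data[:4] in MAGICS


def parse_global_header(data: bytes) -> dict:
    """Validate the magic and decode the 24-byte PCAP global header."""
    if len(data) < GLOBAL_HEADER_LEN:
        raise ValueError("input shorter than the PCAP global header")
    magic = data[:4]
    if magic not in MAGICS:
        raise ValueError("not a PCAP file: magic %s" % magic.hex())
    order, ts_unit = MAGICS[magic]
    # Every remaining field uses the byte order implied by the magic.
    ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype = struct.unpack(
        order + "HHiIII", data[4:GLOBAL_HEADER_LEN])
    return {
        "byte_order": "little" if order == "<" else "big",
        "ts_unit": ts_unit,
        "version": (ver_major, ver_minor),
        "thiszone": thiszone,
        "sigfigs": sigfigs,
        "snaplen": snaplen,
        "linktype": linktype,
    }


def iter_records(data: bytes) -> Iterator[Tuple[int, int, int, bytes]]:
    """Yield (ts_sec, ts_frac, orig_len, payload) for each packet record."""
    hdr = parse_global_header(data)
    order = "<" if hdr["byte_order"] == "little" else ">"
    pos = GLOBAL_HEADER_LEN
    while pos + RECORD_HEADER_LEN <= len(data):
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(
            order + "IIII", data[pos:pos + RECORD_HEADER_LEN])
        pos += RECORD_HEADER_LEN
        if incl_len > hdr["snaplen"] or pos + incl_len > len(data):
            # A record claiming more bytes than snaplen or than remain in the
            # buffer is corrupt; stop rather than read past the end.
            raise ValueError("truncated or corrupt record at offset %d"
                             % (pos - RECORD_HEADER_LEN))
        yield ts_sec, ts_frac, orig_len, data[pos:pos + incl_len]
        pos += incl_len


def build_sample(order: str) -> bytes:
    """Constructed sample capture (not a real file): one record holding b'JKLMN'.

    order is '<' for a little-endian file (D4 C3 B2 A1 on disk) or '>' for big-endian.
    """
    magic = b"\xd4\xc3\xb2\xa1" if order == "<" else b"\xa1\xb2\xc3\xd4"
    payload = b"JKLMN"                      # the bytes 0x4a 0x4b 0x4c 0x4d 0x4e
    # version 2.4, thiszone 0, sigfigs 0, snaplen 65535, linktype 1 (Ethernet)
    global_hdr = magic + struct.pack(order + "HHiIII", 2, 4, 0, 0, 65535, 1)
    record_hdr = struct.pack(order + "IIII", 1468800000, 123456, len(payload), len(payload))
    return global_hdr + record_hdr + payload


if __name__ == "__main__":
    for order in ("<", ">"):
        sample = build_sample(order)
        print("on-disk magic:", sample[:4].hex(), "->", parse_global_header(sample))
        for ts_sec, ts_frac, orig_len, payload in iter_records(sample):
            print(ts_sec, ts_frac, orig_len, payload)
```

The struct format strings carry an explicit "<" or ">" prefix for a second reason besides byte order: a prefix switches struct to standard sizes with no alignment padding, so "HHiIII" is exactly the 20 bytes that follow the magic on every platform.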