Binary File manipulation Hex, decimal, etc

[TurionAltec]

I'm working on trying to create a parcer for Wireshark files formated as .PCAP files (which are simpler than the new .pcapng files). As such there are parts that are pure binary (the header, and MAC addreses), and other parts that are more text (packet content). I'm really struggling with the understanding of how Autoit handles Hex, Binary, Little/big endian, and Files with binary strings

 

I'm using this as a basis of PCAP format:

http://www.kroosec.com/2012/10/a-look-at-pcap-file-format.html

There is a link in the first paragraph to " this capture file."

I created code:

 

 

;PCAP demo
$file=Fileopen("connection termination.cap",16)
If $File=-1 Then
    ConsoleWrite("Error opening File"&@CRLF)
Else
    ConsoleWrite("File opened with Handle:" &$file&@CRLF)
    EndIf
    $RawData=FileRead($file)
$compare=0xD4C3B2A1 ;Big Endian
;$compare=0xA1B2C3D4 ;Little endian represenation
;Check if First 4 bytes contain "Magic number" indicating valid PCAP file
;The first 4 bytes should contain, in exact order on the disk D4 C3 B2 A1
ConsoleWrite("First 4 bytes:"&Stringleft($RawData,10)&@CRLF)
If Stringleft($RawData,4)==$compare Then
    ConsoleWrite("True"&@CRLF)
Else
    ConsoleWrite("False"&@CRLF)
EndIf

#cs
;;;;Results I get are-----------------------------------------
--> Press Ctrl+Alt+Break to Restart or Ctrl+Break to Stop
File opened with Handle:1
First 4 bytes:0xD4C3B2A1
False
-------------------------------------
This tells me it sucessfully opened the file, could read the 4 bytes, but somehow fails to make the compare. Any ideas why?
#ce

Edited July 18, 2016 by TurionAltec

[jvds]

you have to be careful with what is binary and what is string, when using string to read the 4 bytes you will have the 0x infront of the string + the 8 characters representing the 4 bytes 0x D4 C3 B2 A1, or use binary mid instead here are 2 examples, your error is on line 9 and 14

 

;PCAP demo
$file=Fileopen("connection termination.cap",16)
If $File=-1 Then
    ConsoleWrite("Error opening File"&@CRLF)
Else
    ConsoleWrite("File opened with Handle:" &$file&@CRLF)
    EndIf
    $RawData=FileRead($file)


#binary test
$compare='0xD4C3B2A1' ;Big Endian
ConsoleWrite("!First 4 bytes:"&binarymid($RawData,1,4)&@CRLF)
If binarymid($RawData,1,4) == $compare Then
    ConsoleWrite("!True"&@CRLF)
Else
    ConsoleWrite("!False"&@CRLF)
EndIf

#string test
$compare='0xD4C3B2A1' ;Big Endian
ConsoleWrite("-First 4 bytes:"&Stringleft($RawData,10)&@CRLF)
If Stringleft($RawData,10)==$compare Then
    ConsoleWrite("-True"&@CRLF)
Else
    ConsoleWrite("-False"&@CRLF)
EndIf

not sure why $compare='0xD4C3B2A1' is diferent than $compare=0xD4C3B2A1 i thought that the last one would be recognized as binary, and used correctly with Binarymid, for the comparison,  but it does not apparently

[TurionAltec]

Thanks. This works

$file=Fileopen("connection termination.cap",16)
If $File=-1 Then
    ConsoleWrite("Error opening File"&@CRLF)
Else
    ConsoleWrite("File opened with Handle:" &$file&@CRLF)
    EndIf
    $RawData=FileRead($file)
$compare="0xD4C3B2A1" ;Big Endian
;$compare=0xA1B2C3D4 ;Little endian represenation
;Check if First 4 bytes contain "Magic number" indicating valid PCAP file
;The first 4 bytes should contain, in exact order on the disk D4 C3 B2 A1
ConsoleWrite("First 4 bytes:"&Stringleft($RawData,10)&@CRLF)
If Stringleft($RawData,10)==$compare Then
    ConsoleWrite("True"&@CRLF)
Else
    ConsoleWrite("False"&@CRLF)
EndIf

I guess Opening the file as binary causes it to return string values of hex, of the contents

 

Likewise using BinaryToString in this manner has the desired results:

Consolewrite("Binary to String is:"&BinaryToString("0x4a4b4c4d4e")&@CRLF)
    #cs
0x4a=J
0x4b=K
0x4c=L
0x4d=M
0x4e=N
#CE

Edited July 19, 2016 by TurionAltec

[TurionAltec]

Thanks again. My real struggle with Binary manipulation was understanding how BinarytoString() and StringtoBinary() worked. The examples in the usually outstanding documentation left the gap that I need to do something like $compare=BinaryToString("0xD4C3B2A1") because in the examples, they start with readable text, so you don't see the inner workings of what those functions are expecting.

 

I was able to finish writing my PCAP parcer. I actually opened it with the flag 512 (to treat it as ANSI string). I will clean it up and share what I have as it seems like it could be useful to someone in the future. Once I do some StringtoBinary() of the various values (eg timestamp), I can rearrange it in the right endian using string functions, then convert it to Dec to get a useful number

Below is another working example of the BinarytoString and StringtoBinary

$file=Fileopen("connection termination.cap",512)
If $File=-1 Then
    ConsoleWrite("Error opening File"&@CRLF)
Else
    ConsoleWrite("File opened with Handle:" &$file&@CRLF)
    EndIf
    $RawData=FileRead($file)
$compare=BinaryToString("0xD4C3B2A1") ;Big Endian
;Check if First 4 bytes contain "Magic number" indicating valid PCAP file
;The first 4 bytes should contain, in exact order on the disk D4 C3 B2 A1
ConsoleWrite("First 4 bytes:"&StringToBinary(Stringleft($RawData,4))&@CRLF)
If Stringleft($RawData,4)==$compare Then
    ConsoleWrite("True"&@CRLF)
Else
    ConsoleWrite("False"&@CRLF)
EndIf
    #cs
    Results
--> Press Ctrl+Alt+Break to Restart or Ctrl+Break to Stop
File opened with Handle:1
First 4 bytes:0xD4C3B2A1
True
    #ce

Edited July 21, 2016 by TurionAltec