fact-gitdep / binwalk
Commit ddf183a9, authored Dec 02, 2013 by devttys0
Added pcap file signatures, improved sanity checks on reported file-size keywords
parent a056aedc
Showing 4 changed files with 311 additions and 1 deletions
src/binwalk/__init__.py +1 -1
src/binwalk/magic/binwalk +154 -0
src/binwalk/plotter.py +2 -0
src/magic/network +154 -0
src/binwalk/__init__.py
...
...
@@ -716,7 +716,7 @@ class Binwalk(object):
if
self
.
filter
.
show_invalid_results
:
return
True
if
result
[
'
jump'
]
<
0
or
result
[
'invalid'
]
:
if
result
[
'
invalid'
]
or
result
[
'jump'
]
<
0
or
result
[
'size'
]
<
0
:
return
False
if
((
location
+
result
[
'size'
])
>
file_size
)
or
(
self
.
year
and
result
[
'year'
]
>
self
.
year
)
or
(
self
.
epoch
and
result
[
'epoch'
]
>
self
.
epoch
):
return
False
...
...
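Review bot: the new `result['size'] < 0` test in the second `if` sits below the `show_invalid_results` early return, so with that filter enabled a negative size is still reported as valid, and the `(location + result['size']) > file_size` comparison that follows is skipped as well. If anything downstream treats `size` as a length, reject or zero a negative size before the early return, or document that callers using `show_invalid_results` must treat `size` as untrusted. A one-line comment on why `invalid`, `jump` and `size` are grouped in one test would also help the next reader.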
src/binwalk/magic/binwalk
...
...
@@ -4879,6 +4879,160 @@
0 string \x3c?xml\x20version XML document,
>15 string x version: "%.3s"
#
# "pcap-ng" capture files.
# http://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html
# Pcap-ng files can contain multiple sections. Printing the endianness,
# snaplen, or other information from the first SHB may be misleading.
#
0 string \x0a\x0d\x0d\x0a\x1a\x2b\x3c\x4d Pcap-ng capture file, big-endian,
>>12 beshort x version %d
>>14 beshort x \b.%d
0 string \x0a\x0d\x0d\x0a\x4d\x3c\x2b\x1a Pcap-ng capture file, little-endian,
>>12 leshort x version %d
>>14 leshort x \b.%d
#
# "libpcap" capture files.
#
0 string \xa1\xb2\xc3\xd4\x00 Libpcap capture file, big-endian,
>4 beshort >2 invalid
>4 beshort x version %d
>6 beshort x \b.%d,
>20 belong 0 (No link-layer encapsulation
>20 belong 1 (Ethernet
>20 belong 2 (3Mb Ethernet
>20 belong 3 (AX.25
>20 belong 4 (ProNET
>20 belong 5 (CHAOS
>20 belong 6 (Token Ring
>20 belong 7 (BSD ARCNET
>20 belong 8 (SLIP
>20 belong 9 (PPP
>20 belong 10 (FDDI
>20 belong 11 (RFC 1483 ATM
>20 belong 12 (raw IP
>20 belong 13 (BSD/OS SLIP
>20 belong 14 (BSD/OS PPP
>20 belong 19 (Linux ATM Classical IP
>20 belong 50 (PPP or Cisco HDLC
>20 belong 51 (PPP-over-Ethernet
>20 belong 99 (Symantec Enterprise Firewall
>20 belong 100 (RFC 1483 ATM
>20 belong 101 (raw IP
>20 belong 102 (BSD/OS SLIP
>20 belong 103 (BSD/OS PPP
>20 belong 104 (BSD/OS Cisco HDLC
>20 belong 105 (802.11
>20 belong 106 (Linux Classical IP over ATM
>20 belong 107 (Frame Relay
>20 belong 108 (OpenBSD loopback
>20 belong 109 (OpenBSD IPsec encrypted
>20 belong 112 (Cisco HDLC
>20 belong 113 (Linux "cooked"
>20 belong 114 (LocalTalk
>20 belong 117 (OpenBSD PFLOG
>20 belong 119 (802.11 with Prism header
>20 belong 122 (RFC 2625 IP over Fibre Channel
>20 belong 123 (SunATM
>20 belong 127 (802.11 with radiotap header
>20 belong 129 (Linux ARCNET
>20 belong 138 (Apple IP over IEEE 1394
>20 belong 140 (MTP2
>20 belong 141 (MTP3
>20 belong 143 (DOCSIS
>20 belong 144 (IrDA
>20 belong 147 (Private use 0
>20 belong 148 (Private use 1
>20 belong 149 (Private use 2
>20 belong 150 (Private use 3
>20 belong 151 (Private use 4
>20 belong 152 (Private use 5
>20 belong 153 (Private use 6
>20 belong 154 (Private use 7
>20 belong 155 (Private use 8
>20 belong 156 (Private use 9
>20 belong 157 (Private use 10
>20 belong 158 (Private use 11
>20 belong 159 (Private use 12
>20 belong 160 (Private use 13
>20 belong 161 (Private use 14
>20 belong 162 (Private use 15
>20 belong 163 (802.11 with AVS header
>20 belong >163 (invalid link layer
>20 belong <0 (invalid link layer
>16 belong x \b, snaplen: %d)
0 lelong 0xa1b2c3d4 Libpcap capture file, little-endian,
>4 leshort >2 invalid
>4 leshort <0 invalid
>4 leshort x version %d
>6 leshort x \b.%d,
>20 lelong 0 (No link-layer encapsulation
>20 lelong 1 (Ethernet
>20 lelong 2 (3Mb Ethernet
>20 lelong 3 (AX.25
>20 lelong 4 (ProNET
>20 lelong 5 (CHAOS
>20 lelong 6 (Token Ring
>20 lelong 7 (ARCNET
>20 lelong 8 (SLIP
>20 lelong 9 (PPP
>20 lelong 10 (FDDI
>20 lelong 11 (RFC 1483 ATM
>20 lelong 12 (raw IP
>20 lelong 13 (BSD/OS SLIP
>20 lelong 14 (BSD/OS PPP
>20 lelong 19 (Linux ATM Classical IP
>20 lelong 50 (PPP or Cisco HDLC
>20 lelong 51 (PPP-over-Ethernet
>20 lelong 99 (Symantec Enterprise Firewall
>20 lelong 100 (RFC 1483 ATM
>20 lelong 101 (raw IP
>20 lelong 102 (BSD/OS SLIP
>20 lelong 103 (BSD/OS PPP
>20 lelong 104 (BSD/OS Cisco HDLC
>20 lelong 105 (802.11
>20 lelong 106 (Linux Classical IP over ATM
>20 lelong 107 (Frame Relay
>20 lelong 108 (OpenBSD loopback
>20 lelong 109 (OpenBSD IPsec encrypted
>20 lelong 112 (Cisco HDLC
>20 lelong 113 (Linux "cooked"
>20 lelong 114 (LocalTalk
>20 lelong 117 (OpenBSD PFLOG
>20 lelong 119 (802.11 with Prism header
>20 lelong 122 (RFC 2625 IP over Fibre Channel
>20 lelong 123 (SunATM
>20 lelong 127 (802.11 with radiotap header
>20 lelong 129 (Linux ARCNET
>20 lelong 138 (Apple IP over IEEE 1394
>20 lelong 140 (MTP2
>20 lelong 141 (MTP3
>20 lelong 143 (DOCSIS
>20 lelong 144 (IrDA
>20 lelong 147 (Private use 0
>20 lelong 148 (Private use 1
>20 lelong 149 (Private use 2
>20 lelong 150 (Private use 3
>20 lelong 151 (Private use 4
>20 lelong 152 (Private use 5
>20 lelong 153 (Private use 6
>20 lelong 154 (Private use 7
>20 lelong 155 (Private use 8
>20 lelong 156 (Private use 9
>20 lelong 157 (Private use 10
>20 lelong 158 (Private use 11
>20 lelong 159 (Private use 12
>20 lelong 160 (Private use 13
>20 lelong 161 (Private use 14
>20 lelong 162 (Private use 15
>20 lelong 163 (802.11 with AVS header
>20 lelong >163 (invalid link layer
>20 lelong <0 (invalid link layer
>16 lelong x \b, snaplen: %d)
#------------------------------------------------------------------------------
# $File: sql,v 1.6 2009/09/19 16:28:12 christos Exp $
# sql: file(1) magic for SQL files
...
...
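Review bot: both pcap-ng entries match the byte-order magic immediately after the block type (`\x0a\x0d\x0d\x0a\x1a\x2b\x3c\x4d` as one 8-byte string at offset 0), but in a Section Header Block a 4-byte block total length sits between the two, which puts the magic at offset 8; that is also the layout the version reads at 12 and 14 assume. As written the string should not match a well-formed capture, and the `>>12` / `>>14` lines have no level-1 parent. Suggest matching the block type at 0 and testing the byte-order magic on a `>8` line, so the `>>` lines hang off it. Separately, the big-endian libpcap entry has `>4 beshort >2 invalid` but not the `<0 invalid` line that the little-endian entry carries, and it matches a 5-byte `string` where the little-endian entry uses `lelong`; make the two symmetric or add a comment saying why they differ.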
src/binwalk/plotter.py
...
...
@@ -79,6 +79,8 @@ class Plotter(object):
self
.
_print
(
"Generating data points for
%
s"
%
file_name
)
with
BlockFile
(
file_name
,
'r'
,
offset
=
self
.
offset
,
length
=
self
.
length
)
as
fp
:
fp
.
MAX_TRAILING_SIZE
=
0
while
True
:
(
data
,
dlen
)
=
fp
.
read_block
()
if
not
data
or
not
dlen
:
...
...
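Review bot: `fp.MAX_TRAILING_SIZE = 0` inside the `with BlockFile(...)` block overrides what is named like a class-level constant on a single instance, with no comment saying why the plotter needs it to be zero. Add a short comment explaining the effect on `read_block()` here, and consider passing the value through the `BlockFile` constructor alongside `offset` and `length` rather than assigning to the attribute after the file is opened.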
src/magic/network
0 → 100644
#
# "pcap-ng" capture files.
# http://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html
# Pcap-ng files can contain multiple sections. Printing the endianness,
# snaplen, or other information from the first SHB may be misleading.
#
0 string \x0a\x0d\x0d\x0a\x1a\x2b\x3c\x4d Pcap-ng capture file, big-endian,
>>12 beshort x version %d
>>14 beshort x \b.%d
0 string \x0a\x0d\x0d\x0a\x4d\x3c\x2b\x1a Pcap-ng capture file, little-endian,
>>12 leshort x version %d
>>14 leshort x \b.%d
#
# "libpcap" capture files.
#
0 string \xa1\xb2\xc3\xd4\x00 Libpcap capture file, big-endian,
>4 beshort >2 invalid
>4 beshort x version %d
>6 beshort x \b.%d,
>20 belong 0 (No link-layer encapsulation
>20 belong 1 (Ethernet
>20 belong 2 (3Mb Ethernet
>20 belong 3 (AX.25
>20 belong 4 (ProNET
>20 belong 5 (CHAOS
>20 belong 6 (Token Ring
>20 belong 7 (BSD ARCNET
>20 belong 8 (SLIP
>20 belong 9 (PPP
>20 belong 10 (FDDI
>20 belong 11 (RFC 1483 ATM
>20 belong 12 (raw IP
>20 belong 13 (BSD/OS SLIP
>20 belong 14 (BSD/OS PPP
>20 belong 19 (Linux ATM Classical IP
>20 belong 50 (PPP or Cisco HDLC
>20 belong 51 (PPP-over-Ethernet
>20 belong 99 (Symantec Enterprise Firewall
>20 belong 100 (RFC 1483 ATM
>20 belong 101 (raw IP
>20 belong 102 (BSD/OS SLIP
>20 belong 103 (BSD/OS PPP
>20 belong 104 (BSD/OS Cisco HDLC
>20 belong 105 (802.11
>20 belong 106 (Linux Classical IP over ATM
>20 belong 107 (Frame Relay
>20 belong 108 (OpenBSD loopback
>20 belong 109 (OpenBSD IPsec encrypted
>20 belong 112 (Cisco HDLC
>20 belong 113 (Linux "cooked"
>20 belong 114 (LocalTalk
>20 belong 117 (OpenBSD PFLOG
>20 belong 119 (802.11 with Prism header
>20 belong 122 (RFC 2625 IP over Fibre Channel
>20 belong 123 (SunATM
>20 belong 127 (802.11 with radiotap header
>20 belong 129 (Linux ARCNET
>20 belong 138 (Apple IP over IEEE 1394
>20 belong 140 (MTP2
>20 belong 141 (MTP3
>20 belong 143 (DOCSIS
>20 belong 144 (IrDA
>20 belong 147 (Private use 0
>20 belong 148 (Private use 1
>20 belong 149 (Private use 2
>20 belong 150 (Private use 3
>20 belong 151 (Private use 4
>20 belong 152 (Private use 5
>20 belong 153 (Private use 6
>20 belong 154 (Private use 7
>20 belong 155 (Private use 8
>20 belong 156 (Private use 9
>20 belong 157 (Private use 10
>20 belong 158 (Private use 11
>20 belong 159 (Private use 12
>20 belong 160 (Private use 13
>20 belong 161 (Private use 14
>20 belong 162 (Private use 15
>20 belong 163 (802.11 with AVS header
>20 belong >163 (invalid link layer
>20 belong <0 (invalid link layer
>16 belong x \b, snaplen: %d)
0 lelong 0xa1b2c3d4 Libpcap capture file, little-endian,
>4 leshort >2 invalid
>4 leshort <0 invalid
>4 leshort x version %d
>6 leshort x \b.%d,
>20 lelong 0 (No link-layer encapsulation
>20 lelong 1 (Ethernet
>20 lelong 2 (3Mb Ethernet
>20 lelong 3 (AX.25
>20 lelong 4 (ProNET
>20 lelong 5 (CHAOS
>20 lelong 6 (Token Ring
>20 lelong 7 (ARCNET
>20 lelong 8 (SLIP
>20 lelong 9 (PPP
>20 lelong 10 (FDDI
>20 lelong 11 (RFC 1483 ATM
>20 lelong 12 (raw IP
>20 lelong 13 (BSD/OS SLIP
>20 lelong 14 (BSD/OS PPP
>20 lelong 19 (Linux ATM Classical IP
>20 lelong 50 (PPP or Cisco HDLC
>20 lelong 51 (PPP-over-Ethernet
>20 lelong 99 (Symantec Enterprise Firewall
>20 lelong 100 (RFC 1483 ATM
>20 lelong 101 (raw IP
>20 lelong 102 (BSD/OS SLIP
>20 lelong 103 (BSD/OS PPP
>20 lelong 104 (BSD/OS Cisco HDLC
>20 lelong 105 (802.11
>20 lelong 106 (Linux Classical IP over ATM
>20 lelong 107 (Frame Relay
>20 lelong 108 (OpenBSD loopback
>20 lelong 109 (OpenBSD IPsec encrypted
>20 lelong 112 (Cisco HDLC
>20 lelong 113 (Linux "cooked"
>20 lelong 114 (LocalTalk
>20 lelong 117 (OpenBSD PFLOG
>20 lelong 119 (802.11 with Prism header
>20 lelong 122 (RFC 2625 IP over Fibre Channel
>20 lelong 123 (SunATM
>20 lelong 127 (802.11 with radiotap header
>20 lelong 129 (Linux ARCNET
>20 lelong 138 (Apple IP over IEEE 1394
>20 lelong 140 (MTP2
>20 lelong 141 (MTP3
>20 lelong 143 (DOCSIS
>20 lelong 144 (IrDA
>20 lelong 147 (Private use 0
>20 lelong 148 (Private use 1
>20 lelong 149 (Private use 2
>20 lelong 150 (Private use 3
>20 lelong 151 (Private use 4
>20 lelong 152 (Private use 5
>20 lelong 153 (Private use 6
>20 lelong 154 (Private use 7
>20 lelong 155 (Private use 8
>20 lelong 156 (Private use 9
>20 lelong 157 (Private use 10
>20 lelong 158 (Private use 11
>20 lelong 159 (Private use 12
>20 lelong 160 (Private use 13
>20 lelong 161 (Private use 14
>20 lelong 162 (Private use 15
>20 lelong 163 (802.11 with AVS header
>20 lelong >163 (invalid link layer
>20 lelong <0 (invalid link layer
>16 lelong x \b, snaplen: %d)
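Review bot: the `>20` link-layer tables have gaps (nothing between 14 and 19, or between 19 and 50, for example), so for a value in a gap no line opens the parenthesis while the `>16 ... \b, snaplen: %d)` line still closes one; only values above 163 or below 0 get the "invalid link layer" text. Add a default description for unlisted values, or mark them invalid if that is the intent. This file also repeats, line for line, the block added to src/binwalk/magic/binwalk in the same commit, so a comment stating which copy is authoritative and how the other is produced would keep the two from drifting.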