diff --git a/README.md b/README.md
index b02078c..cb8a19f 100644
--- a/README.md
+++ b/README.md
@@ -63,14 +63,43 @@ The following pipe is equivalent to "cat": ./xor 42 | ./xor -x 2A +### skip: discard initial octets + +Throws away some initial octets from stdin, +and sends the rest to stdout. +You could use `dd` for the same purpose. + +This skip command: + + skip 5 + +Is equivalent to this `dd` command: + + dd skip=5 bs=1 status=none + + ### pcat: print text representation of pcap file Prints a (lossy) text representation of a pcap file to stdout. + This program is the keystone of the Fluffy Suite. By representing everything as text, programmers can use any number of standard Unix text processing tools, such as sed, awk, cut, grep, or head. +Output is tab-separated, of the format: + + timestamp protocol options src dst payload + +Frequently you are only interested in the payload, +so you can run pcat like: + + cat myfile.pcap | pcat | cut -f 6 + +Remember the `unhex` program, +which will convert payloads to an octet stream, +after you have done any maniuplations you want. + ### pmerge: merge pcap files
@@ -79,18 +108,18 @@ Takes a list of pcap files, assuming they are sorted by time and merges them into a single sorted output. -### printfesc: printf escape input - -Reads octets, -writes a string suitable for copy-paste into printf. - - ### puniq: omit repeated frames Removes duplicate frames from input, writing to output. +### printfesc: printf escape input + +Reads octets, +writes a string suitable for copy-paste into printf. + + ### pyesc: python escape input Escapes input octets for pasting into a python "print" statement.
diff --git a/pcat.c b/pcat.c
index 1ea6dcd..c54f742 100644
--- a/pcat.c
+++ b/pcat.c
@@ -78,7 +78,7 @@ process_tcp(struct stream *s, char *saddr_s, char *daddr_s)
 printf("!");
 }
- printf("TCP %s,%u %s,%u %u,%u,%d ", saddr_s, sport, daddr_s, dport, seq, ack, flags);
+ printf("TCP\t%s,%u\t%s,%u\t%u,%u,%d\t", saddr_s, sport, daddr_s, dport, seq, ack, flags);
 }
 void
@@ -89,7 +89,7 @@ process_udp(struct stream *s, char *saddr_s, char *daddr_s)
 uint16_t len = read_uint16(s);
 uint16_t chksum = read_uint16(s);
- printf("UDP %s,%u %s,%u 0 ", saddr_s, sport, daddr_s, dport);
+ printf("UDP\t%s,%u\t%s,%u\t0\t", saddr_s, sport, daddr_s, dport);
 }
 void
@@ -99,7 +99,7 @@ process_icmp(struct stream *s, char *saddr_s, char *daddr_s)
 uint8_t code = read_uint8(s);
 uint16_t checksum = read_uint16(s);
- printf("ICMP %d,%d %s %s ", type, code, saddr_s, daddr_s);
+ printf("ICMP\t%d,%d\t%s\t%s\t", type, code, saddr_s, daddr_s);
 }
 void
@@ -140,7 +140,7 @@ process_ip4(struct stream *s)
 process_icmp(s, saddr_s, daddr_s);
 break;
 default:
- printf("P%d %s %s ", proto, saddr_s, daddr_s);
+ printf("P%d\t%s\t%s\t", proto, saddr_s, daddr_s);
 break;
 }
@@ -179,7 +179,7 @@ print_frame(struct pcap_file *p, struct pcap_pkthdr *hdr, char const *frame)
 struct stream *s = &streambuf;
 sinit(s, frame, hdr->caplen, ENDIAN_NETWORK); // pcap.c always outputs network byte order
- printf("%u.%u ", hdr->ts.tv_sec, hdr->ts.tv_usec);
+ printf("%u.%u\t", hdr->ts.tv_sec, hdr->ts.tv_usec);
 switch (p->linktype) {
 case LINKTYPE_ETHERNET:
 print_ethernet(s);
diff --git a/skip.c b/skip.c
new file mode 100644
index 0000000..c466c8d
--- /dev/null
+++ b/skip.c
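Review bot: The tab-separated columns do not line up across protocols, so the `cut -f N` recipe the README hunk in this commit documents cannot rely on a fixed field number: the new process_tcp and process_udp lines emit `proto src dst options`, the process_icmp line emits `proto options src dst`, and the default branch in process_ip4 emits only `proto src dst`, which puts the payload in column 5 instead of 6 for unknown protocols. The README states the order as `timestamp protocol options src dst payload`, which only the ICMP line follows. The smallest fix for the default branch is an empty options field, `printf("P%d\t\t%s\t%s\t", proto, saddr_s, daddr_s);`, and the TCP and UDP lines should move their `%u,%u,%d` / `0` field ahead of the two address fields so src and dst sit in the same columns for every protocol. The same point applies to the process_udp, process_icmp and process_ip4 hunks; each of these functions starts and ends outside its hunk.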
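Review bot: The changed timestamp line in print_frame drops leading zeros from the fractional part: with `%u.%u`, tv_sec 1 and tv_usec 5 print as `1.5` rather than `1.000005`, so the value is wrong and the column does not sort as text. Zero-pad the microseconds to six digits, `printf("%u.%06u\t", (unsigned)hdr->ts.tv_sec, (unsigned)hdr->ts.tv_usec);`. If `ts` is a `struct timeval`, `tv_sec` is `time_t` and `tv_usec` is `suseconds_t`, neither of which matches `%u`, so the casts also keep `-Wformat` clean; the `struct pcap_pkthdr` definition is not visible from this hunk, so that part is presumed. print_frame continues past the end of the hunk.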
@@ -0,0 +1,42 @@
+/*
+ * skip octets -- 2017 Neale Pickett
+ *
+ * This file is in the public domain. I make no promises about the functionality
+ * of this program.
+ */
+
+#include
+#include
+
+int
+main(int argc, char *argv[])
+{
+ long int count;
+
+ if (argc != 2) {
+ fprintf(stderr, "Usage: %s count\n", argv[0]);
+ return 1;
+ }
+
+ count = strtol(argv[1], NULL, 0);
+ /* Throw away count octets */
+ for (; count > 0; count -= 1) {
+ int c = getchar();
+
+ if (EOF == c) {
+ break;
+ }
+ }
+
+ /* Spit out the rest */
+ while (1) {
+ int c = getchar();
+
+ if (EOF == c) {
+ break;
+ }
+ putchar(c);
+ }
+
+ return 0;
+}
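Review bot: `count = strtol(argv[1], NULL, 0);` in main accepts any argument without reporting a parse failure: `skip abc` skips nothing and `skip 5x` skips five, both silently, and an out-of-range value is clamped to LONG_MAX with no diagnostic. Pass an end pointer, check it and `errno`, and reject the argument otherwise; that needs `<errno.h>` next to the two existing includes, whose header names are missing from this rendering. The copy loop also never checks `putchar` or `ferror(stdout)`, so a failed write still exits 0; a final `if (ferror(stdout)) return 1;` would let a pipeline notice. main begins and ends within the hunk.
```c
	char *end = NULL;

	errno = 0;
	count = strtol(argv[1], &end, 0);
	if (end == argv[1] || *end != '\0' || errno == ERANGE) {
		fprintf(stderr, "%s: bad count: %s\n", argv[0], argv[1]);
		return 1;
	}
	/* … unchanged: skip loop and copy loop … */
```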