# netflowv9.pcap from https://github.com/secdev/scapy/tree/master/test/pcaps
# fq '(.header,.packets[0]) | tobytes' netflowv9.pcap > ns.pcap
$ fq dv ns.pcap
    │00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f│0123456789abcdef│.{}: ns.pcap (pcap) 0x0-0xc6 (198)
    │                                               │                │  header{}: 0x0-0x18 (24)
0x00│4d 3c b2 a1                                    │M<..            │    magic: "little_endian_ns" (0x4d3cb2a1) (valid) 0x0-0x4 (4)
0x00│            02 00                              │    ..          │    version_major: 2 0x4-0x6 (2)
0x00│                  04 00                        │      ..        │    version_minor: 4 0x6-0x8 (2)
0x00│                        00 00 00 00            │        ....    │    thiszone: 0 0x8-0xc (4)
0x00│                                    00 00 00 00│            ....│    sigfigs: 0 0xc-0x10 (4)
0x10│ff ff 00 00                                    │....            │    snaplen: 65535 0x10-0x14 (4)
0x10│            01 00 00 00                        │    ....        │    network: "ethernet" (1) (IEEE 802.3 Ethernet) 0x14-0x18 (4)
    │                                               │                │  packets[0:1]: 0x18-0xc6 (174)
    │                                               │                │    [0]{}: packet 0x18-0xc6 (174)
0x10│                        0d 82 e8 59            │        ...Y    │      ts_sec: 1508409869 0x18-0x1c (4)
0x10│                                    53 c6 50 22│            S.P"│      ts_nsec: 575718995 0x1c-0x20 (4)
0x20│9e 00 00 00                                    │....            │      incl_len: 158 0x20-0x24 (4)
0x20│            9e 00 00 00                        │    ....        │      orig_len: 158 0x24-0x28 (4)
    │00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f│0123456789abcdef│      packet{}: (ether8023_frame) 0x28-0xc6 (158)
0x20│                        00 10 94 00 00 01      │        ......  │        destination: "00:10:94:00:00:01" (0x1094000001) 0x28-0x2e (6)
0x20│                                          00 1d│              ..│        source: "00:1d:b5:cb:28:ce" (0x1db5cb28ce) 0x2e-0x34 (6)
0x30│b5 cb 28 ce                                    │..(.            │
0x30│            08 00                              │    ..          │        ether_type: "ipv4" (0x800) (Internet Protocol version 4) 0x34-0x36 (2)
    │00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f│0123456789abcdef│        payload{}: (ipv4_packet) 0x36-0xc6 (144)
0x30│                  45                           │      E         │          version: 4 (valid) 0x36-0x36.4 (0.4)
0x30│                  45                           │      E         │          ihl: 5 0x36.4-0x37 (0.4)
0x30│                     00                        │       .        │          dscp: 0 0x37-0x37.6 (0.6)
0x30│                     00                        │       .        │          ecn: 0 0x37.6-0x38 (0.2)
0x30│                        00 8c                  │        ..      │          total_length: 140 0x38-0x3a (2)
0x30│                              00 00            │          ..    │          identification: 0 0x3a-0x3c (2)
0x30│                                    40         │            @   │          reserved: 0 0x3c-0x3c.1 (0.1)
0x30│                                    40         │            @   │          dont_fragment: true 0x3c.1-0x3c.2 (0.1)
0x30│                                    40         │            @   │          more_fragments: false 0x3c.2-0x3c.3 (0.1)
0x30│                                    40 00      │            @.  │          fragment_offset: 0 0x3c.3-0x3e (1.5)
0x30│                                          3f   │              ? │          ttl: 63 0x3e-0x3f (1)
0x30│                                             11│               .│          protocol: "udp" (17) (User datagram protocol) 0x3f-0x40 (1)
0x40│a7 52                                          │.R              │          header_checksum: 0xa752 (valid) 0x40-0x42 (2)
0x40│      c0 a8 64 01                              │  ..d.          │          source_ip: "192.168.100.1" (0xc0a86401) 0x42-0x46 (4)
0x40│                  0a 64 65 01                  │      .de.      │          destination_ip: "10.100.101.1" (0xa646501) 0x46-0x4a (4)
    │00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f│0123456789abcdef│          payload{}: (udp_datagram) 0x4a-0xc2 (120)
0x40│                              81 44            │          .D    │            source_port: 33092 0x4a-0x4c (2)
0x40│                                    08 07      │            ..  │            destination_port: 2055 0x4c-0x4e (2)
0x40│                                          00 78│              .x│            length: 120 0x4e-0x50 (2)
0x50│1f 03                                          │..              │            checksum: 0x1f03 0x50-0x52 (2)
0x50│      00 09 00 01 24 3c ba a0 59 e8 82 21 00 00│  ....$<..Y..!..│            payload: raw bits 0x52-0xc2 (112)
0x60│04 24 00 00 00 08 00 00 00 5c 01 a8 00 15 00 08│.$.......\......│
*   │until 0xc1.7 (112)                             │                │
0xc0│      74 be 47 c0                              │  t.G.          │          gap0: raw bits 0xc2-0xc6 (4)
    │                                               │                │  ipv4_reassembled[0:0]: 0xc6-0xc6 (0)
    │                                               │                │  tcp_connections[0:0]: 0xc6-0xc6 (0)