Saturday, May 01, 2004

Packet Details Markup Language

While reviewing a new book on Ethereal, I learned about the Packet Details Markup Language (PDML). PDML is a way to express a packet in XML format. For example, here is an ICMP echo request:

tethereal -n -r snort.log.1082637820 -T pdml icmp

<?xml version="1.0"?>
<pdml version="0" creator="ethereal/0.10.3">
<packet>
<proto name="geninfo" pos="0" showname="General information" size="60">
<field name="num" pos="0" show="1" showname="Number" value="1" size="60"/>
<field name="len" pos="0" show="60" showname="Packet Length" value="3c" size="60"/>
<field name="caplen" pos="0" show="60" showname="Captured Length" value="3c" size="60"/>
<field name="timestamp" pos="0" show="Apr 22, 2004 08:47:14.358334000" showname="Captured Time" value="1082638034.358334000" size="60"/>
</proto>
<proto name="frame" showname="Frame 1 (60 bytes on wire, 60 bytes captured)" size="60" pos="0">
<field name="frame.marked" showname="Frame is marked: False" size="0" pos="0" show="0"/>
<field name="frame.time" showname="Arrival Time: Apr 22, 2004 08:47:14.358334000" size="0" pos="0" show="Apr 22, 2004 08:47:14.358334000"/>
<field name="frame.time_delta" showname="Time delta from previous packet: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
<field name="frame.time_relative" showname="Time since reference or first frame: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
<field name="frame.number" showname="Frame Number: 1" size="0" pos="0" show="1"/>
<field name="frame.pkt_len" showname="Packet Length: 60 bytes" size="0" pos="0" show="60"/>
<field name="frame.cap_len" showname="Capture Length: 60 bytes" size="0" pos="0" show="60"/>
</proto>
<proto name="eth" showname="Ethernet II, Src: 00:00:d1:ec:f5:8e, Dst: 00:03:47:75:18:20" size="14" pos="0">
<field name="eth.dst" showname="Destination: 00:03:47:75:18:20 (00:03:47:75:18:20)" size="6" pos="0" show="00:03:47:75:18:20" value="000347751820"/>
<field name="eth.src" showname="Source: 00:00:d1:ec:f5:8e (00:00:d1:ec:f5:8e)" size="6" pos="6" show="00:00:d1:ec:f5:8e" value="0000d1ecf58e"/>
<field name="eth.addr" showname="Source or Destination Address: 00:03:47:75:18:20 (00:03:47:75:18:20)" size="6" pos="0" show="00:03:47:75:18:20" value="000347751820"/>
<field name="eth.addr" showname="Source or Destination Address: 00:00:d1:ec:f5:8e (00:00:d1:ec:f5:8e)" size="6" pos="6" show="00:00:d1:ec:f5:8e" value="0000d1ecf58e"/>
<field name="eth.type" showname="Type: IP (0x0800)" size="2" pos="12" show="0x0800" value="0800"/>
<field name="eth.trailer" showname="Trailer: 00000000000000000000000000000000..." size="18" pos="42" show="00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00" value="000000000000000000000000000000000000"/>
</proto>
<proto name="ip" showname="Internet Protocol, Src Addr: 172.27.20.4 (172.27.20.4), Dst Addr: 192.168.60.3 (192.168.60.3)" size="20" pos="14">
<field name="ip.version" showname="Version: 4" size="1" pos="14" show="4" value="45"/>
<field name="ip.hdr_len" showname="Header length: 20 bytes" size="1" pos="14" show="20" value="45"/>
<field name="ip.dsfield" showname="Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)" size="1" pos="15" show="0" value="00">
<field name="ip.dsfield.dscp" showname="0000 00.. = Differentiated Services Codepoint: Default (0x00)" size="1" pos="15" show="0x00" value="00"/>
<field name="ip.dsfield.ect" showname=".... ..0. = ECN-Capable Transport (ECT): 0" size="1" pos="15" show="0" value="00"/>
<field name="ip.dsfield.ce" showname=".... ...0 = ECN-CE: 0" size="1" pos="15" show="0" value="00"/>
</field>
<field name="ip.len" showname="Total Length: 28" size="2" pos="16" show="28" value="001c"/>
<field name="ip.id" showname="Identification: 0x1026 (4134)" size="2" pos="18" show="0x1026" value="1026"/>
<field name="ip.flags" showname="Flags: 0x00" size="1" pos="20" show="0x00" value="00">
<field name="ip.flags.rb" showname="0... = Reserved bit: Not set" size="1" pos="20" show="0" value="00"/>
<field name="ip.flags.df" showname=".0.. = Don't fragment: Not set" size="1" pos="20" show="0" value="00"/>
<field name="ip.flags.mf" showname="..0. = More fragments: Not set" size="1" pos="20" show="0" value="00"/>
</field>
<field name="ip.frag_offset" showname="Fragment offset: 0" size="2" pos="20" show="0" value="0000"/>
<field name="ip.ttl" showname="Time to live: 53" size="1" pos="22" show="53" value="35"/>
<field name="ip.proto" showname="Protocol: ICMP (0x01)" size="1" pos="23" show="0x01" value="01"/>
<field name="ip.checksum" showname="Header checksum: 0xb8f0 (correct)" size="2" pos="24" show="0xb8f0" value="b8f0"/>
<field name="ip.src" showname="Source: 172.27.20.4 (172.27.20.4)" size="4" pos="26" show="172.27.20.4" value="ac1b1404"/>
<field name="ip.addr" showname="Source or Destination Address: 172.27.20.4 (172.27.20.4)" size="4" pos="26" show="172.27.20.4" value="ac1b1404"/>
<field name="ip.dst" showname="Destination: 192.168.60.3 (192.168.60.3)" size="4" pos="30" show="192.168.60.3" value="c0a83c03"/>
<field name="ip.addr" showname="Source or Destination Address: 192.168.60.3 (192.168.60.3)" size="4" pos="30" show="192.168.60.3" value="c0a83c03"/>
</proto>
<proto name="icmp" showname="Internet Control Message Protocol" size="8" pos="34">
<field name="icmp.type" showname="Type: 8 (Echo (ping) request)" size="1" pos="34" show="8" value="08"/>
<field name="icmp.code" showname="Code: 0 " size="1" pos="35" show="0x00" value="00"/>
<field name="icmp.checksum" showname="Checksum: 0x6861 (correct)" size="2" pos="36" show="0x6861" value="6861"/>
<field name="icmp.ident" showname="Identifier: 0x809e" size="2" pos="38" show="0x809e" value="809e"/>
<field name="icmp.seq" showname="Sequence number: 0x0f00" size="2" pos="40" show="0x0f00" value="0f00"/>
</proto>
</packet>

PDML is related to NetPDL. Both were created at the same Italian university that brought the world Windump.
