CAP files format and CAP reader utility
=========================================

Author : big VuZZ
e-mail : bigvuzz@bigfoot.com
Date   : 10/10/2000


1) Introduction
---------------

The purpose of this memo is to give some help to network engineers, developers or simply curious people who spend time building, debugging or cracking networked applications. If you're one of them, you may have used some network sniffer tools that let you capture frames and decode them off-line. My current tool is SnifferPro.

This doc presents a partially decoded file format for the captured-frames files (with a default '.cap' extension). I developed a utility to dump a partial or entire CAP file in ASCII. The goal was to retrieve some sequences of an HTTP dialog (notice that HTTP is an ASCII protocol, i.e. human readable and forgeable !).


2) CAP file format
------------------

Product  : Sniffer Pro 1.5.02
Category : Multi-protocols network analyzer
Editor   : NAI

The table below depicts the format of the files containing captured frames. The files have a default '.cap' extension.

The file format is not totally decoded. My purpose wasn't to have full details but only to extract the TCP data "payload" (particularly HTTP requests & responses, which are in ASCII form). If you have further details on this file format, please let me know...

===============================================================================
| Offset | Len | Type | Description / Value
| (hex)  |     |      |
|==============================================================================
| File Header (fixed part)
|------------------------------------------------------------------------------
| 0      | 16  | str  | Signature : "XCP\0001.100\0" + ??? + "9"
| 10     | 4   | long | Total frame number in the file
| 14     | 8   | byte | ?
| 1C     | 4   | long | File size
| 20     | 4   | long | Last frame offset in file
| 24     | 16  | byte | ?
| 34     | 4   | long | Global date & time ?
| 38     | 72  | byte | ?
|------------------------------------------------------------------------------
| Frame records (variable part)
|------------------------------------------------------------------------------
| 80     | 4   | long | Frame time ?
| 84     | 4   | long | Always 0 ?
| 88     | 2   | int  | Frame length (FL)
| 8A     | 2   | int  | Frame length (repeated)
| 8C     | 16  | byte | Start of frame (e.g.: DLC + IP + TCP + data)
| 8C+FL  |     |      | Next frame record (same layout as at offset 0x80)
===============================================================================


3) CAP File reader
------------------

The 'rdcap.exe' utility (running on Win9x/NT) implements a .CAP file reader, that is : it reads a CAP file, extracts the frames carrying a TCP payload and dumps that data to an ASCII file.

NB : 'rdcap' dumps frames that encapsulate the TCP protocol only. Frames transporting other protocols (such as UDP) are read, but only their DLC and IP headers are dumped to the result file.

Why this utility, you may ask ?

- First, SnifferPro 1.5.02 doesn't have a frame-dump feature, and copy/paste doesn't work from the GUI of this product !
- Second, it may be useful (for education or debugging purposes) to understand some details of a TCP application. Sniffing frames and then running rdcap.exe against the cap files gives you a global view of a dialog between a client and a server, in ASCII form.

The 'rdcap' utility is very simple (written in standard C). Let me know of any bug (although I spent a little time on code quality) or new functionality.
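As an added example, not part of this memo and not the code of the 'rdcap' utility, here is a small Python reader that walks the layout in the table of section 2 and extracts the TCP payload the way section 3 describes. Everything the memo leaves open is an assumption here: fields are little-endian (Sniffer Pro is a Windows product), 'long' is 4 bytes and 'int' 2 bytes, the signature is read with C escape rules (so "XCP\0001.100\0" is the 10 bytes 58 43 50 00 31 2E 31 30 30 00, followed by whatever fills the 16-byte field), the frame body is FL bytes long (the table places the next record at 0x8C + FL), and the DLC layer is Ethernet II. The sample file is constructed inside the script, so it runs offline. Because FL comes from the file, the reader compares it with its repeated copy and checks it against the buffer before using it as an index; that is the check a dump tool needs when it parses captures it did not produce.

```python
"""Added example: minimal Sniffer Pro 1.5 '.cap' reader following the
partial layout in the memo. Endianness, signature bytes and Ethernet II
framing are assumptions; the sample capture below is constructed."""
import struct
import sys

HEADER_SIZE = 0x80                   # fixed part: 0x38 + 72 bytes
SIGNATURE = b"XCP\x001.100\x00"      # "XCP\0001.100\0" read with C escapes (assumed)
FRAME_HDR = struct.Struct("<IIHH")   # time, always-0, FL, FL repeated (assumed little-endian)

def parse_header(data):
    """Decode the fixed part; raise ValueError if the signature is missing."""
    if len(data) < HEADER_SIZE:
        raise ValueError("file shorter than the 0x80-byte fixed header")
    if not data[:16].startswith(SIGNATURE):
        raise ValueError("missing XCP signature")
    frame_count, = struct.unpack_from("<I", data, 0x10)
    file_size, = struct.unpack_from("<I", data, 0x1C)
    last_frame, = struct.unpack_from("<I", data, 0x20)
    return {"frame_count": frame_count, "file_size": file_size,
            "last_frame_offset": last_frame}

def iter_frames(data):
    """Yield (record_offset, frame_time, frame_bytes) for each frame record.
    FL is untrusted input: it is compared with its repeated copy and checked
    against the buffer size before it becomes a slice bound, so a corrupt or
    truncated file raises instead of being read past its end."""
    off = HEADER_SIZE
    while off + FRAME_HDR.size <= len(data):
        ftime, _zero, flen, flen2 = FRAME_HDR.unpack_from(data, off)
        if flen != flen2:
            raise ValueError(f"frame length mismatch at 0x{off:X}")
        start, end = off + FRAME_HDR.size, off + FRAME_HDR.size + flen
        if end > len(data):
            raise ValueError(f"frame at 0x{off:X} runs past end of file")
        yield off, ftime, data[start:end]
        off = end

def tcp_payload(frame):
    """Strip DLC (Ethernet II), IPv4 and TCP headers from one frame.
    Returns (ip_protocol, payload); payload is None for anything but TCP,
    mirroring rdcap, which keeps only DLC and IP headers for those frames."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4 over Ethernet
        return None, None
    ip = frame[14:]
    ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
    total_len = struct.unpack_from("!H", ip, 2)[0]
    if proto != 6 or ihl < 20 or total_len < ihl or total_len > len(ip):
        return proto, None
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        return proto, None
    doff = (tcp[12] >> 4) * 4
    if doff < 20 or doff > len(tcp):
        return proto, None
    return proto, tcp[doff:]

def dump(data):
    """Return (header, records); each record is (offset, ip_protocol, payload)."""
    header = parse_header(data)
    records = [(off, *tcp_payload(frame)) for off, _t, frame in iter_frames(data)]
    return header, records

def is_well_formed(data):
    """True when the header agrees with what the file actually contains."""
    try:
        header, records = dump(data)
    except ValueError:
        return False
    return header["frame_count"] == len(records) and header["file_size"] == len(data)

def ascii_dump(data):
    """Render TCP payloads as text, with non-printable bytes shown as '.'."""
    lines = []
    for off, proto, payload in dump(data)[1]:
        if payload is None:
            lines.append(f"[0x{off:X}] ip proto {proto}: no TCP payload")
            continue
        text = "".join(chr(b) if 32 <= b < 127 or b in (10, 13) else "." for b in payload)
        lines.append(f"[0x{off:X}] tcp payload ({len(payload)} bytes):\n{text}")
    return "\n".join(lines)

# ---- constructed sample capture (not a real Sniffer Pro file) ---------------
ETH = b"\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb\x08\x00"   # dst, src, IPv4

def _ipv4(proto, body):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64, proto, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + body

def build_sample():
    """Two frames: an HTTP request over TCP, then a short UDP datagram."""
    frames = [
        ETH + _ipv4(6, struct.pack("!HHIIBBHHH", 1234, 80, 1, 0, 5 << 4, 0x18, 8192, 0, 0)
                    + b"GET / HTTP/1.0\r\n\r\n"),
        ETH + _ipv4(17, struct.pack("!HHHH", 1234, 53, 10, 0) + b"\x12\x34"),
    ]
    body, last_off = b"", HEADER_SIZE
    for f in frames:
        last_off = HEADER_SIZE + len(body)
        body += FRAME_HDR.pack(0x3B9ACA00, 0, len(f), len(f)) + f
    hdr = bytearray(HEADER_SIZE)
    hdr[0:16] = SIGNATURE.ljust(15, b"\x00") + b"9"
    struct.pack_into("<I", hdr, 0x10, len(frames))
    struct.pack_into("<I", hdr, 0x1C, HEADER_SIZE + len(body))
    struct.pack_into("<I", hdr, 0x20, last_off)
    return bytes(hdr) + body

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    print(ascii_dump(blob))
```

Run without arguments to dump the built-in sample, or pass a path to a real '.cap' file. If a capture fails the signature check or `is_well_formed` returns False, the most likely causes are the assumptions listed above (byte order, signature bytes, or a non-Ethernet DLC) rather than a damaged file, so compare the first 0x8C bytes against the table before trusting the dump.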