I have written a small and basic parser to determine the orientation of some jpeg images but it is not clear to me how to use the 0x112 tag, I do not find this information. Regarding ImageDescription, DateTime Value, I learned that it is enough to jump to the corresponding example address for date and time just refer to:
tag 3201
which is at values 0200 (ascii)
length 00000014 (20 characters)
and address calculated from the beginning of APP1 000000C2 (194 decimal).
The same reasoning made for orientation does not work: why?
Thanks
APP1 Length: 3710
APP1: Exif
byte order: MM
42: |00|2A|
offset: |00|00|00|08|
dir entry: 0 11
0F01|0200|00000006|00000092|
1001|0200|0000000E|00000098|
1201|0300|00000001|00010000|
1A01|0500|00000001|000000A6|
1B01|0500|00000001|000000AE|
2801|0300|00000001|00020000|
3101|0200|0000000B|000000B6|
3201|0200|00000014|000000C2|
1302|0300|00000001|00020000|
6987|0400|00000001|000000D6|
2588|0400|00000001|000003D6|
void MyExif(AnsiString filename)
{
static unsigned char exif_data[65536L];
FILE *fp;
int c, length;
fp=fopen(filename.c_str(),"rb");
if(!fp) return;
for (int i = 0; i < 500; i++) // I read 'n' data from the file to study Exif
{
c = (unsigned char) getc(fp);
if(c == 0xFF) //FF D8
{
c = (unsigned char) getc(fp);
if(c == 0xE1) //FF E1
{
length = (((unsigned int) getc(fp)) << 8) + ((unsigned int) getc(fp));
length -= 8;
/* Read Exif head and check for "Exif" */
for (int i = 0; i < 6; i++)
exif_data[i] = (unsigned char) getc(fp);
// check Exif head
if(exif_data[0] == 'E' && exif_data[1] == 'x' &&
exif_data[2] == 'i' && exif_data[3] == 'f' &&
exif_data[4] == 0 && exif_data[5] == 0)
{
Form1->Memo1->Lines->Add("APP1: Exif, Length: " + IntToStr(length));
}
else
{
Form1->Memo1->Lines->Add("APP1: Not Exif");
if(fp) fclose(fp);
return;
}
// I read from byte order ....... onwards
for(int i=0; i<length;i++)
exif_data[i] = (unsigned char) getc(fp);
// byte order II o MM
AnsiString s;
s.sprintf("byte order: %c%c",exif_data[0], exif_data[1]);
Form1->Memo1->Lines->Add(s);
// offset
s.sprintf("offset: |%02X|%02X|%02X|%02X|",exif_data[4], exif_data[5],exif_data[6], exif_data[7]);
Form1->Memo1->Lines->Add(s);
// number of directory entry
s.sprintf("dir entry: %d %d",exif_data[8],exif_data[9]);
Form1->Memo1->Lines->Add(s);
// the directory entry
int numdataentry=exif_data[8]+exif_data[9];
int tag[20], typ[20], cnt[20], ofs[20];
int k=0; // indice dei data entry
int byteorder = 0;
if(exif_data[0] == 'M' && exif_data[1] == 'M') // big endian
byteorder=1;
if(exif_data[0] == 'I' && exif_data[1] == 'I') // little endian
byteorder=0;
// metto alcune info Exif negli array per usi vari
for(int i=10; i < numdataentry*12; i+=12) // that's 12 bytes per directory entry
{
if(byteorder) // if MM
{
tag[k]=exif_data[i] | exif_data[i+1] << 8;
typ[k]=exif_data[i+2] | exif_data[i+3] << 8;
cnt[k]=exif_data[i+4]<<24|exif_data[i+5]<<16|exif_data[i+6]<<8|exif_data[i+7];
ofs[k]=exif_data[i+8]<<24|exif_data[i+9]<<16|exif_data[i+10]<<8|exif_data[i+11];
}
else // if II
{
tag[k]=exif_data[i] << 8 | exif_data[i+1];
typ[k]=exif_data[i+2] << 8 | exif_data[i+3];
cnt[k]=exif_data[i+4]|exif_data[i+5]<<8|exif_data[i+6]<<16|exif_data[i+7]<<24;
ofs[k]=exif_data[i+8]|exif_data[i+9]<<8|exif_data[i+10]<<16|exif_data[i+11]<<24;
}
k++;
}
int t, start, stop;
for(t=0;t<numdataentry; t++)
{
if(tag[t] == 0x1201)
{
// autorotation
if(ofs[t] == 0x80000) {ruota2(90.0);ruota2(90.0);ruota2(90.0);}
if(ofs[t] == 0x60000) ruota2(90.0);
if(ofs[t] == 0x30000) {ruota2(90.0); ruota2(90.0);}
if(ofs[t] == 0x03) {ruota2(90.0); ruota2(90.0);}
s="Rot: ";
s+=IntToHex(ofs[t],2);
Form1->Memo1->Lines->Add(IntToHex(tag[t],2)+ ")" + s);
}
if(tag[t] == 0x0F01)
{
s="Dev: ";
start=ofs[t], stop=ofs[t]+cnt[t]; //0x0F01
for(int i = start;i < stop ;i++)
s+=(char)exif_data[i];
Form1->Memo1->Lines->Add(IntToHex(tag[t],2)+ ")" + s);
//Form1->Image2->Canvas->TextOutW(10,135+k*15,s);
}
if(tag[t] == 0x1001)
{
s="Dev: ";
start=ofs[t], stop=ofs[t]+cnt[t]; //0x1001
for(int i = start;i < stop ;i++)
s+=(char)exif_data[i];
Form1->Memo1->Lines->Add(IntToHex(tag[t],2)+ ")" + s);
//Form1->Image2->Canvas->TextOutW(10,135+k*15,s);
}
if(tag[t] == 0x3201)
{
s="Data: ";
start=ofs[t], stop=ofs[t]+cnt[t]; //0x3201
for(int i = start;i < stop ;i++)
s+=(char)exif_data[i];
Form1->Memo1->Lines->Add(IntToHex(tag[t],2)+ ")" + s);
//Form1->Image2->Canvas->TextOutW(10,135+k*15,s);
}
}
}
}
}
fclose(fp);
}
As you didn't share your code, it is hard to say what is wrong. Here's a way to work it out though:
# Make a simple 1x1 black starting image with ImageMagick
magick xc:black start.jpg
# Make a copy with orientation=3 in "3.jpg"
exiftool -orientation#=3 start.jpg -o 3.jpg
# Analyse
exiftool -v -v -v 3.jpg
ExifToolVersion = 12.00
FileName = 3.jpg
Directory = .
FileSize = 260
FileModifyDate = 1632816155
FileAccessDate = 1632816155
FileInodeChangeDate = 1632816155
FilePermissions = 33188
FileType = JPEG
FileTypeExtension = JPG
MIMEType = image/jpeg
JPEG APP0 (14 bytes):
0006: 4a 46 49 46 00 01 01 00 00 01 00 01 00 00 [JFIF..........]
+ [BinaryData directory, 9 bytes]
| JFIFVersion = 1 1
| - Tag 0x0000 (2 bytes, int8u[2]):
| 000b: 01 01 [..]
| ResolutionUnit = 0
| - Tag 0x0002 (1 bytes, int8u[1]):
| 000d: 00 [.]
| XResolution = 1
| - Tag 0x0003 (2 bytes, int16u[1]):
| 000e: 00 01 [..]
| YResolution = 1
| - Tag 0x0005 (2 bytes, int16u[1]):
| 0010: 00 01 [..]
| ThumbnailWidth = 0
| - Tag 0x0007 (1 bytes, int8u[1]):
| 0012: 00 [.]
| ThumbnailHeight = 0
| - Tag 0x0008 (1 bytes, int8u[1]):
| 0013: 00 [.]
JPEG APP1 (96 bytes):
0018: 45 78 69 66 00 00 4d 4d 00 2a 00 00 00 08 00 05 [Exif..MM.*......]
0028: 01 12 00 03 00 00 00 01 00 03 00 00 01 1a 00 05 [................]
0038: 00 00 00 01 00 00 00 4a 01 1b 00 05 00 00 00 01 [.......J........]
0048: 00 00 00 52 01 28 00 03 00 00 00 01 00 01 00 00 [...R.(..........]
0058: 02 13 00 03 00 00 00 01 00 01 00 00 00 00 00 00 [................]
0068: 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 01 [................]
ExifByteOrder = MM
+ [IFD0 directory with 5 entries]
| 0) Orientation = 3
| - Tag 0x0112 (2 bytes, int16u[1]):
| 0030: 00 03 [..]
| 1) XResolution = 1 (1/1)
| - Tag 0x011a (8 bytes, rational64u[1]):
| 0068: 00 00 00 01 00 00 00 01 [........]
| 2) YResolution = 1 (1/1)
| - Tag 0x011b (8 bytes, rational64u[1]):
| 0070: 00 00 00 01 00 00 00 01 [........]
| 3) ResolutionUnit = 1
| - Tag 0x0128 (2 bytes, int16u[1]):
| 0054: 00 01 [..]
| 4) YCbCrPositioning = 1
| - Tag 0x0213 (2 bytes, int16u[1]):
| 0060: 00 01 [..]
JPEG DQT (65 bytes):
007c: 00 03 02 02 02 02 02 03 02 02 02 03 03 03 03 04 [................]
008c: 06 04 04 04 04 04 08 06 06 05 06 09 08 0a 0a 09 [................]
009c: 08 09 09 0a 0c 0f 0c 0a 0b 0e 0b 09 09 0d 11 0d [................]
00ac: 0e 0f 10 10 11 10 0a 0c 12 13 12 10 13 0f 10 10 [................]
00bc: 10 [.]
JPEG SOF0 (9 bytes):
00c1: 08 00 01 00 01 01 01 11 00 [.........]
ImageWidth = 1
ImageHeight = 1
EncodingProcess = 0
BitsPerSample = 8
ColorComponents = 1
JPEG DHT (18 bytes):
00ce: 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [................]
00de: 00 09 [..]
JPEG DHT (18 bytes):
00e4: 10 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [................]
00f4: 00 00 [..]
JPEG SOS
JPEG EOI
# Dump
xxd 3.jpg
00000000: ffd8 ffe0 0010 4a46 4946 0001 0100 0001 ......JFIF......
00000010: 0001 0000 ffe1 0062 4578 6966 0000 4d4d .......bExif..MM
00000020: 002a 0000 0008 0005 0112 0003 0000 0001 .*..............
00000030: 0003 0000 011a 0005 0000 0001 0000 004a ...............J
00000040: 011b 0005 0000 0001 0000 0052 0128 0003 ...........R.(..
00000050: 0000 0001 0001 0000 0213 0003 0000 0001 ................
00000060: 0001 0000 0000 0000 0000 0001 0000 0001 ................
00000070: 0000 0001 0000 0001 ffdb 0043 0003 0202 ...........C....
00000080: 0202 0203 0202 0203 0303 0304 0604 0404 ................
00000090: 0404 0806 0605 0609 080a 0a09 0809 090a ................
000000a0: 0c0f 0c0a 0b0e 0b09 090d 110d 0e0f 1010 ................
000000b0: 1110 0a0c 1213 1210 130f 1010 10ff c000 ................
000000c0: 0b08 0001 0001 0101 1100 ffc4 0014 0001 ................
000000d0: 0000 0000 0000 0000 0000 0000 0000 0009 ................
000000e0: ffc4 0014 1001 0000 0000 0000 0000 0000 ................
000000f0: 0000 0000 0000 ffda 0008 0101 0000 3f00 ..............?.
00000100: 2a9f ffd9 *...
# Make a copy with orientation=5 in "5.jpg"
exiftool -orientation#=5 start.jpg -o 5.jpg
# Analyse
exiftool -v -v -v 5.jpg
ExifToolVersion = 12.00
FileName = 5.jpg
Directory = .
FileSize = 260
FileModifyDate = 1632816155
FileAccessDate = 1632816155
FileInodeChangeDate = 1632816155
FilePermissions = 33188
FileType = JPEG
FileTypeExtension = JPG
MIMEType = image/jpeg
JPEG APP0 (14 bytes):
0006: 4a 46 49 46 00 01 01 00 00 01 00 01 00 00 [JFIF..........]
+ [BinaryData directory, 9 bytes]
| JFIFVersion = 1 1
| - Tag 0x0000 (2 bytes, int8u[2]):
| 000b: 01 01 [..]
| ResolutionUnit = 0
| - Tag 0x0002 (1 bytes, int8u[1]):
| 000d: 00 [.]
| XResolution = 1
| - Tag 0x0003 (2 bytes, int16u[1]):
| 000e: 00 01 [..]
| YResolution = 1
| - Tag 0x0005 (2 bytes, int16u[1]):
| 0010: 00 01 [..]
| ThumbnailWidth = 0
| - Tag 0x0007 (1 bytes, int8u[1]):
| 0012: 00 [.]
| ThumbnailHeight = 0
| - Tag 0x0008 (1 bytes, int8u[1]):
| 0013: 00 [.]
JPEG APP1 (96 bytes):
0018: 45 78 69 66 00 00 4d 4d 00 2a 00 00 00 08 00 05 [Exif..MM.*......]
0028: 01 12 00 03 00 00 00 01 00 05 00 00 01 1a 00 05 [................]
0038: 00 00 00 01 00 00 00 4a 01 1b 00 05 00 00 00 01 [.......J........]
0048: 00 00 00 52 01 28 00 03 00 00 00 01 00 01 00 00 [...R.(..........]
0058: 02 13 00 03 00 00 00 01 00 01 00 00 00 00 00 00 [................]
0068: 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 01 [................]
ExifByteOrder = MM
+ [IFD0 directory with 5 entries]
| 0) Orientation = 5
| - Tag 0x0112 (2 bytes, int16u[1]):
| 0030: 00 05 [..]
| 1) XResolution = 1 (1/1)
| - Tag 0x011a (8 bytes, rational64u[1]):
| 0068: 00 00 00 01 00 00 00 01 [........]
| 2) YResolution = 1 (1/1)
| - Tag 0x011b (8 bytes, rational64u[1]):
| 0070: 00 00 00 01 00 00 00 01 [........]
| 3) ResolutionUnit = 1
| - Tag 0x0128 (2 bytes, int16u[1]):
| 0054: 00 01 [..]
| 4) YCbCrPositioning = 1
| - Tag 0x0213 (2 bytes, int16u[1]):
| 0060: 00 01 [..]
JPEG DQT (65 bytes):
007c: 00 03 02 02 02 02 02 03 02 02 02 03 03 03 03 04 [................]
008c: 06 04 04 04 04 04 08 06 06 05 06 09 08 0a 0a 09 [................]
009c: 08 09 09 0a 0c 0f 0c 0a 0b 0e 0b 09 09 0d 11 0d [................]
00ac: 0e 0f 10 10 11 10 0a 0c 12 13 12 10 13 0f 10 10 [................]
00bc: 10 [.]
JPEG SOF0 (9 bytes):
00c1: 08 00 01 00 01 01 01 11 00 [.........]
ImageWidth = 1
ImageHeight = 1
EncodingProcess = 0
BitsPerSample = 8
ColorComponents = 1
JPEG DHT (18 bytes):
00ce: 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [................]
00de: 00 09 [..]
JPEG DHT (18 bytes):
00e4: 10 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [................]
00f4: 00 00 [..]
JPEG SOS
JPEG EOI
# Dump
xxd 5.jpg
00000000: ffd8 ffe0 0010 4a46 4946 0001 0100 0001 ......JFIF......
00000010: 0001 0000 ffe1 0062 4578 6966 0000 4d4d .......bExif..MM
00000020: 002a 0000 0008 0005 0112 0003 0000 0001 .*..............
00000030: 0005 0000 011a 0005 0000 0001 0000 004a ...............J
00000040: 011b 0005 0000 0001 0000 0052 0128 0003 ...........R.(..
00000050: 0000 0001 0001 0000 0213 0003 0000 0001 ................
00000060: 0001 0000 0000 0000 0000 0001 0000 0001 ................
00000070: 0000 0001 0000 0001 ffdb 0043 0003 0202 ...........C....
00000080: 0202 0203 0202 0203 0303 0304 0604 0404 ................
00000090: 0404 0806 0605 0609 080a 0a09 0809 090a ................
000000a0: 0c0f 0c0a 0b0e 0b09 090d 110d 0e0f 1010 ................
000000b0: 1110 0a0c 1213 1210 130f 1010 10ff c000 ................
000000c0: 0b08 0001 0001 0101 1100 ffc4 0014 0001 ................
000000d0: 0000 0000 0000 0000 0000 0000 0000 0009 ................
000000e0: ffc4 0014 1001 0000 0000 0000 0000 0000 ................
000000f0: 0000 0000 0000 ffda 0008 0101 0000 3f00 ..............?.
00000100: 2a9f ffd9 *...
Difference the two:
Related
I have this code:
from scapy.all import *
packet = rdpcap("hand.pcap")[0]
Now when I use print(packet) I get normal bytes
b"\x00\x00\x18\x00+\x00\x00\x00\x19\x81\xea\x02\x00\x00\x00\x00\x10\x00l\t\x00\x00\xdb\x00\x80\x00\x00\x00\xff\xff\xff\xff\xff\xff\x06\xd6\xaa\xb0x\xe9\x06\xd6\xaa\xb0x\xe9\x80V\x8cAn\xa0\x01\x00\x00\x00d\x00\x11\x15\x00\nHuawei281s\x01\x08\x82\x84\x8b\x96$0Hl\x03\x01\x01\x05\x04\x00\x02\x00\x00\x07\x06HR \x01\r\x14 \x01\x00#\x02\x13\x00*\x01\x022\x04\x0c\x12\x18`0\x14\x01\x00\x00\x0f\xac\x04\x01\x00\x00\x0f\xac\x04\x01\x00\x00\x0f\xac\x02\x0c\x00-\x1a\xad\x01\x1b\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00=\x16\x01\x00\x17\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x7f\x08\x04\x00\x08\x00\x00\x00\x00#\xdd\x05\x00\x162\x80\x00\xdd\x08\x00P\xf2\x11\x02\x00\x00\x00\xdd\x1e\x00\x90L\x04\x08\xbf\x0c\xb2y\x81\x0f\xfa\xff\x00\x00\xfa\xff\x00\x00\xc0\x05\x00\x01\x00\x00\x00\xc3\x02\x00\x02\xdd\t\x00\x10\x18\x02\x01\x00\x1c\x00\x00\xdd\x18\x00P\xf2\x02\x01\x01\x00\x00\x03\xa4\x00\x00'\xa4\x00\x00BC^\x00b2/\x00\xdd\x1d\x00\x90L\\\x02\x01\n\x00\x08\x07\x01\x0f\x00\x00\x00\x00\x00\x01\n\x01\x01\x01\x01\x0f\x00\x00\x00\x00\x00d\x08\x06~"
When I use hexdump(packet) I get this
0000 00 00 18 00 2B 00 00 00 19 81 EA 02 00 00 00 00 ....+...........
0010 10 00 6C 09 00 00 DB 00 80 00 00 00 FF FF FF FF ..l.............
0020 FF FF 06 D6 AA B0 78 E9 06 D6 AA B0 78 E9 80 56 ......x.....x..V
0030 8C 41 6E A0 01 00 00 00 64 00 11 15 00 0A 48 75 .An.....d.....Hu
0040 61 77 65 69 32 38 31 73 01 08 82 84 8B 96 24 30 awei281s......$0
0050 48 6C 03 01 01 05 04 00 02 00 00 07 06 48 52 20 Hl...........HR
0060 01 0D 14 20 01 00 23 02 13 00 2A 01 02 32 04 0C ... ..#...*..2..
0070 12 18 60 30 14 01 00 00 0F AC 04 01 00 00 0F AC ..`0............
0080 04 01 00 00 0F AC 02 0C 00 2D 1A AD 01 1B FF FF .........-......
0090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00a0 00 00 00 00 00 3D 16 01 00 17 00 00 00 00 00 00 .....=..........
00b0 00 00 00 00 00 00 00 00 00 00 00 00 00 7F 08 04 ................
00c0 00 08 00 00 00 00 40 DD 05 00 16 32 80 00 DD 08 ......#....2....
00d0 00 50 F2 11 02 00 00 00 DD 1E 00 90 4C 04 08 BF .P..........L...
00e0 0C B2 79 81 0F FA FF 00 00 FA FF 00 00 C0 05 00 ..y.............
00f0 01 00 00 00 C3 02 00 02 DD 09 00 10 18 02 01 00 ................
0100 1C 00 00 DD 18 00 50 F2 02 01 01 00 00 03 A4 00 ......P.........
0110 00 27 A4 00 00 42 43 5E 00 62 32 2F 00 DD 1D 00 .'...BC^.b2/....
0120 90 4C 5C 02 01 0A 00 08 07 01 0F 00 00 00 00 00 .L\.............
0130 01 0A 01 01 01 01 0F 00 00 00 00 00 64 08 06 7E ............d..~
And in that is my SSID with name Huawei281s in scambled in
When I use print(packet.show)
I get this
<bound method Packet.show of <RadioTap version=0 pad=0 len=24 present=TSFT+Flags+Channel+dBm_AntSignal mac_timestamp=48922905 Flags=FCS ChannelFrequency=2412 ChannelFlags= dBm_AntSignal=-37dBm notdecoded='\x00' |<Dot11FCS subtype=8 type=Management proto=0 FCfield= ID=0 addr1=ff:ff:ff:ff:ff:ff addr2=06:d6:aa:b0:78:e9 addr3=06:d6:aa:b0:78:e9 SC=22144 fcs=0x7e060864 |<Dot11Beacon timestamp=6986547596 beacon_interval=100 cap=res8+short-slot+res12+ESS+privacy |<Dot11Elt ID=SSID len=10 info='Huawei281s' |<Dot11EltRates ID=1 len=8 rates=[0x82, 0x84, 0x8b, 0x96, 0x24, 0x30, 0x48, 0x6c] |<Dot11Elt ID=DSset len=1 info='\x01' |<Dot11Elt ID=TIM len=4 info='\x00\x02\x00\x00' |<Dot11EltCountry ID=7 len=6 country_string='HR ' descriptors=[<Dot11EltCountryConstraintTriplet first_channel_number=1 num_channels=13 mtp=20 |>] pad=32 |<Dot11EltRates ID=1 len=0 |<Dot11Elt ID=35 len=2 info='\x13\x00' |<Dot11Elt ID=ERPinfo len=1 info='\x02' |<Dot11Elt ID=ESRates len=4 info='\x0c\x12\x18`' |<Dot11EltRSN ID=48 len=20 version=1 group_cipher_suite=<RSNCipherSuite oui=0xfac cipher=CCMP |> nb_pairwise_cipher_suites=1 pairwise_cipher_suites=[<RSNCipherSuite oui=0xfac cipher=CCMP |>] nb_akm_suites=1 akm_suites=[<AKMSuite oui=0xfac suite=PSK |>] mfp_capable=0 mfp_required=0 gtksa_replay_counter=0 ptksa_replay_counter=3 no_pairwise=0 pre_auth=0 reserved=0 |<Dot11Elt ID=HTCapabilities len=26 info='\xad\x01\x1b\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' |<Dot11Elt ID=HTinfo len=22 info='\x01\x00\x17\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' |<Dot11Elt ID=ExtendendCapatibilities len=8 info='\x04\x00\x08\x00\x00\x00\x00#' |<Dot11EltVendorSpecific ID=221 len=5 oui=0x1632 info='\x80\x00' |<Dot11EltVendorSpecific ID=221 len=8 oui=0x50f2 info='\x11\x02\x00\x00\x00' |<Dot11EltVendorSpecific ID=221 len=30 oui=0x904c info='\x04\x08\xbf\x0c\xb2y\x81\x0f\xfa\xff\x00\x00\xfa\xff\x00\x00\xc0\x05\x00\x01\x00\x00\x00\xc3\x02\x00\x02' |<Dot11EltVendorSpecific ID=221 len=9 oui=0x1018 info='\x02\x01\x00\x1c\x00\x00' |<Dot11EltVendorSpecific ID=221 len=24 oui=0x50f2 info="\x02\x01\x01\x00\x00\x03\xa4\x00\x00'\xa4\x00\x00BC^\x00b2/\x00" |<Dot11EltVendorSpecific ID=221 len=29 oui=0x904c info='\\\x02\x01\n\x00\x08\x07\x01\x0f\x00\x00\x00\x00\x00\x01\n\x01\x01\x01\x01\x0f\x00\x00\x00\x00\x00' |>>>>>>>>>>>>>>>>>>>>>>>
And there is my SSID under info
and for print(type(packet.show)) I get
<class 'method'>
And when I use packet.show() I get bunch of data with this
###[ 802.11 Information Element ]###
ID = SSID
len = 10
info = 'Huawei281s'
So im wondering how can I extract my SSID from packet
In this specific case you could use
packet[Dot11Beacon].network_stats()
But have a look at the doc for a more in depth tutorial. it seems you haven't really looked into Scapy's syntax :)
I am taking hex dump of the same file from two Machines ( Mac & Linux), but the order bytes looks different in both. I am something wrong?
Hexdump output from OSX
➜ samples hexdump 1500_77807e3eb2eeacd9ac870c24103f5b_fno.bin
0000000 02 20 00 01 01 0b 1a 02 59 5a 2a 2a 31 32 33 00
0000010 40 00 05 4a fa a4 77 00 00 1c 28 40 28 02 17 ef
0000020 6a 36 00 e0 4c 01 b8 f5 32 20 a0 00 07 01 d6 00
0000030 02 00 00 c3 1f 00 01 40 1f 18 67 8f 00 2f 26 43
0000040 2d 40 96 30 89 40 11 4b a0 ff 28 34 00 35 00 02
0000050 02 58 40 bd 25 40 ec 40 01 01 40 a6 26 20 61 34
0000060 40 2d c2 5f 16 00 03 27 00 2d 11 be 00 4b 5d 0c
0000070 c0 bd 2c 40 2d 4d a0 be 06 72 40 2f 52 00 05 7e
0000080 00 96 5d 57 a0 5c 80 2d 5c be 04 b0 5d 61 bc 03
0000090 00 00 41 1c f7 a0 80 1f 05 c5 70 7d 40 c2 ce 2a
00000a0 e9 00 0e 2c dd 00 0e 24 ef 00 0e b7 f0 83 54 61
00000b0 d7 03 bb 3c 43 57 03 c6 c7 be 99 84 60 44 36 03
00000c0 54 41 d7 03 b0 e2 a2 96 00 e1 00 2e af 5c bc 43
00000d0 b7 03 ad 6d c0 5c 41 4e 9f 6c 28 00 2e 9c c9 28
00000e0 00 2e b9 43 dc 41 1d b9 c2 c4 43 b7 03 ba 51 27
00000f0 03 e7 03 bb af a0 2e 0e a6 5d dc bc 43 17 d0 a0
0000100 40 80 1f d3 30 80 c3 54 62 cc 62 ac c0 0c 11 00
0000110 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*
00005d0 00 00 00 00 00 00 00 00 00 00 00 00
00005dc
Hexdump output of the same file from Ubuntu server SSH ed in from OSX
exdump 1500_77807e3eb2eeacd9ac870c24103f5b_fno.bin
0000000 2002 0100 0b01 021a 5a59 2a2a 3231 0033
0000010 0040 4a05 a4fa 0077 1c00 4028 0228 ef17
0000020 366a e000 014c f5b8 2032 00a0 0107 00d6
0000030 0002 c300 001f 4001 181f 8f67 2f00 4326
0000040 402d 3096 4089 4b11 ffa0 3428 3500 0200
0000050 5802 bd40 4025 40ec 0101 a640 2026 3461
0000060 2d40 5fc2 0016 2703 2d00 be11 4b00 0c5d
0000070 bdc0 402c 4d2d bea0 7206 2f40 0052 7e05
0000080 9600 575d 5ca0 2d80 be5c b004 615d 03bc
0000090 0000 1c41 a0f7 1f80 c505 7d70 c240 2ace
00000a0 00e9 2c0e 00dd 240e 00ef b70e 83f0 6154
00000b0 03d7 3cbb 5743 c603 bec7 8499 4460 0336
00000c0 4154 03d7 e2b0 96a2 e100 2e00 5caf 43bc
00000d0 03b7 6dad 5cc0 4e41 6c9f 0028 9c2e 28c9
00000e0 2e00 43b9 41dc b91d c4c2 b743 ba03 2751
00000f0 e703 bb03 a0af 0e2e 5da6 bcdc 1743 a0d0
0000100 8040 d31f 8030 54c3 cc62 ac62 0cc0 0011
0000110 0000 0000 0000 0000 0000 0000 0000 0000
*
Even the 1st word is different 0220 & 2002
It looks like you're having an issue with both endianness and hexdump defaulting to single bytes on your OSX environment and 2-byte words on your Linux environment.
To get identical output you might need to explicitly provide a format string.
Running hexdump -e \"%07_ax\ \"\ 16/1\ \"\ %02x\"\ \"\\n\" 1500_77807e3eb2eeacd9ac870c24103f5b_fno.bin should give you the same result in both environments.
The format string is "%08_ax " 16/1 " %02x" "\n" with escaping.
I need to get only the payload of network packets (without Ethernet header). I used TCPDump, I get something like :
0x0000: 4500 013f 7913 4000 4006 72ee ac10 01e3 E..?y.#.#.r.....
0x0010: c732 d894 b826 0050 9455 3f65 51f9 a5f4 ./...&.P.U?eQ...
0x0020: 8018 0990 4ee9 0000 0101 080a 0079 6387 ....N........yc.
[...]
I also tried with Scapy :
>>>hexdump(p)
0000 00 19 4B 10 38 79 00 26 5E 17 00 6E 08 00 45 00 ..K.8y.&^..n..E.
0010 00 40 90 E7 40 00 40 11 26 66 C0 A8 01 0E C0 A8 .#..#.#.&f......
0020 01 01 97 F1 00 35 00 2C 06 5A 6E 18 01 00 00 01 .....5.,.Zn.....
Do you know how to get only the middle column? (preferably all on one line)
(I tried Tshark, but it doesn't correspond to my expectations)
Thanks
There is a tcpick project on sourceforge that should do what you want.
You can use wireshark to analyzes the packets.And also you get more detailed description
With the Buffer() I form the packet header to 100 bytes
According to the rules of formation of the title I have to specify the following:
Offset Length(bytes) Type Description
0 4 Int The length of the message (no header)
4 4 Int Time to create the query (the number of seconds since January 1, 1970 GMT)
8 4 Int The message ID
12 32 Reserved (filled with null byte)
44 2 Int The client ID
46 1 1st byte of message flags
47 1 2nd byte of message flags
48 4 Int The identifier of the symmetric key
52 48 Reserved (filled with null byte)
Here is my code:
var query="<?xml version=\"1.0\" encoding=\"utf-8\"?><sirena><query><get_currency_rates><curr1>RUB</curr1><curr2>USD</curr2><owner>IATA</owner></get_currency_rates></query></sirena>";
var buf=new Buffer(100);
var query1=new Buffer(query);
console.log(query1.length);
buf.writeInt32BE(query1.length, 0, true);//Длина текста сообщения (без заголовка)
var foo = new Date;
var unixtime_ms = foo.getTime();
var unixtime = parseInt(unixtime_ms / 1000);
console.log(unixtime);
buf.writeInt32BE(unixtime, 4, true);//Время создания запроса (кол-во секунд с 1 января 1970 GMT)
buf.writeInt32BE(1, 8, true);//id сообщения. потом нужно автоинкрементить
for(var i=12; i<44;i++){//Зарезервировано (заполнено нулевым байтом)
buf.writeInt8(0, i, true);
}
buf.writeInt16BE(5985, 44, true);//Идентификатор клиента
buf.writeInt8(0, 46, true);//1-й байт флагов сообщения - обязательно ли это??
buf.writeInt8(0, 47, true);//2-й байт флагов сообщения - обязательно ли это??
buf.writeInt32BE(0, 48, true);//Идентификатор симметричного ключа - обязательно ли это??
for(var i=52; i<100;i++){//Зарезервировано (заполнено нулевым байтом)
buf.writeInt8(0, i, true);
}
var packet=buf.toString();//+query;
here is the byte order that gives buf.inspect()
<Buffer 00 00 00 a6 51 c0 15 db 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 17 61 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00>
but it is passed to the socket
0000 00ef bfbd 51ef bfbd 15ef bfbd 0000
0001 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 1761 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000
what's happened?
you are using different encodings in conversions string<->buffer
//...
console.log(buf);
var packet=buf.toString('binary');//+query;
console.log(Buffer(packet, 'binary'));
//...
->
<Buffer 00 00 00 a6 51 c0 27 d6 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 17 61 00 00 00 00 00 ...>
<Buffer 00 00 00 a6 51 c0 27 d6 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 17 61 00 00 00 00 00 ...>
but
//...
console.log(buf);
var packet=buf.toString();//+query; // looks like utf8 here
console.log(Buffer(packet, 'binary')); // and binary here (even without explicit 'binary')
//...
->
<Buffer 00 00 00 a6 51 c0 27 d6 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 17 61 00 00 00 00 00 ...>
<Buffer 00 00 00 fd 51 fd 28 28 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 17 61 00 00 00 00 00 ...>
Firstly , I am mentioning whatever happened on my linux mint/ubuntu system ...
udit#udit-Dabba ~/ah $ xxd -r -p input.txt output.txt
udit#udit-Dabba ~/ah $ cat input.txt
60 00 00 00 00 14 06 20 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 02 00 15 00 15 7A 32 B1 08
00 00 00 00 50 02 FF FF 7E 95 00 00 00 00 02 29
udit#udit-Dabba ~/ah $ cat output.txt
` z2P��~�)
udit#udit-Dabba ~/ah $ hexdump -C output.txt
00000000 60 00 00 00 00 14 06 20 00 00 00 00 00 00 00 00 |`...... ........|
00000010 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 |................|
00000020 00 00 00 00 00 00 00 02 00 15 00 15 7a 32 b1 08 |............z2..|
00000030 00 00 00 00 50 02 ff ff 7e 95 00 00 00 00 02 29 |....P...~......)|
00000040
udit#udit-Dabba ~/ah $ od -x output.txt
0000000 0060 0000 1400 2006 0000 0000 0000 0000
0000020 0000 0000 0000 0100 0000 0000 0000 0000
0000040 0000 0000 0000 0200 1500 1500 327a 08b1
0000060 0000 0000 0250 ffff 957e 0000 0000 2902
0000100
Now when I tried same thing on red hat , some strange behaviour is occuring.
[root#cc]$ xxd -r -p input.txt output.txt
[root#cc]$ cat input.txt
60 00 00 00 00 14 06 20 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 02 00 15 00 15 7A 32 B1 08
00 00 00 00 50 02 FF FF 7E 95 00 00 00 00 02 29
[root#cc]$ cat output.txt
` P~)[root#cc]$ hexdump -C output.txt
00000000 60 00 00 00 00 14 06 20 00 00 00 00 00 00 00 00 |`...... ........|
00000010 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 |................|
00000020 00 00 00 00 50 02 ff ff 7e 95 00 00 00 00 02 29 |....P...~......)|
00000030
[root#cc]$ od -x output.txt
0000000 0060 0000 1400 2006 0000 0000 0000 0000
0000020 0000 0000 0000 0100 0000 0000 0000 0000
0000040 0000 0000 0250 ffff 957e 0000 0000 2902
0000060
I am not able to find out why this discrepency occcuring between outputs of red hat and linux mint/ubuntu.
If possible tell me some awk/shell to perform the same in place of xxd -r -p
Pleae help me !!
EDIT:
On linux mint/ubuntu system ..
udit#udit-Dabba ~/ah $ hexdump -C input.txt
00000000 36 30 20 30 30 20 30 30 20 30 30 20 30 30 20 31 |60 00 00 00 00 1|
00000010 34 20 30 36 20 32 30 20 30 30 20 30 30 20 30 30 |4 06 20 00 00 00|
00000020 20 30 30 20 30 30 20 30 30 20 30 30 20 30 30 20 | 00 00 00 00 00 |
00000030 0a 30 30 20 30 30 20 30 30 20 30 30 20 30 30 20 |.00 00 00 00 00 |
00000040 30 30 20 30 30 20 30 31 20 30 30 20 30 30 20 30 |00 00 01 00 00 0|
00000050 30 20 30 30 20 30 30 20 30 30 20 30 30 20 30 30 |0 00 00 00 00 00|
00000060 20 0a 30 30 20 30 30 20 30 30 20 30 30 20 30 30 | .00 00 00 00 00|
00000070 20 30 30 20 30 30 20 30 32 20 30 30 20 31 35 20 | 00 00 02 00 15 |
00000080 30 30 20 31 35 20 37 41 20 33 32 20 42 31 20 30 |00 15 7A 32 B1 0|
00000090 38 20 0a 30 30 20 30 30 20 30 30 20 30 30 20 35 |8 .00 00 00 00 5|
000000a0 30 20 30 32 20 46 46 20 46 46 20 37 45 20 39 35 |0 02 FF FF 7E 95|
000000b0 20 30 30 20 30 30 20 30 30 20 30 30 20 30 32 20 | 00 00 00 00 02 |
000000c0 32 39 20 0a 0a 0a 0a 0a |29 .....|
000000c8
On red hat machine ..
[root#cc]$ hexdump -C input.txt
00000000 36 30 20 30 30 20 30 30 20 30 30 20 30 30 20 31 |60 00 00 00 00 1|
00000010 34 20 30 36 20 32 30 20 30 30 20 30 30 20 30 30 |4 06 20 00 00 00|
00000020 20 30 30 20 30 30 20 30 30 20 30 30 20 30 30 0a | 00 00 00 00 00.|
00000030 30 30 20 30 30 20 30 30 20 30 30 20 30 30 20 30 |00 00 00 00 00 0|
00000040 30 20 30 30 20 30 31 20 30 30 20 30 30 20 30 30 |0 00 01 00 00 00|
00000050 20 30 30 20 30 30 20 30 30 20 30 30 20 30 30 20 | 00 00 00 00 00 |
00000060 0a 30 30 20 30 30 20 30 30 20 30 30 20 30 30 20 |.00 00 00 00 00 |
00000070 30 30 20 30 30 20 30 32 20 30 30 20 31 35 20 30 |00 00 02 00 15 0|
00000080 30 20 31 35 20 37 41 20 33 32 20 42 31 20 30 38 |0 15 7A 32 B1 08|
00000090 20 0a 30 30 20 30 30 20 30 30 20 30 30 20 35 30 | .00 00 00 00 50|
000000a0 20 30 32 20 46 46 20 46 46 20 37 45 20 39 35 20 | 02 FF FF 7E 95 |
000000b0 30 30 20 30 30 20 30 30 20 30 30 20 30 32 20 32 |00 00 00 00 02 2|
000000c0 39 20 20 0a |9 .|
000000c4
I have no idea whats happening, but the third line is being eaten on red hat.
This is what you asked for. Reverse hexdump with awk+bash.
echo 'ibase=16' | cat - hdump | tr ' ' \; | bc | awk '{printf("%c",$0)}'
replace hdump with input.txt
echo 'ibase=16' | cat - input.txt | tr ' ' \; | bc | awk '{printf("%c",$0)}' > output.txt
codes were found here:
http://www.unix.com/shell-programming-scripting/132294-reverse-hexdump-without-xxd.html#post302404631
A late answer, but hopefully may help to somebody else reading this:
xxd had buggy handling of spaces in "-r -p" mode. As it scanned the characters, if it hit 2 consecutive non-hex characters, it would throw away everything until the next newline or end of file. If the second of the 2 consecutive characters was itself the newline character (i.e., the line ended with a space followed by a newline), the net effect would be to discard the entire next line.
I am pretty certain this is what caused Udit's problem. (I think the hexdump he later added of input.txt did not actually reflect the original state of that file.)
It looks like xxd is primarily maintained as part of the vim distribution. I looked at the xxd source included with vim 7.3, and it has the buggy handling problem fixed. Unfortunately nobody bothers to update the version #, so it still reports the same xxd 1.10 version string.
Try creating this test file (with 1 blank space at the end of the first line and none on the second; should be a 22 byte file on Linux/Unix; if you run "xxd -p" on it, it should report 3230200a34652034662035340a34322034312034340a):
20
4e 4f 54
42 41 44
If you run "xxd -r -p" on this, with a version of xxd exhibiting the buggy handling, you should see it print BAD. With a newer (fixed) version of xxd, it'll print NOTBAD.
If you run into this buggy handling and updating to a newer version of xxd is not an option, you can avoid this problem with some sed preprocessing, e.g.,
$ sed -e 's/ *//g' -e '/^$/d' input.txt | xxd -r -p > output.txt
I'd say that you have some invisible character in the input.txt file that makes the third line look invalid somehow.
And maybe the invalid character is encoding-dependent, and that's why it works in one machine and not in other.
It would be helpful to see the result of hexdump -C input.txt to check that.
$ cat foo
60 00 00 00 00 14 06 20 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 02 00 15 00 15 7A 32 B1 08
00 00 00 00 50 02 FF FF 7E 95 00 00 00 00 02 29
$ cat foo | xxd -r -p | hexdump -C
00000000 60 00 00 00 00 14 06 20 00 00 00 00 00 00 00 00 |`...... ........|
00000010 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 |................|
00000020 00 00 00 00 00 00 00 02 00 15 00 15 7a 32 b1 08 |............z2..|
00000030 00 00 00 00 50 02 ff ff 7e 95 00 00 00 00 02 29 |....P...~......)|
00000040