Packet Description Markup Language

While reviewing a new book on Ethereal, I learned about the Packet Details Markup Language (PDML). PDML is a way to express a decoded packet in XML format. For example, here is an ICMP echo request, produced with the Tethereal command below:

tethereal -n -r snort.log.1082637820 -T pdml icmp

<?xml version="1.0"?>
<pdml version="0" creator="ethereal/0.10.3">
<packet>
<proto name="geninfo" pos="0" showname="General information" size="60">
<field name="num" pos="0" show="1" showname="Number" value="1" size="60"/>
<field name="len" pos="0" show="60" showname="Packet Length" value="3c" size="60"/>
<field name="caplen" pos="0" show="60" showname="Captured Length" value="3c" size="60"/>
<field name="timestamp" pos="0" show="Apr 22, 2004 08:47:14.358334000" showname="Captured Time" value="1082638034.358334000" size="60"/>
</proto>
<proto name="frame" showname="Frame 1 (60 bytes on wire, 60 bytes captured)" size="60" pos="0">
<field name="frame.marked" showname="Frame is marked: False" size="0" pos="0" show="0"/>
<field name="frame.time" showname="Arrival Time: Apr 22, 2004 08:47:14.358334000" size="0" pos="0" show="Apr 22, 2004 08:47:14.358334000"/>
<field name="frame.time_delta" showname="Time delta from previous packet: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
<field name="frame.time_relative" showname="Time since reference or first frame: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
<field name="frame.number" showname="Frame Number: 1" size="0" pos="0" show="1"/>
<field name="frame.pkt_len" showname="Packet Length: 60 bytes" size="0" pos="0" show="60"/>
<field name="frame.cap_len" showname="Capture Length: 60 bytes" size="0" pos="0" show="60"/>
</proto>
<proto name="eth" showname="Ethernet II, Src: 00:00:d1:ec:f5:8e, Dst: 00:03:47:75:18:20" size="14" pos="0">
<field name="eth.dst" showname="Destination: 00:03:47:75:18:20 (00:03:47:75:18:20)" size="6" pos="0" show="00:03:47:75:18:20" value="000347751820"/>
<field name="eth.src" showname="Source: 00:00:d1:ec:f5:8e (00:00:d1:ec:f5:8e)" size="6" pos="6" show="00:00:d1:ec:f5:8e" value="0000d1ecf58e"/>
<field name="eth.addr" showname="Source or Destination Address: 00:03:47:75:18:20 (00:03:47:75:18:20)" size="6" pos="0" show="00:03:47:75:18:20" value="000347751820"/>
<field name="eth.addr" showname="Source or Destination Address: 00:00:d1:ec:f5:8e (00:00:d1:ec:f5:8e)" size="6" pos="6" show="00:00:d1:ec:f5:8e" value="0000d1ecf58e"/>
<field name="eth.type" showname="Type: IP (0x0800)" size="2" pos="12" show="0x0800" value="0800"/>
<field name="eth.trailer" showname="Trailer: 00000000000000000000000000000000..." size="18" pos="42" show="00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00" value="000000000000000000000000000000000000"/>
</proto>
<proto name="ip" showname="Internet Protocol, Src Addr: 172.27.20.4 (172.27.20.4), Dst Addr: 192.168.60.3 (192.168.60.3)" size="20" pos="14">
<field name="ip.version" showname="Version: 4" size="1" pos="14" show="4" value="45"/>
<field name="ip.hdr_len" showname="Header length: 20 bytes" size="1" pos="14" show="20" value="45"/>
<field name="ip.dsfield" showname="Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)" size="1" pos="15" show="0" value="00">
<field name="ip.dsfield.dscp" showname="0000 00.. = Differentiated Services Codepoint: Default (0x00)" size="1" pos="15" show="0x00" value="00"/>
<field name="ip.dsfield.ect" showname=".... ..0. = ECN-Capable Transport (ECT): 0" size="1" pos="15" show="0" value="00"/>
<field name="ip.dsfield.ce" showname=".... ...0 = ECN-CE: 0" size="1" pos="15" show="0" value="00"/>
</field>
<field name="ip.len" showname="Total Length: 28" size="2" pos="16" show="28" value="001c"/>
<field name="ip.id" showname="Identification: 0x1026 (4134)" size="2" pos="18" show="0x1026" value="1026"/>
<field name="ip.flags" showname="Flags: 0x00" size="1" pos="20" show="0x00" value="00">
<field name="ip.flags.rb" showname="0... = Reserved bit: Not set" size="1" pos="20" show="0" value="00"/>
<field name="ip.flags.df" showname=".0.. = Don't fragment: Not set" size="1" pos="20" show="0" value="00"/>
<field name="ip.flags.mf" showname="..0. = More fragments: Not set" size="1" pos="20" show="0" value="00"/>
</field>
<field name="ip.frag_offset" showname="Fragment offset: 0" size="2" pos="20" show="0" value="0000"/>
<field name="ip.ttl" showname="Time to live: 53" size="1" pos="22" show="53" value="35"/>
<field name="ip.proto" showname="Protocol: ICMP (0x01)" size="1" pos="23" show="0x01" value="01"/>
<field name="ip.checksum" showname="Header checksum: 0xb8f0 (correct)" size="2" pos="24" show="0xb8f0" value="b8f0"/>
<field name="ip.src" showname="Source: 172.27.20.4 (172.27.20.4)" size="4" pos="26" show="172.27.20.4" value="ac1b1404"/>
<field name="ip.addr" showname="Source or Destination Address: 172.27.20.4 (172.27.20.4)" size="4" pos="26" show="172.27.20.4" value="ac1b1404"/>
<field name="ip.dst" showname="Destination: 192.168.60.3 (192.168.60.3)" size="4" pos="30" show="192.168.60.3" value="c0a83c03"/>
<field name="ip.addr" showname="Source or Destination Address: 192.168.60.3 (192.168.60.3)" size="4" pos="30" show="192.168.60.3" value="c0a83c03"/>
</proto>
<proto name="icmp" showname="Internet Control Message Protocol" size="8" pos="34">
<field name="icmp.type" showname="Type: 8 (Echo (ping) request)" size="1" pos="34" show="8" value="08"/>
<field name="icmp.code" showname="Code: 0 " size="1" pos="35" show="0x00" value="00"/>
<field name="icmp.checksum" showname="Checksum: 0x6861 (correct)" size="2" pos="36" show="0x6861" value="6861"/>
<field name="icmp.ident" showname="Identifier: 0x809e" size="2" pos="38" show="0x809e" value="809e"/>
<field name="icmp.seq" showname="Sequence number: 0x0f00" size="2" pos="40" show="0x0f00" value="0f00"/>
</proto>
</packet>

PDML is related to NetPDL. Both were created at the same Italian university that brought the world WinDump.
