[tcpdump-workers] [AiG-CERT #104737] DLT value

--- Begin Message ---
Hello libpcap team,

I would like to request a DLT value for the PR https://github.com/the-tcpdump-group/libpcap/pull/934. This PR intends to add ETW capture to libpcap.

Thanks in advance,
Have a nice day,

Sylvain Peyrefitte

--
Don't hesitate to contact us if you have questions or need assistance.

Best regards,

Airbus CERT (AiG CERT)

Airbus CERT
PGP KeyId: 527B1472
PGP Fingerprint: 8001 FDE8 84DA 90FD 6D5F D011 6B83 10FF 527B 1472

The information in this e-mail is confidential. The contents may not be disclosed or used by anyone other than the addressee. Access to this e-mail by anyone else is unauthorised. If you are not the intended recipient, please notify Airbus immediately and delete this e-mail. Airbus cannot accept any responsibility for the accuracy or completeness of this e-mail as it has been sent over public networks. If you have any concerns over the content of this message or its Accuracy or Integrity, please contact Airbus immediately. All outgoing e-mails from Airbus are checked using regularly updated virus scanning software but you should take whatever measures you deem to be appropriate to ensure that this message and any attachments are virus free.
--- End Message ---

___
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
Re: [tcpdump-workers] [AiG-CERT #104737] DLT value

--- Begin Message ---
Hello libpcap team,

Yes, exactly: each packet is an event. The layout of the event is https://docs.microsoft.com/en-us/windows/win32/api/evntcons/ns-evntcons-event_header and https://docs.microsoft.com/en-us/windows/win32/api/evntcons/ns-evntcons-event_header_extended_data_item. But we aligned this format with the ETL (the serialization used by Microsoft), which is not well documented.

Thanks in advance for taking care of our request.

Have a nice day,

Sylvain

On Fri May 29 19:08:04 2020, ghar...@sonic.net wrote:
> On May 29, 2020, at 3:23 AM, Airbus CERT via tcpdump-workers <work...@lists.tcpdump.org> wrote:
> > I would like to request a DLT value for the PR
> > https://github.com/the-tcpdump-group/libpcap/pull/934.
> > This PR intends to add ETW capture to libpcap.
>
> So is each packet an Event Tracing for Windows:
> https://docs.microsoft.com/en-us/windows/win32/etw/event-tracing-portal
> record of some sort? If so, where is the format of that record
> defined?
--- End Message ---
Re: [tcpdump-workers] [AiG-CERT #104737] DLT value

--- Begin Message ---
Hello,

The layout is https://docs.microsoft.com/en-us/windows/win32/api/evntcons/ns-evntcons-event_header followed by one or more https://docs.microsoft.com/en-us/windows/win32/api/evntcons/ns-evntcons-event_header_extended_data_item depending on the flag _EVENT_HEADER.Flags. I strictly follow the two links above.

Another good point for including ETW capability is a new way for network capture, https://docs.microsoft.com/en-us/message-analyzer/microsoft-windows-ndis-packetcapture-provider, without requiring an NDIS driver.

Thanks for all your work on my PR,

Have a nice day,

Sylvain

On Tue Jun 02 09:44:07 2020, ghar...@sonic.net wrote:
> On Jun 2, 2020, at 12:22 AM, Airbus CERT via tcpdump-workers <work...@lists.tcpdump.org> wrote:
> > Yes, exactly: each packet is an event. The layout of the event is
> > https://docs.microsoft.com/en-us/windows/win32/api/evntcons/ns-evntcons-event_header and
> > https://docs.microsoft.com/en-us/windows/win32/api/evntcons/ns-evntcons-event_header_extended_data_item.
> > But we aligned this format with the ETL (the serialization used by Microsoft), which is not well documented.
>
> Is it documented at all?
>
> The description of a given LINKTYPE_/DLT_ value on
> https://www.tcpdump.org/linktypes.html
> and the pages linked to by that description must be sufficient to
> allow somebody to write code to, at minimum, parse the link-layer
> headers, without ever looking at Wireshark or tcpdump code.
--- End Message ---
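As an added illustration of the header described in the message above (this is not code from the PR, from libpcap or from Winshark): a Python decoder for the 80-byte EVENT_HEADER and the 16-byte EVENT_HEADER_EXTENDED_DATA_ITEM descriptors documented on the two Microsoft pages, run over a constructed sample. It assumes the descriptors are laid out back to back directly after the header and that the caller knows how many there are; the thread does not say how the PR serializes that count, so that part is an assumption.

```python
import struct
import uuid
from datetime import datetime, timedelta, timezone

# 80-byte little-endian EVENT_HEADER (evntcons.h): Size, HeaderType, Flags, EventProperty,
# ThreadId, ProcessId, TimeStamp (FILETIME, 100 ns ticks since 1601-01-01 UTC), ProviderId GUID,
# EVENT_DESCRIPTOR (Id, Version, Channel, Level, Opcode, Task, Keyword), ProcessorTime, ActivityId GUID.
HEADER_FMT = "<HHHHIIq16sHBBBBHQQ16s"
HEADER_LEN = struct.calcsize(HEADER_FMT)      # 80
# 16-byte EVENT_HEADER_EXTENDED_DATA_ITEM: Reserved1, ExtType, Linkage bitfield, DataSize, DataPtr.
EXT_ITEM_FMT = "<HHHHQ"
EXT_ITEM_LEN = struct.calcsize(EXT_ITEM_FMT)  # 16
FLAG_NAMES = {0x0001: "EXTENDED_INFO", 0x0002: "PRIVATE_SESSION", 0x0004: "STRING_ONLY",
              0x0008: "TRACE_MESSAGE", 0x0010: "NO_CPUTIME", 0x0020: "32_BIT_HEADER",
              0x0040: "64_BIT_HEADER", 0x0100: "CLASSIC_HEADER", 0x0200: "PROCESSOR_INDEX"}
EXT_TYPE_NAMES = {1: "RELATED_ACTIVITYID", 2: "SID", 3: "TS_ID", 4: "INSTANCE_INFO",
                  5: "STACK_TRACE32", 6: "STACK_TRACE64"}

def parse_event_header(buf, ext_count=0):
    """Decode the EVENT_HEADER at the start of buf plus, when EVENT_HEADER_FLAG_EXTENDED_INFO is
    set, ext_count descriptors assumed to follow it back to back (caller-supplied count: assumption)."""
    if len(buf) < HEADER_LEN:
        raise ValueError("short buffer: %d bytes, need %d" % (len(buf), HEADER_LEN))
    f = struct.unpack_from(HEADER_FMT, buf, 0)
    flags = f[2]
    hdr = {"size": f[0], "header_type": f[1], "flags": flags,
           "flag_names": sorted(n for bit, n in FLAG_NAMES.items() if flags & bit),
           "thread_id": f[4], "process_id": f[5],
           "timestamp": datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=f[6] // 10),
           "provider_id": str(uuid.UUID(bytes_le=f[7])),   # GUID fields are little-endian
           "event_id": f[8], "version": f[9], "channel": f[10], "level": f[11],
           "opcode": f[12], "task": f[13], "keyword": f[14],
           "activity_id": str(uuid.UUID(bytes_le=f[16])), "extended": []}
    if not flags & 0x0001:
        return hdr                                # no extended items to expect
    off = HEADER_LEN
    for _ in range(ext_count):
        if off + EXT_ITEM_LEN > len(buf):
            raise ValueError("truncated extended-data item at offset %d" % off)
        _r, ext_type, link, size, ptr = struct.unpack_from(EXT_ITEM_FMT, buf, off)
        hdr["extended"].append({"type": EXT_TYPE_NAMES.get(ext_type, hex(ext_type)),
                                "linkage": link & 1, "data_size": size, "data_ptr": ptr})
        off += EXT_ITEM_LEN
    return hdr

# Constructed sample (not a real capture): EXTENDED_INFO set, followed by one SID descriptor.
SAMPLE = struct.pack(HEADER_FMT, 80, 0, 0x0001, 0, 1234, 4321, 132345792000000000,
                     uuid.UUID("11111111-2222-3333-4444-555555555555").bytes_le,
                     1001, 1, 16, 4, 0, 7, 0x8000000000000000, 0, bytes(16))
SAMPLE += struct.pack(EXT_ITEM_FMT, 0, 2, 0, 28, 0)
```

A truncated buffer raises rather than reading past the end, which is the behaviour a link-layer dissector needs when the descriptor count and the captured length disagree.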
Re: [tcpdump-workers] [AiG-CERT #104737] DLT value

--- Begin Message ---
Hi libpcap team,

Have you advanced on the subject? The project is published on the Airbus CERT GitHub if you want to take a look: https://github.com/airbus-cert/Winshark

Have a nice day,

Sylvain

On Tue Jun 02 09:58:02 2020, speyrefitte wrote:
> Hello,
>
> The layout is https://docs.microsoft.com/en-us/windows/win32/api/evntcons/ns-evntcons-event_header followed by one or more https://docs.microsoft.com/en-us/windows/win32/api/evntcons/ns-evntcons-event_header_extended_data_item depending on the flag _EVENT_HEADER.Flags. I strictly follow the two links above.
>
> Another good point for including ETW capability is a new way for network capture, https://docs.microsoft.com/en-us/message-analyzer/microsoft-windows-ndis-packetcapture-provider, without requiring an NDIS driver.
>
> Thanks for all your work on my PR,
>
> Have a nice day,
>
> Sylvain
>
> On Tue Jun 02 09:44:07 2020, ghar...@sonic.net wrote:
> > On Jun 2, 2020, at 12:22 AM, Airbus CERT via tcpdump-workers <work...@lists.tcpdump.org> wrote:
> > > Yes, exactly: each packet is an event. The layout of the event is
> > > https://docs.microsoft.com/en-us/windows/win32/api/evntcons/ns-evntcons-event_header and
> > > https://docs.microsoft.com/en-us/windows/win32/api/evntcons/ns-evntcons-event_header_extended_data_item.
> > > But we aligned this format with the ETL (the serialization used by Microsoft), which is not well documented.
> >
> > Is it documented at all?
> >
> > The description of a given LINKTYPE_/DLT_ value on
> > https://www.tcpdump.org/linktypes.html
> > and the pages linked to by that description must be sufficient to
> > allow somebody to write code to, at minimum, parse the link-layer
> > headers, without ever looking at Wireshark or tcpdump code.
--- End Message ---