                      CAP files format and CAP reader utility
                     =========================================

Author : big VuZZ
e-mail : bigvuzz@bigfoot.com
Date   : 10/10/2000


1) Introduction
---------------

The purpose of this memo is to give some help to network engineers, developers
or simply curious people who spend their time building, debugging or cracking
networked applications. If you are one of them, you may have used network
sniffer tools that let you capture frames and decode them off-line.

My current tool is SnifferPro. This document presents a partially decoded format
for its capture files (default '.cap' extension).

I developed a utility to dump part or all of a CAP file as ASCII. The goal was
to retrieve the exchanges of an HTTP dialog (note that HTTP is an ASCII
protocol, i.e. human readable and forgeable!).


2) CAP file format
------------------

Product : Sniffer Pro 1.5.02
Category: Multi-protocol network analyzer
Vendor  : NAI

The table below depicts the format of the files containing captured frames.
The files have a default '.cap' extension.

The file format is not fully decoded. My purpose was not to get full details
but only to extract the TCP data (payload), particularly HTTP requests and
responses, which are in ASCII form.

If you have further details on this file format, please let me know...

|==============================================================================
| Offset | Len | Type | Description / Value
| (hex)  |     |      |
|==============================================================================
| File Header (fixed part)
|------------------------------------------------------------------------------
|   0    | 16  | str  | Signature : "XCP\0001.100\0" + ??? + "9"
|   10   |  4  | long | Total frame number in the file
|   14   |  8  | byte | ?
|   1C   |  4  | long | File size
|   20   |  4  | long | Last frame offset in file
|   24   | 16  | byte | ?
|   34   |  4  | long | Global date & time ?
|   38   | 72  | byte | ?
|------------------------------------------------------------------------------
| Frame records (variable part)
|------------------------------------------------------------------------------
|   80   |  4  | long | Frame time ?
|   84   |  4  | long | Always 0 ?
|   88   |  2  | int  | Frame length (FL)
|   8A   |  2  | int  | Frame length (repeated)
|   8C   | 16  | byte | Start of frame (e.g. DLC + IP + TCP + data)
| 8C+ FL |     |      | Next frame record (same layout as at offset 0x80)
|==============================================================================


3) CAP File reader
------------------

The 'rdcap.exe' utility (running on Win9x/NT) implements a .CAP file reader:
it reads a CAP file, extracts the frames that carry a TCP payload and dumps
that data to an ASCII file.

NB : 'rdcap' dumps only frames that encapsulate the TCP protocol.
     Frames carrying other protocols (such as UDP) are read, but only their
     DLC and IP headers are dumped to the result file.

Why this utility, you may ask?
- First, SnifferPro 1.5.02 doesn't have a frame dump feature, and copy/paste
  doesn't work from the GUI of this product!
- Second, it may be useful (for education or debugging purposes) to understand
  some details of a TCP application. Sniffing frames and then running rdcap.exe
  against the cap files gives you a global view of a dialog between a client
  and a server, in ASCII form.

The 'rdcap' utility is very simple (written in standard C). Let me know about
any bug (although I did spend a little time on code quality) or desired new
functionality.

