//--------------------------------------
//--- 010 Editor v3.0.3 Binary Template
//
// File: PCAPTemplate.bt
// Author: Didier Stevens (https://DidierStevens.com)
// Revision: 0.1, prototype, only tested on 1 PCAP file
// Date: 2009/05/24
// Purpose:  Defines a template for parsing PCAP files.
// References:
//  http://wiki.wireshark.org/Development/LibpcapFileFormat
//--------------------------------------


typedef struct {
        uint32 magic_number <format=hex>;   /* magic number */
        if(magic_number != 0xA1B2C3D4) {
            Warning("Not a valid PCAP file");
            return 1;
        }
        uint16 version_major;  /* major version number */
        uint16 version_minor;  /* minor version number */
        int32  thiszone;       /* GMT to local correction */
        uint32 sigfigs;        /* accuracy of timestamps */
        uint32 snaplen;        /* max length of captured packets, in octets */
        uint32 network;        /* data link type */
} PCAPHEADER;

typedef struct {
        time_t ts_sec;         /* timestamp seconds */
        uint32 ts_usec;        /* timestamp microseconds */
        uint32 incl_len;       /* number of octets of packet saved in file */
        uint32 orig_len;       /* actual length of packet */
        BYTE packet[incl_len];
} PCAPRECORD <read=ReadPCAPRECORD>;

string ReadPCAPRECORD(PCAPRECORD &record)
{
	string strReturn;
	
	SPrintf(strReturn, "%s.%06u", TimeTToString(record.ts_sec), record.ts_usec);
	return strReturn;
}

// Define the headers
LittleEndian();
PCAPHEADER header;

while( !FEof() )
{
	PCAPRECORD record;
}