Some time we may have the packet dumps in the ASCII hex dump format. In this format, the packet content will be shown as a string of HEX values. It is tough to analyze/decode the content of such packet manually. "text2pcap" is a command line utility available in most Linux distributions which is a handy tool to convert the packets from ASCII HEX dump format into "libpcap" format. The resultant "pcap" file can be viewed with "wireshark" and hence the packet analysis becomes easier.
"text2pcap" utility takes a text file as input and generates an output file in "libpcap" format. This utility expects its input file to be formatted in certain order. Then only, the "pcap" file can be generated. Consider the below example.
We are having a packet in the ASCII HEX dump format as given below. From this string of HEX values, it is very tough to analyze the packet. We want to convert it into "pcap" format so that we will be able to view it in the "wireshark" tool and analysis will become easier.
01 80 c2 00 00 00 00 03 b1 d1 2d 00 81 00 0f fc 00 26 42 42 03 00 00 00 00 81 80 00 00 03 b1 d1
2d 00 00 00 00 00 80 00 00 03 b1 d1 2d 00 80 15 00 00 14 00 02 00 0f 00 00 00 00 00 00 00 00 00
- Let us copy this ASCII HEX dump values to a file "dump" as it is.
- Invoke the "text2pcap" utility with this input file.
- text2pcap -d dump pktcap.pcap
Input from: dump
Output to: pktcap.pcap
-------------------------
Read 0 potential packets, wrote 0 packets
- The conversion of the HEX dump to ".pcap" file has failed as the data in the input file "dump" is not in the prescribed format.
| Syntax of "text2pcap" |
|---|
| text2pcap [options] [input_file] [output_file] Here, input_file is having the ASCII HEX dump of packets and the output_file will be generated in "libpcap" format. -d --> This option will display debug messages related to "pcap" file generation. |
Formatting the ASCII HEX Dump:
- Each byte should be displayed and surrounded individually with a space.
- Each line begins with an offset describing the position of each byte in the packet dump. Usually the offset value is specified in HEX format with more than two digits.
- Each line can have any number of bytes; but the only requirement is the offset of the consecutive lines should be calculated properly.
- The HEX dump is case-insensitive.
- Any line starting with # will be treated as comment and it will be ignored.
Now, we format the input file "dump" as per the above guidelines and will try to generate the "pcap" file.
| Input File after formatting | cat dump 0000 01 80 c2 00 00 00 00 03 b1 d1 2d 00 81 00 0f fc 0010 00 26 42 42 03 00 00 00 00 81 80 00 00 03 b1 d1 0020 2d 00 00 00 00 00 80 00 00 03 b1 d1 2d 00 80 15 0030 00 00 14 00 02 00 0f 00 00 00 00 00 00 00 00 00 As we can see, each line starts with an offset which is specified in HEX format and each line is having a 16 bytes of data. Each byte is surrounded by space. |
| Generating the "pcap" File | text2pcap -d dump pktcap.pcap Input from: dump Output to: pktcap.pcap Start new packet Wrote packet of 64 bytes at 0 ------------------------- Read 1 potential packet, wrote 1 packet Now, the "pcap" file has been successfully generated. [root@bash temp]# ls dump pktcap.pcap [root@bash temp]# |
Reading the file "pktcap.pcap" in Wireshark:
The generated "libpcap" file can be read using wireshark which will give us detailed info of the received HEX dump of packet.
 |
| Viewing the HEX Dump in libpcap format using wireshark |
Generating single "pcap" file from HEX dump of multiple packets:
"text2pcap" allows the series of packet hexdumps present in a single input file to be converted into a single "pcap" file. The generated "pcap" file will have the series of converted packets. This can be achieved by starting the offset of each new HEX dump with zero.
Consider the below example where HEX dump of two packets are specified in a single input file.
[root@bash temp]# cat dump
### HEX DUMP OF PACKET 1
0000 01 80 c2 00 00 00 00 03 b1 d1 2d 00 81 00 0f fc
0010 00 26 42 42 03 00 00 00 00 81 80 00 00 03 b1 d1
0020 2d 00 00 00 00 00 80 00 00 03 b1 d1 2d 00 80 15
0030 00 00 14 00 02 00 0f 00 00 00 00 00 00 00 00 00
### HEX DUMP OF PACKET 2
0000 2c b6 93 18 32 00 00 03 b3 d1 2d 00 81 00 00 03
0010 08 06 00 01 08 00 06 04 00 02 00 03 b2 d1 2d 00
0020 ac 1f 7e fa 2c b6 93 18 32 00 ac 1f 7e 65 00 00
0030 00 00 00 00 00 00 00 00 00 00 00 00
[root@bash temp]#
Now convert this HEX dump into "pcap" file using "text2pcap" tool.
[root@bash temp]# text2pcap -d dump pktcap.pcap
Input from: dump
Output to: pktcap.pcap
Start new packet
Start new packet
Wrote packet of 64 bytes at 0
Wrote packet of 60 bytes at 64
-------------------------
Read 2 potential packets, wrote 2 packets
[root@bash temp]#
Please find below the wireshark output for the generated "pcap" file which shows two packets.
 |
| Converting HEX dump of multiple packets into pcap format |
References:
1. Manual page of "text2pcap" tool.
No comments:
Post a Comment