Dear all,
I just wanted to share some information what might save people some time. (It took me two days to figure out.)
Some people use text2pcap to feed any hex dumps into Ethereal; for example those coming from Cisco debug ip packet details dump outputs (which is a whole separate story).
I found that text2pcap has problems with lines such as
00000000 45 00 00 28 09 3E 40 00 7E 06 8D 97 0A 02 50 97\n
(Note: The line feed comes right after the last digit.)
If your file is structured like that text2pcap will write a lot of 15 bytes packets. Only when you switch on debugging with -d you will see an error message about wrong offsets (found 10, expected F) that leads you that direction.
A good workaround is to make sure that your lines look like
00000000 45 00 00 28 09 3E 40 00 7E 06 8D 97 0A 02 50 97 \n
(Note: a space character before the newline.)
The text2pcap manpage states that text2pcap will read any two digit hex numbers that are "enclosed" in spaces. So literally the first version of the format is not compliant. But I think in daily use people might overlook that detail and maybe one should chance text2pcap in a later version.
Regards,
Torsten Schlabach
