Dear all:
Apologizes for the long text...
In testing the operation from *.cap to *.txt and viceversa...here are my
directives (original file has no extension but is recognized by ethereal
for windows):
>tethereal -r file -x > file.txt
Output "file.txt" is of the form:
-----
1 0.000000 83.97.170.103 -> 81.220.252.238 TCP 1438 > microsoft-ds [SYN]
Seq=0 Ack=0 Win=16384 Len=0 MSS=1460
0000 00 03 47 8c 39 16 00 0a 42 6c 3c 54 08 00 45 00 ..G.9...Bl<T..E.
0010 00 30 79 18 40 00 74 06 41 1c 53 61 aa 67 51 dc .0y.@xxxxxxxxxx.
0020 fc ee 05 9e 01 bd 5f a9 a1 62 00 00 00 00 70 02 ......_..b....p.
0030 40 00 ee 24 00 00 02 04 05 b4 01 01 04 02 @..$..........
...
-----
Then applying the viceversa operation:
>text2pcap file.txt filecap.cap
Output "filecap.cap" is not the original one...???:
-----
No. Time Source Destination Protocol
Info
1 0.000000 Ethernet
[Malformed Packet]
Frame 1 (2 bytes on wire, 2 bytes captured)
Arrival Time: Aug 31, 2004 19:48:17.000000000
Time delta from previous packet: 0.000000000 seconds
Time since reference or first frame: 0.000000000 seconds
Frame Number: 1
Packet Length: 2 bytes
Capture Length: 2 bytes
[Malformed Packet: Ethernet]
0000 00 03 ..
...
-----
Looking for the reason, I erased the first line for some packets in the
"file.txt" and applied the same operation:
>text2pcap file.txt filecap.cap
The output is of the form:
-----
No. Time Source Destination Protocol
Info
1 0.000000 83.97.170.103 81.220.252.238 TCP
1438 > microsoft-ds [SYN] Seq=0 Ack=0 Win=16384 Len=0 MSS=1460
Frame 1 (62 bytes on wire, 62 bytes captured)
Arrival Time: Aug 31, 2004 20:44:09.000000000
Time delta from previous packet: 0.000000000 seconds
Time since reference or first frame: 0.000000000 seconds
Frame Number: 1
Packet Length: 62 bytes
Capture Length: 62 bytes
Ethernet II, Src: 00:0a:42:6c:3c:54, Dst: 00:03:47:8c:39:16
Internet Protocol, Src Addr: 83.97.170.103 (83.97.170.103), Dst Addr: 81.220.252.238
(81.220.252.238)
Transmission Control Protocol, Src Port: 1438 (1438), Dst Port: microsoft-ds
(445), Seq: 0, Ack: 0, Len: 0
0000 00 03 47 8c 39 16 00 0a 42 6c 3c 54 08 00 45 00 ..G.9...Bl<T..E.
0010 00 30 79 18 40 00 74 06 41 1c 53 61 aa 67 51 dc .0y.@xxxxxxxxxx.
0020 fc ee 05 9e 01 bd 5f a9 a1 62 00 00 00 00 70 02 ......_..b....p.
0030 40 00 ee 24 00 00 02 04 05 b4 01 01 04 02 @..$..........
No. Time Source Destination Protocol
Info
2 0.000001 81.220.252.238 83.97.170.103 TCP
microsoft-ds > 1438 [RST, ACK] Seq=0 Ack=0 Win=0 Len=0
Frame 2 (54 bytes on wire, 54 bytes captured)
Arrival Time: Aug 31, 2004 20:44:09.000001000
Time delta from previous packet: 0.000001000 seconds
Time since reference or first frame: 0.000001000 seconds
Frame Number: 2
Packet Length: 54 bytes
Capture Length: 54 bytes
Ethernet II, Src: 00:03:47:8c:39:16, Dst: 00:0a:42:6c:3c:54
Internet Protocol, Src Addr: 81.220.252.238 (81.220.252.238), Dst Addr:
83.97.170.103 (83.97.170.103)
Transmission Control Protocol, Src Port: microsoft-ds (445), Dst Port: 1438
(1438), Seq: 0, Ack: 0, Len: 0
0000 00 0a 42 6c 3c 54 00 03 47 8c 39 16 08 00 45 00 ..Bl<T..G.9...E.
0010 00 28 3b e3 00 00 40 06 f2 59 51 dc fc ee 53 61 .(;...@..YQ...Sa
0020 aa 67 01 bd 05 9e 00 00 00 00 5f a9 a1 63 50 14 .g........_..cP.
0030 00 00 5a d5 00 00 ..Z...
-----
Everything is OK but the timestamp is not recovered...so...my questions
are, for the direct or inverse conversion and exact original file recovering:
Do I need to add a command to the *.cap to *.txt conversion?
Do I need to add a command to the *.txt to *.cap conversion?
I really appreciate your help,
César Cárdenas
