Wireshark-users: [Wireshark-users] text2pcap - strange packets after converting a Hex-dump
From: "Ullmann, Robert" <robert.ullmann@xxxxxxx>
Date: Tue, 14 Jun 2011 10:29:18 +0200

Hi list,

we need to convert a hex dump written with tshark to a pcap file to replay the packets.
We're capturing http streams and writing them as hex.
When we use text2pcap to convert it to pcap format, text2pcap reports no error; the packets get written successfully.

The strange thing happens when we replay the pcap or just let tshark read the pcap file.
Most packets are reported as malformed. Sometimes we also find e.g. HSRP packets.
What are we doing wrong?

Capturing packets with: “tshark -i eth1 -n port 443 -V -R http” (we see the http stream/packets)
Writing to file: “tshark -i eth1 -n port 443 -V -R http | grep -e "^[0-9a-f][0-9a-f][0-9a-f][0-9a-f]" > file_hex.dump”
Converting: “text2pcap file_hex.dump file_hex.pcap” (no errors)

Wrote packet of 10 bytes at 0
Wrote packet of 5786 bytes at 10
Wrote packet of 2896 bytes at 5796
Wrote packet of 2277 bytes at 8692
Wrote packet of 10 bytes at 10969
Wrote packet of 1981 bytes at 10979
Wrote packet of 10 bytes at 12960
Wrote packet of 4338 bytes at 12970
Wrote packet of 8000 bytes at 17308
Wrote packet of 688 bytes at 25308
Wrote packet of 3590 bytes at 25996
Read 11 potential packets, wrote 11 packets

Reading with tshark: “tshark -r file_hex.pcap”

  1   0.000000              ->              Ethernet [Malformed Packet]
  2   0.000001 b6:ee:ff:8e:e8:77 -> ed:7d:eb:72:e2:48 0xd010 Ethernet II
  3   0.000002 73:72:65:8a:3b:93 -> 3e:07:9c:ae:53:b1 0x27e2 Ethernet II
  4   0.000003 fa:93:2e:4a:68:8f -> 42:f2:2e:c9:7d:46 0x7d8a Ethernet II
  5   0.000004              ->              Ethernet [Malformed Packet]
  6   0.000005 12:ff:3f:52:de:81 -> dd:59:fd:6e:e2:48 0xb5b4 Ethernet II
  7   0.000006              ->              Ethernet [Malformed Packet]
  8   0.000007 d5:e6:75:52:95:77 -> ed:7d:db:72:db:ca 0xc0cf Ethernet II
  9   0.000008 2e:21:ca:d8:41:3e -> 8e:9f:5f:95:6e:9a 0xf728 Ethernet II
 10   0.000009 a9:15:ec:dd:ae:9b -> e7:d4:72:ba:b2:d3 0x3e4e Ethernet II
 11   0.000010 00:4a:ba:1a:e6:33 -> 24:8f:67:ee:96:a4 0x08c6 Ethernet II

And, of course:
“tshark -r file_hex.pcap -V -R http” outputs nothing.

Is this a bug or are we just doing it wrong?

Thanks,
Robert
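An added example, not from the poster or from the Wireshark project: a small Python checker that applies text2pcap's documented splitting rule (an offset of 0 starts a new packet) to a dump in the format above and reports, per resulting packet, whether its bytes can be an Ethernet II frame at all. Run over file_hex.dump before converting, it shows which lines in the grep output become the 10-byte malformed packets and the frames with odd EtherTypes; the sample dump inside is constructed, and the offset-gap handling is a simplification (flagged as a warning) rather than a mirror of text2pcap's own code.

```python
import re

# A text2pcap input line: hex offset, then space-separated byte pairs (trailing ASCII column ignored).
LINE_RE = re.compile(r"^([0-9A-Fa-f]{4,})((?:\s+[0-9A-Fa-f]{2})+)")
# EtherTypes a capture filtered on "port 443" should actually contain.
KNOWN_ETHERTYPES = {0x0800: "IPv4", 0x86DD: "IPv6", 0x0806: "ARP", 0x8100: "802.1Q"}

def split_packets(dump: str) -> list[tuple[bytes, list[str]]]:
    """Group hex lines into packets by text2pcap's rule: an offset of 0 starts a
    new packet. Returns (packet_bytes, warnings) per packet."""
    packets, cur, warns = [], None, []
    for lineno, line in enumerate(dump.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # not a hex line (dissection text, blank line, ...)
        offset, data = int(m.group(1), 16), bytes.fromhex(m.group(2))
        if offset == 0 or cur is None:
            if cur is not None:
                packets.append((bytes(cur), warns))
            cur, warns = bytearray(), []
        if offset != len(cur):  # the lines do not form one contiguous packet
            warns.append(f"line {lineno}: offset 0x{offset:x}, expected 0x{len(cur):x}")
        cur += data
    if cur is not None:
        packets.append((bytes(cur), warns))
    return packets

def check_ethernet(pkt: bytes) -> str:
    """Explain whether the bytes can be an Ethernet II frame at all."""
    if len(pkt) < 14:
        return f"{len(pkt)} bytes: shorter than an Ethernet header, dissects as malformed"
    etype = int.from_bytes(pkt[12:14], "big")
    name = KNOWN_ETHERTYPES.get(etype)
    if name is None:
        return f"{len(pkt)} bytes: EtherType 0x{etype:04x} is not IP/ARP, likely not frame bytes"
    return f"{len(pkt)} bytes: {name}"

# Constructed sample (not the poster's dump): a plausible Ethernet/IPv4 frame start,
# then a stray 10-byte block that also begins at offset 0000 and so becomes a "packet".
SAMPLE_DUMP = """\
0000  00 11 22 33 44 55 66 77 88 99 aa bb 08 00 45 00   .."3DUfw......E.
0010  00 3c 1c 46 40 00 40 06 b1 e6 c0 a8 00 02 c0 a8   .<.F@.@.........
0000  01 02 03 04 05 06 07 08 09 0a                     ..........
"""
def audit(dump: str) -> list[str]:
    """One report line per packet text2pcap would write from this dump."""
    return [f"packet {i}: {check_ethernet(p)}" + (f" [{'; '.join(w)}]" if w else "")
            for i, (p, w) in enumerate(split_packets(dump), 1)]

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_DUMP)))
```

To audit the real file, read it with `open("file_hex.dump").read()` and pass the text to `audit`; every "shorter than an Ethernet header" line points at a spot where a non-frame hex block begins at offset 0000.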