Ethereal-dev: Re: Re : Re: [Ethereal-dev] particular snoop output

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Gilbert Ramirez <gilbertr@xxxxxxxxx>
Date: Tue, 26 Oct 2004 14:20:57 -0500
That sounds like a challenge to me. It looks like the netscreen dump
contains everything from layer 2 and above, so I don't think any of
that needs to be sent to text2pcap -- just the link layer, and
text2pcap defaults to Ethernet, which it appears you are using.

Try this Python script.

$ netscreen2dump.py ns-snoop.txt out.txt
$ text2pcap out.txt out.pcap
$ ethereal out.pcap

It works for the sample ns-snoop.txt you sent; if it seems to
generally work for you, I can add it to the Ethereal distribution. If
you could figure out what the timestamp format is, I might be able to
add proper timestamps to the generated hexdump file.

-gilbert


On Tue, 26 Oct 2004 20:12:04 +0200, netsc@xxxxxxxxxx <netsc@xxxxxxxxxx> wrote:
> Gilbert, sorry to not post feedback after your suggestion; thanks for it.
> As specified by Graeme, the offset of each line is not included in the text
> output from netscreen. Then text2pcap does not recognize any packet in the
> text file. Additionally, even if packets are detected, L2, L3 and L4 have to
> be manually instructed to text2pcap, which is not interesting at all.
> 
> I really need some improvement from netscreen on their "snoop".
> 
> Thanks to all
> Florent
>

#!/usr/bin/env python3
"""
Converts netscreen snoop hex-dumps to a hex-dump that text2pcap can read.

Copyright (c) 2004 by Gilbert Ramirez <gram@xxxxxxxxxxxxxxx>

This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
as published by the Free Software Foundation; either version 2
of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
"""

import sys
import re

class OutputFile:
    def __init__(self, name):
        try:
            self.fh = open(name, "w")
        except IOError as err:
            sys.exit(err)

    def close(self):
        self.fh.close()

    def PrintPacket(self, timestamp, datalines):
        # What to do with the timestamp? I need more data about what
        # the netscreen timestamp is, then I can generate one for the text file.
#        print("TS:", timestamp.group("time"))

        # text2pcap needs a hex byte offset at the start of every line and
        # treats offset 0 as the start of a new packet; the netscreen output
        # has no offsets, so they are computed here from the byte count.
        offset = 0
        for lineno, hexgroup in datalines:
            hexline = hexgroup.group("hex")
            hexpairs = hexline.split()
            print("%08x   %s" % (offset, hexline), file=self.fh)
            offset += len(hexpairs)

        # Blank line
        print(file=self.fh)

# Packet header line: a time, a counter and the i/o direction, e.g. "12.3: 1(i):"
re_timestamp = re.compile(r"^(?P<time>\d+\.\d): \d+\((?P<io>.)\):")
# Data line: up to 16 hex byte pairs, whitespace, then the ASCII column
re_hex_line = re.compile(r"(?P<hex>([0-9a-f]{2} ){1,16})\s+(?P<ascii>.){1,16}")

def run(input_filename, output_filename):
    try:
        ifh = open(input_filename, "r")
    except IOError as err:
        sys.exit(err)

    output_file = OutputFile(output_filename)

    timestamp = None
    datalines = []
    lineno = 0

    for line in ifh:
        lineno += 1
        if not timestamp:
            m = re_timestamp.search(line)
            if m:
                timestamp = m

        else:
            m = re_hex_line.search(line)
            if m:
                datalines.append((lineno, m))
            else:
                if datalines:
                    output_file.PrintPacket(timestamp, datalines)
                    timestamp = None
                    datalines = []
                # The line that ended this packet may itself be the next
                # packet's header, so check it again rather than dropping it.
                m = re_timestamp.search(line)
                if m:
                    timestamp = m

    if datalines:
        output_file.PrintPacket(timestamp, datalines)
        timestamp = None
        datalines = []

    ifh.close()
    output_file.close()


def usage():
    print("Usage: netscreen2dump.py netscreen-dump-file new-dump-file", file=sys.stderr)
    sys.exit(1)

def main():
    if len(sys.argv) != 3:
        usage()

    run(sys.argv[1], sys.argv[2])

if __name__ == "__main__":
    main()
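As an added example (not Gilbert's script above and not part of the Ethereal distribution), the same conversion written as importable Python 3 functions, with two checks a practitioner would want before handing the result to text2pcap: that each frame really begins with an Ethernet header, since text2pcap assumes Ethernet unless told otherwise, and that the generated offsets are consecutive, so the hexdump parses back to the same bytes. It reuses the two line patterns from the script; the sample input is constructed to match them (an ARP request and an ICMP echo request) and is not a real NetScreen capture. Timestamps are parsed but left unused, as in the script, because their format is still unknown.

```python
import re
import sys
from typing import List, Tuple

# Same line patterns as the script above uses for NetScreen snoop output.
RE_TIMESTAMP = re.compile(r"^(?P<time>\d+\.\d): \d+\((?P<io>.)\):")
RE_HEX_LINE = re.compile(r"(?P<hex>([0-9a-f]{2} ){1,16})\s+(?P<ascii>.){1,16}")

# Constructed sample in that shape (ARP request, then ICMP echo request);
# the ASCII column is dots because only its presence matters to the pattern.
SAMPLE_SNOOP = """\
12.3: 1(i):
ff ff ff ff ff ff 00 11 22 33 44 55 08 06 00 01   ......."3DU.....
08 00 06 04 00 01 00 11 22 33 44 55 c0 a8 01 02   ........"3DU....
00 00 00 00 00 00 c0 a8 01 01                     ..........

12.4: 2(o):
00 11 22 33 44 55 00 aa bb cc dd ee 08 00 45 00   ."3DU.........E.
00 1c 00 01 00 00 40 01 f7 8c c0 a8 01 01 c0 a8   ......@.........
01 02 08 00 f7 ff 00 00 00 00                     ..........
"""

Packet = Tuple[str, str, bytes]  # (timestamp text, direction "i"/"o", frame bytes)


def parse_snoop(text: str) -> List[Packet]:
    """Group the hex lines under each header line and decode them to bytes."""
    packets: List[Packet] = []
    ts = io = None
    buf = bytearray()

    def flush() -> None:
        nonlocal ts, io
        if buf:
            packets.append((ts, io, bytes(buf)))
            buf.clear()
        ts = io = None

    for line in text.splitlines():
        m = RE_TIMESTAMP.search(line)
        if m:
            flush()  # a new header ends the previous packet even with no blank line
            ts, io = m.group("time"), m.group("io")
            continue
        h = RE_HEX_LINE.search(line)
        if h and ts is not None:
            buf += bytes.fromhex(h.group("hex").replace(" ", ""))
        else:
            flush()  # blank or unrecognised line terminates the packet
    flush()
    return packets


def to_text2pcap(frame: bytes) -> List[str]:
    """Render one frame as offset-prefixed hex lines; offset 0 starts a packet."""
    return [
        "%08x   %s" % (off, " ".join("%02x" % b for b in frame[off:off + 16]))
        for off in range(0, len(frame), 16)
    ]


def convert(text: str) -> str:
    """Whole-file conversion, packets separated by a blank line like the script."""
    return "".join("\n".join(to_text2pcap(f)) + "\n\n" for _, _, f in parse_snoop(text))


def ethernet_check(frame: bytes) -> Tuple[bool, str]:
    """Does the frame look like what text2pcap's default (Ethernet) expects?
    Needs 14 header bytes; a type field below 0x0600 is an 802.3 length, not
    an EtherType, so the dump would need a different encapsulation flag."""
    if len(frame) < 14:
        return False, "only %d bytes, shorter than an Ethernet header" % len(frame)
    ethertype = int.from_bytes(frame[12:14], "big")
    if ethertype < 0x0600:
        return False, "bytes 12-13 are 0x%04x, a length field rather than an EtherType" % ethertype
    return True, "EtherType 0x%04x" % ethertype


def roundtrip_frame(lines: List[str]) -> bytes:
    """Parse text2pcap-format lines back to bytes, verifying offsets are consecutive."""
    out = bytearray()
    for line in lines:
        parts = line.split()
        if int(parts[0], 16) != len(out):
            raise ValueError("offset %s does not follow %d bytes" % (parts[0], len(out)))
        out += bytes.fromhex("".join(parts[1:]))
    return bytes(out)


if __name__ == "__main__":
    # Usage: python3 this_script.py ns-snoop.txt > out.txt   (no argument: the sample)
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SNOOP
    for ts, io, frame in parse_snoop(src):
        ok, why = ethernet_check(frame)
        print("# %s %s %d bytes: %s" % (ts, io, len(frame), why), file=sys.stderr)
    sys.stdout.write(convert(src))
```

The per-packet report goes to stderr so stdout stays a clean text2pcap input; a frame that fails `ethernet_check` is the cue to look at the dump's encapsulation before trusting what Ethereal shows for it.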