Guy Harris wrote:
>On Thu, Jun 12, 2003 at 09:46:24PM -0400, Joshua Wright wrote:
>> Would it be possible to run the file though a "tethereal -v > foo",
>> then use text2pcap to read the file back into a libpcap file?
>
>That should work, if you give the right link-layer type with the "-l"
>flag, and if text2pcap ignores the decoded packet data, and if you use
>the "-x" and "-V" flags instead of the "-v" flag, and if that hex dump
>format can be read by text2pcap.
>
>You would also need to supply the right "-t" flag.
>
>However, my first attempt at reading that output didn't succeed. I have
>not looked into why it didn't succeed, and don't expect to have time to
>do so.
>
I have noticed that I often need to do some hand-editing or use a program/script to filter the
tethereal "-x -V" output before I can use it with text2pcap.
I made a try with a program that added "# " to the lines that were not hex data or blank lines, but I still got problems.
Just when I removed the lines completely it seemed to work without problems.
If there is only hex data (+ time stamps) then it's normally working without problems - but otherwise it
seems that text2pcap sometimes misinterprets the information.
I don't know exactly what is causing the problem. I tried to add some printouts in text2pcap to see why it was happening, but never
found out how to avoid it in text2pcap.
It was quite easy to write a C program that made some kind of filtering to remove the lines that weren't hex data, or similar.
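
A filter of the kind described in the reply above, written here as an added example; it is not the poster's program or code from the project. The function names are hypothetical, and the assumed row layout is an offset of four or more hex digits at column 0, whitespace, then two-digit hex bytes.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Return 1 if the line looks like a hex-dump row under the assumed layout
 * "0000  00 0e b6 ...   ASCII": offset of >= 4 hex digits at column 0,
 * whitespace, then a first byte of exactly two hex digits. */
int is_hex_dump_line(const char *line)
{
    size_t i = 0;
    char end;

    while (isxdigit((unsigned char)line[i]))
        i++;
    if (i < 4 || (line[i] != ' ' && line[i] != '\t'))
        return 0;               /* no offset field, e.g. decoded text */
    while (line[i] == ' ' || line[i] == '\t')
        i++;
    if (!isxdigit((unsigned char)line[i]) ||
        !isxdigit((unsigned char)line[i + 1]))
        return 0;               /* offset not followed by a hex byte */
    end = line[i + 2];
    return end == ' ' || end == '\t' || end == '\n' || end == '\r' || end == '\0';
}

/* Copy hex-dump rows and blank lines from in to out and drop every other
 * line completely (not commented out). Returns the number of rows kept. */
long filter_dump(FILE *in, FILE *out)
{
    char buf[4096];
    long kept = 0;
    int at_line_start = 1;      /* 0 while inside an over-long line */

    while (fgets(buf, sizeof buf, in) != NULL) {
        if (at_line_start && is_hex_dump_line(buf)) {
            fputs(buf, out);
            kept++;
        } else if (at_line_start && buf[strspn(buf, " \t\r\n")] == '\0') {
            fputs("\n", out);   /* keep blank lines between packets */
        }
        at_line_start = strchr(buf, '\n') != NULL;
    }
    return kept;
}

int main(void)
{
    /* Reads the text dump on stdin, writes the filtered dump to stdout. */
    fprintf(stderr, "kept %ld hex rows\n", filter_dump(stdin, stdout));
    return 0;
}
```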