Ethereal-users: [Ethereal-users] Test from *.cap to *.txt and vice versa

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: César Cárdenas <ccardena@xxxxxxxx>
Date: Tue, 31 Aug 2004 20:57:52 +0200
Dear all:

Apologies for the long text...

In testing the operation from *.cap to *.txt and vice versa...here are my
directives (original file has no extension but is recognized by Ethereal
for Windows):

>tethereal -r file -x > file.txt

Output "file.txt" is of the form:

-----
  1   0.000000 83.97.170.103 -> 81.220.252.238 TCP 1438 > microsoft-ds [SYN]
Seq=0 Ack=0 Win=16384 Len=0 MSS=1460

0000  00 03 47 8c 39 16 00 0a 42 6c 3c 54 08 00 45 00   ..G.9...Bl<T..E.
0010  00 30 79 18 40 00 74 06 41 1c 53 61 aa 67 51 dc   .0y.@.t.A.Sa.gQ.
0020  fc ee 05 9e 01 bd 5f a9 a1 62 00 00 00 00 70 02   ......_..b....p.
0030  40 00 ee 24 00 00 02 04 05 b4 01 01 04 02         @..$..........

...
-----

Then applying the vice versa operation:

>text2pcap file.txt filecap.cap

Output "filecap.cap" is not the original one...???:

-----
No.     Time        Source                Destination           Protocol
Info
      1 0.000000                                                Ethernet
[Malformed Packet]

Frame 1 (2 bytes on wire, 2 bytes captured)
    Arrival Time: Aug 31, 2004 19:48:17.000000000
    Time delta from previous packet: 0.000000000 seconds
    Time since reference or first frame: 0.000000000 seconds
    Frame Number: 1
    Packet Length: 2 bytes
    Capture Length: 2 bytes
[Malformed Packet: Ethernet]

0000  00 03                                             ..
...
-----

Looking for the reason, I erased the first line for some packets in the
"file.txt" and applied the same operation:

>text2pcap file.txt filecap.cap

The output is of the form:

-----
No.     Time        Source                Destination           Protocol
Info
      1 0.000000    83.97.170.103         81.220.252.238        TCP
 1438 > microsoft-ds [SYN] Seq=0 Ack=0 Win=16384 Len=0 MSS=1460

Frame 1 (62 bytes on wire, 62 bytes captured)
    Arrival Time: Aug 31, 2004 20:44:09.000000000
    Time delta from previous packet: 0.000000000 seconds
    Time since reference or first frame: 0.000000000 seconds
    Frame Number: 1
    Packet Length: 62 bytes
    Capture Length: 62 bytes
Ethernet II, Src: 00:0a:42:6c:3c:54, Dst: 00:03:47:8c:39:16
Internet Protocol, Src Addr: 83.97.170.103 (83.97.170.103), Dst Addr: 81.220.252.238
(81.220.252.238)
Transmission Control Protocol, Src Port: 1438 (1438), Dst Port: microsoft-ds
(445), Seq: 0, Ack: 0, Len: 0

0000  00 03 47 8c 39 16 00 0a 42 6c 3c 54 08 00 45 00   ..G.9...Bl<T..E.
0010  00 30 79 18 40 00 74 06 41 1c 53 61 aa 67 51 dc   .0y.@.t.A.Sa.gQ.
0020  fc ee 05 9e 01 bd 5f a9 a1 62 00 00 00 00 70 02   ......_..b....p.
0030  40 00 ee 24 00 00 02 04 05 b4 01 01 04 02         @..$..........

No.     Time        Source                Destination           Protocol
Info
      2 0.000001    81.220.252.238        83.97.170.103         TCP
 microsoft-ds > 1438 [RST, ACK] Seq=0 Ack=0 Win=0 Len=0

Frame 2 (54 bytes on wire, 54 bytes captured)
    Arrival Time: Aug 31, 2004 20:44:09.000001000
    Time delta from previous packet: 0.000001000 seconds
    Time since reference or first frame: 0.000001000 seconds
    Frame Number: 2
    Packet Length: 54 bytes
    Capture Length: 54 bytes
Ethernet II, Src: 00:03:47:8c:39:16, Dst: 00:0a:42:6c:3c:54
Internet Protocol, Src Addr: 81.220.252.238 (81.220.252.238), Dst Addr:
83.97.170.103 (83.97.170.103)
Transmission Control Protocol, Src Port: microsoft-ds (445), Dst Port: 1438
(1438), Seq: 0, Ack: 0, Len: 0

0000  00 0a 42 6c 3c 54 00 03 47 8c 39 16 08 00 45 00   ..Bl<T..G.9...E.
0010  00 28 3b e3 00 00 40 06 f2 59 51 dc fc ee 53 61   .(;...@..YQ...Sa
0020  aa 67 01 bd 05 9e 00 00 00 00 5f a9 a1 63 50 14   .g........_..cP.
0030  00 00 5a d5 00 00                                 ..Z...
-----

Everything is OK but the timestamp is not recovered...so...my questions
are, for the direct or inverse conversion and exact recovery of the original file:

Do I need to add a command to the *.cap to *.txt conversion?
Do I need to add a command to the *.txt to *.cap conversion?

I really appreciate your help,
César Cárdenas