Wireshark-users: [Wireshark-users] convert an ASCII files whithout using text2pcap

From: "Faten SOLTANI" <faten.soltani@xxxxxxxxxxxxxxxxxx>
Date: Wed, 18 Mar 2009 09:59:55 +0100 (CET)
Hi all,
I have an ASCII file format, and I want to convert it to Pcap format,
using an other methode than Text2pcap.If someone know how to do that with
an external tools of Wireshark(using PERL or another tool for
example...),please let me know it.
 Regards
Faten






Send Wireshark-users mailing list submissions to
> 	wireshark-users@xxxxxxxxxxxxx
>
> To subscribe or unsubscribe via the World Wide Web, visit
> 	https://wireshark.org/mailman/listinfo/wireshark-users
> or, via email, send a message with subject or body 'help' to
> 	wireshark-users-request@xxxxxxxxxxxxx
>
> You can reach the person managing the list at
> 	wireshark-users-owner@xxxxxxxxxxxxx
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Wireshark-users digest..."
>
>
> Today's Topics:
>
>    1. Re: Where is hex2pcap (giobuon@xxxxxxxxx)
>    2. Re: "Top Talkers" using Wireshark? (Hansang Bae)
>    3. Re: capture a message from a global ip   address (Hansang Bae)
>    4. Re: Slow gigabit network (Hansang Bae)
>    5. Re: Slow gigabit network (Scott Chapman)
>    6. Re: out-of-orders instead of duplicates (Hansang Bae)
>    7. LTE MAC Packet capture in WireShark (Dinesh Arora)
>    8. Re: Live capture stops suddenly (Chris Henderson)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 18 Mar 2009 02:35:00 +0700
> From: "giobuon@xxxxxxxxx" <giobuon@xxxxxxxxx>
> Subject: Re: [Wireshark-users] Where is hex2pcap
> To: Community support list for Wireshark
> 	<wireshark-users@xxxxxxxxxxxxx>
> Message-ID:
> 	<719abdf00903171235m2480eee2i3d7ebe92678ea224@xxxxxxxxxxxxxx>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Thanks Joerg for the script.
> Thanks Joan for your time
> I don't know why but when I using text2pcap I have to add an extra space
> character at end of each line. If not pcap packet generated will be
> corrupt.
> Maybe text2pcap prefer text format "offset-hex-ASCII" than "offset-hex"
>
> Regards
> -giobuon
>
> On Tue, Mar 17, 2009 at 4:13 AM, <j.snelders@xxxxxxxxxx> wrote:
>
>> On Mon, Mar 16, 2009 at 11:58:33PM +0700, giobuon@xxxxxxxxx wrote:
>> > I have a file exported from a TCP stream, it include few packet. And
>> it
>> > isn't text so I can't using text2pcap tools. How can I read it using
>> > wireshark.
>>
>> Here is your packet;-)
>>
>> The text file with hex values must look like this:
>> 0000 00 13 49 D3 9A 28 00 E0 B0 F5 EB 4B 08 00 45 00
>> 0010 02 7B 8D E8 40 00 80 06 E8 A2 0A 00 00 11 4A 7D
>> 0020 2D 64 0B D7 00 50 A7 FB BC FC 54 24 1E 52 50 18
>> 0030 FF FF 84 5F 00 00 47 45 54 20 2F 20 48 54 54 50
>> 0040 2F 31 2E 31 0D 0A 48 6F 73 74 3A 20 67 6F 6F 67
>> 0050 6C 65 2E 63 6F 6D 0D .... and so on
>>
>> Next you can use text2pcap:
>>
>> $ text2pcap 001349.txt 001349.cap
>> Input from: 001349.txt
>> Output to: 001349.cap
>> Wrote packet of 649 bytes at 0
>> Read 1 potential packet, wrote 1 packet
>>
>> Regards
>> Joan
>>
>>
>>
>>
>>
>> ___________________________________________________________________________
>> Sent via:    Wireshark-users mailing list
>> <wireshark-users@xxxxxxxxxxxxx>
>> Archives:    http://www.wireshark.org/lists/wireshark-users
>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>>             mailto:wireshark-users-request@xxxxxxxxxxxxx
>> ?subject=unsubscribe
>>
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL:
> http://www.wireshark.org/lists/wireshark-users/attachments/20090318/bcc62d62/attachment.htm
>
> ------------------------------
>
> Message: 2
> Date: Tue, 17 Mar 2009 16:16:36 -0400
> From: Hansang Bae <hbae@xxxxxxxxxx>
> Subject: Re: [Wireshark-users] "Top Talkers" using Wireshark?
> To: wireshark-users@xxxxxxxxxxxxx
> Message-ID:
> 	<20090317201638.ROTN27662.hrndva-omta04.mail.rr.com@xxxxxxxxxxxxxx>
> Content-Type: text/plain; charset="us-ascii"
>
> Shannon,
> Pilot definitely has some cool features.  You should ask for a demo
> license from Cace to play around with it.
>
>
>
>
> At 09:09 AM 3/12/2009, Shannon Adams wrote:
>
>>I have been reviewing the Network Instruments Observer product and the
>> most useful feature for me is the "Top Talkers" screen.  I can start a
>> packet capture and sort by total bytes or packets.
>>
>>I just discovered and installed Wireshark this morning, but I cannot seem
>> to locate a "Top Talkers" type tool.  If I it has that, it would save me
>> a small fortune in having to purchase a license for Network Observer.
>> Does Wireshark have this feature?  If so, can someone please lead me in
>> the right direction on how to use it?
>>
>>Thanks in advance,
>>Shannon
>>
>>
>>
>>___________________________________________________________________________
>>Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
>>Archives:    http://www.wireshark.org/lists/wireshark-users
>>Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>>             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>
>
>
>
> ------------------------------
>
> Message: 3
> Date: Tue, 17 Mar 2009 16:18:53 -0400
> From: Hansang Bae <hbae@xxxxxxxxxx>
> Subject: Re: [Wireshark-users] capture a message from a global ip
> 	address
> To: wireshark-users@xxxxxxxxxxxxx
> Message-ID:
> 	<20090317201855.OOY26578.hrndva-omta05.mail.rr.com@xxxxxxxxxxxxxx>
> Content-Type: text/plain; charset="us-ascii"
>
>
> At 03:10 AM 3/11/2009, manasi mohanty wrote:
>
>>yes, the ip address that is generally used in case of public internet
>
>
> OK, that's what I thought.  Wirehark doesn't have an agent that you can
> install, nor do most cable modems allow you to do that.  So you're going
> to have to mirror the outside (dirty side) link somehow and present the
> data to wireshark.
>
> hsb
>
>
>
>
> ------------------------------
>
> Message: 4
> Date: Tue, 17 Mar 2009 16:30:59 -0400
> From: Hansang Bae <hbae@xxxxxxxxxx>
> Subject: Re: [Wireshark-users] Slow gigabit network
> To: wireshark-users@xxxxxxxxxxxxx
> Cc: Scott Chapman <WireShark@xxxxxxxxxxxxxxxxx>,	Community support
> 	list for Wireshark <wireshark-users@xxxxxxxxxxxxx>
> Message-ID:
> 	<20090317203100.ZYQ26578.hrndva-omta05.mail.rr.com@xxxxxxxxxxxxxx>
> Content-Type: text/plain; charset="us-ascii"
>
> At 11:09 AM 3/10/2009, Scott Chapman wrote:
>>I have experimented with forcing 1000/full explicitly on both sides with
>> out any effect.
>>
>>Incidentally, I do occasionally get 20MB/sec.
>>
>>Before I go buy anew switch I was hoping to learn how to use wireshark to
>> see what is going on, perhaps to help point the finger somewhere...
>
>
> Scott,
> Divide and conquer.  I don't recall if you tried netperf or UDP based
> testing tools or not.  The slowness could be your NIC, it could be the
> protocol in use, or it could be the switch.  Does performance stats (like
> perfmon if using wintel) show that cpu is shooting high?  Do you have tcp
> off loading enabled?  Did you try disabling it?  Did you try applying the
> latest NIC drivers?
>
> Did you try using ports 1 and 2 (not 1 and 25)?  If the are right next to
> each other, did you try separating them (if on 1 and 2, move it to 1 and
> 13) to rule out ASIC based issues?  Have you monitored netstat or switch
> counters (if avail) for packet drops?
>
> hsb
>
>
>
>
> ------------------------------
>
> Message: 5
> Date: Tue, 17 Mar 2009 15:36:01 -0500 (GMT-05:00)
> From: Scott Chapman <scottchapman@xxxxxxxxxxxxxx>
> Subject: Re: [Wireshark-users] Slow gigabit network
> To: Hansang Bae <hbae@xxxxxxxxxx>
> Cc: Community support list for Wireshark
> 	<wireshark-users@xxxxxxxxxxxxx>
> Message-ID: <17861656.281237322161182.JavaMail.root@zimbra>
> Content-Type: text/plain; charset="utf-8"
>
> I have checked all the obvious things (CPU is under utilized, and I have
> fiddled around with some of the driver settings that might be related like
> buffer sizes, and off loading and the like).
>
> I am expecting to get a managed HP switch in a couple of days, so perhaps
> that could shed some light (or just fix it outright!).
>
> -Scott
>
>
> ----- Original Message -----
> From: "Hansang Bae" <hbae@xxxxxxxxxx>
> To: wireshark-users@xxxxxxxxxxxxx
> Cc: "Scott Chapman" <WireShark@xxxxxxxxxxxxxxxxx>, "Community support list
> for Wireshark" <wireshark-users@xxxxxxxxxxxxx>
> Sent: Tuesday, March 17, 2009 4:30:59 PM GMT -05:00 US/Canada Eastern
> Subject: Re: [Wireshark-users] Slow gigabit network
>
> At 11:09 AM 3/10/2009, Scott Chapman wrote:
>>I have experimented with forcing 1000/full explicitly on both sides with
>> out any effect.
>>
>>Incidentally, I do occasionally get 20MB/sec.
>>
>>Before I go buy anew switch I was hoping to learn how to use wireshark to
>> see what is going on, perhaps to help point the finger somewhere...
>
>
> Scott,
> Divide and conquer. I don't recall if you tried netperf or UDP based
> testing tools or not. The slowness could be your NIC, it could be the
> protocol in use, or it could be the switch. Does performance stats (like
> perfmon if using wintel) show that cpu is shooting high? Do you have tcp
> off loading enabled? Did you try disabling it? Did you try applying the
> latest NIC drivers?
>
> Did you try using ports 1 and 2 (not 1 and 25)? If the are right next to
> each other, did you try separating them (if on 1 and 2, move it to 1 and
> 13) to rule out ASIC based issues? Have you monitored netstat or switch
> counters (if avail) for packet drops?
>
> hsb
>
>
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL:
> http://www.wireshark.org/lists/wireshark-users/attachments/20090317/36ffd2b6/attachment.htm
>
> ------------------------------
>
> Message: 6
> Date: Tue, 17 Mar 2009 16:40:39 -0400
> From: Hansang Bae <hbae@xxxxxxxxxx>
> Subject: Re: [Wireshark-users] out-of-orders instead of duplicates
> To: wireshark-users@xxxxxxxxxxxxx
> Message-ID:
> 	<20090317204040.YJXG18800.hrndva-omta06.mail.rr.com@xxxxxxxxxxxxxx>
> Content-Type: text/plain; charset="us-ascii"
>
> At 08:32 AM 3/12/2009, Pawel K wrote:
>>Hello
>>
>>I receive many packets that look like duplicates.
>>They are exactly the same - even with respect to the receiving time.
>>Wireshark reports the second packet as a TCP Out-Of-Order.
>>IMHO it should be reported as a duplicate.
>>Am I right ?
>>
>>thank You for an answer
>
>
>
> It would be easier if you didn't span the entire vlan.  But sometimes,
> you're forced to do this because you have a case of
>
>
> A <--->B <---> C <----> D <---> E
>        \               /
>         \-------------/
>
> Capturing on B and D would give you duplicates (leaving B and arriving at
> D)
>
> So you can use editcap -d option.  But if I recall, it can only look at
> packets +/1 4 away.  So if you have:
>
> pkt 1
> pkt 2
> pkt 3
> pkt 4
> pkt 5
> pkt 6
> pkt (exact replica of 1)
>
>
> editcap won't find it (I'm pretty sure).  In the past, I had my guys write
> script that compared MAC/IP ID to remove duplicates.
>
>
>
>
>
>
> ------------------------------
>
> Message: 7
> Date: Tue, 17 Mar 2009 16:19:13 -0700 (PDT)
> From: Dinesh Arora <dineshk_arora@xxxxxxxxx>
> Subject: [Wireshark-users] LTE MAC Packet capture in WireShark
> To: wireshark-users@xxxxxxxxxxxxx
> Message-ID: <609919.66410.qm@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hi,
> ?
> I am new to WireShark tool and joined this mailing list recently.
> ?
> I have seen some discussion in the list related to LTE-MAC/RLC/PDCP packet
> layers monitoring using TCP port 9999. Can you please let me know some
> sample packet formats that I can inject inside TCP packet containing some
> LTE MAC PDUs and then see the live capture in WireShark?
> ?
> I want to make a tool that sends LTE MAC PDUs over TCP and this format
> will help me in understanding that how it will be decoded by WireShark?
> Unfortunately, Wiki does not have info related to the same.
> ?
> Thanks in Advance.
> ?
> Regards,
> Dinesh
>
>
>
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL:
> http://www.wireshark.org/lists/wireshark-users/attachments/20090317/b5eb479b/attachment.htm
>
> ------------------------------
>
> Message: 8
> Date: Wed, 18 Mar 2009 14:55:58 +1100
> From: Chris Henderson <henders254@xxxxxxxxx>
> Subject: Re: [Wireshark-users] Live capture stops suddenly
> To: Community support list for Wireshark
> 	<wireshark-users@xxxxxxxxxxxxx>
> Message-ID:
> 	<d4ee74cf0903172055x14d0677crc07ded35eb317d82@xxxxxxxxxxxxxx>
> Content-Type: text/plain; charset=ISO-8859-1
>
> On Sat, Mar 14, 2009 at 2:09 PM, Guy Harris <guy@xxxxxxxxxxxx> wrote:
>>
>> On Mar 12, 2009, at 8:15 PM, Chris Henderson wrote:
>>
>>> I am running wireshark/ ethereal version 1.0.4 on Linux. My only
>>> network interface is eth0 and when I start a live capture on eth0, it
>>> stops capturing any packet after a while. It's hard to say when it
>>> actually stops the capture as it's quite random. It doesn't give any
>>> error, just sits there not capturing anything; although in the bottom
>>> panel I can see: eth0: live capture in progress message. I have over
>>> 10GB disk space in my /tmp directory.
>>
>> Is dumpcap still running when packets stop arriving?
>
> I started dumpcap after wireshark stopped capturing and dumpcap
> staretd capturing packets.
>
>> What happens if you try running dumpcap, or tcpdump, from a terminal
>> window? ?Does it also stop seeing packets after a while?
>
> dumpcap stops after a while as well. Here's the output
>
> # dumpcap
> File: /tmp/etherXXXXm6M5no
> Packets: 13831
>
> it stopped at that. when I did ^c it said: Packets dropped: 17716
>
> the file size (/tmp/etherXXXXm6M5no) grew to 2042160 and stopped as well.
>
>> Are you using ring buffers?
>
> not sure what that is - so probably no.
>
>
> ------------------------------
>
> _______________________________________________
> Wireshark-users mailing list
> Wireshark-users@xxxxxxxxxxxxx
> https://wireshark.org/mailman/listinfo/wireshark-users
>
>
> End of Wireshark-users Digest, Vol 34, Issue 36
> ***********************************************
>