On Jul 21, 2009, at 10:36 PM, Andrej van der Zee wrote:
> I was wondering if it is possible to regenerate pcap from the
> text-output from tcpdump. I mean something like this:
> tcpdump -r dump.pcap -n -q -e > dump.txt
> some-tool dump.txt > dump2.pcap
> And then dump.pcap equals dump2.pcap.
No, not in general.
Tcpdump - like Wireshark/TShark - discards information; it summarizes
the packet (and there can be information loss even in the packet
detail pane of Wireshark and the output of TShark -V).
If you used "-xx" with tcpdump, so that you got a full hex dump of the
raw packet data, it might be possible to reconstruct the pcap file,
just as you could with TShark's output with "-x".
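
Added example, not part of the original message: a sketch of the "-xx" case described in the reply, parsing the hex dump lines back into packet bytes and writing a classic pcap file. It assumes the text was produced with `tcpdump -tt -xx` (epoch timestamps), that the link type is Ethernet, and that packets were not truncated by the snapshot length; the function names and the sample input are constructed for illustration.

```python
import re
import struct

LINKTYPE_ETHERNET = 1  # assumption: the text output does not record the link type
HEADER_RE = re.compile(r"^(\d+)\.(\d{6}) ")  # epoch timestamp as printed by -tt
HEX_RE = re.compile(r"^\s+0x[0-9a-f]{4}:\s+((?:[0-9a-f]{2,4} ?)+)")

def parse_tcpdump_xx(text):
    """Return [(sec, usec, raw_bytes), ...] parsed from `tcpdump -tt -xx` text."""
    packets = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:  # summary line starts a new packet
            packets.append([int(m.group(1)), int(m.group(2)), bytearray()])
            continue
        m = HEX_RE.match(line)
        if m and packets:  # hex line belongs to the most recent packet
            packets[-1][2] += bytes.fromhex(m.group(1).replace(" ", ""))
    return [(sec, usec, bytes(data)) for sec, usec, data in packets]

def build_pcap(packets, linktype=LINKTYPE_ETHERNET, snaplen=65535):
    """Serialize packets as a classic little-endian pcap file image."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)
    for sec, usec, data in packets:
        # The on-the-wire length is not recoverable from the hex dump of a
        # truncated packet, so orig_len is assumed equal to the captured length.
        out += struct.pack("<IIII", sec, usec, len(data), len(data)) + data
    return out

ARP_HEX = (  # constructed 42-byte ARP request, not taken from a real capture
    "\t0x0000:  ffff ffff ffff 0011 2233 4455 0806 0001\n"
    "\t0x0010:  0800 0604 0001 0011 2233 4455 c000 0201\n"
    "\t0x0020:  0000 0000 0000 c000 0202\n"
)
SUMMARY = "00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ARP, length 42\n"
SAMPLE = ("1248212160.000001 " + SUMMARY + ARP_HEX +
          "1248212161.000002 " + SUMMARY + ARP_HEX)

if __name__ == "__main__":
    pkts = parse_tcpdump_xx(SAMPLE)
    with open("dump2.pcap", "wb") as fh:
        fh.write(build_pcap(pkts))
    print(f"wrote {len(pkts)} packets to dump2.pcap")
```

The packet bytes and timestamps round-trip, but the file header (byte order, snapshot length, link type) is chosen by this script, so the result is not guaranteed to be byte-identical to the original capture file.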