Hi,
Can anyone assist on this?
Thanks,
Robert
From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Ullmann, Robert
Sent: Dienstag, 14. Juni 2011 10:29
To: wireshark-users@xxxxxxxxxxxxx
Subject: [Wireshark-users] text2pcap - strange packets after converting a Hex-dump
Hi list,
we need to convert a hex dump written with tshark to a pcap-file to replay the packets.
We’re capturing http-streams and write them as hex.
When we use text2pcap to convert it to pcap format, the output of text2pcap is with no error – the packets got written successfully.
The strange thing happens, when we replay the pcap or just let tshark read the pcap file.
The most packets are told to be malformed. Sometimes we also find f.e. hsrp-packets.
What are we doing wrong ?
Capturing packets with: “tshark -i eth1 –n port 443 –V –R http” (we see the http stream/ packets)
Writing to file: “tshark -i eth1 –n port 443 –V –R http | grep -e "^[0-9a-f][0-9a-f][0-9a-f][0-9a-f]" > file_hex.dump”
Converting: “text2pcap file_hex.dump file_hex.pcap” (no errors)
Wrote packet of 10 bytes at 0
Wrote packet of 5786 bytes at 10
Wrote packet of 2896 bytes at 5796
Wrote packet of 2277 bytes at 8692
Wrote packet of 10 bytes at 10969
Wrote packet of 1981 bytes at 10979
Wrote packet of 10 bytes at 12960
Wrote packet of 4338 bytes at 12970
Wrote packet of 8000 bytes at 17308
Wrote packet of 688 bytes at 25308
Wrote packet of 3590 bytes at 25996
Read 11 potential packets, wrote 11 packets
Reading with tshark: “tshark –r file_hex.pcap”
1 0.000000 -> Ethernet [Malformed Packet]
2 0.000001 b6:ee:ff:8e:e8:77 -> ed:7d:eb:72:e2:48 0xd010 Ethernet II
3 0.000002 73:72:65:8a:3b:93 -> 3e:07:9c:ae:53:b1 0x27e2 Ethernet II
4 0.000003 fa:93:2e:4a:68:8f -> 42:f2:2e:c9:7d:46 0x7d8a Ethernet II
5 0.000004 -> Ethernet [Malformed Packet]
6 0.000005 12:ff:3f:52:de:81 -> dd:59:fd:6e:e2:48 0xb5b4 Ethernet II
7 0.000006 -> Ethernet [Malformed Packet]
8 0.000007 d5:e6:75:52:95:77 -> ed:7d:db:72:db:ca 0xc0cf Ethernet II
9 0.000008 2e:21:ca:d8:41:3e -> 8e:9f:5f:95:6e:9a 0xf728 Ethernet II
10 0.000009 a9:15:ec:dd:ae:9b -> e7:d4:72:ba:b2:d3 0x3e4e Ethernet II
11 0.000010 00:4a:ba:1a:e6:33 -> 24:8f:67:ee:96:a4 0x08c6 Ethernet II
And, of course:
“tshark –r file_hex.pcap -V -R http” outputs nothing.
Is this a bug or are we just doing it wrong?
Thanks,
Robert