Ullmann, Robert <robert.ullmann@...> writes:
> we need to convert a hex dump written with tshark to a pcap-file to replay the
packets.
> We’re capturing http-streams and write them as hex.
> When we use text2pcap to convert it to pcap format, the output of text2pcap is
with no error – the packets got written successfully.
>
> The strange thing happens, when we replay the pcap or just let tshark read the
pcap file.
> The most packets are told to be malformed. Sometimes we also find f.e.
hsrp-packets.
> What are we doing wrong ?
>
> Capturing packets with: “tshark -i eth1 –n port 443 –V –R http” (we see the
http stream/ packets)
> Writing to file: “tshark -i eth1 –n port 443 –V –R http | grep -e
"^[0-9a-f][0-9a-f][0-9a-f][0-9a-f]" > file_hex.dump”
Maybe you already solved this yourself by now or no longer have the need for a
solution, but it looks to me like you're missing the tshark -x option.