Wireshark-users: Re: [Wireshark-users] text2pcap - strange packets after converting a Hex-dump

From: "Ullmann, Robert" <robert.ullmann@xxxxxxx>
Date: Fri, 22 Jul 2011 15:23:18 +0200
Also tried with -x. The result is the same.

@ Shaineel: to answer your question: we use the first "tshark" with ssl-decryption. Writing this output to stdout or a simple text file gives the decrypted ssl-http-traffic. But writing the decrypted traffic with "-w" as a pcap-file results in just recording the ENCRYPTED traffic to this pcap-file. So the decryption seems to be only something like a "display filter". Isn't tshark able to write this decrypted traffic to a pcap directly???

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Chris Maynard
Sent: Tuesday, 28 June 2011 22:11
To: wireshark-users@xxxxxxxxxxxxx
Subject: Re: [Wireshark-users] text2pcap - strange packets after converting a Hex-dump

Ullmann, Robert <robert.ullmann@...> writes:

> we need to convert a hex dump written with tshark to a pcap-file to replay the packets.
> We’re capturing http-streams and write them as hex.
> When we use text2pcap to convert it to pcap format, the output of text2pcap is with no error – the packets got written successfully.
>
> The strange thing happens, when we replay the pcap or just let tshark read the pcap file.
> The most packets are told to be malformed. Sometimes we also find f.e. hsrp-packets.
> What are we doing wrong ?
>
> Capturing packets with: "tshark -i eth1 -n port 443 -V -R http" (we see the http stream/ packets)
> Writing to file: "tshark -i eth1 -n port 443 -V -R http | grep -e "^[0-9a-f][0-9a-f][0-9a-f][0-9a-f]" > file_hex.dump"

Maybe you already solved this yourself by now or no longer have the need for a
solution, but it looks to me like you're missing the tshark -x option.

