Converts text capture output into a pcap file
Sample:
Output from software whose pcap export does not work, but from which we can "cut and paste"
one frame.
45 00 00 34 71 b7 40 00 69 06 49 78 0a 0a 0a 01 E..4q.@.i.Ix....
0a 00 00 02 12 97 01 bd e6 19 3f 48 00 00 00 00 ..........?H....
80 02 7f ff 5e ce 00 00 02 04 05 b4 01 03 03 00 ....^...........
01 01 04 02 35 78 69 6a 41 0d 0a 41 41 41 41 41 ....5xijA..AAAAA
41 41 41 41 41 41 41 41 41 41 41 41             AAAAAAAAAAAA
You must convert this to a text2pcap-readable format with this script,
arbor2text.pl:
#!/usr/bin/perl
#
# arbor2text.pl
#
# converts arbor text export ASCII Files to text2pcap readable input format
#
# Version 0.3
# date 30.12.2009
# (c) by packetlevel.ch
#
#################################################
#
# Usage: arbor2text.pl arbor_txt.txt > arbor_hex.txt
#
# create PCAP File with text2pcap (included in wireshark / tshark)
# text2pcap -l 1 -e 0x0800 arbor_hex.txt arbor.pcap
#
#################################################
#
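@packets = ();
$i = 1;

# Collect the hex bytes of each frame; any non-hex line starts a new frame.
while (<>) {
    $line = $_;
    if ( $line =~ /^[0-9A-Fa-f]{2} / ) {
        # The hex column is 16 bytes = 47 characters wide; the ASCII column
        # after it is dropped. Short last lines must stay column-aligned.
        $hex_part = substr($line, 0, 47);
        $hex_part =~ s/\s//g;
        $packets[$i] .= $hex_part;
    }
    else {
        $i++;
    }
}

# Print each frame as offset + 16 bytes per line, as text2pcap expects.
for ($i = 1; $i <= @packets; $i++) {
    if ( exists $packets[$i] ) {
        for ( $j = 0; $j < length($packets[$i]); $j += 2 ) {
            if ( $j == 0 ) {
                # first line of a frame starts at offset 0
                printf "# Packet \n%08X", 0;
            } elsif ( $j % 32 == 0 ) {
                printf "\n%08X", $j/2;
            }
            print " ".substr($packets[$i], $j, 2);
        }
        print "\n";
    }
}
This generates the following output in a file: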
# Packet
00000000 45 00 00 34 71 b7 40 00 69 06 49 78 0a 0a 0a 01
00000010 0a 00 00 02 12 97 01 bd e6 19 3f 48 00 00 00 00
00000020 80 02 7f ff 5e ce 00 00 02 04 05 b4 01 03 03 00
00000030 01 01 04 02 35 78 69 6a 41 0d 0a 41 41 41 41 41
00000040 41 41 41 41 41 41 41 41 41 41 41 41
And now we create the pcap file:
text2pcap -l 1 -e 0x0800 arbor_hex.txt arbor.pcap
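Because -e 0x0800 makes text2pcap prepend a dummy Ethernet header with the IPv4 EtherType, the converted dump has to start at the IPv4 header. The following Python check of arbor_hex.txt is an added example, not part of arbor2text.pl; the names parse_dump and check_ipv4 are hypothetical, and the sample is the converter output shown above.

```python
import re

# Constructed sample: the converter output shown above, embedded to run offline.
SAMPLE = """\
# Packet
00000000 45 00 00 34 71 b7 40 00 69 06 49 78 0a 0a 0a 01
00000010 0a 00 00 02 12 97 01 bd e6 19 3f 48 00 00 00 00
00000020 80 02 7f ff 5e ce 00 00 02 04 05 b4 01 03 03 00
00000030 01 01 04 02 35 78 69 6a 41 0d 0a 41 41 41 41 41
00000040 41 41 41 41 41 41 41 41 41 41 41 41
"""
# One dump line: 8-digit hex offset followed by 1 to 16 hex bytes.
LINE = re.compile(r"^([0-9A-Fa-f]{8})((?: [0-9A-Fa-f]{2}){1,16})\s*$")

def parse_dump(text):
    """Return one bytes object per packet; raise ValueError on a bad line."""
    packets = []
    for n, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.startswith("#"):
            continue  # blank line or comment such as "# Packet"
        m = LINE.match(raw)
        if not m:
            raise ValueError(f"line {n}: expected offset and hex bytes")
        offset = int(m.group(1), 16)
        if offset == 0:
            packets.append(bytearray())  # offset 0 starts a new packet
        if not packets or offset != len(packets[-1]):
            raise ValueError(f"line {n}: offset {offset:#x} is not contiguous")
        packets[-1] += bytes.fromhex(m.group(2))
    return [bytes(p) for p in packets]

def check_ipv4(pkt):
    """Compare the pasted bytes with the IPv4 header they start with."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("no IPv4 header at offset 0; -e 0x0800 would not fit")
    total = int.from_bytes(pkt[2:4], "big")
    return {
        "header_len": (pkt[0] & 0x0F) * 4,
        "total_len": total,
        "captured": len(pkt),
        "protocol": pkt[9],
        "src": ".".join(map(str, pkt[12:16])),
        "dst": ".".join(map(str, pkt[16:20])),
        # > 0: bytes follow the IP datagram; < 0: the paste is truncated
        "extra": len(pkt) - total,
    }

if __name__ == "__main__":
    for pkt in parse_dump(SAMPLE):
        print(check_ipv4(pkt))
```

For the sample frame the IP total length is 52 bytes while 76 bytes were pasted, so 24 bytes follow the IP datagram.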