I have a pcap file that can be opened in Wireshark. I opened the pcap file in Vim in hex mode with :%!xxd and modified a clear text letter, e.g. A to B. However, after changing the file back to text mode with :%!xxd -r and trying to open the file in Wireshark, I get one of the following errors (depending on what I edit in the PCAP):

If I go back into that same file in hex mode and undo the changes, i.e. B back to A, I definitely will get error 2 mentioned above.

Any idea why just modifying the packet by one letter in hex mode will cause Wireshark to behave this way? And why modifying back to the original state will definitely break the pcap file?
It appears to be an issue with either vim or the xxd -r command appending a line feed at the end. Just converting from hex then back again also triggers this.
Running the following:
xxd < 51996055.pcap > 51996055.pcap.before
vim -c ':%!xxd' -c '%!xxd -r' -c ':wq' 51996055.pcap
xxd < 51996055.pcap > 51996055.pcap.after
diff 51996055.pcap.before 51996055.pcap.after
gives the following output:
59c59
< 000003a0: 3031 3233 3435 3637                      01234567
---
> 000003a0: 3031 3233 3435 3637 0a                   01234567.
Opening this file in Wireshark gives me the first error that you encountered.
Running :%!xxd doesn't put vim into hex mode per se, it just replaces the current buffer with the output of passing that through the command xxd. Likewise with the reverse.

There are some ways to improve vim's hex editing abilities, or you could try another hex-specific editor, like hexedit.
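As an added check (example code written for this page, not part of the question or the answer above): a small walker over classic pcap record framing that shows why a stray trailing line feed breaks the file while a same-length byte substitution does not. The pcap bytes are constructed inline rather than taken from a real capture; the function names build_pcap and check_pcap are chosen here. It understands only the classic pcap magic (little- or big-endian, microsecond timestamps), not pcapng or the nanosecond variant.

```python
import struct


def build_pcap(payloads, linktype=1):
    """Constructed sample data: a little-endian classic pcap file.

    Global header is 24 bytes (magic a1b2c3d4, version 2.4, tz 0, sigfigs 0,
    snaplen 65535, linktype 1 = Ethernet); each record is a 16-byte header
    (ts_sec, ts_usec, incl_len, orig_len) followed by the payload bytes.
    The payloads are arbitrary bytes, not real frames.
    """
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    records = b""
    for i, payload in enumerate(payloads):
        records += struct.pack("<IIII", 1500000000 + i, 0,
                               len(payload), len(payload)) + payload
    return header + records


def check_pcap(data):
    """Walk the record framing of a classic pcap blob.

    Returns a dict: ok, records (complete records seen), trailing_bytes
    (bytes after the last record that are too few to be a record header),
    and problems (human-readable findings). Anything left in problems is a
    reason Wireshark would refuse or truncate the file.
    """
    result = {"ok": False, "records": 0, "trailing_bytes": 0, "problems": []}
    if len(data) < 24:
        result["problems"].append("shorter than the 24-byte global header")
        return result
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"          # written by a little-endian host
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"          # written by a big-endian host
    else:
        result["problems"].append("unknown magic %s (not classic pcap)" % magic.hex())
        return result
    snaplen = struct.unpack(endian + "IHHiIII", data[:24])[5]
    off = 24
    while off < len(data):
        remaining = len(data) - off
        if remaining < 16:
            # Exactly the xxd -r / vim symptom: a lone 0x0a after the last record.
            result["trailing_bytes"] = remaining
            result["problems"].append(
                "%d trailing byte(s) after record %d: %s"
                % (remaining, result["records"], data[off:].hex()))
            break
        _ts_sec, _ts_usec, incl_len, orig_len = struct.unpack(
            endian + "IIII", data[off:off + 16])
        if incl_len > snaplen or incl_len > orig_len:
            result["problems"].append(
                "record %d: incl_len %d exceeds snaplen %d or orig_len %d"
                % (result["records"], incl_len, snaplen, orig_len))
            break
        if off + 16 + incl_len > len(data):
            result["problems"].append(
                "record %d: header claims %d bytes but only %d remain"
                % (result["records"], incl_len, remaining - 16))
            break
        result["records"] += 1
        off += 16 + incl_len
    result["ok"] = not result["problems"]
    return result


if __name__ == "__main__":
    good = build_pcap([b"ABCDEFGH", b"01234567"])
    print("original:      ", check_pcap(good))
    print("A->B same size:", check_pcap(good.replace(b"A", b"B")))
    print("plus newline:  ", check_pcap(good + b"\n"))
    print("one byte short:", check_pcap(good[:-1]))
```

Run it against the real file with check_pcap(open("51996055.pcap", "rb").read()) after every round trip through :%!xxd / :%!xxd -r; a trailing_bytes count above zero means the write appended something, and the hex of the leftover tells you what. Because Wireshark locates each packet purely by adding 16 + incl_len to the previous offset, a one-for-one byte change anywhere in a payload leaves the framing intact, while any change in file length (an appended newline, a deleted byte) shifts or truncates a record header.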