python, wireshark, pcap, tshark

How to convert a pcap into hex stream using tshark?


All I tried is this in Python:

First, I read the pcap file and used this command in Python:

import binascii

# Read the whole capture file and hex-encode it
with open("pcap_files/DCERPC.pcap", 'rb') as f:
    content = f.read()
print(binascii.hexlify(content))

I am not getting the exact hex stream since it's reading the entire file.

Hence alternatively, is it possible to copy a pcap into hex stream using tshark?

Edit:

In the Wireshark capture image, there are many frames; I select one and copy it as a hex stream. What is the command to perform this action in either tshark or xxd?


Solution

  • As you are using python, you may want to look at PyShark, which leverages tshark.

    Setup: Create a File

    Let's create a one-packet file for demonstration purposes:

    bash-5.0$ tshark -w temp.pcap -c 10
    Capturing on 'Wi-Fi: en0'
    1 
    1 packet dropped from Wi-Fi: en0
    

    Parsing Hex

    There are many ways to parse hex. Which method you choose will depend on what you are trying to do. Tshark will show you packets while hexdump and xxd will show you every byte, including capture format bytes. For an idea of the difference between packet and file format bytes, this article on deconstructing the pcap format may be helpful. Wireshark is also capable of doing this with View -> "Reload as File Format/Capture".

    Get hex with tshark

    To get the hex from tshark for each packet, use -T json and then find the "frame_raw" field.

    bash-5.0$ tshark -x -r temp.pcap -T json
    [
      {
        "_index": "packets-2019-09-10",
        "_type": "pcap_file",
        "_score": null,
        "_source": {
          "layers": {
            "frame_raw": ["cc65adda39706c96cfd87fe7080045000028910000004006ca3fc0a801f69765c58cc08001bb2f5a0b8169ef01ab501008001f930000",
              0,
              54,
              0,
              1
            ],
            "frame": {
              "frame.encap_type": "1",
              "frame.time": "Sep 10, 2019 18:57:29.571371000 PDT",
              "frame.offset_shift": "0.000000000",
    ...
    

    Get hex with tshark in python

    import json
    import subprocess as sp
    
    def get_tshark_hexstreams(capture_path: str) -> list:
        """Get the frames in a capture as a list of hex strings."""
        cmds = ["tshark", "-x", "-r", capture_path, "-T", "json"]
        frames_text = sp.check_output(cmds, text=True)
        frames_json = json.loads(frames_text)
        hexstreams = [frame["_source"]["layers"]["frame_raw"][0] for frame in frames_json]
        return hexstreams
    
    output = get_tshark_hexstreams('temp.pcap')
    print(output)
    ['6c96cfd87fe7cc65adda'...
     'cc65adda39706c96cfd8'...
     'ffffffffffff60a44c24'...
     ...
    

    Edited per update in question.
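Added example, not code from the question or the answer above: a small Python parser for the classic pcap container that returns each packet's own bytes as a hex stream, which is the packet-bytes versus capture-format-bytes distinction the answer draws. The helper names (build_pcap, pcap_hexstreams) and the embedded sample file are constructed here; the sample frame is the frame_raw value from the tshark JSON output above.

```python
import struct
from binascii import hexlify

# Constructed sample: one Ethernet/IPv4/TCP frame (54 bytes), the frame_raw
# value shown in the tshark JSON output above.
SAMPLE_FRAME = bytes.fromhex(
    "cc65adda39706c96cfd87fe7080045000028910000004006ca3f"
    "c0a801f69765c58cc08001bb2f5a0b8169ef01ab501008001f930000"
)

def build_pcap(frames, nanosecond=False, big_endian=False) -> bytes:
    """Wrap raw frames in a classic pcap file: 24-byte global header plus a
    16-byte record header per packet. Constructed for this demo only."""
    order = ">" if big_endian else "<"
    magic = 0xA1B23C4D if nanosecond else 0xA1B2C3D4
    # version 2.4, thiszone 0, sigfigs 0, snaplen 65535, linktype 1 (Ethernet)
    out = struct.pack(order + "IHHiIII", magic, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        # ts_sec, ts_frac, incl_len, orig_len (constructed timestamp)
        out += struct.pack(order + "IIII", 1568134649, i, len(frame), len(frame))
        out += frame
    return out

def pcap_hexstreams(data: bytes) -> list:
    """Return each packet's bytes as a hex stream, skipping the file-format
    bytes. Handles both byte orders and the micro/nanosecond magic numbers."""
    if len(data) < 24:
        raise ValueError("truncated global header")
    magic = data[:4]
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
        order = "<"
    elif magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        order = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is a different format)")
    streams = []
    off = 24
    while off + 16 <= len(data):
        _ts_sec, _ts_frac, incl_len, _orig_len = struct.unpack(
            order + "IIII", data[off:off + 16])
        off += 16
        if off + incl_len > len(data):
            raise ValueError("truncated packet record")
        streams.append(hexlify(data[off:off + incl_len]).decode())
        off += incl_len
    return streams

if __name__ == "__main__":
    for h in pcap_hexstreams(build_pcap([SAMPLE_FRAME])):
        print(h)
```

Hex-encoding the whole file, as in the question, would include the 24-byte global header and each 16-byte record header in front of the packet bytes, which is why the result did not match Wireshark's "copy as hex stream".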