I am trying to convert a hex dump obtained from a Cisco router via the embedded packet capture feature into a pcap file.
My input format is as listed below:
0
0000: 70E42273 90D2003A 7D36A502 81000183 p."s...:}6......
0010: 080045C0 003BB1BF 40000106 8FA20A10 ..E..;..@.......
0020: 91BD0A10 91BEAC03 00B313C4 EE96E803 ................
0030: 1C875018 3D41832D 0000FFFF FFFFFFFF ..P.=A.-........
0040: FFFFFFFF FFFFFFFF FFFF0013 04 .............
1
0000: 003A7D36 A50270E4 227390D2 81000183 .:}6..p."s......
0010: 08004500 00281097 40000106 319E0A10 ..E..(..@...1...
0020: 91BE0A10 91BD00B3 AC03E803 1C8713C4 ................
0030: EEA95010 7B534936 0000 ..P.{SI6..
2
0000: 003A7D36 A50270E4 227390D2 81000183 .:}6..p."s......
0010: 08004500 003B1197 40000106 308B0A10 ..E..;..@...0...
0020: 91BE0A10 91BD00B3 AC03E803 1C8713C4 ................
0030: EEA95018 7B534508 0000FFFF FFFFFFFF ..P.{SE.........
0040: FFFFFFFF FFFFFFFF FFFF0013 04 .............
The above format is not accepted by text2pcap, as text2pcap expects:
0000: 70 E4 22 73 90 D2 00 3A 7D 36 A5 02 81 00 01 83
0010: 08 00 45 C0 00 3B B1 BF 40 00 01 06 8F A2 0A 10
Are there any converter tools or scripts available for this?
As you know, text2pcap doesn't currently support this data format; however, I have opened a Wireshark bug report so that one day text2pcap may natively support reading data in such a format. Feel free to follow Wireshark Bug 16193 - text2pcap could be enhanced to accept input in other formats for any updates to this enhancement request.
In the meantime, you will either have to write your own script/command(s), find someone to write one for you, or use/modify an existing script/command in order to convert the data into a format readable by text2pcap. To help get you going, I'm providing you with one method that seems to work in my testing. Assuming your output is saved in a dump.in file, you can run the following:
cat dump.in | sed 's/\([0-9A-F]\{2\}\)/\1 /g' | sed 's/\([0-9A-F]\{2\}\) \([0-9A-F]\{2\}\) : /\1\2 /g' > dump.out
Both cat and sed should be available on most platforms. I actually ran this command on Windows 10 under Cygwin.
NOTE: I am no sed expert, but there are almost certainly sed experts out there who can probably figure out how to get this to work in 1 pass; I couldn't in the time I was willing to spend on this.
Using the command provided, I was able to convert the data to a format that text2pcap could read and then ran text2pcap -a dump.out dump.pcap to generate a valid pcap file. Running tshark -r dump.pcap generates the following output:
1 387 2019-11-12 21:49:23.000000 0.000000 0.000000 10.16.145.189 → 10.16.145.190 BGP 77 KEEPALIVE Message
2 387 2019-11-12 21:49:23.000001 0.000001 0.000001 10.16.145.190 → 10.16.145.189 TCP 58 bgp(179) → 44035 [ACK] Seq=1 Ack=20 Win=31571 Len=0
3 387 2019-11-12 21:49:23.000002 0.000002 0.000001 10.16.145.190 → 10.16.145.189 BGP 77 KEEPALIVE Message
I assume that's the correct and expected output.
See also: How to convert hex dump from 4 hex digit groups to 2 hex digit groups
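A standalone converter, added here as an example and not part of the original question or answer: it parses the Cisco dump layout shown above directly into Ethernet frames and writes a pcap file with nothing but the Python standard library, so text2pcap is not needed at all; it also emits the two-hex-digit layout text2pcap reads, for anyone who still wants that route. Assumptions that are not stated on the page: the dump is a plain-text file in exactly the layout shown (a line holding only the packet number, then offset lines with up to four 4-byte groups followed by an ASCII column); the captured frames are Ethernet (pcap link type 1); the dump carries no timestamps, so each frame is given a fabricated, increasing one. The script checks every offset line against the number of bytes already collected, which catches a dropped or wrapped line in a pasted dump, and summarize() decodes the 802.1Q tag and IPv4 addresses so the result can be cross-checked against the tshark output above (VLAN 387, 10.16.145.189 and .190). The embedded sample is the three frames from the question, copied so the script runs offline.

```python
"""Convert a Cisco IOS embedded-packet-capture hex dump (offset, 4-byte hex
groups, ASCII column) into a pcap file using only the standard library.
Usage: python epc2pcap.py dump.in dump.pcap   (no args: convert SAMPLE_DUMP)."""
import re
import struct
import sys

# Constructed sample: the three frames from the question above, verbatim.
SAMPLE_DUMP = """\
0
0000: 70E42273 90D2003A 7D36A502 81000183 p."s...:}6......
0010: 080045C0 003BB1BF 40000106 8FA20A10 ..E..;..@.......
0020: 91BD0A10 91BEAC03 00B313C4 EE96E803 ................
0030: 1C875018 3D41832D 0000FFFF FFFFFFFF ..P.=A.-........
0040: FFFFFFFF FFFFFFFF FFFF0013 04 .............
1
0000: 003A7D36 A50270E4 227390D2 81000183 .:}6..p."s......
0010: 08004500 00281097 40000106 319E0A10 ..E..(..@...1...
0020: 91BE0A10 91BD00B3 AC03E803 1C8713C4 ................
0030: EEA95010 7B534936 0000 ..P.{SI6..
2
0000: 003A7D36 A50270E4 227390D2 81000183 .:}6..p."s......
0010: 08004500 003B1197 40000106 308B0A10 ..E..;..@...0...
0020: 91BE0A10 91BD00B3 AC03E803 1C8713C4 ................
0030: EEA95018 7B534508 0000FFFF FFFFFFFF ..P.{SE.........
0040: FFFFFFFF FFFFFFFF FFFF0013 04 .............
"""

PACKET_START = re.compile(r"^\s*\d+\s*$")                 # line holding only the packet number
HEX_LINE = re.compile(r"^\s*([0-9A-Fa-f]{4,}):\s+(.*)$")  # "0010: <groups> <ascii column>"
GROUP = re.compile(r"^(?:[0-9A-Fa-f]{2}){1,4}$")          # one hex token of 1..4 bytes
LINKTYPE_ETHERNET = 1  # assumption: EPC captured Ethernet frames


def parse_cisco_dump(text):
    """Return the frames (list of bytes). Each offset line is checked against the
    bytes collected so far, so a dropped or wrapped line raises instead of
    silently producing a corrupt frame."""
    packets, current = [], bytearray()
    for lineno, line in enumerate(text.splitlines(), 1):
        if PACKET_START.match(line):
            if current:
                packets.append(bytes(current))
            current = bytearray()
            continue
        m = HEX_LINE.match(line)
        if m is None:
            continue  # blank lines, CLI prompt, anything else
        offset = int(m.group(1), 16)
        if offset == 0 and current:  # dump without packet-number lines
            packets.append(bytes(current))
            current = bytearray()
        if offset != len(current):
            raise ValueError(f"line {lineno}: offset {offset:#06x} but "
                             f"{len(current)} bytes collected so far")
        groups = []
        for tok in m.group(2).split():
            # A full line holds four 4-byte groups; anything after them, or the
            # first token that is not pure hex, is the ASCII column.
            if len(groups) == 4 or not GROUP.match(tok):
                break
            groups.append(tok)
        current.extend(bytes.fromhex("".join(groups)))
    if current:
        packets.append(bytes(current))
    return packets


def summarize(frame):
    """(vlan_id, src_ip, dst_ip) for an 802.1Q-tagged IPv4 frame, else None."""
    if len(frame) < 38 or frame[12:14] != b"\x81\x00" or frame[16:18] != b"\x08\x00":
        return None
    vlan_id = struct.unpack(">H", frame[14:16])[0] & 0x0FFF
    src = ".".join(map(str, frame[30:34]))  # IPv4 header starts at byte 18
    dst = ".".join(map(str, frame[34:38]))
    return vlan_id, src, dst


def to_text2pcap(packets):
    """Render frames in the layout text2pcap reads; offset 0 starts a new frame."""
    lines = []
    for pkt in packets:
        for off in range(0, len(pkt), 16):
            lines.append(f"{off:06x} " + " ".join(f"{b:02x}" for b in pkt[off:off + 16]))
        lines.append("")
    return "\n".join(lines) + "\n"


def build_pcap(packets, linktype=LINKTYPE_ETHERNET):
    """Classic little-endian pcap: 24-byte global header, then per-frame 16-byte record header."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype))
    for i, pkt in enumerate(packets):
        # The dump has no timestamps; fabricate increasing ones so frame order survives.
        out += struct.pack("<IIII", 0, i, len(pkt), len(pkt))
        out += pkt
    return bytes(out)


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DUMP
    frames = parse_cisco_dump(text)
    out_path = sys.argv[2] if len(sys.argv) > 2 else "dump.pcap"
    with open(out_path, "wb") as fh:
        fh.write(build_pcap(frames))
    for n, frame in enumerate(frames):
        print(n, len(frame), summarize(frame))
```

Reading the resulting file with tshark -r dump.pcap should show the same three frames as the answer above (VLAN 387, BGP KEEPALIVE / ACK / KEEPALIVE); the only difference is the fabricated timestamps. One caveat: on a short last line the parser stops at the first token that is not pure hex, so an ASCII column that happens to begin with an even-length run of hex characters would be swallowed as data; the offset check on the next line would not catch that, since it is the last line of the frame.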