TEXT2PCAP(1) The Wireshark Network Analyzer TEXT2PCAP(1)

NAME
    text2pcap - Generate a capture file from an ASCII hexdump of packets

SYNOPSIS
    text2pcap [ -h ] [ -d ] [ -q ] [ -o hex|oct|dec ] [ -l <typenum> ]
              [ -e <l3pid> ] [ -i <proto> ] [ -m <max-packet> ]
              [ -u <srcport>,<destport> ] [ -T <srcport>,<destport> ]
              [ -s <srcport>,<destport>,<tag> ] [ -S <srcport>,<destport>,<ppi> ]
              [ -t <timefmt> ] <infile>|- <outfile>|-

DESCRIPTION
    Text2pcap is a program that reads in an ASCII hex dump and writes the
    data described into a libpcap capture file. text2pcap can read
    hexdumps with multiple packets in them, and build a capture file of
    multiple packets. text2pcap is also capable of generating dummy
    Ethernet, IP and UDP, TCP, or SCTP headers, in order to build fully
    processable packet dumps from hexdumps of application-level data only.

    Text2pcap understands a hexdump of the form generated by od -Ax -tx1
    -v. In other words, each byte is individually displayed and surrounded
    with a space. Each line begins with an offset describing the position
    in the file. The offset is a hex number (it can also be octal or
    decimal; see -o) of more than two hex digits. Here is a sample dump
    that text2pcap can recognize:

        000000 00 e0 1e a7 05 6f 00 10 ........
        000008 5a a0 b9 12 08 00 46 00 ........
        000010 03 68 00 00 00 00 0a 2e ........
        000018 ee 33 0f 19 08 7f 0f 19 ........
        000020 03 80 94 04 00 00 10 01 ........
        000028 16 a2 0a 00 03 50 00 0c ........
        000030 01 01 0f 19 03 80 11 01 ........

    There is no limit on the width or number of bytes per line. Also the
    text dump at the end of the line is ignored. Bytes/hex numbers can be
    uppercase or lowercase. Any text before the offset is ignored,
    including email forwarding characters '>'. Any lines of text between
    the bytestring lines are ignored. The offsets are used to track the
    bytes, so offsets must be correct. Any line which has only bytes
    without a leading offset is ignored. An offset is recognized as being a
    hex number longer than two characters. Any text after the bytes is
    ignored (e.g. the character dump). Any hex numbers in this text are
    also ignored. An offset of zero indicates the start of a new packet,
    so a single text file with a series of hexdumps can be converted into a
    packet capture with multiple packets. Multiple packets are read in with
    timestamps differing by one second each. In general, short of these
    restrictions, text2pcap is pretty liberal about reading in hexdumps and
    has been tested with a variety of mangled outputs (including being
    forwarded through email multiple times, with limited line wrap, etc.).

    There are a couple of other special features to note. Any line where
    the first non-whitespace character is '#' will be ignored as a comment.
    Any line beginning with #TEXT2PCAP is a directive, and options can be
    inserted after this command to be processed by text2pcap. Currently
    there are no directives implemented; in the future, these may be used
    to give more fine-grained control over the dump and the way it should be
    processed, e.g. timestamps, encapsulation type, etc.
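    The reading rules above, written out as a small parser, as an added example that is not part of the man page or of text2pcap's own source: comment lines, '>' quoting before the offset, offset detection, the ASCII column, and offset-zero packet boundaries. The sample input is constructed from the page's dump; rejecting a mismatched offset with an error is this example's own choice, and only hex offsets (the -o default) are handled.

```python
import re

HEX_WORD = re.compile(r"^[0-9A-Fa-f]+$")

def parse_hexdump(text: str) -> list[bytes]:
    """Split a text2pcap-style hexdump into packets using the man page's rules:
    '#' lines are comments; the offset is the first token that is a hex number of
    more than two digits (text before it, such as '>' quoting, is ignored); the
    two-hex-digit tokens after it are bytes until the first other token (the ASCII
    column); offset 0 starts a new packet. Simplified; not text2pcap's own lexer."""
    packets: list[bytearray] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line, comment, or #TEXT2PCAP directive
        tokens = line.replace(">", " ").split()
        idx = next((i for i, t in enumerate(tokens)
                    if len(t) > 2 and HEX_WORD.match(t)), None)
        if idx is None:
            continue  # no offset on this line: ignored
        offset = int(tokens[idx], 16)
        data = bytearray()
        for tok in tokens[idx + 1:]:
            if len(tok) == 2 and HEX_WORD.match(tok):
                data.append(int(tok, 16))
            else:
                break  # ASCII dump or trailing text ends the byte run
        if offset == 0:
            packets.append(bytearray())  # an offset of zero starts a new packet
        elif not packets or offset != len(packets[-1]):
            have = len(packets[-1]) if packets else 0
            raise ValueError(f"line {lineno}: offset {offset:#x} but {have} bytes read")
        packets[-1].extend(data)
    return [bytes(p) for p in packets]

# Constructed sample: the first three lines of the man page's dump, then a second
# packet quoted by an e-mail client, with a comment and an offset-less line mixed in.
SAMPLE = """\
000000 00 e0 1e a7 05 6f 00 10 ........
000008 5a a0 b9 12 08 00 46 00 ........
000010 03 68 00 00 00 00 0a 2e ........
#TEXT2PCAP no directives exist yet, so this line is just a comment
> 000000 de ad be ef  ....
aa bb cc                    <- no offset, so ignored
> 000004 ca fe             ..
"""

if __name__ == "__main__":
    for n, pkt in enumerate(parse_hexdump(SAMPLE), 1):
        print(f"packet {n}: {len(pkt)} bytes: {pkt.hex(' ')}")
```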

    Text2pcap also allows the user to read in dumps of application-level
    data, by inserting dummy L2, L3 and L4 headers before each packet. The
    user can elect to insert Ethernet headers, Ethernet and IP, or
    Ethernet, IP and UDP/TCP headers before each packet. This allows
    Wireshark or any other full-packet decoder to handle these dumps.

OPTIONS
    -h  Displays a help message.

    -d  Displays debugging information during the process. Can be used
        multiple times to generate more debugging information.

    -q  Be completely quiet during the process.

    -o hex|oct|dec
        Specify the radix for the offsets (hex, octal or decimal). Defaults
        to hex. This corresponds to the "-A" option for od.

    -l <typenum>
        Specify the link-layer header type of this packet. Default is
        Ethernet (1). See <http://www.tcpdump.org/linktypes.html> for the
        complete list of possible encapsulations. Note that this option
        should be used if your dump is a complete hex dump of an
        encapsulated packet and you wish to specify the exact type of
        encapsulation. Example: -l 7 for ARCNet packets.

    -e <l3pid>
        Include a dummy Ethernet header before each packet. Specify the
        L3PID for the Ethernet header in hex. Use this option if your dump
        has a Layer 3 header and payload (e.g. IP header), but no Layer 2
        encapsulation. Example: -e 0x806 to specify an ARP packet.

        For IP packets, instead of generating a fake Ethernet header you
        can also use -l 12 to indicate a raw IP packet to Wireshark. Note
        that -l 12 does not work for any non-IP Layer 3 packet (e.g. ARP),
        whereas generating a dummy Ethernet header with -e works for any
        sort of L3 packet.

    -i <proto>
        Include dummy IP headers before each packet. Specify the IP
        protocol for the packet in decimal. Use this option if your dump is
        the payload of an IP packet (i.e. has complete L4 information) but
        does not have an IP header with each packet. Note that an
        appropriate Ethernet header is automatically included with each
        packet as well. Example: -i 46 to specify an RSVP packet (IP
        protocol 46).

    -m <max-packet>
        Set the maximum packet length, default is 64000. Useful for
        testing various packet boundaries when only an application-level
        datastream is available. Example:

            od -Ax -tx1 stream | text2pcap -m1460 -T1234,1234 - stream.pcap

        will convert from plain datastream format to a sequence of Ethernet
        TCP packets.

    -u <srcport>,<destport>
        Include dummy UDP headers before each packet. Specify the source
        and destination UDP ports for the packet in decimal. Use this
        option if your dump is the UDP payload of a packet but does not
        include any UDP, IP or Ethernet headers. Note that appropriate
        Ethernet and IP headers are automatically also included with each
        packet. Example: -u1000,69 to make the packets look like TFTP/UDP
        packets.
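    To make concrete what -u synthesises, the following added example (my own code, not text2pcap's) prepends dummy Ethernet, IPv4 and UDP headers to a payload and writes a classic libpcap file whose packets are stamped one second apart, as the DESCRIPTION says. The MAC and IP addresses, TTL and snaplen are assumed placeholder values; only the 1000,69 TFTP ports and the header layering come from the page, and the TFTP payload is constructed for the demo.

```python
import struct

LINKTYPE_ETHERNET = 1  # the default link type the man page gives for -l

def ip_checksum(hdr: bytes) -> int:
    """RFC 1071 one's-complement sum over an IPv4 header (even length assumed)."""
    total = sum(struct.unpack(f"!{len(hdr) // 2}H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def wrap_udp(payload: bytes, sport: int, dport: int) -> bytes:
    """Prepend dummy Ethernet, IPv4 and UDP headers, as -u does. MACs, IPs and TTL
    are placeholder values chosen for this example, not text2pcap's constants."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0)  # checksum 0 = absent (IPv4)
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                               bytes([10, 1, 1, 1]), bytes([10, 2, 2, 2])))
    ip[10:12] = struct.pack("!H", ip_checksum(bytes(ip)))  # fill the header checksum
    eth = bytes.fromhex("020000000002") + bytes.fromhex("020000000001") + b"\x08\x00"
    return eth + bytes(ip) + udp + payload

def pcap_file(frames: list[bytes], start: int = 0) -> bytes:
    """Classic libpcap container; like text2pcap, consecutive packets are stamped one
    second apart, here starting at `start` seconds since the epoch."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", start + i, 0, len(frame), len(frame)) + frame
    return out

# Constructed sample payload: a TFTP read request, to match the page's -u1000,69 example.
TFTP_RRQ = b"\x00\x01" + b"test.txt\x00" + b"octet\x00"

if __name__ == "__main__":
    frames = [wrap_udp(TFTP_RRQ, 1000, 69), wrap_udp(b"\x00\x04\x00\x01", 69, 1000)]
    with open("dummy_udp.pcap", "wb") as fh:
        fh.write(pcap_file(frames))
    print(f"wrote {len(frames)} frames; the first is {len(frames[0])} bytes")
```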

    -T <srcport>,<destport>
        Include dummy TCP headers before each packet. Specify the source
        and destination TCP ports for the packet in decimal. Use this
        option if your dump is the TCP payload of a packet but does not
        include any TCP, IP or Ethernet headers. Note that appropriate
        Ethernet and IP headers are automatically also included with each
        packet. Sequence numbers will start at 0.

    -s <srcport>,<destport>,<tag>
        Include dummy SCTP headers before each packet. Specify, in
        decimal, the source and destination SCTP ports, and verification
        tag, for the packet. Use this option if your dump is the SCTP
        payload of a packet but does not include any SCTP, IP or Ethernet
        headers. Note that appropriate Ethernet and IP headers are
        automatically also included with each packet. A CRC32C checksum
        will be put into the SCTP header.

    -S <srcport>,<destport>,<ppi>
        Include dummy SCTP headers before each packet. Specify, in
        decimal, the source and destination SCTP ports, and a verification
        tag of 0, for the packet, and prepend a dummy SCTP DATA chunk
        header with a payload protocol identifier of ppi. Use this option
        if your dump is the SCTP payload of a packet but does not include
        any SCTP, IP or Ethernet headers. Note that appropriate Ethernet
        and IP headers are automatically included with each packet. A
        CRC32C checksum will be put into the SCTP header.

    -t <timefmt>
        Treats the text before the packet as a date/time code; timefmt is a
        format string of the sort supported by strptime(3). Example: The
        time "10:15:14.5476" has the format code "%H:%M:%S."

        NOTE: The subsecond component delimiter must be specified (.) but
        no pattern is required; the remaining number is assumed to be
        fractions of a second.

        NOTE: Date/time fields from the current date/time are used as the
        default for unspecified fields.

SEE ALSO
    od(1), tcpdump(8), pcap(3), wireshark(1), tshark(1), dumpcap(1),
    mergecap(1), editcap(1), strptime(3).

NOTES
    Text2pcap is part of the Wireshark distribution. The latest version of
    Wireshark can be found at <http://www.wireshark.org>.

AUTHOR
    Ashok Narayanan <ashokn[AT]cisco.com>

1.4.10 2011-11-01 TEXT2PCAP(1)