text2pcap - How to convert ASCII packet dumps to .pcap files?
Nothing in my experience is better at telling the real story than a packet capture. It shows exactly what is going on and whether a configuration or a change is working as expected. Sometimes an engineer needs to look at packet captures taken from devices that don't generate .pcap files directly. With some experience and familiarity one can visually inspect a packet for certain pieces of information, but after all, this is what computers are made for.
You are probably familiar with text2pcap, but in case you aren't: it is a command-line tool that comes with the Wireshark package. The program does what its name implies: it converts the ASCII hex representation of a packet, or a series of packets, into a pcap file that you can inspect with whatever tool you prefer. For me, that is Wireshark.
text2pcap has some nice features, including adding dummy L2/L3 headers in front of application-layer data if your original capture is missing those layers. It allows text comments within the ASCII files. Also, being a command-line tool makes it easy to integrate into scripts, which is another thing I like about it.
99% of the time I just use the main function without any options, and it is as simple as the following steps:
- Capture the ASCII dump of some packets.
- Save them to a file and make sure they are in the correct format for text2pcap (example below).
- From your shell, run text2pcap <textfile> <new-pcap-file>
That's all. Here is a quick example:
0000 00 a0 a5 81 7d b1 00 23 9c 13 53 82 08 00 45 00 ....m..#..T...E.
0010 00 40 00 00 40 00 3e 11 ba f2 ac 1d 99 34 ac 1e .@..@.>......3..
0020 92 4b 0b f8 cd 6a 00 2c 18 a3 03 b9 00 24 2c ef .J...j.,.....$,.
0030 7f 2e c0 ff f3 f8 b4 1c df 1d 8e 01 3d f4 12 10 ............=...
0040 52 65 71 75 65 73 74 20 44 65 6e 69 65 64       Request.Denied

[wael:~/Desktop/Workspace] wael% text2pcap -d ../packet.txt ../radius.pcap
Input from: ../packet.txt
Output to: ../radius.pcap
Output format: PCAP
Start new packet (cont = FALSE).
[[parse_preamble: ""]]
Wrote packet of 78 bytes.
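To make the input format concrete, here is an added example (my own code, not part of this post and not from the Wireshark project) that does in Python what the text2pcap run above does: it parses a text2pcap-style hex dump (offset, hex bytes, optional ASCII column that must be ignored), starts a new packet whenever the offset returns to zero, and writes a classic pcap file with an Ethernet link type. The sample dump is the RADIUS "Request Denied" packet from the post; the output file name radius.pcap, the zero-MAC dummy Ethernet helper (the same idea as text2pcap's dummy-header options) and the synthetic timestamps are my assumptions.

```python
"""Convert a text2pcap-style ASCII hex dump into a pcap file (added example)."""
import re
import struct
import time

# Constructed sample: the packet dump shown in the post, in the layout text2pcap
# expects. Each line is offset, hex bytes, then an ASCII column to be ignored.
SAMPLE_DUMP = """\
0000 00 a0 a5 81 7d b1 00 23 9c 13 53 82 08 00 45 00 ....m..#..T...E.
0010 00 40 00 00 40 00 3e 11 ba f2 ac 1d 99 34 ac 1e .@..@.>......3..
0020 92 4b 0b f8 cd 6a 00 2c 18 a3 03 b9 00 24 2c ef .J...j.,.....$,.
0030 7f 2e c0 ff f3 f8 b4 1c df 1d 8e 01 3d f4 12 10 ............=...
0040 52 65 71 75 65 73 74 20 44 65 6e 69 65 64       Request.Denied
"""

# An offset is a hex number of three or more digits at the start of the line.
OFFSET_RE = re.compile(r"^\s*([0-9a-fA-F]{3,}):?\s+(.*)$")
HEX_BYTE_RE = re.compile(r"^[0-9a-fA-F]{2}$")

PCAP_MAGIC = 0xA1B2C3D4  # microsecond-resolution pcap, written little-endian
LINKTYPE_ETHERNET = 1


def _rows(text):
    """Return (offset, tokens) for each line that starts with an offset.

    Lines without a leading offset (comments, blank lines) are skipped."""
    rows = []
    for line in text.splitlines():
        m = OFFSET_RE.match(line)
        if m:
            rows.append((int(m.group(1), 16), m.group(2).split()))
    return rows


def parse_hexdump(text):
    """Parse one or more hex dumps into a list of packet byte strings.

    An offset of zero starts a new packet. For every line except the last of a
    packet the byte count is fixed by the next line's offset, so a hex-looking
    word in the ASCII column cannot be mistaken for data; on the last line we
    take consecutive two-digit hex tokens up to the first non-hex token."""
    rows = _rows(text)
    packets, current = [], bytearray()
    for i, (offset, tokens) in enumerate(rows):
        if offset == 0 and current:
            packets.append(bytes(current))
            current = bytearray()
        if offset != len(current):
            raise ValueError(f"offset {offset:#x} but {len(current)} bytes read so far")
        next_offset = rows[i + 1][0] if i + 1 < len(rows) else 0
        if next_offset > offset:
            want = next_offset - offset
            hexes = tokens[:want]
            if len(hexes) != want or not all(HEX_BYTE_RE.match(t) for t in hexes):
                raise ValueError(f"expected {want} hex bytes at offset {offset:#x}")
        else:
            hexes = []
            for t in tokens:
                if not HEX_BYTE_RE.match(t):
                    break
                hexes.append(t)
        current.extend(int(t, 16) for t in hexes)
    if current:
        packets.append(bytes(current))
    return packets


def add_dummy_ethernet(payload, ethertype=0x0800):
    """Prepend a 14-byte Ethernet header with zero MACs (assumed helper) for
    dumps that start at layer 3, so Wireshark dissects them correctly."""
    return b"\x00" * 12 + struct.pack("!H", ethertype) + payload


def build_pcap(packets, linktype=LINKTYPE_ETHERNET, ts=None):
    """Return the bytes of a classic pcap file containing the given packets.

    Timestamps are synthetic: the first packet gets `ts` (default: now) and
    each following packet is one second later."""
    ts = time.time() if ts is None else ts
    # Global header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype.
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype))
    for n, pkt in enumerate(packets):
        sec, usec = divmod(int((ts + n) * 1_000_000), 1_000_000)
        # Record header: ts_sec, ts_usec, captured length, original length.
        out += struct.pack("<IIII", sec, usec, len(pkt), len(pkt))
        out += pkt
    return bytes(out)


if __name__ == "__main__":
    pkts = parse_hexdump(SAMPLE_DUMP)
    with open("radius.pcap", "wb") as fh:
        fh.write(build_pcap(pkts))
    print(f"wrote {len(pkts)} packet(s), {sum(map(len, pkts))} bytes")
```

Running the script writes radius.pcap next to it; the parsed packet is 78 bytes, matching the "Wrote packet of 78 bytes" line in the text2pcap output above, and the IP total length field (0x0040 = 64) equals 78 minus the 14-byte Ethernet header, which is a quick sanity check that no ASCII-column token was swallowed as data.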
The following link offers more information about text2pcap: https://www.wireshark.org/docs/man-pages/text2pcap.html. There are also some online tools that can be used to inspect packet dumps quickly. One of them is http://sadjad.me/phd/.