text2pcap

ADVANCED TOPICS
ANALYZE PCAP
OBTAIN PCAP
GET STARTED
Edit Pcap

Convert hexdumps to packet captures
5 min |  Ross Jacobs |  March 3, 2019

Table of Contents

Quicklinks: manpage | Wireshark Docs | code


Quick Tips

When in doubt, use text2pcap’s -dd option and analysis of the preamble and of every byte will be provided.

Examples

Example 1: Create packets from scratch with text2pcap dummy headers

Let’s create two messages to put into two packets: I am a 27 byte TCP payload! and I am a longer 34 byte TCP payload!. For this to be valid text2pcap input, it needs to be converted to space-delimited hex that looks like this:

$ printf "I am a 27 byte TCP payload!" | xxd -g 1
00000000: 49 20 61 6d 20 61 20 32 37 20 62 79 74 65 20 54  I am a 27 byte T
00000010: 43 50 20 70 61 79 6c 6f 61 64 21                 CP payload!

xxd -g 1, hexdump -C, and od -Ax -tx1 -v produce valid this kind of input. There are two are other variables besides packet bytes that we can add: Packet direction and timestamp. Direction is specified at the beginning of a packet by I (input) or O (output). Timestamp is specified by strftime. While later on, we could specify any timestamp type (like %s for unixtime in seconds).

# -g adds a space every 1 byte, which text2pcap requires
$ printf "I2019-01-01 00:00:00\n" > payload.txt
$ printf "I am a 27 byte TCP payload!" | xxd -g 1 >> payload.txt
$ printf "O2019-01-02 10:17:36\n" >> payload.txt
$ printf "I am a longer 34 byte TCP payload!" | xxd -g 1 >> payload.txt
$ cat payload.txt
I2019-01-01 00:00:00.000000
00000000: 49 20 61 6d 20 61 20 32 37 20 62 79 74 65 20 54  I am a 27 byte T
00000010: 43 50 20 70 61 79 6c 6f 61 64 21                 CP payload!
O2019-01-01 00:02:03.456789
00000000: 49 20 61 6d 20 61 20 6c 6f 6e 67 65 72 20 33 34  I am a longer 34
00000010: 20 62 79 74 65 20 54 43 50 20 70 61 79 6c 6f 61   byte TCP payloa
00000020: 64 21

We can then take this and add specify dummy data. -4 is for IP addresses, -T for TCP ports. %F and %T are from the date command. %F => YYYY-MM-DD, %T => HH:MM:SS Note the ‘.’ after %T. This tells text2pcap to read fractional seconds.

$ text2pcap -4 10.0.0.1,9.9.9.9 -T 12345,80 -t "%F %T." payload.txt hello.pcap
Input from: hello.txt
Output to: hello.pcap
Output format: pcap
Generate dummy Ethernet header: Protocol: 0x800
Generate dummy IP header: Protocol: 6
Generate dummy TCP header: Source port: 12345. Dest port: 80
Wrote packet of 66 bytes.
Read 1 potential packet, wrote 1 packet (106 bytes).

We can then double check that it wrote correctly: While this could be a one liner, it’s extended into a for loop so that each line of output is on its own line

tshark -r hello.pcap
    1 0.000000000     10.0.0.1 → 9.9.9.9      TCP 81 1234580 [ACK] Seq=1 Ack=1 Win=8192 Len=27 [TCP segment of a reassembled PDU]
    2 123.456789000      9.9.9.9 → 10.0.0.1     TCP 88 8012345 [ACK] Seq=1 Ack=28 Win=8192 Len=34 [TCP segment of a reassembled PDU]
$ for i in $(tshark -r hello.pcap -T fields -e tcp.payload); do
>   printf $i | xxd -r -p
>   printf "\n"
> done
I am a 27 byte TCP payload!
I am a longer 34 byte TCP payload!

Example 2: Using -o with a base 10 offset

The packets of the Example 1 with base10 offset looks like this:

I2019-01-01 00:00:00.000000
00000000: 49 20 61 6d 20 61 20 32 37 20 62 79 74 65 20 54  I am a 27 byte T
00000016: 43 50 20 70 61 79 6c 6f 61 64 21                 CP payload!
O2019-01-01 00:02:03.456789
00000000: 49 20 61 6d 20 61 20 6c 6f 6e 67 65 72 20 33 34  I am a longer 34
00000016: 20 62 79 74 65 20 54 43 50 20 70 61 79 6c 6f 61   byte TCP payloa
00000032: 64 21

Add -o dec to the text2pcap command and the output pcap will be the same.

In this example, we’ll be changing the radix with -o to see what that looks like.

Example 3: Use text2pcap to read in any data type

Wireshark has a good article on creating a user-defined DLT for an HTTP response. Related question.

Resources

Similar Articles

There are a couple articles out there that describe how to use text2pcap. It is worth mentioning that text2pcap is very picky about the input formatting, so you should try to format your hexdump using linuxfu to match expected input. The Huawai article below has a list of required formatting.

Date Article Author
2018-04-30 Hexdump -> pcap guide Huawei
2012-07-24 Create pcap from Juniper hexdump Juniper
2009-06-02 Deciphering packets challenge Chris Christianson

Similar Tools

  • packet dump decode: C++/Qt4 utility to decode hexdumps. Note that it was last updated 10 years ago and Qt4 is somewhat deprecated.