Convert terminal packet captures with Wireshark or text2pcap

Publication Date: 2018-04-30
Issue Description
Scenario: When troubleshooting packet forwarding, a packet capture performed on the terminal outputs the packet data as hex dumps, which are not easily readable.
Requirement: Convert the hex data into pcap files readable by Wireshark in order to analyze the packets.
Solution

Wireshark has the ability to import packet data from hex dumps.

There is also a command-line tool, text2pcap, included with the Wireshark installation, located at C:\Program Files\Wireshark\text2pcap.exe

However, in order to successfully import the captured packets, the hex dump data must be formatted according to the following specifications:

- each line begins with an offset describing the position in the packet

- each new packet starts with an offset of 0 and there is a space separating the offset from the following bytes

- the offset is a hex number (can also be octal or decimal), of more than two hex digits

- there is no limit on the width or number of bytes per line

- byte and hex numbers can be uppercase or lowercase

- any text before the offset is ignored

- any lines of text between the bytestring lines are ignored

- the offsets are used to track the bytes, so offsets must be correct

- any line which has only bytes without a leading offset is ignored

- an offset is recognized as being a hex number longer than two characters

- any text after the bytes is ignored

- an offset of zero is indicative of starting a new packet



Example:

1. Terminal Hex Dump

[AR169FGVW-L]capture-packet interface GigabitEthernet 0/0/0 destination terminal packet-len total-packet packet-num 5
Warning: Get packets will be showed on terminal.
[AR169FGVW-L]
  Packet: 1
  -------------------------------------------------------
  01 00 5e 00 00 05 20 3d b2 02 4d 68 81 00 00 05
  08 00 45 c0 00 50 a3 41 00 00 01 59 6f a1 c0 a8
  05 05 e0 00 00 05 02 01 00 3c c0 a8 05 05 00 00
  00 00 93 c0 00 00 00 00 00 00 00 00 00 00 ff ff
  ff 00 00 0a 02 01 00 00 00 28 c0 a8 05 32 c0 a8
  05 0b c0 a8 05 09 c0 a8 05 0b c0 a8 05 32 c0 a8
  05 a9
  -------------------------------------------------------

  Packet: 2
  -------------------------------------------------------
  01 00 5e 00 00 05 2c 9d 1e cf f3 ba 81 00 c0 05
  08 00 45 c0 00 50 89 72 00 00 01 59 89 6c c0 a8
  05 09 e0 00 00 05 02 01 00 3c c0 a8 05 09 00 00
  00 00 93 c0 00 00 00 00 00 00 00 00 00 00 ff ff
  ff 00 00 0a 02 01 00 00 00 28 c0 a8 05 32 c0 a8
  05 0b c0 a8 05 05 c0 a8 05 0b c0 a8 05 32 c0 a8
  05 a9
  -------------------------------------------------------


2. Prepare dump for import by adding offsets and cleaning text

000000  01 00 5e 00 00 05 20 3d b2 02 4d 68 81 00 00 05
000010  08 00 45 c0 00 50 a3 41 00 00 01 59 6f a1 c0 a8
000020  05 05 e0 00 00 05 02 01 00 3c c0 a8 05 05 00 00
000030  00 00 93 c0 00 00 00 00 00 00 00 00 00 00 ff ff
000040  ff 00 00 0a 02 01 00 00 00 28 c0 a8 05 32 c0 a8
000050  05 0b c0 a8 05 09 c0 a8 05 0b c0 a8 05 32 c0 a8
000060  05 a9

000000  01 00 5e 00 00 05 2c 9d 1e cf f3 ba 81 00 c0 05
000010  08 00 45 c0 00 50 89 72 00 00 01 59 89 6c c0 a8
000020  05 09 e0 00 00 05 02 01 00 3c c0 a8 05 09 00 00
000030  00 00 93 c0 00 00 00 00 00 00 00 00 00 00 ff ff
000040  ff 00 00 0a 02 01 00 00 00 28 c0 a8 05 32 c0 a8
000050  05 0b c0 a8 05 05 c0 a8 05 0b c0 a8 05 32 c0 a8
000060  05 a9
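
Step 2 can be scripted instead of edited by hand. The following is an added example, not part of the original article or any vendor tool: it assumes each packet is introduced by a "Packet: N" header as in the output above, the function names are hypothetical, and the sample is a shortened, constructed capture in the same format.

```python
import re

# A capture line holds nothing but whitespace-separated two-digit hex bytes.
BYTE_LINE = re.compile(r"^\s*((?:[0-9A-Fa-f]{2}\s+)*[0-9A-Fa-f]{2})\s*$")
# Assumed packet delimiter, taken from the "Packet: N" headers in the terminal output.
PACKET_HDR = re.compile(r"^\s*Packet:\s*\d+\s*$")

# Constructed sample: shortened packets in the terminal's output format.
SAMPLE = """\
Warning: Get packets will be showed on terminal.
  Packet: 1
  -------------------------------------------------------
  01 00 5e 00 00 05 20 3d b2 02 4d 68 81 00 00 05
  08 00
  -------------------------------------------------------
  Packet: 2
  -------------------------------------------------------
  01 00 5E 00 00 05 2c 9d 1e cf f3 ba 81 00 c0 05
  08 00 45
  -------------------------------------------------------
"""

def parse_packets(dump):
    """Return one bytes object per 'Packet: N' section; other text is skipped."""
    packets, current = [], None
    for line in dump.splitlines():
        if PACKET_HDR.match(line):
            if current:
                packets.append(bytes(current))
            current = bytearray()
            continue
        m = BYTE_LINE.match(line)
        if m and current is not None:  # ignore byte-like lines before the first header
            current.extend(bytes.fromhex(m.group(1)))
    if current:
        packets.append(bytes(current))
    return packets

def to_text2pcap(packets, width=16):
    """Emit offset-prefixed hex lines; every packet restarts at offset 000000."""
    out = []
    for pkt in packets:
        for off in range(0, len(pkt), width):
            chunk = " ".join("%02x" % b for b in pkt[off:off + width])
            out.append("%06x  %s" % (off, chunk))
        out.append("")  # blank separator line, ignored on import
    return "\n".join(out)

if __name__ == "__main__":
    print(to_text2pcap(parse_packets(SAMPLE)))
```

Save the output to a text file and convert it with `text2pcap input.txt output.pcap`, or load it through Wireshark's hex dump import.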



3. Resulting import


END