There may be some occasions when you wish to convert a hex dump of some network traffic into a libpcap file.
Text2pcap is a program that reads in an ASCII hex dump and writes the data described into a libpcap-style capture file. text2pcap can read hexdumps with multiple packets in them, and build a capture file of multiple packets. text2pcap is also capable of generating dummy Ethernet, IP and UDP headers, in order to build fully processable packet dumps from hexdumps of application-level data only.
Text2pcap understands a hexdump of the form generated by od -A x -t x1. In other words, each byte is individually displayed and surrounded with a space. Each line begins with an offset describing the position in the file. The offset is a hex number (can also be octal - see -o), of more than two hex digits. Here is a sample dump that text2pcap can recognize:
000000 00 e0 1e a7 05 6f 00 10 ........ 000008 5a a0 b9 12 08 00 46 00 ........ 000010 03 68 00 00 00 00 0a 2e ........ 000018 ee 33 0f 19 08 7f 0f 19 ........ 000020 03 80 94 04 00 00 10 01 ........ 000028 16 a2 0a 00 03 50 00 0c ........ 000030 01 01 0f 19 03 80 11 01 ........
There is no limit on the width or number of bytes per line. Also the text dump at the end of the line is ignored. Bytes/hex numbers can be uppercase or lowercase. Any text before the offset is ignored, including email forwarding characters '>'. Any lines of text between the bytestring lines is ignored. The offsets are used to track the bytes, so offsets must be correct. Any line which has only bytes without a leading offset is ignored. An offset is recognized as being a hex number longer than two characters. Any text after the bytes is ignored (e.g. the character dump). Any hex numbers in this text are also ignored. An offset of zero is indicative of starting a new packet, so a single text file with a series of hexdumps can be converted into a packet capture with multiple packets. Multiple packets are read in with timestamps differing by one second each. In general, short of these restrictions, text2pcap is pretty liberal about reading in hexdumps and has been tested with a variety of mangled outputs (including being forwarded through email multiple times, with limited line wrap etc.)
There are a couple of other special features to note. Any line where the first non-whitespace character is '#' will be ignored as a comment. Any line beginning with #TEXT2PCAP is a directive and options can be inserted after this command to be processed by text2pcap. Currently there are no directives implemented; in the future, these may be used to give more fine grained control on the dump and the way it should be processed e.g. timestamps, encapsulation type etc.
Text2pcap also allows the user to read in dumps of application-level data, by inserting dummy L2, L3 and L4 headers before each packet. Possibilities include inserting headers such as Ethernet, Ethernet + IP, Ethernet + IP + UDP, or Ethernet + Ip + TCP before each packet. This allows Wireshark or any other full-packet decoder to handle these dumps.
Example D.10. Help information available from text2pcap
Text2pcap 1.10.0 (SVN Rev 48974 from /trunk-1.10) Generate a capture file from an ASCII hexdump of packets. See http://www.wireshark.org for more information. Usage: text2pcap [options] <infile> <outfile> where <infile> specifies input filename (use - for standard input) <outfile> specifies output filename (use - for standard output) Input: -o hex|oct|dec parse offsets as (h)ex, (o)ctal or (d)ecimal; default is hex. -t <timefmt> treat the text before the packet as a date/time code; the specified argument is a format string of the sort supported by strptime. Example: The time "10:15:14.5476" has the format code "%H:%M:%S." NOTE: The subsecond component delimiter, '.', must be given, but no pattern is required; the remaining number is assumed to be fractions of a second. NOTE: Date/time fields from the current date/time are used as the default for unspecified fields. -D the text before the packet starts with an I or an O, indicating that the packet is inbound or outbound. This is only stored if the output format is PCAP-NG. -a enable ASCII text dump identification. The start of the ASCII text dump can be identified and excluded from the packet data, even if it looks like a HEX dump. NOTE: Do not enable it if the input file does not contain the ASCII text dump. Output: -l <typenum> link-layer type number; default is 1 (Ethernet). See http://www.tcpdump.org/linktypes.html for a list of numbers. Use this option if your dump is a complete hex dump of an encapsulated packet and you wish to specify the exact type of encapsulation. Example: -l 7 for ARCNet packets. -m <max-packet> max packet length in output; default is 65535 Prepend dummy header: -e <l3pid> prepend dummy Ethernet II header with specified L3PID (in HEX). Example: -e 0x806 to specify an ARP packet. -i <proto> prepend dummy IP header with specified IP protocol (in DECIMAL). Automatically prepends Ethernet header as well. Example: -i 46 -u <srcp>,<destp> prepend dummy UDP header with specified source and destination ports (in DECIMAL). Automatically prepends Ethernet & IP headers as well. Example: -u 1000,69 to make the packets look like TFTP/UDP packets. -T <srcp>,<destp> prepend dummy TCP header with specified source and destination ports (in DECIMAL). Automatically prepends Ethernet & IP headers as well. Example: -T 50,60 -s <srcp>,<dstp>,<tag> prepend dummy SCTP header with specified source/dest ports and verification tag (in DECIMAL). Automatically prepends Ethernet & IP headers as well. Example: -s 30,40,34 -S <srcp>,<dstp>,<ppi> prepend dummy SCTP header with specified source/dest ports and verification tag 0. Automatically prepends a dummy SCTP DATA chunk header with payload protocol identifier ppi. Example: -S 30,40,34 Miscellaneous: -h display this help and exit. -d show detailed debug of parser states. -q generate no output at all (automatically disables -d). -n use PCAP-NG instead of PCAP as output format.