Ask Your Question
0

how can i read the raw packet data from my /dev/nvme0n1p with wireshark

asked 2019-07-16 08:55:25 +0000

rkprabhatk gravatar image

I have raw packet packet which has been stored in device of my linux sytem. Below is 1 of my packet content- ff ff ff ff ff ff 00 00 00 00 00 02 81 00 ab ab ab ab ab ab ab ab ab ab like that i have n no of packet which has been stored in my /dev/nvme0n1p.

problem which i am facing now is when i convert this raw data from device with below command- od -Ax -tx1 -v /dev/nvme0n1p1 [file_name]

and when i import this data with wireshark , wireshark doesn't understand where does my packet end. so i see ónly one packet with large no of byte in data.

any idea how can i read all my packets with wireshark ?

edit retag flag offensive close merge delete

Comments

  1. By "stored in device" do you mean that there's a file system on that device, or just raw data?

  2. Is there one packet or are there multiple packets?

  3. Is it just raw packet data or are there any headers, such as pcap packet headers, giving information such as the packet length and packet time stamps?

Guy Harris gravatar imageGuy Harris ( 2019-07-16 22:39:50 +0000 )edit

Please find below ans to your question->

  1. By "stored in device" do you mean that there's a file system on that device, or just raw data? -> I have not created the file inside the device , I am just dumping my packet raw data into the device.

  2. Is there one packet or are there multiple packets? -> there are multiple packets.

  3. Is it just raw packet data or are there any headers, such as pcap packet headers, giving information such as the packet length and packet time stamps?-> Now this is important point. I have tried both way.. By including packet header along with packet data and also by storing only packet data. But did not help.

when i include packet header, wireshark thought my pcap header as my starting of my packet data and think first byte as a destination mac address.

problem which i am suspecting ...(more)

rkprabhatk gravatar imagerkprabhatk ( 2019-07-17 07:17:42 +0000 )edit
add a comment

2 Answers

Sort by » oldest newest most voted
0

answered 2019-07-19 10:12:12 +0000

SYN-bit gravatar image

In order for Wireshark to be able to read your packets, they need to be stored in one of the file formats Wireshark understands. The oldest and simplest format Wireshark can read is the pcap format, as outlined on https://wiki.wireshark.org/Development/LibpcapFileFormat.

Simply put, you need to have the following elements:

  1. A pcap file header
  2. Per packet:
    1. A pcap packet header
    2. The raw packet data

You can also use the newer and more versatile pcapng format as described on https://github.com/pcapng/pcapng

edit flag offensive delete link more

Comments

Thanks for your ans here. But This is not what exactly i am looking for, I tried the way you are telling me it did not help here.

Important point which we have to understand here is -> I am dumping my data directly to device (/dev/dev/nvme0n1p block device) not as a normal file like (.pcap).

So even if i dump my data including the pcap format But when i read back from device to one file(like .pcap) ,it will be having device index no and that's where data will be disturbed. Basically i need to read the same data which i dumped into the device. I hope you understood my point.

Thanks and have a good day.

rkprabhatk gravatar imagerkprabhatk ( 2019-07-19 10:30:06 +0000 )edit

OK, good that you are aware of the need for a file header and a packet header per packet. I have no experience with reading from a device and so I do not know about device indices being added in the read output. If this is always the case with your device, you can't just read from the device, you will have to write some software to read from the device, strip the inserted indices (restoring the pcap format) and then pass the data to Wireshark or Tshark

SYN-bit gravatar imageSYN-bit ( 2019-07-19 15:02:48 +0000 )edit
add a comment
0

answered 2019-07-16 13:53:39 +0000

Jaap gravatar image

If you read the text2pcap manual carefully it says: "An offset of zero is indicative of starting a new packet, so a single text file with a series of hexdumps can be converted into a packet capture with multiple packets."

edit flag offensive delete link more

Comments

Yes you are perfectly right according to text2pcap manual. But if you read carefully my question ,the situation here is not exactly same.

Let me clarify my question again- I am storing the raw packet directly to Linux based system device like /dev/nvme0n1p1. every device has index no of storing the data and since i have large no of packets , It will keep on storing the data and increment index according to byte per length.

Now the problem comes after first packet , new packet data will be stored with increment index not with index zero. which is real problem here while importing hex data into wireshark.

rkprabhatk gravatar imagerkprabhatk ( 2019-07-17 07:35:25 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2019-07-16 08:55:25 +0000

Seen: 4,351 times

Last updated: Jul 19 '19

Related questions

Wireshark 2.4.1 GTK Crash on long run

Why redirection of VoIP calls to voicemail fails?

Capture incoming packets from remote web server

How do I get and display packet data information at a specific byte from the first byte?

Client is waiting for FIN flag from server for 30 sec

wifi disconnects as wireshark starts

How do I add "child item" to an item in the subtree?

What is the syntax for wireshark custom column

Getting error MSB4018 when trying to build wireshark sources

Monitoring UDP data on wireshark shows ARP packet