Ask Your Question
0

How to convert TcpDump output to Pcap

asked 2019-09-20 19:13:08 +0000

Zahra gravatar image

updated 2019-09-23 20:06:53 +0000

Previously, I have converted some TcpDump output as text to Pcap file with your help. Now I need to convert another TcpDump output to a Pcap file, but with the limited information. In this case I have only the headers, is it possible to do so?

Following is the example of what I have as a captured traffic. (I have just mask mac and IP addresses because of privacy.)

tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
1509471560.944080 MAC1 > MAC2, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 23237, offset 0, flags [DF], proto TCP (6), length 60)
    ip1.port1 > ip2.port2: Flags [S], cksum 0x6d2f (incorrect -> 0x0b4a), seq 1127096708, win 65535, options [mss 1460,sackOK,TS val 817985 ecr 0,nop,wscale 6], length 0
1509471561.042855 MAC2 > MAC1, ethertype IPv4 (0x0800), length 58: (tos 0x0, ttl 64, id 3107, offset 0, flags [none], proto TCP (6), length 44)
    ip2.port2 > ip1.port1: Flags [S.], cksum 0x85d8 (correct), seq 449984001, ack 1127096709, win 65535, options [mss 1460], length 0
1509471561.044008 MAC1 > MAC2, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 64, id 23238, offset 0, flags [DF], proto TCP (6), length 40)
    ip1.port1 > ip2.port2: Flags [.], cksum 0x6d1b (incorrect -> 0x9d95), seq 1, ack 1, win 65535, length 0
1509471561.046607 MAC1 > MAC2, ethertype IPv4 (0x0800), length 191: (tos 0x0, ttl 64, id 23239, offset 0, flags [DF], proto TCP (6), length 177)
    ip1.port1 > ip2.port2: Flags [P.], cksum 0x6da4 (incorrect -> 0x98df), seq 1:138, ack 1, win 65535, length 137

Edit 1:

I have written following python script and try to generate a pcap file from my text file usinf Scapy package.

from scapy.all import *
import secrets

def generatePcapfromText(inputtxt,output):
    with open (inputtxt,encoding='cp850') as input:
        framenum=0
        for line in input:
            if "ARP" in line:
                continue
            if line[0].isdigit(): # line one
                framenum += 1
                frametime=line[:16]
                srcmac= line[18:34]
                dstmac= line[38:54]
               # ethertype = hex(int(line[line.find('(')+1:line.find(')')], 16))
                frameLen=int(line[line.find('length')+7:line.find(': (')])
                frameTos=line[line.find('tos')+4:line.find(', ttl')]
                frameTtl=int(line[line.find('ttl')+4:line.find(', id')])
                frameId=int(line[line.find('id')+3:line.find(', offset')])
                frameOffset=line[line.find('offset')+7:line.find(', flags')]
                frameFlags=line[line.find('[')+1:line.find(']')]
                protocol = line[line.find('proto')+6:line.rfind('(')-1]
                ipLen = int(line[line.rfind('length')+6:line.rfind(')')])

                ether = Ether(dst=dstmac, src=srcmac, type=0x0800)

            elif len(line)>5:
                if line[5].isdigit(): # line two
                    srcinfo = line[4:line.find ( '>' )]
                    dstinfo = line[line.find ( '>' ) + 1:line.find ( ':' )]
                    ipsrc = srcinfo[:srcinfo.rfind ( '.' )]
                    ipdst = dstinfo[:dstinfo.rfind ( '.' )]
                    srcport = int(srcinfo[srcinfo.rfind ( '.' ) + 1:])
                    dstport = int(dstinfo[dstinfo.rfind ( '.' ) + 1:])

              ***      ip = ether/IP(src=ipsrc, dst=ipdst, len=frameLen, tos=frameTos, ttl=frameTtl,
                                 id=frameId, flags=frameFlags, proto=protocol.lower())

                    if protocol == "TCP":
                        frameFlag = line[line ...
(more)
edit retag flag offensive close merge delete

Comments

Are you the one running tcpdump? If so you can use -w <filename> to write to a PCAP file directly.

Spooky gravatar imageSpooky ( 2019-09-20 23:33:14 +0000 )edit

And I might save you some pain by suggesting you use -s 0 (snaplen) so you capture the whole packet.

Spooky gravatar imageSpooky ( 2019-09-21 01:08:28 +0000 )edit

@Spooky They are some traffic captured in past, and I wana to have some pcap for them.

Zahra gravatar imageZahra ( 2019-09-21 11:41:49 +0000 )edit
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2019-09-20 23:57:30 +0000

Ross Jacobs gravatar image

As in your previous linked post, you will need to write a short script to convert this to a packet capture. Like as not, you will need to fudge some values that are not listed in the text summary so that the Wireshark family can read it.

It's spooky how right Spooky is. You will save time if you set up your capture correctly in the first place. This is obviously not applicable to existing captures.

edit flag offensive delete link more

Comments

Unfortunately, I found out about the problem with captured file, when it was too late. Now, I want to generate a pcap file for the traffic I have captured with wrong setting. It is not important that the generated pcap file has some dummy value as a payload in my case, I just want that the packet size, timing, and header to be correct. I would appropriate it, if you give me some hint to do so.

Zahra gravatar imageZahra ( 2019-09-21 11:50:40 +0000 )edit

I already have. You need to write your own script to do so. You might find this pacp deconstruction helpful: http://www.kroosec.com/2012/10/a-look...

Ross Jacobs gravatar imageRoss Jacobs ( 2019-09-21 18:46:50 +0000 )edit

Thanks, I'll come back to you when I have written the script.

Zahra gravatar imageZahra ( 2019-09-22 06:52:56 +0000 )edit

I have updated my question with the code I have written, can you help me with that?

Zahra gravatar imageZahra ( 2019-09-23 20:08:11 +0000 )edit

Good work writing the script! Please make another post with this script (It looks like you're getting a scapy error). As this is now a programming question (and out of the scope of Wireshark), you will will want to post this on Stack Overflow. I would link to this post in your question and tag it with wireshark and scapy.

Ross Jacobs gravatar imageRoss Jacobs ( 2019-09-24 19:02:13 +0000 )edit
see more comments

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2019-09-20 19:13:08 +0000

Seen: 2,288 times

Last updated: Sep 23 '19

Related questions

How to use rawshark to analyse a pcap file which is generated by tcpdump?

How to capture traffic of the device (router) I am connected with

Delay in GOOSE Subscription

How to capture USB packets please?

Capture incoming packets from remote web server

What is the syntax for wireshark custom column

Step by step SSL decrypt with wireshark

Tshark output file problem, saving to csv or txt

How to convert Pcapng file to pcap file by Tshark

Can I create a capture filter on a pcap file