Help needed converting text file from FortiGate to pcap

asked 2019-10-26 09:59:45 +0000 by aLi3nZ

updated 2019-10-26 19:32:15 +0000 by Guy Harris

I need some help with TXT to PCAP conversion. Prefer to be able to inspect 2 packet captures I have that are formatted per attached rather than recapture, but if it's not possible will have to recapture.

Have basically tried every script and exe available online for TXT to PCAP related to FortiGate or otherwise. I know some people made their own. Anybody have ideas on getting this showing in Wireshark properly?

Need to view time of packets, packet protocol etc. The basics; currently TXT to PCAP conversion works, but they all show Ethernet II as the protocol and are lacking information I need to inspect.

https://www.dropbox.com/s/ll0tq0c7951...


Comments

You mentioned fortigate. Is the fgt2eth.pl script not working?
https://kb.fortinet.com/kb/documentLi...
"Troubleshooting Tool: Using the FortiOS built-in packet sniffer"

Chuckc (2019-10-26 14:11:14 +0000)

Thank you so much everyone, I will try these solutions out tonight and report back.

aLi3nZ (2019-10-27 06:45:03 +0000)

I am facing this problem. Please tell me if anyone knows about this.

posentred (2019-10-29 12:13:52 +0000)

I am facing this problem. Please tell me if anyone knows about this.

If "this problem" is trying to read a pcap generated from a FortiGate packet text dump, read the answers given here.

Guy Harris (2019-10-29 19:24:11 +0000)

3 Answers


answered 2019-10-26 19:04:53 +0000 by SYN-bit

This script will convert your data to a format "Import hex dump" can understand:

awk '
  # hex dump lines: "0x0010 c0a8 010a ..." -> "0010 c0 a8 01 0a ..." (offset, then one byte per field);
  # the loop also copes with a final line of fewer than 16 bytes and stops at the ASCII column
  $1 ~ /^0x/ {printf("%s", substr($1, 3));
              for (i = 2; i <= NF && $i ~ /^[0-9a-fA-F][0-9a-fA-F]+$/; i++)
                  for (j = 1; j < length($i); j += 2) printf(" %s", substr($i, j, 2));
              print ""; next}
  # packet summary lines start with an epoch timestamp; print only the time of day (UTC) as HH:MM:SS
  $1 ~ /^[0-9]+\.[0-9]+$/ {printf("%02d:%02d:%02d\n", ($1%86400)/3600, ($1%3600)/60, $1%60); next}
  # everything else (interface and filter lines) is passed through unchanged
  {print}' albany.txt > for-hex-import.txt

Then within "import from hexdump", use the following settings:

  • offsets: hexadecimal
  • Timestamp format: %H:%M:%S
  • Encapsulation type: Ethernet
  • Use an Ethernet dummy header, with ethertype 0x800

Comments

Or set the encapsulation type to Raw IP or Raw IPv4, that doesn't require a fake Ethernet header.

Jaap (2019-10-26 19:42:37 +0000)

The instructions outlined by SYN-bit to convert to Hexdump using the script then import to wireshark worked flawlessly.

Thank you so much for your help

aLi3nZ (2019-10-28 22:26:05 +0000)

You should post your comment as a comment to SYN-bit's answer rather than an answer in its own right. Unfortunately the Ask software doesn't allow me to do that for you.

grahamb (2019-10-28 22:49:15 +0000)

Unfortunately the Ask software doesn't allow me to do that for you.

It does, but it's kind of like playing Tower of Hanoi - if you convert enough items between comments and answers and comments again, in the right order, you eventually end up with the right results; I just did that.

Guy Harris (2019-10-29 03:19:28 +0000)

The instructions outlined by SYN-bit to convert to Hexdump using the script then import to wireshark worked flawlessly.

Perfect!

Thank you so much for your help

You're very welcome :-)

SYN-bit (2019-10-29 06:58:13 +0000)

answered 2019-10-26 19:30:04 +0000 by Guy Harris

For whatever reason, whatever device wrote that file did not write out the Ethernet headers - the hex dumps start with the IP header. (If you see 0x45 in a packet hex dump, there's a good chance that it's the first byte of an IPv4 header.)

And, for whatever reason, it doesn't have an option to write out the pcap file with a link-layer header type other than Ethernet.

Fortunately, Wireshark comes with a program that can, among other things, read a capture file and write it out with a different link-layer header type, without changing the packet data, so you can fix an incorrect type; that's the editcap program.

If you run

editcap -T rawip -F pcap {output of fgt2eth.pl} {fixed file}

where "{output of fgt2eth.pl}" is the pathname of the file you wrote with fgt2eth.pl and "{fixed file}" is the pathname to which you want editcap to write the fixed file, and then read the fixed file, that should work. (I'm guessing from the "exe" in "Have basically tried every script and exe" that you're running on Windows; you will need to run editcap from a console window, and you may have to find out where editcap.exe is and run it with a full path.)


answered 2019-10-26 19:00:30 +0000 by SYN-bit

updated 2019-10-29 22:47:02 +0000

From the fortinet page

Also attached is the fgt2eth.pl script that will convert a verbose level 3 or 6 sniffer output, into a file readable and decodable by Ethereal/Wireshark.

Also:

Verbose levels in detail:
1: print header of packets
2: print header and data from IP of packets
3: print header and data from Ethernet of packets
4: print header of packets with interface name
5: print header and data from IP of packets with interface name
6: print header and data from Ethernet of packets with interface name

And looking at the text dump, I only see the data from the IP layer up and no interface names, so I suspect 'level 2' was used during capturing. If you change your capture level, you will be able to convert the traces with fgt2eth.pl.


Comments

You probably want to try level 3 or level 6, as that prints the header and data "from Ethernet", meaning that it presumably includes the Ethernet header, rather than printing "from IP", meaning it starts with the IP header and omits the Ethernet header.

Guy Harris (2019-10-29 19:24:57 +0000)
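The three answers above describe two paths to the same result: reformat the text dump for "Import from Hex Dump" (SYN-bit), or run fgt2eth.pl and then fix the link-layer type with editcap -T rawip because the level 2 dump starts at the IP header rather than at an Ethernet header (Guy Harris). The script below is an added example written for this page; it is not fgt2eth.pl and not code anyone in the thread posted. It parses the epoch timestamp and "0xNNNN" hex lines, checks the first bytes of each packet to decide whether the dump contains Ethernet headers (level 3/6) or starts at IP (level 2/5), writes a classic pcap with LINKTYPE_RAW (101) or LINKTYPE_ETHERNET (1) accordingly, and refuses a dump that mixes the two, since one pcap file carries a single link-layer type. The sample dump is constructed, and the exact line layout (tab before the ASCII column, offset continuity, IHL and total-length corroboration used by the detector) is an assumption about the format, not something the thread documents.

```python
"""Convert a FortiGate 'diagnose sniffer packet' text dump straight to a pcap file.
Added example for this thread, not fgt2eth.pl and not code anyone posted above; the
summary-line and hex-line layout (see the constructed SAMPLE_DUMP) is an assumption."""
import re
import struct

LINKTYPE_ETHERNET = 1   # pcap link-layer type: packets start with an Ethernet header (level 3/6)
LINKTYPE_RAW = 101      # pcap link-layer type: packets start with the IPv4/IPv6 header (level 2/5)
# EtherTypes the detector accepts, mapped to the IP version nibble expected right after the header
ETHERTYPES = {0x0800: 4, 0x86DD: 6, 0x0806: None, 0x8100: None}

_TS_RE = re.compile(r"^(\d+)\.(\d{1,6})(?:\s|$)")       # "1571119462.263543 10.0.0.1.53186 -> ..."
_HEX_RE = re.compile(r"^0x([0-9a-fA-F]{4})\s+(.*)$")     # "0x0010 c0a8 010a ... <tab> ascii"
_GROUP_RE = re.compile(r"^(?:[0-9a-fA-F]{2}){1,2}$")     # one 2- or 4-digit hex group

# Constructed sample: a TCP SYN and SYN/ACK as a verbose level 2 dump (no Ethernet header).
SAMPLE_DUMP = """\
interfaces=[any]
filters=[host 10.0.0.1]
1571119462.263543 10.0.0.1.53186 -> 192.168.1.10.80: syn 305419896
0x0000 4500 0028 1a2b 4000 4006 54f2 0a00 0001\tE..(.+@.@.T.....
0x0010 c0a8 010a cfc2 0050 1234 5678 0000 0000\t.......P.4Vx....
0x0020 5002 ffff 0000 0000\tP.......
1571119462.264101 192.168.1.10.80 -> 10.0.0.1.53186: syn 2882400001 ack 305419897
0x0000 4500 0028 0000 4000 3f06 701d c0a8 010a\tE..(..@.?.p.....
0x0010 0a00 0001 0050 cfc2 abcd ef01 1234 5679\t.....P.......4Vy
0x0020 5012 ffff 0000 0000\tP.......
2 packets received by filter
"""


def parse_sniffer_dump(text):
    """Return [(ts_sec, ts_usec, packet_bytes), ...] from FortiGate sniffer text output."""
    packets, cur = [], None
    for line in text.splitlines():
        ts = _TS_RE.match(line)
        if ts:                                    # a summary line starts a new packet
            if cur and cur[2]:
                packets.append((cur[0], cur[1], bytes(cur[2])))
            cur = [int(ts.group(1)), int(ts.group(2).ljust(6, "0")), bytearray()]
            continue
        hx = _HEX_RE.match(line)
        if hx and cur is not None:
            if int(hx.group(1), 16) != len(cur[2]):
                raise ValueError(f"hex dump offset 0x{hx.group(1)} does not continue the packet")
            # Drop the ASCII column at the tab; without a tab, stop at the first non-hex token
            # (a 16-character ASCII column can never look like a 2- or 4-digit group).
            for tok in hx.group(2).split("\t")[0].split():
                if not _GROUP_RE.match(tok):
                    break
                cur[2] += bytes.fromhex(tok)
    if cur and cur[2]:
        packets.append((cur[0], cur[1], bytes(cur[2])))
    return packets


def _linktype_of(pkt):
    """Classify one packet by its first bytes, strongest evidence first."""
    # IPv4 (version 4, IHL >= 5) whose total-length field equals the captured size: not a MAC address.
    if len(pkt) >= 20 and 0x45 <= pkt[0] <= 0x4F and struct.unpack("!H", pkt[2:4])[0] == len(pkt):
        return LINKTYPE_RAW
    # A known EtherType at offset 12, corroborated by the IP version nibble that follows it.
    if len(pkt) > 14:
        etype = struct.unpack("!H", pkt[12:14])[0]
        if etype in ETHERTYPES and ETHERTYPES[etype] in (None, pkt[14] >> 4):
            return LINKTYPE_ETHERNET
    if pkt and (0x45 <= pkt[0] <= 0x4F or pkt[0] >> 4 == 6):   # truncated IPv4, or IPv6
        return LINKTYPE_RAW
    raise ValueError("packet starts with neither an Ethernet nor an IP header")


def detect_linktype(packets):
    """Pick the pcap link-layer type; one pcap cannot mix raw-IP and Ethernet packets."""
    types = {_linktype_of(pkt) for _, _, pkt in packets}
    if len(types) != 1:
        raise ValueError(f"dump mixes link-layer types {sorted(types)}; capture at one verbose level")
    return types.pop()


def pcap_bytes(packets, linktype):
    """Serialise packets as a classic little-endian pcap (magic 0xa1b2c3d4, version 2.4)."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype))
    for sec, usec, pkt in packets:
        out += struct.pack("<IIII", sec, usec, len(pkt), len(pkt))  # ts_sec, ts_usec, incl_len, orig_len
        out += pkt
    return bytes(out)


def convert(src_path, dst_path):
    """Read a FortiGate text dump, write the pcap, and return the link-layer type used."""
    with open(src_path, encoding="utf-8", errors="replace") as f:
        packets = parse_sniffer_dump(f.read())
    if not packets:
        raise ValueError("no packets found; the dump needs verbose level 2, 3, 5 or 6")
    linktype = detect_linktype(packets)
    with open(dst_path, "wb") as f:
        f.write(pcap_bytes(packets, linktype))
    return linktype


if __name__ == "__main__":
    import sys
    print("wrote pcap with link-layer type", convert(sys.argv[1], sys.argv[2]))
```

Run it as `python3 fgt2pcap.py albany.txt albany.pcap` (the script and file names are assumed) and open the result in Wireshark; `capinfos albany.pcap` should report the encapsulation as Raw IP for a level 2 dump and Ethernet for a level 3/6 dump, so no dummy Ethernet header and no later editcap pass are needed. The detector prefers an IPv4 header whose total-length field matches the captured size over an EtherType guess, because the source-address bytes of a raw IPv4 packet sit exactly where an EtherType would be and can collide with 0x0800.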

Stats
Seen: 2,585 times

Last updated: Oct 29 '19