Ask Your Question
0

Decode a hexdump directly

asked 2018-10-29 23:45:06 +0000

a_ahmedin gravatar image

Hi is it possible to use tshark to decode a hexdump directly without the need of using text2cap first? Thanks

edit retag flag offensive close merge delete
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2018-10-30 13:15:46 +0000

Jaap gravatar image

Short answer is: no.

The full answer may be easier to explain if you look at the command line options for text2pcap or the 'Import from Hex Dump' dialog in Wireshark. The raw data in the text file is not enough to make a dissection possible. There needs to be some more metadata added to do that. One thing is the encapsulation type, but also details about the actual formatting of the text file. All in all, this would required rolling text2pcap into tshark, something which could be done for Wireshark as an additional user interface component, but not so easy for a part reading capture files (which is in fact a separate part, called wiretap) shared between Wireshark and Tshark (which therefore can read the same capture files formats, as stated in the manual page).

edit flag offensive delete link more
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

subscribe to rss feed

Stats

Asked: 2018-10-29 23:45:06 +0000

Seen: 1,401 times

Last updated: Oct 30 '18

Related questions

Deduplication in tshark -T ek [closed]

filtering out protocol, sequence number, and ack using tshark

Using tshark filters to extract only interesting traffic from 12GB trace

Any way to use cmd tshark for a gns3 wire?

authority RRs tshark

can I install only tshark?

How do I change the interface on Tshark?

Tshark TCP stream assembly

Tshark output file problem, saving to csv or txt

How to convert Pcapng file to pcap file by Tshark