Ask Your Question
0

Decode a hexdump directly

asked 2018-10-29 23:45:06 +0000

a_ahmedin gravatar image

Hi is it possible to use tshark to decode a hexdump directly without the need of using text2cap first? Thanks

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
0

answered 2018-10-30 13:15:46 +0000

Jaap gravatar image

Short answer is: no.

The full answer may be easier to explain if you look at the command line options for text2pcap or the 'Import from Hex Dump' dialog in Wireshark. The raw data in the text file is not enough to make a dissection possible. There needs to be some more metadata added to do that. One thing is the encapsulation type, but also details about the actual formatting of the text file. All in all, this would required rolling text2pcap into tshark, something which could be done for Wireshark as an additional user interface component, but not so easy for a part reading capture files (which is in fact a separate part, called wiretap) shared between Wireshark and Tshark (which therefore can read the same capture files formats, as stated in the manual page).

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

Stats

Asked: 2018-10-29 23:45:06 +0000

Seen: 1,286 times

Last updated: Oct 30 '18