Decode a hexdump directly
Hi is it possible to use tshark to decode a hexdump directly without the need of using text2cap first? Thanks
Short answer is: no.
The full answer may be easier to explain if you look at the command line options for text2pcap or the 'Import from Hex Dump' dialog in Wireshark. The raw data in the text file is not enough to make a dissection possible. There needs to be some more metadata added to do that. One thing is the encapsulation type, but also details about the actual formatting of the text file. All in all, this would required rolling text2pcap into tshark, something which could be done for Wireshark as an additional user interface component, but not so easy for a part reading capture files (which is in fact a separate part, called wiretap) shared between Wireshark and Tshark (which therefore can read the same capture files formats, as stated in the manual page).
Please start posting anonymously - your entry will be published after you log in or create a new account.
Asked: 2018-10-29 23:45:06 +0000
Seen: 1,286 times
Last updated: Oct 30 '18
Deduplication in tshark -T ek [closed]
filtering out protocol, sequence number, and ack using tshark
Using tshark filters to extract only interesting traffic from 12GB trace
Any way to use cmd tshark for a gns3 wire?
How do I change the interface on Tshark?