Merge Hex Dump files

asked 2019-03-29

Sjoholm

Import by Hex Dump.

It is possible in the hex dump file to set a UTC timestamp on all packets. Is it possible to merge the hex dump files with respect to this UTC timestamp? Or is it only possible to merge .pcap files?

Regards, Tobias Sjoholm

Is this using text2pcap to convert the hex to a pcap?

grahamb ( 2019-03-29 12:49:53 +0000 )

Thanks for mentioning the text2pcap tool.

I was wondering if it's possible to directly merge the hex dump files without going through the conversion to pcap.

Sjoholm ( 2019-03-29 13:41:46 +0000 )

I keep forgetting that essentially the functionality of text2pcap was added to Wireshark.

grahamb ( 2019-03-29 13:46:15 +0000 )

answered 2019-03-29

grahamb

updated 2019-03-29

The hex dump import, like text2pcap, can support a timestamp in front of each packet, using the format specified.

There seems to be a bug in Wireshark, in that if no individual packet timestamps are given, then there is no increment of the timestamp between packets, whereas text2pcap does do this. This now seems to be OK.

I'm not sure, but I think neither Wireshark nor text2pcap makes any adjustments from the time supplied to UTC; the time is copied verbatim, i.e. as the time in a pcapng file is UTC, the input time is regarded as UTC.

answered 2019-03-29

Sjoholm

I just noticed that Wireshark will convert my hex dump file into pcap as I import it (it auto run the text2pcap.exe in the background). Then I can just save the file as a .pcap file. And as a pcap file I can merge it!

Problem solved!

it auto run the text2pcap.exe in the background

Actually, it has its own copy of the text2pcap code, which has diverged from the text2pcap code a bit; that needs to be cleaned up.

Guy Harris ( 2019-03-29 22:11:18 +0000 )
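Merging the hex dump text directly by timestamp, as an added example that is not part of the original thread or of Wireshark's own code. It assumes each packet is preceded by a line holding its timestamp in the layout `%Y-%m-%d %H:%M:%S.%f`, that an offset of `000000` starts a packet, and that times are taken verbatim as UTC; `parse_dump`, `merge_dumps` and the sample captures are constructed for illustration.

```python
import heapq
import re
from datetime import datetime, timezone

TS_FORMAT = "%Y-%m-%d %H:%M:%S.%f"            # assumed timestamp layout
OFFSET_ROW = re.compile(r"^[0-9A-Fa-f]{3,}\s")  # hex dump row: offset, then bytes

# Constructed sample dumps (bytes are arbitrary), one timestamp line per packet.
CAPTURE_A = """2019-03-29 12:00:00.100000
000000 45 00 00 1c 00 01 00 00 40 01
2019-03-29 12:00:02.000000
000000 45 00 00 1c 00 03 00 00 40 01
"""
CAPTURE_B = """2019-03-29 12:00:01.250000
000000 45 00 00 1c 00 02 00 00 40 01
00000a f9 8d 0a 00 00 01
"""

def parse_dump(text):
    """Return [(utc_datetime, [hex rows])] for the text of one hex dump."""
    packets, stamp = [], None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if OFFSET_ROW.match(line + " "):
            if int(line.split()[0], 16) == 0:   # offset 0 starts a new packet
                if stamp is None:
                    raise ValueError("packet without a preceding timestamp")
                packets.append((stamp, [line]))
                stamp = None
            elif packets:
                packets[-1][1].append(line)     # continuation row
        else:                                   # anything else must be a timestamp
            stamp = datetime.strptime(line, TS_FORMAT).replace(tzinfo=timezone.utc)
    return packets

def merge_dumps(*texts):
    """Merge several dumps into one hex dump text ordered by timestamp."""
    streams = [sorted(parse_dump(t), key=lambda p: p[0]) for t in texts]
    out = []
    for stamp, rows in heapq.merge(*streams, key=lambda p: p[0]):
        out.append(stamp.strftime(TS_FORMAT))
        out.extend(rows)
        out.append("")                          # blank line between packets
    return "\n".join(out)

if __name__ == "__main__":
    print(merge_dumps(CAPTURE_A, CAPTURE_B))
```

The merged text keeps the layout of the inputs, so it can be imported with the same timestamp format that would have been used for each file on its own.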

