
protocol text file to pcap

0

Hi friends! I need to convert text to pcap, this is an example. Can you help me? Thanks! Julian

================================================================================

[No. ] 1 [TimeStamp ] 2012-06-13 11:49:03 [Msg Name ] <BYE [Module No ] 1407 [Remote Address] 172.26.2.65:9163 [Ticks ] 1561178745 [Hex Msg ] 42 59 45 20 73 69 70 3A 31 37 32 2E 32 36 2E 32 2E 36 35 3A …

BYE sip:172.26.2.65:9163;yop=00.00.B69D8639.0000.436A SIP/2.0
Via: SIP/2.0/UDP 172.26.1.164:5072;branch=z9hG4bK84ebbd18599de4fc4d25e1cd9;X-DispCookie=1000;X-DptMsg=1407
Route: <sip:172.26.2.65:9163;transport=udp;lr>
Call-ID: [email protected]
From: "33545314179"<sip:[email protected];transport=udp;user=phone>;tag=5e5fb6dc-CC-1000
To: "5114370684"<sip:[email protected];transport=udp;user=phone>;tag=sbc0503dg986A83Uc6ee_h0
CSeq: 2 BYE
Max-Forwards: 70
Reason: Q.850;cause=16;text="Normal call clearing"
Content-Length: 0

also I can obtain this other format

==========================================================================================
[No.           ] 1
[TimeStamp     ] 2012-06-13 11:49:03
[Msg Name      ] <BYE
[Module No     ] 1407
[Remote Address] 172.26.2.65:9163
[Ticks         ] 1561178745
[Hex Msg       ] 42 59 45 20 73 69 70 3A 31 37 32 2E 32 36 2E 32 2E 36 35 3A 39 31 36 33 3B 79 6F 70 3D 30 30 2E 30 30 2E 42 36 39 44 38 36 33 39 2E 30 30 30 30 2E 34 33 36 41 20 53 49 50 2F 32 2E 30 0A 56 69 61 3A 20 53 49 50 2F 32 2E 30 2F 55 44 50 20 31 37 32 2E 32 36 2E 31 2E 31 36 34 3A 35 30 37 32 3B 62 72 61 6E 63 68 3D 7A 39 68 47 34 62 4B 38 34 65 62 62 64 31 38 35 39 39 64 65 34 66 63 34 64 32 35 65 31 63 64 39 3B 58 2D 44 69 73 70 43 6F 6F 6B 69 65 3D 31 30 30 30 3B 58 2D 44 70 74 4D 73 67 3D 31 34 30 37 0A 52 6F 75 74 65 3A 20 3C 73 69 70 3A 31 37 32 2E 32 36 2E 32 2E 36 35 3A 39 31 36 33 3B 74 72 61 6E 73 70 6F 72 74 3D 75 64 70 3B 6C 72 3E 0A 43 61 6C 6C 2D 49 44 3A 20 64 39 38 30 31 62 61 34 65 33 62 37 35 63 31 62 37 39 36 39 61 33 34 31 66 35 65 31 30 32 30 66 40 31 30 2E 31 38 2E 35 2E 36 34 0A 46 72 6F 6D 3A 20 22 33 33 35 34 35 33 31 34 31 37 39 22 3C 73 69 70 3A 2B 33 33 35 34 35 33 31 34 31 37 39 40 31 37 32 2E 32 36 2E 31 2E 31 36 34 3B 74 72 61 6E 73 70 6F 72 74 3D 75 64 70 3B 75 73 65 72 3D 70 68 6F 6E 65 3E 3B 74 61 67 3D 35 65 35 66 62 36 64 63 2D 43 43 2D 31 30 30 30 0A 54 6F 3A 20 22 35 31 31 34 33 37 30 36 38 34 22 3C 73 69 70 3A 2B 35 31 31 34 33 37 30 36 38 34 40 31 37 32 2E 32 36 2E 32 2E 36 35 3B 74 72 61 6E 73 70 6F 72 74 3D 75 64 70 3B 75 73 65 72 3D 70 68 6F 6E 65 3E 3B 74 61 67 3D 73 62 63 30 35 30 33 64 67 39 38 36 41 38 33 55 63 36 65 65 5F 68 30 0A 43 53 65 71 3A 20 32 20 42 59 45 0A 4D 61 78 2D 46 6F 72 77 61 72 64 73 3A 20 37 30 0A 52 65 61 73 6F 6E 3A 20 51 2E 38 35 30 3B 63 61 75 73 65 3D 31 36 3B 74 65 78 74 3D 22 4E 6F 72 6D 61 6C 20 63 61 6C 6C 20 63 6C 65 61 72 69 6E 67 22 0A 43 6F 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 30 0A 0A

asked 13 Jun ‘12, 13:29


chochi
1113
accept rate: 0%


2 Answers:

2

You could write a script that takes the second output and formats it into something readable by text2pcap, and then use text2pcap to convert that to a libpcap format file.

answered 13 Jun '12, 22:12


Anders ♦
4.6k952
accept rate: 17%

The idea is to know if somebody knows how to do that :) I don't know how to do what you said, Anders. Thanks for your answer anyway.

(14 Jun '12, 21:34) chochi

1

just a few comments/thoughts:

  1. Why do you rely on a log file? Why don't you sniff the SIP traffic in the first place, if you need a pcap file?
  2. What do you expect to get if you convert the SIP log to pcap? You won't see more in Wireshark than in the log.
  3. As it's SIP, you might be interested in RTP traffic as well. I doubt that RTP traffic will be logged entirely, so that would be missing in the pcap file.

It would be possible to write a converter script to format your log into "something" that text2pcap can read. However, one would have to insert a lot of fake data (like ethernet frame, ip frame, tcp ports) that are not in your log.

The idea is to know if somebody knows how to do that

  • Try to understand the text2pcap format first. Look at the source code
  • Use any programming language you know
  • Read your log and build the data structure that's needed for text2pcap
  • Write the output

Regards
Kurt

answered 15 Jun '12, 01:32


Kurt Knochner ♦
24.8k1039237
accept rate: 15%

Hi Kurt! I use Wireshark almost every day with SIP traffic; I don't really need the RTP traffic, only the signalling. I work at an ISP, and sometimes we have to analyse only the errors on the network to know how the ASR goes. Unfortunately my company has new equipment (Huawei), and when you capture on the remote servers it only captures SIP signalling, which they export in a proprietary format or in these two text options. They made my work harder, because finding a complete call flow in all the SIP traces is a pain in the ass... Thanks anyway for your support!

(15 Jun '12, 06:44) chochi
1

they export in proprietary format or in this two text options...

I see. What is that proprietary format used for? Do they offer a protocol analyzer for it?

Please check Homer. It looks like it can talk to Huawei equipment and the capture agent on it. This is just a wild guess, as I don't know Homer personally!

http://www.sipcapture.org/

(15 Jun '12, 07:17) Kurt Knochner ♦