This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Is it possible to capture TCPDUMP logging and import into Wireshark?

0

Hello,

Is it possible to capture tcpdump data from the screen (not a file) and then import into Wireshark? For example, I want to run the following tcpdump command:

./tcpdump -vvvvv -i eth0

Then I want to be able to import this into Wireshark (Windows GUI version) for analysis.

Thanks in advance

asked 13 Aug '12, 13:51


gil_happy


4 Answers:

1

OK, I did some testing, you can use the following also. Dump the packet data with '-xx' (double x to get the link layer data too) like this:

$ tcpdump -nli en1 -xx -s0 -c 3 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en1, link-type EN10MB (Ethernet), capture size 65535 bytes
23:06:22.515580 IP 192.168.1.22 > 8.8.8.8: ICMP echo request, id 44623, seq 0, length 64
    0x0000:  0012 1ebb d132 f81e dfd8 8748 0800 4500
    0x0010:  0054 153e 0000 4001 939d c0a8 0116 0808
    0x0020:  0808 0800 72d6 ae4f 0000 502a bdce 0007
    0x0030:  ddd6 0809 0a0b 0c0d 0e0f 1011 1213 1415
    0x0040:  1617 1819 1a1b 1c1d 1e1f 2021 2223 2425
    0x0050:  2627 2829 2a2b 2c2d 2e2f 3031 3233 3435
    0x0060:  3637
23:06:22.538398 IP 8.8.8.8 > 192.168.1.22: ICMP echo reply, id 44623, seq 0, length 64
    0x0000:  f81e dfd8 8748 0012 1ebb d132 0800 4500
    0x0010:  0054 5a72 0000 3701 5769 0808 0808 c0a8
    0x0020:  0116 0000 7ad6 ae4f 0000 502a bdce 0007
    0x0030:  ddd6 0809 0a0b 0c0d 0e0f 1011 1213 1415
    0x0040:  1617 1819 1a1b 1c1d 1e1f 2021 2223 2425
    0x0050:  2627 2829 2a2b 2c2d 2e2f 3031 3233 3435
    0x0060:  3637
23:06:23.515979 IP 192.168.1.22 > 8.8.8.8: ICMP echo request, id 44623, seq 1, length 64
    0x0000:  0012 1ebb d132 f81e dfd8 8748 0800 4500
    0x0010:  0054 4543 0000 4001 6398 c0a8 0116 0808
    0x0020:  0808 0800 714b ae4f 0001 502a bdcf 0007
    0x0030:  df5f 0809 0a0b 0c0d 0e0f 1011 1213 1415
    0x0040:  1617 1819 1a1b 1c1d 1e1f 2021 2223 2425
    0x0050:  2627 2829 2a2b 2c2d 2e2f 3031 3233 3435
    0x0060:  3637
3 packets captured
62 packets received by filter
0 packets dropped by kernel
$

Then copy the output and process it with sed like this:

$ cat screendump.txt | sed -e 's/ \([^ ][^ ]\)\([^ ][^ ]\)/ \1 \2/g' -e 's/^\(..:..:..\).*$/\1/' -e 's/^.*0x\(....\): /\1/' 
23:06:22
0000 00 12 1e bb d1 32 f8 1e df d8 87 48 08 00 45 00
0010 00 54 15 3e 00 00 40 01 93 9d c0 a8 01 16 08 08
0020 08 08 08 00 72 d6 ae 4f 00 00 50 2a bd ce 00 07
0030 dd d6 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15
0040 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25
0050 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35
0060 36 37
23:06:22
0000 f8 1e df d8 87 48 00 12 1e bb d1 32 08 00 45 00
0010 00 54 5a 72 00 00 37 01 57 69 08 08 08 08 c0 a8
0020 01 16 00 00 7a d6 ae 4f 00 00 50 2a bd ce 00 07
0030 dd d6 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15
0040 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25
0050 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35
0060 36 37
23:06:23
0000 00 12 1e bb d1 32 f8 1e df d8 87 48 08 00 45 00
0010 00 54 45 43 00 00 40 01 63 98 c0 a8 01 16 08 08
0020 08 08 08 00 71 4b ae 4f 00 01 50 2a bd cf 00 07
0030 df 5f 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15
0040 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25
0050 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35
0060 36 37
$

If you redirect that output to a file, it can be imported in Wireshark with "File -> Import...", just make sure you enable timestamps and give "%T" as time format.

(if you're on Windows, you might want to consider installing a sed program or cygwin)

answered 14 Aug '12, 14:12


SYN-bit ♦♦
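As an added example (my own code, not from this thread), here is a Python version of the conversion the sed recipe above prepares for: it parses the timestamp and "0x....:" hex lines of tcpdump -xx output and writes a classic pcap directly, so the "File -> Import" step and its time-format setting are not needed. It checks that each hex line's offset matches the bytes collected so far, so a paste with a missing or duplicated line is rejected instead of silently producing a corrupt frame. It assumes the default tcpdump timestamp format shown above and Ethernet link-layer data (as -xx on an Ethernet interface produces).

```python
import re
import struct

# Sample input: the first frame of the 'tcpdump -nli en1 -xx' output shown above.
SAMPLE = """\
23:06:22.515580 IP 192.168.1.22 > 8.8.8.8: ICMP echo request, id 44623, seq 0, length 64
    0x0000:  0012 1ebb d132 f81e dfd8 8748 0800 4500
    0x0010:  0054 153e 0000 4001 939d c0a8 0116 0808
    0x0020:  0808 0800 72d6 ae4f 0000 502a bdce 0007
    0x0030:  ddd6 0809 0a0b 0c0d 0e0f 1011 1213 1415
    0x0040:  1617 1819 1a1b 1c1d 1e1f 2021 2223 2425
    0x0050:  2627 2829 2a2b 2c2d 2e2f 3031 3233 3435
    0x0060:  3637
"""

HEADER_RE = re.compile(r"^(\d{2}):(\d{2}):(\d{2})\.(\d{6}) ")  # "23:06:22.515580 IP ..."
HEX_RE = re.compile(r"^\s+0x([0-9a-f]{4}):\s+((?:[0-9a-f]{1,4}\s*)+)$")  # "  0x0010:  0054 ..."

def parse_tcpdump_xx(text):
    """Return [(seconds_since_midnight, microseconds, frame_bytes), ...].
    The screen dump carries no date, so Wireshark will show the times on 1970-01-01."""
    frames = []
    cur = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            h, mi, s, us = (int(x) for x in m.groups())
            cur = [h * 3600 + mi * 60 + s, us, bytearray()]
            frames.append(cur)
            continue
        m = HEX_RE.match(line)
        if m and cur is not None:
            off = int(m.group(1), 16)
            if off != len(cur[2]):  # a missing or duplicated hex line in the paste
                raise ValueError(f"frame {len(frames)}: offset {off:#06x}, have {len(cur[2])} bytes")
            cur[2] += bytes.fromhex(m.group(2).replace(" ", ""))
    return [(s, us, bytes(b)) for s, us, b in frames]

def build_pcap(frames):
    """Classic pcap: magic 0xa1b2c3d4, version 2.4, snaplen 65535, link type 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)
    for sec, usec, data in frames:
        out += struct.pack("<IIII", sec, usec, len(data), len(data)) + data
    return out

if __name__ == "__main__":
    import sys
    src = sys.stdin.read() if len(sys.argv) < 2 else open(sys.argv[1]).read()
    sys.stdout.buffer.write(build_pcap(parse_tcpdump_xx(src)))
```

Run it as "python3 xx2pcap.py screendump.txt > dump.pcap" and open dump.pcap in Wireshark; tcpdump's summary lines and the trailing "packets captured" statistics are ignored.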

Fabulous... I will give this a go tomorrow.

However, if I just want to sniff everything on a particular interface, e.g. eth0, what would the syntax be? Note, there is not a lot of traffic on this interface.

Thanks

(14 Aug '12, 16:21) gil_happy

Then the syntax would be:

tcpdump -s0 -nn -l -xx -i eth0
(15 Aug '12, 07:46) SYN-bit ♦♦

0

Unfortunately that is not possible, as the packet bytes get lost. You might be able to use some scripting to be able to import "tcpdump -s0 -x -i eth0" output.

If the problem is that you can only copy screen output, you might want to save the trace locally with "tcpdump -s0 -w tmp.cap" and then use uuencode to create ascii text on the screen which you can copy & paste and uudecode.

Or do it in one go: "tcpdump -s0 -i en1 -w - -c 10 2>/dev/null | uuencode tmp.cap"

answered 13 Aug '12, 15:14


SYN-bit ♦♦

Thanks for the info... Unfortunately the problem is that if I save it to a file (which is a remote device), I have no way to pull the pcap file off the unit. That is why I was wondering if there was a way to dump the screen output into Wireshark.

Thanks for the help.

(14 Aug '12, 12:43) gil_happy

That's why I suggested uuencoding the binary file: you can copy the output from the console/terminal/screen and paste it into a file on your own system to uudecode it back to a binary file.

I have used this when I only had a 9600 bps serial console available, it takes time, but at least you get all the data :-)

(if the box does not have uuencode but does have perl, you can paste this code to it to do the encoding :-)

(14 Aug '12, 13:34) SYN-bit ♦♦

0

There are some other options as well.

xxd
xxd is available (per default) on many Linux distributions and there is also a windows version (e.g. as part of vim - http://www.vim.org)

tcpdump -ni eth0 -s0 -w /var/tmp/dump.pcap
xxd /var/tmp/dump.pcap /var/tmp/dump.hex
cat /var/tmp/dump.hex

Copy the output and save it as dump.hex on another system. Then use xxd on that system to revert the hex dump back to a binary.

xxd -r dump.hex dump.pcap

You can now open dump.pcap in Wireshark.

remote capture with ssh
I assume you are able to connect to the system with ssh to run the tcpdump command. However, if that is possible, you could also just copy the binary data with scp through that channel, and the whole HEX -> binary conversion would not be necessary !??!

ssh -l root 192.168.0.1 "tcpdump -ni eth0 -s0 -w -" > dump.pcap

Then open dump.pcap in Wireshark.

UPDATE:
If you don't have xxd on your system, you can also use hexdump and then convert the output to something xxd understands.

HOWTO:

  • run this command

    hexdump -C input.cap | awk '{$1 = substr($1,2) ":"; gsub(/\|/," "); gsub(/[0-9a-f]+:$/,""); print}' > capture.hex

  • copy/paste the output of capture.hex to your windows system
  • install vim from http://www.vim.org
  • run the following commands

    cd %PROGRAMFILES%\vim\vim73
    xxd -r c:\temp\capture.hex c:\temp\capture.pcap

  • open c:\temp\capture.pcap in Wireshark

Regards
Kurt

answered 14 Aug '12, 17:47


Kurt Knochner ♦

edited 16 Aug '12, 02:44
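One caveat worth knowing for the hexdump route in the UPDATE above: unless hexdump is run with -v, "hexdump -C" squeezes runs of identical 16-byte lines into a single "*" line, and the awk one-liner does not expand those, so the rebuilt file is short wherever the capture contains long runs of identical bytes. As an added example (my own code, not Kurt's), the Python below rebuilds the binary straight from pasted "hexdump -C" output, replaying the previous line until the next offset is reached and refusing dumps whose offsets do not line up. It assumes the default "hexdump -C" layout; the embedded sample is constructed.

```python
import re

# Constructed sample: 'hexdump -C' of a 56-byte file whose bytes 16..47 are all zero.
# hexdump prints the line at 0x10 once and squeezes the identical line at 0x20 into '*'.
SAMPLE = """\
00000000  d4 c3 b2 a1 02 00 04 00  00 00 00 00 00 00 00 00  |................|
00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000030  ff ff 00 00 01 00 00 00                           |........|
00000038
"""

# offset, then (optionally) the hex bytes and the |ascii| column; the last line is offset only
LINE_RE = re.compile(r"^([0-9a-f]{8})(?:  ((?:[0-9a-f]{2} *)+)(?:\|.*\|)?)?$")

def hexdump_c_to_bytes(text):
    """Rebuild the original bytes from 'hexdump -C' output, expanding '*' squeeze lines."""
    out = bytearray()
    last = b""          # the data line that a following '*' repeats
    squeezed = False
    for line in text.splitlines():
        if line.strip() == "*":
            squeezed = True
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised hexdump line: {line!r}")
        off = int(m.group(1), 16)
        if squeezed:    # replay `last` until we reach the offset of this line
            if not last:
                raise ValueError("'*' before any data line")
            while len(out) < off:
                out += last
            squeezed = False
        if off != len(out):
            raise ValueError(f"offset {off:#x} but {len(out)} bytes reconstructed so far")
        if m.group(2) is None:
            break       # final line: file length only
        last = bytes.fromhex(m.group(2).replace(" ", ""))
        out += last
    return bytes(out)

if __name__ == "__main__":
    import sys
    sys.stdout.buffer.write(hexdump_c_to_bytes(sys.stdin.read()))
```

Usage: "python3 unhexdump.py < capture.hex > capture.pcap", after which xxd is not needed on the receiving side at all.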

I did not know about xxd, we learn everyday :-)

However, for this purpose, I think uuencode is a lot more efficient:

$ wc bug4716.cap 
  12      19     498 bug4716.cap
$ uuencode bug4716.cap bug4716.cap | wc
  15      17     716
$ xxd bug4716.cap | wc
  32     313    2130
$

But if xxd is available and uuencode is not... :-)

UPDATE: OK, when using xxd, you might want to use -p to reduce the size:

$ xxd -p bug4716.cap | wc
  17      17    1013
$
(15 Aug '12, 00:10) SYN-bit ♦♦

But if xxd is available and uuencode is not... :-)

That's the only good reason to use xxd, as uuencode tends to be missing on some linux systems ;-)

(15 Aug '12, 01:17) Kurt Knochner ♦

0

I recently used a remote command over ssh to pipe back into a local copy of tshark which then wrote into local files.

ssh [email protected] "tcpdump -i eth0 -w -" | tshark -i - -b filesize:50000 -w dump.pcap

Note that I had installed a public key for the user on the remote system so no user input was required on the ssh connection.

answered 15 Aug '12, 02:23


grahamb ♦

Thanks for all suggestions to date... unfortunately the SSH suggestion is not an option.

Here is what I have done so far.

  • I captured DHCP logs on the remote device using the following: ./tcpdump -v -i br0 -s 65535 -w dhcp.pcap
  • Then I did, ‘hexdump -C dhcp.pcap’

I then copied and pasted the output on my screen and saved it to Notepad. Now I'm trying to figure out how to import it back into Wireshark or even 'Packet Dump Decode'. I don't know if I'm doing something incorrectly, or if I need to make a minor edit to the pasted output?

(15 Aug '12, 07:32) gil_happy

hexdump does not seem to have a 'reverse' option. Do you have uuencode or xxd on the box?

(15 Aug '12, 07:46) SYN-bit ♦♦

if you don't have uuencode (preferred) or xxd, did you try the option posted by SYN-bit (tcpdump -xxx ...)? That will work.

Another option would be to convert the output of hexdump to a format that xxd (windows version) accepts. See the UPDATE in my answer above.

(16 Aug '12, 02:33) Kurt Knochner ♦