This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Need to convert a tcpdump text file to pcap file


Hi All, I searched through and did not find this question asked already. Yesterday I received my very first tcpdump.txt file - up to this point all my captures were .pcap, so I did not know what to do with that. Some research shows we have text2pcap... and I thought OK GREAT I will convert it... The commands I have tried:

text2pcap tcpdump.txt tcpdump.pcap

this actually returns

Input from: tcpdump.txt
Output to: tcpdump.pcap
Output format: PCAP
Read 170 potential packets, wrote 0 packets (24 bytes).

I have also tried adding in -a and some of the other options but nothing seems to work for me... every time it returns a file it is 1KB. Can someone tell me if this is the correct tool to use for this and possibly how to use it? Or if there is a better way... I have never worked with this type of file before.

asked 20 Jun '14, 04:55

bz6djs

edited 20 Jun '14, 17:24

Guy Harris ♦♦

Hi, please look at this article, it may solve your problem: http://ask.wireshark.org/questions/19054/tcpdump-to-pcap

(20 Jun '14, 06:41) kishan pandey

One Answer:


text2pcap turns text in the form of hex dumps of packet contents into pcap files.

Unfortunately, that's probably not what you have; you probably have the result of tcpdump dissecting packets and, as the article that was suggested as possibly "[solving] your problem" says, the tcpdump dissection has probably permanently discarded data from the packet, so you probably will not be able to get a pcap file from it (i.e., it "solves" your problem by telling you it's insoluble).

In the future, make sure whoever makes captures with tcpdump for you to analyze uses the -w flag, so that tcpdump writes a pcap file with raw packet data rather than a text file with dissected packets.

In the present, learn the format of tcpdump output and see whether the text file tells you enough to let you analyze the problem.

answered 20 Jun '14, 17:28

Guy Harris ♦♦
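
A pre-check for the distinction drawn in the answer above, as an added example that is not part of the original thread: it classifies the lines of a text capture to show whether any raw packet bytes are in the file at all before text2pcap is tried. The sample inputs are constructed, and the function names and line patterns (an `od -Ax -tx1 -v` style hex dump, tcpdump's timestamped summary line, tcpdump `-x` style hex rows) are assumptions of this example.

```python
import re

# od -Ax -tx1 -v style: hex offset of more than two digits, then single bytes.
OD_LINE = re.compile(r"^\s*[0-9a-fA-F]{3,}(\s+[0-9a-fA-F]{2})+\s*$")
# tcpdump -x/-xx/-X style row: "0x0000:" offset followed by hex groups.
TCPDUMP_HEX = re.compile(r"^\s*0x[0-9a-fA-F]{4}:\s+[0-9a-fA-F]{2,4}\b")
# tcpdump default summary line: begins with an HH:MM:SS.fraction timestamp.
SUMMARY = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+\s")

def classify(text):
    """Count how many non-blank lines fall into each category."""
    counts = {"od_hex": 0, "tcpdump_hex": 0, "summary": 0, "other": 0}
    for line in text.splitlines():
        if not line.strip():
            continue
        if OD_LINE.match(line):
            counts["od_hex"] += 1
        elif TCPDUMP_HEX.match(line):
            counts["tcpdump_hex"] += 1
        elif SUMMARY.match(line):
            counts["summary"] += 1
        else:
            counts["other"] += 1
    return counts

def verdict(counts):
    """Say whether the file holds packet bytes or only dissected text."""
    if counts["od_hex"]:
        return "hex dump of packet contents: the kind of input text2pcap reads"
    if counts["tcpdump_hex"]:
        return "tcpdump hex rows: packet bytes present, in tcpdump's own layout"
    if counts["summary"]:
        return "dissected summaries only: raw bytes are not in the file"
    return "unrecognized text"

# Constructed samples (documentation addresses, made-up packet bytes).
DISSECTED = (
    "04:55:01.000001 IP 192.0.2.10.51000 > 192.0.2.20.80: Flags [S], seq 1000, length 0\n"
    "04:55:01.000420 IP 192.0.2.20.80 > 192.0.2.10.51000: Flags [S.], seq 2000, length 0\n"
)
HEXDUMP = (
    "000000 00 11 22 33 44 55 66 77 88 99 aa bb 08 00 45 00\n"
    "000010 00 28 00 01 00 00 40 06 f6 7c c0 00 02 0a c0 00\n"
)
TCPDUMP_X = DISSECTED.splitlines()[0] + (
    "\n\t0x0000:  4500 0028 0001 0000 4006 f67c c000 020a\n"
    "\t0x0010:  c000 0214 c738 0050 0000 03e8 0000 0000\n"
)

if __name__ == "__main__":
    for name, sample in (("dissected", DISSECTED), ("hexdump", HEXDUMP), ("tcpdump -x", TCPDUMP_X)):
        print(name, "->", verdict(classify(sample)))
```
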