
There are many discussions on converting PCAP to TXT but nothing on TXT to PCAP. Let's establish the scenario. The discussion is based on the Windows platform. The router is a NETGEAR FVS318N. Its logs can be sent to a "syslog server"; two examples are "Kiwi Syslog Server" and "Tftpd32 Syslog Server". Out of all the variations and preferences that the syslog server community may offer, the question is focused on how to get the information into "Wireshark".

So first we need to establish that the information captured from the router by the syslog server is placed in a log folder in the form of "File.txt". There is nothing special about it. It is a simple "File.txt". It can be opened with Notepad. Here is where it gets difficult. It is said that you should convert the "txt" file to a "pcap" file. So the command is `text2pcap.exe file.txt file.pcap`, resulting in the following:

    Input from: file.txt
    Output to: file.pcap
    Output format: PCAP
    Read 4 potential packets, wrote 0 packets (24 bytes)

The goal is to take the captured data that is in .txt format and get it into .pcap format so that the captured data can be opened in Wireshark. What is the process?

asked 17 Nov '14, 01:14 by SJISP

edited 22 Aug '16, 21:44 by Guy Harris ♦♦


This will only work (and make sense) if the text you have contains the hex bytes of the actual packet content. Syslog is usually text-based stuff, like "port eth0 blocked packet from ip w.x.y.z"; Wireshark is not made for analyzing that kind of thing. You'd better be using logging systems like Splunk to store and search through those kinds of messages (they have filters that are slightly reminiscent of Wireshark display filters, too).

So unless your text file contains the packet bytes you're not going to have much luck with text2pcap.

answered 17 Nov '14, 01:20 by Jasper ♦♦
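To make Jasper's point concrete, here is an added example (not code from the thread or from the Wireshark project) that reimplements, in Python, the input rule text2pcap applies: each line must start with a hex offset followed by hex byte pairs, and an offset of 0 starts a new packet. Run over syslog-style lines it finds no packet bytes and the resulting pcap is just the 24-byte global header, which is exactly the "wrote 0 packets (24 bytes)" result in the question; run over a real hex dump it produces a file Wireshark opens. The syslog lines and the two Ethernet/ARP frames in the hex dump are constructed for this example, the function names are mine, and the ASCII-column handling is a simplification of what text2pcap does.

```python
"""Added example (not part of the original thread): a minimal reimplementation
of the rule text2pcap applies to its input, to show why a syslog text file
yields "wrote 0 packets (24 bytes)" and what a convertible text file looks like.
"""
import re
import struct

PCAP_MAGIC = 0xA1B2C3D4      # classic libpcap, microsecond timestamps
LINKTYPE_ETHERNET = 1        # text2pcap's default encapsulation

OFFSET = re.compile(r'^[0-9A-Fa-f]{4,}$')   # e.g. 0000, 000010
HEXPAIR = re.compile(r'^[0-9A-Fa-f]{2}$')   # one byte


def parse_hexdump(text):
    """Extract packets from a text2pcap-style hex dump.

    Simplified version of the text2pcap input rule: a line starts with a hex
    offset followed by hex byte pairs; an offset of 0 starts a new packet, any
    other offset continues the current one.  A line that does not start with an
    offset (a syslog message, say) carries no packet bytes and is skipped.
    Parsing of a line stops at the first token that is not a hex pair, which
    also cuts off a trailing ASCII column (simplification of text2pcap).
    """
    packets, current = [], bytearray()
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or not OFFSET.match(tokens[0]):
            continue
        if int(tokens[0], 16) == 0 and current:
            packets.append(bytes(current))
            current = bytearray()
        for tok in tokens[1:]:
            if not HEXPAIR.match(tok):
                break
            current.append(int(tok, 16))
    if current:
        packets.append(bytes(current))
    return packets


def build_pcap(packets, linktype=LINKTYPE_ETHERNET):
    """Serialise packets as a classic pcap file (bytes).

    The 24-byte global header is always written; with no packets that header is
    the whole file, which is the "(24 bytes)" in the question's text2pcap output.
    Timestamps are synthetic (assumption: the dump carries no time information).
    """
    out = bytearray(struct.pack('<IHHiIII', PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype))
    for seq, pkt in enumerate(packets):
        # record header: ts_sec, ts_usec, incl_len, orig_len
        out += struct.pack('<IIII', seq, 0, len(pkt), len(pkt))
        out += pkt
    return bytes(out)


def convert(text):
    """Return (packet count, pcap size in bytes) for a text file's contents."""
    packets = parse_hexdump(text)
    return len(packets), len(build_pcap(packets))


# Constructed sample 1: the kind of text a syslog server stores. No packet bytes.
SYSLOG_TEXT = """\
Nov 17 01:14:05 router: port eth0 blocked packet from ip 192.0.2.10
Nov 17 01:14:06 router: port eth0 blocked packet from ip 192.0.2.11
"""

# Constructed sample 2: a hex dump of two hand-built Ethernet/ARP frames
# (request and reply), the form text2pcap can actually convert.
HEXDUMP_TEXT = """\
000000 ff ff ff ff ff ff 00 11 22 33 44 55 08 06 00 01
000010 08 00 06 04 00 01 00 11 22 33 44 55 c0 a8 01 01
000020 00 00 00 00 00 00 c0 a8 01 02

000000 00 11 22 33 44 55 00 aa bb cc dd ee 08 06 00 01
000010 08 00 06 04 00 02 00 aa bb cc dd ee c0 a8 01 02
000020 00 11 22 33 44 55 c0 a8 01 01
"""

if __name__ == '__main__':
    print('syslog text :', convert(SYSLOG_TEXT))    # (0, 24)
    print('hex dump    :', convert(HEXDUMP_TEXT))   # (2, 140)
    with open('file.pcap', 'wb') as f:              # opens in Wireshark as two ARP frames
        f.write(build_pcap(parse_hexdump(HEXDUMP_TEXT)))
```

The practical check before reaching for text2pcap is therefore to open the .txt file and look for lines of the second form (an offset, then hex byte pairs). Firewall or syslog messages from a router never contain them, so no converter will recover packets from them; to see the router's traffic in Wireshark you need an actual capture (from a mirror port, or taken on a host on the path), not its log output.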

Thanks Jasper. I have just warmed up to Wireshark and like how you can search for specifics. I'll give Splunk a shot.

(17 Nov '14, 01:31) SJISP
question was seen: 5,326 times

powered by OSQA