This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Empty pcap file from converting a syslog server text file to pcap

0

There are many discussions on converting PCAP to TXT but nothing on TXT to PCAP. Let's establish the scenario. Discussion is based on Windows Platform. Router is a NETGEAR FVS318N. The logs can be sent to a "syslog server". Two examples are "Kiwi Syslog Server" and "TFTpd32 Syslog Server" Out of all the variations and preferences that the Syslog Server community may offer, the question is focused on how to get the information to "WireShark". So first we need to establish that the information that is captured from the Router to the Syslog Server is placed in a log folder that is in the form of "File.txt". There is nothing special about it. It is a simple "File.txt". It can be opened with a simple notepad. Here is where it gets difficult. It is said, that you should convert the "txt" file to a "pcap" file. So CMD is: text2pcap.exe file.txt file.pcap - resulting in the following:
Input from: file.txt
Output to: file.pcap
Output format: PCAP
Read 4 potential packets, wrote 0 packets (24 bytes)

The goal is to take the captured data that is in a .txt format and get it into a .pcap format so that the captured data can be opened in WireShark. What is the process?

asked 17 Nov '14, 01:14

SJISP's gravatar image

SJISP
11112
accept rate: 0%

edited 22 Aug '16, 21:44

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196


One Answer:

0

This will only work (and make sense) if the text you have contains the hex bytes of the actual packet content. SysLog is usually text based stuff, like "port eth0 blocked packet from ip w.x.y.z" - Wireshark is not made for analyzing that kind of thing. You'd better be using logging systems like Splunk to store and search through those kinds of messages (they have filters that slightly remind of Wireshark display filters, too).

So unless your text file contains the packet bytes you're not going to have much luck with text2pcap.

answered 17 Nov '14, 01:20

Jasper's gravatar image

Jasper ♦♦
23.8k551284
accept rate: 18%

Thanks Jasper. I have just warmed up to WireShark and like how you can search for specifics. I'll give Splunk a shot.

(17 Nov '14, 01:31) SJISP