This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Can this tcpdump file be converted to pcap?

0

This command:

tcpdump -vv -x -X -s 1500 -i eth0 'port 8080' > /var/tmp/tcpdump_port_8080

produces

17:49:45.461651 IP (tos 0x0, ttl  61, id 39983, offset 0, flags [DF], proto: TCP (6), length: 986) ack.com.57004 > ack.com.webcache: P, cksum 0xde66 (correct), 300:1234(934) ack 1 win 46  nop,nop,timestamp 2475621520 2475152160

0x0000: 4500 03da 9c2f 4000 3d06 39b7 c129 1156 E..../@.=.9..).V
0x0350: 7261 6e73 6163 7469 6f6e 4964 3e30 6231 ransactionId>0b1
0x0360: 6163 3666 372d 3638 3432 2d34 3436 382d ac6f7-6842-4468-
0x0370: 6166 6631 2d63 3063 3530 3635 6362 3235 aff1-c0c5065cb25
0x0380: 313c 2f74 7261 6e73 6163 7469 6f6e 4964 1</transactionId

asked 26 Feb ‘15, 13:44


Urnst66
1112
accept rate: 0%

edited 26 Feb ‘15, 14:42


Guy Harris ♦♦
17.4k335196

Note that if you had done

tcpdump -vv -x -X -s 1500 -i eth0 -w /var/tmp/tcpdump_port_8080.pcap  'port 8080'

you would have had a pcap file, and wouldn’t have to do the conversion.

Note also that -s 1500 is wrong for Ethernet; the “snapshot length” specified by the -s flag is the total length of the packet, including the Ethernet header, not the MTU! The latest versions of tcpdump default to a large snapshot length; versions before that allow you to say -s 0 to get a large snapshot length, and, for versions older than that, you’d have to do something such as -s 262144.

(26 Feb ‘15, 19:39) Guy Harris ♦♦


One Answer:

2

Yes, you can use text2pcap to convert it to a pcap file, but you will first need to massage the data into a format that text2pcap accepts, because the depicted format is currently not supported by text2pcap.

So first, you can convert the data into a suitable format by using Kurt Knochner's perl script, given as an answer to this question and copied here for convenience:

#!/usr/bin/perl
# Convert `tcpdump -x`/`-X` output into the hexdump format text2pcap reads.
# Reads the tcpdump text on STDIN and writes one timestamp line per packet,
# followed by "OFFSET b1 b2 b3 ..." lines (offset in hex, one byte per group).
use strict;
use warnings;

$| = 1;    # unbuffered output

# Packet header line: starts with an HH:MM:SS.frac timestamp.
my $regexp_time = '^(\d\d:\d\d:\d\d\.\d+) ';

# Dump line, e.g. "\t0x00a0:  4500 03da ... 1156  E..../@.=.9..).V"
# The offset is hexadecimal (0x00a0, 0x00b0, ...), so it has to be matched
# with [0-9a-f] rather than \d, or those lines are silently dropped and the
# packet is reassembled with holes. The hex column is a run of 2-4 digit
# groups separated by single spaces; the two spaces before the ASCII column
# (or the end of the line) terminate it.
my $regexp_hex = '^\s*(0x[0-9a-f]+:\s+)((?:[0-9a-f]{2,4} ?)+)';

while (<STDIN>) {
    my $input = $_;

    # Timestamp lines are passed through; text2pcap reads them when run
    # with -t '%H:%M:%S.'.
    if ($input =~ /$regexp_time/) {
        print "$1\n";
    }

    if ($input =~ /$regexp_hex/) {
        my $counter = $1;
        my $line    = $2;

        $line    =~ s/ //g;          # "4500 03da" -> "450003da"
        $counter =~ s/(0x|:)//g;     # "0x0000:  " -> "0000  "

        # Re-split into byte pairs: "450003da" -> "45 00 03 da"
        print $counter . join(' ', ($line =~ m/../g)) . "\n";
    }
}

Assuming the output of tcpdump is saved in a file called tcpdump.txt, and Kurt’s perl script is saved as convert.pl, run:

perl convert.pl < tcpdump.txt > tcpdump_converted.txt

Once that’s done, run text2pcap on the converted file:

text2pcap -l 101 tcpdump_converted.txt tcpdump_converted.pcap

Note that here I’m specifying “Raw IP” encapsulation. See http://www.tcpdump.org/linktypes.html for link types.

answered 26 Feb ‘15, 15:16


cmaynard ♦♦
9.4k1038142
accept rate: 20%

edited 27 Feb ‘15, 00:53


Kurt Knochner ♦
24.8k1039237
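The conversion described in the answer above, as an added example that is not code from this thread, from Kurt Knochner's script or from Wireshark's text2pcap: a Python converter that does the same job as the perl script, plus a check that the reconstructed bytes agree with tcpdump's own summary line (IP version for raw-IP encapsulation, header checksum, ttl/id/length) and that the snapshot length kept the whole packet, which is the truncation Guy Harris's -s comment warns about. The sample dump, its addresses and its timestamp are constructed for this example, not taken from a capture; the regular expressions and the `convert`, `packets`, `ipv4_checksum` and `check_packet` functions are this example's own.

```python
"""Convert `tcpdump -x`/`-X` text into the hexdump format text2pcap reads, then
sanity-check the reconstructed packet against tcpdump's own summary line."""
import re
import struct

# Constructed sample (not a real capture): one 40-byte IPv4/TCP packet as
# `tcpdump -vv -x -X` prints it: tab-indented dump lines, two spaces before the
# ASCII column. The IP header checksum (b760) is valid; the TCP checksum is left 0.
SAMPLE = (
    "12:00:00.000001 IP (tos 0x0, ttl  64, id 1, offset 0, flags [DF], "
    "proto: TCP (6), length: 40) 192.168.1.10.57004 > 192.168.1.20.8080: P, "
    "cksum 0x0000 (incorrect), 1:1(0) ack 1 win 46\n"
    "\t0x0000:  4500 0028 0001 4000 4006 b760 c0a8 010a  E..(..@.@..`....\n"
    "\t0x0010:  c0a8 0114 deac 1f90 0000 0001 0000 0001  ................\n"
    "\t0x0020:  5018 002e 0000 0000                      P.......\n"
)

TIME_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+)(?:\s|$)")
SUMMARY_RE = re.compile(r"ttl\s+(\d+), id (\d+),.*length: (\d+)\)")
# Offsets are hex (0x00a0, 0x00b0, ...): match [0-9a-f], not \d, or those lines
# vanish. The hex column is 2-4 digit groups split by single spaces; the two
# spaces before the ASCII column (or end of line) terminate it, so an ASCII
# column that happens to start with hex-looking characters is not swallowed.
HEX_RE = re.compile(r"^\s*0x([0-9a-f]+):\s+((?:[0-9a-f]{2,4} ?)+)")


def convert(text):
    """tcpdump text -> text2pcap text: timestamp lines and 'OFFSET b1 b2 ...' lines."""
    out = []
    for line in text.splitlines():
        m = TIME_RE.match(line)
        if m:
            out.append(m.group(1))
            continue
        m = HEX_RE.match(line)
        if m:
            hexcol = m.group(2).replace(" ", "")
            pairs = [hexcol[i:i + 2] for i in range(0, len(hexcol), 2)]
            out.append(m.group(1) + " " + " ".join(pairs))
    return "\n".join(out) + "\n"


def packets(converted):
    """Reassemble the converted text into (timestamp, bytes) pairs, refusing
    non-contiguous offsets (the symptom of a dump line the converter dropped)."""
    pkts = []
    for line in converted.splitlines():
        m = TIME_RE.match(line)
        if m:
            pkts.append([m.group(1), bytearray()])
            continue
        if not pkts:
            pkts.append(["", bytearray()])
        offset, _, hexbytes = line.partition(" ")
        if int(offset, 16) != len(pkts[-1][1]):
            raise ValueError("non-contiguous offset 0x%s: a dump line is missing" % offset)
        pkts[-1][1] += bytes.fromhex(hexbytes)
    return [(ts, bytes(buf)) for ts, buf in pkts]


def ipv4_checksum(header):
    """RFC 1071 ones-complement sum over the header bytes; 0 means it verifies."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def check_packet(summary_line, pkt):
    """Cross-check the bytes against tcpdump's summary: raw-IP encapsulation
    (version 4), a verifying header checksum, matching ttl/id/length, and a
    length showing that the snapshot length (-s) kept the whole packet."""
    ttl, ident, length = (int(x) for x in SUMMARY_RE.search(summary_line).groups())
    version, ihl = pkt[0] >> 4, (pkt[0] & 0xF) * 4
    total_len, pkt_id = struct.unpack("!HH", pkt[2:6])
    return {
        "is_ipv4": version == 4,
        "header_checksum_ok": ipv4_checksum(pkt[:ihl]) == 0,
        "summary_matches": (ttl, ident, length) == (pkt[8], pkt_id, total_len),
        "complete": len(pkt) == total_len,   # False when -s truncated the packet
    }


if __name__ == "__main__":
    converted = convert(SAMPLE)
    print(converted, end="")
    for ts, pkt in packets(converted):
        print(ts, check_packet(SAMPLE.splitlines()[0], pkt))
    # Save `converted` to a file and run:
    #   text2pcap -l 101 -t '%H:%M:%S.' converted.txt converted.pcap
```

Because the converter keeps the timestamp lines, its output goes to text2pcap -l 101 exactly as in the answer; adding text2pcap's -t '%H:%M:%S.' option makes it take the packet times from those lines instead of stamping the packets with the conversion time. The contiguity check in packets() is the part worth keeping around: a converter that matches offsets with \d instead of [0-9a-f] drops every line at 0x00a0, 0x00b0 and so on, and the reassembled packets then have 16-byte holes.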

Note that here I’m specifying “Raw IP” encapsulation.

…because the packet data, in the tcpdump output, starts with the IP header, not with an Ethernet header.

(26 Feb ‘15, 19:35) Guy Harris ♦♦

Thank you! That worked great.

(27 Feb ‘15, 06:37) Urnst66

If an answer has solved your issue, please accept the answer for the benefit of other users by clicking the checkmark icon next to the answer. Please read the FAQ for more information.

(27 Feb ‘15, 06:47) grahamb ♦