This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hi friends! I need to convert text to pcap, this is an example. Can you help me? Thanks! Julian

================================================================================

[No.           ] 1
[TimeStamp     ] 2012-06-13 11:49:03
[Msg Name      ] <BYE
[Module No     ] 1407
[Remote Address] 172.26.2.65:9163
[Ticks         ] 1561178745
[Hex Msg       ] 42 59 45 20 73 69 70 3A 31 37 32 2E 32 36 2E 32 2E 36 35 3A ...

BYE sip:172.26.2.65:9163;yop=00.00.B69D8639.0000.436A SIP/2.0
Via: SIP/2.0/UDP 172.26.1.164:5072;branch=z9hG4bK84ebbd18599de4fc4d25e1cd9;X-DispCookie=1000;X-DptMsg=1407
Route: <sip:172.26.2.65:9163;transport=udp;lr>
Call-ID: d9801ba4e3b75c1b7969a341f5e1020f@10.18.5.64
From: "33545314179"<sip:+33545314179@172.26.1.164;transport=udp;user=phone>;tag=5e5fb6dc-CC-1000
To: "5114370684"<sip:+5114370684@172.26.2.65;transport=udp;user=phone>;tag=sbc0503dg986A83Uc6ee_h0
CSeq: 2 BYE
Max-Forwards: 70
Reason: Q.850;cause=16;text="Normal call clearing"
Content-Length: 0

Also, I can obtain this other format:

==========================================================================================
[No.           ] 1
[TimeStamp     ] 2012-06-13 11:49:03
[Msg Name      ] <BYE
[Module No     ] 1407
[Remote Address] 172.26.2.65:9163
[Ticks         ] 1561178745
[Hex Msg       ] 42 59 45 20 73 69 70 3A 31 37 32 2E 32 36 2E 32 2E 36 35 3A 39 31 36 33 3B 79 6F 70 3D 30 30 2E 30 30 2E 42 36 39 44 38 36 33 39 2E 30 30 30 30 2E 34 33 36 41 20 53 49 50 2F 32 2E 30 0A 56 69 61 3A 20 53 49 50 2F 32 2E 30 2F 55 44 50 20 31 37 32 2E 32 36 2E 31 2E 31 36 34 3A 35 30 37 32 3B 62 72 61 6E 63 68 3D 7A 39 68 47 34 62 4B 38 34 65 62 62 64 31 38 35 39 39 64 65 34 66 63 34 64 32 35 65 31 63 64 39 3B 58 2D 44 69 73 70 43 6F 6F 6B 69 65 3D 31 30 30 30 3B 58 2D 44 70 74 4D 73 67 3D 31 34 30 37 0A 52 6F 75 74 65 3A 20 3C 73 69 70 3A 31 37 32 2E 32 36 2E 32 2E 36 35 3A 39 31 36 33 3B 74 72 61 6E 73 70 6F 72 74 3D 75 64 70 3B 6C 72 3E 0A 43 61 6C 6C 2D 49 44 3A 20 64 39 38 30 31 62 61 34 65 33 62 37 35 63 31 62 37 39 36 39 61 33 34 31 66 35 65 31 30 32 30 66 40 31 30 2E 31 38 2E 35 2E 36 34 0A 46 72 6F 6D 3A 20 22 33 33 35 34 35 33 31 34 31 37 39 22 3C 73 69 70 3A 2B 33 33 35 34 35 33 31 34 31 37 39 40 31 37 32 2E 32 36 2E 31 2E 31 36 34 3B 74 72 61 6E 73 70 6F 72 74 3D 75 64 70 3B 75 73 65 72 3D 70 68 6F 6E 65 3E 3B 74 61 67 3D 35 65 35 66 62 36 64 63 2D 43 43 2D 31 30 30 30 0A 54 6F 3A 20 22 35 31 31 34 33 37 30 36 38 34 22 3C 73 69 70 3A 2B 35 31 31 34 33 37 30 36 38 34 40 31 37 32 2E 32 36 2E 32 2E 36 35 3B 74 72 61 6E 73 70 6F 72 74 3D 75 64 70 3B 75 73 65 72 3D 70 68 6F 6E 65 3E 3B 74 61 67 3D 73 62 63 30 35 30 33 64 67 39 38 36 41 38 33 55 63 36 65 65 5F 68 30 0A 43 53 65 71 3A 20 32 20 42 59 45 0A 4D 61 78 2D 46 6F 72 77 61 72 64 73 3A 20 37 30 0A 52 65 61 73 6F 6E 3A 20 51 2E 38 35 30 3B 63 61 75 73 65 3D 31 36 3B 74 65 78 74 3D 22 4E 6F 72 6D 61 6C 20 63 61 6C 6C 20 63 6C 65 61 72 69 6E 67 22 0A 43 6F 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 30 0A 0A

asked 13 Jun '12, 13:29

chochi


You could write a script that takes the second output and formats it into something readable by text2pcap, and then use text2pcap to convert that to a libpcap format file.

answered 13 Jun '12, 22:12

Anders ♦

The idea is to know if somebody knows how to do that :) I don't know how to do what you said, Anders. Thanks for your answer anyway.

(14 Jun '12, 21:34) chochi

just a few comments/thoughts:

  1. Why do you rely on a log file? Why don't you sniff the SIP traffic in the first place, if you need a pcap file?
  2. What do you expect to get if you convert the SIP log to pcap? You won't see more in Wireshark than in the log.
  3. As it's SIP, you might be interested in RTP traffic as well. I doubt that RTP traffic will be logged entirely, so that would be missing in the pcap file.

It would be possible to write a converter script to format your log into "something" that text2pcap can read. However, one would have to insert a lot of fake data (like Ethernet frame, IP frame, TCP ports) that are not in your log.

The idea is to know if somebody known how to do that

  • Try to understand the text2pcap format first. Look at the source code
  • Use any programming language you know
  • Read your log and build the data structure that's needed for text2pcap
  • Write the output

Regards
Kurt

answered 15 Jun '12, 01:32

Kurt Knochner ♦

Hi Kurt! I used Wireshark almost every day with SIP traffic. I don't really need the RTP traffic, only signalling. I work at an ISP provider and sometimes we have to analyse only errors on the network to know how the ASR goes. Unfortunately my company has new equipment (Huawei), and when you capture on the remote servers they only capture SIP signalling and export it in a proprietary format or in these two text options. They made my work harder, because finding a complete call flow in all the SIP traces is a pain in the ass... Thanks anyway for your support!

(15 Jun '12, 06:44) chochi

they export in proprietary format or in this two text options...

I see. What is that proprietary format used for? Do they offer a protocol analyzer for it?

Please check Homer. It looks like it can talk to Huawei equipment and the capture agent on it. This is just a wild guess, as I don't know Homer personally!

http://www.sipcapture.org/

(15 Jun '12, 07:17) Kurt Knochner ♦
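
A converter along the lines suggested in the answers above, as an added example that is not part of the original thread: it reads the second export format (full `[Hex Msg       ]` line) and writes the offset-prefixed hex dump that text2pcap reads, skipping records whose hex is truncated rather than padding them. The function names and the sample input are assumptions made for this illustration.

```python
import re

FIELD = re.compile(r"^\[([^\]]+?)\s*\]\s*(.*?)\s*$")   # "[Key      ] value"
HEX_BYTE = re.compile(r"[0-9A-Fa-f]{2}")

# Constructed sample: record 1 is cut down from the post; record 2 is truncated with "...".
SAMPLE = """\
====================
[No.           ] 1
[TimeStamp     ] 2012-06-13 11:49:03
[Hex Msg       ] 42 59 45 20 73 69 70 3A 31 37 32 2E 32 36 2E 32 2E 36 35 3A
====================
[No.           ] 2
[TimeStamp     ] 2012-06-13 11:49:03
[Hex Msg       ] 42 59 45 20 73 69 70 3A ...
"""

def parse_records(log_text):
    """Split on the '====' rulers; return one {field: value} dict per record."""
    records = []
    for chunk in re.split(r"^=+[ \t]*$", log_text, flags=re.M):
        fields = dict(m.groups() for m in map(FIELD.match, chunk.splitlines()) if m)
        if {"TimeStamp", "Hex Msg"} <= fields.keys():
            records.append(fields)
    return records

def hex_to_bytes(hex_msg):
    """Decode '42 59 45 ...'; refuse truncated or malformed dumps."""
    tokens = hex_msg.split()
    if not tokens or not all(HEX_BYTE.fullmatch(t) for t in tokens):
        raise ValueError("incomplete or malformed hex dump")
    return bytes(int(t, 16) for t in tokens)

def to_text2pcap(record):
    """Timestamp before offset 0 (for text2pcap -t), then 16 bytes per line."""
    payload = hex_to_bytes(record["Hex Msg"])
    rows = [f"{off:06x} " + " ".join(f"{b:02x}" for b in payload[off:off + 16])
            for off in range(0, len(payload), 16)]
    return record["TimeStamp"] + " " + "\n".join(rows) + "\n"

def convert(log_text):
    """Return (text2pcap input, [(record number, reason)] for skipped records)."""
    dump, skipped = [], []
    for rec in parse_records(log_text):
        try:
            dump.append(to_text2pcap(rec))
        except ValueError as err:
            skipped.append((rec.get("No."), str(err)))
    return "".join(dump), skipped
```

Write the first value returned by `convert()` to a file and run text2pcap on it with `-t "%Y-%m-%d %H:%M:%S"` and `-u <srcport>,<dstport>`; the `-u` option makes text2pcap prepend dummy Ethernet, IP and UDP headers, which covers the fake data the log does not contain. The ports are your choice, since the log records only the remote address.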