This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

pcap to txt

0

Hi !

If pcap can be converted to txt by using: "tshark -V -r original.pcap > file_to_convert.txt" and pcap can be converted to txt: "text2pcap.exe -e 0x800 file_to_convert.txt result.pcap", why does the resulted file have a different dimension from the original one?

Is there something that I could change in order to make it right ?

Thank you !

asked 20 Nov '12, 06:19

AvL's gravatar image

AvL
1224
accept rate: 0%

edited 20 Nov '12, 06:30

Jaap's gravatar image

Jaap ♦
11.7k16101


One Answer:

1

Because the output of tshark -V is not the input format of text2pcap. See the manual of text2pcap for the format requirements. These programs are not each others opposite.

answered 20 Nov '12, 06:33

Jaap's gravatar image

Jaap ♦
11.7k16101
accept rate: 14%

Thank you !!

Is there a combination of programs that would result a file the same with the original ?

(20 Nov '12, 06:44) AvL

I've changed the commands , but i still don't get the expected result . Is it possible to get the original as final output ? Or am I searching something that can't be done ?

Thanks !

(20 Nov '12, 07:45) AvL

Sure. od the pcap file, run it through a Perl script to filter out the PCAP headers and construct a text dump file in the specified format. Better yet, have the Perl script read the PCAP file directly, using NET::TcpDumpLog. The Perl script you'll have to write though.

(21 Nov '12, 04:17) Jaap ♦

Thanks ! I'll try that .

(21 Nov '12, 05:35) AvL