This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hex Dump off slightly


Hello,

I am developing a program using libpcap to capture Beacon Frames, Probe Requests and Probe Responses from my wireless interface that I specify. When I try and hex dump the packet and look at the packet it is slightly off compared to what I am seeing in Wireshark, so I was wondering why this is and if you guys do something special to the hex dump before you dump it?

If you need to see any more information let me know.

This is what I am doing for the hexdump (just in case you want to see):

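#include <stdio.h>
#include <ctype.h>

/* Print buflen bytes from ptr, 16 per line: offset, hex bytes, ASCII. */
void hexdump(const void *ptr, int buflen) {
    const unsigned char *buf = (const unsigned char *)ptr;
    int i, j;
    for (i = 0; i < buflen; i += 16) {
        /* Six-digit hex offset followed by a colon. */
        printf("%06x: ", i);
        /* Hex column; pad a short last line so the ASCII column lines up. */
        for (j = 0; j < 16; j++)
            if (i + j < buflen)
                printf("%02x ", buf[i + j]);
            else
                printf("   ");
        printf(" ");
        /* ASCII column; non-printable bytes are shown as '.'. */
        for (j = 0; j < 16; j++)
            if (i + j < buflen)
                printf("%c", isprint(buf[i + j]) ? buf[i + j] : '.');
        printf("\n");
    }
}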

Thank you! DO

asked 02 Jun '13, 09:45

_Derko


One Answer:


When you say "slightly off", what exactly is the difference you are seeing between a Wireshark hex dump of the packet and your own output?

A Wireshark "Packet bytes" hex dump output is in the format of [offset] [bytes] [ascii], where those three sections are delimited by two spaces and each byte is delimited by one space.

As an example, this is how I generate a hex dump file from an array of packets in Perl (each entry is a hex string representing an entire packet), where I want to read the output of this into Wireshark's text2pcap utility (not bothering with the ASCII piece):

foreach (@packets) {
    $packet = $_;
    $packet_length = $_ =~ tr/[0-9a-zA-Z]//;
    # The +0.999... is a cheap way to round up for the last line.
    $line_count = int(($packet_length/32) + 0.9999999999);
    for ($n=0; $n < $line_count; $n++){
        $offset = sprintf("%x",($n*16));
        # Assumes no offset greater than 4 hex characters.
        $lead_zeros = 4 - ($offset =~ tr/[0-9a-zA-Z]//);
        $lead_zeros = '0' x $lead_zeros;
        $bytes = substr($packet,$n*32,32);
        # Adds a space character after every byte.
        $bytes =~ s/([0-9a-zA-Z]{2})/$1 /g;
        print "$lead_zeros$offset $bytes\n";
    };
};

answered 02 Jun '13, 12:44

Quadratic

edited 02 Jun '13, 12:47
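
One way to pin down what "slightly off" means is to parse both text dumps back into bytes and report the first offset where they disagree. The C below is an added example, not code from either poster or from Wireshark: `parse_hexdump`, `first_diff` and the two sample dumps are constructed for illustration, and the layout assumed is the one described in the answer, with an optional colon after the offset as in the question's output.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>

/* Parse a dump laid out as "[offset]  [bytes]  [ascii]" back into raw bytes.
 * A byte is exactly two hex digits followed by a space or line end. Returns
 * the byte count, or -1 on an offset mismatch or more than `cap` bytes. */
long parse_hexdump(const char *p, unsigned char *out, size_t cap)
{
    size_t n = 0;
    while (*p) {
        char *end;
        unsigned long off = strtoul(p, &end, 16);
        if (end == p || off != n) return -1;
        for (p = end + (*end == ':'); *p == ' '; p++) {}  /* optional ':', spaces */
        while (isxdigit((unsigned char)p[0]) && isxdigit((unsigned char)p[1]) &&
               (p[2] == ' ' || p[2] == '\n' || p[2] == '\0')) {
            char hex[3] = { p[0], p[1], '\0' };
            if (n >= cap) return -1;
            out[n++] = (unsigned char)strtoul(hex, NULL, 16);
            p += 2;
            if (*p == ' ' && *++p == ' ') break;  /* two spaces: ASCII column */
        }
        while (*p && *p++ != '\n') {}             /* skip to the next line */
    }
    return (long)n;
}

/* First differing offset, the shorter length on a prefix match, -1 if equal. */
long first_diff(const unsigned char *a, size_t an, const unsigned char *b, size_t bn)
{
    size_t i = 0;
    while (i < an && i < bn && a[i] == b[i]) i++;
    return (i == an && i == bn) ? -1 : (long)i;
}
/* Constructed samples: answer's layout vs. question's layout, byte 0x11 changed. */
static const char DUMP_A[] =
    "0000  80 00 00 00 ff ff ff ff ff ff 00 11 22 33 44 55  ............\"3DU\n"
    "0010  00 11                                            ..\n";
static const char DUMP_B[] =
    "000000: 80 00 00 00 ff ff ff ff ff ff 00 11 22 33 44 55  ............\"3DU\n"
    "000010: 00 12                                            ..\n";

int main(void)
{
    unsigned char a[64], b[64];
    long na = parse_hexdump(DUMP_A, a, sizeof a), nb = parse_hexdump(DUMP_B, b, sizeof b);
    if (na >= 0 && nb >= 0) printf("first difference: %ld\n", first_diff(a, na, b, nb));
    return na < 0 || nb < 0;
}
```

If the first difference is at offset 0 or the lengths differ, the two captures are probably not starting at the same layer, which is a different problem from a formatting mismatch.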