This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

text2pcap “Inconsistent offset. Expecting 0, got 10”

0

I have the following data I'd like to convert to a pcap with text2pcap:

# cat ~/temp.argus
12:00:01.3214
  0000       2665 7547 4a0b c0f2 0fed 1a9b 9c1d b9f3        &euGJ...........
  0010       7096 d098 7a1f 6255 f92e d9b0 b202 6c03        p...z.bU......l.

I attempt to do this by executing the following:

# text2pcap -i 4 -T 65000,80 -d ~/temp.argus ~/test.pcap

But I receive the following error and conversion fails:

Input from: /root/temp.argus
Output to: /root/test.pcap
Generate dummy Ethernet header: Protocol: 0x800
Generate dummy IP header: Protocol: 6
Generate dummy TCP header: Source port: 65000. Dest port: 80
Start new packet
Inconsistent offset. Expecting 0, got 10. Ignoring rest of packet
-------------------------
Read 1 potential packet, wrote 0 packets

What is wrong with the syntax of the previous file? It's indicated that text2pcap recognizes the packet, as a packet, but doesn't like the 0010 offset? How do I resolve this issue?

Thanks,

Matt

[update]

Thanks guys. I think I also tried "%T.%f" originally (without the trailing .), but was not successful. I will test all three tomorrow and let you know. Thanks.

asked 02 Jul '13, 13:10

mbrownnyc's gravatar image

mbrownnyc
11113
accept rate: 0%

edited 02 Jul '13, 19:19

One Answer:

1

text2pcap needs a defined format as input, which is described here:

http://www.wireshark.org/docs/man-pages/text2pcap.html

In your input, text2pcap does not understand the date stamp. If you reformat the input like shown below, it will accept it.

0000 26 65 75 47 4a 0b c0 f2 0f ed 1a 9b 9c 1d b9 f3        &euGJ...........
0010 70 96 d0 98 7a 1f 62 55 f9 2e d9 b0 b2 02 6c 03        p...z.bU......l.

Regards
Kurt

answered 02 Jul '13, 14:04

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

edited 02 Jul '13, 14:05

Thanks Kurt. I'll give this a shot tomorrow. It's stated in the docs that if no timestamp is provided, then each packet is stamped a second apart. How do I properly supply the timstamp? Thanks.

(02 Jul '13, 15:25) mbrownnyc

Ah, it was your intention to have the time stamp in the packets. So, then please use the following command:

text2pcap -i 4 -T 65000,80 -t "%H:%M:%S." -d input.txt output.pcap

with this input.txt

12:00:01.3214
  0000  26 65 75 47 4a 0b c0 f2 0f ed 1a 9b 9c 1d b9 f3        &euGJ...........
  0010  70 96 d0 98 7a 1f 62 55 f9 2e d9 b0 b2 02 6c 03        p...z.bU......l.
(02 Jul '13, 16:00) Kurt Knochner ♦
1

Or you can use the shorter form:

text2pcap -i 4 -T 65000,80 -t "%T." -d input.txt output.pcap

Refer to strptime for more details on the various time field descriptors.

Incidentally, Wireshark also supports importing a text file in this format to a pcap file. Use "File -> Import from Hex Dump" (or "File -> Import" for Wireshark 1.8).

(02 Jul '13, 18:08) cmaynard ♦♦