Hi All, I searched through and did not find this question asked already. Yesterday I received my very first tcpdump.txt file - up to this point all my captures were .pcap so I did not know what to do with that. Some research shows we have text2pcap... and I thought OK GREAT I will convert it... The commands I have tried:

    text2pcap tcpdump.txt tcpdump.pcap

this actually returns

    Input from: tcpdump.txt
    Output to: tcpdump.pcap
    Output format: PCAP
    Read 170 potential packets, wrote 0 packets (24 bytes).

I have also tried adding in -a and some of the other options but nothing seems to work for me... every time it returns a file it is 1KB. Can someone tell me if this is the correct tool to use for this and possibly how to use it? Or if there is a better way... I have never worked with this type of file before.
asked 20 Jun '14, 04:55
edited 20 Jun '14, 17:24
Guy Harris ♦♦
text2pcap turns text in the form of hex dumps of packet contents into pcap files.
Unfortunately, that's probably not what you have; you probably have the result of tcpdump dissecting packets and, as the article that was suggested as possibly "[solving] your problem" says, the tcpdump dissection has probably permanently discarded data from the packet, so you probably will not be able to get a pcap file from it (i.e., it "solves" your problem by telling you it's insoluble).
In the future, make sure whoever makes captures with tcpdump for you to analyze uses the
In the present, learn the format of tcpdump output and see whether the text file tells you enough to let you analyze the problem.
answered 20 Jun '14, 17:28
Guy Harris ♦♦
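
One way to test a given text file against the point made in the answer, as an added example that is not part of the original answer: text2pcap needs hex dumps, which tcpdump prints only when run with -x, -xx, -X or -XX. The script looks for those lines and re-emits them in the offset-plus-bytes layout text2pcap reads; the sample lines and function names are constructed for illustration.

```python
import re

# A tcpdump hex-dump line: "\t0x0010:  c000 0202 04d2 ..." (-X adds an ASCII
# column after two spaces, which this pattern stops short of).
HEX_LINE = re.compile(
    r"^\s+0x([0-9a-fA-F]{4,}):\s+((?:[0-9a-fA-F]{4} )*(?:[0-9a-fA-F]{2}){1,2})")

def extract_packets(text):
    """Return one bytes object per packet that carries a hex dump."""
    packets, current = [], bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if m:
            if int(m.group(1), 16) == 0 and current:  # next dump starts
                packets.append(bytes(current))
                current = bytearray()
            current += bytes.fromhex(m.group(2).replace(" ", ""))
        elif current:  # summary line or blank line ends the dump
            packets.append(bytes(current))
            current = bytearray()
    if current:
        packets.append(bytes(current))
    return packets

def to_text2pcap(packets):
    """Format packets as 'offset byte byte ...' lines, blank line between."""
    out = []
    for pkt in packets:
        for off in range(0, len(pkt), 16):
            chunk = pkt[off:off + 16]
            out.append("%06x %s" % (off, " ".join("%02x" % b for b in chunk)))
        out.append("")
    return "\n".join(out)

# Constructed sample: the same packet as summary-only and as "tcpdump -x" output.
SUMMARY_ONLY = ("04:55:00.000001 IP 192.0.2.1.1234 > 192.0.2.2.80: "
                "Flags [S], seq 1, win 8192, length 0\n")
WITH_HEX = SUMMARY_ONLY + (
    "\t0x0000:  4500 0028 0001 4000 4006 0000 c000 0201\n"
    "\t0x0010:  c000 0202 04d2 0050 0000 0001 0000 0000\n"
    "\t0x0020:  5002 2000 0000 0000\n")

if __name__ == "__main__":
    for name, text in (("summary only", SUMMARY_ONLY), ("with -x", WITH_HEX)):
        pkts = extract_packets(text)
        print("%s: %d packet(s) with recoverable bytes" % (name, len(pkts)))
        print(to_text2pcap(pkts))
```

If no hex lines are found, the file holds only dissected summaries and there are no packet bytes to convert. Dumps made with -x or -X omit the link-level header, so text2pcap's -e option (dummy Ethernet header) is needed when converting those.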