Convert .txt into .pcap format

Question

I have the following from a cisco packet capture as a large text file.

00000000:  A1B2C3D4 00020004 00000000 00000000    !2CT .... .... .... 
00000010:  000005EE 0000000C 53F608E8 00074B1B    ...n .... Sv.h ..K. 
00000020:  000000C4 000000C4 450000C4 10160000    ...D ...D E..D ....

I see that there needs to be spaces between every hex set of characters like this for it to be recognized by wireshark.

00000000:  A1 B2 C3 D4 00 02 00 04 00 00 00 00 00 00 00 00    !2CT .... .... .... 
00000010:  00 00 05 EE 00 00 00 0C 53 F6 08 E8 00 07 4B 1B    ...n .... Sv.h ..K. 
00000020:  00 00 00 C4 00 00 00 C4 45 00 00 C4 10 16 00 00    ...D ...D E..D ....

I tested using text2pcap but it wont convert it correctly. The file is huge.

What do you recommend?

Answer 1

You'll probably have to write a small script to insert the space characters, or change the text2pcap code for your needs. It doesn't look complicated, should not be more than half an hour of coding (but I have to admit I'm not famous for getting code effort estimates right :-)).

Answer 2

I'm sure this can be made more efficient by all of you scripting gurus out there (you know who you are), but here's one solution that seems to work by using sed and xxd to convert the data back to a binary pcap file without the need for text2pcap, which probably wouldn't work anyway because the data looks like it's from a raw libpcap file, and not simply packet data which text2pcap expects:

sed 's/^[0-9:]*//' file.txt | sed 's/^  //g' | sed 's/    .*$//g' | xxd -r -p > file.pcap

The A1B2C3D4 pretty much gives it away as the magic number of a libpcap file.