There are many discussions on converting PCAP to TXT but nothing on TXT to PCAP. Let's establish the scenario.

Discussion is based on the Windows platform. The router is a NETGEAR FVS318N. The logs can be sent to a "syslog server"; two examples are "Kiwi Syslog Server" and "TFTpd32 Syslog Server". Out of all the variations and preferences that the syslog server community may offer, the question is focused on how to get the information into "Wireshark".

So first we need to establish that the information that is captured from the router to the syslog server is placed in a log folder in the form of "File.txt". There is nothing special about it. It is a simple "File.txt". It can be opened with a simple Notepad.

Here is where it gets difficult. It is said that you should convert the "txt" file to a "pcap" file. So the CMD is: `text2pcap.exe file.txt file.pcap` - resulting in the following:

asked 17 Nov '14, 01:14 by SJISP, edited 22 Aug '16, 21:44 by Guy Harris
One Answer:
This will only work (and make sense) if the text you have contains the hex bytes of the actual packet content. Syslog is usually text-based stuff, like "port eth0 blocked packet from ip w.x.y.z" - Wireshark is not made for analyzing that kind of thing. You'd be better off using logging systems like Splunk to store and search through those kinds of messages (they have filters that are slightly reminiscent of Wireshark display filters, too). So unless your text file contains the packet bytes, you're not going to have much luck with text2pcap.

answered 17 Nov '14, 01:20 by Jasper
Thanks Jasper. I have just warmed up to Wireshark and like how you can search for specifics. I'll give Splunk a shot.