This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Convert TCP streams only to pcap (or any Wireshark compatible format)

0

I'm writing a network application, and would like to add the ability for it to save all of its own sent/received data to disk. By itself, the problem is simple: I could just invent a file format that stores sent/received packets along with timestamps and network addresses... but I would like to use a format that's compatible with Wireshark, so I can use it to inspect the captures. I know I could also use libpcap and record a real packet capture, but I'd like to avoid the dependency + root privilege / system configuration requirement.

The problem with using formats such as pcap in this case is that these formats store the packets in their entirety, including Ethernet, IP and TCP headers. On the application level, I do not have this information - only data received by recv() and sent by send(). Writing .pcap files would mean faking Ethernet/IP/TCP headers, as well as TCP handshakes etc.

So, what's the easiest way to write a Wireshark-compatible format (or a format convertible to it) from within a network application?

asked 09 Sep '15, 04:36


CyberShadow
6113
accept rate: 100%


One Answer:

0

Figured out a way - use text2pcap:

First, save or convert your captured data to the following text format (one file per connection / TCP stream):

O 2015-09-09 00:00:00.000001 00000000 01 02 03 04 05
I 2015-09-09 00:00:00.000002 00000000 01 02 03 04 05
O 2015-09-09 00:00:00.000003 00000000 02 03 04 05 06
I 2015-09-09 00:00:00.000004 00000000 02 03 04 05 06

Then, run:

text2pcap -t "%Y-%m-%d %H:%M:%S." -T 55555,1234 -4 127.0.0.1,1.2.3.4 -D -n input.txt output.pcapng

Replace ports and IPs with the real ones as appropriate.

answered 09 Sep '15, 06:54


CyberShadow
6113
accept rate: 100%
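A small helper that writes the text2pcap input format shown in the answer straight from an application's own send()/recv() events, and builds the matching text2pcap command line. This is an added example, not code from the original answer; the event tuples, the function names and the sample payloads are constructed for illustration.

```python
from datetime import datetime

# Constructed sample events: (direction, timestamp, payload) as an application
# would record them around send()/recv(). "O" = sent, "I" = received.
SAMPLE_EVENTS = [
    ("O", datetime(2015, 9, 9, 0, 0, 0, 1), b"\x01\x02\x03\x04\x05"),
    ("I", datetime(2015, 9, 9, 0, 0, 0, 2), b"\x01\x02\x03\x04\x05"),
    ("O", datetime(2015, 9, 9, 0, 0, 0, 3), bytes(range(20))),
]


def text2pcap_lines(direction, ts, payload, width=16):
    """Render one send()/recv() event as text2pcap hex-dump lines.

    The first line carries the direction indicator (consumed by -D) and a
    timestamp matching -t "%Y-%m-%d %H:%M:%S." (text2pcap reads the fraction
    after the dot itself). Offset 00000000 starts a new packet; longer payloads
    continue on further lines, 16 bytes per line. A zero-length payload (for
    example the recv() that signals a closed connection) produces no packet.
    """
    if direction not in ("I", "O"):
        raise ValueError("direction must be 'I' (received) or 'O' (sent)")
    lines = []
    for off in range(0, len(payload), width):
        chunk = " ".join(f"{b:02x}" for b in payload[off:off + width])
        prefix = f"{direction} {ts.strftime('%Y-%m-%d %H:%M:%S.%f')} " if off == 0 else ""
        lines.append(f"{prefix}{off:08x} {chunk}")
    return lines


def render_stream(events):
    """One text2pcap input file per TCP stream: all events, in order."""
    return "\n".join(line for ev in events for line in text2pcap_lines(*ev)) + "\n"


def text2pcap_argv(infile, outfile, local_port, remote_port, local_ip, remote_ip):
    """argv for the text2pcap invocation from the answer (pcapng output).

    -T/-4 give the src,dst of an "O" packet; with -D the "I" packets are swapped.
    """
    return ["text2pcap", "-t", "%Y-%m-%d %H:%M:%S.", "-T", f"{local_port},{remote_port}",
            "-4", f"{local_ip},{remote_ip}", "-D", "-n", infile, outfile]


if __name__ == "__main__":
    with open("input.txt", "w") as fh:
        fh.write(render_stream(SAMPLE_EVENTS))
    print(" ".join(text2pcap_argv("input.txt", "output.pcapng", 55555, 1234,
                                  "127.0.0.1", "1.2.3.4")))
```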