This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Problem with import of Hex Dump!

0

Hi,

I hope there is someone, that can answer my question/ problem, and sorry if my English isn't the best.

First I would like to describe what I want to do: I want to capture packets/ protocols, but with the addition of an imported packet/ protocol that should show up in the captured packets. The package I want to add is special: I want it to have a string for example "12345" in the payload or in the protocol headers [using ASCII to translate it] and to be able to find the packet under: String, "12345", Packet Bytes.

Now the problems: I don't get the import from Hex Dump right whatever I try, the program always complains about errors/ mistakes, or just doesn't find the string "12345" when I want to find the packet. When importing I never change anything in the import menu, should I maybe change something there, for example other headers, instead of "no dummy header"? Or am I doing the package/ packet itself wrong? I already tried many different combinations of numbers, maybe I miss something important? I would be really glad if someone could help me out about the packet itself (the numbers and stuff). Maybe someone could explain it for me/ give me an answer for an example: 991199

If I wanted this string to show up in the payload/ headers as described before, how would the packet look like? What is important?

I would appreciate help a lot!

Thanks!

asked 17 Jun '16, 11:34

Maximal99334
accept rate: 0%

edited 18 Jun '16, 10:49

Jasper ♦♦


One Answer:

1

First things first, your hex dump file must match the format as described in the text2pcap manual page.

So let's test this, let's try an import.

Put this in a text file:

0000 31 32 33 34 35 12345

Go to Wireshark, select import from hex dump. Select this file you just saved, select UDP and fill in both ports, eg. '1000'. Then click import. Now you should see the packet you're looking for in Wireshark.

Export this packet dissection (via the file menu) to a plain text file and select as packet format only 'Bytes'.

This file you can import from the hex dump again, without the need to add a dummy header any more, it's a complete packet now. So this file can be inserted into your other file before you import that.

PS: This assumes you're talking about Ethernet packets, but I hope my guess is right.

answered 17 Jun '16, 14:58

Jaap ♦
accept rate: 14%

Thanks a lot Jaap, but it still doesn't work :(

Let me explain where I still have problems:

I did everything as described by you. I imported with UDP 1000 and below I filled 1000 as well. Before the packet dissection export this was my packet: 0000 31 32 33 34 35 12345

I did the packet dissection export with these steps:

- file menu
- packet dissection export
- as plain text
- then I just selected Packet Bytes in the Packet Format Box, but didn't change anything else
- then I chose the original file and saved it on it (I did overwrite it)

Is that correct?

Then the text file looked like this:

      1 0.000000       1.1.1.1               2.2.2.2               UDP      60     1000 → 1000  Len=5
Frame 1: 60 bytes on wire (480 bits), 60 bytes captured (480 bits)
Ethernet II, Src: Send_00 (20:53:45:4e:44:00), Dst: Receive_00 (20:52:45:43:56:00)
Internet Protocol Version 4, Src: 1.1.1.1, Dst: 2.2.2.2
User Datagram Protocol, Src Port: 1000 (1000), Dst Port: 1000 (1000)
Data (5 bytes)
0000  20 52 45 43 56 00 20 53 45 4e 44 00 08 00 45 00    RECV. SEND...E.
0010  00 21 12 34 00 00 ff 11 a3 92 01 01 01 01 02 02   .!.4............
0020  02 02 03 e8 03 e8 00 0d 58 98 31 32 33 34 35 00   ........X.12345.
0030  00 00 00 00 00 00 00 00 00 00 00 00               ............

Then I imported that file from hex dump without choosing a dummy header this time, as you said.

But when I want to find the string 12345 in "find packet", with the search options (Packet Bytes, narrow and wide, string, 12345) it still doesn't work and wireshark says: "Search reached the end. Continuing from beginning".

What is the problem?

And when I click on "Start capture Packets", it still doesn't work and wireshark says, that it couldn't find that string in the core files/ packet files, bytes.

I hope you can help me (or someone else that is online).

(18 Jun '16, 03:22) Maximal99334

Oh and my text documents that I use are type .txt and are created by PSPad (if that matters).

And what exactly did you mean with: "So this file can be inserted into your other file before you import that."

Oh and what may be important as well, is that I want to use a string that consists of 6 numbers, like for example 991199.

I really hope that these infos in addition to the ones in my comment above help you, help me ;)

(18 Jun '16, 03:52) Maximal99334

One additional question:

How can I include the packet to show up in the capture of the communication protocols, if I start capturing protocols? Because right now I have the feeling that the packet doesn't show up in the captured packets/ protocols.

I would be thankful for a fast answer, it is really important!

(18 Jun '16, 06:20) Maximal99334

Oh okay, I was under the impression that you wanted to add your special packets after the capture was done. Now I understand you want to do that while the capture is happening?

If so, have a look at the Tools wiki page, like PackETH, or Ostinato.

(18 Jun '16, 10:32) Jaap ♦
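
Added example, not part of the original thread: a small Python check that writes a hex dump in the offset-plus-bytes layout used above for any ASCII string (here 991199) and parses an exported dump back into bytes to confirm where the string sits in the frame. The function names and the line-matching rule are assumptions of this example, not text2pcap's own parser; the sample export lines are copied from the comment above.

```python
import re

# One dump line: an offset of 3+ hex digits, then up to 16 two-digit hex
# bytes, each followed by whitespace or end of line. The ASCII column and any
# other trailing text are ignored. (This example's rule, not text2pcap's code.)
LINE_RE = re.compile(r"^\s*([0-9A-Fa-f]{3,})\s+((?:[0-9A-Fa-f]{2}(?:\s|$)){1,16})")


def to_hexdump(payload: bytes, width: int = 16) -> str:
    """Render bytes as 'offset  hex bytes' lines describing one packet."""
    lines = []
    for off in range(0, len(payload), width):
        chunk = payload[off:off + width]
        lines.append(f"{off:04x}  " + " ".join(f"{b:02x}" for b in chunk))
    return "\n".join(lines) + "\n"


def parse_hexdump(text: str) -> bytes:
    """Recover the packet bytes from a dump, skipping summary/text lines."""
    out = bytearray()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # e.g. "Frame 1: ..." or "Data (5 bytes)"
        if int(m.group(1), 16) != len(out):
            raise ValueError(f"offset does not continue the packet: {line!r}")
        out += bytes.fromhex(m.group(2))
    return bytes(out)


# Lines copied from the export quoted in the comments above.
EXPORT = """\
Frame 1: 60 bytes on wire (480 bits), 60 bytes captured (480 bits)
Data (5 bytes)
0000  20 52 45 43 56 00 20 53 45 4e 44 00 08 00 45 00    RECV. SEND...E.
0010  00 21 12 34 00 00 ff 11 a3 92 01 01 01 01 02 02   .!.4............
0020  02 02 03 e8 03 e8 00 0d 58 98 31 32 33 34 35 00   ........X.12345.
0030  00 00 00 00 00 00 00 00 00 00 00 00               ............
"""

if __name__ == "__main__":
    print(to_hexdump(b"991199"), end="")  # payload-only dump for the import dialog
    frame = parse_hexdump(EXPORT)
    print(len(frame), "bytes; '12345' at offset", frame.find(b"12345"))
```

The offset it reports for the exported frame, 42, equals the 14-byte Ethernet, 20-byte IPv4 and 8-byte UDP headers added by the import, so the string is present in the file itself.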