This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Parsing a binary data packets file

0

I have a file that contains the binary data of the packets (that came from my network interface), without any pcap header or any packet header. The file has no delimiter between each packet. Is there a way to parse this file and convert it to be readable by wireshark/tshark/tcpdump?

Thanks!

asked 17 Nov '16, 01:09


wires-hark

When you say there is no packet header, do you mean that there is nothing but the raw frame as it came from the network (starting from the six bytes of the destination MAC address) or that even the Ethernet, IP, (TCP) headers are missing and you only have the payload?

(17 Nov '16, 01:26) sindy

can you put the file somewhere to take a look at?

(17 Nov '16, 01:29) Jasper ♦♦

Yes, I have only the raw frames

(17 Nov '16, 01:50) wires-hark

If there are just raw frames, and all of them contain IP packets, you should be able to recognize frame boundaries by looking for the MAC address and IP address of the interface (which you should know) and one of two Ethertype values. So you would look for the following patterns in the data (mm:mm:mm:mm:mm:mm is your interface's MAC address, ii:ii:ii:ii is your interface's IPv4 address, and bb:bb:bb:bb is your interface subnet's broadcast address):

(any six bytes):mm:mm:mm:mm:mm:mm:08:00:(any 12 bytes):ii:ii:ii:ii

this is the beginning of an IPv4 packet sent by your interface,

mm:mm:mm:mm:mm:mm:(any six bytes):08:00:(any 16 bytes):ii:ii:ii:ii

this is the beginning of an IPv4 packet sent to the individual address of your interface,

ff:ff:ff:ff:ff:ff:(any six bytes):08:00:(any 16 bytes):bb:bb:bb:bb

this is the beginning of an IPv4 packet sent to a broadcast address of your interface,

ff:ff:ff:ff:ff:ff:(any six bytes):08:06:(any 24 bytes):ii:ii:ii:ii

or

mm:mm:mm:mm:mm:mm:(any six bytes):08:06:(any 24 bytes):ii:ii:ii:ii

these are ARP requests sent to your interface,

(any six bytes):mm:mm:mm:mm:mm:mm:08:06:(any 14 bytes):ii:ii:ii:ii

this is an ARP request sent by your interface,

etc.

The longer patterns you are able to check, the higher the chance that you can determine the frame beginnings properly.

It may not be simple to provide a full list of expressions if you use multicast, if there are some other protocols than IPv4 and ARP for IPv4, ..., so it may be quite an iterative process.

The easiest way to get the result into Wireshark is to print each frame as a line beginning with a 0000 followed by space-separated hexadecimal values of the frame bytes. A space must follow the last byte, and I think the lines should be separated from each other by an empty one.

A hex dump file formatted like this can be imported using the File -> Import from Hex Dump... function of Wireshark, choosing "no dummy header" and "Encapsulation type: Ethernet".

(17 Nov '16, 02:09) sindy

One Answer:

0

Wireshark has the ability to read hex dumps which is described at https://www.wireshark.org/docs/wsug_html_chunked/ChIOImportSection.html. If you create a script that converts your binary data into a hex dump that looks like this:

000000 00 e0 1e a7 05 6f 00 10 ........
000008 5a a0 b9 12 08 00 46 00 ........
000010 03 68 00 00 00 00 0a 2e ........
000018 ee 33 0f 19 08 7f 0f 19 ........
000020 03 80 94 04 00 00 10 01 ........
000028 16 a2 0a 00 03 50 00 0c ........
000030 01 01 0f 19 03 80 11 01 ........


Then you can import it by using "File -> Import from hexdump...".

Whether or not it is doable to convert your binary data into the hexdump depends mostly on the complexity of the network traffic and your scripting skills.

answered 17 Nov '16, 02:10


SYN-bit ♦♦

There’s no need to add the “ASCII” …….. part.

(17 Nov '16, 03:03) grahamb ♦
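Worked example, added here and not part of the thread, of the conversion that sindy's comment and SYN-bit's answer describe: scan the headerless raw-frame blob for the MAC/Ethertype/IP byte patterns to locate frame starts, cut the blob there, and write the pieces as a hex dump for File -> Import from Hex Dump. The interface MAC and IP, the peer addresses and the two sample frames are constructed placeholders, not values from the question.

```python
import re
import struct

# Assumed interface identity and a constructed peer (placeholders, not values from the thread).
IFACE_MAC = bytes.fromhex("001122334455")
IFACE_IP = bytes([10, 0, 0, 5])
PEER_MAC = bytes.fromhex("66778899aabb")
PEER_IP = bytes([10, 0, 0, 1])

def frame_start_regex(mac, ip):
    """One lookahead regex built from the byte patterns in sindy's comment, so every
    candidate frame start is reported even when candidates overlap."""
    m, i = re.escape(mac), re.escape(ip)
    ipv4, arp, bcast = re.escape(b"\x08\x00"), re.escape(b"\x08\x06"), re.escape(b"\xff" * 6)
    alts = [
        b".{6}" + m + ipv4 + b".{12}" + i,                           # IPv4 sent by the interface
        m + b".{6}" + ipv4 + b".{16}" + i,                           # IPv4 sent to the interface
        b"(?:" + m + b"|" + bcast + b").{6}" + arp + b".{24}" + i,   # ARP request to the interface
        b".{6}" + m + arp + b".{14}" + i,                            # ARP sent by the interface
    ]
    return re.compile(b"(?=" + b"|".join(b"(?:" + a + b")" for a in alts) + b")", re.DOTALL)

def find_frame_starts(data, mac=IFACE_MAC, ip=IFACE_IP):
    """Offsets where a pattern matches; a chance match inside a payload is a false boundary."""
    return [hit.start() for hit in frame_start_regex(mac, ip).finditer(data)]

def split_frames(data, mac=IFACE_MAC, ip=IFACE_IP):
    """Cut the blob at each detected start; bytes before the first start are unrecognised and dropped."""
    bounds = find_frame_starts(data, mac, ip) + [len(data)]
    return [data[a:b] for a, b in zip(bounds, bounds[1:])]

def to_hexdump(frames):
    """Import-from-Hex-Dump layout ("no dummy header", Ethernet): 4-digit offset, space-separated
    bytes, a trailing space, and a blank line before the next frame (whose offset restarts at 0000)."""
    lines = []
    for frame in frames:
        for off in range(0, len(frame), 16):
            lines.append(f"{off:04x} " + " ".join(f"{b:02x}" for b in frame[off:off + 16]) + " ")
        lines.append("")
    return "\n".join(lines)

def _ipv4_frame(src_mac, dst_mac, src_ip, dst_ip, payload):
    """Constructed Ethernet + IPv4 frame (checksum left zero; enough for the boundary patterns)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, 64, 17, 0, src_ip, dst_ip)
    return dst_mac + src_mac + b"\x08\x00" + ip_hdr + payload

# Constructed input: two raw frames back to back, no pcap header, no delimiter (40 + 39 bytes).
SAMPLE = (_ipv4_frame(IFACE_MAC, PEER_MAC, IFACE_IP, PEER_IP, b"hello\n")
          + _ipv4_frame(PEER_MAC, IFACE_MAC, PEER_IP, IFACE_IP, b"world"))
```

Run `print(to_hexdump(split_frames(open("frames.bin", "rb").read())))` with your own MAC and IP substituted, save the output to a text file, and import it as sindy describes; if frames are cut in the wrong place, add more patterns or lengthen the existing ones.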