I have a file that contains the binary data of the packets (that came from my network interface), without any pcap header or any packet header. The file has no delimiter between each packet. Is there a way to parse this file and convert it to be readable by wireshark/tshark/tcpdump? Thanks!

asked 17 Nov '16, 01:09 wires-hark
One Answer:
Wireshark has the ability to read hex dumps which is described at https://www.wireshark.org/docs/wsug_html_chunked/ChIOImportSection.html. If you create a script that converts your binary data into a hex dump that looks like this:
Then you can import it by using "File -> Import from hexdump..." Whether or not it is doable to convert your binary data into the hexdump depends mostly on the complexity of the network traffic and your scripting skills.

answered 17 Nov '16, 02:10 SYN-bit ♦♦

There's no need to add the "ASCII" ........ part. (17 Nov '16, 03:03) grahamb ♦
When you say there is no packet header, do you mean that there is nothing but the raw frame as it came from the network (starting from the six bytes of the destination MAC address) or that even the Ethernet, IP, (TCP) headers are missing and you only have the payload?
Can you put the file somewhere to take a look at?
Yes, I have only the raw frames
If there are just raw frames, and all of them contain IP packets, you should be able to recognize frame boundaries by looking for the MAC address and IP address of the interface (which you should know) and one of two Ethertype values. So you would look for the following patterns in the data (mm:mm:mm:mm:mm:mm is your interface's MAC address, ii:ii:ii:ii is your interface's IPv4 address, and bb:bb:bb:bb is your interface subnet's broadcast address):

(any six bytes):mm:mm:mm:mm:mm:mm:08:00:(any 12 bytes):ii:ii:ii:ii
this is the beginning of an IPv4 packet sent by your interface,

mm:mm:mm:mm:mm:mm:(any six bytes):08:00:(any 16 bytes):ii:ii:ii:ii
this is the beginning of an IPv4 packet sent to the individual address of your interface,

this is the beginning of an IPv4 packet sent to a broadcast address of your interface,

or

these are ARP requests sent to your interface,

this is an ARP request sent by your interface,

etc.
The longer patterns you are able to check, the higher the chance that you can determine the frame beginnings properly.
It may not be simple to provide a full list of expressions if you use multicast, if there are some other protocols than IPv4 and ARP for IPv4, ..., so it may be quite an iterative process.
The easiest way to get the result into Wireshark is to print each frame as a line beginning with a 0000 followed by space-separated hexadecimal values of the frame bytes. A space must follow the last byte, and I think the lines should be separated from each other by an empty one. A hex dump file formatted like this can be imported using the File -> Import from Hex Dump... function of Wireshark, choosing "no dummy header" and "Encapsulation type: Ethernet".
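As an added example (my own code, not from any of the posters above): a small Python script that applies the IPv4 unicast patterns from the comment above, plus the broadcast case, to locate frame boundaries in a raw-frame file, and then writes one hex dump line per frame in the format just described. The MAC and IP addresses and the two sample frames are constructed; the script assumes Ethernet/IPv4 frames with a 20-byte IP header, as the patterns do.

```python
import sys

ETHERTYPE_IPV4 = b"\x08\x00"
BROADCAST_MAC = b"\xff" * 6

def frame_starts(data, mac, ip, bcast_ip=None):
    """Offsets at which a frame to or from our interface appears to begin.
    Ethernet/IPv4 layout: dst MAC at 0, src MAC at 6, EtherType at 12,
    IPv4 source address at 26, IPv4 destination address at 30."""
    starts = []
    for i in range(len(data) - 33):  # every pattern needs 34 bytes
        if data[i + 12:i + 14] != ETHERTYPE_IPV4:
            continue
        dst_mac, src_mac = data[i:i + 6], data[i + 6:i + 12]
        src_ip, dst_ip = data[i + 26:i + 30], data[i + 30:i + 34]
        sent_by = src_mac == mac and src_ip == ip
        sent_to = dst_mac == mac and dst_ip == ip
        bcast = bcast_ip is not None and dst_mac == BROADCAST_MAC and dst_ip == bcast_ip
        if sent_by or sent_to or bcast:
            starts.append(i)
    return starts

def split_frames(data, starts):
    """A frame runs from its detected start to the next start (or end of data)."""
    return [data[s:e] for s, e in zip(starts, starts[1:] + [len(data)])]

def to_hexdump(frames):
    """One line per frame: offset 0000, space-separated hex bytes, a trailing
    space, then an empty line; each 0000 offset starts a new packet on import."""
    return "".join("0000 " + " ".join(f"{b:02x}" for b in f) + " \n\n" for f in frames)

def convert(data, mac, ip, bcast_ip=None):
    return to_hexdump(split_frames(data, frame_starts(data, mac, ip, bcast_ip)))

# Constructed sample: two 42-byte Ethernet/IPv4/UDP frames back to back, one sent
# by interface 02:00:00:00:00:01 / 192.168.0.2 and one sent to it (checksums zero).
OUR_MAC, OTHER_MAC = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
OUR_IP, OTHER_IP = bytes.fromhex("c0a80002"), bytes.fromhex("c0a80001")
IP_HDR = bytes.fromhex("4500001c0001000040110000")  # IPv4 header up to the addresses
UDP = bytes.fromhex("1234003500080000")
SAMPLE = (OTHER_MAC + OUR_MAC + ETHERTYPE_IPV4 + IP_HDR + OUR_IP + OTHER_IP + UDP
          + OUR_MAC + OTHER_MAC + ETHERTYPE_IPV4 + IP_HDR + OTHER_IP + OUR_IP + UDP)

if __name__ == "__main__":  # usage: rawframes2hex.py frames.bin 02:00:00:00:00:01 192.168.0.2 [192.168.0.255]
    raw = open(sys.argv[1], "rb").read()
    mac = bytes.fromhex(sys.argv[2].replace(":", ""))
    ips = [bytes(int(o) for o in a.split(".")) for a in sys.argv[3:5]]
    sys.stdout.write(convert(raw, mac, ips[0], ips[1] if len(ips) > 1 else None))
```

Redirect the output to a text file and import it with "no dummy header" and "Encapsulation type: Ethernet"; a false match inside a payload would split a frame in two, which is why checking longer patterns helps.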