Weblog entry #55 for Utumno
See all weblog entries made by Utumno.
#55
Raw packet analyzer
Posted by Utumno on Thu 7 May 2009 at 08:40
Dear lazyweb,
I've got a log ( a .txt file) containing a loooong sequence of raw network packets. The log looks like this:
ff ff ff ff ff ff 00 03 91 4b 33 57 08 06 00 01 ..3W.... 08 00 06 04 00 01 00 03 91 4b 33 57 0a 27 f4 07 ........3W.'? 00 00 00 00 00 00 0a 27 f4 01 00 00 00 00 00 00 .......'?...... 00 00 00 00 00 00 00 00 00 00 00 00 ............ 00 13 11 e9 c3 e6 00 03 91 4b 33 57 08 00 45 00 ...橨?.3W..E. 00 2c 00 bc 00 00 40 06 8b 50 0a 27 f4 07 cb 61 .,.?.@..'?犿 25 30 1b 69 00 50 00 0f 72 25 00 00 00 00 60 02 %0.i.P..r%....`. 16 d0 04 a9 00 00 02 04 05 b4 .??....? (many more packets here)
I am looking for a tool which would let me import (perfectly the whole file, failing that - one packet at a time ) this data and analyze it. (in similar way Wireshark does it for its captures.)
I've searched the web and came up empty-handed. Any hints?
Comments on this Entry
Posted by Anonymous (90.230.xx.xx) on Thu 7 May 2009 at 19:11
Something like: http://www.wireshark.org/docs/man-pages/text2pcap.html
[ Parent | Reply to this comment ]
Posted by Anonymous (71.255.xx.xx) on Tue 12 May 2009 at 01:53
Will this do? Try saving this as log2t2p.awk :
BEGIN { printf "## translated to text2pcap format -- " ; system("date")
; print "## run as $ awk -f log2t2p.awk mylog.txt \n" ; hexoffset = 0 }
substr($0,1,1) ~ /[0-9a-fA-F]/ { printf "%04x %s ........\n"
, hexoffset, substr($0,1,24) ; hexoffset += 8}
substr($0,25,1) ~ /[0-9a-fA-F]/ { printf "%04x %s ........\n"
, hexoffset, substr($0,25,24) ; hexoffset += 8 }
substr($0,1,1) !~ /[0-9a-fA-F]/ { print "" ; hexoffset = 0 }
END { print "\n## finished \n" }
BEGIN { printf "## translated to text2pcap format -- " ; system("date")
; print "## run as $ awk -f log2t2p.awk mylog.txt \n" ; hexoffset = 0 }
substr($0,1,1) ~ /[0-9a-fA-F]/ { printf "%04x %s ........\n"
, hexoffset, substr($0,1,24) ; hexoffset += 8}
substr($0,25,1) ~ /[0-9a-fA-F]/ { printf "%04x %s ........\n"
, hexoffset, substr($0,25,24) ; hexoffset += 8 }
substr($0,1,1) !~ /[0-9a-fA-F]/ { print "" ; hexoffset = 0 }
END { print "\n## finished \n" }
[ Parent | Reply to this comment ]
Posted by Anonymous (71.255.xx.xx) on Tue 12 May 2009 at 01:58
Will this do? Try saving this as log2t2p.awk :
BEGIN { printf "## translated to text2pcap format -- " ; system("date")
; print "## run as $ awk -f log2t2p.awk mylog.txt \n" ; hexoffset = 0 }
substr($0,1,1) ~ /[0-9a-fA-F]/ { printf "%04x %s ........\n"
, hexoffset, substr($0,1,24) ; hexoffset += 8}
substr($0,25,1) ~ /[0-9a-fA-F]/ { printf "%04x %s ........\n"
, hexoffset, substr($0,25,24) ; hexoffset += 8 }
substr($0,1,1) !~ /[0-9a-fA-F]/ { print "" ; hexoffset = 0 }
END { print "\n## finished \n" }
BEGIN { printf "## translated to text2pcap format -- " ; system("date")
; print "## run as $ awk -f log2t2p.awk mylog.txt \n" ; hexoffset = 0 }
substr($0,1,1) ~ /[0-9a-fA-F]/ { printf "%04x %s ........\n"
, hexoffset, substr($0,1,24) ; hexoffset += 8}
substr($0,25,1) ~ /[0-9a-fA-F]/ { printf "%04x %s ........\n"
, hexoffset, substr($0,25,24) ; hexoffset += 8 }
substr($0,1,1) !~ /[0-9a-fA-F]/ { print "" ; hexoffset = 0 }
END { print "\n## finished \n" }
[ Parent | Reply to this comment ]