Wireshark mailing list archives
Re: text2pcap - strange packets after converting a Hex-dump
From: "Ullmann, Robert" <robert.ullmann () sap com>
Date: Fri, 22 Jul 2011 15:23:18 +0200
Also tried with -x. The result is the same.

@ Shaineel: to answer your question: we use the first "tshark" with ssl-decryption. Writing this output to stdout or a simple text file gives the decrypted ssl-http-traffic. But writing the decrypted traffic with "-w" as a pcap-file results in just recording the ENCRYPTED traffic to this pcap-file. So the decryption seems to be only something like a "display filter".

Isn't tshark able to write this decrypted traffic to a pcap directly???

-----Original Message-----
From: wireshark-users-bounces () wireshark org [mailto:wireshark-users-bounces () wireshark org] On Behalf Of Chris Maynard
Sent: Tuesday, 28 June 2011 22:11
To: wireshark-users () wireshark org
Subject: Re: [Wireshark-users] text2pcap - strange packets after converting a Hex-dump

Ullmann, Robert <robert.ullmann@...> writes:

> we need to convert a hex dump written with tshark to a pcap-file to replay the
> packets.
> We're capturing http-streams and writing them as hex. When we use text2pcap to
> convert it to pcap format, the output of text2pcap is with no error - the
> packets got written successfully.
> The strange thing happens when we replay the pcap or just let tshark read the
> pcap file.
> Most of the packets are reported to be malformed. Sometimes we also find e.g.
> hsrp-packets.
> What are we doing wrong?
> Capturing packets with: "tshark -i eth1 -n port 443 -V -R http" (we see the
> http stream/packets)
> Writing to file: "tshark -i eth1 -n port 443 -V -R http | grep -e
> "^[0-9a-f][0-9a-f][0-9a-f][0-9a-f]" > file_hex.dump"

Maybe you already solved this yourself by now or no longer have the need for a solution, but it looks to me like you're missing the tshark -x option.

___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users () wireshark org>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request () wireshark org?subject=unsubscribe
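
A sanity check for the kind of grep-filtered hex dump discussed in this thread, as an added example that is not code from the thread or from the Wireshark project: it parses offset-prefixed hex lines into packets, rejects a dump whose offsets do not line up, and builds a classic pcap from the result. The column layout (4-digit offset, two spaces, up to 16 hex bytes, then an ASCII column) is an assumption about `tshark -x` output, the sample dump is constructed, and `parse_hexdump` and `build_pcap` are hypothetical names.

```python
import re
import struct

# Hex-dump line: 4-digit offset, two spaces, hex bytes (layout assumed for tshark -x)
OFFSET_LINE = re.compile(r"^([0-9a-f]{4})  ")

# Constructed sample: one summary line plus the hex dump of two small frames
SAMPLE = """\
Frame 1: 20 bytes on wire
0000  00 11 22 33 44 55 66 77 88 99 aa bb 08 00 45 00   .."3DUfw......E.
0010  00 14 00 01                                       ....
0000  ff ff ff ff ff ff 66 77 88 99 aa bb 08 06 00 01   ......fw........
"""

def parse_hexdump(text):
    """Return a list of packets (bytes); offset 0000 starts a new packet."""
    packets, cur = [], None
    for n, line in enumerate(text.splitlines(), 1):
        m = OFFSET_LINE.match(line)
        if not m:
            continue  # summary or detail line, not part of the dump
        offset = int(m.group(1), 16)
        try:
            data = bytes.fromhex(line[6:54])  # hex column only, ASCII column skipped
        except ValueError:
            raise ValueError(f"line {n}: hex column is not clean hex") from None
        if offset == 0:
            cur = bytearray()
            packets.append(cur)
        elif cur is None or offset != len(cur):
            # A gap or overlap means lines were lost or mixed; the result would be malformed
            raise ValueError(f"line {n}: offset {offset:04x} does not continue the packet")
        cur += data
    return [bytes(p) for p in packets]

def build_pcap(packets, linktype=1):
    """Return classic pcap file bytes; linktype 1 is Ethernet."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for i, pkt in enumerate(packets):
        # Timestamps are constructed: packet index as seconds, zero microseconds
        out += struct.pack("<IIII", i, 0, len(pkt), len(pkt)) + pkt
    return out

if __name__ == "__main__":
    pkts = parse_hexdump(SAMPLE)
    print(len(pkts), [len(p) for p in pkts], len(build_pcap(pkts)))
```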