Wireshark mailing list archives

Re: text2pcap - strange packets after converting a Hex-dump


From: "Ullmann, Robert" <robert.ullmann () sap com>
Date: Fri, 22 Jul 2011 15:23:18 +0200

Also tried with -x. The result is the same.

@ Shaineel: to answer your question: we use the first "tshark" with ssl-decryption. Writing this output to stdout or a 
simple text file gives the decrypted ssl-http-traffic. But writing the decrypted traffic with "-w" as a pcap-file 
results in just recording the ENCRYPTED traffic to this pcap-file. So the decryption seems to be only something like a 
"display filter". Isn't tshark able to write this decrypted traffic to a pcap directly???

-----Original Message-----
From: wireshark-users-bounces () wireshark org [mailto:wireshark-users-bounces () wireshark org] On Behalf Of Chris 
Maynard
Sent: Tuesday, 28 June 2011 22:11
To: wireshark-users () wireshark org
Subject: Re: [Wireshark-users] text2pcap - strange packets after converting a Hex-dump

Ullmann, Robert <robert.ullmann@...> writes:

We need to convert a hex dump written with tshark to a pcap file to replay the
packets.
We're capturing http-streams and writing them as hex.
When we use text2pcap to convert it to pcap format, the output of text2pcap
shows no error – the packets were written successfully.

The strange thing happens when we replay the pcap or just let tshark read the
pcap file.
Most packets are reported as malformed. Sometimes we also find, e.g.,
hsrp-packets.
What are we doing wrong?

Capturing packets with: "tshark -i eth1 -n port 443 -V -R http" (we see the
http stream/packets)
Writing to file: "tshark -i eth1 -n port 443 -V -R http | grep -e
"^[0-9a-f][0-9a-f][0-9a-f][0-9a-f]" > file_hex.dump"

Maybe you already solved this yourself by now or no longer have the need for a
solution, but it looks to me like you're missing the tshark -x option.


___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
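
Added example (not part of the thread and not text2pcap's own code): a simplified Python model of the conversion discussed above, in which hex-dump lines are grouped into packets and, as text2pcap documents, an offset of zero starts a new packet. The sample dump, its pane titles and the helper names are constructed for illustration; the second pane restarting at 0000 is an assumed input that shows how such a block becomes a separate "packet" with no Ethernet header.

```python
import re
import struct

# Offset, then hex bytes split by single spaces; the ASCII column (2+ spaces away) is ignored.
HEX_LINE = re.compile(r"^([0-9a-f]{4,})\s+((?:[0-9a-f]{2} )*[0-9a-f]{2})(?:\s{2,}.*)?$")

def parse_hexdump(text):
    """Split a hex dump into packets; offset 0 starts a new packet."""
    packets, current = [], None
    for line in text.splitlines():
        m = HEX_LINE.match(line.strip().lower())
        if not m:
            continue                      # decoded -V text, blank lines, pane titles
        offset, data = int(m.group(1), 16), bytes.fromhex(m.group(2))
        if offset == 0:
            if current:
                packets.append(bytes(current))
            current = bytearray()
        if current is None or offset != len(current):
            continue                      # line does not continue the packet: skip
        current += data
    if current:
        packets.append(bytes(current))
    return packets

def to_pcap(packets, linktype=1):
    """Build a classic little-endian pcap image (linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for i, pkt in enumerate(packets):
        out += struct.pack("<IIII", i, 0, len(pkt), len(pkt)) + pkt
    return out

def looks_like_ipv4_ethernet(pkt):
    """True if bytes 12-13 carry EtherType 0x0800 (IPv4)."""
    return len(pkt) >= 14 and pkt[12:14] == b"\x08\x00"

# Constructed sample: one frame followed by a second hex pane that restarts at 0000.
SAMPLE = """\
Frame (34 bytes):
0000  00 11 22 33 44 55 66 77 88 99 aa bb 08 00 45 00   .."3DUfw......E.
0010  00 14 00 01 00 00 40 06 00 00 c0 00 02 01 c0 00   ......@.........
0020  02 02                                             ..
Decrypted data (16 bytes):
0000  47 45 54 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a   GET / HTTP/1.1..
"""

if __name__ == "__main__":
    for p in parse_hexdump(SAMPLE):
        print(len(p), "bytes, Ethernet/IPv4:", looks_like_ipv4_ethernet(p))
```

Running the same check over a real dump before conversion shows which offset-0000 blocks would be written as Ethernet frames and which would not.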