Text2pcap




Text2pcap generates capture files by reading ASCII hexadecimal dump captures and writing the data to a libpcap output file. It is capable of reading a hexdump of single or multiple packets, and building capture files from it. Text2pcap can also read hexdumps of application level data only, by creating dummy Ethernet, IP, and User Datagram Protocol (UDP) or TCP headers so Ethereal and other sniffers can read the full data. The user can specify which of these headers to add.

Text2pcap reads the format produced by the octal dump (od) command. od is a UNIX command that writes a file, or standard input, in a selected representation such as octal, decimal, or hexadecimal; the representation is chosen with the -t option. The command od -A x -t x1 generates output that text2pcap can read: x1 requests one-byte hexadecimal units, and -A x makes od print the offsets in hexadecimal as well. Without -A x, od prints octal offsets, which text2pcap must then be told to parse with its -o o option. Adding -v keeps od from collapsing runs of identical lines into a single * line, which text2pcap would silently skip. The following is an example of the type of hexadecimal dump that text2pcap can read:

0000  00 05 5d ee 7e 53 08 00 20 cf 5b 39 08 00 45 00   ..].~S.. .[9..E.
0010  00 9a 13 9e 40 00 3c 06 e0 70 c0 a8 64 7a c0 a8   ....@.<..p..dz..
0020  64 84 00 17 05 49 0e a9 91 43 8e d8 e3 6a 50 18   d....I...C...jP.
0030  c1 e8 ba 7b 00 00 4c 61 73 74 20 6c 6f 67 69 6e   ...{..Last login
0040  3a 20 53 75 6e 20 4e 6f 76 20 20 32 20 31 37 3a   : Sun Nov  2 17:
0050  30 36 3a 35 33 20 66 72 6f 6d 20 31 39 32 2e 31   06:53 from 192.1
0060  36 38 2e 31 30 30 2e 31 33 32 0d 0a 53 75 6e 20   68.100.132..Sun 
0070  4d 69 63 72 6f 73 79 73 74 65 6d 73 20 49 6e 63   Microsystems Inc
0080  2e 20 20 20 53 75 6e 4f 53 20 35 2e 39 20 20 20   .   SunOS 5.9   
0090  20 20 20 20 47 65 6e 65 72 69 63 20 4d 61 79 20       Generic May 
00a0  32 30 30 32 0d 0a 23 20                           2002..# 

Each line begins with an offset of more than two hexadecimal digits (or octal digits, when -o o is given). The extra digits are what distinguish an offset from a two-digit data byte, and text2pcap uses the offsets to track its position within the packet. An offset of 0 marks the beginning of a new packet. If a file contains multiple packets, they are written to the capture file with timestamps one second apart. A line that does not start with an offset is ignored, as is the ASCII text at the end of each line. Text files can also contain comments, which begin with the # character. Text2pcap reserves the #TEXT2PCAP directive at the beginning of a line for commands and options; no commands or options are currently implemented, but future development could use it to control how the hexadecimal dump is processed.

The following is the usage output for the text2pcap program:

Usage: text2pcap [-h] [-d] [-q] [-o h|o] [-l typenum] [-e l3pid] [-i proto]
                 [-m max-packet] [-u srcp,destp] [-T srcp,destp] [-s srcp,destp,tag]
                 [-S srcp,destp,tag] [-t timefmt] <input-filename> <output-filename>
where <input-filename> specifies input filename (use - for standard input)
      <output-filename> specifies output filename (use - for standard output)
[options] are one or more of the following
 -h              : Display this help message
 -d              : Generate detailed debug of parser states
 -o hex|oct      : Parse offsets as (h)ex or (o)ctal. Default is hex
 -l typenum      : Specify link-layer type number. Default is 1 (Ethernet).
                   See net/bpf.h for list of numbers.
 -q              : Generate no output at all (automatically turns off -d)
 -e l3pid        : Prepend dummy Ethernet II header with specified L3PID (in HEX)
                   Example: -e 0x800
 -i proto        : Prepend dummy IP header with specified IP protocol (in DECIMAL).
                   Automatically prepends Ethernet header as well.
                   Example: -i 46
 -m max-packet   : Max packet length in output, default is 64000
 -u srcp,destp   : Prepend dummy UDP header with specified dest and source
                   ports (in DECIMAL).
                   Automatically prepends Ethernet and IP headers as well
                   Example: -u 30,40
 -T srcp,destp   : Prepend dummy TCP header with specified dest and source
                   ports (in DECIMAL).
                   Automatically prepends Ethernet and IP headers as well
                   Example: -T 50,60
 -s srcp,dstp,tag: Prepend dummy SCTP header with specified dest/source
                   ports and verification tag (in DECIMAL).
                   Automatically prepends Ethernet and IP headers as well
                   Example: -s 30,40,34
 -S srcp,dstp,ppi: Prepend dummy SCTP header with specified dest/source
                   ports and verification tag 0. It also prepends a dummy
                   SCTP DATA chunk header with payload protocol identifier
                   ppi.
                   Example: -S 30,40,34
 -t timefmt      : Treats the text before the packet as a date/time code;
                   the specified argument is a format string of the sort
                   supported by strptime.
                   Example: The time "10:15:14.5476" has the format code
                   "%H:%M:%S."
                   NOTE:    The subsecond component delimiter must be
                            specified (.) but no pattern is required; the
                            remaining number is assumed to be fractions of a second.

The following command line options are used to control text2pcap’s data processing and output:

  • –h This option prints the help options of text2pcap, then exits.

  • –d This option displays debugging information during the processing. Like verbose options it can be used several times for more information.

  • –q This option causes text2pcap to be quiet while processing.

  • –o h|o This option specifies whether the offsets at the start of each input line are to be parsed as hexadecimal or octal. The default is hexadecimal; use –o o for the octal offsets that od prints by default.

  • –l typenum This option lets you specify the data link layer type of encapsulation for the packet. This option is used when your hexdump is a complete, encapsulated packet. The encapsulation type is specified as a number using the typenum parameter. A complete list of encapsulation types and their associated numbers can be found in the /libpcap-0.7.2/bpf/net/bpf.h file included in the libpcap source distribution. For example Point-to-Point Protocol (PPP) is encapsulation type 9. The default is Ethernet, encapsulation type 1.

  • –e l3pid This option allows you to include a dummy Ethernet II header for each packet, with the EtherType set to the l3pid value given in hexadecimal (for example, –e 0x800 for IP). You would use this option when your dump file has a layer 3 header, such as IP, but no layer 2 information.

  • –i proto This option allows you to include a dummy IP header for each packet. The proto parameter allows you to specify the IP protocol number in decimal format. You would use this option when your dump file has complete layer 4 information, but no layer 3 IP information. This option will also include the necessary Ethernet information. For example, –i 88 will set the protocol to Enhanced Interior Gateway Routing Protocol (EIGRP).

  • –m max-packet This option allows you to set the maximum packet length with the max-packet parameter. Input that runs past this length without returning to offset 0 is split into packets of this size. The default is 64000.

  • –u srcport,destport This option allows you to include a dummy UDP header for each packet. The srcport and destport parameters allow you to specify the source and destination UDP ports in decimal format. You would use this option when your dump file contains only application data, with no UDP or lower-layer headers. This option will also include the necessary IP and Ethernet information.

  • –T srcport,destport This option allows you to include a dummy TCP header for each packet. The srcport and destport parameters allow you to specify the source and destination TCP ports in decimal format. You would use this option when your dump file contains only application data, with no TCP or lower-layer headers. This option will also include the necessary IP and Ethernet information.

  • –s srcport,destport,tag This option allows you to include a dummy Stream Control Transmission Protocol (SCTP) header for each packet. The srcport and destport parameters allow you to specify the source and destination SCTP ports in decimal format. The tag parameter allows you to specify a verification tag. You would use this option when your dump file contains only SCTP chunks, with no SCTP common header or lower-layer headers. This option will also include the necessary IP and Ethernet information and compute the SCTP CRC32C checksum.

  • –S srcport,destport,ppi This option allows you to include a dummy SCTP header for each packet. The srcport and destport parameters allow you to specify the source and destination SCTP ports in decimal format. The ppi parameter allows you to specify a payload protocol identifier for a dummy SCTP DATA chunk header that is also prepended. The verification tag will automatically be set to 0. You would use this option when your dump file contains only the SCTP payload, with no SCTP or lower-layer headers. This option will also include the necessary IP and Ethernet information and compute the SCTP CRC32C checksum.

  • –t timefmt This option allows you to specify a time format for the text that precedes each packet, so that the timestamps in the capture file come from the dump rather than being spaced one second apart. The timefmt parameter is a strptime(3) format string, such as "%H:%M:%S.", which converts a character string to a time value.

The following is an example of using text2pcap to read a hexadecimal dump, hex_sample.txt, and output it to the libpcap_output file:

C:\Program Files\Ethereal>text2pcap hex_sample.txt libpcap_output
Input from: hex_sample.txt
Output to: libpcap_output
Wrote packet of 168 bytes at 0
Read 1 potential packets, wrote 1 packets

The next example uses text2pcap to read a file with multiple hexadecimal packets, hex_sample2.txt, and output the format as Telnet/TCP packets to the libpcap_output2 file:

C:\Program Files\Ethereal>text2pcap -T 1297,23 hex_sample2.txt libpcap_output2
Input from: hex_sample2.txt
Output to: libpcap_output2
Generate dummy Ethernet header: Protocol: 0x800
Generate dummy IP header: Protocol: 6
Generate dummy TCP header: Source port: 1297. Dest port: 23
Wrote packet of 62 bytes at 0
Wrote packet of 62 bytes at 62
Wrote packet of 60 bytes at 124
Wrote packet of 69 bytes at 184
output removed
Read 76 potential packets, wrote 76 packets

The output of the od command can also be piped into text2pcap, which then reads it from standard input. The next example uses text2pcap to read a data stream as input and write it out as HTTP/TCP packets to the output.pcap file. The –Ax option to od prints the offsets in hexadecimal. Because od's offsets increase continuously and never return to 0, text2pcap would otherwise treat the entire stream as a single packet; the –m1460 option caps each output packet at 1460 bytes, so the stream is split into 1460-byte packets. 1460 bytes is the usual TCP payload size on Ethernet: the 1500-byte maximum Ethernet payload (MTU) minus 20 bytes each for the IP and TCP headers. The –T option creates the dummy TCP, IP, and Ethernet headers. The following shows the command and associated output:

[root@localhost root]# od -Ax -tx1 input | text2pcap -m1460 -T1234,80 - output.pcap
Input from: Standard input
Output to: output.pcap
Generate dummy Ethernet header: Protocol: 0x800
Generate dummy IP header: Protocol: 6
Generate dummy TCP header: Source port: 1234. Dest port: 80
Wrote packet of 1460 bytes at 0
Wrote packet of 1460 bytes at 1460
Wrote packet of 1460 bytes at 2920
Wrote packet of 788 bytes at 4380
Read 4 potential packets, wrote 4 packets
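The following Python script is an added example, not code from the book or from Ethereal. It reproduces the behaviour described in this section so that the input format and the dummy-header options can be seen end to end: it parses an od-style hex dump using the rules given earlier (an offset of more than two digits starts a line, offset 0 starts a new packet, lines without an offset and the trailing ASCII column are ignored, # begins a comment), splits an unbroken od stream at the -m limit as in the example above, prepends dummy Ethernet/IP plus TCP or UDP headers as -T and -u do, and writes a classic libpcap file. The sample dump is constructed for the example; the zero MAC addresses, the 1.1.1.1 and 2.2.2.2 IP addresses, the TCP flags and sequence numbers, and the zero layer 4 checksum are placeholders chosen here and need not match what text2pcap itself emits.

```python
"""Added example: a small text2pcap work-alike (not Ethereal's code)."""
import re
import struct
import time

# Constructed sample dump (two packets); not taken from a real capture.
SAMPLE_DUMP = """\
# constructed example: an HTTP request and reply, application data only
0000  47 45 54 20 2f 20 48 54 54 50 2f 31 2e 30 0d 0a   GET / HTTP/1.0..
0010  0d 0a                                             ..
this line has no offset and is ignored
0000  48 54 54 50 2f 31 2e 30 20 32 30 30 20 4f 4b 0d   HTTP/1.0 200 OK.
0010  0a 0d 0a                                          ...
"""

# An offset of 3+ digits, then two-digit hex bytes, then an optional ASCII column.
# Like text2pcap, this cannot tell an ASCII column that happens to begin with a
# hex-looking pair from a data byte, so keep the wide gap od and Ethereal emit.
HEX_LINE = re.compile(r'^\s*([0-9a-fA-F]{3,})((?:\s+[0-9a-fA-F]{2})*)(?:\s+.*)?$')


def parse_hexdump(text, offset_base=16, max_len=64000):
    """Return the packets (as bytes) found in an od/text2pcap-style dump."""
    packets, current = [], bytearray()

    def flush():
        if current:
            packets.append(bytes(current))
            current.clear()

    for line in text.splitlines():
        line = line.rstrip()
        if line.lstrip().startswith('#'):
            continue                          # comment or #TEXT2PCAP directive
        m = HEX_LINE.match(line)
        if not m:
            continue                          # no leading offset: line is ignored
        if int(m.group(1), offset_base) == 0:
            flush()                           # offset 0 begins a new packet
        current.extend(bytes.fromhex(m.group(2)))
        while len(current) >= max_len:        # -m: split an unbroken od stream
            packets.append(bytes(current[:max_len]))
            del current[:max_len]
    flush()
    return packets


def ip_checksum(hdr):
    """RFC 1071 ones-complement sum; returns 0 when run over a valid header."""
    if len(hdr) % 2:
        hdr += b'\0'
    total = sum(struct.unpack('!%dH' % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xffff) + (total >> 16)
    return ~total & 0xffff


def add_dummy_headers(payload, proto, sport, dport):
    """Prepend Ethernet II + IPv4 + TCP (proto 6, like -T) or UDP (17, like -u).
    MACs, IPs, TCP seq/ack/flags and the L4 checksum are placeholder values."""
    if proto == 6:
        l4 = struct.pack('!HHIIBBHHH', sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    elif proto == 17:
        l4 = struct.pack('!HHHH', sport, dport, 8 + len(payload), 0)
    else:
        raise ValueError('only TCP (6) and UDP (17) dummy headers are implemented')
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(l4) + len(payload),
                     0, 0, 64, proto, 0, bytes([1, 1, 1, 1]), bytes([2, 2, 2, 2]))
    ip = ip[:10] + struct.pack('!H', ip_checksum(ip)) + ip[12:]   # fill checksum
    eth = bytes(12) + b'\x08\x00'             # zero MACs, EtherType 0x0800 (IPv4)
    return eth + ip + l4 + payload


def build_pcap(packets, linktype=1, start=None, snaplen=64000):
    """Serialise packets as a classic libpcap file, one second apart like text2pcap."""
    start = int(start if start is not None else time.time())
    out = bytearray(struct.pack('<IHHiIII', 0xa1b2c3d4, 2, 4, 0, 0, snaplen, linktype))
    for i, pkt in enumerate(packets):
        out += struct.pack('<IIII', start + i, 0, len(pkt), len(pkt)) + pkt
    return bytes(out)


def read_pcap(data):
    """Parse a libpcap file back into (linktype, [(ts_sec, packet_bytes), ...])."""
    magic, _, _, _, _, _, linktype = struct.unpack_from('<IHHiIII', data, 0)
    if magic != 0xa1b2c3d4:
        raise ValueError('not a little-endian libpcap file')
    records, pos = [], 24
    while pos < len(data):
        sec, _usec, caplen, _ = struct.unpack_from('<IIII', data, pos)
        pos += 16
        records.append((sec, data[pos:pos + caplen]))
        pos += caplen
    return linktype, records


if __name__ == '__main__':
    frames = [add_dummy_headers(p, 6, 1234, 80) for p in parse_hexdump(SAMPLE_DUMP)]
    with open('hex_sample.pcap', 'wb') as fh:
        fh.write(build_pcap(frames))
    print('Read %d potential packets, wrote %d packets' % (len(frames), len(frames)))
```

Running the script writes hex_sample.pcap, which Ethereal decodes as two TCP segments on port 80 carrying the request and reply. Passing max_len=16 to parse_hexdump shows the -m behaviour from the od example: the two 18- and 19-byte payloads come out as four packets of 16, 2, 16 and 3 bytes.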






Ethereal Packet Sniffing
Ethereal Packet Sniffing (Syngress)
ISBN: 1932266828
Year: 2004
Pages: 105
Authors: Syngress
