nexmon – Blame information for rev 1
?pathlinks?
| Rev | Author | Line No. | Line |
|---|---|---|---|
| 1 | office | 1 | |
| 2 | =head1 NAME |
||
| 3 | |||
| 4 | text2pcap - Generate a capture file from an ASCII hexdump of packets |
||
| 5 | |||
| 6 | =head1 SYNOPSIS |
||
| 7 | |||
| 8 | B<text2pcap> |
||
| 9 | S<[ B<-a> ]> |
||
| 10 | S<[ B<-d> ]> |
||
| 11 | S<[ B<-D> ]> |
||
| 12 | S<[ B<-e> E<lt>l3pidE<gt> ]> |
||
| 13 | S<[ B<-h> ]> |
||
| 14 | S<[ B<-i> E<lt>protoE<gt> ]> |
||
| 15 | S<[ B<-l> E<lt>typenumE<gt> ]> |
||
| 16 | S<[ B<-n> ]> |
||
| 17 | S<[ B<-m> E<lt>max-packetE<gt> ]> |
||
| 18 | S<[ B<-o> hex|oct|dec ]> |
||
| 19 | S<[ B<-q> ]> |
||
| 20 | S<[ B<-s> E<lt>srcportE<gt>,E<lt>destportE<gt>,E<lt>tagE<gt> ]> |
||
| 21 | S<[ B<-S> E<lt>srcportE<gt>,E<lt>destportE<gt>,E<lt>ppiE<gt> ]> |
||
| 22 | S<[ B<-t> E<lt>timefmtE<gt> ]> |
||
| 23 | S<[ B<-T> E<lt>srcportE<gt>,E<lt>destportE<gt> ]> |
||
| 24 | S<[ B<-u> E<lt>srcportE<gt>,E<lt>destportE<gt> ]> |
||
| 25 | S<[ B<-v> ]> |
||
| 26 | E<lt>I<infile>E<gt>|- |
||
| 27 | E<lt>I<outfile>E<gt>|- |
||
| 28 | |||
| 29 | =head1 DESCRIPTION |
||
| 30 | |||
| 31 | B<Text2pcap> is a program that reads in an ASCII hex dump and writes the |
||
| 32 | data described into a B<pcap> capture file. B<text2pcap> can |
||
| 33 | read hexdumps with multiple packets in them, and build a capture file of |
||
| 34 | multiple packets. B<text2pcap> is also capable of generating dummy |
||
| 35 | Ethernet, IP and UDP, TCP, or SCTP headers, in order to build fully |
||
| 36 | processable packet dumps from hexdumps of application-level data only. |
||
| 37 | |||
| 38 | B<Text2pcap> understands a hexdump of the form generated by I<od -Ax |
||
| 39 | -tx1 -v>. In other words, each byte is individually displayed, with |
||
| 40 | spaces separating the bytes from each other. Each line begins with an |
||
| 41 | offset describing the position in the file, with a space separating it |
||
| 42 | from the following bytes. The offset is a hex number (can also be octal |
||
| 43 | or decimal - see B<-o>), of more than two hex digits. Here is a sample |
||
| 44 | dump that B<text2pcap> can recognize: |
||
| 45 | |||
| 46 | 000000 00 0e b6 00 00 02 00 0e b6 00 00 01 08 00 45 00 |
||
| 47 | 000010 00 28 00 00 00 00 ff 01 37 d1 c0 00 02 01 c0 00 |
||
| 48 | 000020 02 02 08 00 a6 2f 00 01 00 01 48 65 6c 6c 6f 20 |
||
| 49 | 000030 57 6f 72 6c 64 21 |
||
| 50 | 000036 |
||
| 51 | |||
| 52 | There is no limit on the width or number of bytes per line. Also the |
||
| 53 | text dump at the end of the line is ignored. Bytes/hex numbers can be |
||
| 54 | uppercase or lowercase. Any text before the offset is ignored, |
||
| 55 | including email forwarding characters '>'. Any lines of text between |
||
| 56 | the bytestring lines is ignored. The offsets are used to track the |
||
| 57 | bytes, so offsets must be correct. Any line which has only bytes |
||
| 58 | without a leading offset is ignored. An offset is recognized as being |
||
| 59 | a hex number longer than two characters. Any text after the bytes is |
||
| 60 | ignored (e.g. the character dump). Any hex numbers in this text are |
||
| 61 | also ignored. An offset of zero is indicative of starting a new |
||
| 62 | packet, so a single text file with a series of hexdumps can be |
||
| 63 | converted into a packet capture with multiple packets. Packets may be |
||
| 64 | preceded by a timestamp. These are interpreted according to the format |
||
| 65 | given on the command line (see B<-t>). If not, the first packet |
||
| 66 | is timestamped with the current time the conversion takes place. Multiple |
||
| 67 | packets are written with timestamps differing by one microsecond each. |
||
| 68 | In general, short of these restrictions, B<text2pcap> is pretty liberal |
||
| 69 | about reading in hexdumps and has been tested with a variety of |
||
| 70 | mangled outputs (including being forwarded through email multiple |
||
| 71 | times, with limited line wrap etc.) |
||
| 72 | |||
| 73 | There are a couple of other special features to note. Any line where |
||
| 74 | the first non-whitespace character is '#' will be ignored as a |
||
| 75 | comment. Any line beginning with #TEXT2PCAP is a directive and options |
||
| 76 | can be inserted after this command to be processed by |
||
| 77 | B<text2pcap>. Currently there are no directives implemented; in the |
||
| 78 | future, these may be used to give more fine grained control on the |
||
| 79 | dump and the way it should be processed e.g. timestamps, encapsulation |
||
| 80 | type etc. |
||
| 81 | |||
| 82 | B<Text2pcap> also allows the user to read in dumps of |
||
| 83 | application-level data, by inserting dummy L2, L3 and L4 headers |
||
| 84 | before each packet. The user can elect to insert Ethernet headers, |
||
| 85 | Ethernet and IP, or Ethernet, IP and UDP/TCP/SCTP headers before each |
||
| 86 | packet. This allows Wireshark or any other full-packet decoder to |
||
| 87 | handle these dumps. |
||
| 88 | |||
| 89 | =head1 OPTIONS |
||
| 90 | |||
| 91 | =over 4 |
||
| 92 | |||
| 93 | =item -a |
||
| 94 | |||
| 95 | Enables ASCII text dump identification. It allows one to identify the start of |
||
| 96 | the ASCII text dump and not include it in the packet even if it looks like HEX. |
||
| 97 | |||
| 98 | B<NOTE:> Do not enable it if the input file does not contain the ASCII text dump. |
||
| 99 | |||
| 100 | =item -d |
||
| 101 | |||
| 102 | Displays debugging information during the process. Can be used |
||
| 103 | multiple times to generate more debugging information. |
||
| 104 | |||
| 105 | =item -D |
||
| 106 | |||
| 107 | The text before the packet starts either with an I or O indicating that |
||
| 108 | the packet is inbound or outbound. |
||
| 109 | This is only stored if the output format is PCAP-NG. |
||
| 110 | |||
| 111 | =item -e E<lt>l3pidE<gt> |
||
| 112 | |||
| 113 | Include a dummy Ethernet header before each packet. Specify the L3PID |
||
| 114 | for the Ethernet header in hex. Use this option if your dump has Layer |
||
| 115 | 3 header and payload (e.g. IP header), but no Layer 2 |
||
| 116 | encapsulation. Example: I<-e 0x806> to specify an ARP packet. |
||
| 117 | |||
| 118 | For IP packets, instead of generating a fake Ethernet header you can |
||
| 119 | also use I<-l 101> to indicate a raw IP packet to Wireshark. Note that |
||
| 120 | I<-l 101> does not work for any non-IP Layer 3 packet (e.g. ARP), |
||
| 121 | whereas generating a dummy Ethernet header with I<-e> works for any |
||
| 122 | sort of L3 packet. |
||
| 123 | |||
| 124 | =item -h |
||
| 125 | |||
| 126 | Displays a help message. |
||
| 127 | |||
| 128 | =item -i E<lt>protoE<gt> |
||
| 129 | |||
| 130 | Include dummy IP headers before each packet. Specify the IP protocol |
||
| 131 | for the packet in decimal. Use this option if your dump is the payload |
||
| 132 | of an IP packet (i.e. has complete L4 information) but does not have |
||
| 133 | an IP header with each packet. Note that an appropriate Ethernet header |
||
| 134 | is automatically included with each packet as well. |
||
| 135 | Example: I<-i 46> to specify an RSVP packet (IP protocol 46). See |
||
| 136 | L<http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml> for |
||
| 137 | the complete list of assigned internet protocol numbers. |
||
| 138 | |||
| 139 | =item -l |
||
| 140 | |||
| 141 | Specify the link-layer header type of this packet. Default is Ethernet |
||
| 142 | (1). See L<http://www.tcpdump.org/linktypes.html> for the complete list |
||
| 143 | of possible encapsulations. Note that this option should be used if |
||
| 144 | your dump is a complete hex dump of an encapsulated packet and you wish |
||
| 145 | to specify the exact type of encapsulation. Example: I<-l 7> for ARCNet |
||
| 146 | packets encapsulated BSD-style. |
||
| 147 | |||
| 148 | =item -m E<lt>max-packetE<gt> |
||
| 149 | |||
| 150 | Set the maximum packet length, default is 65535. |
||
| 151 | Useful for testing various packet boundaries when only an application |
||
| 152 | level datastream is available. Example: |
||
| 153 | |||
| 154 | I<od -Ax -tx1 -v stream | text2pcap -m1460 -T1234,1234 - stream.pcap> |
||
| 155 | |||
| 156 | will convert from plain datastream format to a sequence of Ethernet |
||
| 157 | TCP packets. |
||
| 158 | |||
| 159 | =item -n |
||
| 160 | |||
| 161 | Write PCAP-NG file instead of a PCAP. |
||
| 162 | |||
| 163 | =item -o hex|oct|dec |
||
| 164 | |||
| 165 | Specify the radix for the offsets (hex, octal or decimal). Defaults to |
||
| 166 | hex. This corresponds to the C<-A> option for I<od>. |
||
| 167 | |||
| 168 | =item -q |
||
| 169 | |||
| 170 | Be completely quiet during the process. |
||
| 171 | |||
| 172 | =item -s E<lt>srcportE<gt>,E<lt>destportE<gt>,E<lt>tagE<gt> |
||
| 173 | |||
| 174 | Include dummy SCTP headers before each packet. Specify, in decimal, the |
||
| 175 | source and destination SCTP ports, and verification tag, for the packet. |
||
| 176 | Use this option if your dump is the SCTP payload of a packet but does |
||
| 177 | not include any SCTP, IP or Ethernet headers. Note that appropriate |
||
| 178 | Ethernet and IP headers are automatically also included with each |
||
| 179 | packet. A CRC32C checksum will be put into the SCTP header. |
||
| 180 | |||
| 181 | =item -S E<lt>srcportE<gt>,E<lt>destportE<gt>,E<lt>ppiE<gt> |
||
| 182 | |||
| 183 | Include dummy SCTP headers before each packet. Specify, in decimal, the |
||
| 184 | source and destination SCTP ports, and a verification tag of 0, for the |
||
| 185 | packet, and prepend a dummy SCTP DATA chunk header with a payload |
||
| 186 | protocol identifier if I<ppi>. Use this option if your dump is the SCTP |
||
| 187 | payload of a packet but does not include any SCTP, IP or Ethernet |
||
| 188 | headers. Note that appropriate Ethernet and IP headers are |
||
| 189 | automatically included with each packet. A CRC32C checksum will be put |
||
| 190 | into the SCTP header. |
||
| 191 | |||
| 192 | =item -t E<lt>timefmtE<gt> |
||
| 193 | |||
| 194 | Treats the text before the packet as a date/time code; I<timefmt> is a |
||
| 195 | format string of the sort supported by strptime(3). |
||
| 196 | Example: The time "10:15:14.5476" has the format code "%H:%M:%S." |
||
| 197 | |||
| 198 | B<NOTE:> The subsecond component delimiter must be specified (.) but no |
||
| 199 | pattern is required; the remaining number is assumed to be fractions of |
||
| 200 | a second. |
||
| 201 | |||
| 202 | B<NOTE:> Date/time fields from the current date/time are |
||
| 203 | used as the default for unspecified fields. |
||
| 204 | |||
| 205 | =item -T E<lt>srcportE<gt>,E<lt>destportE<gt> |
||
| 206 | |||
| 207 | Include dummy TCP headers before each packet. Specify the source and |
||
| 208 | destination TCP ports for the packet in decimal. Use this option if |
||
| 209 | your dump is the TCP payload of a packet but does not include any TCP, |
||
| 210 | IP or Ethernet headers. Note that appropriate Ethernet and IP headers |
||
| 211 | are automatically also included with each packet. |
||
| 212 | Sequence numbers will start at 0. |
||
| 213 | |||
| 214 | =item -u E<lt>srcportE<gt>,E<lt>destportE<gt> |
||
| 215 | |||
| 216 | Include dummy UDP headers before each packet. Specify the source and |
||
| 217 | destination UDP ports for the packet in decimal. Use this option if |
||
| 218 | your dump is the UDP payload of a packet but does not include any UDP, |
||
| 219 | IP or Ethernet headers. Note that appropriate Ethernet and IP headers |
||
| 220 | are automatically also included with each packet. |
||
| 221 | Example: I<-u1000,69> to make the packets look like TFTP/UDP packets. |
||
| 222 | |||
| 223 | =item -v |
||
| 224 | |||
| 225 | Print the version and exit. |
||
| 226 | |||
| 227 | =item -4 E<lt>srcipE<gt>,E<lt>destipE<gt> |
||
| 228 | |||
| 229 | Prepend dummy IP header with specified IPv4 dest and source address. |
||
| 230 | This option should be accompanied by one of the following options: -i, -s, -S, -T, -u |
||
| 231 | Use this option to apply "custom" IP addresses. |
||
| 232 | Example: I<-4 10.0.0.1,10.0.0.2> to use 10.0.0.1 and 10.0.0.2 for all IP packets. |
||
| 233 | |||
| 234 | =item -6 E<lt>srcipE<gt>,E<lt>destipE<gt> |
||
| 235 | |||
| 236 | Prepend dummy IP header with specified IPv6 dest and source address. |
||
| 237 | This option should be accompanied by one of the following options: -i, -s, -S, -T, -u |
||
| 238 | Use this option to apply "custom" IP addresses. |
||
| 239 | Example: I<-6 fe80:0:0:0:202:b3ff:fe1e:8329, 2001:0db8:85a3:0000:0000:8a2e:0370:7334> to |
||
| 240 | use fe80:0:0:0:202:b3ff:fe1e:8329 and 2001:0db8:85a3:0000:0000:8a2e:0370:7334 for all IP packets. |
||
| 241 | |||
| 242 | =back |
||
| 243 | |||
| 244 | =head1 SEE ALSO |
||
| 245 | |||
| 246 | od(1), pcap(3), wireshark(1), tshark(1), dumpcap(1), mergecap(1), |
||
| 247 | editcap(1), strptime(3), pcap-filter(7) or tcpdump(8) |
||
| 248 | |||
| 249 | =head1 NOTES |
||
| 250 | |||
| 251 | B<Text2pcap> is part of the B<Wireshark> distribution. The latest version |
||
| 252 | of B<Wireshark> can be found at L<https://www.wireshark.org>. |
||
| 253 | |||
| 254 | =head1 AUTHORS |
||
| 255 | |||
| 256 | Ashok Narayanan <ashokn[AT]cisco.com> |