Wireshark mailing list archives

Re: [Wireshark-users] text2pcap - strange packets after converting a Hex-dump


From: Chris Maynard <Chris.Maynard () gtech com>
Date: Tue, 28 Jun 2011 20:10:33 +0000 (UTC)

Ullmann, Robert <robert.ullmann@...> writes:

we need to convert a hex dump written with tshark to a pcap file to replay the
packets.
We're capturing HTTP streams and writing them as hex.
When we use text2pcap to convert it to pcap format, the output of text2pcap
shows no error – the packets got written successfully.

The strange thing happens when we replay the pcap or just let tshark read the
pcap file.
Most of the packets are reported to be malformed. Sometimes we also find, e.g.,
HSRP packets.
What are we doing wrong?

Capturing packets with: "tshark -i eth1 -n port 443 -V -R http" (we see the
HTTP stream/packets)
Writing to file: "tshark -i eth1 -n port 443 -V -R http | grep -e
"^[0-9a-f][0-9a-f][0-9a-f][0-9a-f]" > file_hex.dump"

Maybe you already solved this yourself by now or no longer have the need for a
solution, but it looks to me like you're missing the tshark -x option.
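
Added example (not part of the original message and not Wireshark project code): the capture-to-text2pcap step with -x in place, using a filter that keeps only lines in the "tshark -x" hex dump layout and drops the ASCII column. The function names, file names and sample text are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, sample text is constructed.

# Keep only hex dump lines in the "tshark -x" layout (4-digit offset, two
# spaces, up to 16 space-separated bytes) and cut off the ASCII column.
extract_hex() {
    sed -nE 's/^([0-9a-f]{4}  ([0-9a-f]{2} ){0,15}[0-9a-f]{2}).*$/\1/p'
}

# text2pcap starts a new packet at every offset 0000, so the number of such
# lines is the number of packets the resulting pcap should contain.
count_packets() {
    awk '/^0000  / { n++ } END { print n + 0 }'
}

# Constructed stand-in for "tshark -V -x" output (not a real capture).
sample_output() {
cat <<'EOF'
Frame 1: 20 bytes on wire (constructed sample)
Hypertext Transfer Protocol
beef is not a dump line although it starts with four hex characters

0000  00 11 22 33 44 55 66 77 88 99 aa bb 08 00 45 00   .."3DUfw......E.
0010  de ad be ef                                       ....

Frame 2: 6 bytes on wire (constructed sample)
0000  01 02 03 04 05 06                                 ......
EOF
}

# Live use, based on the command quoted above with -x added
# (needs capture privileges; file.pcap is a placeholder name):
#   tshark -i eth1 -n port 443 -V -x -R http | extract_hex > file_hex.dump
#   text2pcap file_hex.dump file.pcap
#   tshark -r file.pcap | wc -l    # compare with count_packets < file_hex.dump
```

Comparing the packet count of the dump with what tshark reads back from the pcap is a quick check that no stray text lines were converted into packets.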


