text2pcap - Generate a capture file from an ASCII hexdump of packets
-=head1 SYNOPSYS
+=head1 SYNOPSIS
B<text2pcap>
+S<[ B<-h> ]>
S<[ B<-d> ]>
S<[ B<-q> ]>
-S<[ B<-o> hex|oct ]>
-S<[ B<-l> typenum ]>
-S<[ B<-e> l3pid ]>
-S<[ B<-i> proto ]>
-S<[ B<-u> srcport,destport ]>
-S<[ B<-s> srcport,destport,tag ]>
-S<[ B<-S> srcport,destport,tag ]>
-S<[ B<-t> timefmt ]>
-I<infile>
-I<outfile>
+S<[ B<-o> hex|oct|dec ]>
+S<[ B<-l> E<lt>typenumE<gt> ]>
+S<[ B<-e> E<lt>l3pidE<gt> ]>
+S<[ B<-i> E<lt>protoE<gt> ]>
+S<[ B<-m> E<lt>max-packetE<gt> ]>
+S<[ B<-u> E<lt>srcportE<gt>,E<lt>destportE<gt> ]>
+S<[ B<-T> E<lt>srcportE<gt>,E<lt>destportE<gt> ]>
+S<[ B<-s> E<lt>srcportE<gt>,E<lt>destportE<gt>,E<lt>tagE<gt> ]>
+S<[ B<-S> E<lt>srcportE<gt>,E<lt>destportE<gt>,E<lt>ppiE<gt> ]>
+S<[ B<-t> E<lt>timefmtE<gt> ]>
+S<[ B<-a> ]>
+E<lt>I<infile>E<gt>|-
+E<lt>I<outfile>E<gt>|-
=head1 DESCRIPTION
-B<Text2pcap> is a program that reads in an ASCII hex dump and writes
-the data described into a B<libpcap>-style capture file. B<text2pcap>
-can read hexdumps with multiple packets in them, and build a capture
-file of multiple packets. B<text2pcap> is also capable of generating
-dummy Ethernet, IP and UDP headers, in order to build fully
-processable packet dumps from hexdumps of application-level data
-only.
+B<Text2pcap> is a program that reads in an ASCII hex dump and writes the
+data described into a B<libpcap> capture file. B<text2pcap> can
+read hexdumps with multiple packets in them, and build a capture file of
+multiple packets. B<text2pcap> is also capable of generating dummy
+Ethernet, IP and UDP, TCP, or SCTP headers, in order to build fully
+processable packet dumps from hexdumps of application-level data only.
-B<Text2pcap> understands a hexdump of the form generated by I<od -t
-x1>. In other words, each byte is individually displayed and
+B<Text2pcap> understands a hexdump of the form generated by I<od -Ax -tx1 -v>.
+In other words, each byte is individually displayed and
surrounded with a space. Each line begins with an offset describing
the position in the file. The offset is a hex number (can also be
-octal - see B<-o>), of more than two hex digits. Here is a sample dump
-that B<text2pcap> can recognize:
+octal or decimal - see B<-o>), of more than two hex digits.
+Here is a sample dump that B<text2pcap> can recognize:
000000 00 e0 1e a7 05 6f 00 10 ........
000008 5a a0 b9 12 08 00 46 00 ........
ignored (e.g. the character dump). Any hex numbers in this text are
also ignored. An offset of zero is indicative of starting a new
packet, so a single text file with a series of hexdumps can be
-converted into a packet capture with multiple packets. Multiple
-packets are read in with timestamps differing by one second each. In
-general, short of these restrictions, B<text2pcap> is pretty liberal
+converted into a packet capture with multiple packets. Packets may be
+preceded by a timestamp. These are interpreted according to the format
+given on the command line (see B<-t>). If not, the first packet
+is timestamped with the current time the conversion takes place. Multiple
+packets are written with timestamps differing by one microsecond each.
+In general, short of these restrictions, B<text2pcap> is pretty liberal
about reading in hexdumps and has been tested with a variety of
mangled outputs (including being forwarded through email multiple
times, with limited line wrap etc.)
B<Text2pcap> also allows the user to read in dumps of
application-level data, by inserting dummy L2, L3 and L4 headers
before each packet. The user can elect to insert Ethernet headers,
-Ethernet and IP, or Ethernet, IP and UDP headers before each
-packet. This allows Ethereal or any other full-packet decoder to
+Ethernet and IP, or Ethernet, IP and UDP/TCP/SCTP headers before each
+packet. This allows Wireshark or any other full-packet decoder to
handle these dumps.
=head1 OPTIONS
=over 4
+=item -h
+
+Displays a help message.
+
=item -d
Displays debugging information during the process. Can be used
Be completely quiet during the process.
-=item -o hex|oct
+=item -o hex|oct|dec
-Specify the radix for the offsets (hex or octal). Defaults to
+Specify the radix for the offsets (hex, octal or decimal). Defaults to
hex. This corresponds to the C<-A> option for I<od>.
=item -l
complete hex dump of an encapsulated packet and you wish to specify
the exact type of encapsulation. Example: I<-l 7> for ARCNet packets.
-=item -e l3pid
+=item -e E<lt>l3pidE<gt>
Include a dummy Ethernet header before each packet. Specify the L3PID
for the Ethernet header in hex. Use this option if your dump has Layer
encapsulation. Example: I<-e 0x806> to specify an ARP packet.
For IP packets, instead of generating a fake Ethernet header you can
-also use I<-l 12> to indicate a raw IP packet to Ethereal. Note that
+also use I<-l 12> to indicate a raw IP packet to Wireshark. Note that
I<-l 12> does not work for any non-IP Layer 3 packet (e.g. ARP),
whereas generating a dummy Ethernet header with I<-e> works for any
sort of L3 packet.
-=item -i proto
+=item -i E<lt>protoE<gt>
Include dummy IP headers before each packet. Specify the IP protocol
for the packet in decimal. Use this option if your dump is the payload
of an IP packet (i.e. has complete L4 information) but does not have
-an IP header. Note that this automatically includes an appropriate
-Ethernet header as well. Example: I<-i 46> to specify an RSVP packet
-(IP protocol 46).
+an IP header with each packet. Note that an appropriate Ethernet header
+is automatically included with each packet as well.
+Example: I<-i 46> to specify an RSVP packet (IP protocol 46).
+
+=item -m E<lt>max-packetE<gt>
+
+Set the maximum packet length, default is 64000.
+Useful for testing various packet boundaries when only an application
+level datastream is available. Example:
-=item -u srcport,destport
+I<od -Ax -tx1 stream | text2pcap -m1460 -T1234,1234 - stream.pcap>
+
+will convert from plain datastream format to a sequence of Ethernet
+TCP packets.
+
+=item -u E<lt>srcportE<gt>,E<lt>destportE<gt>
Include dummy UDP headers before each packet. Specify the source and
destination UDP ports for the packet in decimal. Use this option if
your dump is the UDP payload of a packet but does not include any UDP,
-IP or Ethernet headers. Note that this automatically includes
-appropriate Ethernet and IP headers with each packet. Example: I<-u
-1000,69> to make the packets look like TFTP/UDP packets.
+IP or Ethernet headers. Note that appropriate Ethernet and IP headers
+are automatically also included with each packet.
+Example: I<-u1000,69> to make the packets look like TFTP/UDP packets.
+
+=item -T E<lt>srcportE<gt>,E<lt>destportE<gt>
-=item -s srcport,destport,tag
+Include dummy TCP headers before each packet. Specify the source and
+destination TCP ports for the packet in decimal. Use this option if
+your dump is the TCP payload of a packet but does not include any TCP,
+IP or Ethernet headers. Note that appropriate Ethernet and IP headers
+are automatically also included with each packet.
+Sequence numbers will start at 0.
-Include dummy SCTP headers before each packet. Specify the source and
-destination SCTP ports, and verification tag, for the packet in decimal.
-Use this option if your dump is the SCTP payload of a packet but does not
-include any SCTP, IP or Ethernet headers. Note that this automatically
-includes appropriate Ethernet and IP headers with each packet. A CRC32C
-checksum will be put into the SCTP header.
+=item -s E<lt>srcportE<gt>,E<lt>destportE<gt>,E<lt>tagE<gt>
-=item -S srcport,destport,tag
+Include dummy SCTP headers before each packet. Specify, in decimal, the
+source and destination SCTP ports, and verification tag, for the packet.
+Use this option if your dump is the SCTP payload of a packet but does
+not include any SCTP, IP or Ethernet headers. Note that appropriate
+Ethernet and IP headers are automatically also included with each
+packet. A CRC32C checksum will be put into the SCTP header.
-Like B<-s>, but it also includes the DATA chunk header, for input files
-that contain only the SCTP payload.
+=item -S E<lt>srcportE<gt>,E<lt>destportE<gt>,E<lt>ppiE<gt>
-=item -t timefmt
+Include dummy SCTP headers before each packet. Specify, in decimal, the
+source and destination SCTP ports, and a verification tag of 0, for the
+packet, and prepend a dummy SCTP DATA chunk header with a payload
+protocol identifier if I<ppi>. Use this option if your dump is the SCTP
+payload of a packet but does not include any SCTP, IP or Ethernet
+headers. Note that appropriate Ethernet and IP headers are
+automatically included with each packet. A CRC32C checksum will be put
+into the SCTP header.
+
+=item -t E<lt>timefmtE<gt>
Treats the text before the packet as a date/time code; I<timefmt> is a
-format string of the sort supported by B<strptime(3)>.
+format string of the sort supported by strptime(3).
Example: The time "10:15:14.5476" has the format code "%H:%M:%S."
B<NOTE:> The subsecond component delimiter must be specified (.) but no
pattern is required; the remaining number is assumed to be fractions of
a second.
+B<NOTE:> Date/time fields from the current date/time are
+used as the default for unspecified fields.
+
+=item -a
+
+Enables ASCII text dump identification. It allows to identify the start of
+the ASCII text dump and not include it in the packet even if it looks like HEX.
+
+B<NOTE:> Do not enable it if the input file does not contain the ASCII text dump.
+
+=back
+
=head1 SEE ALSO
-L<tcpdump(8)>, L<pcap(3)>, L<ethereal(1)>, L<editcap(1)>, L<strptime(3)>.
+od(1), tcpdump(8), pcap(3), wireshark(1), tshark(1), dumpcap(1), mergecap(1),
+editcap(1), strptime(3).
=head1 NOTES
-B<Text2pcap> is part of the B<Ethereal> distribution. The latest version
-of B<Ethereal> can be found at B<http://www.ethereal.com>.
+B<Text2pcap> is part of the B<Wireshark> distribution. The latest version
+of B<Wireshark> can be found at L<http://www.wireshark.org>.
=head1 AUTHORS
- Ashok Narayanan <ashokn@cisco.com>
+ Ashok Narayanan <ashokn[AT]cisco.com>
git.samba.org / obnox / wireshark / wip.git / blobdiff