Text2pcap (Wireshark) 4.1.0 (v4.1.0rc0-428-g517d2be1494f)
Generate a capture file from an ASCII hexdump of packets.
See https://www.wireshark.org for more information.

Usage: text2pcap [options] <infile> <outfile>

where  <infile> specifies input filename (use - for standard input)
      <outfile> specifies output filename (use - for standard output)

Input:
  -o hex|oct|dec|none    parse offsets as (h)ex, (o)ctal, (d)ecimal, or (n)one;
                         default is hex.
  -t <timefmt>           treat the text before the packet as a date/time code;
                         <timefmt> is a format string supported by strptime,
                         with an optional %f descriptor for fractional seconds.
                         Example: The time "10:15:14.5476" has the format code
                         "%H:%M:%S.%f"
                         The special format string ISO supports ISO-8601 times.
                         NOTE: Date/time fields from the current date/time are
                         used as the default for unspecified fields.
  -D                     the text before the packet starts with an I or an O,
                         indicating that the packet is inbound or outbound.
                         This is used when generating dummy headers if the
                         output format supports it (e.g. pcapng).
  -a                     enable ASCII text dump identification.
                         The start of the ASCII text dump can be identified
                         and excluded from the packet data, even if it looks
                         like a HEX dump.
                         NOTE: Do not enable it if the input file does not
                         contain the ASCII text dump.
  -r <regex>             enable regex mode. Scan the input using <regex>, a Perl
                         compatible regular expression matching a single packet.
                         Named capturing subgroups are used to identify fields:
                         <data> (mand.), and <time>, <dir>, and <seqno> (opt.)
                         The time field format is taken from the -t option
                         Example: -r '^(?<dir>[<>])\s(?<time>\d+:\d\d:\d\d.\d+)\s(?<data>[0-9a-fA-F]+)$'
                         could match a file with lines like
                           > 0:00:00.265620 a130368b000000080060
                           < 0:00:00.295459 a2010800000000000000000800000000
  -b 2|8|16|64           encoding base (radix) of the packet data in regex mode
                         (def: 16: hexadecimal) No effect in hexdump mode.

Output:
  -F <capture type>      set the output file type; default is pcapng.
                         an empty "-F" option will list the file types.
  -E <encap type>        set the output file encapsulation type; default is
                         ether (Ethernet). An empty "-E" option will list
                         the encapsulation types.
  -l <typenum>           set the output file encapsulation type via link-layer
                         type number; default is 1 (Ethernet). See
                         https://www.tcpdump.org/linktypes.html for a list of
                         numbers.
                         Example: -l 7 for ARCNet packets.
  -m <max-packet>        max packet length in output; default is 262144
  -N <intf-name>         assign name to the interface in the pcapng file.

Prepend dummy header:
  -e <l3pid>             prepend dummy Ethernet II header with specified L3PID
                         (in HEX).
                         Example: -e 0x806 to specify an ARP packet.
  -i <proto>             prepend dummy IP header with specified IP protocol
                         (in DECIMAL).
                         Automatically prepends Ethernet header as well if
                         link-layer type is Ethernet.
                         Example: -i 46
  -4 <srcip>,<destip>    prepend dummy IPv4 header with specified
                         dest and source address.
                         Example: -4 10.0.0.1,10.0.0.2
  -6 <srcip>,<destip>    prepend dummy IPv6 header with specified
                         dest and source address.
                         Example: -6 2001:db8::b3ff:fe1e:8329,2001:0db8:85a3::8a2e:0370:7334
  -u <srcp>,<destp>      prepend dummy UDP header with specified
                         source and destination ports (in DECIMAL).
                         Automatically prepends Ethernet & IP headers as well.
                         Example: -u 1000,69 to make the packets look like
                         TFTP/UDP packets.
  -T <srcp>,<destp>      prepend dummy TCP header with specified
                         source and destination ports (in DECIMAL).
                         Automatically prepends Ethernet & IP headers as well.
                         Example: -T 50,60
  -s <srcp>,<dstp>,<tag> prepend dummy SCTP header with specified
                         source/dest ports and verification tag (in DECIMAL).
                         Automatically prepends Ethernet & IP headers as well.
                         Example: -s 30,40,34
  -S <srcp>,<dstp>,<ppi> prepend dummy SCTP header with specified
                         source/dest ports and verification tag 0.
                         Automatically prepends a dummy SCTP DATA
                         chunk header with payload protocol identifier ppi.
                         Example: -S 30,40,34
  -P <dissector>         prepend EXPORTED_PDU header with specified dissector
                         as the payload DISSECTOR_NAME tag.
                         Automatically sets link type to Upper PDU Export.
                         EXPORTED_PDU payload defaults to "data" otherwise.

Diagnostic output:
  --log-level <level>      sets the active log level ("critical", "warning", etc.)
  --log-fatal <level>      sets level to abort the program ("critical" or "warning")
  --log-domains <[!]list>  comma-separated list of the active log domains
  --log-fatal-domains <list>
                           list of domains that cause the program to abort
  --log-debug <[!]list>    list of domains with "debug" level
  --log-noisy <[!]list>    list of domains with "noisy" level
  --log-file <path>        file to output messages to (in addition to stderr)

Miscellaneous:
  -h                     display this help and exit
  -v                     print version information and exit
  -q                     don't report processed packet counts
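
Added example (not part of the text2pcap help output and not Wireshark code): a Python sketch of what the -r example regex above captures, useful for checking a log format before handing it to text2pcap. The names PACKET_RE, TIME_FMT, parse_line and parse_text are hypothetical, and rejecting odd-length hex data is this example's choice, not documented text2pcap behaviour.

```python
import re
from datetime import datetime

# The help text's example regex with (?<name>...) rewritten to Python's
# (?P<name>...) syntax. Nothing else is changed, including the unescaped
# "." between the seconds and the fraction, which matches any character.
PACKET_RE = re.compile(
    r'^(?P<dir>[<>])\s(?P<time>\d+:\d\d:\d\d.\d+)\s(?P<data>[0-9a-fA-F]+)$'
)
TIME_FMT = "%H:%M:%S.%f"  # the format code from the -t example

# The two sample lines from the help text, followed by constructed lines
# that a careful parser should skip.
SAMPLE = """\
> 0:00:00.265620 a130368b000000080060
< 0:00:00.295459 a2010800000000000000000800000000
# constructed comment line
> 0:00:01.000000 a13
> 0:00:00x265620 a1
"""

def parse_line(line):
    """Return dir/time/data for one packet line, or None if it is unusable."""
    m = PACKET_RE.match(line)
    if m is None:
        return None
    try:
        payload = bytes.fromhex(m["data"])               # odd digit count raises
        ts = datetime.strptime(m["time"], TIME_FMT)      # "x" separator raises
    except ValueError:
        return None
    return {"dir": m["dir"], "time": ts.time(), "data": payload}

def parse_text(text):
    """Parse every line, dropping the ones parse_line rejects."""
    return [p for p in map(parse_line, text.splitlines()) if p is not None]

if __name__ == "__main__":
    for pkt in parse_text(SAMPLE):
        print(pkt["dir"], pkt["time"], len(pkt["data"]), pkt["data"].hex())
```

The last constructed line matches the regex because of the unescaped "." and is rejected only when the time is parsed; writing "\." in the pattern rejects it at the match step.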