
If I have a packet capture in the text format below, which is a CLI packet capture from a FortiGate or FortiMail:

FortiMail # diag sniffer packet port1 'tcp port 443' 3
interfaces=[port1]
filters=[tcp port 443]
10.651905 192.168.0.1.50242 -> 192.168.0.2.443: syn 761714898
0x0000 0009 0f09 0001 0009 0f89 2914 0800 4500 ..........)...E.
0x0010 003c 73d1 4000 4006 3bc6 d157 fede ac16 .<s.@.@.;..W....
0x0020 0ed8 c442 01bb 2d66 d8d2 0000 0000 a002 ...B..-f........
0x0030 16d0 4f72 0000 0204 05b4 0402 080a 03ab ..Or............
0x0040 86bb 0000 0000 0103 0303 ..........

How do I convert it to the following format, so that I can use text2pcap to convert it to pcap and open it easily in Wireshark?

FortiMail # diag sniffer packet port1 'tcp port 443' 3
interfaces=[port1]
filters=[tcp port 443]
10.651905 192.168.0.1.50242 -> 192.168.0.2.443: syn 761714898
0000 00 09 0f 09 00 01 00 09 0f 89 29 14 08 00 45 00 ..........)...E.
0010 00 3c 73 d1 40 00 40 06 3b c6 d1 57 fe de ac 16 .<s.@.@.;..W....
0020 0e d8 c4 42 01 bb 2d 66 d8 d2 00 00 00 00 a0 02 ...B..-f........
0030 16 d0 4f 72 00 00 02 04 05 b4 04 02 08 0a 03 ab ..Or............
0040 86 bb 00 00 00 00 01 03 03 03 ..........
msadek

You know the initial format and the desired format, so what is the problem? You can write your own tool in your favorite programming language, or use a text editor with regex support to do smart text adjustment. Or use a text editor with macro support to apply identical actions on multiple lines. – nnovich-OK Dec 29 '17 at 14:29

2 Answers

A very similar question was asked and answered on the old Wireshark Ask Q&A site. Here's a link to that question with my answer posted verbatim below for convenience:


Yes, you can use text2pcap to convert it to a pcap file, but you will first need to massage the data into a format that text2pcap accepts, because the depicted format is currently not supported by text2pcap.

So first, you can convert the data into a suitable format by using Kurt Knochner's Perl script, given as an answer to this question and copied here for convenience:

#!/usr/bin/perl
use strict;
use warnings;

$| = 1;   # unbuffered output

# tcpdump packet header line: HH:MM:SS.micro followed by a space
my $regexp_time = '(\d\d:\d\d:\d\d\.\d+ )';
# tcpdump -x/-X hex line: "0x0010:  4500 003c ...", i.e. a hex offset (letters
# included, so 0x00a0 and up are not dropped), then 4-digit groups, then either
# two spaces before an ASCII column or the end of the line
my $regexp_hex = '(0x[0-9a-f]+:\s+)([0-9a-f ]+)(?:  |$)';

while (<STDIN>) {

   my $input = $_;

   # print the timestamp on its own line ahead of the packet's hex dump
   if ($input =~ /^$regexp_time/) {
      print "$1\n";
   }

   if ($input =~ /$regexp_hex/) {
      my $counter = $1;
      my $line = $2;

      $line =~ s/ //g;            # collapse the 4-digit groups into one hex string
      $counter =~ s/(0x|:)//g;    # "0x0010:  " -> "0010  "

      # re-split into 2-digit bytes, which is the layout text2pcap expects
      print $counter . join(' ', ( $line =~ m/../g )) . "\n";
   }
}

Assuming the output of tcpdump is saved in a file called tcpdump.txt, and Kurt's Perl script is saved as convert.pl, run:

cat tcpdump.txt | perl convert.pl > tcpdump_converted.txt

Once that's done, run text2pcap on the converted file:

text2pcap -l 101 tcpdump_converted.txt tcpdump_converted.pcap

Note that here I'm specifying "Raw IP" encapsulation. See http://www.tcpdump.org/linktypes.html for link types.


I realize your output wasn't generated from tcpdump, so the script may not work exactly as is in your case, but it shouldn't be too difficult to tailor it to meet your needs if it doesn't do what you need it to do out of the box.

Christopher Maynard


I solved the issue with two Vim substitute commands.

This one replaces each 4-digit hex group with two 2-digit hex groups:

%s/\s\([0-9a-f]\{2}\)\([0-9a-f]\{2}\)/ \1 \2 /g

and this one removes the 0x from the beginning of the line:

%s/^0x//

Then run:

text2pcap in-mod.txt out.pcap

msadek