
I require a Linux command to display a hexdump of a PCAP file. Currently I am using the xxd PcapFile.pcap command. With this I am getting a hexdump of the pcap file along with other bytes inserted in between and at the end which do not belong to the pcap file. These bytes are carriage return, new line, new page, null characters, etc. I do not want the hexdump to display these characters. Is there a proper command which can display only the data bytes from the pcap file?

eg:

0000000: d4c3 b2a1 0200 0400 0000 0000 0000 0000  ................
0000010: 0000 0400 0100 0000 590d 9d60 abe9 0700  ........Y..`....
0000020: 3c00 0000 3c00 0000 0010 f393 8870 000c  <...<........p..
0000030: 2998 7ecb aefe 1002 0014 0000 0080 9000  ).~.............
0000040: 0000 0101 0000 0000 0019 fffe 0000 0000  ................
0000050: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000060: 0000 0000 590d 9d60 abe9 0700 3c00 0000  ....Y..`....<...

The bytes I get at the end and in between are:

END: 0000 f404 0000
BETWEEN Each Packet: 0000 f404 0000 0600 0000 f404 0000 0000 0000 0000 0000 dc56 2d01 d204 0000 d204 
  • If xxd prints the characters in the hexdump, then they exist in the file. If this is the highly unlikely case that xxd is printing characters not in the file, that would be a bug. – Ross Jacobs Jun 05 '21 at 06:31
  • @RossJacobs Can I share the pcap file with you so you can take a look at what exactly is going wrong here? – Sukshith Shetty Jun 05 '21 at 09:34

2 Answers


If you're looking for a hexdump of the entire file, then you can use hexdump, as in:

hexdump -vC PcapFile.pcap
Christopher Maynard

If by "the data bytes" you mean the raw hex bytes of the packets, so that the 24-byte file header and the 16-byte packet headers aren't printed, one command that will print the hex data along with a dissection of the packet's contents is

tcpdump -xx -n -r {file name}

which will print information such as

17:48:39.708517 ARP, Request who-has 10.120.4.255 tell 10.120.4.1, length 46
        0x0000:  ffff ffff ffff 00e0 5280 7600 0806 0001
        0x0010:  0800 0604 0001 00e0 5280 7600 0a78 0401
        0x0020:  0000 0000 0000 0a78 04ff 0000 0000 0000
        0x0030:  0000 0000 0000 0000 0000 0000

That requires that you have tcpdump installed.

Another command, that will print only a hex+text dump of each packet, without the dissection, is

tshark -Q -x -r {file name}

(It will print both hex and text; there's no way to suppress the text part of the dump. The text shows the printable ASCII characters, unless the packet is for some IBM protocol where the data is in EBCDIC, in which case the output is ASCII but it's translated from EBCDIC.)

That requires that you have Wireshark installed (although, if you're installing from a package supplied by your OS, it might have separate "Wireshark core" and "Wireshark GUI" packages, and, if so, it doesn't require the "Wireshark GUI" package).

user16139739
  • tcpdump -xx -n -r {file name} => This command doesn't work with a pcap file. There is no output display of any kind of data. – Sukshith Shetty Jun 09 '21 at 16:56
  • You typed in the pathname of the pcap file, rather than the literal string "{file name}", right? The output I pasted into the answer for that command was copied and pasted from my terminal emulator window after running that command on a pcap file I have. – user16139739 Jun 10 '21 at 01:22
  • I typed the filename as I was in the same directory. It is not displaying any data. – Sukshith Shetty Jun 11 '21 at 05:11
  • What is the exact command you typed? And was any output produced whatsoever? If so, what was the output? – user16139739 Jun 12 '21 at 19:27
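To make concrete what the answer above says about the 24-byte file header and the 16-byte per-packet headers, here is an added Python example; it is not code from the original post, from tcpdump or from Wireshark. A classic pcap file is nothing but that file header followed by records, each one a 16-byte header (timestamp seconds, timestamp fraction, captured length, original length) and then the captured bytes, so the "bytes between each packet" that xxd shows are those record headers (the repeated f404 0000 and d204 0000 pairs in the question decode as captured/original lengths of 1268 and 1234 bytes). The script parses the file header (both byte orders and both timestamp resolutions), consumes every record header, refuses captures whose declared length runs past the end of the file, and hexdumps only the packet bytes. The sample capture it reads is constructed inside the script (the ARP request from the answer's tcpdump output plus a made-up second frame); the function names and output layout are my own.

```python
"""Hexdump only the packet bytes of a classic pcap file (added example).

A pcap file is a 24-byte file header followed by records; every record is a
16-byte header (ts_sec, ts_frac, incl_len, orig_len) and then incl_len bytes of
packet data. xxd shows all of it; this script consumes the headers and prints
just the packet data, the way `tcpdump -xx` or `tshark -x` do.
"""
import struct
from typing import List, Tuple

FILE_HEADER_LEN = 24
RECORD_HEADER_LEN = 16

# Classic pcap magic, read big-endian from the first four bytes. The value fixes
# the byte order of every header field and the unit of the timestamp fraction.
_MAGIC = {
    0xA1B2C3D4: (">", 1_000_000),       # big-endian, microseconds
    0xD4C3B2A1: ("<", 1_000_000),       # little-endian, microseconds (the question's d4c3 b2a1)
    0xA1B23C4D: (">", 1_000_000_000),   # big-endian, nanoseconds
    0x4D3CB2A1: ("<", 1_000_000_000),   # little-endian, nanoseconds
}

Record = Tuple[float, int, bytes]  # (timestamp in seconds, length on the wire, captured bytes)


def parse_pcap(data: bytes) -> Tuple[int, List[Record]]:
    """Return (linktype, records); the file header and record headers are consumed here."""
    if len(data) < FILE_HEADER_LEN:
        raise ValueError("shorter than a pcap file header")
    magic = struct.unpack(">I", data[:4])[0]
    if magic not in _MAGIC:
        raise ValueError(f"not a classic pcap file (magic 0x{magic:08x}); pcapng is not handled")
    endian, ts_div = _MAGIC[magic]
    # magic(4) major(2) minor(2) thiszone(4) sigfigs(4) snaplen(4) linktype(4)
    _, major, minor, _tz, _sig, _snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:FILE_HEADER_LEN])
    if (major, minor) != (2, 4):
        raise ValueError(f"unsupported pcap version {major}.{minor}")
    records: List[Record] = []
    off = FILE_HEADER_LEN
    while off < len(data):
        if len(data) - off < RECORD_HEADER_LEN:
            raise ValueError(f"truncated record header at offset {off}")
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + RECORD_HEADER_LEN])
        off += RECORD_HEADER_LEN
        # A crafted incl_len is how a hostile capture makes a naive reader over-read;
        # a short file is how a truncated capture does. Refuse both instead of guessing.
        if incl_len > len(data) - off:
            raise ValueError(f"record at offset {off - RECORD_HEADER_LEN} claims {incl_len} bytes, "
                             f"only {len(data) - off} remain")
        records.append((ts_sec + ts_frac / ts_div, orig_len, data[off:off + incl_len]))
        off += incl_len
    return linktype, records


def hexdump(payload: bytes, width: int = 16) -> str:
    """xxd-style lines: 7-digit offset, hex in groups of two bytes, printable ASCII on the right."""
    lines = []
    for i in range(0, len(payload), width):
        chunk = payload[i:i + width]
        hexpart = " ".join(chunk[j:j + 2].hex() for j in range(0, len(chunk), 2))
        text = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        lines.append(f"{i:07x}: {hexpart:<{width * 5 // 2 - 1}}  {text}")
    return "\n".join(lines)


def dump_packets(data: bytes) -> str:
    """One summary line per packet followed by a hexdump of only its captured bytes."""
    linktype, records = parse_pcap(data)
    out = [f"linktype {linktype}, {len(records)} packet(s)"]
    for n, (ts, orig_len, pkt) in enumerate(records, 1):
        out.append(f"packet {n}: ts={ts:.6f} captured={len(pkt)} wire={orig_len}")
        out.append(hexdump(pkt))
    return "\n".join(out)


# Constructed sample input: the 60-byte ARP request from the answer's tcpdump output,
# plus a made-up 20-byte second frame, wrapped in a pcap file we write ourselves.
ARP_REQUEST = bytes.fromhex(
    "ffffffffffff00e05280760008060001"
    "08000604000100e0528076000a780401"
    "0000000000000a7804ff000000000000"
    "000000000000000000000000"
)
SECOND_FRAME = bytes.fromhex("00e0528076000010f39388700800") + b"hello!"


def build_sample_pcap(endian: str = "<") -> bytes:
    """Minimal pcap 2.4, linktype 1 (Ethernet); '<' yields the d4c3 b2a1 start seen in the question."""
    header = struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    body = b""
    for ts_sec, ts_usec, frame in ((1623050000, 708517, ARP_REQUEST), (1623050001, 1, SECOND_FRAME)):
        body += struct.pack(endian + "IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame
    return header + body


if __name__ == "__main__":
    import sys
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    print(dump_packets(raw))
```

Run it with a path to a real capture as the first argument to dump that file, or with no argument to dump the constructed sample. It handles only the classic pcap format; a file that starts with 0a0d 0d0a is pcapng, which has a block-based layout and is rejected with an error rather than misparsed.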