网络安全与技术
Highlighted
网络安全与技术

推荐wireshark自带的改包小工具text2pcap

修改时间 ‎06-21-2011 05:46 PM

感谢FengGang同学发现这个小工具。一个直接将文本文件转变为pcap的工具。

在一个H323 customer bug的验证过程中需要packet replay,需要replay抓的包,包的格式如附件info_request1.pcap所示。

包的层次在wireshark中显示如下:

Frame1

Juniper Ethernet

Ethernet 2

IP

UDP

H323 payload

 

直接用tcprewrite修改包由于不认识”Juniper Ethernet“这一层, 无法做任何修改,肿么办?

Steps:

1.先将info_request1.pcap存为文本文件test_info.txt 如下:

0000   4d 47 43 81 00 06 04 04 45 00 00 00 00 22 83 97  MGC.....E...."..
0010   6d 02 00 23 47 f3 2b 00 08 00 45 c0 00 c0 63 39  m..#G.+...E...c9
0020   00 00 1c 11 74 c8 ac 0f c8 03 cf eb 81 6d 06 b7  ....t........m..
0030   06 b7 00 ac 7b e1 5a c0 a8 5e 22 c0 82 01 01 00  ....{.Z..^".....
0040   07 54 61 6e 64 62 65 72 67 01 32 36 50 82 01 01  .Tandberg.26P...
0050   00 08 54 61 6e 64 62 65 72 67 04 00 00 35 00 33  ..Tandberg...5.3
0060   00 39 00 31 00 5f 00 65 00 6e 00 64 00 70 00 ac  .9.1._.e.n.d.p..
0070   0f c8 03 06 b7 01 00 ac 0f c8 03 06 b8 02 40 0a  ..............@.
0080   00 52 00 6f 00 79 00 73 00 65 00 43 00 69 00 74  .R.o.y.s.e.C.i.t
0090   00 79 00 48 00 53 05 00 4c cc 35 33 53 40 01 a0  .y.H.S..L.53S@..
00a0   6f 46 3d 39 2d 60 dc 61 11 df b5 95 00 0d 7c 02  oF=9-`.a......|.
00b0   0b 0c 04 00 cf eb 81 6d b2 50 08 1e 00 43 c8 00  .......m.P...C..
00c0   11 00 3d 39 2d 60 dc 61 11 df b5 94 00 0d 7c 02  ..=9-`.a......|.
00d0   0b 0c 01 00 0e 24 01 00 01 80                    .....$....

 

2.去掉”Juniper Ethernet“中所有的内容,再存为test_info.txt,内容如下:

0000   00 22 83 97 6d 02 00 23 47 f3 2b 00 08 00 45 c0
0010   00 c0 63 39 00 00 1c 11 74 c8 ac 0f c8 03 cf eb
0020   81 6d 06 b7 06 b7 00 ac 7b e1 5a c0 a8 5e 22 c0
0030   82 01 01 00 07 54 61 6e 64 62 65 72 67 01 32 36
0040   50 82 01 01 00 08 54 61 6e 64 62 65 72 67 04 00
0050   00 35 00 33 00 39 00 31 00 5f 00 65 00 6e 00 64
0060   00 70 00 ac 0f c8 03 06 b7 01 00 ac 0f c8 03 06
0070   b8 02 40 0a 00 52 00 6f 00 79 00 73 00 65 00 43
0080   00 69 00 74 00 79 00 48 00 53 05 00 4c cc 35 33
0090   53 40 01 a0 6f 46 3d 39 2d 60 dc 61 11 df b5 95
00a0   00 0d 7c 02 0b 0c 04 00 cf eb 81 6d b2 50 08 1e
00b0   00 43 c8 00 11 00 3d 39 2d 60 dc 61 11 df b5 94
00c0   00 0d 7c 02 0b 0c 01 00 0e 24 01 00 01 80

 

3.再用text2pcap将.txt文件转变为pcap文件。

C:\Program Files\Wireshark>text2pcap test_info.txt test_info.pcap

 

 

 

 

附件

11 条回复11
Highlighted
网络安全与技术
解决方案
已被 JanisW (Juniper Employee) 接受
‎08-26-2015 04:27 PM

回复: 推荐wireshark自带的改包小工具text2pcap

修改时间 ‎06-21-2011 05:49 PM

更多text2pcap的介绍。

=======================================================

NAME
text2pcap - Generate a capture file from an ASCII hexdump of packets

 

--------------------------------------------------------------------------------

SYNOPSIS
text2pcap [ -h ] [ -d ] [ -q ] [ -o hex|oct|dec ] [ -l <typenum> ] [ -e <l3pid> ] [ -i <proto> ] [ -m <max-packet> ] [ -u <srcport>,<destport> ] [ -T <srcport>,<destport> ] [ -s <srcport>,<destport>,<tag> ] [ -S <srcport>,<destport>,<ppi> ] [ -t <timefmt> ] <infile>|- <outfile>|-

 

--------------------------------------------------------------------------------

DESCRIPTION
Text2pcap is a program that reads in an ASCII hex dump and writes the data described into a libpcap capture file. text2pcap can read hexdumps with multiple packets in them, and build a capture file of multiple packets. text2pcap is also capable of generating dummy Ethernet, IP and UDP, TCP, or SCTP headers, in order to build fully processable packet dumps from hexdumps of application-level data only.

Text2pcap understands a hexdump of the form generated by od -Ax -tx1 -v. In other words, each byte is individually displayed and surrounded with a space. Each line begins with an offset describing the position in the file. The offset is a hex number (can also be octal or decimal - see -o), of more than two hex digits. Here is a sample dump that text2pcap can recognize:

    000000 00 e0 1e a7 05 6f 00 10 ........
    000008 5a a0 b9 12 08 00 46 00 ........
    000010 03 68 00 00 00 00 0a 2e ........
    000018 ee 33 0f 19 08 7f 0f 19 ........
    000020 03 80 94 04 00 00 10 01 ........
    000028 16 a2 0a 00 03 50 00 0c ........
    000030 01 01 0f 19 03 80 11 01 ........
There is no limit on the width or number of bytes per line. Also the text dump at the end of the line is ignored. Bytes/hex numbers can be uppercase or lowercase. Any text before the offset is ignored, including email forwarding characters '>'. Any lines of text between the bytestring lines is ignored. The offsets are used to track the bytes, so offsets must be correct. Any line which has only bytes without a leading offset is ignored. An offset is recognized as being a hex number longer than two characters. Any text after the bytes is ignored (e.g. the character dump). Any hex numbers in this text are also ignored. An offset of zero is indicative of starting a new packet, so a single text file with a series of hexdumps can be converted into a packet capture with multiple packets. Packets may be preceded by a timestamp. These are interpreted according to the format given on the command line (see -t). If not, the first packet is timestamped with the current time the conversion takes place. Multiple packets are written with timestamps differing by one microsecond each. In general, short of these restrictions, text2pcap is pretty liberal about reading in hexdumps and has been tested with a variety of mangled outputs (including being forwarded through email multiple times, with limited line wrap etc.)

There are a couple of other special features to note. Any line where the first non-whitespace character is '#' will be ignored as a comment. Any line beginning with #TEXT2PCAP is a directive and options can be inserted after this command to be processed by text2pcap. Currently there are no directives implemented; in the future, these may be used to give more fine grained control on the dump and the way it should be processed e.g. timestamps, encapsulation type etc.

Text2pcap also allows the user to read in dumps of application-level data, by inserting dummy L2, L3 and L4 headers before each packet. The user can elect to insert Ethernet headers, Ethernet and IP, or Ethernet, IP and UDP/TCP/SCTP headers before each packet. This allows Wireshark or any other full-packet decoder to handle these dumps.

 

--------------------------------------------------------------------------------

OPTIONS
-h
Displays a help message.

-d
Displays debugging information during the process. Can be used multiple times to generate more debugging information.

-q
Be completely quiet during the process.

-o hex|oct|dec
Specify the radix for the offsets (hex, octal or decimal). Defaults to hex. This corresponds to the -A option for od.

-l
Specify the link-layer type of this packet. Default is Ethernet (1). See net/bpf.h for the complete list of possible encapsulations. Note that this option should be used if your dump is a complete hex dump of an encapsulated packet and you wish to specify the exact type of encapsulation. Example: -l 7 for ARCNet packets.

-e <l3pid>
Include a dummy Ethernet header before each packet. Specify the L3PID for the Ethernet header in hex. Use this option if your dump has Layer 3 header and payload (e.g. IP header), but no Layer 2 encapsulation. Example: -e 0x806 to specify an ARP packet.

For IP packets, instead of generating a fake Ethernet header you can also use -l 12 to indicate a raw IP packet to Wireshark. Note that -l 12 does not work for any non-IP Layer 3 packet (e.g. ARP), whereas generating a dummy Ethernet header with -e works for any sort of L3 packet.

-i <proto>
Include dummy IP headers before each packet. Specify the IP protocol for the packet in decimal. Use this option if your dump is the payload of an IP packet (i.e. has complete L4 information) but does not have an IP header with each packet. Note that an appropriate Ethernet header is automatically included with each packet as well. Example: -i 46 to specify an RSVP packet (IP protocol 46).

-m <max-packet>
Set the maximum packet length, default is 64000. Useful for testing various packet boundaries when only an application level datastream is available. Example:

od -Ax -tx1 stream | text2pcap -m1460 -T1234,1234 - stream.pcap

will convert from plain datastream format to a sequence of Ethernet TCP packets.

-u <srcport>,<destport>
Include dummy UDP headers before each packet. Specify the source and destination UDP ports for the packet in decimal. Use this option if your dump is the UDP payload of a packet but does not include any UDP, IP or Ethernet headers. Note that appropriate Ethernet and IP headers are automatically also included with each packet. Example: -u1000,69 to make the packets look like TFTP/UDP packets.

-T <srcport>,<destport>
Include dummy TCP headers before each packet. Specify the source and destination TCP ports for the packet in decimal. Use this option if your dump is the TCP payload of a packet but does not include any TCP, IP or Ethernet headers. Note that appropriate Ethernet and IP headers are automatically also included with each packet. Sequence numbers will start at 0.

-s <srcport>,<destport>,<tag>
Include dummy SCTP headers before each packet. Specify, in decimal, the source and destination SCTP ports, and verification tag, for the packet. Use this option if your dump is the SCTP payload of a packet but does not include any SCTP, IP or Ethernet headers. Note that appropriate Ethernet and IP headers are automatically also included with each packet. A CRC32C checksum will be put into the SCTP header.

-S <srcport>,<destport>,<ppi>
Include dummy SCTP headers before each packet. Specify, in decimal, the source and destination SCTP ports, and a verification tag of 0, for the packet, and prepend a dummy SCTP DATA chunk header with a payload protocol identifier if ppi. Use this option if your dump is the SCTP payload of a packet but does not include any SCTP, IP or Ethernet headers. Note that appropriate Ethernet and IP headers are automatically included with each packet. A CRC32C checksum will be put into the SCTP header.

-t <timefmt>
Treats the text before the packet as a date/time code; timefmt is a format string of the sort supported by strptime(3). Example: The time "10:15:14.5476" has the format code "%H:%M:%S."

NOTE: The subsecond component delimiter must be specified (.) but no pattern is required; the remaining number is assumed to be fractions of a second.

NOTE: Date/time fields from the current date/time are used as the default for unspecified fields.

Highlighted
网络安全与技术

回复: 推荐wireshark自带的改包小工具text2pcap

修改时间 ‎06-29-2011 01:39 PM

这工具不错啊。

装wireshark的时候会自动安装这个么?

网络安全与技术

回复: 推荐wireshark自带的改包小工具text2pcap

修改时间 ‎06-29-2011 01:46 PM

是的,装wireshark时自动装上的,在C:\Program Files\Wireshark目录下的text2pcap.exe可执行文件。在Windows的cmd下cd到该目录就可以执行。

Highlighted
网络安全与技术

回复: 推荐wireshark自带的改包小工具text2pcap

修改时间 ‎06-29-2011 01:50 PM

双击 一闪就没了?

Highlighted
网络安全与技术

回复: 推荐wireshark自带的改包小工具text2pcap

修改时间 ‎06-29-2011 01:54 PM

不用直接双击那个exe文件。你进入dos提示符状态(开始=》Run=》敲cmd),然后cd 到C:\Program Files\Wireshark,然后你敲 text2pcap就可以看到对参数的一些说明。

Highlighted
网络安全与技术

回复: 推荐wireshark自带的改包小工具text2pcap

修改时间 ‎06-29-2011 01:55 PM

我再试一下

Highlighted
网络安全与技术

回复: 推荐wireshark自带的改包小工具text2pcap

修改时间 ‎06-29-2011 02:23 PM

我抓的包里共有6个packet, 存成txt文件的,我删掉了一个packet。再用text2pcap程序还原成pcap文件,结果转化成的只有一个packet,这是怎么回事?

Highlighted
网络安全与技术

回复: 推荐wireshark自带的改包小工具text2pcap

修改时间 ‎06-29-2011 02:32 PM

搞定了。刚才有错误。谢谢

Highlighted
网络安全与技术

回复: 推荐wireshark自带的改包小工具text2pcap

修改时间 ‎07-24-2011 04:42 PM

不错啊,以前还真没注意。

 

btw,里面还有dumpcap,rawshark,tshark,editcap好几个小工具。听名字都挺有用的,有空可以研究一下

Highlighted
网络安全与技术

回复: 推荐wireshark自带的改包小工具text2pcap

修改时间 ‎07-24-2011 07:25 PM

皮特你赶紧研究啊!等你的分享。高兴表情

Highlighted
网络安全与技术

回复: 推荐wireshark自带的改包小工具text2pcap

修改时间 ‎12-29-2011 06:24 PM

text2pcap这个工具确实非常有用。

 

我现在测试的SCTP,都是用该工具生成报文, 再用tcpreplay来回放报文的。

 

贴一小段当时Champagne用python语言编写,通过调用此功能来生成pcap文件的代码。

#-----------将数据包转换成PCAP文件--------------------------------

    curdir = os.getcwd()    #获取当前目录

    tool_flag = True
    t2p = 'text2pcap.exe'

    print '\n'
    print "Creating pcap files, please wait..."
    print '\n'

    while tool_flag:

        ethereal_dir = "c:\program files\wireshark"
        if os.path.isdir(ethereal_dir):
            t2p_ = "%s\\%s" %(ethereal_dir,t2p)
            if os.path.exists(t2p_):
                tool_flag = False
                continue

        ethereal_dir = "c:\program files\ethereal"
        if os.path.isdir(ethereal_dir):
            t2p_ = "%s\\%s" %(ethereal_dir,t2p)
            if os.path.exists(t2p_):
                tool_flag = False
                continue
       
        ethereal_dir = raw_input("Can't find ethereal or wireshark on your computer. Please install ethereal or wireshark, or input the right directory :")

            
        if os.path.isdir(ethereal_dir):
            t2p_ = "%s\\%s" %(ethereal_dir,t2p)
            if os.path.exists(t2p_):
                tool_flag = False                 

    #----------------定义bat文件,用来调用cmd和ethereal生成pcap--------------
    text2pcap = file("text2pcap.bat", 'w') 

 

 

JNCIE-SEC