convert txt packet data to pcap format to open it by Wireshark

Question

Hi I am working on application where I have to read live packets from network work on it. And display it in sophisticated way.

But problem is I have packet but it is in text file, so to open it by Wireshark I have to convert it in .pcap format.

So how can I convert packet in text to pcap format.

My text file format is like this shown below,

Frame:
Frame:          number = 0
Frame:       timestamp = 2014-02-13 09:39:11.288
Frame:     wire length = 174 bytes
Frame: captured length = 174 bytes
Frame:
Eth:  ******* Ethernet - "Ethernet" - offset=0 (0x0) length=14 
Eth: 
Eth:      destination = 01:00:5e:7f:ff:fa
Eth:                    .... ..0. .... .... = [0] LG bit
Eth:                    .... ...0 .... .... = [0] IG bit
Eth:           source = ec:9a:74:4d:8e:03
Eth:                    .... ..0. .... .... = [0] LG bit
Eth:                    .... ...0 .... .... = [0] IG bit
Eth:             type = 0x800 (2048) [ip version 4]
Eth: 
Ip:  ******* Ip4 - "ip version 4" - offset=14 (0xE) length=20 protocol suite=NETWORK
Ip: 
Ip:          version = 4
Ip:             hlen = 5 [5 * 4 = 20 bytes, No Ip Options]
Ip:         diffserv = 0x0 (0)
Ip:                    0000 00.. = [0] code point: not set
Ip:                    .... ..0. = [0] ECN bit: not set
Ip:                    .... ...0 = [0] ECE bit: not set
Ip:           length = 160
Ip:               id = 0x4CD1 (19665)
Ip:            flags = 0x0 (0)
Ip:                    0.. = [0] reserved
Ip:                    .0. = [0] DF: do not fragment: not set
Ip:                    ..0 = [0] MF: more fragments: not set
Ip:           offset = 0
Ip:              ttl = 0 [time to live]
Ip:             type = 17 [next: User Datagram]
Ip:         checksum = 0xB0AA (45226) [correct]
Ip:           source = 124.125.80.90
Ip:      destination = 239.255.255.250
Ip: 
Udp:  ******* Udp offset=34 (0x22) length=8 
Udp: 
Udp:           source = 58845
Udp:      destination = 1900
Udp:           length = 140
Udp:         checksum = 0x5154 (20820) [correct]
Udp: 
Data:  ******* Payload offset=42 (0x2A) length=132 
Data: 
002a: 4d 2d 53 45  41 52 43 48  20 2a 20 48  54 54 50 2f    M-SEARCH * HTTP/
003a: 31 2e 31 0d  0a 48 6f 73  74 3a 32 33  39 2e 32 35    1.1..Host:239.25
004a: 35 2e 32 35  35 2e 32 35  30 3a 31 39  30 30 0d 0a    5.255.250:1900..
005a: 53 54 3a 75  72 6e 3a 73  63 68 65 6d  61 73 2d 75    ST:urn:schemas-u
006a: 70 6e 70 2d  6f 72 67 3a  64 65 76 69  63 65 3a 57    pnp-org:device:W
007a: 41 4e 43 6f  6e 6e 65 63  74 69 6f 6e  44 65 76 69    ANConnectionDevi
008a: 63 65 3a 31  0d 0a 4d 61  6e 3a 22 73  73 64 70 3a    ce:1..Man:"ssdp:
009a: 64 69 73 63  6f 76 65 72  22 0d 0a 4d  58 3a 33 0d    discover"..MX:3.
00aa: 0a 0d 0a 00 

Answer 1

If you have raw packets captured you can write them directly to pcap file format (see man 5 pcap-savefile) or use hexdump/xxd+text2pcap utility as ahkcoder recommends. Text2pcap also supports generation of dummy L2-4 headers (ethernet, ip, tcp/udp/sctp).

If you have only text representation, you can either reconstruct packet from it (so, generate all appropriate headers for each protocol used in your system) or adjust hex dump part offsets (to begin from 0000) and feed it to text2pcap.

Answer 2

Wireshark provides a command line pcap converter for Text Files:

https://www.wireshark.org/docs/man-pages/text2pcap.html

AutoHotkey solution:

; Change appropriate file locations
Run, %A_ProgramFiles%\ethereal\text2pcap.exe c:\test.txt c:\testconv.cap,%A_ProgramFiles%\ethereal

If you want to do a fully automated solution you can modify this function which actively watches a directory for file changes/creation.

http://www.autohotkey.com/board/topic/41653-watchdirectory/