tcpip

Reputation: 462

Importing hex stream into Wireshark

I have a 64-byte hex stream of a frame:

000A959D6816000A959A651508004500002E000000004006AF160A010101C0A8000A11D71EC6000000000000000050000000AD840000000102030405CC904CE3

How can I import it into Wireshark and see the whole packet? The option of importing a hex dump doesn't seem to work in my case if I save this stream into a text file and load it.

Upvotes: 5

Views: 11332

Answers (3)

tcpip

Reputation: 462

Since this stream is in hex, and od doesn't seem to work for hex-to-hexdump conversion, the solution would be to convert this hex back to binary, and then use od -Ax -tx1 -v [file] on that binary file.

xxd -r -p [hexfile] [binaryfile]
od -Ax -tx1 -v [binaryfile]

Note: Use the combination -r -p to read plain hexadecimal dumps without line number information and without a particular column layout.

Upvotes: 10

vilpan

Reputation: 596

A hex stream can be transformed into an od-like format by filtering it through a couple of coreutils. The output can be fed into text2pcap, for example, to also set a link-layer type.

{ printf '0000 '; printf '%s\n' "$hex_stream" | fold -w 2 | paste -sd ' ' -; } | text2pcap -l 147 - "$file"

hex_stream is the data to be dissected and file is the pcap file to be written by text2pcap. I use this as part of a script that generates a temporary pcap from a hex stream and invokes tshark to dissect it - this gives me the dissection result immediately with no manual intervention.

The How to Dissect Anything page in the Wireshark wiki has further information on dissection of arbitrary data.

Upvotes: 2

the6p4c

Reputation: 664

If you format your hex string as shown in this page, you should be able to use the Import from Hex Dump dialog to import the file you've created.

Upvotes: 0
