I Smell Packets


Wirehex.pl – A Perl Script
June 2, 2009, 9:13 pm
Filed under: perl, wirehex.pl

In response to the request for more ways to convert hex dumps to pcap files, John Wohlbery (@jonw18 on Twitter) wrote the following dirty little Perl script. Basically, it follows the same steps that were discussed in the previous post: prefix the dump with an offset so that text2pcap will accept it.

wirehex.pl

#!/usr/bin/perl
use strict;
use warnings;

# The hex dump to convert is the first command-line argument.
my $file = $ARGV[0];
defined $file or die "USAGE: $0 <FILE_TO_OPEN>\n\n";
open(my $wh, '<', $file)
    or die "Could not open $file: $!\nUSAGE: $0 <FILE_TO_OPEN>\n\n";

# Slurp every line of the dump.
my @everything = <$wh>;
close($wh);

# Emit a single zero offset, then the whole dump on that same line with
# each line break turned into a space, so text2pcap sees one offset line.
print "000000 ";
for my $x (0 .. $#everything) {
    $everything[$x] =~ s/\r|\n/ /g;
    print $everything[$x];
}

The command line syntax for the script is as follows:

wirehex.pl <NAME_OF_TEXT_FILE>

Everything can also be done on a single command-line like so:

wirehex.pl <NAME_OF_TEXT_FILE> | text2pcap - <OUTPUT.pcap>; tcpdump -v -r <OUTPUT.pcap>

The script can also be downloaded from the I Smell Packets Group on Google.

http://groups.google.com/group/ismellpackets
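As an added example (not the post's script and not any commenter's code), here is a Python converter that covers what the single-offset approach above leaves out: a dump holding several packets separated by blank lines, lines of uneven length and spacing, and a check that rejects any token that is not a hex byte. It writes six-digit hex offsets, text2pcap's default radix, and restarts each packet at 000000, which text2pcap takes as the start of a new packet; the sample dump and the script name are constructed for this example.

```python
import re
import sys

# Constructed sample input (not from the challenge): two packets separated
# by a blank line, with ragged line lengths and uneven spacing.
SAMPLE_DUMP = """\
ff ff ff ff ff ff 00 11  22 33 44 55 08 00
45 00 00 1c

00 11 22 33 44 55 66 77 88 99 aa bb 08 06 00 01
"""

HEX_BYTE = re.compile(r"^[0-9a-fA-F]{2}$")

def parse_dump(text):
    """Split a hex dump into packets (lists of byte values). A blank line
    ends the current packet; every token on a data line must be exactly
    two hex digits, so stray text is rejected rather than folded in."""
    packets, current = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        tokens = line.split()
        if not tokens:              # blank line: packet boundary
            if current:
                packets.append(current)
                current = []
            continue
        for tok in tokens:
            if not HEX_BYTE.match(tok):
                raise ValueError("line %d: bad token %r" % (lineno, tok))
            current.append(int(tok, 16))
    if current:
        packets.append(current)
    return packets

def to_text2pcap(packets, width=16):
    """Render packets as text2pcap input: a six-digit hex offset (its
    default radix) and up to `width` bytes per line. text2pcap starts a
    new packet when the offset returns to 000000, so no separator is
    needed between packets."""
    lines = []
    for pkt in packets:
        for off in range(0, len(pkt), width):
            chunk = " ".join("%02x" % b for b in pkt[off:off + width])
            lines.append("%06x %s" % (off, chunk))
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    # Usage: python wirehex_multi.py DUMP.txt | text2pcap - OUTPUT.pcap
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DUMP
    sys.stdout.write(to_text2pcap(parse_dump(text)))
```

Because the offsets here are hex, no extra text2pcap flag is needed; the decimal offsets produced by the scripts in the comments below only line up when text2pcap is told the radix with -o dec.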


7 Comments so far

I guess it is just tcpdump that allows all 0s for the offset, so I wrote a small program to develop offsets for this particular challenge to include offsets. It could be improved, say remove whitespace and reformat the strings, have a variable number of bytes per line, and better checking for a new packet.

#!/usr/bin/perl
# Format for text2pcap, using dec offset and newline = new packet
use strict;
use warnings;

# Open the dump named on the command line
my $filename = shift;
open(FILE, '<', $filename) or die "Can't open $filename : $!";

my $offset = 0;
foreach my $line (<FILE>) {
    my $off = sprintf "%06d", $offset;

    if ($line =~ /^\s/) {
        # blank line: the next packet starts again at offset 0
        $offset = 0;
        print "\n";
    } else {
        print "$off $line";    # $line still carries its own newline
        $offset = $offset + 16;
    }
}
close(FILE);

Comment by Dave S

That’s awesome. Thanks.

Comment by ismellpackets

In better Perl (more modern, readable and reliable):

#!/usr/bin/perl

use strict; use warnings;
my $file = $ARGV[0];

open(my $wh, '<', $file) || die ("Could not open $!\nUSAGE: $0 \n\n");
my @everything = <$wh>; # read whole file

print "000000 ";
for my $x (0..$#everything)
{
    $everything[$x] =~ s/\r|\n/ /g;
    print $everything[$x];
}

Comment by Alexandr Ciornii

Very nice.

Comment by ismellpackets

I see that some of the symbols were eaten. New attempt:

#!/usr/bin/perl

use strict; use warnings;
my $file = $ARGV[0];

open(my $wh, '<', $file) || die ("Could not open: $!\nUSAGE: $0 \n\n");
my @everything = <$wh>; # read whole file

print "000000 ";
for my $x (0..$#everything)
{
    $everything[$x] =~ s/\r|\n/ /g;
    print $everything[$x];
}

Comment by Alexandr Ciornii

Is that right now?

Comment by ismellpackets

OK, I'm very late to the party. I've just begun working on the challenges, from the first one.

Here is the Python version, with a single file containing all packets.

#! /usr/bin/python
import sys

with open(sys.argv[1]) as f:
    count = 0
    for line in f:
        if line == '\n':
            # blank line: the next packet starts again at offset 0
            count = 0
        else:
            print "%06d" % count + " " + line
            # advance the offset by the number of bytes on this line
            count += len(line.split())

If each packet dump is in its own file, the script could be made smaller.

#! /usr/bin/python
import sys

with open(sys.argv[1]) as f:
    count = 0
    for line in f:
        print "%06d" % count + " " + line
        # advance the offset by the number of bytes on this line
        count += len(line.split())

Usage:
wirehex.py

cheers,
Hani.

Comment by Hani @kroosec Benhabiles
