I Smell Packets


Wirehex.pl – A Perl Script
June 2, 2009, 9:13 pm
Filed under: perl, wirehex.pl

In response to the request for more ways to convert hex dumps to pcap files, John Wohlbery (@jonw18 on twitter) wrote the following dirty little perl script. Basically, it follows the same steps that were discussed in the previous post.

wirehex.pl

#!/usr/bin/perl
# wirehex.pl - flatten a hex dump into a single text2pcap line prefixed with offset 000000
use strict;
use warnings;

my $file = $ARGV[0];
defined $file or die("USAGE: $0 <FILE_TO_OPEN>\n\n");

open(my $wh, '<', $file) || die("Could not open $!\nUSAGE: $0 <FILE_TO_OPEN>\n\n");
my @everything = <$wh>;    # slurp the whole dump
close($wh);

# text2pcap expects an offset at the start of each line; all bytes are
# printed on one line here, so a single 000000 offset is enough
print "000000 ";
for my $x (0 .. $#everything) {
    $everything[$x] =~ s/\r|\n/ /g;    # turn line endings into spaces
    print $everything[$x];
}

The command line syntax for the script is as follows:

wirehex.pl <NAME_OF_TEXT_FILE>

Everything can also be done on a single command-line like so:

wirehex.pl <NAME_OF_TEXT_FILE> | text2pcap - <OUTPUT.pcap>; tcpdump -v -r <OUTPUT.pcap>

The script can also be downloaded from the I Smell Packets Group on Google.

http://groups.google.com/group/ismellpackets
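The same conversion in Python, as an added example that is not part of the original post or any script posted here: it turns a whitespace-separated hex dump into text2pcap input with hex offsets (text2pcap's default), restarts the offset at 0 for every blank-line-separated packet, accepts packed runs such as 4500001c, and rejects non-hex tokens rather than emitting a broken dump. The function names and the sample dump are my own constructions.

```python
import re

HEXRUN = re.compile(r"^[0-9A-Fa-f]+$")


def tokenize(line):
    """Split one dump line into two-character hex bytes.
    Accepts spaced bytes ('45 00') and packed runs ('4500001c').
    Rejects non-hex tokens and odd-length runs instead of guessing."""
    out = []
    for tok in line.split():
        if not HEXRUN.match(tok) or len(tok) % 2:
            raise ValueError("not a hex byte sequence: %r" % tok)
        out.extend(tok[i:i + 2].lower() for i in range(0, len(tok), 2))
    return out


def hexdump_to_text2pcap(text, bytes_per_line=16):
    """Return text2pcap input lines with hex offsets (its default, -o hex).
    A blank line in the input separates packets; each packet restarts at
    offset 0, which is how text2pcap recognises the start of a new frame."""
    packets, current = [], []
    for line in text.splitlines():
        if not line.strip():
            if current:
                packets.append(current)
                current = []
            continue
        current.extend(tokenize(line))
    if current:
        packets.append(current)
    lines = []
    for pkt in packets:
        for off in range(0, len(pkt), bytes_per_line):
            lines.append("%06x %s" % (off, " ".join(pkt[off:off + bytes_per_line])))
    return lines


# Constructed sample: two 20-byte dumps, one spaced and one partly packed,
# separated by a blank line (not traffic from the original post).
SAMPLE = """\
45 00 00 14 00 01 00 00 40 01 00 00 0a 00 00 01
0a 00 00 02

4500001c 00020000 40110000
0a 00 00 01 0a 00 00 02
"""

if __name__ == "__main__":
    print("\n".join(hexdump_to_text2pcap(SAMPLE)))
```

The output can be piped straight into `text2pcap - out.pcap` as in the one-liner above.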


7 Comments so far


I guess it is just tcpdump that allows all 0’s for the offset, so I wrote a small program to develop offsets for this particular challenge to include offsets. It could be improved, say remove whitespace and reformat the strings, have a variable bytes per line, and better checking for a new packet

#!/usr/bin/perl
# Format for text2pcap, using dec offset and newline = new packet
use strict;
use warnings;

# Open
my $filename = shift;
open( FILE, "<", $filename ) or die "Can't open $filename : $!";

my $offset = 0;
foreach my $line (<FILE>) {
    my $off = sprintf "%06d", $offset;

    if ($line =~ /^\s/) {
        # blank line: the next packet starts again at offset 0
        $offset = 0;
        print "\n";
    } else {
        print "$off $line";
        $offset = $offset + 16;    # assumes 16 bytes per dump line
    }
}
close (FILE);

Comment by Dave S


That’s awesome. Thanks.

Comment by ismellpackets


In better Perl (more modern, readable and reliable):

#!/usr/bin/perl

use strict; use warnings;
my $file = $ARGV[0];

open (my $wh, '<', $file) || die ("Could not open $!\nUSAGE: $0 <FILE_TO_OPEN>\n\n");
my @everything = <$wh>; #read whole file

print "000000 ";
for my $x (0..$#everything)
{
    $everything[$x] =~ s/\r|\n/ /g;
    print $everything[$x];
}

Comment by Alexandr Ciornii


Very nice.

Comment by ismellpackets


I see that some of the symbols were eaten. New attempt:

#!/usr/bin/perl

use strict; use warnings;
my $file = $ARGV[0];

open (my $wh, '<', $file) || die ("Could not open: $!\nUSAGE: $0 <FILE_TO_OPEN>\n\n");
my @everything = <$wh>; #read whole file

print "000000 ";
for my $x (0..$#everything)
{
    $everything[$x] =~ s/\r|\n/ /g;
    print $everything[$x];
}

Comment by Alexandr Ciornii


Is that right now?

Comment by ismellpackets


Ok, I’m very late to the party. I’ve just begun working on the challenges from the first one.

Here is the Python version, with a single file containing all packets.

#! /usr/bin/python
import sys

# Offsets are decimal, so feed the output to text2pcap with -o dec.
with open(sys.argv[1]) as f:
    count = 0
    for line in f:
        if line == "\n":
            count = 0          # blank line: next packet starts at offset 0
        else:
            # strip the line's own newline so print() does not double it
            print("%06d %s" % (count, line.rstrip("\n")))
            count += len(line.split())   # one token per byte

If each packet dump is in its own file, the script could be made smaller.

#! /usr/bin/python
import sys

# Offsets are decimal, so feed the output to text2pcap with -o dec.
with open(sys.argv[1]) as f:
    count = 0
    for line in f:
        print("%06d %s" % (count, line.rstrip("\n")))
        count += len(line.split())   # one token per byte

Usage:
wirehex.py <NAME_OF_TEXT_FILE>

cheers,
Hani.

Comment by Hani @kroosec Benhabiles