In response to the request for more ways to convert hex dumps to pcap files, John Wohlbery (@jonw18 on Twitter) wrote the following dirty little Perl script. Basically, it follows the same steps that were discussed in the previous post.
wirehex.pl
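#!/usr/bin/perl
# Join a multi-line hex dump into a single line with a leading offset,
# so that text2pcap reads the whole dump as one packet.
use strict;
use warnings;

my $file = $ARGV[0];
die "USAGE: $0 <FILE_TO_OPEN>\n\n" unless defined $file;
# Three-argument open: the file name is never parsed as a mode or a pipe.
open(my $wh, '<', $file) or die "Could not open $file: $!\nUSAGE: $0 <FILE_TO_OPEN>\n\n";
my @everything = <$wh>;
close($wh);

# The offset that starts the packet for text2pcap.
print "000000 ";
for my $line (@everything) {
    $line =~ s/\r|\n/ /g;    # replace line endings with spaces
    print $line;
}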
The command line syntax for the script is as follows:
wirehex.pl <NAME_OF_TEXT_FILE>
Everything can also be done on a single command-line like so:
wirehex.pl <NAME_OF_TEXT_FILE> | text2pcap - <OUTPUT.pcap>; tcpdump -v -r <OUTPUT.pcap>
The script can also be downloaded from the I Smell Packets Group on Google.
http://groups.google.com/group/ismellpackets
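The two stages of that pipeline (flatten the dump, then let text2pcap wrap it) can also be done in one script, which shows what ends up in the pcap file. This is an added example, not part of wirehex.pl or of the original post; the name hex2pcap.pl, the default output name sample.pcap and the ARP frame under __DATA__ are constructed for illustration. It assumes the input is bare hex byte pairs separated by whitespace (the same input wirehex.pl takes) and an Ethernet link type.

```perl
#!/usr/bin/perl
# hex2pcap.pl (hypothetical name): added example, not the original wirehex.pl.
use strict;
use warnings;

# Convert bare hex-dump text (byte pairs separated by whitespace, no offset
# or ASCII columns) into raw bytes; refuse anything that is not a hex byte.
sub hex_to_bytes {
    my ($text) = @_;
    my @tokens = split ' ', ($text // '');
    die "no packet bytes found\n" unless @tokens;
    for my $t (@tokens) {
        die "not a hex byte: '$t'\n" unless $t =~ /\A[0-9A-Fa-f]{2}\z/;
    }
    return pack 'H*', join '', @tokens;
}

# Classic little-endian pcap holding one packet: 24-byte file header,
# 16-byte record header, then the packet bytes.
sub build_pcap {
    my ($packet, $linktype) = @_;
    $linktype //= 1;                 # assumption: 1 = Ethernet, text2pcap's default
    my $len = length $packet;
    die "packet longer than snaplen\n" if $len > 65535;
    # magic, version 2.4, thiszone, sigfigs, snaplen, link type
    my $file_hdr = pack 'VvvVVVV', 0xa1b2c3d4, 2, 4, 0, 0, 65535, $linktype;
    # ts_sec, ts_usec, captured length, original length
    my $rec_hdr  = pack 'VVVV', time(), 0, $len, $len;
    return $file_hdr . $rec_hdr . $packet;
}

my ($in, $out) = @ARGV;
my $fh;
if (defined $in) { open($fh, '<', $in) or die "Could not open $in: $!\n" }
else             { $fh = \*DATA }    # constructed sample below
my $text = do { local $/; <$fh> };
$out //= 'sample.pcap';

my $bytes = hex_to_bytes($text);
open(my $pcap, '>:raw', $out) or die "Could not write $out: $!\n";
print {$pcap} build_pcap($bytes);
close($pcap) or die "Could not close $out: $!\n";
print STDERR "wrote ", length($bytes), "-byte packet to $out\n";

__DATA__
ff ff ff ff ff ff 00 11 22 33 44 55 08 06 00 01
08 00 06 04 00 01 00 11 22 33 44 55 c0 00 02 01
00 00 00 00 00 00 c0 00 02 02
```

Run with no arguments it writes the 42-byte sample frame to sample.pcap, which can be read back with the same tcpdump -v -r command shown above; a dump that still carries offsets or an ASCII column is rejected instead of being turned into a malformed packet.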
In case you missed it, here is a link to Jim Clausing’s (@jclausing on Twitter) solution to last week’s challenge:
http://isc.sans.org/diary.html?storyid=6352
Awesome use of Perl and text2pcap!