Friday, August 12, 2011

Convert hex dump into pcap

Recently, I came across an old packet challenge on the ismellpackets blog which consists of finding a secret in a four-packet capture. The problem is that the packets were given as a hex dump of this form:
00 0c 29 4c 6d a6 00 0c 29 0e 66 bd 08 00 45 00
00 f6 04 38 40 00 80 06 b7 77 c0 a8 5e 80 c0 a8
5e 81 0d 0d 01 bd 42 d0 33 b5 d2 64 26 85 50 18
fa 97 0e ae 00 00 00 00 00 ca ff 53 4d 42 73 00
...
One possible way to convert it to the pcap file format is to use text2pcap.
But we first have to turn it into a format text2pcap accepts, by adding the byte offset at the beginning of each line (see man text2pcap and man od for more info):
000000 00 0c 29 4c 6d a6 00 0c 29 0e 66 bd 08 00 45 00
000016 00 f6 04 38 40 00 80 06 b7 77 c0 a8 5e 80 c0 a8
000032 5e 81 0d 0d 01 bd 42 d0 33 b5 d2 64 26 85 50 18
000048 fa 97 0e ae 00 00 00 00 00 ca ff 53 4d 42 73 00
...
The offset can be in decimal, hexadecimal or octal.

Not a very hard task. I copied all the packets into a text file named input and made the changes with a quick Python script:
with open("input") as f:
    count = 0                      # byte offset within the current packet
    for line in f:
        if line == '\n':           # blank line separates two packets: restart at offset 0
            count = 0
        else:
            # line already ends with a newline, so do not let print() add another one
            print("%06d" % count + " " + line, end="")
            count += len(line.split())
The if line=='\n' test resets the offset to 000000, since the 4 packets are separated by a blank line (text2pcap starts a new packet whenever it sees offset 0).
We can now pipe the result into text2pcap:
text2pcap <options> <infile> <outfile>
$python myscript.py | text2pcap -o dec - output.pcap
The default offset format for text2pcap is hexadecimal; in our case the offsets would then have been 000000 000010 000020 000030 etc.
We use -o dec to specify that the offset is in decimal.
The - specifies that the input is read from stdin.
output.pcap is the output file. We can open it in Wireshark.


We could also have piped the output into tcpdump, for instance, to look at the packets directly:
$python myscript.py | text2pcap -o dec - - | tcpdump -Xnnr -
That's it. There are many other ways and already existing scripts that could do the same job.

Update:
I came across another challenge in which the packet dump was given in this format:
4500 0527 0001 4000 4006 0000 c0a8 0102
c0a8 0101 2b67 0014 0000 006f 0000 006f
5018 0200 aa32 0000 ffd8 ffe0 0010 4a46
Here's the modified version of the script, which supports this format:
import sys

with open(sys.argv[1]) as f:
    count = 0                      # byte offset within the current packet
    for line in f:
        if line == '\n':           # blank line separates two packets: restart at offset 0
            count = 0
        else:
            # split each group such as "4500" into the bytes "45" and "00";
            # a group that is already a single byte ("45") is kept as is
            string = []
            for group in line.split():
                string.extend(group[i:i + 2] for i in range(0, len(group), 2))
            print("%06d" % count + " " + ' '.join(string))
            count += len(string)
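As an added example (not code from the post), here is a script that generalizes both versions above: it parses either dump layout (byte pairs or 16-bit groups), starts a new packet at each blank line, emits the offset-prefixed text for text2pcap -o dec, and can also write the pcap file directly using the classic 24-byte global header and 16-byte record headers, so text2pcap becomes optional. The sample dump and the timestamps are constructed for the example.

```python
import struct

# Constructed sample: two Ethernet frames separated by a blank line. The first is
# written as byte pairs (the post's first dump style), the second as 16-bit groups
# (the "Update" style); the second frame is simply the first 16 bytes of the first.
SAMPLE_DUMP = """\
00 0c 29 4c 6d a6 00 0c 29 0e 66 bd 08 00 45 00
00 f6 04 38 40 00 80 06 b7 77 c0 a8 5e 80 c0 a8

000c 294c 6da6 000c 290e 66bd 0800 4500
"""

def parse_hex_dump(text):
    """Return a list of packets (bytes). A blank line ends the current packet; each
    whitespace-separated token may carry one or more bytes ("0c" or "4500")."""
    packets, current = [], bytearray()
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:                      # blank line: packet boundary
            if current:
                packets.append(bytes(current))
                current = bytearray()
            continue
        for tok in tokens:                  # bytes.fromhex rejects odd or non-hex tokens
            current += bytes.fromhex(tok)
    if current:
        packets.append(bytes(current))
    return packets

def to_text2pcap(packets):
    """Offset-prefixed text for `text2pcap -o dec`; offset 0 marks a new packet."""
    lines = []
    for pkt in packets:
        for off in range(0, len(pkt), 16):
            hexbytes = " ".join("%02x" % b for b in pkt[off:off + 16])
            lines.append("%06d %s" % (off, hexbytes))
    return "\n".join(lines) + "\n"

def to_pcap(packets, linktype=1):
    """Build a classic little-endian pcap (magic 0xa1b2c3d4) in memory, no text2pcap needed.
    linktype 1 = Ethernet; use 101 (LINKTYPE_RAW) when the dump starts at the IP header."""
    # global header: magic, major 2, minor 4, thiszone, sigfigs, snaplen, linktype
    out = struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, linktype)
    for i, pkt in enumerate(packets):
        # record header: ts_sec, ts_usec, incl_len, orig_len (timestamps are constructed)
        out += struct.pack("<IIII", i, 0, len(pkt), len(pkt)) + pkt
    return out
```

Writing to_pcap(parse_hex_dump(SAMPLE_DUMP)) to a file opened with "wb" gives a capture Wireshark opens directly; the link type must match what the dump contains, or the dissector will misread the first bytes.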

2 comments:

  1. Hi.. I was trying to decode CREATE_PDP_Req generated in my system in HEX to PCAP.. Pls help if you have any idea..


  2. I have a .dump file and want to convert it to pcap
