
How can I read the raw packet data from my /dev/nvme0n1p with Wireshark?

I have raw packets which have been stored in a device of my Linux system. Below is the content of one of my packets: ff ff ff ff ff ff 00 00 00 00 00 02 81 00 ab ab ab ab ab ab ab ab ab ab. Like that, I have n number of packets which have been stored in my /dev/nvme0n1p.

The problem which I am facing now is that I convert this raw data from the device with the command below: od -Ax -tx1 -v /dev/nvme0n1p1 [file_name]

and when I import this data with Wireshark, Wireshark doesn't understand where my packet ends, so I see only one packet with a large number of bytes in the data.

Any idea how I can read all my packets with Wireshark?

rkprabhatk, asked 2019-07-16 08:55:25 +0000

Comments

  1. By "stored in device" do you mean that there's a file system on that device, or just raw data?

  2. Is there one packet or are there multiple packets?

  3. Is it just raw packet data or are there any headers, such as pcap packet headers, giving information such as the packet length and packet time stamps?

Guy Harris (2019-07-16 22:39:50 +0000)

Please find below the answers to your questions:

  1. By "stored in device" do you mean that there's a file system on that device, or just raw data? -> I have not created a file inside the device; I am just dumping my raw packet data into the device.

  2. Is there one packet or are there multiple packets? -> There are multiple packets.

  3. Is it just raw packet data or are there any headers, such as pcap packet headers, giving information such as the packet length and packet time stamps? -> Now this is the important point. I have tried both ways: by including the packet header along with the packet data, and also by storing only the packet data. But it did not help.

When I include the packet header, Wireshark thinks my pcap header is the start of my packet data and takes the first bytes as the destination MAC address.

The problem which I am suspecting ... (more)

rkprabhatk (2019-07-17 07:17:42 +0000)

2 Answers


If you read the text2pcap manual carefully it says: "An offset of zero is indicative of starting a new packet, so a single text file with a series of hexdumps can be converted into a packet capture with multiple packets."

Jaap, answered 2019-07-16 13:53:39 +0000

Comments

Yes, you are perfectly right according to the text2pcap manual. But if you read my question carefully, the situation here is not exactly the same.

Let me clarify my question again: I am storing the raw packets directly to a Linux system device like /dev/nvme0n1p1. Every device has an index number for storing the data, and since I have a large number of packets, it will keep on storing the data and incrementing the index according to the byte length.

Now the problem comes after the first packet: new packet data will be stored with an incremented index, not with index zero, which is the real problem here while importing the hex data into Wireshark.

rkprabhatk (2019-07-17 07:35:25 +0000)
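Jaap's point about the zero offset can be applied directly to the dump described in the question. The Python script below is an added example, not code from this thread or from the Wireshark project: it parses od -Ax -tx1 -v output back into bytes, cuts the byte stream into frames using a list of frame lengths (an assumption, since the post does not say how the writer marks frame boundaries), and re-emits a hexdump whose offset column restarts at 000000 for every frame, which is the boundary text2pcap looks for. The od output and the second, 20-byte frame are constructed sample data; the first frame is the one quoted in the question.

```python
from __future__ import annotations
import re
from typing import Iterable

# Constructed sample: what "od -Ax -tx1 -v" prints for two back-to-back frames
# (the asker's 24-byte frame followed by a made-up 20-byte frame). The offset
# column runs on continuously, so text2pcap would treat the whole dump as one
# packet. The final line is od's trailing "total length" offset.
OD_DUMP = """\
000000 ff ff ff ff ff ff 00 00 00 00 00 02 81 00 ab ab
000010 ab ab ab ab ab ab ab ab 00 11 22 33 44 55 66 77
000020 88 99 aa bb 08 00 45 00 00 14 00 00
00002c
"""

# One od line: hex offset, then zero or more two-digit hex bytes.
OD_LINE = re.compile(r"^([0-9a-fA-F]+)((?:\s+[0-9a-fA-F]{2})*)\s*$")


def od_to_bytes(dump: str) -> bytes:
    """Parse 'od -Ax -tx1 -v' output back into the raw byte stream it shows."""
    out = bytearray()
    for line in dump.splitlines():
        m = OD_LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised od line: {line!r}")
        out += bytes.fromhex(m.group(2).replace(" ", ""))
    return bytes(out)


def split_frames(stream: bytes, lengths: Iterable[int]) -> list[bytes]:
    """Cut the stream into frames of the given lengths (assumed known here;
    a real writer would need a length field or fixed-size slots)."""
    frames, pos = [], 0
    for n in lengths:
        if pos + n > len(stream):
            raise ValueError(f"frame of {n} bytes at offset {pos} runs past the dump")
        frames.append(stream[pos:pos + n])
        pos += n
    if pos != len(stream):
        raise ValueError(f"{len(stream) - pos} trailing bytes not covered by lengths")
    return frames


def to_text2pcap(frames: list[bytes]) -> str:
    """Render frames as a text2pcap hexdump: 16 bytes per line and the offset
    restarting at 000000 for every frame, which text2pcap uses as the
    packet boundary."""
    lines = []
    for frame in frames:
        for off in range(0, len(frame), 16):
            chunk = frame[off:off + 16]
            lines.append(f"{off:06x} " + " ".join(f"{b:02x}" for b in chunk))
        lines.append("")  # blank line between packets keeps the dump readable
    return "\n".join(lines)


def count_packets(dump: str) -> int:
    """Number of packets text2pcap would produce from a dump: one per
    line whose offset is zero."""
    return sum(1 for line in dump.splitlines() if line.startswith("000000 "))


def rebase_od_dump(dump: str, lengths: Iterable[int]) -> str:
    """Full pipeline: od output with running offsets -> text2pcap input."""
    return to_text2pcap(split_frames(od_to_bytes(dump), lengths))


if __name__ == "__main__":
    # The sample dump counts as 1 packet; the re-based dump counts as 2.
    print(rebase_od_dump(OD_DUMP, [24, 20]))
```

The re-based text can be piped straight into text2pcap (for example `text2pcap - out.pcap`, reading the dump from standard input) and the resulting file opened in Wireshark. If the frames on the device are not a fixed size, the lengths list has to come from wherever the writing side records them; without a length field or delimiter there is no way for any tool to recover the boundaries from the bytes alone.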

In order for Wireshark to be able to read your packets, they need to be stored in one of the file formats Wireshark understands. The oldest and simplest format Wireshark can read is the pcap format, as outlined on https://wiki.wireshark.org/Development/LibpcapFileFormat.

Simply put, you need to have the following elements:

  1. A pcap file header
  2. Per packet:
    1. A pcap packet header
    2. The raw packet data

You can also use the newer and more versatile pcapng format as described on https://github.com/pcapng/pcapng.

SYN-bit, answered 2019-07-19 10:12:12 +0000
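The two-level layout listed in this answer (one file header, then a record header in front of every frame) is small enough to write and read back by hand. The Python below is an added example, not the answerer's code or anything from libpcap or Wireshark; it follows the classic pcap layout from the linked wiki page (24-byte global header, 16-byte record header, microsecond timestamps, LINKTYPE_ETHERNET = 1). The frames, timestamps and output file name are constructed sample data. parse_pcap checks the magic number, the version, the snaplen bound and record truncation, so a byte stream that begins with a record header instead of the file header (the situation the asker describes in the comments) is rejected rather than misread as frames.

```python
from __future__ import annotations
import struct
from typing import Iterable

PCAP_MAGIC = 0xA1B2C3D4          # microsecond-resolution pcap, as written
PCAP_MAGIC_SWAPPED = 0xD4C3B2A1  # same magic seen from the other byte order
LINKTYPE_ETHERNET = 1
# magic, version_major, version_minor, thiszone, sigfigs, snaplen, linktype
GLOBAL_HDR = struct.Struct("<IHHiIII")
# ts_sec, ts_usec, incl_len (bytes saved in the file), orig_len (bytes on the wire)
RECORD_HDR = struct.Struct("<IIII")

# Constructed sample frames: the 24-byte frame quoted in the question and a
# made-up 20-byte Ethernet frame (dst, src, EtherType 0x0800, IPv4 stub).
SAMPLE_FRAMES = [
    bytes.fromhex("ffffffffffff" "000000000002" "8100" "abababababababababab"),
    bytes.fromhex("001122334455" "66778899aabb" "0800" "450000140000"),
]


def build_pcap(frames: Iterable[bytes], base_ts: float = 0.0, snaplen: int = 65535) -> bytes:
    """Wrap raw frames in a pcap file: one global header, then a record header
    before every frame. Timestamps are constructed here (1 ms apart); a real
    writer would record the time each frame was captured."""
    out = bytearray(GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
    for i, frame in enumerate(frames):
        sec, usec = divmod(int(round((base_ts + i * 1e-3) * 1_000_000)), 1_000_000)
        captured = frame[:snaplen]  # incl_len may be shorter than orig_len
        out += RECORD_HDR.pack(sec, usec, len(captured), len(frame))
        out += captured
    return bytes(out)


def parse_pcap(data: bytes) -> list[tuple[int, int, bytes]]:
    """Read a pcap file back as (ts_sec, ts_usec, frame) tuples, validating the
    parts a reader has to trust: magic, version, incl_len <= snaplen and
    incl_len <= orig_len, and that every record fits in the remaining bytes."""
    if len(data) < GLOBAL_HDR.size:
        raise ValueError("too short for a pcap global header")
    (magic,) = struct.unpack_from("<I", data)
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == PCAP_MAGIC_SWAPPED:
        end = ">"
    else:
        raise ValueError(f"bad magic 0x{magic:08x}: not a pcap file")
    ghdr, rhdr = struct.Struct(end + "IHHiIII"), struct.Struct(end + "IIII")
    _, major, minor, _, _, snaplen, _ = ghdr.unpack_from(data)
    if (major, minor) != (2, 4):
        raise ValueError(f"unsupported pcap version {major}.{minor}")
    packets, pos = [], ghdr.size
    while pos < len(data):
        if len(data) - pos < rhdr.size:
            raise ValueError(f"truncated record header at offset {pos}")
        sec, usec, incl, orig = rhdr.unpack_from(data, pos)
        pos += rhdr.size
        if incl > snaplen or incl > orig or len(data) - pos < incl:
            raise ValueError(f"bad record length {incl} at offset {pos - rhdr.size}")
        packets.append((sec, usec, data[pos:pos + incl]))
        pos += incl
    return packets


if __name__ == "__main__":
    blob = build_pcap(SAMPLE_FRAMES, base_ts=1563267325.0)
    with open("frames_from_device.pcap", "wb") as fh:  # constructed output name
        fh.write(blob)
    for sec, usec, frame in parse_pcap(blob):
        print(f"{sec}.{usec:06d} {len(frame):4d} bytes  {frame[:14].hex(' ')}")
```

Written this way, the record header is what tells Wireshark where each frame ends, so the question of "where does my packet end" is answered by incl_len rather than by hexdump offsets. The same check that rejects a missing file header also catches a dump whose record headers were displaced by extra bytes, which is the failure mode to look for if the bytes read back from the device differ from what was written.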

Comments

Thanks for your answer. But this is not exactly what I am looking for; I tried the way you are telling me and it did not help here.

The important point which we have to understand here is: I am dumping my data directly to the device (/dev/nvme0n1p block device), not as a normal file like (.pcap).

So even if I dump my data in the pcap format, when I read it back from the device into a file (like .pcap), it will have the device index numbers, and that's where the data gets disturbed. Basically I need to read back the same data which I dumped into the device. I hope you understood my point.

Thanks and have a good day.

rkprabhatk (2019-07-19 10:30:06 +0000)

OK, good that you are aware of the need for a file header and a packet header per packet. I have no experience with reading from a device, so I do not know about device indices being added to the read output. If this is always the case with your device, you can't just read from the device; you will have to write some software to read from the device, strip the inserted indices (restoring the pcap format) and then pass the data to Wireshark or TShark.

SYN-bit (2019-07-19 15:02:48 +0000)