
Help needed converting text file from FortiGate to pcap


I need some help with TXT to PCAP conversion. I'd prefer to be able to inspect 2 packet captures I have that are formatted per the attached rather than recapture, but if it's not possible I will have to recapture.

Have basically tried every script and exe available online for TXT to PCAP conversion, related to FortiGate or otherwise. I know some people made their own. Anybody have ideas on getting this showing in Wireshark properly?

Need to view time of packets, packet protocol etc. The basics; currently the TXT to PCAP conversion works, but they all show Ethernet II as the protocol and are lacking information I need to inspect.

https://www.dropbox.com/s/ll0tq0c7951...

asked by aLi3nZ, 2019-10-26 09:59:45 +0000; updated by Guy Harris, 2019-10-26 19:32:15 +0000

Comments

You mentioned fortigate. Is the fgt2eth.pl script not working?
https://kb.fortinet.com/kb/documentLi...
"Troubleshooting Tool: Using the FortiOS built-in packet sniffer"

Chuckc (2019-10-26 14:11:14 +0000)

Thank you so much everyone, I will try these solutions out tonight and report back.

aLi3nZ (2019-10-27 06:45:03 +0000)

I am facing this problem. please tell me, if you anyone know about this

posentred (2019-10-29 12:13:52 +0000)

I am facing this problem. please tell me, if you anyone know about this

If "this problem" is trying to read a pcap generated from a FortiGate packet text dump, read the answers given here.

Guy Harris (2019-10-29 19:24:11 +0000)

3 Answers


This script will convert your data to a format "Import hex dump" can understand:

cat albany.txt |\
awk '# hex-dump lines ("0x0010 4500 0034 ..."): split each 4-digit word into two bytes so the
     # output is "<offset> <byte> <byte> ..." as the importer expects; the three-argument
     # match() that fills the array a[] is a gawk extension, so run this with gawk
     $1 ~ "0x" {match($0,/^0x(.... ..)(..) (..)(..) (..)(..) (..)(..) (..)(..) (..)(..) (..)(..) (..)(..)/,a);
                printf("%s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s\n", a[1],a[2],a[3],a[4],a[5],a[6],a[7],a[8],a[9],a[10],a[11],a[12],a[13],a[14],a[15],a[16]);
                next
               }
     # packet summary lines: the leading relative seconds become HH:MM:SS for the timestamp field
     $1 ~ "[0-9].[0-9]+" {printf("%02d:%02d:%02d\n",($1%86400)/3600,($1%3600)/60,$1%60);next}
     # everything else is passed through unchanged
               {print}' > for-hex-import.txt

Then within "import from hexdump", use the following settings:

  • offsets: hexadecimal
  • Timestamp format: %H:%M:%S
  • Encapsulation type: Ethernet
  • Use an Ethernet dummy header, with ethertype 0x800

SYN-bit, answered 2019-10-26 19:04:53 +0000

Comments

Or set the encapsulation type to Raw IP or Raw IPv4, that doesn't require a fake Ethernet header.

Jaap (2019-10-26 19:42:37 +0000)

The instructions outlined by SYN-bit to convert to Hexdump using the script then import to wireshark worked flawlessly.

Thank you so much for your help

aLi3nZ (2019-10-28 22:26:05 +0000)

You should post your comment as a comment to SYN-bit's answer rather than an answer in its own right. Unfortunately the Ask software doesn't allow me to do that for you.

grahamb (2019-10-28 22:49:15 +0000)

Unfortunately the Ask software doesn't allow me to do that for you.

It does, but it's kind of like playing Tower of Hanoi - if you convert enough items between comments and answers and comments again, in the right order, you eventually end up with the right results; I just did that.

Guy Harris (2019-10-29 03:19:28 +0000)

The instructions outlined by SYN-bit to convert to Hexdump using the script then import to wireshark worked flawlessly.

Perfect!

Thank you so much for your help

You're very welcome :-)

SYN-bit (2019-10-29 06:58:13 +0000)

From the Fortinet page:

Also attached is the fgt2eth.pl script that will convert a verbose level 3 or 6 sniffer output, into a file readable and decodable by Ethereal/Wireshark.

Also:

Verbose levels in detail:
1: print header of packets
2: print header and data from IP of packets
3: print header and data from Ethernet of packets
4: print header of packets with interface name
5: print header and data from IP of packets with interface name
6: print header and data from Ethernet of packets with interface name

And looking at the text dump, I only see the data from the IP layer up and no interface names, so I suspect 'level 2' was used during capturing. If you change your capture level, you will be able to convert the traces with fgt2eth.pl

SYN-bit, answered 2019-10-26 19:00:30 +0000, updated 2019-10-29 22:47:02 +0000

Comments

You probably want to try level 3 or level 6, as that prints the header and data "from Ethernet", meaning that it presumably includes the Ethernet header, rather than printing "from IP", meaning it starts with the IP header and omits the Ethernet header.

Guy Harris (2019-10-29 19:24:57 +0000)

For whatever reason, whatever device wrote that file did not write out the Ethernet headers - the hex dumps start with the IP header. (If you see 0x45 in a packet hex dump, there's a good chance that it's the first byte of an IPv4 header.)

And, for whatever reason, it doesn't have an option to write out the pcap file with a link-layer header type other than Ethernet.

Fortunately, Wireshark comes with a program that can, among other things, read a capture file and write it out with a different link-layer header type, without changing the packet data, so you can fix an incorrect type; that's the editcap program.

If you run

editcap -T rawip -F pcap {output of fgt2eth.pl} {fixed file}

where "{output of fgt2eth.pl}" is the pathname of the file you wrote with fgt2eth.pl and "{fixed file}" is the pathname to which you want editcap to write the fixed file, and then read the fixed file, that should work. (I'm guessing from the "exe" in "Have basically tried every script and exe" that you're running on Windows; you will need to run editcap from a console window, and you may have to find out where editcap.exe is and run it with a full path.)

Guy Harris, answered 2019-10-26 19:30:04 +0000
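A worked conversion that does in one place what the three answers describe, added here as an example; it is not code from this thread, from Fortinet's fgt2eth.pl or from Wireshark. It assumes the verbose-2 layout the question shows: a summary line that starts with a relative timestamp in seconds, then "0x0000 ..." hex lines whose bytes begin at the IP header (the 0x45 Guy Harris points at). It writes a pcap with link type 101 (Raw IP, which is what Jaap's import option and "editcap -T rawip" both produce) or, optionally, with a zero-MAC dummy Ethernet header and EtherType 0x0800 as in SYN-bit's import settings; set_linktype() rewrites the link-type field of an existing pcap's global header, the editcap -T step done by hand. The sample dump, its addresses and packets are constructed, and the function and constant names are mine.

```python
import re
import struct
from typing import List, Optional, Tuple

LINKTYPE_ETHERNET = 1
LINKTYPE_RAW = 101            # packet data begins with an IPv4/IPv6 header (Wireshark: "Raw IP")
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD
PCAP_MAGIC = 0xA1B2C3D4       # classic pcap, microsecond timestamps

# Summary line (assumed layout): "<sec>.<frac> <src> -> <dst>: ..."
_SUMMARY_RE = re.compile(r"^(\d+)\.(\d+)\s")
# Hex line: "0x<offset>" then up to 8 groups of 4 hex digits (16 bytes); the trailing
# ASCII column is not consumed.  Tabs or runs of spaces between fields are accepted.
_HEX_RE = re.compile(r"^0x([0-9a-fA-F]{4})\s+((?:[0-9a-fA-F]{4}\s+){0,7}[0-9a-fA-F]{2,4})")

Packet = Tuple[int, int, bytes]   # (ts_sec, ts_usec, bytes starting at the IP header)


def parse_fortigate_dump(text: str) -> List[Packet]:
    """Collect each summary line and its hex lines into one packet; other lines are ignored."""
    packets: List[Packet] = []
    ts: Optional[Tuple[int, int]] = None
    buf = bytearray()

    def flush() -> None:
        if ts is not None and buf:        # a summary without hex lines (verbose 1) yields no packet
            packets.append((ts[0], ts[1], bytes(buf)))

    for lineno, line in enumerate(text.splitlines(), 1):
        m = _SUMMARY_RE.match(line)
        if m:
            flush()
            # keep the fraction exact: "2.3456" -> 345600 usec, no float rounding
            ts = (int(m.group(1)), int(m.group(2).ljust(6, "0")[:6]))
            buf = bytearray()
            continue
        m = _HEX_RE.match(line)
        if m and ts is not None:
            offset = int(m.group(1), 16)
            if offset != len(buf):        # a missing or duplicated line would silently corrupt the packet
                raise ValueError(f"line {lineno}: offset 0x{offset:04x} but {len(buf)} bytes collected")
            buf.extend(bytes.fromhex("".join(m.group(2).split())))
    flush()
    return packets


def to_pcap(packets: List[Packet], dummy_ethernet: bool = False, base_sec: int = 0) -> bytes:
    """Serialize packets as a pcap file: link type 101 with the bytes as-is, or link type 1
    with a zero-MAC Ethernet header and matching EtherType prepended.  base_sec is added to
    every timestamp; relative sniffer times otherwise display as 1970-01-01 in Wireshark."""
    linktype = LINKTYPE_ETHERNET if dummy_ethernet else LINKTYPE_RAW
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)]
    for sec, usec, data in packets:
        if dummy_ethernet:
            ethertype = ETHERTYPE_IPV6 if data[0] >> 4 == 6 else ETHERTYPE_IPV4
            data = b"\x00" * 12 + struct.pack("!H", ethertype) + data
        out.append(struct.pack("<IIII", sec + base_sec, usec, len(data), len(data)))
        out.append(data)
    return b"".join(out)


def set_linktype(pcap: bytes, linktype: int) -> bytes:
    """Rewrite only the link-type field (bytes 20..23 of the global header), leaving the
    packet records untouched, which is what "editcap -T" does for a wrongly tagged pcap."""
    if int.from_bytes(pcap[:4], "little") != PCAP_MAGIC:
        raise ValueError("not a little-endian microsecond pcap file")
    return pcap[:20] + struct.pack("<I", linktype) + pcap[24:]


# Constructed sample in the verbose-2 layout: a TCP SYN and an ICMP echo request from
# 192.168.1.10 to 10.0.0.1 (IP header checksums are valid, the TCP checksum is left 0).
SAMPLE_DUMP = """\
interfaces=[any]
filters=[host 10.0.0.1]
2.345678 192.168.1.10.50000 -> 10.0.0.1.443: syn 1
0x0000\t 4500 0028 0001 4000 4006 6f1c c0a8 010a\tE..(..@.@.o.....
0x0010\t 0a00 0001 c350 01bb 0000 0001 0000 0000\t.....P..........
0x0020\t 5002 2000 0000 0000                    \tP. .....
2.351234 192.168.1.10 -> 10.0.0.1: icmp: echo request
0x0000   4500 001c 0002 0000 4001 af2c c0a8 010a   E.......@.......
0x0010   0a00 0001 0800 f7ff 0000 0000             ................

2 packets received by filter
0 packets dropped by kernel
"""

if __name__ == "__main__":
    pkts = parse_fortigate_dump(SAMPLE_DUMP)
    with open("fortigate-sample.pcap", "wb") as fh:
        fh.write(to_pcap(pkts))
    print(f"wrote {len(pkts)} packets as raw IP (link type {LINKTYPE_RAW})")
```

Run it as-is to get fortigate-sample.pcap, or replace SAMPLE_DUMP with the contents of the sniffer text file; Wireshark dissects the raw-IP file from the IP layer with no fake Ethernet frame to explain away. The offset check is worth keeping: a dump copied out of a terminal often loses or repeats a line, and without it the bytes of one packet silently shift into the next. Time stamps are written unchanged, so a relative-seconds capture shows absolute times in 1970 unless base_sec is set, but the ordering and the deltas the question asks about are preserved.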
