Is it possible to directly dissect a hex data instead of a packet?

retag add tags

I'm not sure if this even makes sense, but I have a built in dissector inside of wireshark/tshark but I'm not gonna be parsing packets and dissecting it. Instead, I will receive the "data field" in hex format by another process, and I would like to dissect that.

Note: that if this data was part of a UDP payload, wireshark can dissect it

Text2pcap can be used for this, it can take in the hex data and prepend headers such as UDP and output a pcap (or pcapng) file that can be read by Wireshark allowing normal dissection to take place.

23.8k

grahamb

answered 2020-05-28 15:52:48 +0000

edit flag offensive 0 remove flag delete link

Comments

Or you can go into File|Import from Hex Dump which can do basically the same.

Jaap (2020-05-28 16:10:05 +0000) edit

Gosh these new features that I keep forgetting about!

grahamb (2020-05-28 16:36:34 +0000) edit

Thank you for Text2pcap. One last thing. If the protocol is a custom protocol ( not UDP ), how should I use text2pcap to allow for creation of the packet with that protocol?

aznboystride (2020-05-28 16:54:33 +0000) edit

By constructing headers for the custom protocol yourself, and prepending them to the data. See my answer to the question you asked about this.

Guy Harris (2020-05-28 18:38:51 +0000) edit

add a comment see more comments

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account. This space is reserved only for answers. If you would like to engage in a discussion, please instead post a comment under the question or an answer that you would like to discuss.

Is it possible to directly dissect a hex data instead of a packet? edit

Comments

1 Answer

Comments