summaryrefslogtreecommitdiffstats
path: root/doc/text2pcap.adoc
diff options
context:
space:
mode:
Diffstat (limited to 'doc/text2pcap.adoc')
-rw-r--r--doc/text2pcap.adoc421
1 files changed, 421 insertions, 0 deletions
diff --git a/doc/text2pcap.adoc b/doc/text2pcap.adoc
new file mode 100644
index 00000000..ab894747
--- /dev/null
+++ b/doc/text2pcap.adoc
@@ -0,0 +1,421 @@
+include::../docbook/attributes.adoc[]
+= text2pcap(1)
+:doctype: manpage
+:stylesheet: ws.css
+:linkcss:
+:copycss: ../docbook/{stylesheet}
+
+== NAME
+
+text2pcap - Generate a capture file from an ASCII hexdump of packets
+
+== SYNOPSIS
+
+[manarg]
+*text2pcap*
+[ *-a* ]
+[ *-b* 2|8|16|64 ]
+[ *-D* ]
+[ *-e* <l3pid> ]
+[ *-E* <encapsulation type> ]
+[ *-F* <file format> ]
+[ *-i* <proto> ]
+[ *-l* <typenum> ]
+[ *-N* <intf-name> ]
+[ *-m* <max-packet> ]
+[ *-o* hex|oct|dec|none ]
+[ *-q* ]
+[ *-r* <regex> ]
+[ *-s* <srcport>,<destport>,<tag> ]
+[ *-S* <srcport>,<destport>,<ppi> ]
+[ *-t* <timefmt> ]
+[ *-T* <srcport>,<destport> ]
+[ *-u* <srcport>,<destport> ]
+[ *-4* <srcip>,<destip> ]
+[ *-6* <srcip>,<destip> ]
+<__infile__>|-
+<__outfile__>|-
+
+[manarg]
+*text2pcap*
+*-h|--help*
+
+[manarg]
+*text2pcap*
+*-v|--version*
+
+== DESCRIPTION
+
+*Text2pcap* is a program that reads in an ASCII hex dump and writes the
+data described into a capture file. *text2pcap* can read hexdumps with
+multiple packets in them, and build a capture file of multiple packets.
+*Text2pcap* is also capable of generating dummy Ethernet, IP, and UDP, TCP
+or SCTP headers, in order to build fully processable packet dumps from
+hexdumps of application-level data only.
+
+*Text2pcap* can write the file in several output formats.
+The *-F* flag can be used to specify the format in which to write the
+capture file, *text2pcap -F* provides a list of the available output
+formats. By default, it writes the packets to __outfile__ in the *pcapng*
+file format.
+
+*Text2pcap* understands a hexdump of the form generated by __od -Ax
+ -tx1 -v__. In other words, each byte is individually displayed, with
+spaces separating the bytes from each other. Hex digits can be upper
+or lowercase.
+
+In normal operation, each line must begin with an offset describing the
+position in the packet, followed a colon, space, or tab separating it from
+the bytes. There is no limit on the width or number of bytes per line, but
+lines with only hex bytes without a leading offset are ignored (in other words,
+line breaks should not be inserted in long lines that wrap.) Offsets are more
+than two digits; they are in hex by default, but can also be in octal or
+decimal - see *-o*. Each packet must begin with offset zero, and an offset
+zero indicates the beginning of a new packet. Offset values must be correct;
+an unexpected value causes the current packet to be aborted and the next
+packet start awaited. There is also a single packet mode with no offsets;
+see *-o*.
+
+Packets may be preceded by a direction indicator ('I' or 'O') and/or a
+timestamp if indicated by the command line (see *-D* and *-t*). If both are
+present, the direction indicator precedes the timestamp. The format of the
+timestamps is specified as a mandatory parameter to *-t*. If no timestamp is
+parsed, in the case of the first packet the current system time is used, while
+subsequent packets are written with timestamps one microsecond later than that
+of the previous packet.
+
+Other text in the input data is ignored. Any text before the offset is
+ignored, including email forwarding characters '>'. Any text on a line
+after the bytes is ignored, e.g. an ASCII character dump (but see *-a* to
+ensure that hex digits in the character dump are ignored). Any line where
+the first non-whitespace character is a '#' will be ignored as a comment.
+Any lines of text between the bytestring lines are considered preamble;
+the beginning of the preamble is scanned for the direction indicator and
+timestamp as mentioned above and otherwise ignored.
+
+Any line beginning with #TEXT2PCAP is a directive and options
+can be inserted after this command to be processed by *text2pcap*.
+Currently there are no directives implemented; in the future, these may
+be used to give more fine grained control on the dump and the way it
+should be processed e.g. timestamps, encapsulation type etc.
+
+In general, short of these restrictions, *text2pcap* is pretty liberal
+about reading in hexdumps and has been tested with a variety of
+mangled outputs (including being forwarded through email multiple
+times, with limited line wrap etc.)
+
+Here is a sample dump that *text2pcap* can recognize, with optional
+directional indicator and timestamp:
+
+ I 2019-05-14T19:04:57Z
+ 000000 00 0e b6 00 00 02 00 0e b6 00 00 01 08 00 45 00
+ 000010 00 28 00 00 00 00 ff 01 37 d1 c0 00 02 01 c0 00
+ 000020 02 02 08 00 a6 2f 00 01 00 01 48 65 6c 6c 6f 20
+ 000030 57 6f 72 6c 64 21
+ 000036
+
+*Text2pcap* is also capable of scanning a text input file using a custom Perl
+compatible regular expression that matches a single packet. *text2pcap*
+searches the given file (which must end with '\n') for non-overlapping non-empty
+strings matching the regex. Named capturing subgroups, which must match
+exactly once per packet, are used to identify fields to import. The following
+fields are supported in regex mode, one mandatory and three optional:
+
+ "data" Actual captured frame data to import
+ "time" Timestamp of packet
+ "dir" Direction of packet
+ "seqno" Arbitrary ID of packet
+
+The 'data' field is the captured data, which must be in a selected encoding:
+hexadecimal (the default), octal, binary, or base64 and containing no
+characters in the data field outside the encoding set besides whitespace.
+The 'time' field is parsed according to the format in the *-t* parameter.
+The first character of the 'dir' field is compared against a set of characters
+corresponding to inbound and outbound that default to "iI<" for inbound and
+"oO>" for outbound to assign a direction. The 'seqno' field is assumed to
+be a positive integer base 10 used for an arbitrary ID. An optional field's
+information will only be written if the field is present in the regex and if
+the capture file format supports it. (E.g., the pcapng format supports all
+three fields, but the pcap format only supports timestamps.)
+
+Here is a sample dump that the regex mode can process with the regex
+'^(?<dir>[<>])\s(?<time>\d+:\d\d:\d\d.\d+)\s(?<data>[0-9a-fA-F]+)$' along
+with timestamp format '%H:%M:%S.%f', directional indications of '<' and '>',
+and hex encoding:
+
+ > 0:00:00.265620 a130368b000000080060
+ > 0:00:00.280836 a1216c8b00000000000089086b0b82020407
+ < 0:00:00.295459 a2010800000000000000000800000000
+ > 0:00:00.296982 a1303c8b00000008007088286b0bc1ffcbf0f9ff
+ > 0:00:00.305644 a121718b0000000000008ba86a0b8008
+ < 0:00:00.319061 a2010900000000000000001000600000
+ > 0:00:00.330937 a130428b00000008007589186b0bb9ffd9f0fdfa3eb4295e99f3aaffd2f005
+ > 0:00:00.356037 a121788b0000000000008a18
+
+The regex is compiled with multiline support, and it is recommended to use
+the anchors '^' and '$' for best results.
+
+*Text2pcap* also allows the user to read in dumps of application-level
+data and insert dummy L2, L3 and L4 headers before each packet. This allows
+Wireshark or any other full-packet decoder to handle these dumps.
+If the encapsulation type is Ethernet, the user can elect to insert Ethernet
+headers, Ethernet and IP, or Ethernet, IP and UDP/TCP/SCTP headers before
+each packet. The fake headers can also be used with the Raw IP, Raw IPv4,
+or Raw IPv6 encapsulations, with the Ethernet header omitted. These
+encapsulation options can be used in both hexdump mode and regex mode.
+
+When <__infile__> or <__outfile__> are '-', standard input or standard
+output, respectively, are used.
+
+== OPTIONS
+
+-a::
++
+--
+Enables ASCII text dump identification. It allows one to identify the start of
+the ASCII text dump and not include it in the packet even if it looks like HEX.
+This parameter has no effect in regex mode.
+
+*NOTE:* Do not enable it if the input file does not contain the ASCII text dump.
+--
+
+-b 2|8|16|64::
++
+--
+Specify the base (radix) of the encoding of the packet data in regex mode.
+The supported options are 2 (binary), 8 (octal), 16 (hexadecimal), and 64
+(base64 encoding), with hex as the default. This parameter has no effect
+in hexdump mode.
+--
+
+-D::
++
+--
+Indicates that the text before each input packet may start either with an I
+or O indicating that the packet is inbound or outbound. If both this flag
+and the __t__ flag are used, the directional indicator is expected before
+the time code.
+This parameter has no effect in regex mode, where the presence of the `<dir>`
+capturing group determines whether direction indicators are expected.
+
+Direction indication is stored in the packet headers if the output format
+supports it (e.g. pcapng), and is also used when generating dummy headers
+to swap the source and destination addresses and ports as appropriate.
+--
+
+-e <l3pid>::
++
+--
+Include a dummy Ethernet header before each packet. Specify the L3PID
+for the Ethernet header in hex. Use this option if your dump has Layer
+3 header and payload (e.g. IP header), but no Layer 2
+encapsulation. Example: __-e 0x806__ to specify an ARP packet.
+
+For IP packets, instead of generating a fake Ethernet header you can
+also use __-E rawip__ or __-l 101__ to indicate raw IP encapsulation.
+Note that raw IP encapsulation does not work for any non-IP Layer 3 packet
+(e.g. ARP), whereas generating a dummy Ethernet header with __-e__ works
+for any sort of L3 packet.
+--
+
+-E <encapsulation type>::
++
+--
+Sets the packet encapsulation type of the output capture file.
+*text2pcap -E* provides a list of the available types; note that not
+all file formats support all encapsulation types. The default type is
+ether (Ethernet).
+
+*NOTE:* This sets the encapsulation type of the output file, but does
+not translate the packet headers or add additional headers. It is used
+to specify the encapsulation that matches the input data.
+--
+
+-F <file format>::
++
+--
+Sets the file format of the output capture file. *Text2pcap* can write
+the file in several formats; *text2pcap -F* provides a list of the
+available output formats. The default is the *pcapng* format.
+--
+
+-h|--help::
+Print the version number and options and exit.
+
+-i <proto>::
++
+--
+Include dummy IP headers before each packet. Specify the IP protocol
+for the packet in decimal. Use this option if your dump is the payload
+of an IP packet (i.e. has complete L4 information) but does not have
+an IP header with each packet. Note that an appropriate Ethernet header
+is automatically included with each packet as well if the link-layer
+type is Ethernet.
+Example: __-i 46__ to specify an RSVP packet (IP protocol 46). See
+https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml for
+the complete list of assigned internet protocol numbers.
+--
+
+-l <typenum>::
++
+--
+Sets the packet encapsulation type of the output capture file, using
+pcap link-layer header type numbers. Default is Ethernet (1).
+See https://www.tcpdump.org/linktypes.html for the complete list
+of possible encapsulations.
+Example: __-l 7__ for ARCNet packets encapsulated BSD-style.
+--
+
+-m <max-packet>::
++
+--
+Set the maximum packet length, default is 262144.
+Useful for testing various packet boundaries when only an application
+level datastream is available. Example:
+
+__od -Ax -tx1 -v stream | text2pcap -m1460 -T1234,1234 - stream.pcap__
+
+will convert from plain datastream format to a sequence of Ethernet
+TCP packets.
+--
+
+-N <intf-name>::
+Specify a name for the interface included when writing a pcapng format file.
+
+-o hex|oct|dec|none::
++
+--
+Specify the radix for the offsets (hex, octal, decimal, or none). Defaults to
+hex. This corresponds to the `-A` option for __od__. This parameter has no
+effect in regex mode.
+
+*NOTE:* With __-o none__, only one packet will be created, ignoring any
+direction indicators or timestamps after the first byte along with any offsets.
+--
+
+-P <dissector>::
++
+--
+Include an EXPORTED_PDU header before each packet. Specify, as a
+string, the dissector to be called for the packet (DISSECTOR_NAME tag).
+Use this option if your dump is the payload for a single upper layer
+protocol (so specifying a link layer type would not work) and you wish
+to create a capture file without a full dummy protocol stack.
+Automatically sets the link layer type to Wireshark Upper PDU export.
+Without this option, if the Upper PDU export link layer type (252) is
+selected the dissector defaults to "data".
+--
+
+-q::
+Don't display the summary of the options selected at the beginning, or the count of packets processed at the end.
+
+-r <regex>::
++
+--
+Process the file in regex mode using __regex__ as described above.
+
+*NOTE:* The regex mode uses memory-mapped I/O and does not work on
+streams that do not support seeking, like terminals and pipes.
+--
+
+-s <srcport>,<destport>,<tag>::
++
+--
+Include dummy SCTP headers before each packet. Specify, in decimal, the
+source and destination SCTP ports, and verification tag, for the packet.
+Use this option if your dump is the SCTP payload of a packet but does
+not include any SCTP, IP or Ethernet headers. Note that appropriate
+Ethernet and IP headers are automatically also included with each
+packet. A CRC32C checksum will be put into the SCTP header.
+--
+
+-S <srcport>,<destport>,<ppi>::
++
+--
+Include dummy SCTP headers before each packet. Specify, in decimal, the
+source and destination SCTP ports, and a verification tag of 0, for the
+packet, and prepend a dummy SCTP DATA chunk header with a payload
+protocol identifier if __ppi__. Use this option if your dump is the SCTP
+payload of a packet but does not include any SCTP, IP or Ethernet
+headers. Note that appropriate Ethernet and IP headers are
+automatically included with each packet. A CRC32C checksum will be put
+into the SCTP header.
+--
+
+-t <timefmt>::
++
+--
+Treats the text before the packet as a date/time code; __timefmt__ is a
+format string supported by strftime(3), supplemented with the field
+descriptor '%f' for fractional seconds up to nanoseconds.
+Example: The time "10:15:14.5476" has the format code "%H:%M:%S.%f"
+The special format string __ISO__ indicates that the string should be
+parsed according to the ISO-8601 specification. This parameter is used
+in regex mode if and only if the `<time>` capturing group is present.
+
+*NOTE:* Date/time fields from the current date/time are
+used as the default for unspecified fields.
+--
+
+-T <srcport>,<destport>::
++
+--
+Include dummy TCP headers before each packet. Specify the source and
+destination TCP ports for the packet in decimal. Use this option if
+your dump is the TCP payload of a packet but does not include any TCP,
+IP or Ethernet headers. Note that appropriate Ethernet and IP headers
+are automatically also included with each packet.
+Sequence numbers will start at 0.
+--
+
+-u <srcport>,<destport>::
++
+--
+Include dummy UDP headers before each packet. Specify the source and
+destination UDP ports for the packet in decimal. Use this option if
+your dump is the UDP payload of a packet but does not include any UDP,
+IP or Ethernet headers. Note that appropriate Ethernet and IP headers
+are automatically also included with each packet.
+Example: __-u1000,69__ to make the packets look like TFTP/UDP packets.
+--
+
+-v|--version::
+Print the full version information and exit.
+
+-4 <srcip>,<destip>::
++
+--
+Prepend dummy IP header with specified IPv4 dest and source address.
+This option should be accompanied by one of the following options: -i, -s, -S, -T, -u
+Use this option to apply "custom" IP addresses.
+Example: __-4 10.0.0.1,10.0.0.2__ to use 10.0.0.1 and 10.0.0.2 for all IP packets.
+--
+
+-6 <srcip>,<destip>::
++
+--
+Prepend dummy IP header with specified IPv6 dest and source address.
+This option should be accompanied by one of the following options: -i, -s, -S, -T, -u
+Use this option to apply "custom" IP addresses.
+Example: __-6 2001:db8::b3ff:fe1e:8329,2001:0db8:85a3::8a2e:0370:7334__ to
+use 2001:db8::b3ff:fe1e:8329 and 2001:0db8:85a3::8a2e:0370:7334 for all IP packets.
+--
+
+include::diagnostic-options.adoc[]
+
+== SEE ALSO
+
+od(1), xref:https://www.tcpdump.org/manpages/pcap.3pcap.html[pcap](3), xref:wireshark.html[wireshark](1), xref:tshark.html[tshark](1), xref:dumpcap.html[dumpcap](1), xref:mergecap.html[mergecap](1),
+xref:editcap.html[editcap](1), strftime(3), xref:https://www.tcpdump.org/manpages/pcap-filter.7.html[pcap-filter](7) or xref:https://www.tcpdump.org/manpages/tcpdump.1.html[tcpdump](8)
+
+== NOTES
+
+This is the manual page for *Text2pcap* {wireshark-version}.
+*Text2pcap* is part of the *Wireshark* distribution.
+The latest version of *Wireshark* can be found at https://www.wireshark.org.
+
+== AUTHORS
+
+.Original Author
+[%hardbreaks]
+Ashok Narayanan <ashokn[AT]cisco.com>