Text2pcap (Wireshark) 4.4.0 (v4.4.0rc1-11-g13699b5b3e78)
Generate a capture file from an ASCII hexdump of packets.
See https://www.wireshark.org for more information.

Usage: text2pcap [options] <infile> <outfile>

where <infile> specifies input filename (use - for standard input)
      <outfile> specifies output filename (use - for standard output)

Input:
  -o hex|oct|dec|none    parse offsets as (h)ex, (o)ctal, (d)ecimal, or (n)one;
                         default is hex.
  -t <timefmt>           treat the text before the packet as a date/time code;
                         <timefmt> is a format string supported by strptime,
                         with an optional %f descriptor for fractional seconds.
                         Example: The time "10:15:14.5476" has the format code
                         "%H:%M:%S.%f"
                         The special format string ISO supports ISO-8601 times.
                         NOTE: Date/time fields from the current date/time are
                         used as the default for unspecified fields.
  -D                     the text before the packet starts with an I or an O,
                         indicating that the packet is inbound or outbound.
                         This is used when generating dummy headers if the
                         output format supports it (e.g. pcapng).
  -a                     enable ASCII text dump identification.
                         The start of the ASCII text dump can be identified
                         and excluded from the packet data, even if it looks
                         like a HEX dump.
                         NOTE: Do not enable it if the input file does not
                         contain the ASCII text dump.
  -r <regex>             enable regex mode. Scan the input using <regex>, a Perl
                         compatible regular expression matching a single packet.
                         Named capturing subgroups are used to identify fields:
                         <data> (mand.), and <time>, <dir>, and <seqno> (opt.)
                         The time field format is taken from the -t option
                         Example: -r '^(?<dir>[<>])\s(?<time>\d+:\d\d:\d\d.\d+)\s(?<data>[0-9a-fA-F]+)$'
                         could match a file with lines like
                         > 0:00:00.265620 a130368b000000080060
                         < 0:00:00.295459 a2010800000000000000000800000000
  -b 2|8|16|64           encoding base (radix) of the packet data in regex mode
                         (def: 16: hexadecimal) No effect in hexdump mode.

Output:
                         if the output file(s) have the .gz extension, then
                         gzip compression will be used.
  -F <capture type>      set the output file type; default is pcapng.
                         an empty "-F" option will list the file types.
  -E <encap type>        set the output file encapsulation type; default is
                         ether (Ethernet). An empty "-E" option will list
                         the encapsulation types.
  -l <typenum>           set the output file encapsulation type via link-layer
                         type number; default is 1 (Ethernet). See
                         https://www.tcpdump.org/linktypes.html for a list of
                         numbers.
                         Example: -l 7 for ARCNet packets.
  -m <max-packet>        max packet length in output; default is 262144
  -N <intf-name>         assign name to the interface in the pcapng file.
  --compress <type>      Compress the output file using the type compression format.

Prepend dummy header:
  -e <ethertype>         prepend dummy Ethernet II header with specified EtherType
                         (in HEX).
                         Example: -e 0x806 to specify an ARP packet.
  -i <proto>             prepend dummy IP header with specified IP protocol
                         (in DECIMAL).
                         Automatically prepends Ethernet header as well if
                         link-layer type is Ethernet.
                         Example: -i 46
  -4 <srcip>,<destip>    prepend dummy IPv4 header with specified
                         source and destination addresses.
                         Example: -4 10.0.0.1,10.0.0.2
  -6 <srcip>,<destip>    prepend dummy IPv6 header with specified
                         source and destination addresses.
                         Example: -6 2001:db8::b3ff:fe1e:8329,2001:0db8:85a3::8a2e:0370:7334
  -u <srcp>,<destp>      prepend dummy UDP header with specified
                         source and destination ports (in DECIMAL).
                         Automatically prepends Ethernet & IP headers as well.
                         Example: -u 1000,69 to make the packets look like
                         TFTP/UDP packets.
  -T <srcp>,<destp>      prepend dummy TCP header with specified
                         source and destination ports (in DECIMAL).
                         Automatically prepends Ethernet & IP headers as well.
                         Example: -T 50,60
  -s <srcp>,<dstp>,<tag> prepend dummy SCTP header with specified
                         source/destination ports and verification tag (in DECIMAL).
                         Automatically prepends Ethernet & IP headers as well.
                         Example: -s 30,40,34
  -S <srcp>,<dstp>,<ppi> prepend dummy SCTP header with specified
                         source/destination ports and verification tag 0.
                         Automatically prepends a dummy SCTP DATA
                         chunk header with payload protocol identifier ppi.
                         Example: -S 30,40,34
  -P <dissector>         prepend EXPORTED_PDU header with specified dissector
                         as the payload DISSECTOR_NAME tag.
                         Automatically sets link type to Upper PDU Export.
                         EXPORTED_PDU payload defaults to "data" otherwise.

Diagnostic output:
  --log-level <level>    sets the active log level ("critical", "warning", etc.)
  --log-fatal <level>    sets level to abort the program ("critical" or "warning")
  --log-domains <[!]list> comma-separated list of the active log domains
  --log-fatal-domains <list>
                         list of domains that cause the program to abort
  --log-debug <[!]list>  list of domains with "debug" level
  --log-noisy <[!]list>  list of domains with "noisy" level
  --log-file <path>      file to output messages to (in addition to stderr)

Miscellaneous:
  -h, --help             display this help and exit
  -v, --version          print version information and exit
  -q                     don't report processed packet counts