MAN page from RedHat 7.X ethereal-0.8.20-1.i386.rpm


Section: The Ethereal Network Analyzer (1)
Updated: 0.8.20


text2pcap - Generate a capture file from an ASCII hexdump of packets 


text2pcap-d ][ -q ][ -o hex|oct ][ -l typenum ][ -e l3pid ][ -i proto ][ -u srcport,destport ]infileoutfile 


Text2pcap is a program that reads in an ASCII hex dump and writesthe data described into a libpcap-style capture file. text2pcapcan read hexdumps with multiple packets in them, and build a capturefile of multiple packets. text2pcap is also capable of generatingdummy Ethernet, IP and UDP headers, in order to build fullyprocessable packet dumps from hexdumps of application-level dataonly.

Text2pcap understands a hexdump of the form generated by od -tx1. In other words, each byte is individually displayed andsurrounded with a space. Each line begins with an offset describingthe position in the file. The offset is a hex number (can also beoctal - see -o), of more than two hex digits. Here is a sample dumpthat text2pcap can recognize:

    000000 00 e0 1e a7 05 6f 00 10 ........    000008 5a a0 b9 12 08 00 46 00 ........    000010 03 68 00 00 00 00 0a 2e ........    000018 ee 33 0f 19 08 7f 0f 19 ........    000020 03 80 94 04 00 00 10 01 ........    000028 16 a2 0a 00 03 50 00 0c ........    000030 01 01 0f 19 03 80 11 01 ........
There is no limit on the width or number of bytes per line. Also thetext dump at the end of the line is ignored. Bytes/hex numbers can beuppercase or lowercase. Any text before the offset is ignored,including email forwarding characters '>'. Any lines of text betweenthe bytestring lines is ignored. The offsets are used to track thebytes, so offsets must be correct. Any line which has only byteswithout a leading offset is ignored. An offset is recognized as beinga hex number longer than two characters. Any text after the bytes isignored (e.g. the character dump). Any hex numbers in this text arealso ignored. An offset of zero is indicative of starting a newpacket, so a single text file with a series of hexdumps can beconverted into a packet capture with multiple packets. Multiplepackets are read in with timestamps differing by one second each. Ingeneral, short of these restrictions, text2pcap is pretty liberalabout reading in hexdumps and has been tested with a variety ofmangled outputs (including being forwarded through email multipletimes, with limited line wrap etc.)

There are a couple of other special features to note. Any line wherethe first non-whitespace character is '#' will be ignored as acomment. Any line beginning with #TEXT2PCAP is a directive and optionscan be inserted after this command to be processed bytext2pcap. Currently there are no directives implemented; in thefuture, these may be used to give more fine grained control on thedump and the way it should be processed e.g. timestamps, encapsulationtype etc.

Text2pcap also allows the user to read in dumps ofapplication-level data, by inserting dummy L2, L3 and L4 headersbefore each packet. The user can elect to insert Ethernet headers,Ethernet and IP, or Ethernet, IP and UDP headers before eachpacket. This allows Ethereal or any other full-packet decoder tohandle these dumps. 


Displays debugging information during the process. Can be usedmultiple times to generate more debugging information.
Be completely quiet during the process.
-o hex|oct
Specify the radix for the offsets (hex or octal). Defaults tohex. This corresponds to the `-A' option for od.
Specify the link-layer type of this packet. Default is Ethernet(1). See net/bpf.h for the complete list of possibleencapsulations. Note that this option should be used if your dump is acomplete hex dump of an encapsulated packet and you wish to specifythe exact type of encapsulation. Example: -l 7 for ARCNet packets.
-e l3pid
Include a dummy Ethernet header before each packet. Specify the L3PIDfor the Ethernet header in hex. Use this option if your dump has Layer3 header and payload (e.g. IP header), but no Layer 2encapsulation. Example: -e 0x806 to specify an ARP packet.

For IP packets, instead of generating a fake Ethernet header you canalso use -l 12 to indicate a raw IP packet to Ethereal. Note that-l 12 does not work for any non-IP Layer 3 packet (e.g. ARP),whereas generating a dummy Ethernet header with -e works for anysort of L3 packet.

-i proto
Include dummy IP headers before each packet. Specify the IP protocolfor the packet in decimal. Use this option if your dump is the payloadof an IP packet (i.e. has complete L4 information) but does not havean IP header. Note that this automatically includes an appropriateEthernet header as well. Example: -i 46 to specify an RSVP packet(IP protocol 46).
-u srcport,destport
Include dummy UDP headers before each packet. Specify the source anddestination UDP ports for the packet in decimal. Use this option ifyour dump is the UDP payload of a packet but does not include any UDP,IP or Ethernet headers. Note that this automatically includesappropriate Ethernet and IP headers with each packet. Example: -u1000,69 to make the packets look like TFTP/UDP packets.


tcpdump(8), pcap(3), ethereal(1), editcap(1) 


Text2pcap is part of the Ethereal distribution. The latest versionof Ethereal can be found at 


  Ashok Narayanan          <>




This document was created byman2html,using the manual pages.