I have spent some time analyzing the packet trace files that are freely available on the Wireshark wiki and packet-level.com, using the HeX liveCD. While having great fun with the packet traces, I ran into this -
shell>tshark -nr tcpshake.cap
1 0.000000 130.57.20.10 -> 130.57.20.1 TCP 1026 > 524 [SYN] Seq=0 Len=0 MSS=1460
2 0.004942 130.57.20.1 -> 130.57.20.10 TCP 524 > 1026 [SYN, ACK] Seq=0 Ack=1 Win=32768 Len=0 MSS=1460
3 0.005894 130.57.20.10 -> 130.57.20.1 TCP 1026 > 524 [ACK] Seq=1 Ack=1 Win=8760 Len=0
I wanted to compare the output of tshark and tcpdump, so I ran -
shell>tcpdump -ttttnnr tcpshake.cap
tcpdump: bad dump file format
Fine, let's check what it is -
shell>file tcpshake.cap
tcpshake.cap: NetXRay capture file - version 002.001 (Ethernet)
It seems the Wireshark suite supports the NetXRay file format:
shell>man wireshark
Output truncated .....
Wireshark can read / import the following file formats:
* Cinco Networks NetXRay captures
Output truncated .....
Maybe I can convert it using editcap? Right-click to launch the HeX main menu -> Pcap-Editor -> Editcap. To convert it from NetXRay capture format to libpcap format, I ran -
shell>editcap -F libpcap tcpshake.cap tcpshake.pcap
shell>tcpdump -ttttnnr tcpshake.pcap
reading from file tcpshake.pcap, link-type EN10MB (Ethernet)
1999-11-08 06:31:23.090125 IP 130.57.20.10.1026 > 130.57.20.1.524: S 12952:12952(0) win 8192
1999-11-08 06:31:23.095067 IP 130.57.20.1.524 > 130.57.20.10.1026: S 2744080:2744080(0) ack 12953 win 32768
1999-11-08 06:31:23.096019 IP 130.57.20.10.1026 > 130.57.20.1.524: . ack 1 win 8760
That's great.
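The "bad dump file format" error above comes from tcpdump checking the file's magic bytes, which is also what `file` looks at to report "NetXRay capture file". As an added example (not code from the original post or from the Wireshark/tcpdump projects), the Python script below does the same check for a handful of formats, builds the `editcap -F libpcap` command when conversion is needed, and, for libpcap files, walks the global header and packet records with the right byte order. The magic values are the documented ones for libpcap and pcapng plus the "XCP\0" prefix Wireshark's wiretap NetXRay reader looks for; the two sample files are constructed here and are not the tcpshake.cap trace.

```python
"""Identify a capture file by its magic bytes and walk libpcap records.

Added example, not from the original post. Sample data is constructed.
"""
import struct
from typing import Dict, List, Tuple

# Magic bytes -> (format name, struct byte-order prefix, timestamp fraction unit).
MAGICS: Dict[bytes, Tuple[str, str, str]] = {
    b"\xa1\xb2\xc3\xd4": ("libpcap", ">", "us"),   # big-endian, microsecond timestamps
    b"\xd4\xc3\xb2\xa1": ("libpcap", "<", "us"),   # little-endian, microsecond timestamps
    b"\xa1\xb2\x3c\x4d": ("libpcap", ">", "ns"),   # big-endian, nanosecond timestamps
    b"\x4d\x3c\xb2\xa1": ("libpcap", "<", "ns"),   # little-endian, nanosecond timestamps
    b"\x0a\x0d\x0d\x0a": ("pcapng", "", ""),       # pcapng Section Header Block type
    b"XCP\x00":          ("netxray", "", ""),      # Cinco Networks NetXRay (wiretap's magic)
}


def identify(data: bytes) -> str:
    """Name the capture format from the first four bytes; the file extension is ignored."""
    return MAGICS.get(data[:4], ("unknown", "", ""))[0]


def conversion_command(src: str, data: bytes) -> List[str]:
    """Return the editcap invocation tcpdump needs, or [] if the file is already libpcap.

    Only libpcap is treated as directly readable: whether a given tcpdump build
    also reads pcapng depends on its libpcap version, so pcapng is converted too.
    """
    if identify(data) == "libpcap":
        return []
    dst = src.rsplit(".", 1)[0] + ".pcap"
    return ["editcap", "-F", "libpcap", src, dst]


def parse_libpcap(data: bytes) -> Tuple[dict, List[Tuple[float, int, bytes]]]:
    """Parse the 24-byte global header and every 16-byte record header.

    Returns (header fields, [(timestamp, original length, captured bytes), ...])
    and raises ValueError on a wrong magic or a truncated/inconsistent record.
    """
    fmt, order, unit = MAGICS.get(data[:4], ("unknown", "", ""))
    if fmt != "libpcap":
        raise ValueError("not a libpcap file: %s" % fmt)
    major, minor, _thiszone, _sigfigs, snaplen, linktype = struct.unpack(order + "HHiIII", data[4:24])
    header = {"version": (major, minor), "snaplen": snaplen, "linktype": linktype, "ts_unit": unit}
    divisor = 1e6 if unit == "us" else 1e9
    records, off = [], 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_frac, caplen, origlen = struct.unpack(order + "IIII", data[off:off + 16])
        if caplen > snaplen:
            raise ValueError("caplen %d exceeds snaplen %d at offset %d" % (caplen, snaplen, off))
        off += 16
        pkt = data[off:off + caplen]
        if len(pkt) != caplen:
            raise ValueError("truncated packet data at offset %d" % off)
        off += caplen
        records.append((ts_sec + ts_frac / divisor, origlen, pkt))
    return header, records


def build_sample_libpcap(order: str = "<") -> bytes:
    """Constructed libpcap file holding one 14-byte Ethernet header (not real trace data)."""
    magic = b"\xd4\xc3\xb2\xa1" if order == "<" else b"\xa1\xb2\xc3\xd4"
    global_header = magic + struct.pack(order + "HHiIII", 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    frame = bytes.fromhex("001122334455" "66778899aabb" "0800")  # dst MAC, src MAC, EtherType IPv4
    record_header = struct.pack(order + "IIII", 942042683, 90125, len(frame), len(frame))  # constructed timestamp
    return global_header + record_header + frame


# Constructed NetXRay-style prefix: only the magic matters for detection here.
SAMPLE_NETXRAY = b"XCP\x00" + b"\x00" * 28


if __name__ == "__main__":
    for name, blob in (("tcpshake.cap", SAMPLE_NETXRAY), ("tcpshake.pcap", build_sample_libpcap())):
        print(name, "->", identify(blob), conversion_command(name, blob) or "readable by tcpdump")
    hdr, recs = parse_libpcap(build_sample_libpcap())
    print(hdr)
    for ts, origlen, pkt in recs:
        print("%.6f len=%d bytes=%s" % (ts, origlen, pkt.hex()))
```

Run it on a real file by replacing the constructed blobs with `open(path, "rb").read()`; the point is that the decision to convert is made on the bytes, not on the `.cap` extension, which NetXRay, Sniffer and libpcap files all share.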
shell>ls -la tcpshake_cap.dmp tcpshake.pcap
-rw-r--r-- 1 geek00l geek00l 252 2007-10-10 14:41 tcpshake_cap.dmp
-rw-r--r-- 1 geek00l geek00l 252 2007-10-10 15:00 tcpshake.pcap
I haven't tried wine on HeX (FreeBSD); maybe it's about time to do that too.
Enjoy (;])
1 comment:
Oh you bastard. You could do that only with Wireshark, rather than run dirty Windows blobs via wine.