Wednesday, October 10, 2007

HeX liveCD: Packet Trace File Conversion

I have spent some time analyzing the packet trace files that are freely available on the Wireshark wiki and packet-level.com using HeX liveCD. While having great fun with the packet traces, I ran into this -

shell>tshark -nr tcpshake.cap
1 0.000000 130.57.20.10 -> 130.57.20.1 TCP 1026 > 524 [SYN] Seq=0 Len=0 MSS=1460
2 0.004942 130.57.20.1 -> 130.57.20.10 TCP 524 > 1026 [SYN, ACK] Seq=0 Ack=1 Win=32768 Len=0 MSS=1460
3 0.005894 130.57.20.10 -> 130.57.20.1 TCP 1026 > 524 [ACK] Seq=1 Ack=1 Win=8760 Len=0

I wanted to compare the output of tshark and tcpdump, so I ran -

shell>tcpdump -ttttnnr tcpshake.cap
tcpdump: bad dump file format

Fine, let's check what it is -

shell>file tcpshake.cap
tcpshake.cap: NetXRay capture file - version 002.001 (Ethernet)

It seems the Wireshark suite supports the NetXRay file format,

shell>man wireshark
Output truncated .....
Wireshark can read / import the following file formats:
* Cinco Networks NetXRay captures
Output truncated .....

Maybe I can convert it using editcap? Right-click to launch the HeX main menu -> Pcap-Editor -> Editcap. To convert it from NetXRay capture format to libpcap format, I run -

shell>editcap -F libpcap tcpshake.cap tcpshake.pcap

shell>tcpdump -ttttnnr tcpshake.pcap
reading from file tcpshake.pcap, link-type EN10MB (Ethernet)
1999-11-08 06:31:23.090125 IP 130.57.20.10.1026 > 130.57.20.1.524: S 12952:12952(0) win 8192
1999-11-08 06:31:23.095067 IP 130.57.20.1.524 > 130.57.20.10.1026: S 2744080:2744080(0) ack 12953 win 32768
1999-11-08 06:31:23.096019 IP 130.57.20.10.1026 > 130.57.20.1.524: . ack 1 win 8760

That's great.
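As an added illustration (not code from the original post), the script below shows why tcpdump rejected the file: tcpdump only understands files that start with the libpcap magic number, while NetXRay files start with "XCP\0" followed by the version string that the file command printed above, which is exactly what editcap fixed. It identifies a capture by its first bytes and, for a libpcap file, parses the global header and walks the packet records the way tcpdump must before it can print "link-type EN10MB". The sample files are constructed inside the script (three 60-byte frames, which happens to total the 252 bytes that ls shows for the converted file); nothing is read from disk.

```python
import struct

# Magic numbers as they appear in the first four bytes of the file.
PCAP_MAGIC_LE = b"\xd4\xc3\xb2\xa1"   # libpcap, little-endian, microsecond timestamps
PCAP_MAGIC_BE = b"\xa1\xb2\xc3\xd4"   # libpcap, big-endian
PCAP_NSEC_LE = b"\x4d\x3c\xb2\xa1"    # libpcap, nanosecond-resolution variant
PCAP_NSEC_BE = b"\xa1\xb2\x3c\x4d"
PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"    # pcapng Section Header Block type
NETXRAY_MAGIC = b"XCP\x00"            # NetXRay/Sniffer; version string follows at offset 4

PCAP_GLOBAL_HEADER_LEN = 24
PCAP_RECORD_HEADER_LEN = 16


def identify_capture(data):
    """Return a short format name based on the file's magic bytes (like file(1))."""
    head = data[:4]
    if head in (PCAP_MAGIC_LE, PCAP_MAGIC_BE, PCAP_NSEC_LE, PCAP_NSEC_BE):
        return "libpcap"
    if head == PCAPNG_MAGIC:
        return "pcapng"
    if head == NETXRAY_MAGIC:
        version = data[4:12].split(b"\x00", 1)[0].decode("ascii", "replace")
        return "NetXRay version %s" % version
    return "unknown"


def pcap_summary(data):
    """Parse a classic libpcap file and return (linktype, snaplen, packet_count).

    Raises ValueError for anything tcpdump would also refuse, including a
    NetXRay file that has not been converted and a truncated record.
    """
    head = data[:4]
    if head in (PCAP_MAGIC_LE, PCAP_NSEC_LE):
        endian = "<"
    elif head in (PCAP_MAGIC_BE, PCAP_NSEC_BE):
        endian = ">"
    else:
        raise ValueError("bad dump file format: %s" % identify_capture(data))
    # Global header: magic, version_major, version_minor, thiszone, sigfigs, snaplen, network
    _, _, _, _, _, snaplen, linktype = struct.unpack(
        endian + "IHHiIII", data[:PCAP_GLOBAL_HEADER_LEN])
    offset = PCAP_GLOBAL_HEADER_LEN
    count = 0
    while offset + PCAP_RECORD_HEADER_LEN <= len(data):
        # Record header: ts_sec, ts_usec (or nsec), incl_len, orig_len
        _, _, incl_len, _ = struct.unpack(
            endian + "IIII", data[offset:offset + PCAP_RECORD_HEADER_LEN])
        if incl_len > snaplen or offset + PCAP_RECORD_HEADER_LEN + incl_len > len(data):
            raise ValueError("truncated or corrupt packet record at offset %d" % offset)
        offset += PCAP_RECORD_HEADER_LEN + incl_len
        count += 1
    return linktype, snaplen, count


def readable_by_tcpdump(data):
    """True if the bytes parse as a libpcap file, False otherwise."""
    try:
        pcap_summary(data)
        return True
    except ValueError:
        return False


def build_sample_pcap(frame_count=3, frame_len=60):
    """Construct a little-endian libpcap file with link type 1 (EN10MB).

    Frame contents are zero-filled: the format check only looks at headers.
    """
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    records = b""
    for i in range(frame_count):
        records += struct.pack("<IIII", 942000000 + i, 0, frame_len, frame_len)
        records += bytes(frame_len)
    return header + records


# Constructed sample inputs: a converted libpcap file and a NetXRay 002.001 header.
SAMPLE_PCAP = build_sample_pcap()
SAMPLE_NETXRAY = NETXRAY_MAGIC + b"002.001\x00" + bytes(120)

if __name__ == "__main__":
    for name, blob in (("tcpshake.cap", SAMPLE_NETXRAY), ("tcpshake.pcap", SAMPLE_PCAP)):
        print("%s: %s, %d bytes" % (name, identify_capture(blob), len(blob)))
        if readable_by_tcpdump(blob):
            print("  link-type %d, %d packets" % (pcap_summary(blob)[0], pcap_summary(blob)[2]))
        else:
            print("  tcpdump: bad dump file format")
```

Run the script against a real file by replacing the constructed blobs with the result of open(path, "rb").read(); the magic-number check is the same one file(1) performs, so a file that comes back as "NetXRay" is the cue to run editcap -F libpcap before handing it to tcpdump.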

I figured that if you prefer a GUI, you can use ProConvert, a freeware tool that supports more capture formats. With Wine, I have successfully installed it on Ubuntu 7.04. Here's the screenshot -


I tried comparing the files converted by the two tools with the diff command, and they seem to have no differences; they also have the same file size.

shell>ls -la tcpshake_cap.dmp tcpshake.pcap
-rw-r--r-- 1 geek00l geek00l 252 2007-10-10 14:41 tcpshake_cap.dmp
-rw-r--r-- 1 geek00l geek00l 252 2007-10-10 15:00 tcpshake.pcap

I haven't tried Wine on HeX (FreeBSD); maybe it's about time to do that too.

Enjoy (;])

1 comment:

Anonymous said...

oh you bastard. you could do that only with wireshark, rather than run dirty windows blobs via wine.