Importing hex stream into Wireshark
T

3

5

I have a 64-byte hex stream of a frame:

000A959D6816000A959A651508004500002E000000004006AF160A010101C0A8000A11D71EC6000000000000000050000000AD840000000102030405CC904CE3

How can I import it into Wireshark and see the whole packet? The option of importing a hex dump doesn't seem to work in my case if I save this stream into a text file and load it.

Toy answered 17/5, 2014 at 9:57 Comment(0)
T
10

Since this hex stream is in hex, and for hex to hexdump conversion, od doesn't seem to work. So the solution would be to convert this hex back to binary, and then use od -Ax -tx1 -v [file] on that binary file.

xxd -r -p [hexfile] [binaryfile]
od -Ax -tx1 -v [binaryfile]

Note: Use the combination -r -p to read plain hexadecimal dumps without line number information and without a particular column layout.

Toy answered 17/5, 2014 at 11:3 Comment(2)
See the Wireshark docs where they talk about the od command: wireshark.org/docs/wsug_html_chunked/ChIOImportSection.html - Ebonieebonite
This can be streamlined into one command: xxd -r -p [hexstringfile] | od -Ax -tx1 > [hexdumpfile]. Also omitting the filenames (and >) will make it use standard input and output. - Veroniqueverras
S
2

A hex stream can be transformed into an od-like format by filtering it through a couple of coreutils. The output can be fed into text2pcap, for example, to also set a link-layer type.

{ printf '0000 '; echo "$hex_stream" | fold -w 2 | paste -sd ' ' -; } | text2pcap -l 147 - "$file"

hex_stream is the data to be dissected and file is the pcap file to be written by text2pcap. I use this as part of a script that generates a temporary pcap from a hex stream and invokes tshark to dissect it - this gives me the dissection result immediately with no manual intervention.

The How to Dissect Anything page in the Wireshark wiki has further information on dissection of arbitrary data.

Simonton answered 24/6, 2017 at 13:23 Comment(0)
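
For more than one frame, the hex-stream-to-hex-dump step discussed in the answers above can be done with awk alone, without xxd. This is an added example, not code from any of the posts; the function name hex_to_dump and the one-frame-per-line input layout are assumptions.

```shell
#!/bin/sh
# hex_to_dump (hypothetical name): read plain hex streams from stdin, one
# frame per line, and print each as an "od -Ax -tx1 -v" style dump that
# text2pcap and Wireshark's Import from Hex Dump accept. Every frame
# restarts at offset 000000, which text2pcap treats as a new packet.
hex_to_dump() {
    awk '
    {
        gsub(/[ \t\r]/, "")                 # tolerate spaces and CRLF input
        if ($0 == "") next                  # skip blank lines
        if ($0 !~ /^[0-9A-Fa-f]+$/) {
            printf "line %d: not a hex stream\n", NR > "/dev/stderr"
            bad = 1; exit
        }
        if (length($0) % 2) {               # half a byte means truncation
            printf "line %d: odd number of hex digits\n", NR > "/dev/stderr"
            bad = 1; exit
        }
        n = length($0) / 2
        for (i = 0; i < n; i++) {
            if (i % 16 == 0)                # 16 bytes per row, hex offset
                printf "%s%06x", (i ? "\n" : ""), i
            printf " %s", tolower(substr($0, 2 * i + 1, 2))
        }
        printf "\n%06x\n", n                # closing offset = frame length
    }
    END { exit bad }'
}
```

Pipe the result into text2pcap, for example `hex_to_dump < frames.txt | text2pcap - frames.pcap` (file names are placeholders), or save it to a text file and load that through Import from Hex Dump.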
P
0

If you format your hex string as shown in this page, you should be able to use the Import from Hex Dump dialog to import the file you've created.

Pouncey answered 17/5, 2014 at 10:0 Comment(2)
Thanks, but this "od -Ax -tx1 -v [FILE]" command is dumping my hex stream in octal format. I tried all other options of "od" but no luck. So I manually formatted the stream by adding spaces and offsetting it by 8 bytes, which worked. It's a single frame so it's no worry, but manually doing all this stuff on large hex data would be a pain. Please let me know if you know how to convert hex stream to hex dump. - Toy
@Toy Awesome. That's pretty much what I meant, sorry if that wasn't clear. - Pouncey
