Dial Tone

hex editing

15 posts in this topic

So I have a packet I need to analyze in wireshark.

Actually, what I have is the hex data... the only problem is when I paste it into vim and save it, it doesn't save the hex code, just an ascii representation of it... how can I take the hex, and save it exactly as written (NOT ASCII) so I can open it in wireshark?


$ whatis xxd
xxd (1) - make a hexdump or do the reverse

HTH


Thanks... so just save it as a text file, then run xxd on the text file?


Are you trying to save data from wireshark?

If so, use the export function; if you're just looking to save a frame or less, use File > Export > Selected Packet Bytes. After you have this saved it will be a binary file, so, as a previous poster suggested, use xxd to get a hex dump to standard out, or use redirection to save the output of the xxd hex dump into a text file.

I think this is what you're asking, if not my apologies.

EDIT:

Also there is usually a hexdump command on most Linux installs that, using no flags, will give you just hex, no ASCII, which I think is pretty much the same output as od -x <filename>.

Edited by rocky
The opposite: I have text data I want to be hex. Think of it as if in programming, you stored "12345" as a string instead of an integer.


Cool, so if you have a text file, use xxd as a previous poster noted (sorry for being overzealous). But because I'm kind of thick-skulled, is this what you're aiming for?

$ cat file.txt
This is example text.
$ xxd file.txt file.out
$ cat file.out
0000000: 5468 6973 2069 7320 6578 616d 706c 6520 This is example
0000010: 7465 7874 2e0a text..


Yeah I think. I have a homework assignment where the prof is like "here's some hex code, what operating system is the packet from"

(Here it is copied and pasted directly from the pdf below)

000fdbcb066a000393ed1d8308004518 
0047307d0000ff11075ec0a80161c0a80
10114e90035003396ce4c24010000010
00000000000023937013103313638033
1393207696e2d6164647204617270610
0000c0001

I wanna save that as raw hex, so I can open it in wireshark


Try text2pcap which comes with wireshark. It can save ascii to hex, or vice versa (which can then be opened with wireshark). I tried it, and I got a malformed ethernet packet. Perhaps that isn't the exact hex code? Anyway, maybe I did it wrong.


Now I'm probably wrong but here's what I got:

IP packet

Unix like operating system

UDP

source address 192.168.1.197

destination address 192.168.1.1

source port 5353

destination port 53/DNS

Here's what the data portion says:

?97?1?168?192?in-addr?arpa??

Edited by rocky

Here's what I found from analyzing the information:

000fdbcb066a000393ed1d830800[IP packet]4518

0047307d0000ff[TTL]11[udp]075ec0a80161[source address]c0a80

101[destination address]14e9[source port]0035[destination port]003396ce4c24010000010

00000000000023937013103313638033

1393207696e2d6164647204617270610

00[data]00c0001

List of TTL by operating system:

http://members.cox.net/~ndav1/self_published/TTL_values.html

Edited by rocky

I think his professor is trying to get him to take an IP packet, analyze the data, then deduce what operating system it came from. It's already in hex and only the data portion would produce useful information from an ascii conversion.

00 1a 70 fb f7 77 00 13  02 a9 97 97 08 00 45 00
00 45 c7 98 00 00 80 11 25 f9 c0 a8 01 65 4a dc
40 2d d6 08 00 35 00 31 d0 9e 1c 86 01 00 00 01
00 00 00 00 00 00 03 77 77 77 0f 74 68 65 66 65
64 6f 72 61 6c 6f 75 6e 67 65 03 63 6f 6d 00 00
01 00 01

Above is a DNS request from a Windows XP laptop I have to the DNS server of my ISP, which I took directly from Wireshark. The TTL is 0x80 or 128, which is a clear indicator that it's a Windows machine. I think in the above case, with the hex data that Dial Tone posted, it was just a matter of fingerprinting by determining the TTL.

Edited by rocky
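Added example, not code from the thread: a Python parser for the Ethernet/IPv4/UDP/DNS layers of the two dumps above. It pulls out the fields rocky annotated by hand (TTL, protocol, addresses, ports, query name and type) and applies the TTL heuristic from his posts. The table of common initial TTLs (64, 128, 255) is the example's own; because every router hop decrements TTL by one, the parser rounds the observed value up to the nearest initial value and reports the implied hop count, so a TTL of 52 is read as "started at 64, 12 hops away" rather than an unknown OS. The two hex constants are copied from the thread; all function and field names are the example's own.

```python
import struct

# Both dumps copied from the thread: Dial Tone's homework packet (the paste
# breaks lines mid-byte, so whitespace is stripped before decoding) and
# rocky's Windows XP DNS query.
HOMEWORK_HEX = """
000fdbcb066a000393ed1d8308004518
0047307d0000ff11075ec0a80161c0a80
10114e90035003396ce4c24010000010
00000000000023937013103313638033
1393207696e2d6164647204617270610
0000c0001
"""
WINXP_HEX = """
00 1a 70 fb f7 77 00 13 02 a9 97 97 08 00 45 00
00 45 c7 98 00 00 80 11 25 f9 c0 a8 01 65 4a dc
40 2d d6 08 00 35 00 31 d0 9e 1c 86 01 00 00 01
00 00 00 00 00 00 03 77 77 77 0f 74 68 65 66 65
64 6f 72 61 6c 6f 75 6e 67 65 03 63 6f 6d 00 00
01 00 01
"""

# Initial TTL values commonly set by operating systems (this example's own table).
INITIAL_TTLS = {64: "Linux and most other Unix-likes", 128: "Windows",
                255: "BSD-derived, Solaris, macOS"}
QTYPES = {1: "A", 12: "PTR", 28: "AAAA"}


def guess_os_from_ttl(ttl):
    """Round the observed TTL up to the nearest common initial value.
    Returns (initial_ttl, os_hint, implied_hop_count)."""
    for initial in sorted(INITIAL_TTLS):
        if ttl <= initial:
            return initial, INITIAL_TTLS[initial], initial - ttl
    raise ValueError("TTL %d exceeds 255" % ttl)


def read_dns_name(msg, offset):
    """Decode a DNS name at offset; returns (name, offset just past the name).
    Compression pointers are followed even though query names are normally plain."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:              # pointer: jump, but remember where we were
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:                        # root label terminates the name
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if end is not None else offset


def mac(b):
    return ":".join("%02x" % x for x in b)


def ipv4(b):
    return ".".join(str(x) for x in b)


def parse_dns_query(hex_text):
    """Parse Ethernet -> IPv4 -> UDP -> DNS question and attach the TTL-based OS hint."""
    frame = bytes.fromhex("".join(hex_text.split()))
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame (ethertype 0x%04x)" % ethertype)
    ip = frame[14:]
    (ver_ihl, _tos, total_len, _ident, _flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4                 # header length in bytes (options possible)
    if proto != 17:
        raise ValueError("not UDP (protocol %d)" % proto)
    udp = ip[ihl:total_len]
    sport, dport, ulen, _ucsum = struct.unpack("!HHHH", udp[:8])
    dns = udp[8:ulen]
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", dns[:12])
    qname, off = read_dns_name(dns, 12)
    qtype, _qclass = struct.unpack("!HH", dns[off:off + 4])
    initial, os_hint, hops = guess_os_from_ttl(ttl)
    return {
        "src_mac": mac(src_mac), "dst_mac": mac(dst_mac),
        "src_ip": ipv4(src), "dst_ip": ipv4(dst), "ttl": ttl,
        "sport": sport, "dport": dport, "txid": txid,
        "is_query": not (flags & 0x8000), "qdcount": qdcount,
        "qname": qname, "qtype": QTYPES.get(qtype, str(qtype)),
        "initial_ttl": initial, "os_hint": os_hint, "hops": hops,
    }


if __name__ == "__main__":
    for label, dump in (("homework", HOMEWORK_HEX), ("winxp", WINXP_HEX)):
        info = parse_dns_query(dump)
        print(label, "TTL", info["ttl"], "->", info["os_hint"], "(%d hops)" % info["hops"])
        print("  %s:%d -> %s:%d  %s %s" % (info["src_ip"], info["sport"],
                                         info["dst_ip"], info["dport"],
                                         info["qtype"], info["qname"]))
```

On the homework dump the parser reads TTL 255 (zero hops from a 255-initial host), source c0a80161 as 192.168.1.97 port 5353, destination 192.168.1.1 port 53, and a PTR query for 97.1.168.192.in-addr.arpa; on the Windows XP dump it reads TTL 128 and an A query for www.thefedoralounge.com. The TTL hint is only a hint: hosts can change their default, and a value like 120 is ambiguous between "Windows, 8 hops away" and a non-default setting, which is why the hop count is reported alongside the guess.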

Ok I tried text2pcap... no luck.

Here's the output I get:

~/wiresharkLab$ text2pcap hexSource hexFinal
Input from: hexSource
Output to: hexFinal
Read 0 potential packets, wrote 0 packets

Here's the exact contents of my "hexSource" file...

~/wiresharkLab$ cat hexSource
000fdbcb066a00039ed1d830800458
0047307d0000ff11075ec0a80161c0a80
10114e90035003396ce4c24010000010
00000000000023937013103313638033
1393207696ed6164647204617270610
0000c0002

Is there some syntax thing I'm doing wrong? I appreciate the answer rocky but I wanna make sure I can do it on my own...


Dial Tone,

Cool man I can respect that.

Try this:

First you have to format the hex data you have to the format that text2pcap wants:

000000 00 0f db cb 06 6a 00 03 93 ed 1d 83 08 00 45 18 
000010 00 47 30 7d 00 00 ff 11 07 5e c0 a8 01 61 c0 a8
000020 01 01 14 e9 00 35 00 33 96 ce 4c 24 01 00 00 01
000030 00 00 00 00 00 00 02 39 37 01 31 03 31 36 38 03
000040 31 39 32 07 69 6e 2d 61 64 64 72 04 61 72 70 61
000050 00 00 0c 00 01

next use text2pcap on the file you have saved this data into. Try that; it totally worked for me, I was able to open the file in wireshark and everything.


Yeah, that worked. Thanks.

What does the stuff you added do, let text2pcap know what data is on what line?

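Added example, not code from the thread: a Python script that does the two things this thread ends up needing. First it joins the pasted hex (whose line breaks fall mid-byte) into bytes, which is the step `xxd -r -p hex.txt packet.bin` performs in the shell. Then it either prints the bytes in the layout text2pcap parses (a hex offset at the start of each line followed by space-separated byte pairs; that offset column is what rocky added, and text2pcap ignores lines that lack it, which is why the earlier attempt read 0 packets) or writes a minimal libpcap file directly, so Wireshark can open the result without text2pcap at all. The copy of the hex from the failed attempt is included too: it has an odd number of digits, so the decoder rejects it before anything reaches Wireshark. THREAD_HEX and TYPED_HEX are copied from the thread; the function names, the file name thread.pcap, and the pcap constants are the example's own.

```python
import struct
import time

# Hex as pasted from the homework PDF (line breaks fall mid-byte, so the
# lines are joined before decoding).
THREAD_HEX = """
000fdbcb066a000393ed1d8308004518
0047307d0000ff11075ec0a80161c0a80
10114e90035003396ce4c24010000010
00000000000023937013103313638033
1393207696e2d6164647204617270610
0000c0001
"""

# The hexSource contents from the attempt that produced "Read 0 potential packets".
TYPED_HEX = """
000fdbcb066a00039ed1d830800458
0047307d0000ff11075ec0a80161c0a80
10114e90035003396ce4c24010000010
00000000000023937013103313638033
1393207696ed6164647204617270610
0000c0002
"""


def hex_to_bytes(text):
    """Strip whitespace and decode hex digits to bytes (shell: xxd -r -p)."""
    digits = "".join(text.split())
    if len(digits) % 2:
        raise ValueError("odd number of hex digits (%d): a digit was dropped or added while copying"
                         % len(digits))
    return bytes.fromhex(digits)  # raises ValueError on non-hex characters


def to_text2pcap(text, width=16):
    """Render the bytes as text2pcap input: six-digit hex offset, then byte pairs."""
    data = hex_to_bytes(text)
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        lines.append("%06x " % off + " ".join("%02x" % b for b in chunk))
    return "\n".join(lines)


# libpcap file format: 24-byte global header, then a 16-byte record header per frame.
PCAP_MAGIC = 0xA1B2C3D4          # microsecond-resolution timestamps
LINKTYPE_ETHERNET = 1            # frames start with an Ethernet header


def build_pcap(frames, ts=0):
    """Return the bytes of a pcap file containing the given raw Ethernet frames."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        # ts_sec, ts_usec, captured length, original length
        out += struct.pack("<IIII", ts + i, 0, len(frame), len(frame)) + frame
    return out


def write_pcap(path, frames):
    """Write the frames to a pcap file and return the number of bytes written."""
    blob = build_pcap(frames, ts=int(time.time()))
    with open(path, "wb") as fh:
        fh.write(blob)
    return len(blob)


if __name__ == "__main__":
    print(to_text2pcap(THREAD_HEX))
    print(write_pcap("thread.pcap", [hex_to_bytes(THREAD_HEX)]), "bytes written to thread.pcap")
    try:
        hex_to_bytes(TYPED_HEX)
    except ValueError as exc:
        print("typed copy rejected:", exc)
```

Running it prints the same six offset-prefixed lines rocky posted and writes an 85-byte single-frame capture (24-byte file header, 16-byte record header, 85 bytes of frame). The odd-digit check matters in practice: a hex string that is one digit short decodes to a shifted byte stream, and every header field after the first missing digit comes out wrong, which is exactly the "malformed Ethernet packet" symptom mentioned earlier in the thread.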
