
Showing posts from 2015

Convert "monitor capture" hex dump to pcap (Wireshark format)

If you've used Cisco's "Monitor Capture" feature you've seen that you can capture packets and dump them in hex format on your console/syslog server. The output looks roughly like this (for one packet):

    87526540:                            45C0004C              E@.L
    87526550: 00000000 FD11C63E 0A303001 AC1F1052  ....}.F>.00.,..R
    87526560: 007B007B 00385EBF 24040AEE 00000DEA  .{.{.8^?$..n...j
    87526570: 000028A4 C1E767CD D8E48CD6 519D50B0  ..($AggMXd.VQ.P0
    87526580: D8E48CD9 A9855D94 D8E48CD9 C161FAF9  Xd.Y).].Xd.YAazy
    87526590: 00

It's a bit difficult to read, but you can see that it's an IP packet (the leading 4 is the IPv4 version nibble). If you want to decode this packet in Wireshark, you can technically use Wireshark's text2pcap converter. The problem is that text2pcap expects its input in a specific format. The following script does the format conversion between Cisco's dump format and what text2pcap expects: https://github.com/mad-ady/cisco
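As an added example (not the script linked above), here is a Python version of that conversion: the sample input is the one-packet dump quoted above, and the rule that a short first line is right-aligned within its 16-byte row is an assumption taken from that sample.

```python
import re

# Constructed sample input: the one-packet dump quoted in the post. The first
# line is right-aligned (the packet starts 12 bytes into that 16-byte row).
CISCO_DUMP = """\
87526540:                            45C0004C              E@.L
87526550: 00000000 FD11C63E 0A303001 AC1F1052  ....}.F>.00.,..R
87526560: 007B007B 00385EBF 24040AEE 00000DEA  .{.{.8^?$..n...j
87526570: 000028A4 C1E767CD D8E48CD6 519D50B0  ..($AggMXd.VQ.P0
87526580: D8E48CD9 A9855D94 D8E48CD9 C161FAF9  Xd.Y).].Xd.YAazy
87526590: 00
"""

LINE_RE = re.compile(r"^\s*([0-9A-Fa-f]{8}):\s*(.*)$")
HEX_WORD = re.compile(r"^(?:[0-9A-Fa-f]{2}){1,4}$")   # one word = 1..4 bytes
BYTES_PER_LINE = 16


def parse_cisco_dump(text):
    """Return [(offset_within_packet, bytes)] for each dump line of one packet."""
    rows = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                       # prompt, blank or banner line
        # Cisco separates the hex words from the ASCII column with two spaces;
        # the per-token hex check below is the fallback if whitespace collapsed.
        hex_part = re.split(r"\s{2,}", m.group(2).strip())[0]
        data = bytearray()
        for tok in hex_part.split():
            if not HEX_WORD.match(tok):
                break                      # reached the ASCII dump
            data += bytes.fromhex(tok)
        if data:
            rows.append((int(m.group(1), 16), bytes(data)))
    if not rows:
        return []
    # Rows sit at 16-byte-aligned addresses; a short first row is right-aligned
    # (assumption from the sample), so the packet starts at base + 16 - shown.
    base, first = rows[0]
    start = base + BYTES_PER_LINE - len(first)
    out, expected = [], 0
    for addr, data in rows:
        off = 0 if not out else addr - start
        if off != expected:                # gap or overlap between dump rows
            raise ValueError("non-contiguous dump at %08X" % addr)
        out.append((off, data))
        expected = off + len(data)
    return out


def to_text2pcap(text):
    """Render the packet as text2pcap input: hex offset, then space-separated byte pairs."""
    return "".join("%06x %s\n" % (off, " ".join("%02x" % b for b in data))
                   for off, data in parse_cisco_dump(text))
```

Because the dump begins at the IP header rather than an Ethernet frame, convert the result with a dummy Ethernet header, e.g. `text2pcap -e 0x0800 out.txt out.pcap`.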