UDP hex dump to pcap converter

This is a small utility script which converts UDP hex dump strings to pcap format.

For details of the libpcap file format, see http://wiki.wireshark.org/Development/LibpcapFileFormat

Usage

Read hex dump packet data from STDIN, write pcap format to STDOUT.

Ruby version:

$ ./udpdump_to_pcap.rb < hexdump.txt > out.pcap

Python version:

$ ./udpdump_to_pcap.py < hexdump.txt > out.pcap

The input file must be in comma-separated format, with the columns in the following order:

  1. Date and time in ISO 8601 format with 6-digit microseconds, for example 2011-08-26T12:48:52.904486
  2. Ignored (perhaps a host name)
  3. Ignored (perhaps a process ID)
  4. Source IP address
  5. Source UDP port
  6. Destination IP address
  7. Destination UDP port
  8. Hex dump string of UDP payload

See sample_input.txt for an example.

API

Ruby

If your input data is not in the file format above, you can call the packet function directly after require 'udpdump_to_pcap'.

The arguments are as follows:

  1. Output stream
  2. Date and time in ISO 8601 format with 6-digit microseconds, for example 2011-08-26T12:48:52.904486
  3. Source IP address
  4. Source UDP port
  5. Destination IP address
  6. Destination UDP port
  7. Hex dump string of UDP payload

See debug_main() in udpdump_to_pcap.rb for an example.

Python

If your input data is not in the file format above, you can call the packet function directly after import udpdump_to_pcap.

The arguments are as follows:

  1. Date and time in ISO 8601 format with 6-digit microseconds, for example 2011-08-26T12:48:52.904486
  2. Source IP address
  3. Source UDP port
  4. Destination IP address
  5. Destination UDP port
  6. Hex dump string of UDP payload

Some notes

  1. I have tried this script only in little-endian environments. There may be bugs in big-endian or cross-endian environments.
  2. The UDP checksum is NOT calculated (just zeros). If you use viewer software such as Wireshark, I recommend disabling checksum validation.
  3. The IP headers are also passable hard-coded values. Don't take them seriously.
  4. Assumes IPv4. Does not work with IPv6.
  5. In pcap files, L2 (MAC) is skipped by setting the link-layer header type to IPv4, so only IPv4 is supported for now.
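
The byte layout implied by the input format and the notes above, as an added example (it is not the code of udpdump_to_pcap.py or udpdump_to_pcap.rb): one input line becomes a pcap record holding an IPv4 header, a UDP header with a zero checksum, and the payload, with no MAC layer. The link-type value 228, UTC timestamps, the chosen IPv4 field values, the function names and the sample line are assumptions made for this example.

```python
import ipaddress
import struct
from datetime import datetime, timezone

LINKTYPE_IPV4 = 228  # assumed link type: packets start at the IPv4 header, no MAC layer
# Constructed sample line in the 8-column input format (payload is b"HELLO")
SAMPLE = "2011-08-26T12:48:52.904486,host1,1234,192.0.2.10,5060,192.0.2.20,5060,48454c4c4f"

def global_header():
    # magic, version 2.4, thiszone, sigfigs, snaplen, link type; written little-endian
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_IPV4)

def ip_checksum(header):
    # One's-complement sum over the ten 16-bit words of a 20-byte IPv4 header
    total = sum(struct.unpack("!10H", header))
    total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def record(line):
    # Raises ValueError or struct.error on a wrong column count, malformed hex,
    # a non-IPv4 address, a port outside 0..65535 or an oversized payload.
    ts, _host, _pid, src, sport, dst, dport, hexdump = line.strip().split(",")
    payload = bytes.fromhex(hexdump)
    # Assumption: timestamps are UTC (the README does not state a time zone)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f").replace(tzinfo=timezone.utc)
    # UDP header: ports, length, checksum left at 0 (not calculated, as in the notes)
    udp = struct.pack("!HHHH", int(sport), int(dport), 8 + len(payload), 0) + payload
    # Hard-coded IPv4 fields: version/IHL 0x45, TTL 64, protocol 17 (UDP)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    pkt = ip + udp
    # Per-packet record header: ts_sec, ts_usec, captured length, original length
    return struct.pack("<IIII", int(when.timestamp()), when.microsecond,
                       len(pkt), len(pkt)) + pkt

def to_pcap(lines):
    # One global header followed by one record per non-empty input line
    return global_header() + b"".join(record(l) for l in lines if l.strip())

if __name__ == "__main__":
    print(to_pcap([SAMPLE]).hex())
```

Because the UDP checksum field is zero, a viewer with UDP checksum validation enabled may flag every packet, which is why the notes recommend disabling it.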

Copyright

  • Copyright 2012 by Shunichi Shinohara.
  • Copyright 2012 by Shoji KUMAGAI (Python version).

License

Apache License v2.

See the LICENSE file for details.