getting to the IP data encapsulated inside some strange protocol

An example of stripping the outer encapsulation from the
packets to get to the IPv4 header inside the packet:

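# Join each packet's hex rows into one line of space-separated bytes,
# cut everything before the first " 45 " and hand the rest to text2pcap.
tcpdump -nxr input.pcap | \
perl -e '$i=0;while(<>){if (/^\d/){ $i=0 };
if (/0x0000: /) { $i=1;print "\n";};
if($i==1){s/^.+?: //;s/(..)(..)\s/$1 $2 /g;print $_;}}' \
| perl -npe 's/^.+? 45 /00000 45 /' \
| text2pcap -e 0x800 - output.pcap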

Nothing groundbreaking, but it could be useful.

Or a slightly shorter version (added 2012-10-25):
# Same idea: keep only the hex rows, one packet per line, cut at the first "4500".
tcpdump -nxr input.pcap |\
perl -ne 'next if (not /^\s+0x0/);chomp;s/^/\n/ if (/0x0000/);
s/\t+0x.+?:\s+//;s/\ //g;print' |\
perl -pe 's/^.+?4500/4500/;s/(..)/$1 /g;s/^/000000 /' |\
text2pcap -e 0x800 - output.pcap
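
Both one-liners cut at the first 45 / 4500 they see, which can be a payload byte or, in the shorter version, a match that straddles two bytes. The filter below is an added example, not part of the original post: it replaces the perl stages with a Python script that accepts only a byte-aligned IPv4 header whose header checksum verifies, so headers with options or a non-zero TOS are found too. The sample capture text and all function names are constructed for illustration.

```python
import re
import struct
import sys

HEX_LINE = re.compile(r"(?m)^\s+0x([0-9a-f]{4}):\s+([0-9a-f ]+?)\s*$")  # one -x row

def packets(text):
    """Yield each packet in `tcpdump -x` text output as a bytes object."""
    hexbuf = ""
    for offset, hexdata in HEX_LINE.findall(text):
        if offset == "0000" and hexbuf:  # a new packet starts at row 0x0000
            yield bytes.fromhex(hexbuf)
            hexbuf = ""
        hexbuf += hexdata.replace(" ", "")
    if hexbuf:
        yield bytes.fromhex(hexbuf)

def checksum_ok(hdr):  # one's-complement sum of a valid header is 0xffff
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def find_inner_ipv4(pkt, start=1):
    """Offset of the first valid IPv4 header at or after start (1 skips an outer header at 0), else None."""
    for off in range(start, len(pkt) - 19):
        ihl = (pkt[off] & 0x0F) * 4  # header length in bytes, options included
        if pkt[off] >> 4 != 4 or ihl < 20 or off + ihl > len(pkt):
            continue
        total_len = struct.unpack_from("!H", pkt, off + 2)[0]
        if total_len >= ihl and checksum_ok(pkt[off:off + ihl]):
            return off
    return None

def text2pcap_lines(text):
    for pkt in packets(text):
        off = find_inner_ipv4(pkt)
        if off is not None:  # packets without an inner header are dropped
            yield "000000 " + " ".join("%02x" % b for b in pkt[off:])

# Constructed sample: outer IPv4 (protocol 253), made-up 8-byte shim, inner ICMP.
SAMPLE = """12:00:00.000000 IP 10.0.0.1 > 10.0.0.2: ip-proto-253 36
\t0x0000:  4500 0038 0001 0000 40fd 65c6 0a00 0001
\t0x0010:  0a00 0002 a450 0001 0045 0007 4500 001c
\t0x0020:  0002 0000 4001 f78b c0a8 0101 c0a8 0102
\t0x0030:  0800 f7fd 0001 0001"""

if __name__ == "__main__":  # tcpdump -x text on stdin, else the sample
    print("\n".join(text2pcap_lines(SAMPLE if sys.stdin.isatty() else sys.stdin.read())))
```

Saved under a name such as filter.py (hypothetical), it slots into the same pipeline: `tcpdump -nxr input.pcap | python3 filter.py | text2pcap -e 0x800 - output.pcap`. Inner headers whose checksum is wrong in the capture are skipped.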


