Embedded Packet capture hex dump conversion to pcap files for wireshark

les_davis
Level 1

We are troubleshooting some issues with secure device provisioning, and we do not have remote FTP or TFTP over the public internet with our problem sites.  We are using embedded packet capture to capture the traffic on the router and on the WAN interface.  We are unable to export normally without FTP or TFTP and are left with doing a hex dump on the router using the following command.

sho monitor capture buffer <buffer name> dump

This provides output that we are logging using the PuTTY log feature.

The big question is can we convert the hex output to a file that wireshark can read?

Example of the output.

17:54:34.102 UTC Aug 9 2012 : IPv4 LES CEF    : Fa0/1 None
47E12ED0:          001B0CC2 ACA97444 01AD68F1      ...B,)tD.-hq
47E12EE0: 08004520 0058DAF4 40003006 FCCDA750  ..E .XZt@.0.|M'P
47E12EF0: F6C1451D 8F8ECEBD 00168656 9BD474B3  vAE...N=...V.Tt3
47E12F00: 63F15018 F710ABA0 00006753 32B229D0  cqP.w.+ ..gS22)P
47E12F10: 99C5AA42 460C6CEE AA4B9302 F449D891  .E*BF.ln*K..tIX.
47E12F20: E7B0E389 61E9846E 57BBDC4F 32C5E6CE  g0c.ai.nW;\O2EfN
47E12F30: DE448226 C3E8815C 66A4D2             ^D.&Ch.\f$R

17:54:34.102 UTC Aug 9 2012 : IPv4 Process    : Fa0/1 None
47E12ED0:          001B0CC2 ACA97444 01AD68F1      ...B,)tD.-hq
47E12EE0: 08004520 0058DAF4 40003006 FCCDA750  ..E .XZt@.0.|M'P
47E12EF0: F6C1451D 8F8ECEBD 00168656 9BD474B3  vAE...N=...V.Tt3
47E12F00: 63F15018 F710ABA0 00006753 32B229D0  cqP.w.+ ..gS22)P
47E12F10: 99C5AA42 460C6CEE AA4B9302 F449D891  .E*BF.ln*K..tIX.
47E12F20: E7B0E389 61E9846E 57BBDC4F 32C5E6CE  g0c.ai.nW;\O2EfN
47E12F30: DE448226 C3E8815C 66A4D2             ^D.&Ch.\f$R

2 Replies

mwinnett
Level 3

You might have to do some pre-processing first, but text2pcap should be able to do what you want. Check the man pages for details.

http://www.wireshark.org/docs/man-pages/text2pcap.html

Matthew
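
The pre-processing step Matthew mentions can be skipped altogether by writing the pcap file directly from the dump text. The script below is an added example, not code from this thread, from Cisco or from the Wireshark project: it parses the output format shown in the question (the two copies of the frame from the original post are embedded as the sample input) and writes a classic libpcap file that Wireshark opens as Ethernet. The function names, the file name ios_dump2pcap.py, the assumption that the router timestamps are UTC, and the choice to trim each frame to the length its IP header declares are mine, not something the page states.

```python
#!/usr/bin/env python3
"""Convert the text of 'show monitor capture buffer <name> dump' (Cisco IOS embedded
packet capture) straight into a libpcap file for Wireshark, no text2pcap needed."""
import re
import struct
import sys
from dataclasses import dataclass
from datetime import datetime, timezone

# Packet header line, e.g. "17:54:34.102 UTC Aug 9 2012 : IPv4 LES CEF    : Fa0/1 None"
HEADER_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}(?:\.\d{1,6})?)\s+(?P<tz>\S+)\s+"
    r"(?P<mon>[A-Za-z]{3})\s+(?P<day>\d{1,2})\s+(?P<year>\d{4})\s*:\s*(?P<info>.*)$")
# Hex line: 8-digit buffer address, a colon, hex groups, then an ASCII column.
HEX_RE = re.compile(r"^[0-9A-Fa-f]{8}:\s*(?P<rest>.*)$")

@dataclass
class Packet:
    ts: datetime   # capture time; assumed UTC whatever zone string the router printed
    info: str      # switching path and interface, e.g. "IPv4 LES CEF    : Fa0/1 None"
    data: bytes    # the Ethernet frame exactly as dumped, trailing bytes included

def parse_ios_dump(text):
    """Parse every dumped packet in the log text; returns a list of Packet."""
    packets, cur, buf = [], None, bytearray()
    def flush():
        if cur is not None:
            packets.append(Packet(cur[0], cur[1], bytes(buf)))
    for line in text.splitlines():
        line = line.strip()
        h = HEADER_RE.match(line)
        if h:
            flush()
            stamp = f"{h['mon']} {h['day']} {h['year']} {h['time']}"
            stamp += "" if "." in h["time"] else ".0"
            ts = datetime.strptime(stamp, "%b %d %Y %H:%M:%S.%f")
            cur, buf = (ts.replace(tzinfo=timezone.utc), h["info"].strip()), bytearray()
            continue
        x = HEX_RE.match(line)
        if x and cur is not None:
            # Groups are single-space separated; two or more spaces begin the ASCII
            # column, which can contain hex-looking characters, so cut it off first.
            hex_part = re.split(r"\s{2,}", x["rest"], maxsplit=1)[0]
            for group in hex_part.split():
                if not re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", group):
                    raise ValueError(f"bad hex group {group!r} in {line!r}")
                buf += bytes.fromhex(group)
    flush()
    return packets

def trim_to_ip_length(frame):
    """Cut the frame to the length its IP header declares.  The dump in the thread has
    103 bytes for a frame whose IPv4 total length gives 14 + 88 = 102; the stray byte
    would otherwise appear in Wireshark as an Ethernet trailer.  Short frames are kept."""
    if len(frame) < 14:
        return frame
    ethertype = int.from_bytes(frame[12:14], "big")
    if ethertype == 0x0800 and len(frame) >= 34:      # IPv4: total length field
        expected = 14 + int.from_bytes(frame[16:18], "big")
    elif ethertype == 0x86DD and len(frame) >= 54:    # IPv6: 40-byte header + payload length
        expected = 54 + int.from_bytes(frame[18:20], "big")
    else:
        return frame
    return frame[:expected] if len(frame) > expected else frame

def build_pcap(packets, trim=True):
    """Serialise packets as a classic libpcap file (microsecond stamps, DLT_EN10MB=1)."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for p in packets:
        data = trim_to_ip_length(p.data) if trim else p.data
        out += struct.pack("<IIII", int(p.ts.timestamp()), p.ts.microsecond,
                           len(data), len(data))
        out += data
    return bytes(out)

# The frame from the dump posted above (raw string so the ASCII column's backslashes
# survive).  The buffer held it twice, once per switching path, so the sample does too.
_CEF_COPY = r"""
17:54:34.102 UTC Aug 9 2012 : IPv4 LES CEF    : Fa0/1 None
47E12ED0:          001B0CC2 ACA97444 01AD68F1      ...B,)tD.-hq
47E12EE0: 08004520 0058DAF4 40003006 FCCDA750  ..E .XZt@.0.|M'P
47E12EF0: F6C1451D 8F8ECEBD 00168656 9BD474B3  vAE...N=...V.Tt3
47E12F00: 63F15018 F710ABA0 00006753 32B229D0  cqP.w.+ ..gS22)P
47E12F10: 99C5AA42 460C6CEE AA4B9302 F449D891  .E*BF.ln*K..tIX.
47E12F20: E7B0E389 61E9846E 57BBDC4F 32C5E6CE  g0c.ai.nW;\O2EfN
47E12F30: DE448226 C3E8815C 66A4D2             ^D.&Ch.\f$R
"""
SAMPLE_DUMP = _CEF_COPY + _CEF_COPY.replace("IPv4 LES CEF", "IPv4 Process")

if __name__ == "__main__":   # usage: python3 ios_dump2pcap.py putty.log capture.pcap
    with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
        pkts = parse_ios_dump(fh.read())
    with open(sys.argv[2], "wb") as fh:
        fh.write(build_pcap(pkts))
    print(f"wrote {len(pkts)} frames to {sys.argv[2]}")
```

Two things to check against your own log before trusting the result. Run terminal length 0 on the router before the dump so no --More-- prompts land in the PuTTY log (the parser ignores lines it does not recognise, but a prompt that splits a hex line will lose bytes). And note what the posted dump itself shows: the frame is 103 bytes long while its IPv4 total length (0x0058 = 88) plus the 14-byte Ethernet header is 102, and the same frame appears twice because the buffer captured it on both the CEF and the process switching path, so expect duplicate packets in Wireshark. The script trims to the declared length by default; pass trim=False to keep the raw bytes and let Wireshark display the extra byte as a trailer.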

We discovered the text2pcap function, but the formatting proved to be a very time-consuming process.  We found another method that is much easier.

We used SCP to transfer the files over port 22.

1. Export the capture buffer to the router flash

  monitor capture buffer <buffer name> export flash:/

2. Enable the SCP server on the remote router

ip scp server enable

3. Configure a level 15 ID and Password

username PASS privilege 15 password XXX

4. From a local machine that has SSH access to the remote router public IP perform the following

scp -v <userID>@<pubIP>:flash:<file name> .

The -v is the verbose switch.  It can be turned off.

This worked much better than trying to format the data.
