Depth of Code

Hani’s blog

Convert hex dump into pcap

Aug 12, 2011

Recently, I’ve come across an old packet challenge on the ismellpackets blog, which consists of finding a secret in a 4-packet capture. The problem is that the packets were given as a hex dump of this form:

00 0c 29 4c 6d a6 00 0c 29 0e 66 bd 08 00 45 00
00 f6 04 38 40 00 80 06 b7 77 c0 a8 5e 80 c0 a8
5e 81 0d 0d 01 bd 42 d0 33 b5 d2 64 26 85 50 18
fa 97 0e ae 00 00 00 00 00 ca ff 53 4d 42 73 00

One possible way to convert it to pcap file format is to use text2pcap.
But we first have to convert it into a format text2pcap accepts, adding the byte offset at the beginning of each line (see man text2pcap and man od for more info):

000000 00 0c 29 4c 6d a6 00 0c 29 0e 66 bd 08 00 45 00
000016 00 f6 04 38 40 00 80 06 b7 77 c0 a8 5e 80 c0 a8
000032 5e 81 0d 0d 01 bd 42 d0 33 b5 d2 64 26 85 50 18
000048 fa 97 0e ae 00 00 00 00 00 ca ff 53 4d 42 73 00

The offset can be given in decimal, hexadecimal or octal.

Not a very hard task. I copied all the packets into a text file named input and made the changes with a quick Python script.

with open("input") as f:
    count = 0                      # byte offset within the current packet
    for line in f:
        if line == "\n":
            count = 0              # blank line: the next packet starts at offset 0
        else:
            # strip the newline so print() does not emit an extra blank line
            print("%06d %s" % (count, line.rstrip("\n")))
            count += len(line.split())

The check if line == '\n' resets the offset to 000000, since the 4 packets are separated by a blank line.
We can now pipe the result into text2pcap:

$python myscript.py | text2pcap -o dec - output.pcap

The default offset format for text2pcap is hexadecimal. In our case, the offsets would then
have been 000000 000010 000020 000030 etc…
We use -o dec to tell text2pcap that the offset is in decimal.
The - means the input is read from stdin.
output.pcap is the output file. We can open it in Wireshark.

We could also have piped the output into tcpdump, for instance, to look at the packets directly:

$python myscript.py | text2pcap -o dec - - | tcpdump -Xnnr -

That’s it. There are many other ways and already existing scripts that could do the same job.

Update:
I came across another challenge in which the packet dump was given in this format:

4500 0527 0001 4000 4006 0000 c0a8 0102
c0a8 0101 2b67 0014 0000 006f 0000 006f
5018 0200 aa32 0000 ffd8 ffe0 0010 4a46

Here’s the modified version of the script, which supports this format:

import sys

with open(sys.argv[1]) as f:
    count = 0                      # byte offset within the packet
    for line in f:
        if line == "\n":
            continue               # skip blank lines (the offset is not reset here)
        # each group holds two bytes ("4500"): cut every group into
        # two-character chunks so text2pcap sees one byte per column
        words = line.split()
        string = [w[i:i + 2] for w in words for i in range(0, len(w), 2)]
        print("%06d" % count + " " + " ".join(string))
        count += len(string)
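As an added example (not the post’s own script), here is one converter that handles both dump layouts above (one byte per group and 16-bit word groups), splits packets on blank lines, and can either emit the offset-prefixed lines for text2pcap -o dec or write a classic libpcap file directly with the struct module, so you can see what text2pcap produces. The sample dump is constructed: the same 24-byte Ethernet frame written twice, once in each layout.

```python
import struct

# Constructed sample, not from the post: the same 24-byte Ethernet frame twice,
# first as one byte per group, then as 16-bit words, separated by a blank line.
SAMPLE_DUMP = """\
00 0c 29 4c 6d a6 00 0c 29 0e 66 bd 08 00 45 00
00 f6 04 38 40 00 80 06

000c 294c 6da6 000c 290e 66bd 0800 4500
00f6 0438 4000 8006
"""

def parse_hex_dump(text):
    """Split a dump into packets (bytes). A blank line ends a packet; each
    whitespace-separated group may hold one byte ('45') or several ('4500')."""
    packets, current = [], bytearray()
    for line in text.splitlines():
        groups = line.split()
        if not groups:                       # blank line: packet boundary
            if current:
                packets.append(bytes(current))
                current = bytearray()
            continue
        for g in groups:                     # fromhex rejects odd-length or non-hex groups
            current += bytes.fromhex(g)
    if current:
        packets.append(bytes(current))
    return packets

def to_text2pcap(packets):
    """Render packets as the offset-prefixed lines text2pcap expects with
    '-o dec'; an offset that drops back to 000000 starts a new packet."""
    out = []
    for pkt in packets:
        for off in range(0, len(pkt), 16):
            hexbytes = " ".join("%02x" % b for b in pkt[off:off + 16])
            out.append("%06d %s" % (off, hexbytes))
        out.append("")                       # blank line between packets
    return "\n".join(out)

def build_pcap(packets, linktype=1):
    """Build a classic libpcap image: 24-byte global header (magic, v2.4, snaplen
    65535, linktype: 1 Ethernet, 101 raw IP for dumps that start at the IP header),
    then a 16-byte record header per packet; timestamps are zero, a dump has none."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype))
    for pkt in packets:
        out += struct.pack("<IIII", 0, 0, len(pkt), len(pkt))
        out += pkt
    return bytes(out)
```

Pipe the output of to_text2pcap() into text2pcap -o dec - output.pcap, or write the bytes from build_pcap() to a file and open it in Wireshark; for the word-form dump in the update, which starts at the IP header, pass linktype=101.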