Support Support Downloads Knowledge Base Apex Support Portal Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[EX] How to use text2pcap to convert the output of '> monitor traffic interface' into a .pcap file

0

0

Article ID: KB23952 KB Last Updated: 24 Jul 2012Version: 2.0
Summary:
This article provides information on how to use text2pcap to convert the output of > monitor traffic interface into a .pcap file for viewing in Wireshark.
Symptoms:
How to use text2pcap to convert the output of > monitor traffic interface into a .pcap file for viewing in Wireshark:
user@switch> monitor traffic interface ae0.1241
size 9999 no-resolve print-ascii matching tcp 09:52:06.473671 In IP 1.2.4.2.63625 > 1.2.4.1.179: .
ack 931 win 16384 0x0000 0000 0002 45c0 0034 69b1 0000 0106 454d ....E..4i.....EM 0x0010 0102 0402 0102 0401 f889 00b3 bb10 ca31
...............1 0x0020 19da cef6 8010 4000 8475 0000 0101 080a......@..u...... 0x0030 1dfc 82ae 1dfc 824a .......J
Cause:
text2pcap requires the following changes to the above output:

  • Remove or use # at the beginning of the first line, so that only hexadecimal values are included in the .txt file.

  • Remove the leading 0x from the rest of the lines.

  • Put a space after each of the two hex characters, so they are not interpreted as hex offsets.
Solution:
The final text file is as follows:
C:\Program Files\Wireshark>more bgp.txt
0000   00 00 00 02 45 c0 00 34 69 b1 00 00 01 06 45 4d        ....E..4i.....EM
0010   01 02 04 02 01 02 04 01 f8 89 00 b3 bb 10 ca 31        ...............1
0020   19 da ce f6 80 10 40 00 84 75 00 00 01 01 08 0a        ......@..u......
0030   1d fc 82 ae 1d fc 82 4a                            .......J
The syntax and expected output are as follows:
C:\Program Files\Wireshark>text2pcap.exe bgp.txt bgp.pcap -l l2
Input from: bgp.txt
Output to: bgp.pcap
Wrote packet of 56 bytes at 0
Read 1 potential packet, wrote 1 packet
The bgp.pcap file should be in C:\Program Files\Wireshark and viewable in Wireshark.

Note: If the opened .pcap file says 'Expert Info (Error/Malformed): Length field value goes past the end of the payload', then use '-l l2' on the text2pcap.exe command line. This is necessary as the routing engine does not form or receive the layer two information. This knob works only on IP packets; not ARP packets.

Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search