Ethereal-dev: [Ethereal-dev] Re: capture formats

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxxxxx>
Date: Thu, 8 Mar 2001 20:01:58 -0800
On Thu, Mar 08, 2001 at 01:17:57PM -0700, Jay Swan wrote:
> At 11:59 AM 3/8/2001 -0800, you wrote:
> 
> >By "raw hex" do you mean "ASCII text in the form of a hex dump of packet
> >data", or "raw binary data"?
> >
> >In either case, Ethereal will probably work better if the packets have,
> >for example, packet-arrival time stamps in them.
> >
> >If the data is ASCII text, see the stuff in the Wiretap library for
> >reading Lucent/Ascend and Toshiba ASCII text packet dumps.
> 
> I'm trying to find an easy way to decode the output of the undocumented 
> Cisco command "debug ip packet dump", which gives results like this (it's 
> an IGMP packet):

Some undocumented Cisco command was discussed on the ethereal-dev list
back in October 2000:

	http://www.ethereal.com/lists/ethereal-dev/200010/msg00357.html

"I discovered some time ago that there is an undocumented command on
Cisco routers that lets one "capture" ip packets in hex dump.
The command is: debug ip packet dump
The output is sent via the normal logging methods and can be stored on a
syslog server for further analysis.

Does anybody know an undocumented command that captures all packets on a
Cisco router?
Would somebody be interested in doing a wiretap module for such a dump?"

and

	http://www.ethereal.com/lists/ethereal-dev/200010/msg00360.html

"I would *strongly* recommend against using this command unless you
really know what you're doing and/or don't mind a router reboot.

It is very easy to lose control of the router, because it can saturate
both the serial link and the CPU given sufficient load on the circuits,
and you may need physical access to the router to recover from this
condition.  If you're lucky, the task gets killed by the executive, if
not, the router locks up.

I've seen someone do this to a router in South Africa.  He didn't
appreciate my suggestion he should bike over there and fix it.

The SNMP capture has resource usage limitations built in; I'd suggest
using that if this functionality is required."

Nobody's done any Wiretap module for "debug ip packet dump" output.

> 02:27:15: IP: s=10.10.10.1 (local), d=224.0.0.1 (Serial0), len 28, sending 
> broad/multicast
> 04030D00:                                             45C0001C  E@..
> 04030D10: 01C00000 0102C354 0A0A0A01 E0000001  .@....CT....`...
> 04030D20: 1164EE                                                     .dn
> 
> I figured I'd just write a script to strip out everything except the hex 
> and feed it to a decoder.
> 
> It sounds like the Wiretap library might be the way to go. Do you have a URL?

	http://www.ethereal.com/

:-)

Wiretap is just the library that's part of Ethereal, which it uses to
read capture files.  See the "wiretap" subdirectory of the Ethereal
source tree.

As per my earlier mail, see the source files with "ascend" and "toshiba"
in their names, for examples of Wiretap modules that read text files.

Unless the dump contains an absolute time/date stamp - the line you have
there seems to show only a time stamp - you won't be able to generate a
"real" time stamp; you'd probably want to do something along the lines
of what the Ascend code does - it uses the modification time of the
capture file as the starting time stamp, which is probably wrong, but
less wrong than using, say, 0.

The "len" value doesn't match the length shown in the example there; it
may include the link-layer header, even though it doesn't show the
link-layer header in the dump, as far as I can tell ("45" looks like the
beginning of an IP header).
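The approach discussed in this thread (strip the hex out of the "debug ip packet dump" text, attach a time stamp, and hand the result to a decoder), as an added example that is not code from the thread, from the Wiretap library or from the Ethereal/Wireshark project. It parses the dump format exactly as the quoted sample shows it, emits a pcap file with the raw-IP link type so Ethereal/Wireshark can open it, and handles the two caveats raised above: the dump carries only a time of day, so the caller supplies the date (here a constructed `BASE_DATE` rather than the file modification time the Ascend code uses), and a dump shorter than the router's "len" value is recorded the way pcap records any truncated capture, with `incl_len` smaller than `orig_len`. The sample text, the regular expressions and the assumption that hex words are separated by one space while the ASCII column is separated by two or more are all assumptions made for this example.

```python
"""Convert Cisco "debug ip packet dump" text into a pcap file (added example)."""
import re
import struct
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List

# Constructed sample: the dump quoted in the thread, with the wrapped header
# line rejoined and the archive-mangled ASCII column restored from the hex.
SAMPLE_DUMP = """\
02:27:15: IP: s=10.10.10.1 (local), d=224.0.0.1 (Serial0), len 28, sending broad/multicast
04030D00:                                             45C0001C  E@..
04030D10: 01C00000 0102C354 0A0A0A01 E0000001  .@....CT....`...
04030D20: 1164EE                                                     .dn
"""

# Assumed: the dump only has a time of day, so a date must be supplied.
BASE_DATE = datetime(2001, 3, 8, tzinfo=timezone.utc)

HEADER_RE = re.compile(
    r"^(\d\d):(\d\d):(\d\d): IP: s=(\S+) \((\S+)\), d=(\S+) \((\S+)\), len (\d+)")
ROW_RE = re.compile(r"^([0-9A-Fa-f]{8}):(.*)$")        # "ADDR: <hex words>  <ascii>"
HEX_WORD_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}){1,4}$")  # 1..4 bytes per word

LINKTYPE_RAW = 101  # pcap link type: packet data starts at the IP header


@dataclass
class Packet:
    ts: datetime        # BASE_DATE plus the dump's time of day
    src: str
    dst: str
    declared_len: int   # the "len N" the router printed
    data: bytes         # bytes actually present in the hex rows


def _row_bytes(rest: str) -> bytes:
    """Return the bytes of one hex row, ignoring the ASCII column."""
    # Hex words are separated by one space, the ASCII column by two or more;
    # rows padded for alignment carry leading spaces, hence strip().
    hex_part = re.split(r"\s{2,}", rest.strip(), maxsplit=1)[0]
    out = bytearray()
    for word in hex_part.split():
        if not HEX_WORD_RE.match(word):
            raise ValueError(f"unexpected token in hex row: {word!r}")
        out += bytes.fromhex(word)
    return bytes(out)


def parse_dump(text: str, base_date: datetime) -> List[Packet]:
    """Parse dump text into packets; lines that are neither a header nor a
    hex row (wrapped continuations, other log noise) are skipped."""
    packets: List[Packet] = []
    header, data = None, bytearray()

    def flush() -> None:
        if header is not None:
            h, m, s, src, _, dst, _, length = header
            ts = base_date.replace(hour=int(h), minute=int(m), second=int(s), microsecond=0)
            packets.append(Packet(ts, src, dst, int(length), bytes(data)))

    for line in text.splitlines():
        hm = HEADER_RE.match(line)
        if hm:
            flush()
            header, data = hm.groups(), bytearray()
            continue
        rm = ROW_RE.match(line)
        if rm and header is not None:
            data += _row_bytes(rm.group(2))
    flush()
    return packets


def ip_total_length(data: bytes) -> int:
    """Total Length field of an IPv4 header, or -1 if the data is not IPv4."""
    if len(data) < 4 or data[0] >> 4 != 4:
        return -1
    return struct.unpack("!H", data[2:4])[0]


def build_pcap(packets: List[Packet]) -> bytes:
    """Serialise packets as a classic little-endian pcap file."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_RAW))
    for p in packets:
        incl_len = len(p.data)
        # Fewer dumped bytes than the declared length: record it as a
        # truncated capture rather than inventing the missing bytes.
        orig_len = max(p.declared_len, incl_len)
        out += struct.pack("<IIII", int(p.ts.timestamp()), p.ts.microsecond, incl_len, orig_len)
        out += p.data
    return bytes(out)


def describe(p: Packet) -> str:
    """One-line summary that flags a mismatch between "len" and the dumped bytes."""
    note = ""
    if len(p.data) != p.declared_len:
        note = f" (router said len {p.declared_len}, dump holds {len(p.data)} bytes)"
    return f"{p.ts.isoformat()} {p.src} -> {p.dst} ip.len={ip_total_length(p.data)}{note}"


if __name__ == "__main__":
    pkts = parse_dump(SAMPLE_DUMP, BASE_DATE)
    for pkt in pkts:
        print(describe(pkt))
    with open("cisco_dump.pcap", "wb") as f:
        f.write(build_pcap(pkts))
```

Run as-is it writes `cisco_dump.pcap` from the constructed sample and prints a summary line; on the sample the IP header's own Total Length field agrees with the router's "len 28" while only 23 bytes were dumped, which the summary reports and the pcap records as a short capture.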