Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-users: Re: [Wireshark-users] regenerate pcap-format from tcpdump -r output

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Tue, 21 Jul 2009 22:50:51 -0700

On Jul 21, 2009, at 10:36 PM, Andrej van der Zee wrote:

I was wondering if it is possible to regenerate pcap from the
text-output from tcpdump. I mean something like this:

tcpdump  -r dump.pcap  -n  -q -e > dump.txt
some-tool dump.txt > dump2.pcap

And then dupm.pcap equals dump2.pcap.

No, not in general.

Tcpdump - like Wireshark/TShark - discards information; it summarizes the packet (and there can be information loss even in the packet detail pane of Wireshark and the output of TShark -V).

If you used "-xx" with tcpdump, so that you got a full hex dump of the raw packet data, it might be possible to reconstruct the pcap file, just as you could with TShark's output with "-x".