Sunday, April 19, 2009

Convert Cisco dumps into Wireshark's pcap format

Lately I've been experimenting a lot with the hidden "dump" option of "debug ip packet", trying to decode various protocols. Yesterday I wrote a post about decoding the TACACS communication, something that required a little bit of awkward text editing.

Tonight I wrote the following Perl program to make the whole process easier.


#!/opt/perl/bin/perl

# ciscodump2text v0.1
#
# Convert Cisco hex dump format (captured through the "debug ip packet dump" command)
# to a special text format that can then be fed into text2pcap
# so a pcap file for Wireshark can be created at the end
#
# Copyright (C) 2009 Tassos (http://ccie-in-3-months.blogspot.com)
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.

use strict;
use warnings;

my @packets   = ();   # $packets[$i] holds the hex digits of packet $i (index 0 is unused)
my $junk_line = 1;    # true while outside a dump block, so the next dump line starts a new packet
my $i         = 0;    # number of the packet currently being collected

while (<>) {
    my $line = $_;

    # Dump lines look like "082D17E0: FF062BF6 0A0A0A09 0A0A0A0A 50740031 ..+v........Pt.1":
    # an 8-digit hex address, a colon, up to four 32-bit words in hex, then an ASCII column.
    if ( $line =~ /^[0-9A-F]{8}:(.*)$/ ) {
        my $rest = $1;

        # Keep only the hex words: the first token that is not hex starts the ASCII column.
        # (Looking at tokens rather than fixed columns also copes with collapsed whitespace.)
        my $hex_part = "";
        for my $token ( split ' ', $rest ) {
            last unless $token =~ /^(?:[0-9A-F]{2}){1,4}$/;
            $hex_part .= $token;
        }

        # The first dump line after a non-dump line begins a new packet
        if ( $junk_line ) {
            $i++;
            $packets[$i] = "";
            $junk_line = 0;
        }

        $packets[$i] .= $hex_part;
    } else {
        $junk_line = 1;
    }
}

# Print every packet in text2pcap's format: a comment line with the packet number, then
# lines of "<hex offset> <up to 16 bytes separated by spaces> #" (16 bytes = 32 hex digits)
for ( $i = 1; $i <= $#packets; $i++ ) {

    next unless defined $packets[$i] && length $packets[$i];

    for ( my $j = 0; $j < length($packets[$i]); $j += 2 ) {
        if ( $j == 0 ) {
            printf "# Packet $i\n%08X", $j/2;
        } elsif ( $j % 32 == 0 ) {
            printf " #\n%08X", $j/2;
        }
        print " " . substr($packets[$i], $j, 2);
    }

    print " #\n";
}

print "\n";


You just give it the Cisco dump as input (only lines starting with an 8-character hex address are processed, so you don't have to worry about the other lines) and it produces a text file that can be fed into text2pcap. Then you give text2pcap the new text file as input and it produces a pcap file as output, which can be opened with Wireshark.

For example, we want to convert the following log produced by "debug ip packet dump" into a text file that the "text2pcap" program accepts.

*Apr 18 18:19:51.887: FIBipv4-packet-proc: route packet from (local) src 10.10.10.9 dst 10.10.10.10
*Apr 18 18:19:51.887: FIBipv4-packet-proc: packet routing succeeded
*Apr 18 18:19:51.887: IP: s=10.10.10.9 (local), d=10.10.10.10 (FastEthernet0/1), len 80, sending
*Apr 18 18:19:51.887: TCP src=20596, dst=49, seq=1187787226, ack=3815757335, win=4128 ACK
082D17D0: 45000050 678B0000 E..Pg...
082D17E0: FF062BF6 0A0A0A09 0A0A0A0A 50740031 ..+v........Pt.1
082D17F0: 46CC31DA E36FD617 50101020 9F960000 FL1ZcoV.P.. ....
082D1800: C0010100 99648E6A 0000001C B8145EC8 @....d.j....8.^H
082D1810: A8B3C2B9 3EC12A1F AA40DE66 D7429C89 (3B9>A*.*@^fWB..
082D1820: 0BF911F3 C7249F5F .y.sG$._
*Apr 18 18:19:51.887: IP: s=10.10.10.9 (local), d=10.10.10.10 (FastEthernet0/1), len 80, sending full packet
*Apr 18 18:19:51.887: TCP src=20596, dst=49, seq=1187787226, ack=3815757335, win=4128 ACK
082D17C0: 0200 4C4F4F50 ..LOOP
082D17D0: CA000CB8 00060800 45000050 678B0000 J..8....E..Pg...
082D17E0: FF062BF6 0A0A0A09 0A0A0A0A 50740031 ..+v........Pt.1
082D17F0: 46CC31DA E36FD617 50101020 9F960000 FL1ZcoV.P.. ....
082D1800: C0010100 99648E6A 0000001C B8145EC8 @....d.j....8.^H
082D1810: A8B3C2B9 3EC12A1F AA40DE66 D7429C89 (3B9>A*.*@^fWB..
082D1820: 0BF911F3 C7249F5F .y.sG$._
*Apr 18 18:19:52.103: FIBipv4-packet-proc: route packet from (local) src 10.10.10.9 dst 10.10.10.10
*Apr 18 18:19:52.107: FIBipv4-packet-proc: packet routing succeeded
*Apr 18 18:19:52.107: IP: s=10.10.10.9 (local), d=10.10.10.10 (FastEthernet0/1), len 40, sending
*Apr 18 18:19:52.111: TCP src=20596, dst=49, seq=1187787266, ack=3815757363, win=4100 ACK
080014D0: 45000028 678C0000 E..(g...
080014E0: FF062C1D 0A0A0A09 0A0A0A0A 50740031 ..,.........Pt.1
080014F0: 46CC3202 E36FD633 50101004 F4920000 FL2.coV3P...t...
08001500:
*Apr 18 18:19:52.127: IP: s=10.10.10.9 (local), d=10.10.10.10 (FastEthernet0/1), len 40, sending full packet
*Apr 18 18:19:52.131: TCP src=20596, dst=49, seq=1187787266, ack=3815757363, win=4100 ACK
080014C0: 0200 4C4F4F50 ..LOOP
080014D0: CA000CB8 00060800 45000028 678C0000 J..8....E..(g...
080014E0: FF062C1D 0A0A0A09 0A0A0A0A 50740031 ..,.........Pt.1
080014F0: 46CC3202 E36FD633 50101004 F4920000 FL2.coV3P...t...
08001500:


First we save it in an ASCII text file (e.g. "test.dump") and give it as input to the "ciscodump2text" program.

tassos$ ciscodump2text test.dump > test.text

The created "test.text" file contains the following:

# Packet 1
00000000 45 00 00 50 67 8B 00 00 FF 06 2B F6 0A 0A 0A 09 #
00000010 0A 0A 0A 0A 50 74 00 31 46 CC 31 DA E3 6F D6 17 #
00000020 50 10 10 20 9F 96 00 00 C0 01 01 00 99 64 8E 6A #
00000030 00 00 00 1C B8 14 5E C8 A8 B3 C2 B9 3E C1 2A 1F #
00000040 AA 40 DE 66 D7 42 9C 89 0B F9 11 F3 C7 24 9F 5F #
# Packet 2
00000000 02 00 4C 4F 4F 50 CA 00 0C B8 00 06 08 00 45 00 #
00000010 00 50 67 8B 00 00 FF 06 2B F6 0A 0A 0A 09 0A 0A #
00000020 0A 0A 50 74 00 31 46 CC 31 DA E3 6F D6 17 50 10 #
00000030 10 20 9F 96 00 00 C0 01 01 00 99 64 8E 6A 00 00 #
00000040 00 1C B8 14 5E C8 A8 B3 C2 B9 3E C1 2A 1F AA 40 #
00000050 DE 66 D7 42 9C 89 0B F9 11 F3 C7 24 9F 5F #
# Packet 3
00000000 45 00 00 28 67 8C 00 00 FF 06 2C 1D 0A 0A 0A 09 #
00000010 0A 0A 0A 0A 50 74 00 31 46 CC 32 02 E3 6F D6 33 #
00000020 50 10 10 04 F4 92 00 00 #
# Packet 4
00000000 02 00 4C 4F 4F 50 CA 00 0C B8 00 06 08 00 45 00 #
00000010 00 28 67 8C 00 00 FF 06 2C 1D 0A 0A 0A 09 0A 0A #
00000020 0A 0A 50 74 00 31 46 CC 32 02 E3 6F D6 33 50 10 #
00000030 10 04 F4 92 00 00 #


Then, we convert this new text file into a pcap file by using the "text2pcap" program, which is included with Wireshark.

tassos$ text2pcap.exe -d test.text test.pcap
Input from: test.text
Output to: test.pcap
Start new packet
Start new packet
Wrote packet of 80 bytes at 0
Start new packet
Wrote packet of 94 bytes at 80
Start new packet
Wrote packet of 40 bytes at 174
Wrote packet of 54 bytes at 214

-------------------------
Read 4 potential packets, wrote 4 packets


The resulting pcap file "test.pcap" can be opened for further processing with Wireshark.

That way you can very easily create pcap files of almost everything happening on your router.
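Note that the text2pcap run above wrote 80- and 40-byte packets (bare IP, from the "sending" lines) next to 94- and 54-byte Ethernet frames (from the "sending full packet" lines); text2pcap labels every packet as Ethernet unless told otherwise with -l, so the bare IP ones decode wrongly in Wireshark. The Python below is an added example, not the blog's Perl script: it splits the dump into packets the same way, strips an Ethernet II or PPP (protocol field 0x0021, as seen on PPPoE links) header when one is present, and writes a pcap directly with link type LINKTYPE_RAW (101) so every packet is decoded from its IP header. The sample input reuses the page's own 40-byte packets; function names are mine.

```python
import re
import struct
# Constructed sample in "debug ip packet dump" layout (column spacing collapsed as on this
# page): one 40-byte TCP segment dumped bare ("sending") and with its Ethernet header.
SAMPLE_DUMP = """\
*Apr 18 18:19:52.107: IP: s=10.10.10.9 (local), d=10.10.10.10 (FastEthernet0/1), len 40, sending
080014D0: 45000028 678C0000 E..(g...
080014E0: FF062C1D 0A0A0A09 0A0A0A0A 50740031 ..,.........Pt.1
080014F0: 46CC3202 E36FD633 50101004 F4920000 FL2.coV3P...t...
*Apr 18 18:19:52.127: IP: s=10.10.10.9 (local), d=10.10.10.10 (FastEthernet0/1), len 40, sending full packet
080014C0: 0200 4C4F4F50 ..LOOP
080014D0: CA000CB8 00060800 45000028 678C0000 J..8....E..(g...
080014E0: FF062C1D 0A0A0A09 0A0A0A0A 50740031 ..,.........Pt.1
080014F0: 46CC3202 E36FD633 50101004 F4920000 FL2.coV3P...t...
"""
DUMP_LINE = re.compile(r"^[0-9A-F]{8}:(.*)$")        # "<address>: <hex words> <ascii>"
HEX_WORD = re.compile(r"^(?:[0-9A-F]{2}){1,4}$")     # 1 to 4 bytes, as IOS prints them

def parse_dump(text):
    """One bytes object per packet; any line that is not a dump line ends the current packet."""
    packets, current = [], None
    for line in text.splitlines():
        m = DUMP_LINE.match(line)
        if not m:
            current = None
            continue
        if current is None:
            packets.append(current := bytearray())
        for tok in m.group(1).split():
            if not HEX_WORD.match(tok):   # the first non-hex token starts the ASCII column
                break
            current += bytes.fromhex(tok)
    return [bytes(p) for p in packets]

def to_raw_ip(pkt):
    """IPv4 packet inside pkt: bare, behind Ethernet II (EtherType 0800) or behind PPP (protocol 0021)."""
    for skip, tag, at in ((0, b"", 0), (14, b"\x08\x00", 12), (2, b"\x00\x21", 0)):
        ip = pkt[skip:]
        if pkt[at:at + len(tag)] == tag and len(ip) >= 20 and ip[0] >> 4 == 4:
            total = int.from_bytes(ip[2:4], "big")
            if 20 <= total <= len(ip):
                return ip[:total]      # trims link-layer padding beyond the IP total length
    raise ValueError("no IPv4 header at packet start: " + pkt[:4].hex())

def build_pcap(packets):
    """Classic pcap file with LINKTYPE_RAW (101): Wireshark starts decoding at the IP header."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 101)
    for n, pkt in enumerate(packets):  # the dump's timestamps are not parsed: use the index
        out += struct.pack("<IIII", n, 0, len(pkt), len(pkt)) + pkt
    return out
```

Writing `build_pcap([to_raw_ip(p) for p in parse_dump(open("test.dump").read())])` to a file gives a pcap that Wireshark opens without text2pcap; a packet whose first bytes are none of the three layouts raises ValueError instead of being silently mislabelled.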

Notes: The "dump" option has been supported since IOS 12.0. Recent IOS releases include EPC (Embedded Packet Capture), which makes the whole capture-and-convert-to-pcap process much easier.

PS: I'm not a very good Perl programmer (although I have written a lot of custom Perl scripts for my job), so someone who has been playing with Perl for years will probably produce more compact, "perlish" code. I just tried to translate my logic into Perl code.

8 comments:

  1. Please, how can I learn Perl programming? I can see it is also important for one to know it as a Cisco guy.

    What books do you recommend?
    Thanks

  2. Generally, scripting and text processing are added-value abilities for someone dealing with routers. Perl provides a very easy framework for text processing tasks and it's quite easy to learn the basics.
    I can't recommend a book because I haven't read any. I started experimenting with sample code I found on the internet at the same time that I started creating advanced configurations on routers.
    Probably that's the reason my code cannot be considered optimized.

  3. I recently came across your blog and I seem to be reading along different posts. I thought leaving my first comment would be my way of thanking you for such good posts. Thanks.

  4. Hey Tassos

    I was playing around with your Perl script in a real-case scenario. I had some errors using text2pcap with the output of the script.

    After removing the # sign from the end of each line, I was able to make it work flawlessly.

    I appreciate your work and time on that tool.

    Thanks

  5. Vipin K. Narayanan, 04 February 2010, 19:55

    Thanks a lot for this tip, I never knew that IOS had a dump feature.

  6. Thanks, great info.
    I always find it hard to troubleshoot the SIP protocol on Cisco routers. This helps a lot.
    However, I have some problems with response packets from the far end. After conversion I can see that the data is there but the header is malformed:
    the MAC address starts with 0021 45 and the protocol type IP 08 00 is missing from the header.

    0B004D90: 0021 450001EE 00004000 .!E..n..@.
    0B004DA0: 291138AE 5E4BF72D C0A80130 13C413C4 ).8.^Kw-@(.0.D.D
    0B004DB0: 01DA6A96 5349502F 322E3020 32303020 .Zj.SIP/2.0 200
    0B004DC0: 4F4B0D0A 5669613A 20534950 2F322E30 OK..Via: SIP/2.0

    I followed comments on other forums to turn off logging and ip route-cache and to increase the logging buffer size, but it seems something is missing.

  7. Update on my SIP packets.
    At home I use ADSL with PPPoE.
    0x0021 indicates PPP.

    I cut and pasted the packets starting with 0021 4500 into a new file and this time ran
    text2pcap -l 9 test.text test.pcap

    It works, but at this point it's not practical to split the dump into incoming/outgoing parts.

  8. Hi. I'm writing a packet analyzer for Cisco IOS. Can anyone tell me why some packets from the hexdump come with source and destination MAC addresses and others don't?

    Thanks
    Antonio


 
This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License.
This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Greece License.