Tool 18: Reassemble IP packets of a record, and reorder TCP flow
Description:
A record is a capture file. It contains several packets captured
during a sniff. It can also be created by hand. There are 7 formats
for records: pcap (tcpdump compatible), bin (binary, unreadable by
humans but fast) and mixed/mixed_wrap/dump/hexa/hexa_wrap (easy to
read and edit). A record also has an associated DLT (Data Link Type),
indicating at which level a packet start: raw (start at IP header) and
ether (start at Ethernet header) are the 2 most common DLT. Tool 13
displays DLT of each device.
This tool reads packet from one record, tries to reassemble IP packets
and reorder TCP sequences. Please note, packets may be lost.
Parameter --src-file indicates the input record filename.
Parameter --input-dlt defines the DLT of packets in input record (it
depends on how it was sniffed, generally 'ether' (for Ethernet) or
'raw' (if packet starts at IP header)). Full list is available through
netwag or running tool 12.
Parameter --dst-file indicates the output record filename.
Parameter --recordencode defines how to encode data in this record
(suggested values: bin, pcap and mixed_wrap).
Parameter --tcpreord tries to reorder TCP flow (seqnum increments).
This might miss packets.
Synonyms:
capture
Usage:
netwox 18 -f file [-t dlt] -F file [-r recordencode] [-o|+o]
Parameters:
| parameter |
description |
example |
| -f|--src-file file |
input record file |
srcfile.txt |
| -t|--input-dlt dlt |
dlt type of input record |
ether |
| -F|--dst-file file |
output record file |
dstfile.txt |
| -r|--recordencode recordencode |
encoding type for output record |
bin |
| -o|--tcpreord|+o|--no-tcpreord |
also reorder TCP packets |
|
Examples:
netwox 18 -f "srcfile.txt" -F "dstfile.txt"
netwox 18 --src-file "srcfile.txt" --dst-file "dstfile.txt"