[RADIATOR] MessageLog Format text2pcap, missing tool in goodies

Karl Gaissmaier karl.gaissmaier at uni-ulm.de
Thu Aug 10 18:00:28 UTC 2017 

Hi Heikki,

Am 10.08.2017 um 12:04 schrieb Heikki Vatiainen:
> On 9.8.2017 20.11, Karl Gaissmaier wrote:
> 
>> is there already a wrapper in your toolbox to feed the msglog to 
>> text2pcap, using the proper directives per packet and collecting all 
>> packets in one pcap file?
> 
> No, there is not. If I remember correctly, the idea was to have the 
> directives more or less ready for text2pcap so that it could do the 
> processing when it creates the pcap file. As you probably noticed from 
> text2pcap documentation, line starting with '#TEXT2PCAP' is a special 
> directive but it looks like it does nothing yet (and currently Radiator 
> adds ##TEXT2PCAP).
> 
> The only, slightly, related thing in goodies is hexdump2wireshark.pl 
> which creates similar output from Trace 5 messages dumps.
> 
> In case someone wants to try this now, running text2pcap against the 
> file with one set of command line options does create a valid pcap file. 
> However, the ports and IPs are all the same, so the direction needs to 
> be deduced from the message contents.
> 
> Please let us know how it goes if you decide to do a script,Hi Heikki,

yes, I'll do, but before, please inspect the following patches:

1.) Please add a dot as delimiter between seconds and microseconds, then 
  text2pcap can parse the timestamp with the option flag '-t %s.'

> diff --git a/Radius/MessageLogFILE.pm b/Radius/MessageLogFILE.pm
> index f86362a..656377f 100644
> --- a/Radius/MessageLogFILE.pm
> +++ b/Radius/MessageLogFILE.pm
> @@ -140,7 +140,7 @@ sub format_radius_text2pcap
>      $from_ip = Radius::Util::inet_ntop($from_ip);
>      $to_ip   = Radius::Util::inet_ntop($to_ip);
>      my $t = "##TEXT2PCAP -i 17 -4 $to_ip,$from_ip -u $to_port,$from_port\n";
> -    $t .= $sec . $usec . " 0000 ";
> +    $t .= "$sec.$usec" . " 0000 ";
>      $t .= join ' ', map {sprintf "%02x", $_} unpack('C*', $data);
>  
>      return "$t\n";


2.) and if we already patch and change the output format, we should also 
trim the directive line to meet promised text2pcap enhancements:

> diff --git a/Radius/MessageLogFILE.pm b/Radius/MessageLogFILE.pm
> index 656377f..68619ff 100644
> --- a/Radius/MessageLogFILE.pm
> +++ b/Radius/MessageLogFILE.pm
> @@ -139,7 +139,7 @@ sub format_radius_text2pcap
>  
>      $from_ip = Radius::Util::inet_ntop($from_ip);
>      $to_ip   = Radius::Util::inet_ntop($to_ip);
> -    my $t = "##TEXT2PCAP -i 17 -4 $to_ip,$from_ip -u $to_port,$from_port\n";
> +    my $t = "#TEXT2PCAP -i 17 -4 $to_ip,$from_ip -u $to_port,$from_port\n";
>      $t .= "$sec.$usec" . " 0000 ";
>      $t .= join ' ', map {sprintf "%02x", $_} unpack('C*', $data);
>  

Regards
    Charly
-- 
Karl Gaissmaier
Universität Ulm
kiz, Kommunikations und Informationszentrum
89069 Ulm
Tel.: 49(0)731/50-22499
Fax : 49(0)731/50-12-22499

More information about the radiator mailing list