Extract ASCII from a packet capture Hex dump (BASH)
Just occasionally, you'll ask someone for a packet capture, and rather than being sent a PCAP you'll get sent pasted output like this:
< 2019/10/10 09:01:12.589497 length=250 from=0 to=249
48 54 54 50 2f 31 2e 30 20 32 30 30 20 4f 4b 0d HTTP/1.0 200 OK.
0a .
53 65 72 76 65 72 3a 20 67 75 6e 69 63 6f 72 6e Server: gunicorn
2f 31 39 2e 39 2e 30 0d 0a /19.9.0..
44 61 74 65 3a 20 54 68 75 2c 20 31 30 20 4f 63 Date: Thu, 10 Oc
74 20 32 30 31 39 20 30 39 3a 30 31 3a 31 32 20 t 2019 09:01:12
47 4d 54 0d 0a GMT..
43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 63 6c 6f 73 Connection: clos
65 0d 0a e..
43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 Content-Type: te
78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 xt/html; charset
3d 75 74 66 2d 38 0d 0a =utf-8..
58 2d 46 72 61 6d 65 2d 4f 70 74 69 6f 6e 73 3a X-Frame-Options:
20 44 45 4e 59 0d 0a DENY..
43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 Content-Length:
32 0d 0a 2..
58 2d 43 6f 6e 74 65 6e 74 2d 54 79 70 65 2d 4f X-Content-Type-O
70 74 69 6f 6e 73 3a 20 6e 6f 73 6e 69 66 66 0d ptions: nosniff.
0a .
58 2d 58 53 53 2d 50 72 6f 74 65 63 74 69 6f 6e X-XSS-Protection
3a 20 31 3b 20 6d 6f 64 65 3d 62 6c 6f 63 6b 0d : 1; mode=block.
0a .
0d 0a ..
6f 6b ok
Whilst readable, this is less than helpful if you just want to extract the payload (for example).
This snippet shows how to extract the hex values and convert them to ASCII, giving you a plain ASCII dump. You will get a few unprintable chars at the beginning from the TCP headers.
Details
- Language: BASH
Snippet
cat f.txt | cut -d' ' -f1-18 | grep -P '[0-9a-f][0-9a-f] ' | xxd -r -ps
Usage Example
cat f.txt | cut -d' ' -f1-18 | grep -P '[0-9a-f][0-9a-f] ' | xxd -r -ps
HTTP/1.0 200 OK
Server: gunicorn/19.9.0
Date: Thu, 10 Oct 2019 09:01:12 GMT
Connection: close
Content-Type: text/html; charset=utf-8
X-Frame-Options: DENY
Content-Length: 2
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
ok
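An added example, not part of the original snippet: a decoder for the same pasted-dump layout that still works when the column spacing has been collapsed, and that checks each block against the length= value in its header. It assumes a block starts with a "<" or ">" header line, and that a row holds at most 16 bytes and ends early after a 0a byte (as every row in the dump above does); the names decode_dump and sample_dump are made up here.

```bash
#!/usr/bin/env bash
# Added example, not the original snippet. Assumptions: a block starts with a
# "<" or ">" header carrying length=N; a row holds at most 16 hex bytes and
# ends early after a 0a byte; the ASCII column follows the hex bytes.

# Constructed sample in the page's layout, column spacing collapsed. In the
# last row the ASCII column starts with "be", which also looks like a hex byte.
sample_dump() {
  cat <<'EOF'
< 2019/10/10 09:01:12.589497 length=24 from=0 to=23
48 54 54 50 2f 31 2e 30 20 32 30 30 20 4f 4b 0d HTTP/1.0 200 OK.
0a .
0d 0a ..
62 65 20 6f 6b be ok
EOF
}

# Read a dump on stdin, write the raw bytes to stdout. Returns non-zero if a
# block decodes to a different byte count than its header announces.
decode_dump() {
  esc=$(awk '
    function hexval(c) { return index("0123456789abcdef", tolower(c)) - 1 }
    function close_block() {
      if (want >= 0 && got != want) {
        printf "block %d: header says %d bytes, decoded %d\n", blk, want, got > "/dev/stderr"
        bad = 1
      }
    }
    BEGIN { want = -1 }
    /^[<>] / {                                  # header: start a new block
      close_block(); blk++; got = 0; want = -1
      for (i = 1; i <= NF; i++)
        if ($i ~ /^length=[0-9]+$/) want = substr($i, 8) + 0
      next
    }
    {
      for (i = 1; i <= NF && i <= 16; i++) {    # at most 16 bytes per row
        if ($i !~ /^[0-9A-Fa-f][0-9A-Fa-f]$/) break
        if (want >= 0 && got >= want) break     # length reached: rest is ASCII
        printf "\\%03o", hexval(substr($i, 1, 1)) * 16 + hexval(substr($i, 2, 1))
        got++
        if (tolower($i) == "0a") break          # row ends after a newline byte
      }
    }
    END { close_block(); exit bad + 0 }
  ') || return 1
  printf "$esc"   # esc holds only \NNN octal escapes, so it is safe as a format
}

sample_dump | decode_dump
```

To decode a saved paste, run decode_dump < f.txt; a non-zero return means the decoded byte count did not match the header, so the paste is truncated or in a different layout.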