Displaying a GDB-dumped 802.15.4 buffer in Wireshark

The 802.15.4 MAC layer has these great headers with far too many single-bit options, enough to make your head hurt after a while. Since I was debugging some code, I had access to the buffer containing the entire frame. It would be nice to show this in Wireshark, wouldn’t it?

It’s actually not that difficult:

In GDB, after breaking at the right spot:

(gdb) dump binary memory dump.bin  _buf+1  _buf+len

Explained: dump binary memory [dump.bin] [_buf+1] [_buf+len]

  • [dump.bin] your output file
  • [_buf+1] the start address of the buffer (I had to skip the first byte)
  • [_buf+len] the end address of the buffer. Note that GDB treats the end address as exclusive: it writes the bytes from the start address up to, but not including, the end address. Check with `xxd dump.bin` that the last byte you expect (for instance the FCS) actually made it into the file before feeding it to Wireshark.

This Python script does the rest of the magic:

""" Original script: http://www.codeproject.com/Tips/612847/Generate-a-quick """
""" Modified by phalox.be                                                    """

import sys
import binascii

#Global header for pcap 2.4
pcap_global_header =   ('D4 C3 B2 A1'
'02 00'         #File format major revision (i.e. pcap <2>.4)
'04 00'         #File format minor revision (i.e. pcap 2.<4>)
'00 00 00 00'
'00 00 00 00'
'FF FF 00 00'
'C3 00 00 00')  #01 is ethernet, C3 is for 802.15.4. Check http://www.tcpdump.org/linktypes.html for all others

#pcap packet header that must preface every packet
pcap_packet_header =   ('AA 77 9F 47'
'90 A2 04 00'
'XX XX XX XX'   #Frame Size (little endian)
'YY YY YY YY')  #Frame Size (little endian)

def writeByteStringToFile(bytestring, filename):
bytelist = bytestring.split()
bytes = binascii.a2b_hex(''.join(bytelist))
bitout = open(filename, 'wb')

def generatePCAP(message, pcapfile):
pcap_len = len(message) / 3 # 1 byte is 3 characters e.g. "AB "
hex_str = "%08x" % pcap_len
reverse_hex_str = hex_str[6:] + hex_str[4:6] + hex_str[2:4] + hex_str[:2]
pcaph = pcap_packet_header.replace('XX XX XX XX', reverse_hex_str)
pcaph = pcaph.replace('YY YY YY YY', reverse_hex_str)

bytestring = pcap_global_header + pcaph + message
writeByteStringToFile(bytestring, pcapfile)

""" End of functions, execution starts here: """

if len(sys.argv) < 3:
print 'usage: pcapgen.py input_file output_file'

with open(sys.argv[1], 'r') as myfile:
data = myfile.read()

s = ""
for c in data:
s += format(ord(c), '02x')+" "

generatePCAP(s, sys.argv[2])

Since I wanted to make an 802.15.4 log, I hardcoded the link-type ID for such frames in the code. Please modify it if you need something else, and do let me know if you refactor this code!
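The one thing that regularly goes wrong with this approach is the link type: 195 (0xC3) tells Wireshark the last two bytes of every frame are the FCS, so a buffer dumped before the radio appended the FCS (or after the stack stripped it) shows up with a "bad FCS" and two payload bytes missing, while 230 (0xE6) is the no-FCS variant. The script below is an added example, not the blog's script or anything from the stack being debugged: it builds the same pcap 2.4 structure with struct.pack instead of hex strings, checks whether the dumped buffer ends in a valid 802.15.4 FCS (16-bit ITU-T CRC, polynomial 0x1021 processed LSB first, initial value 0, i.e. CRC-16/KERMIT) and picks the matching link type, with an override on the command line. The sample frame is constructed by hand, not captured, and the file name pcapgen2.py is made up.

```python
import struct
import sys

# Link-layer types from http://www.tcpdump.org/linktypes.html
LINKTYPE_IEEE802_15_4_WITHFCS = 195   # 0xC3: the frame still carries its 2-byte FCS
LINKTYPE_IEEE802_15_4_NOFCS = 230     # 0xE6: the FCS was stripped before the buffer was dumped


def ieee802154_fcs(data):
    """16-bit ITU-T CRC used as the 802.15.4 FCS: polynomial x^16 + x^12 + x^5 + 1
    (0x1021, processed LSB first, hence the reflected constant 0x8408), initial
    value 0, no final XOR. This is the CRC-16/KERMIT variant."""
    crc = 0
    for byte in bytearray(data):
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc


def append_fcs(frame):
    """Return frame with its FCS appended little-endian, as it goes over the air."""
    return bytes(frame) + struct.pack('<H', ieee802154_fcs(frame))


def has_valid_fcs(frame):
    """True when the last two bytes are the correct FCS of everything before them.
    A frame dumped without FCS has a 1 in 65536 chance of passing by accident, so
    pass the link type explicitly to build_pcap() when you know what the buffer holds."""
    if len(frame) < 3:
        return False
    (fcs,) = struct.unpack('<H', bytes(frame[-2:]))
    return fcs == ieee802154_fcs(frame[:-2])


def pcap_global_header(linktype, snaplen=65535):
    """24-byte pcap file header: magic 0xa1b2c3d4 (stored little-endian, so the file
    starts D4 C3 B2 A1), version 2.4, timezone 0, sigfigs 0, snaplen, link type."""
    return struct.pack('<IHHiIII', 0xa1b2c3d4, 2, 4, 0, 0, snaplen, linktype)


def pcap_record(frame, ts_sec=0, ts_usec=0):
    """16-byte record header (timestamp, captured length, original length) + frame."""
    frame = bytes(frame)
    return struct.pack('<IIII', ts_sec, ts_usec, len(frame), len(frame)) + frame


def build_pcap(frame, linktype=None):
    """Single-frame pcap. If no link type is given, look for an FCS at the end of
    the buffer and pick WITHFCS or NOFCS accordingly."""
    if linktype is None:
        linktype = (LINKTYPE_IEEE802_15_4_WITHFCS if has_valid_fcs(frame)
                    else LINKTYPE_IEEE802_15_4_NOFCS)
    return pcap_global_header(linktype) + pcap_record(frame)


def parse_pcap(blob):
    """Read back (linktype, [frame, ...]) from a little-endian pcap 2.4 blob."""
    magic, major, minor, _tz, _sig, _snap, linktype = struct.unpack('<IHHiIII', blob[:24])
    if magic != 0xa1b2c3d4 or (major, minor) != (2, 4):
        raise ValueError('not a little-endian pcap 2.4 file')
    frames, pos = [], 24
    while pos < len(blob):
        _sec, _usec, incl_len, _orig_len = struct.unpack('<IIII', blob[pos:pos + 16])
        frames.append(blob[pos + 16:pos + 16 + incl_len])
        pos += 16 + incl_len
    return linktype, frames


# Constructed sample (not a capture): 802.15.4 data frame, FCF 0x8841 (data frame,
# PAN ID compression, 16-bit destination and source addresses), sequence number 1,
# PAN 0x1234, destination 0xffff, source 0x0001, payload "hi". FCS added by append_fcs().
SAMPLE_FRAME_NO_FCS = bytes.fromhex('41 88 01 34 12 ff ff 01 00 68 69')
SAMPLE_FRAME_WITH_FCS = append_fcs(SAMPLE_FRAME_NO_FCS)


if __name__ == '__main__':
    # pcapgen2.py (hypothetical name) dump.bin out.pcap [withfcs|nofcs]
    if len(sys.argv) < 3:
        sys.exit('usage: pcapgen2.py dump.bin out.pcap [withfcs|nofcs]')
    with open(sys.argv[1], 'rb') as f:
        buf = f.read()
    forced = {'withfcs': LINKTYPE_IEEE802_15_4_WITHFCS,
              'nofcs': LINKTYPE_IEEE802_15_4_NOFCS}.get(sys.argv[3] if len(sys.argv) > 3 else '')
    with open(sys.argv[2], 'wb') as out:
        out.write(build_pcap(buf, forced))
```

Run it on the GDB dump as `python3 pcapgen2.py dump.bin out.pcap`; if Wireshark still reports a bad FCS, the buffer was probably dumped with a different byte range than you think (see the exclusive end address above), or the stack stores the frame with a length byte in front, in which case the FCS check on the raw buffer fails and you should force `nofcs` or `withfcs` by hand.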
