Skip to content

Displaying GDB dumped 802.15.4 buffer in WireShark

Published by Toon on October 5, 2016

The 802.15.4 mac layer has these great headers with too many single-bit options; sufficient to make your head hurt after a while. Since I was debugging some code, I had access to the entire buffer containing the entire frame. It would be nice to show this in Wireshark, wouldn’t it?

It’s actually not that difficult:

In GDB, after breaking at the right spot

(gdb) dump binary memory dump.bin && _buf+1 && _buf+len

Explained: dump binary memory [dump.bin] [_buf+1] [_buf+len]

  • [dump.bin] your output file
  • [_buf+1] the start address of the buffer (I had to skip the first byte)
  • [_buf+len] the end address of the buffer

With this python script, you do the rest of the magic

"""--------------------------------------------------------------------------"""
""" Original script: http://www.codeproject.com/Tips/612847/Generate-a-quick """
""" Modified by phalox.be"""
"""--------------------------------------------------------------------------"""

import sys
import binascii

#Global header for pcap 2.4
pcap_global_header = ('D4 C3 B2 A1'
'02 00' #File format major revision (i.e. pcap <2 & >.4)
'04 00' #File format minor revision (i.e. pcap 2.< 4)
'00 00 00 00'
'00 00 00 00'
'FF FF 00 00'
'C3 00 00 00')&amp;amp;nbsp; #01 is ethernet, C3 is for 802.15.4. Check http://www.tcpdump.org/linktypes.html for all others

#pcap packet header that must preface every packet
pcap_packet_header = ('AA 77 9F 47'
'90 A2 04 00'
'XX XX XX XX' #Frame Size (little endian)
'YY YY YY YY') #Frame Size (little endian)

def writeByteStringToFile(bytestring, filename):
bytelist = bytestring.split()
bytes = binascii.a2b_hex(''.join(bytelist))
bitout = open(filename, 'wb')
bitout.write(bytes)

def generatePCAP(message, pcapfile):
pcap_len = len(message) / 3 # 1 byte is 3 characters e.g. "AB "
hex_str = "%08x" % pcap_len
reverse_hex_str = hex_str[6:] + hex_str[4:6] + hex_str[2:4] + hex_str[:2]
pcaph = pcap_packet_header.replace('XX XX XX XX', reverse_hex_str)
pcaph = pcaph.replace('YY YY YY YY', reverse_hex_str)

bytestring = pcap_global_header + pcaph + message
writeByteStringToFile(bytestring, pcapfile)

"""------------------------------------------"""
""" End of functions, execution starts here: """
"""------------------------------------------"""

if len(sys.argv) &amp;amp;lt; 3:
print 'usage: pcapgen.py input_file output_file'
exit(0)

with open(sys.argv[1], 'r') as myfile:
data = myfile.read()

s = ""
for c in data:
s += format(ord(c), '02x')+" "

generatePCAP(s, sys.argv[2])

Since I wanted to make an 802.15.4 log, I hard coded the ID for such frames in the code. Please modify if you need something else and for sure let me know if you refactor this code!

Share this article
Published inSoftware

Be First to Comment

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.