The 802.15.4 MAC layer has these great headers with too many single-bit options; sufficient to make your head hurt after a while. Since I was debugging some code, I had access to the entire buffer containing the entire frame. It would be nice to show this in Wireshark, wouldn’t it?
It’s actually not that difficult:
In GDB, after breaking at the right spot:
(gdb) dump binary memory dump.bin _buf+1 _buf+len
Explained: dump binary memory [dump.bin] [_buf+1] [_buf+len]
- [dump.bin] your output file
- [_buf+1] the start address of the buffer (I had to skip the first byte)
- [_buf+len] the end address of the buffer
With this Python script, you do the rest of the magic:

```python
"""--------------------------------------------------------------------------"""
""" Original script: http://www.codeproject.com/Tips/612847/Generate-a-quick """
""" Modified by phalox.be                                                    """
"""--------------------------------------------------------------------------"""

import sys
import binascii

# Global header for pcap 2.4
pcap_global_header = ('D4 C3 B2 A1'   # Magic number (little endian)
                      '02 00'         # File format major revision (i.e. pcap <2>.4)
                      '04 00'         # File format minor revision (i.e. pcap 2.<4>)
                      '00 00 00 00'   # Timezone offset
                      '00 00 00 00'   # Timestamp accuracy
                      'FF FF 00 00'   # Snapshot length
                      'C3 00 00 00')  # 01 is ethernet, C3 is for 802.15.4. Check http://www.tcpdump.org/linktypes.html for all others

# pcap packet header that must preface every packet
pcap_packet_header = ('AA 77 9F 47'   # Timestamp, seconds (fixed dummy value)
                      '90 A2 04 00'   # Timestamp, microseconds (fixed dummy value)
                      'XX XX XX XX'   # Frame Size (little endian)
                      'YY YY YY YY')  # Frame Size (little endian)

def writeByteStringToFile(bytestring, filename):
    # Drop the spaces between the hex pairs and convert to raw bytes
    bytelist = bytestring.split()
    raw = binascii.a2b_hex(''.join(bytelist))
    with open(filename, 'wb') as bitout:
        bitout.write(raw)

def generatePCAP(message, pcapfile):
    pcap_len = len(message) // 3  # 1 byte is 3 characters e.g. "AB "
    hex_str = "%08x" % pcap_len
    # Reverse the byte order: the length fields are little endian
    reverse_hex_str = hex_str[6:] + hex_str[4:6] + hex_str[2:4] + hex_str[:2]
    pcaph = pcap_packet_header.replace('XX XX XX XX', reverse_hex_str)
    pcaph = pcaph.replace('YY YY YY YY', reverse_hex_str)
    bytestring = pcap_global_header + pcaph + message
    writeByteStringToFile(bytestring, pcapfile)

"""------------------------------------------"""
""" End of functions, execution starts here: """
"""------------------------------------------"""

if len(sys.argv) < 3:
    print('usage: pcapgen.py input_file output_file')
    sys.exit(1)

# Read the GDB dump in binary mode so no byte gets translated or rejected
with open(sys.argv[1], 'rb') as myfile:
    data = myfile.read()

# Turn the raw bytes into the "ab cd ef " form that generatePCAP expects
s = "".join(format(b, '02x') + " " for b in data)
generatePCAP(s, sys.argv[2])
```
Since I wanted to make an 802.15.4 log, I hardcoded the ID for such frames in the code. Please modify if you need something else and for sure let me know if you refactor this code!
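The hardcoded C3 (195) is the link type for 802.15.4 frames that still carry their 2-byte FCS; the tcpdump.org list also defines 230 for the same frames without it. The following is an added example, not part of the original script: it checks the trailing FCS of each dumped buffer to choose between the two and packs the pcap headers with `struct`. The function names, the all-frames-must-match heuristic and the sample ACK frame are assumptions made for illustration.

```python
import struct
import sys

LINKTYPE_WITHFCS = 195  # 0xC3, the value hardcoded in the script above
LINKTYPE_NOFCS = 230    # 0xE6, same MAC frame without the trailing 2-byte FCS

def crc16_802154(data):
    """802.15.4 FCS: CRC-16, x^16 + x^12 + x^5 + 1, initial value 0, LSB first."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc

def has_valid_fcs(frame):
    """True if the last two bytes (little endian) are the CRC of the rest."""
    if len(frame) < 3:
        return False
    return crc16_802154(frame[:-2]) == int.from_bytes(frame[-2:], "little")

def guess_linktype(frames):
    """Heuristic: claim 'with FCS' only when every dumped frame checks out."""
    if frames and all(has_valid_fcs(f) for f in frames):
        return LINKTYPE_WITHFCS
    return LINKTYPE_NOFCS

def build_pcap(frames, ts_sec=0):
    """Return a pcap 2.4 file image with one record per frame (list of bytes)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 0xFFFF,
                      guess_linktype(frames))
    for frame in frames:
        # incl_len and orig_len are equal: the whole buffer was dumped
        out += struct.pack("<IIII", ts_sec, 0, len(frame), len(frame)) + frame
    return out

# Constructed sample: an ACK frame (frame control 0x0002, sequence number 0x2a)
SAMPLE_NO_FCS = bytes.fromhex("02002a")
SAMPLE_WITH_FCS = SAMPLE_NO_FCS + crc16_802154(SAMPLE_NO_FCS).to_bytes(2, "little")

if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit("usage: dumps2pcap.py output.pcap dump1.bin [dump2.bin ...]")
    dumps = []
    for path in sys.argv[2:]:
        with open(path, "rb") as fh:
            dumps.append(fh.read())
    with open(sys.argv[1], "wb") as fh:
        fh.write(build_pcap(dumps))
```

If Wireshark reports a bad FCS or a malformed frame on a buffer you know is complete, the dump range is the first thing to check: an extra leading byte or a missing trailing one shifts every field.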