Displaying GDB dumped 802.15.4 buffer in WireShark

The 802.15.4 MAC layer has these great headers with too many single-bit options, enough to make your head hurt after a while. Since I was debugging some code, I had access to the buffer containing the entire frame. It would be nice to show this in Wireshark, wouldn’t it?

It’s actually not that difficult:

In GDB, after breaking at the right spot:

(gdb) dump binary memory dump.bin _buf+1 _buf+len

Explained: dump binary memory [dump.bin] [_buf+1] [_buf+len]

  • [dump.bin] your output file
  • [_buf+1] the start address of the buffer (I had to skip the first byte)
  • [_buf+len] the end address of the buffer

This Python script does the rest of the magic:

""" Original script: http://www.codeproject.com/Tips/612847/Generate-a-quick """
""" Modified by phalox.be                                                    """
# Runs under Python 3.

import sys
import binascii

# Global header for pcap 2.4 (little-endian magic)
pcap_global_header = ('D4 C3 B2 A1 '
                      '02 00 '         # File format major revision (i.e. pcap <2>.4)
                      '04 00 '         # File format minor revision (i.e. pcap 2.<4>)
                      '00 00 00 00 '   # Timezone offset (unused)
                      '00 00 00 00 '   # Timestamp accuracy (unused)
                      'FF FF 00 00 '   # Snapshot length (65535)
                      'C3 00 00 00 ')  # Link type: 01 is Ethernet, C3 is 802.15.4. Check http://www.tcpdump.org/linktypes.html for all others

# pcap packet header that must preface every packet
pcap_packet_header = ('AA 77 9F 47 '   # Timestamp, seconds (arbitrary fixed value)
                      '90 A2 04 00 '   # Timestamp, microseconds
                      'XX XX XX XX '   # Captured frame size (little endian)
                      'YY YY YY YY ')  # Original frame size (little endian), same value here

def writeByteStringToFile(bytestring, filename):
    # "AB CD ..." -> raw bytes; whitespace is stripped before hex decoding
    bytelist = bytestring.split()
    raw = binascii.a2b_hex(''.join(bytelist))
    with open(filename, 'wb') as bitout:
        bitout.write(raw)

def generatePCAP(message, pcapfile):
    pcap_len = len(message) // 3  # 1 byte is 3 characters e.g. "AB "
    hex_str = "%08x" % pcap_len
    # Byte-swap the 32-bit length into little-endian order
    reverse_hex_str = hex_str[6:] + hex_str[4:6] + hex_str[2:4] + hex_str[:2]
    pcaph = pcap_packet_header.replace('XX XX XX XX', reverse_hex_str)
    pcaph = pcaph.replace('YY YY YY YY', reverse_hex_str)

    bytestring = pcap_global_header + pcaph + message
    writeByteStringToFile(bytestring, pcapfile)

""" End of functions, execution starts here: """

if len(sys.argv) < 3:
    print('usage: pcapgen.py input_file output_file')
    sys.exit(1)

# The GDB dump is raw binary, so read it as bytes
with open(sys.argv[1], 'rb') as myfile:
    data = myfile.read()

# Render every byte as two hex digits followed by a space
s = ""
for c in data:
    s += format(c, '02x') + " "

generatePCAP(s, sys.argv[2])

Since I wanted to make an 802.15.4 log, I hardcoded the link type ID (C3) for such frames in the code. Please modify it if you need something else, and by all means let me know if you refactor this code!
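As an added example (not the post's script), here is the same pcap wrapping built with struct instead of hex strings, together with a parser that reads the file back so you can confirm the magic, link type and frame length before handing it to Wireshark; it also offers link type 230 (IEEE802_15_4_NOFCS) for a dumped buffer that does not end in an FCS, because with C3 Wireshark treats the last two bytes as the checksum and will flag it as bad. The sample frame, its PAN and addresses, and its two trailing FCS bytes are constructed values, not taken from the post.

```python
import struct

LINKTYPE_IEEE802_15_4_WITHFCS = 195  # 0xC3, what the script above hardcodes: FCS present
LINKTYPE_IEEE802_15_4_NOFCS = 230    # use when the dumped buffer has no trailing 2-byte FCS

def build_pcap(frames, linktype=LINKTYPE_IEEE802_15_4_WITHFCS, ts_sec=0, ts_usec=0):
    """Return the bytes of a little-endian pcap 2.4 file holding the given raw frames."""
    # magic, major, minor, thiszone, sigfigs, snaplen, network (24 bytes)
    out = struct.pack('<IHHiIII', 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for i, frame in enumerate(frames):
        # ts_sec, ts_usec, incl_len, orig_len; bump usec so Wireshark keeps frame order
        out += struct.pack('<IIII', ts_sec, ts_usec + i, len(frame), len(frame))
        out += frame
    return out

def read_pcap(data):
    """Parse a little-endian pcap back; returns (linktype, [frame bytes, ...])."""
    magic, _major, _minor, _tz, _sig, _snap, linktype = struct.unpack_from('<IHHiIII', data, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError('not a little-endian pcap file')
    frames, off = [], 24
    while off < len(data):
        _s, _us, incl_len, _orig = struct.unpack_from('<IIII', data, off)
        off += 16
        if off + incl_len > len(data):
            raise ValueError('truncated packet record')
        frames.append(data[off:off + incl_len])
        off += incl_len
    return linktype, frames

# Constructed sample: 802.15.4 data frame, FCF 0x8841 (data, PAN ID compression,
# short dst/src addresses), seq 0x05, PAN 0x1234, dst 0x0001, src 0x0002,
# payload "hi", then two placeholder FCS bytes (not a real CRC).
SAMPLE_FRAME = bytes.fromhex('41 88 05 34 12 01 00 02 00 68 69 aa bb')

def write_and_verify(path, frames, linktype=LINKTYPE_IEEE802_15_4_WITHFCS):
    """Write the pcap, read it back and return what the parser recovered."""
    pcap = build_pcap(frames, linktype)
    with open(path, 'wb') as f:
        f.write(pcap)
    return read_pcap(pcap)

if __name__ == '__main__':
    print(write_and_verify('dump.pcap', [SAMPLE_FRAME]))
```

Swap in the bytes from your own GDB dump for SAMPLE_FRAME (dropping any leading length byte, as the post does) and pick the NOFCS link type if the buffer stops before the checksum.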
