Displaying what each Hex Byte Represents in a Network Packet Hex Dump


[Wireshark screenshot]

As can be seen in the image above, in Wireshark, we can click any hexadecimal byte, and we will get which part it represents in the Packet Layer data.

I am trying to achieve the same effect but in Python. I have a Pcap file and its Hex Dump. I also have an array with the packet layer information that looks like the following:

Array: Packet Layer Information: 
[ { "layer_name" : "eth", "layer_len" : 14, "layer_start" : 0 }, { . . . } ... { . . . } ]

The array that contains the hexadecimal bytes I wish to link with the Packet Layer Data looks like this:

Array: Highlighted Bytes:
[ { "layer" : "ip", "position_in_layer" : 10, "byte" : "e0" }, { } ... { } ]

I am trying to link these hexadecimal bytes and print out what data they represent in the layer. However, from what I have seen, the layers' structures are not always fixed, and there are a lot of layer and network protocol types.

I have tried using libraries like Pyshark and Scapy, but they do not have the functionalities that I am looking for. In Scapy, I can convert a Hex Dump to a Network Packet, however, when I print the layers, they are always only Eth followed by Raw. The layers after the Eth are a part of its payload.

I want to find a way, whether in Python, or by integrating another language, to be able to print what any byte in a packet layer represents.

Answer by Ayah Abdel-Ghani

I received an answer from another source, so I'll submit it in case anyone else needs it.

There is a tshark command that can convert a pcap file into a pdml file. The command is as follows:

tshark -r input.pcap -T pdml > output.pdml

In this pdml file, there are all types of information regarding the pcap file, including information about the hexdump, and what each Packet Layer Data represents in the hexdump.

Therefore, the solution is to do the following:

  1. Read the pcap file and convert it to pdml
  2. Read the pdml (xml) file, and collect from it the information required, including position of Packet Layer Data in their Hexdumps.
  3. Compare the positions collected with the hexadecimal position that I have, and acquire what it represents.
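One way to carry out steps 2 and 3 in Python, as an added example that is not part of the question or the answer: parse the PDML that tshark writes, translate the question's layer-relative position into a frame offset using the `pos` attribute of the matching `proto` element, and list every `proto`/`field` whose `pos`/`size` range covers that byte. The PDML excerpt below is constructed to match the shape of tshark output; the field values in it are made up.

```python
import xml.etree.ElementTree as ET

# Constructed PDML excerpt in the shape tshark -T pdml emits (pos/size are
# byte offsets into the frame); the values are made up, not from a capture.
SAMPLE_PDML = """<pdml version="0">
 <packet>
  <proto name="frame" showname="Frame 1: 34 bytes" size="34" pos="0"/>
  <proto name="eth" showname="Ethernet II" size="14" pos="0">
   <field name="eth.src" showname="Source" size="6" pos="6" value="00112233aabb"/>
   <field name="eth.type" showname="Type: IPv4 (0x0800)" size="2" pos="12" value="0800"/>
  </proto>
  <proto name="ip" showname="Internet Protocol Version 4" size="20" pos="14">
   <field name="ip.ttl" showname="Time to Live: 64" size="1" pos="22" value="40"/>
   <field name="ip.checksum" showname="Header Checksum" size="2" pos="24" value="e0a1"/>
   <field name="ip.src" showname="Source Address" size="4" pos="26" value="0a000001"/>
  </proto>
 </packet>
</pdml>"""

def _covers(elem, offset):
    """True if elem has pos/size attributes and its byte range contains offset."""
    if elem.get("pos") is None or elem.get("size") is None:
        return False
    pos, size = int(elem.get("pos")), int(elem.get("size"))
    return pos <= offset < pos + size

def fields_at(packet, offset):
    """Every proto/field covering the frame offset, widest first (frame > ip > ip.checksum)."""
    hits = [e for e in packet.iter() if e.tag in ("proto", "field") and _covers(e, offset)]
    hits.sort(key=lambda e: int(e.get("size")), reverse=True)
    return [(e.get("name"), e.get("showname")) for e in hits]

def layer_offset_to_absolute(packet, layer, position_in_layer):
    """Translate the question's layer-relative position into a frame offset."""
    proto = packet.find(f"proto[@name='{layer}']")
    if proto is None:
        raise ValueError(f"layer {layer!r} not present in this packet")
    if not 0 <= position_in_layer < int(proto.get("size")):
        raise ValueError(f"position {position_in_layer} is outside layer {layer!r}")
    return int(proto.get("pos")) + position_in_layer

def describe(pdml_text, packet_index, layer, position_in_layer):
    """What the highlighted byte represents, e.g. ip/10 -> ip.checksum."""
    packet = ET.fromstring(pdml_text).findall("packet")[packet_index]
    return fields_at(packet, layer_offset_to_absolute(packet, layer, position_in_layer))

if __name__ == "__main__":
    for name, shown in describe(SAMPLE_PDML, 0, "ip", 10):
        print(f"{name:14} {shown}")
```

For a real capture, replace SAMPLE_PDML with the contents of the output.pdml produced by the tshark command above; bytes that fall inside a protocol but outside any dissected field come back with only the enclosing proto entries.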