Does anyone know of a tool to open a packet capture saved as a .bin file? That or how to convert it to pcap or something Wireshark can open.

I took a packet capture from a thin client and when I download it it's a .bin file type. I have not been able to find out how to open it to view it.

veel84
  • The problem is that .bin is a generic file type - it could be any format. Can you post some more details? – Dan Mar 28 '17 at 15:59
  • @Dan the packet capture is from a Wyse 5030 thin client – veel84 Mar 28 '17 at 16:00
  • And what option did you use to acquire it? "Network capture to USB" should give you a pcap file according to this: https://www.manualslib.com/manual/854562/Dell-Wyse-Thinos-C10le.html?page=64 Though I confess to never having actually tried it myself. Your firmware OS may be different though - I'm not sure what exactly those run – Dan Mar 28 '17 at 16:04
  • @Dan yea this model does not have that option, it's just a web admin page with an option to start the capture then download it. – veel84 Mar 28 '17 at 16:05
  • Is this definitely a network capture - some of them have a feature where you're capturing a video of the screen. Try opening your bin file in VLC... – Dan Mar 28 '17 at 16:06
  • @Dan nope VLC could not read it, didn't find video or audio – veel84 Mar 28 '17 at 17:53
  • Does `capinfos` (https://www.wireshark.org/docs/man-pages/capinfos.html) recognize it? Did you try asking Dell support what the format is? – Christopher Maynard Mar 31 '17 at 17:55

1 Answer

I had to create an account at the Teradici website. Their website just says it's in binary format, but they do provide a script in Python to convert it to a pcap. KB2484.

The script says I'm not allowed to post publicly so I won't do that. Link

veel84
  • It's too bad that the conversion process involves running the convert_to_pcap.py script, which utilizes an intermediate text file that is then run through text2pcap in order to save the data into a pcap file. This isn't particularly efficient. Ideally, Wireshark could be modified to be able to directly read the file without requiring any conversion at all, and you might consider opening a Wireshark bug report for this, but barring that, it would be much better if the conversion tool was able to directly generate a pcap file instead of using an intermediate step. Can you post a capture file? – Christopher Maynard Apr 07 '17 at 16:45
  • Here it is: [Example bin pcap](https://lift-allcompanyinc.box.com/s/zp9sx3ae94mf00xcn8ablo2rhvh18x9k) – veel84 Apr 26 '17 at 13:05
  • I think it should be possible to modify the script to write pcap files directly. The bin file format contains no global header, only a packet header of the following format (all multi-byte fields are little-endian):
      - Hour: 1 byte
      - Day: 1 byte
      - Month: 1 byte
      - Unused: 1 byte
      - Milliseconds: 2 bytes
      - Seconds: 1 byte
      - Minutes: 1 byte
      - Length: 4 bytes
      - "Length" bytes of packet data follow
    If month is 0, assume June 1, 1999. To convert, use the libpcap format, documented here: https://wiki.wireshark.org/Development/LibpcapFileFormat – Christopher Maynard Apr 27 '17 at 20:47
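
Added example, not part of the thread and not the Teradici KB2484 script: a direct bin-to-pcap converter for the record layout described in the last comment above, with bounds checks on the length field. The capture year (absent from the header), UTC timestamps, 1-based months, an Ethernet link type and the names used here are assumptions.

```python
import calendar
import struct
from datetime import datetime, timezone

# Record header as described in the comment above (little-endian, 12 bytes):
# hour, day, month, unused, milliseconds, seconds, minutes, length
REC = struct.Struct("<BBBBHBBI")
PCAP_GLOBAL = struct.Struct("<IHHiIII")  # libpcap global header
PCAP_REC = struct.Struct("<IIII")        # libpcap per-packet header
SNAPLEN = 262144          # also used as a sanity cap on the length field
LINKTYPE_ETHERNET = 1     # assumption: the capture holds Ethernet frames


def parse_records(blob, year):
    """Yield (ts_sec, ts_usec, data). The header has no year, so the caller supplies it."""
    off = 0
    while off < len(blob):
        if len(blob) - off < REC.size:
            raise ValueError(f"truncated record header at offset {off}")
        hour, day, month, _, ms, sec, minute, length = REC.unpack_from(blob, off)
        off += REC.size
        if length > SNAPLEN or length > len(blob) - off:
            raise ValueError(f"implausible length {length} before offset {off}")
        y = year
        if month == 0:  # rule from the comment; keeping the time of day is an assumption
            y, month, day = 1999, 6, 1
        # datetime() rejects out-of-range fields with ValueError; UTC is an assumption
        dt = datetime(y, month, day, hour, minute, sec, ms * 1000, tzinfo=timezone.utc)
        yield calendar.timegm(dt.utctimetuple()), dt.microsecond, blob[off:off + length]
        off += length


def bin_to_pcap(blob, year):
    """Return the whole capture as libpcap bytes, with no intermediate text file."""
    out = [PCAP_GLOBAL.pack(0xA1B2C3D4, 2, 4, 0, 0, SNAPLEN, LINKTYPE_ETHERNET)]
    for ts_sec, ts_usec, data in parse_records(blob, year):
        out.append(PCAP_REC.pack(ts_sec, ts_usec, len(data), len(data)) + data)
    return b"".join(out)


def sample_capture():
    """Constructed sample: two 60-byte dummy frames, the second with month 0."""
    frame = bytes(range(60))
    return (REC.pack(15, 28, 3, 0, 250, 7, 59, len(frame)) + frame +
            REC.pack(0, 0, 0, 0, 5, 1, 0, len(frame)) + frame)


if __name__ == "__main__":
    print(len(bin_to_pcap(sample_capture(), year=2017)), "bytes of pcap")
```

Writing the returned bytes to a file in binary mode gives a file Wireshark and `capinfos` can read, provided the link-type assumption matches the device.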