In my packet class Wireshark training, there is an exercise where we learn how to create hex dump files that can be imported into Wireshark, because Wireshark has a hex dump import function. It's a completely manual exercise where we format this by hand by looking at the Heartbleed proof of concept code SSLTest.py, which contains hex dumps of a couple of packets, and so we are going to look at that. But recently I wrote a 010 Editor script to automate this, and that's what I'm going to show you here.

So let me edit SSLTest. As you can see here, we have our first packet, a second one, and if we look at the code you can see here a socket is created for a socket stream, so a TCP connection, and the hello bytes are sent, and after the hello bytes you can see the HB, the heartbeat bytes, being sent. So we are now going to use my 010 Editor script to analyze these packets without having to run the proof of concept code.

I select the bytes here and I launch my script, Wireshark export. It recognizes that I selected hex bytes, so it asks me to convert them to bytes, which I want to, oh yes. And then you can see here that the bytes have been dumped with a counter starting at 00 and ending at E0, with a command telling you where the data comes from. And now let's select the second packet here and rerun my script, so it detects it as hex, yes, convert. So my script now detects that we already exported one packet, and the second packet here is appended with a counter again starting at 00. So we can save this file to be imported in Wireshark, so let's call it import like this, and now in Wireshark you can do File, Import from Hex Dump, and let's select this file that we just created, import here.
And since these bytes here are the content of a TCP stream, we are going to have to create a dummy header, a dummy TCP header. Let's say that the source port is 51,000, and since we are dealing with SSL the destination port is 443. Okay, and now as you can see those two packets have been imported, so you can see that they are SSL, TLS version 1.0, so that is hard-coded, and all the data here, a lot of cipher suites and then extensions, elliptic curve, and at the end you will see that we have the heartbeat extension. The second packet is a heartbeat request, you can see here, TLS 1.0, it's a heartbeat message request with a payload length and then without any data, and that is actually the malformed packet which causes the heartbeat vulnerability to be exploited.
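
The hex dump layout described in the transcript, as an added Python example (not the speaker's 010 Editor script and not code from SSLTest.py): each packet's bytes are written 16 per line behind a hex offset that restarts at zero, which is how the importer tells one packet from the next. The sample bytes, the function names, the six-digit offset width and the `#` label lines are assumptions made for this example.

```python
import re


def hex_to_bytes(text):
    """Parse hex source text (spaces and newlines allowed) into bytes."""
    cleaned = re.sub(r"\s+", "", text)
    if len(cleaned) % 2 or re.search(r"[^0-9a-fA-F]", cleaned):
        raise ValueError("selection is not a clean run of hex byte pairs")
    return bytes.fromhex(cleaned)


def dump_packet(data, label, width=16):
    """Return the hex dump lines for one packet, offsets starting at 0."""
    lines = [f"# {label}"]  # label line; '#' lines are treated as comments
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        lines.append(f"{off:06x} " + " ".join(f"{b:02x}" for b in chunk))
    return lines


def build_import_file(packets):
    """Concatenate several packets; each one restarts its offset at 0,
    so the importer splits them into separate frames."""
    out = []
    for label, hextext in packets:
        out.extend(dump_packet(hex_to_bytes(hextext), label))
    return "\n".join(out) + "\n"


# Constructed sample input: arbitrary bytes laid out the way hex strings
# usually appear in source code. These are not the PoC's packets.
SAMPLE = [
    ("packet 1 (constructed sample)", """
        16 03 01 00 1c 00 01 02 03 04 05 06 07 08 09 0a
        0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a
        1b
    """),
    ("packet 2 (constructed sample)", "17 03 01 00 02 aa bb"),
]

if __name__ == "__main__":
    print(build_import_file(SAMPLE), end="")
```

Saving the output to a file and loading it through the hex dump import with a dummy TCP header, as in the walkthrough, yields one frame per offset reset.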