A feature in Wireshark that is not well known is the Import from Hex Dump feature. You can find it in the File menu here, Import from Hex Dump. And Wireshark will then import a hex dump like this one.

So I have a hex dump here, with the index and then the bytes. And so this is the Ethernet frame. So the destination MAC address, the source MAC address. And then here 0800 to indicate that the payload of the Ethernet frame is an IPv4 packet. And here 45, that's the start of the IPv4 header. So that is something you can import in Wireshark. And then Wireshark will dissect this for you.

Import from Hex Dump. You browse to the folder and we import the hex dump like this and then click OK. And then here you have the breakdown. And now you can see that this indeed is an IPv4 packet, which is a UDP packet and which contains a DNS query.

So sometimes you get data like that, hex information like that. And then you can analyze that with Wireshark. But it's not always easy to transform it into the format that Wireshark will accept. So to help you with that, I've written a 010 Editor script. So let's quit this and install this editor. This editor here I'm running on Windows, but it also exists for Mac and for Linux. OK, this is the installation.

And now we are going to define our script, so the script that I wrote to create those hex dumps for Wireshark. And you go in Edit Script List, New. Here you click on the file name folder button and in the folder Wireshark export here you select a script like this. And now the script will appear in the list and you can run it by clicking here.

So let's open a binary file here. So let's work with this file here, assuming that this is a memory dump. So we open this with 010 Editor and you can see all zeros and then here some bytes. So this is actually a packet that we want to analyze with Wireshark. So you select all the data like this and then you run the script Wireshark export.
And this will create a new text file with the bytes that you selected dumped in hex format and also with a comment that indicates from where you got that dump. So when we save this, so export1.txt. Now we can launch Wireshark and import this hex dump. So export1.txt and we import the packet. So this 010 Editor script allows you to quickly create the necessary dumps for Wireshark.

Now here I selected bytes, but it also recognizes hexadecimal data, and this is quite handy when, for example, you want to analyze some proof of concept code. So let's close this and let's take a look here at ssltest.py. This is the Python program that was distributed as a proof of concept for CVE-2014-0160, or the Heartbleed vulnerability. And if you look into that Python program, you can see two sets of hex data, this one here and this one here. And if you search for hello here, you can see that hello, this packet, will be transmitted via a socket that uses the Internet Protocol and TCP. So this is actually data that is sent through a TCP pipe. And we know here that it is for SSL, so it will be connecting by default to port 443.

So let's analyze this. In this text file, you select the hex dump and you run the script Wireshark export. Now Wireshark export recognizes that the data that you selected is hexadecimal content and it asks you if you want to convert it to bytes. So yes, that is what we want to do. And then here we have our dump with the comment saying from which file it comes.

Now such a dump can contain more than one packet and my script also supports that. So let's select the second set of hex data and run the script again. Wireshark export, yes, we want to convert to bytes, and now you can see that a second entry was created in the same file here for that packet data. So let's save this. I will call this export2.txt and now we can import this in Wireshark: File, Import from Hex Dump, so export2.txt like this. Now what we are importing here is not an Ethernet frame. It is TCP data.
So we need to create a dummy header, and the dummy header that we have to create is all the way up to TCP. And when you select TCP you have to provide a source port and a destination port, because that information is not present in the data that we exported. So I'm going to say 52000, and destination port 443 for TLS. Okay, and now you can see that two packets were imported, two SSL data packets.

So if we look in the first one here, SSL, you can see that this is actually a client hello. So the start of the setup of the SSL/TLS connection, with all the cipher suites that are supported. So this is actually hardcoded in the proof of concept code. And also the version 0302, which is TLS 1.1, this is also hardcoded. So this means if you run this proof of concept on a server that does not support this version, then it will not work.

Now let's look at the second packet. And this second packet is a heartbeat request. Here we have our SSL data. First hexadecimal 18, that is the type heartbeat. Then again the version 0302, so TLS 1.1, and a record length of 3 bytes. Then the 3 bytes here make up the heartbeat message. And the heartbeat message is a request with a payload length of 16384 bytes. But then as you can see we are at the end of the packet. So the payload itself is not included. So this is a malformed packet and this is how the SSL heartbeat vulnerability was exploited. You send a heartbeat request with a payload length like, for example, this one, but you don't give it any data. And then you will receive data back.

So my script here, Wireshark export, allows you to easily convert bytes or hexadecimal data into a format that you can import in Wireshark.
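
The two steps shown in the video, as an added Python example (not the 010 Editor script and not code from ssltest.py): writing bytes as the offset-prefixed dump that Import from Hex Dump accepts, and checking a heartbeat record for the length mismatch seen in the second packet. The function names are hypothetical, the sample record is constructed from the fields read out above, and the 16-byte minimum padding comes from RFC 6520.

```python
import struct

# Constructed from the record walked through above: type 0x18, version 0302,
# record length 3, heartbeat request (type 1) declaring a 16384-byte payload.
SAMPLE_HEARTBEAT = bytes.fromhex("18 03 02 00 03 01 40 00")

def to_hexdump(packets, source="constructed sample"):
    """Render packets as offset-prefixed hex lines; each packet restarts at 0."""
    lines = []
    for data in packets:
        lines.append(f"# from {source}")  # comment line naming the origin
        for off in range(0, len(data), 16):
            chunk = data[off:off + 16]
            lines.append(f"{off:06x} " + " ".join(f"{b:02x}" for b in chunk))
        lines.append("")
    return "\n".join(lines)

def check_heartbeat(record):
    """Parse one TLS record; return None unless it is a heartbeat record."""
    if len(record) < 5:
        return None
    ctype, version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 0x18:
        return None
    body = record[5:5 + rec_len]
    if len(body) < 3:
        return {"version": f"{version:04x}", "malformed": True}
    hb_type, declared = struct.unpack("!BH", body[:3])
    present = len(body) - 3  # bytes that actually arrived for payload + padding
    # RFC 6520: the payload is followed by at least 16 padding bytes, so a
    # message is malformed when declared + 16 exceeds what arrived.
    return {"version": f"{version:04x}", "hb_type": hb_type,
            "declared": declared, "present": present,
            "malformed": declared + 16 > present}

if __name__ == "__main__":
    print(to_hexdump([SAMPLE_HEARTBEAT]))
    print(check_heartbeat(SAMPLE_HEARTBEAT))
```

The same comparison works as a detection rule on captured traffic: a heartbeat record whose declared payload length does not fit inside the record length is the malformed request described above.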