Re: help regarding altering the fields of a pcap

[Guy Harris <guy () alum mit edu>]

On Jun 21, 2010, at 12:58 PM, prashanth s wrote:

> I need to alter a few of the fields in the pcap for the higher level protocols such as MAPI and then write those 
> fields back to the pcap. Could any one please tell me how to do it?

Do it in Wireshark, or do it in some other tool?  We don't, and won't, support that in Wireshark dissectors; they are 
forever forbidden from modifying the data they're handed.  If you think you need to do it in Wireshark, please explain 
what you're trying to do, and we'll tell you the way it's done (which probably involves creating a new tvbuff with the 
modified data and handing that to subdissectors - that's how both decryption, decompression, and fragment reassembly 
are done, for example).
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe