Re: How to edit a specific byte in a pcap file ?

["j.snelders" <j.snelders () telfort nl>]

Hi Abhijit,

You can use bittwiste to edit the file and recalculate the checksums.

http://bittwist.sourceforge.net/
http://bittwist.sourceforge.net/doc/bittwiste.1.html
<snip>
Bittwiste  can  currently  edit  Ethernet,  ARP, IP, ICMP, TCP, and UDP
       headers. If run with the -X flag, you can append your own payload
after
       any  of  these  headers;  specified using the -L and -T flag. Bittwiste
       will, if not run with the -C flag, recalculate the  checksums  for
 IP,
       ICMP,  TCP,  and  UDP  packets, except for the last fragment of a
frag-
       mented IP datagram; bittwiste does not currently support checksum
 cor-
       rection  for the last fragment of a fragmented IP datagram.
<snip>

Example:
$ bittwiste -I test.pcap -O test_outfile.pcap -T ip -s 192.168.1.3,192.168.11.33
-d 192.168.1.3,192.168.11.33
input file: test.pcap
output file: test_outfile.pcap

138 packets (119763 bytes) written

Best regards
Joan

On Sat, 27 Feb 2010 09:14:46 -0700 Abhijit Bare wrote:
> One other technique I used - I save the raw file in "K12 text file" format
> using wireshark. I can then open text file in an editor and make all the
> changes. When going back to raw format, there is no "pcap" option to
> directly save. Not sure why not. In current wireshark, I saw "pcapng"
> (experimental) format. Save as pcapng and then save as pcap.
>
> Also remember that generally the checksums go bad after editing bytes.
>
> - Abhijit
>
> On Fri, Feb 26, 2010 at 12:00 PM, j.snelders <j.snelders () telfort nl> wrote:
>
> > Hi Shashank,
> >
> > You can use HxD; a freeware hex and disk editor.
> >
> > You can download it here:
> > http://mh-nexus.de/en/hxd/
> >
> > Best regards
> > Joan
> >
> > On Fri, 26 Feb 2010 19:24:09 +0100 Jaap Keuter wrote:
> > > Hi,
> > >
> > > Sounds you could use a true hex editor. You'll have to target the byte
> by
> > > hand,
> > > but you seem to know what you're looking for.
> > >
> > > Thanks,
> > > Jaap
> > >
> > > Shashank Agarwal wrote:
> > > > Hi,
> > > > How can I modify a specific byte using WireShark or any of its tools.
> > I
> > > > tried bit-twiste, tcprewrite, tcpreplay-edit, but to no avail. These
> > > > tools provide predefined and limited editing capability like editing
> the
> > > > IP address or TCP port or changing timestamp etc.
> > > > E.g. I have the hex bytes from an ethernet broadcast packet -
> > > > ff  ff  ff  ff  ff  ff  00  0b  20  40  15  6d  19  02  40 ......
> > > > First six bytes is dest. address, next 6 bytes is source address, "19
> >
> > > > 02" is packet type and the 15th byte (0x40) contains a flag. I want
> to
> > > > turn on the second bit in this 15th byte. Essentially replacing 0x40
> > > > with 0x42.
> > > > Which tool can help me with this modification in the pcap file?
> > > >
> > > > Thanks


       


___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe