Need an easy way to locally modify a wireshark .pcap packet's data

Question

I've been giving Scapy a try, but the documentation is too sparse, and I can't get it to play nice for simple editing.

Essentially, I'm looking for a simple solution in Python to take each packet from a .pcap, read/modify some of the data/delete the packet and save it back as a .pcap.

For example:

Given an sACN packet, I need read/modify the priority octet (108) and the universe octet (113-114) and save it again.

Thanks!

Answer 1

To process ".pcap" files with scapy you need to import 'PcapWriter' from 'scapy.utils'. The following example demonstrates how to process ".pcap" files with scapy:

#!/usr/bin/env python
# -*- coding: utf-8 -*-

from scapy.all import *

# to process .pcap files we need to
# import 'PcapWriter' from 'scapy.utils'
from scapy.utils import PcapWriter

# initialize a 'net_old.pcap' file
old_cap = PcapWriter("net_old.pcap", append=True, sync=True)

# create a simple packet
packet = IP(dst = "www.google.com")/ICMP()/"hi"

# create a pcap with 5 such packets
for _ in range(5): old_cap.write(packet)

# now read the packets from 'net.pcap'
packets = rdpcap('net_old.pcap')

new_cap = PcapWriter("net_new.pcap", append=True)

# and modify each packet
for p in packets:
    # modify any packet field, e.g. IP's dst
    p[IP].dst = '8.8.8.8'
    # write new packets in the new pcap file
    new_cap.write(p)

Now if you view the ".pcap" files with wireshark you will see that the packets have been successfully modified:

---

• Old pcap file:

---

• New pcap file: