Sukshith Shetty
Reputation: 31
Insert, Remove and Modify bytes from packet of Pcap file in linux
I require a way to insert, remove or modify the hex data bytes in the packet of a pcap file. Is there a tshark command or any other method to do this.
00292c0: 900b 0000 0018 5a82 5a82 a57e 5a82 a57e ......Z.Z..~Z..~
00292d0: a57e a57e 5a82 5a82 a57e 5a82 a57e 5a82 .~.~Z.Z..~Z..~Z.
00292e0: a57e 5a82 5a82 5a82 a57e a57e 5a82 a57e .~Z.Z.Z..~.~Z..~
Suppose I want to modify the first 4 bytes of data from 900b 0000 to 801b 0101 or remove first bytes or add an extra set of bytes at the end after a57e? How shall I do that?
Upvotes: 1
Views: 11049
Answers (1)
Christopher Maynard
Reputation: 6254
There are a number of ways to modify packet data. For example:
- You can use a hex editor. There are many so search for and use whichever one that works for you. Maybe have a look at this Comparison of hex editors to help guide you. I'll also note that Notepad++ has a hex editor plugin available in case that's of any interest to you.
- You can use a tool such as WireEdit.
- From Wireshark, you can export your packets to a Plain Text file via "File -> Export Packet Dissections -> As Plain Text..." with the Packet Format options set so that only the Packet Bytes are exported, and then use any text editor to modify the packet data as needed. After that, you can use
text2pcapto convert the modified text file back to a binary pcap file that can then be loaded back into Wireshark, or you can use Wireshark's built-in functionality to directly import the text file containing the modified hex dump of the packets you previously exported via "File -> Import From Hex Dump...". NOTE that when editing packets, especially when adding/removing bytes, you will likely need to make other adjustments as well in order for the packets to still make sense. This is because there are often length fields embedded in the packet data, so you need to be sure that the new length matches the data. And you might have to make changes in several places. And if you care about correct checksums/CRCs, then you may have to adjust those fields as well. - Other possible solutions from the Wireshark Tools wiki page in the Capture file editors and/or anonymizers section.
Upvotes: 2
Related Questions
- Edit tcp packets in pcap file
- How to modify the timestamp range of a .pcap file?
- Wireshark Related : Option to take packet and modify contents
- modify captured pcap and write back
- Need an easy way to locally modify a wireshark .pcap packet's data
- Append Packet to Current PCAP file
- How to manipulate packet and write to pcap file using pcap4j
- Wireshark - programatically modify packets from pcap file
- packet data intercept and modification
- how to modify packets using winpcap