[prev in list] [next in list] [prev in thread] [next in thread]
List: wireshark-users
Subject: Re: [Wireshark-users] How to edit a specific byte in a pcap file ?
From: "j.snelders" <j.snelders () telfort ! nl>
Date: 2010-02-28 9:22:13
Message-ID: 4A542FF7000CFCE4 () mail-5-nl ! mail ! tiscali ! sys
[Download RAW message or body]
Hi Abhijit,
You can use bittwiste to edit the file and recalculate the checksums.
http://bittwist.sourceforge.net/
http://bittwist.sourceforge.net/doc/bittwiste.1.html
<snip>
Bittwiste can currently edit Ethernet, ARP, IP, ICMP, TCP, and UDP
headers. If run with the -X flag, you can append your own payload
after
any of these headers; specified using the -L and -T flag. Bittwiste
will, if not run with the -C flag, recalculate the checksums for
IP,
ICMP, TCP, and UDP packets, except for the last fragment of a
frag-
mented IP datagram; bittwiste does not currently support checksum
cor-
rection for the last fragment of a fragmented IP datagram.
<snip>
Example:
$ bittwiste -I test.pcap -O test_outfile.pcap -T ip -s 192.168.1.3,192.168.11.33
-d 192.168.1.3,192.168.11.33
input file: test.pcap
output file: test_outfile.pcap
138 packets (119763 bytes) written
Best regards
Joan
On Sat, 27 Feb 2010 09:14:46 -0700 Abhijit Bare wrote:
>
>One other technique I used - I save the raw file in "K12 text file" format
>using wireshark. I can then open text file in an editor and make all the
>changes. When going back to raw format, there is no "pcap" option to
>directly save. Not sure why not. In current wireshark, I saw "pcapng"
>(experimental) format. Save as pcapng and then save as pcap.
>
>Also remember that generally the checksums go bad after editing bytes.
>
>- Abhijit
>
>On Fri, Feb 26, 2010 at 12:00 PM, j.snelders <j.snelders@telfort.nl> wrote:
>
>> Hi Shashank,
>>
>> You can use HxD; a freeware hex and disk editor.
>>
>> You can download it here:
>> http://mh-nexus.de/en/hxd/
>>
>> Best regards
>> Joan
>>
>> On Fri, 26 Feb 2010 19:24:09 +0100 Jaap Keuter wrote:
>> >Hi,
>> >
>> >Sounds you could use a true hex editor. You'll have to target the byte
>by
>> >hand,
>> >but you seem to know what you're looking for.
>> >
>> >Thanks,
>> >Jaap
>> >
>> >Shashank Agarwal wrote:
>> >> Hi,
>> >> How can I modify a specific byte using WireShark or any of its tools.
>> I
>> >
>> >> tried bit-twiste, tcprewrite, tcpreplay-edit, but to no avail. These
>> >> tools provide predefined and limited editing capability like editing
>the
>> >
>> >> IP address or TCP port or changing timestamp etc.
>> >> E.g. I have the hex bytes from an ethernet broadcast packet -
>> >> ff ff ff ff ff ff 00 0b 20 40 15 6d 19 02 40 ......
>> >> First six bytes is dest. address, next 6 bytes is source address, "19
>>
>> >> 02" is packet type and the 15th byte (0x40) contains a flag. I want
>to
>> >
>> >> turn on the second bit in this 15th byte. Essentially replacing 0x40
>> >> with 0x42.
>> >> Which tool can help me with this modification in the pcap file?
>> >>
>> >> Thanks
___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users@wireshark.org>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request@wireshark.org?subject=unsubscribe
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic