tshark: Look-up and modify all IP fragments during capture from and writing to pipes?

asked 2020-06-16 07:06:16 +0000

Ankur Satle

updated 2020-06-16 16:32:19 +0000


I am trying to customize tshark to modify bytes of received frames. Thus, I need to access and modify frame bytes. A similar previous question is currently unanswered: dissector access fragment bytes.

Target usage

$ tshark -r input_pipe -w output_pipe -f <filter> #Packets in output have modified bytes


For multiple protocols, bytes corresponding to specific fields need to be changed. I let the packets go through dissection instead of re-inventing the dissection wheel. Inside the dissector, bytes corresponding to some fields will be modified in the tvbuff_t *tvb.

With this approach, packets that are fully present in one frame are altered.

For fragmented packets though, changes do not reflect in the output for the constituent fragments. Obviously, dissection is changing the reassembled tvb here and not the frame tvb.

Thus, I added logic (to modify the input file itself):

  1. After dissect_packet(),
  2. I iterate over packet_info.dependent_frames,
  3. find each frame_data from cfile.frames,
  4. then fetch the bytes from the capture file,
  5. overwrite them with bytes from the reassembled tvb_data (g_slist_last(edt->pi.data_src)->data;),
  6. and write back the file.

This works well when tshark is run with files:

$ tshark -r in_file.pcap  #Works well! Bytes in in_file.pcap are modified

But, while the above works well when input and output are files, the same does not when reading from and writing to pipes. Key observations:

  1. cfile.frames or cfile.provider.frames is NULL (tshark.c)
  2. global_capture_session.cf->frames or global_capture_session.cf->provider.frames is NULL (tshark.c)

NOTE: two-pass analysis would have helped, as packets are revisited. But 2-pass isn't possible when reading from and writing to pipes! :( It works perfectly fine with input and output files.

Help needed

Could you please help me with:

  1. Where is the packet information (some data structure for frame_data/packet_info) stored during a pipe/live capture?
  2. Is a temporary file opened for capturing from pipes and, if so, where is it?
  3. I am guessing that if a complex (capture or display) filter is specified that needs protocol dissection, previously seen fragments are maintained somewhere; where and how, and when are they output?
  4. Is there another way worth exploring/trying to achieve modification of bytes across all fragments based on dissection?

Partial answers/clarification of any of the aspects/hints are most welcome! Thanks very much in advance!!!

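The core bookkeeping behind steps 2 to 5 above, which is mapping an edit made at an offset in the reassembled datagram back onto the bytes of each constituent IPv4 fragment, is shown here as an added Python model. This is not code from the question or from Wireshark; it stands in for the tvb/frame_data plumbing with plain byte strings, the fragments are constructed, and only the IP payload is patched (the IPv4 header checksum stays valid because it covers the header only; a transport checksum such as UDP's would still need recomputation).

```python
import struct

def ipv4_checksum(hdr: bytes) -> int:
    """RFC 791 one's-complement checksum over an IPv4 header (result 0 when verifying)."""
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def make_fragment(ident: int, off: int, mf: bool, payload: bytes) -> bytes:
    """Build a constructed IPv4 fragment (no link-layer header); off is in bytes."""
    assert off % 8 == 0 and (not mf or len(payload) % 8 == 0)  # RFC 791 alignment rules
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      (0x2000 if mf else 0) | (off // 8), 64, 17, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload

def parse_fragment(frame: bytes):
    """Return (header_len, ident, more_fragments, offset_bytes, payload)."""
    ihl = (frame[0] & 0x0F) * 4
    total_len, ident, flags_off = struct.unpack("!HHH", frame[2:8])
    return ihl, ident, bool(flags_off & 0x2000), (flags_off & 0x1FFF) * 8, frame[ihl:total_len]

def reassemble(frames):
    """Concatenate fragment payloads by offset: what a dissector sees in the reassembled tvb."""
    parts = sorted((parse_fragment(f)[3], parse_fragment(f)[4]) for f in frames)
    return b"".join(p for _, p in parts)

def patch_fragments(frames, start: int, new_bytes: bytes):
    """Write new_bytes at reassembled offset `start`, then push the change into every
    fragment whose payload range overlaps [start, start+len) so the frames stay consistent.
    Header-only fields (ident, flags, checksum) are left untouched."""
    out = [bytearray(f) for f in frames]
    end = start + len(new_bytes)
    for i, f in enumerate(frames):
        ihl, _, _, off, payload = parse_fragment(f)
        lo, hi = max(start, off), min(end, off + len(payload))  # overlap with this fragment
        if lo < hi:
            out[i][ihl + lo - off:ihl + hi - off] = new_bytes[lo - start:hi - start]
    return [bytes(o) for o in out]

# Constructed sample: one 24-byte datagram split into three fragments (ident 0x1234).
FRAGMENTS = [make_fragment(0x1234, 0, True, b"ABCDEFGH"),
             make_fragment(0x1234, 8, True, b"IJKLMNOP"),
             make_fragment(0x1234, 16, False, b"QRSTUVWX")]
```

Patching four bytes at reassembled offset 6 lands in two different frames (the tail of the first fragment and the head of the second), which is exactly the case a per-frame edit on the reassembled tvb misses.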