Ask Your Question
0

How to redact some information in packets

asked 2023-04-14 16:57:13 +0000

pac122 gravatar image

updated 2023-04-15 07:53:05 +0000

In Wireshark 4.0.5 I have captured some problem with login into server and saved the capture to .pcapng file. I need to send this file to external services company, but I don't want them to know the password.

Is there a way I can redact the package containing password?

I know I can select a packet and select "Ignore Packet" and export packet without it, but I actually don't want to do that, because other info in this packet are useful for diagnosing.

I would just like to change "password" text in file to "xxxxx".

Is it possible to redact info this way or something similar, that would not expose my password to external services company.

EDIT: In 7 years old video there is Wireshark edit packets feature presented as experimental feature. Was this feature removed from Wireshark?

edit retag flag offensive close merge delete

3 Answers

Sort by ยป oldest newest most voted
0

answered 2023-04-15 16:27:51 +0000

pac122 gravatar image

updated 2023-04-15 16:28:52 +0000

I have done the following:

  1. Open .pcapng file in Wireshark and in Packet Details right click on password I needed to change and "Copy | as Hex stream" to copy the HEX value.

  2. On my Ubuntu 22.10 laptop I have installed Okteta hex editor.

  3. In Okteta from menu File | Open and select .pcapng file.

  4. Menu Edit | Replace. In Find field I have pasted the hex string from step one and in Replace sting I typed in hex string of desired changed news password.

  5. Menu File | Save to save a file.

  6. Opened changed file in Wireshark and file opens without an issue and password is successfully changed.

edit flag offensive delete link more
0

answered 2023-04-15 14:04:12 +0000

Chuckc gravatar image

Current open issue: 11840: Qt version of Wireshark doesn't have the edit packet option

From the wiki: Capture file editors and/or anonymizers
Look at TraceWrangler and WireEdit.

edit flag offensive delete link more
0

answered 2023-04-14 20:10:36 +0000

Jaap gravatar image

First up, if a password comes up in clear text in network traffic, there are bigger problems.

That being said, telnet is still a thing, so there's that.

In this case there's little else to do than to go into (a copy of) the file with a hex editor, search for the password, replace the characters and save the file. Now when loaded back into Wireshark, there will be complaints about checksums that are incorrect. You either make a note in the packet saying that the packet is tweaked, or you may go into the file again, and touch up the checksums as well.

edit flag offensive delete link more

Comments

I have now edited my post. I have found old video with Wireshark edit package experimental feature. Is this feature still available in Wireshark?

pac122 gravatar imagepac122 ( 2023-04-15 07:54:05 +0000 )edit

Nope, it was always an experimental feature, which never made it to maturity.

Jaap gravatar imageJaap ( 2023-04-15 15:23:49 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

Stats

Asked: 2023-04-14 16:57:13 +0000

Seen: 723 times

Last updated: Apr 15 '23