Ask Your Question

How to edit radius protocol packet in Wireshark?

asked 2018-10-31 11:23:07 +0000

cilzzz gravatar image

updated 2018-10-31 16:47:59 +0000

Jaap gravatar image

hey all

i have snoop pcap file and i need to modify some radius packets. what i need to change is ip source, ip destination, name and the password is there a way to do this with wireshark tools?or this is impossible for radius protocol or do i need another tool to create my new pcap file.

internet protocol version 4, src....., dst .... header: source: destination

radius protocol AVP (attribute values pair user-name: chap-password

thanks in advance

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted

answered 2018-10-31 14:03:02 +0000

cmaynard gravatar image

Wireshark doesn't provide any packet editing capabilities.

(Older versions of the Legacy (Gtk) Wireshark (such as 2.2.x) included a basic packet editor feature that you could enable at the bottom of the Edit -> Preferences page, which will allow you to edit packets by right-clicking on the packet details pane and choosing Edit packet, but that feature has since been removed.)

If you're on the Windows platform, then your best bet might be to try tools like TraceWrangler or WireEdit. If you're on another platform, then have a look at the Capture file anonymization section of the Wireshark wiki Tools page for a list of some other tools that could possibly help you.

edit flag offensive delete link more


thank you i've already tried wireshark 1.12.8 with the edit experimental feature but it doesn't work for the ip and password and also wireEdit but it doesn't works for radius there a method to create a new pcap file with 5 to 10 packets where i can insertthe values i want.

thank you!

cilzzz gravatar imagecilzzz ( 2018-10-31 14:19:57 +0000 )edit

Have you tried TraceWrangler?

If none of those tools work for you, I suppose you could always use the old-school hex-editor method of modifying packets as needed, but this is usually tedious, error-prone and difficult to do properly. If you're not careful, you'll end up with malformed packets, so you really have to understand the pcap or pcapng file formats well before you attempt something like that. I would highly recommend working with pcap files instead of pcapng files, as they are much simpler. And even then, you'll probably end up with checksum errors, which can be fixed (or ignored if you wish) later through multiple iterations. Did I mention this can be tedious?

Rather than using a binary hex-editor though, it might be easier to convert a pcap file using tshark (e.g., tshark -r file.pcap -x > file.txt and then use a normal ...(more)

cmaynard gravatar imagecmaynard ( 2018-10-31 15:15:23 +0000 )edit

Ok thanks that's so nice from you, I will test with the tshark plus text2pcap approach first, if this does not work I will try the other two methods you merntioned (tcpwrangler, hex editor) since I have some doubts concerning checksum issues but it might be that checksum could be deactivated (e.g. "validation disabled" under wireshark view ?) to avoid network rejects (?).

cilzzz gravatar imagecilzzz ( 2018-10-31 16:05:21 +0000 )edit

Yes, you can certainly disable checksum validation or simply disregard the checksum errors if you don't feel like fixing them.

cmaynard gravatar imagecmaynard ( 2018-10-31 16:22:04 +0000 )edit

I would also go with TraceWrangler for IP header etc. For editing Radius fields I would use Scapy. => Read pcap file, edit fields in packet X, write a new pcap file.

Uli gravatar imageUli ( 2018-11-01 07:10:58 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2018-10-31 11:23:07 +0000

Seen: 5,018 times

Last updated: Oct 31 '18