This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to change the fake IP addresses in text2pcap output?

0

Hi! I have an application-level hex dump that I imported into Wireshark successfully with text2pcap. I have what is sent and what is received, and I want to reflect that conversation in Wireshark. So I created two hex dumps, one for reads and one for writes, and converted them to two pcap files, reversing the fake TCP port numbers.

But the problem I have is that text2pcap inserts 1.1.1.1 and 2.2.2.2 as origin and destination IP addresses, and I found no way to change this. I would need to reverse the IP addresses in the read hex dump import, or just use the same IP address for both origin and dest, as if the server and client are in the same machine.

Is there a way to change the fake IP addresses in text2pcap?

Thanks! Best, Alf

asked 04 Oct '12, 06:55

arpena


2 Answers:

1

You said "application-level dump", so I assume you used -u or -T to add a fake UDP or TCP header. Unfortunately, text2pcap doesn't have an option to control the assignment of fake IP addresses (and I checked the code - they're hardwired to 10.1.1.1 and 10.2.2.2), so there isn't a way to change the IP addresses it assigns.

Bittwist might let you process the packets and rewrite the IP headers to have the same source and destination addresses.

answered 08 Oct '12, 15:24

Guy Harris ♦♦

Excellent recommendation. I was able to change the read-pcap file with this command: ./bittwiste -I database-read.pcap -O database-read-mod.pcap -T ip -s 2.2.2.2 -d 1.1.1.1

(09 Oct '12, 12:04) arpena
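An added example, not part of the original thread and not Bittwist or Wireshark code: the same header rewrite done in Python, setting new IPv4 source and destination addresses in every packet and recomputing the IP and TCP/UDP checksums so the result dissects cleanly. It assumes a classic pcap file with Ethernet link type and unfragmented IPv4; all function names are hypothetical and the sample capture is constructed, using the 10.1.1.1 and 10.2.2.2 addresses cited in the answers.

```python
import socket
import struct

def csum(data: bytes) -> int:
    """RFC 1071 Internet checksum over data (zero-padded to 16-bit words)."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def rewrite_frame(frame: bytes, src: bytes, dst: bytes) -> bytes:
    """Set IPv4 src/dst in one Ethernet frame and refresh IP and TCP/UDP checksums."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return frame  # not IPv4 over Ethernet: leave untouched
    ihl, end = (frame[14] & 0x0F) * 4, 14 + struct.unpack("!H", frame[16:18])[0]
    if ihl < 20 or end < 14 + ihl or end > len(frame):
        return frame  # malformed or truncated packet: leave untouched
    ip, l4 = bytearray(frame[14:14 + ihl]), bytearray(frame[14 + ihl:end])
    ip[10:12], ip[12:16], ip[16:20] = b"\x00\x00", src, dst
    ip[10:12] = struct.pack("!H", csum(bytes(ip)))
    off = {6: 16, 17: 6}.get(ip[9])  # checksum offset inside the TCP / UDP header
    if off is not None and len(l4) >= off + 2 and not (ip[6] & 0x3F or ip[7]):  # skip fragments
        l4[off:off + 2] = b"\x00\x00"
        c = csum(src + dst + struct.pack("!BBH", 0, ip[9], len(l4)) + bytes(l4))
        l4[off:off + 2] = struct.pack("!H", 0xFFFF if (c == 0 and ip[9] == 17) else c)
    return frame[:14] + bytes(ip) + bytes(l4) + frame[end:]

def rewrite_pcap(data: bytes, src: str, dst: str) -> bytes:
    """Return a copy of a classic pcap capture with every IPv4 packet readdressed."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if order is None or len(data) < 24:
        raise ValueError("not a classic (microsecond) pcap file")
    if struct.unpack(order + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet captures (linktype 1) are handled")
    s, d = socket.inet_aton(src), socket.inet_aton(dst)
    out, pos = bytearray(data[:24]), 24
    while pos + 16 <= len(data):
        incl = struct.unpack(order + "I", data[pos + 8:pos + 12])[0]
        out += data[pos:pos + 16] + rewrite_frame(data[pos + 16:pos + 16 + incl], s, d)
        pos += 16 + incl
    return bytes(out)

def sample_pcap() -> bytes:
    """Constructed one-packet capture: Ethernet/IPv4/TCP, 10.1.1.1 -> 10.2.2.2, payload 'hi'."""
    ip = bytes.fromhex("4500002a000000004006") + b"\x00\x00" + bytes([10, 1, 1, 1, 10, 2, 2, 2])
    tcp = struct.pack("!HHIIBBHHH", 1000, 2000, 0, 0, 0x50, 0x18, 8192, 0, 0) + b"hi"
    frame = bytes(12) + b"\x08\x00" + ip + tcp
    return struct.pack("<IHHiIIIIIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1, 0, 0, len(frame), len(frame)) + frame
```

To reverse the direction of a "read" capture, call `rewrite_pcap(open("in.pcap", "rb").read(), "10.2.2.2", "10.1.1.1")` and write the returned bytes to a new file.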

0

text2pcap will add a dummy IP header (10.1.1.1 and 10.2.2.2) in these circumstances:

  1. you tell it to do so with option -i
  2. if you add an SCTP header with option: -s/-S
  3. if you add a UDP/TCP header with option: -u/-T

So, without information on how you called text2pcap, it's hard to say which of the above conditions apply.

Regards
Kurt

answered 08 Oct '12, 12:06

Kurt Knochner ♦

edited 08 Oct '12, 12:06