Hello, I need to modify a pcap file. For example, I need to edit the IP address, timestamp, URL, ... fields. How can I do it? Do I have to write a new software application, or is one available in the network?

Thanks Paolino

asked 17 Feb '12, 05:25

Paolino
accept rate: 0%

edited 26 Feb '12, 20:37

cmaynard ♦


What you need are tools that are usually used for anonymization and/or packet replay of trace files. You might want to take a look at tcprewrite, bittwiste, pktanon and other tools. You can also download the Sharkfest 2011 presentation (A-11) I did at the retrospective page:

http://sharkfest.wireshark.org/sharkfest.11/index.html

Update: since 2013, you can also use TraceWrangler.

answered 17 Feb '12, 05:31

Jasper ♦♦
accept rate: 17%

edited 18 Mar, 01:58

Try WireEdit (wireedit.com). You can edit any field on any network layer for supported protocols.

answered 15 Mar, 07:51

msukhar
accept rate: 0%

If it's for a single packet and you want to edit some of the deeper application stuff, there's actually a custom compile option for Wireshark that enables you to do that within Wireshark itself. That is, in a manual compile you can add "--enable-packet-editor" when doing a ./configure, allowing you to edit the packet fields in the GUI after Wireshark has decoded them: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9234

The catch there is that it's per-packet, GUI-based, so if you need to change many headers you're much better off with the other tools suggested. The only advantage to this method is that you have the power of Wireshark's dissectors to decode down into the application-specific field values for editing.

answered 15 Mar, 10:43

Quadratic
accept rate: 12%

edited 15 Mar, 10:43

Also, the last time I checked, edited packets could not be saved. So its use case was mainly to test how dissectors respond. Has that been changed since then and can edited packets be saved now?

(15 Mar, 12:05) SYN-bit ♦♦

Ah, that's a good point. I just tested it, and while it will let you edit and save it won't reflect the actual edits in the new saved file.

(15 Mar, 13:31) Quadratic

I use scapy (http://www.secdev.org/projects/scapy/). It's an extensible Python tool that can capture and modify packets. However, tcprewrite is also a great choice, albeit more limited.

answered 17 Mar, 12:22

howlingcat
accept rate: 0%
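
An added example, not part of any answer above and not code from any of the tools named: a standard-library Python sketch of the two edits the question asks about (IP address and timestamp) on a classic pcap file, for anonymizing a trace before sharing it. The function names, the address map and the constructed one-packet capture are assumptions made for illustration; pcapng, VLAN tags and IPv6 are not handled.

```python
import socket
import struct

def ip_checksum(hdr: bytes) -> int:
    """RFC 1071 ones'-complement checksum over an IPv4 header."""
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def rewrite_pcap(data: bytes, ip_map: dict, ts_shift: int = 0) -> bytes:
    """Copy a classic pcap, mapping IPv4 addresses and shifting timestamps (seconds)."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if order is None or len(data) < 24:
        raise ValueError("not a classic microsecond pcap (pcapng is not handled)")
    if struct.unpack(order + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet captures (linktype 1) are handled")
    table = {socket.inet_aton(k): socket.inet_aton(v) for k, v in ip_map.items()}
    out, off = bytearray(data[:24]), 24
    while off + 16 <= len(data):
        sec, usec, caplen, origlen = struct.unpack(order + "IIII", data[off:off + 16])
        pkt = bytearray(data[off + 16:off + 16 + caplen])
        if len(pkt) < caplen:
            raise ValueError("truncated packet record")
        off += 16 + caplen
        ihl = (pkt[14] & 0x0F) * 4 if len(pkt) >= 34 else 0
        if pkt[12:14] == b"\x08\x00" and ihl >= 20 and len(pkt) >= 14 + ihl:
            for pos in (26, 30):  # source address, then destination address
                pkt[pos:pos + 4] = table.get(bytes(pkt[pos:pos + 4]), pkt[pos:pos + 4])
            pkt[24:26] = b"\x00\x00"  # zero the old header checksum, then recompute
            pkt[24:26] = struct.pack("!H", ip_checksum(bytes(pkt[14:14 + ihl])))
            # TCP/UDP checksums also cover the addresses; not recomputed in this sketch.
        out += struct.pack(order + "IIII", (sec + ts_shift) & 0xFFFFFFFF, usec, caplen, origlen)
        out += pkt
    return bytes(out)

def sample_pcap() -> bytes:
    """Constructed capture: one UDP packet 192.0.2.10 -> 198.51.100.7 at ts 1329456300."""
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 1, 0, 64, 17, 0,
                               socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.7")))
    ip[10:12] = struct.pack("!H", ip_checksum(bytes(ip)))
    udp = struct.pack("!HHHH", 5353, 53, 8, 0)  # UDP checksum 0 = not used
    frame = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + bytes(ip) + udp
    ghdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return ghdr + struct.pack("<IIII", 1329456300, 0, len(frame), len(frame)) + frame
```

Calling `rewrite_pcap(sample_pcap(), {"192.0.2.10": "10.0.0.1"}, ts_shift=-1000)` returns bytes that can be written to a `.pcap` file and opened in Wireshark to confirm the IPv4 header checksum still validates.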

If you want to write a new application, you can write a C# program using the Pcap.Net library.

answered yesterday

Fateme
accept rate: 0%

Asked: 17 Feb '12, 05:25

Seen: 5,870 times

Last updated: yesterday