Hello, I need to modify a pcap file. For example, I need to edit the IP address, timestamp, URL, ... fields. How can I do it? Do I have to write a new software application, or is one available in the network?

Thanks Paolino

asked 17 Feb '12, 05:25


accept rate: 0%

edited 26 Feb '12, 20:37


cmaynard ♦

What you need are tools that are usually used for anonymization and/or packet replay of trace files. You might want to take a look at tcprewrite, bittwiste, pktanon and other tools. You can also download the Sharkfest 2011 presentation (A-11) I did at the retrospective page:


Update: since 2013, you can also use TraceWrangler.


answered 17 Feb '12, 05:31


Jasper ♦♦
accept rate: 18%

edited 18 Mar, 01:58

Try WireEdit (wireedit.com). You can edit any field on any network layer for supported protocols.


answered 15 Mar, 07:51


accept rate: 0%

If it's for a single packet and you want to edit some of the deeper application stuff, there's actually a custom compile option for Wireshark that enables you to do that within Wireshark itself. That is, in a manual compile you can add "--enable-packet-editor" when doing a ./configure, allowing you to edit the packet fields in the GUI after Wireshark has decoded them: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9234

The catch there is that it's per-packet, GUI-based, so if you need to change many headers you're much better off with the other tools suggested. The only advantage to this method is that you have the power of Wireshark's dissectors to decode down into the application-specific field values for editing.


answered 15 Mar, 10:43


accept rate: 13%

edited 15 Mar, 10:43

Also, the last time I checked, edited packets could not be saved. So its use case was mainly to test how dissectors respond. Has that been changed since then and can edited packets be saved now?

(15 Mar, 12:05) SYN-bit ♦♦

Ah, that's a good point. I just tested it, and while it will let you edit and save, it won't reflect the actual edits in the new saved file.

(15 Mar, 13:31) Quadratic

I use scapy (http://www.secdev.org/projects/scapy/). It's an extensible python tool that can capture and modify packets. However, tcprewrite is also a great choice, albeit more limited.


answered 17 Mar, 12:22


accept rate: 0%

If you want to write a new application, you can write a C# program using the Pcap.Net library.


answered 22 Apr, 23:23


accept rate: 0%

You can also use packet crafting libraries. I can recommend a library I'm developing: PcapPlusPlus. It's a C++ library where you can open a pcap file, parse and edit the packets in it and save them back to the pcap file. You didn't say which OS you'd like to use, but this library supports Windows, Linux and Mac OS.


answered 24 Jul, 14:40


accept rate: 0%


Asked: 17 Feb '12, 05:25

Seen: 7,491 times

Last updated: 24 Jul, 14:40
