Wireshark-users: Re: [Wireshark-users] How to edit a specific byte in a pcap file ?

From: Abhijit Bare <abhibare@xxxxxxxxx>
Date: Mon, 1 Mar 2010 11:10:26 -0700
Thanks! Good information for next time...

On Sun, Feb 28, 2010 at 2:22 AM, j.snelders <j.snelders@xxxxxxxxxx> wrote:
Hi Abhijit,

You can use bittwiste to edit the file and recalculate the checksums.

http://bittwist.sourceforge.net/
http://bittwist.sourceforge.net/doc/bittwiste.1.html
<snip>
Bittwiste  can  currently  edit  Ethernet,  ARP, IP, ICMP, TCP, and UDP
      headers. If run with the -X flag, you can append your own payload
after
      any  of  these  headers;  specified using the -L and -T flag. Bittwiste
      will, if not run with the -C flag, recalculate the  checksums  for
 IP,
      ICMP,  TCP,  and  UDP  packets, except for the last fragment of a
frag-
      mented IP datagram; bittwiste does not currently support checksum
 cor-
      rection  for the last fragment of a fragmented IP datagram.
<snip>

Example:
$ bittwiste -I test.pcap -O test_outfile.pcap -T ip -s 192.168.1.3,192.168.11.33
-d 192.168.1.3,192.168.11.33
input file: test.pcap
output file: test_outfile.pcap

138 packets (119763 bytes) written

Best regards
Joan

On Sat, 27 Feb 2010 09:14:46 -0700 Abhijit Bare wrote:
>
>One other technique I used - I save the raw file in "K12 text file" format
>using wireshark. I can then open text file in an editor and make all the
>changes. When going back to raw format, there is no "pcap" option to
>directly save. Not sure why not. In current wireshark, I saw "pcapng"
>(experimental) format. Save as pcapng and then save as pcap.
>
>Also remember that generally the checksums go bad after editing bytes.
>
>- Abhijit
>
>On Fri, Feb 26, 2010 at 12:00 PM, j.snelders <j.snelders@xxxxxxxxxx> wrote:
>
>> Hi Shashank,
>>
>> You can use HxD; a freeware hex and disk editor.
>>
>> You can download it here:
>> http://mh-nexus.de/en/hxd/
>>
>> Best regards
>> Joan
>>
>> On Fri, 26 Feb 2010 19:24:09 +0100 Jaap Keuter wrote:
>> >Hi,
>> >
>> >Sounds you could use a true hex editor. You'll have to target the byte
>by
>> >hand,
>> >but you seem to know what you're looking for.
>> >
>> >Thanks,
>> >Jaap
>> >
>> >Shashank Agarwal wrote:
>> >> Hi,
>> >> How can I modify a specific byte using WireShark or any of its tools.
>> I
>> >
>> >> tried bit-twiste, tcprewrite, tcpreplay-edit, but to no avail. These
>> >> tools provide predefined and limited editing capability like editing
>the
>> >
>> >> IP address or TCP port or changing timestamp etc.
>> >> E.g. I have the hex bytes from an ethernet broadcast packet -
>> >> ff  ff  ff  ff  ff  ff  00  0b  20  40  15  6d  19  02  40 ......
>> >> First six bytes is dest. address, next 6 bytes is source address, "19
>>
>> >> 02" is packet type and the 15th byte (0x40) contains a flag. I want
>to
>> >
>> >> turn on the second bit in this 15th byte. Essentially replacing 0x40
>> >> with 0x42.
>> >> Which tool can help me with this modification in the pcap file?
>> >>
>> >> Thanks





___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
            mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe