This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hi!

I wonder if it is possible for Wireshark (or any compatible extension for Win7) to modify the packets being sent to the server based on some conditions (like checking the POST field value and taking action upon that)?

For example, when sending an application/x-www-form-urlencoded with a field like "login=user", is there a way to script it to change that to something like "login=otheruser"?

asked 19 Apr '12, 10:56

detariael


No, there isn't any way to do that.

Wireshark is an application for passively capturing network traffic, and the mechanisms it uses for capturing network traffic do not offer any ability to "edit" network traffic sent by or received by the machine on which it's running.

You'd have to find another tool to do that.

answered 19 Apr '12, 11:19

Guy Harris ♦♦

No. Wireshark is a packet analyzer, not a packet generator. See the Wiki page on tools for some traffic generators that might help you.

answered 19 Apr '12, 11:22

grahamb ♦
A traffic generator might not help here, if the goal is to modify traffic sent by the machine on the fly. There may be tools that can insert themselves into the networking stack (meaning they'll need a kernel-mode driver) and do that sort of rewriting - but that sort of rewriting is a bit difficult, as it involves changing the size of a TCP segment.

(19 Apr '12, 12:21) Guy Harris ♦♦
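
The point in the comment above about the TCP segment changing size, as an added example that is not part of the original thread: rewriting the question's `login=user` field lengthens the request, so the Content-Length header has to be fixed and every later sequence and acknowledgment number on the connection has to be shifted. The sample request, the `SeqTranslator` class and all names are constructed for illustration, and sequence-number wraparound in the comparisons is not handled.

```python
from urllib.parse import parse_qsl, urlencode

# Constructed sample request (not captured traffic).
SAMPLE = (b"POST /login HTTP/1.1\r\n"
          b"Host: example.test\r\n"
          b"Content-Type: application/x-www-form-urlencoded\r\n"
          b"Content-Length: 10\r\n\r\n"
          b"login=user")


def rewrite_form_field(request: bytes, field: str, value: str) -> bytes:
    """Return the request with one form field replaced and Content-Length fixed."""
    head, body = request.split(b"\r\n\r\n", 1)
    pairs = [(k, value if k == field else v)
             for k, v in parse_qsl(body.decode("ascii"), keep_blank_values=True)]
    new_body = urlencode(pairs).encode("ascii")
    lines = [b"Content-Length: %d" % len(new_body)
             if line.lower().startswith(b"content-length:") else line
             for line in head.split(b"\r\n")]
    return b"\r\n".join(lines) + b"\r\n\r\n" + new_body


class SeqTranslator:
    """Bookkeeping an in-path rewriter needs once a payload changes length."""

    def __init__(self, edit_end_seq: int, delta: int):
        self.edit_end_seq = edit_end_seq  # original seq just past the edited segment
        self.delta = delta                # rewritten length minus original length

    def outbound_seq(self, seq: int) -> int:
        # Later client bytes sit `delta` further along in the stream the server sees.
        if seq >= self.edit_end_seq:
            return (seq + self.delta) % 2**32
        return seq

    def inbound_ack(self, ack: int) -> int:
        # The server ACKs rewritten bytes; the client expects its own numbering.
        if ack >= self.edit_end_seq + self.delta:
            return (ack - self.delta) % 2**32
        return ack


if __name__ == "__main__":
    new = rewrite_form_field(SAMPLE, "login", "otheruser")
    delta = len(new) - len(SAMPLE)
    print(new.decode("ascii"))
    print("segment grew by", delta, "bytes")
```

A capture-only tool never has to do this bookkeeping, while an HTTP proxy avoids it by terminating the client's TCP connection and opening its own to the server.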

It sounds like what you are asking for is a general purpose man-in-the-middle security attack tool! Wireshark will not even show you the HTTP packets if they are going over HTTPS, as should be the case for anything for which the user identity makes a difference. (OK, Wireshark will decrypt the packets if you know the private key of the server's SSL/TLS certificate and capture the entire handshake.) If you control the browser being used, you can edit the values on the fly with a browser plugin.

answered 19 Apr '12, 16:45

inetdog

It's HTTP only, so SSL encryption is not a problem in that case. Your comment about trying browser plugins is interesting though, I'll look into that (I'm not sure, however, if there is one that'd let me modify the content of a POST request sent through Flash, but maybe I'm dead wrong)!

(19 Apr '12, 16:48) detariael

Going a little far afield for this forum, but try Charles Proxy which inserts itself as a man-in-the-middle HTTP proxy and can do scripted modification, or a tool like TamperData or Firebug in the browser. Only the Proxy approach can guarantee capturing the traffic originating within Flash, IMHO.

(19 Apr '12, 16:51) inetdog