This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Editing the packet live?

0

Hi!

I wonder if it is possible for Wireshark (or any compatible extension for Win7) to modify the packets being sent to the server based on some conditions (like checking the POST field value and taking action upon that)?

For example, when sending an application/x-www-form-urlencoded with a field like "login=user", is there a way to script it to change that to something like "login=otheruser"?

asked 19 Apr '12, 10:56

detariael


3 Answers:

2

No, there isn't any way to do that.

Wireshark is an application for passively capturing network traffic, and the mechanisms it uses for capturing network traffic do not offer any ability to "edit" network traffic sent by or received by the machine on which it's running.

You'd have to find another tool to do that.

answered 19 Apr '12, 11:19

Guy Harris ♦♦

2

No. Wireshark is a packet analyzer, not a packet generator. See the Wiki page on tools for some traffic generators that might help you.

answered 19 Apr '12, 11:22

grahamb ♦

2

A traffic generator might not help here, if the goal is to modify traffic sent by the machine on the fly. There may be tools that can insert themselves into the networking stack (meaning they'll need a kernel-mode driver) and do that sort of rewriting - but that sort of rewriting is a bit difficult, as it involves changing the size of a TCP segment.

(19 Apr '12, 12:21) Guy Harris ♦♦
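To illustrate the size problem described in the comment above, here is an added example (not part of the original thread or of Wireshark). It rewrites one form field in a constructed HTTP POST and shows what else has to change as a result. The sample request, host name, sequence number and function names are all made up for the illustration.

```python
from urllib.parse import parse_qsl, urlencode

# Constructed sample: one HTTP POST carried whole in a single TCP segment.
SAMPLE_SEQ = 1000  # constructed sequence number of the segment's first byte
SAMPLE_REQUEST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 18\r\n"
    b"\r\n"
    b"login=user&lang=en"
)

def rewrite_form_field(request: bytes, field: str, value: str) -> bytes:
    """Replace one urlencoded form field and fix Content-Length to match."""
    head, sep, body = request.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("header block is incomplete in this segment")
    lines = head.split(b"\r\n")
    idx = next((i for i, line in enumerate(lines)
                if line.lower().startswith(b"content-length:")), None)
    # A segment-level rewriter only works if the whole body is in hand;
    # a request split across segments would first need TCP reassembly.
    if idx is None or int(lines[idx].split(b":", 1)[1].strip()) != len(body):
        raise ValueError("body is not fully contained in this segment")
    pairs = [(k, value if k == field else v)
             for k, v in parse_qsl(body.decode("ascii"), keep_blank_values=True)]
    new_body = urlencode(pairs).encode("ascii")
    lines[idx] = b"Content-Length: " + str(len(new_body)).encode("ascii")
    return b"\r\n".join(lines) + sep + new_body

def seq_shift(original: bytes, rewritten: bytes) -> int:
    """Byte delta that every later sequence number from the sender, and
    every ACK number coming back, would have to be adjusted by."""
    return len(rewritten) - len(original)

def next_seq(seq: int, payload: bytes) -> int:
    """Sequence number the receiver expects next (32-bit wraparound)."""
    return (seq + len(payload)) % 2**32

if __name__ == "__main__":
    new = rewrite_form_field(SAMPLE_REQUEST, "login", "otheruser")
    print(new.decode("ascii"))
    print("segment grew by", seq_shift(SAMPLE_REQUEST, new), "bytes")
    print("sender's next seq:  ", next_seq(SAMPLE_SEQ, SAMPLE_REQUEST))
    print("receiver's next seq:", next_seq(SAMPLE_SEQ, new))
```

The sender and receiver now disagree about the next sequence number for the rest of the connection, which is why this kind of rewriting is normally done by a proxy that terminates the TCP connection instead of by editing segments in place.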

1

It sounds like what you are asking for is a general purpose man-in-the-middle security attack tool! Wireshark will not even show you the HTTP packets if they are going over HTTPS, as should be the case for anything for which the user identity makes a difference. (OK, Wireshark will decrypt the packets if you know the private key of the server's SSL/TLS certificate and capture the entire handshake.) If you control the browser being used, you can edit the values on the fly with a browser plugin.

answered 19 Apr '12, 16:45

inetdog

It's HTTP only, so SSL encryption is not a problem in that case. Your comment about trying browser plugins is interesting though, I'll look into that (I'm not sure, however, if there is one that'd let me modify the content of a POST request sent through Flash, but maybe I'm dead wrong)!

(19 Apr '12, 16:48) detariael

Going a little far afield for this forum, but try Charles Proxy which inserts itself as a man-in-the-middle HTTP proxy and can do scripted modification, or a tool like TamperData or Firebug in the browser. Only the Proxy approach can guarantee capturing the traffic originating within Flash, IMHO.

(19 Apr '12, 16:51) inetdog