Thank you all first for this good job.
I want to make Wireshark show and save a false IP address in place of a real one. In other words, we assume that Wireshark is sniffing traffic between my PC (IP1) and a server (IP2).
So is there a manner, in a low level file for example (winpcap? because I'm on Windows, bad things...) where we can add something like this:
This way, all the IPs shown on the GUI interfaces, all the stored files, and all the filters will work on the new IP (the FalseIP) each time the RealIP is detected.
The problem is to know where to make these changes.
If someone can help me by sending me the file to change (or the files to change), it will be very hopeful and helpful.
Merry Christmas to everybody.
asked 07 Dec '13, 16:01
edited 08 Dec '13, 05:08
Sounds like you just need a tool to change IP addresses in a capture file. If so, please check tracewrangler, a tool of @Jasper.
IP address changes can be done with an anonymization task (see the docs).
answered 07 Dec '13, 16:58
Kurt Knochner ♦
You could take a look at pktanon. It uses XML files to set the replacement directives, and it is possible to pipe captured traffic from tcpdump through pktanon to disk. I've tried that for my 2011 Sharkfest talk. One of the last slides shows an example of how to do this.
answered 14 Dec '13, 11:21
I agree with you, Kurt. To change your IP address, you need to contact your ISP. You can't replace your real IP with a false IP without your ISP's knowledge. After changing your IP address, use Ip-details.com to check whether it gets modified or not.
answered 16 Dec '13, 04:26
"Could some one post the dumpcap.c modified with the right code to do this static change?"
Dumpcap receives the entire packet from libpcap and just adds pcap(ng) block headers and possibly trailers; it does not parse the packet data at all before writing it to a file or a pipe to be read by Wireshark or tshark, so you'd have to invent the code you want from scratch, e.g. read and modify the packet data before writing it out. The performance penalty is probably big, and dumpcap is supposed to be slim as it runs with privileges. As pointed out to you, you should probably try other security measures than trying to change IP addresses on the fly.
answered 16 Dec '13, 06:03
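As an added illustration of what the answers above recommend (post-processing a saved capture rather than patching dumpcap), here is a small Python script that is not code from any of the answers, from tracewrangler or from pktanon. It walks a classic little-endian pcap file, replaces IPv4 source/destination addresses according to a mapping, and recomputes the IPv4 header checksum and the TCP/UDP checksum, both of which embed the addresses and would otherwise be flagged as bad by Wireshark after the rewrite. The sample packet, the RFC 5737 documentation addresses and the replacement address are constructed for this example; pcapng input, IPv6, and addresses carried inside payloads (DNS answers, FTP PORT commands, SIP headers) are out of scope and are exactly the cases a dedicated anonymizer handles.

```python
import ipaddress
import struct

PCAP_MAGIC = 0xA1B2C3D4      # classic pcap, microsecond timestamps (read little-endian here)
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800


def ones_complement(data: bytes) -> int:
    """Internet checksum (RFC 1071) over data; folds to 0 when data already carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def rewrite_ipv4(frame: bytes, mapping: dict) -> bytes:
    """Copy of an Ethernet frame with IPv4 src/dst replaced per mapping (IPv4Address -> IPv4Address),
    IPv4 header checksum and TCP/UDP checksum recomputed. Non-IPv4 or unmapped frames come back unchanged."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return frame
    buf = bytearray(frame)
    ip = 14                                   # IPv4 header starts after the 14-byte Ethernet header
    ihl = (buf[ip] & 0x0F) * 4
    src = ipaddress.IPv4Address(bytes(buf[ip + 12:ip + 16]))
    dst = ipaddress.IPv4Address(bytes(buf[ip + 16:ip + 20]))
    if src not in mapping and dst not in mapping:
        return frame
    buf[ip + 12:ip + 16] = mapping.get(src, src).packed
    buf[ip + 16:ip + 20] = mapping.get(dst, dst).packed
    buf[ip + 10:ip + 12] = b"\x00\x00"        # zero, then recompute the IPv4 header checksum
    buf[ip + 10:ip + 12] = struct.pack("!H", ones_complement(bytes(buf[ip:ip + ihl])))
    # TCP (6) and UDP (17) checksums cover a pseudo-header containing both addresses,
    # so they must be recomputed too, or every rewritten segment shows up as corrupt.
    proto = buf[ip + 9]
    l4_start = ip + ihl
    l4_end = ip + struct.unpack("!H", buf[ip + 2:ip + 4])[0]
    if proto in (6, 17) and l4_end <= len(buf):   # skip if the capture truncated the packet
        csum_off = l4_start + (16 if proto == 6 else 6)
        if proto == 17 and buf[csum_off:csum_off + 2] == b"\x00\x00":
            return bytes(buf)                 # UDP checksum disabled by the sender: nothing to fix
        buf[csum_off:csum_off + 2] = b"\x00\x00"
        pseudo = bytes(buf[ip + 12:ip + 20]) + struct.pack("!BBH", 0, proto, l4_end - l4_start)
        csum = ones_complement(pseudo + bytes(buf[l4_start:l4_end])) or (0xFFFF if proto == 17 else 0)
        buf[csum_off:csum_off + 2] = struct.pack("!H", csum)
    return bytes(buf)


def rewrite_pcap(data: bytes, mapping: dict) -> bytes:
    """Walk a classic pcap file (24-byte global header, then 16-byte record headers) and rewrite each frame."""
    if struct.unpack("<I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("this example handles little-endian classic pcap only (no pcapng)")
    if struct.unpack("<I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("this example handles the Ethernet link type only")
    mapping = {ipaddress.IPv4Address(k): ipaddress.IPv4Address(v) for k, v in mapping.items()}
    out = bytearray(data[:24])
    pos = 24
    while pos + 16 <= len(data):
        caplen = struct.unpack("<I", data[pos + 8:pos + 12])[0]
        out += data[pos:pos + 16]             # record header (timestamp, lengths) is kept as-is
        out += rewrite_ipv4(data[pos + 16:pos + 16 + caplen], mapping)
        pos += 16 + caplen
    return bytes(out)


def build_sample_pcap(src: str = "192.0.2.10", dst: str = "198.51.100.20") -> bytes:
    """Constructed sample: a pcap holding one Ethernet/IPv4/UDP datagram with valid checksums."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    payload = b"constructed sample"
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0) + payload
    pseudo = s.packed + d.packed + struct.pack("!BBH", 0, 17, len(udp))
    udp = udp[:6] + struct.pack("!H", ones_complement(pseudo + udp) or 0xFFFF) + udp[8:]
    iph = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0, s.packed, d.packed)
    iph = iph[:10] + struct.pack("!H", ones_complement(iph)) + iph[12:]
    frame = bytes.fromhex("001122334455" "66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4) + iph + udp
    global_hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    record_hdr = struct.pack("<IIII", 0, 0, len(frame), len(frame))
    return global_hdr + record_hdr + frame


def frame_addrs(frame: bytes) -> tuple:
    """(src, dst) as dotted strings, read back from the IPv4 header of an Ethernet frame."""
    return str(ipaddress.IPv4Address(frame[26:30])), str(ipaddress.IPv4Address(frame[30:34]))


def checksums_valid(frame: bytes) -> bool:
    """True when both the IPv4 header checksum and the TCP/UDP checksum verify (sums fold to zero)."""
    ihl = (frame[14] & 0x0F) * 4
    l4 = frame[14 + ihl:14 + struct.unpack("!H", frame[16:18])[0]]
    pseudo = frame[26:34] + struct.pack("!BBH", 0, frame[23], len(l4))
    return ones_complement(frame[14:14 + ihl]) == 0 and ones_complement(pseudo + l4) == 0
```

To use it on a real file, read the capture into `data`, call `rewrite_pcap(data, {"RealIP": "FalseIP"})` and write the result to a new file; the sample-builder and the two validator functions exist so the rewrite can be checked offline. The rewrite deliberately works on a saved file and never on dumpcap's live path, which is the point made in the last answer: a separate, unprivileged pass is where this kind of parsing belongs.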