This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Using tcprewrite seed only with source IP

0

Hi, I use tcprewrite command to randomize the IPs of different pcaps:

tcprewrite --seed=$RANDOM --infile=a.pcap --outfile=B.pcap

This changes the IPs of both source and destination. Is there any way I can limit this change to source IPs or destination IPs alone and not both?

asked 12 Feb '14, 01:52


rorolia


2 Answers:

2

I don't think it is possible. Also, the source address in one packet is the destination address in the answer packet, so keeping only half and replacing the other doesn't make any sense I think.

If you're not bound to Linux tools and need more control over your replacements check out TraceWrangler.

answered 12 Feb '14, 02:01


Jasper ♦♦

And of course tcprewrite isn't part of the Wireshark suite, so you may get more focused help over at the help specifically for that application.

(12 Feb '14, 02:04) grahamb ♦

The problem of source IP becoming dest IP can be solved if the rewrite is occurring only on src IPs in the case of request packets and dest IPs in the case of response packets.

(12 Feb '14, 02:07) rorolia

In the case of UDP (and other protocols), how do you identify what is a request and what is a response packet, who is 'client' and who is 'server', as there is no session establishment protocol like the TCP 3-way handshake?

(12 Feb '14, 02:21) Kurt Knochner ♦

As long as you know the subnets in your capture file, you could use --pnat instead of --seed:

Changing Networks via Pseudo-NAT, Source/Destination IP Map

Pseudo-NAT works very much like network address translation. It allows you to map IP addresses in one subnet to IP addresses in another subnet. Each source and destination subnet is expressed in CIDR notation, and needn't be the same size. You can specify multiple CIDR pairs and use the --pnat flag twice if you use a cache file. The format is: <match_cidr>:<rewrite_cidr>,...

$ tcprewrite --pnat=10.0.0.0/8:172.16.0.0/12,192.168.0.0/16:172.16.0.0/12 --infile=input.pcap --outfile=output.pcap --skipbroadcast

would rewrite any IP in either 10.0.0.0/8 or 192.168.0.0/16 to be in the 172.16.0.0/12 subnet. You could also rewrite IPs differently depending on the direction of the packet:

$ tcprewrite --pnat=10.0.0.0/8:192.168.0.0/24 --pnat=10.0.0.0/8:192.168.1.0/24 --cachefile=input.cache --infile=input.pcap --outfile=output.pcap --skipbroadcast

would cause traffic in 10.0.0.0/8 to be remapped to different subnets depending on the classification of the node as client or server. The result is that both source and destination IPs will be remapped properly to maintain the session.

Alternatively to the --pnat option you can use --srcipmap and/or --dstipmap to apply different rules to the source and destination IP addresses in packets. --srcipmap and --dstipmap work just like --pnat and use the same <match_cidr>:<rewrite_cidr>,... format.

(12 Feb '14, 02:21) Kurt Knochner ♦

0

I am not sure if this is what you want. I used to change source IP to something else or destination IP to something else. And, this is how I am doing it.


tcprewrite --srcipmap=a.a.a.a/32:c.c.c.c/32 --infile=file1.pcap --outfile=file1_temp.pcap
tcprewrite --srcipmap=b.b.b.b/32:d.d.d.d/32 --infile=file1_temp.pcap --outfile=file1_new.pcap

request:
a.a.a.a(src),b.b.b.b(dst) -> c.c.c.c(src),b.b.b.b(dst)
response:
b.b.b.b(src),a.a.a.a(dst) -> d.d.d.d(src),a.a.a.a(dst)


tcprewrite --dstipmap=a.a.a.a/32:d.d.d.d/32 --infile=file2.pcap --outfile=file2_temp.pcap
tcprewrite --dstipmap=b.b.b.b/32:c.c.c.c/32 --infile=file2_temp.pcap --outfile=file2_new.pcap

request:
a.a.a.a(src),b.b.b.b(dst) -> a.a.a.a(src),c.c.c.c(dst)
response:
b.b.b.b(src),a.a.a.a(dst) -> b.b.b.b(src),d.d.d.d(dst)

answered 12 Feb '14, 02:53


hunghoong
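As an added illustration (not code from this thread or from tcprewrite itself), the following Python models the <match_cidr>:<rewrite_cidr> mapping behind --pnat, --srcipmap and --dstipmap discussed in the comment above and in this answer, and checks whether a rewrite kept request and reply addresses consistent. It assumes the host bits outside the rewrite prefix are preserved, and works on constructed (src, dst) tuples rather than a real pcap.

```python
import ipaddress

def parse_map(spec):
    """Parse '<match_cidr>:<rewrite_cidr>,...' into (match_net, rewrite_net) pairs."""
    pairs = []
    for item in (spec or "").split(","):
        if not item:
            continue
        match_cidr, rewrite_cidr = item.split(":")
        pairs.append((ipaddress.ip_network(match_cidr, strict=False),
                      ipaddress.ip_network(rewrite_cidr, strict=False)))
    return pairs

def remap(ip, pairs):
    """Rewrite ip with the first matching pair. Assumed model: the host bits
    outside the rewrite prefix are kept, so 10.1.2.3 -> 172.16.0.0/12 gives 172.17.2.3."""
    addr = ipaddress.ip_address(ip)
    for match_net, rewrite_net in pairs:
        if addr in match_net:
            host_bits = (1 << (addr.max_prefixlen - rewrite_net.prefixlen)) - 1
            new = (int(rewrite_net.network_address) & ~host_bits) | (int(addr) & host_bits)
            return str(ipaddress.ip_address(new))
    return str(addr)  # no rule matched: address left untouched

def rewrite_packets(packets, srcipmap=None, dstipmap=None, pnat=None):
    """packets: list of (src, dst). pnat touches both sides; srcipmap/dstipmap one side each."""
    src_pairs = parse_map(pnat or srcipmap)
    dst_pairs = parse_map(pnat or dstipmap)
    return [(remap(s, src_pairs), remap(d, dst_pairs)) for s, d in packets]

def mapping_is_consistent(original, rewritten):
    """True if every original address was replaced by exactly one new address,
    whether it appeared as source or destination (what keeps replies matching requests)."""
    seen = {}
    for (s0, d0), (s1, d1) in zip(original, rewritten):
        for old, new in ((s0, s1), (d0, d1)):
            if seen.setdefault(old, new) != new:
                return False
    return True

# Constructed sample: one request and its reply, both hosts inside 10.0.0.0/8.
PACKETS = [("10.1.2.3", "10.9.9.9"), ("10.9.9.9", "10.1.2.3")]

if __name__ == "__main__":
    half = rewrite_packets(PACKETS, srcipmap="10.0.0.0/8:172.16.0.0/12")
    full = rewrite_packets(PACKETS, pnat="10.0.0.0/8:172.16.0.0/12")
    print(half, mapping_is_consistent(PACKETS, half))  # reply no longer answers the request
    print(full, mapping_is_consistent(PACKETS, full))  # both directions remapped together
```

Mapping only one side with --srcipmap is exactly the case Jasper warns about: the consistency check fails because 10.9.9.9 is left alone as a destination but rewritten as a source.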