This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

command to replace all different IP addresses in pcap file with single IP address

0

I have a pcap file which has multiple IP addresses. I want to replace those multiple IP addresses with a single address. Is there any command to do so?

asked 04 Mar '14, 02:20

shubhangi

edited 04 Mar '14, 02:32

grahamb ♦

One Answer:

0

Why do you want to replace all IP addresses with a single address? That would lead to a file with the IP talking to itself, which is not seen on networks and doesn't make any sense (except for localhost stuff, but you don't see that in a pcap usually).

If you want to replace IP addresses you can use tcprewrite, bittwiste or TraceWrangler.

answered 04 Mar '14, 02:42

Jasper ♦♦

Sorry, I mean I want to replace multiple SOURCE IP addresses with a single SOURCE IP address using tcprewrite. Can you help me out?

(04 Mar '14, 03:59) shubhangi

Hm.. that can lead to 'collisions' if different clients (different IPs) are using the same source port to one destination address. The resulting capture file will be useless, as you cannot distinguish the former differing streams.

So, why do you want to do that?

(04 Mar '14, 09:43) Kurt Knochner ♦

Not to mention most protocols are bi-directional, so you'd change from this:

A->B B->A A->B B->A

To this:

C->B B->A C->B B->A

(or C->A and C->B depending on whether all source addresses are changed or not)

Kinda silly. :)

(04 Mar '14, 10:16) Hadriel
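
A pre-rewrite check for the two problems raised in the comments above (streams colliding on the same source port, and replies no longer pairing with requests), as an added example that is not part of the original thread. It assumes the packets have already been reduced to `(src, sport, dst, dport)` tuples of a single transport protocol; the function names and the sample addresses (documentation ranges) are constructed for illustration.

```python
from collections import defaultdict

def conv_key(pkt):
    """Direction-independent conversation key: both endpoints, sorted."""
    src, sport, dst, dport = pkt
    return tuple(sorted([(src, sport), (dst, dport)]))

def rewrite(pkt, clients, new_ip, fix_replies=True):
    """Replace client addresses with new_ip. With fix_replies=False only the
    source field changes, so replies keep the old client as destination."""
    src, sport, dst, dport = pkt
    if src in clients:
        src = new_ip
    if fix_replies and dst in clients:
        dst = new_ip
    return (src, sport, dst, dport)

def _ambiguous(pairs):
    """Group (key, value) pairs; keep keys that map to more than one value."""
    groups = defaultdict(set)
    for key, value in pairs:
        groups[key].add(value)
    return {k: v for k, v in groups.items() if len(v) > 1}

def merged_streams(packets, clients, new_ip, fix_replies=True):
    """Rewritten conversations that now contain several original streams."""
    return _ambiguous((conv_key(rewrite(p, clients, new_ip, fix_replies)),
                       conv_key(p)) for p in packets)

def split_streams(packets, clients, new_ip, fix_replies=True):
    """Original streams whose two directions no longer share one key."""
    return _ambiguous((conv_key(p),
                       conv_key(rewrite(p, clients, new_ip, fix_replies)))
                      for p in packets)

# Constructed sample: two clients reuse source port 40000 towards one server,
# a third client uses 40001. Each stream has a request and a reply.
SERVER = "198.51.100.5"
CLIENTS = {"192.0.2.10": 40000, "192.0.2.11": 40000, "192.0.2.12": 40001}
PACKETS = [p for ip, port in CLIENTS.items()
           for p in ((ip, port, SERVER, 80), (SERVER, 80, ip, port))]
NEW_IP = "203.0.113.1"

if __name__ == "__main__":
    for key, originals in merged_streams(PACKETS, set(CLIENTS), NEW_IP).items():
        print("collision:", key, "<-", sorted(originals))
    broken = split_streams(PACKETS, set(CLIENTS), NEW_IP, fix_replies=False)
    print("streams split by source-only rewrite:", len(broken))
```

An empty result from both functions means the rewrite keeps every original stream distinguishable and bidirectional.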