This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How can I modify a value within the 802.11 header of a captured packet?

0
1

I would like to change some byte values in the 802.11 header of a captured packet and then SAVE the new modified packet. I did some research and found some programs that modify a PCAP file but these programs cannot change values in the 802.11 header and/or the program does not allow the user to save the modified frame.

I also tried the following:

  1. Use tshark to convert the PCAP file to text
  2. Modify the text file
  3. Use text2pcap to convert the text back to PCAP

However, text2pcap expects the text file to be in Ethernet 802.3 format and not 802.11. Using text2pcap would then remove all the modifications made in the 802.11 section.

asked 07 May '15, 11:58

Amato_C


2 Answers:

2

Use a hex editor.

answered 07 May '15, 13:29

Roland

2

In Wireshark 1.12 and later, the packet editor feature is enabled by default, although it's currently only in the GTK+ version, not the Qt version.

Select "Edit Packet" from the Edit menu, and it'll pop up the currently-selected packet in a new window.

Open up the 802.11 protocol and double-click the field you want to edit, and modify the hex bytes you want to change.

The "Save" menu item in the File menu should let you overwrite the file you have open; the "Save As" menu item in the File menu should let you save the new version to a different file. If you try to quit Wireshark, it should let you save the modified file.

Note that this is a somewhat experimental feature, so you may run into bugs, but I've successfully used it on a couple of occasions. If you find any bugs, please report them on the Wireshark Bugzilla (rather than reporting them here).

answered 07 May '15, 14:37

Guy Harris ♦♦

edited 07 May '15, 14:42

That feature is greyed out. Below is the Wireshark version I am using:

Version 1.12.4 (v1.12.4-0-gb4861da from master-1.12)

Compiled (32-bit) with GTK+ 2.24.23, with Cairo 1.10.2, with Pango 1.34.0, with GLib 2.38.0, with WinPcap (4_1_3), with libz 1.2.5, with SMI 0.4.8, with c-ares 1.9.1, with Lua 5.2, without Python, with GnuTLS 3.2.15, with Gcrypt 1.6.2, with MIT Kerberos, with GeoIP, with PortAudio V19-devel (built Mar 4 2015), with AirPcap.

Running on 32-bit Windows 7 Service Pack 1, build 7601, with WinPcap version 4.1.3 (packet.dll version 4.1.0.2980), based on libpcap version 1.0 branch 1_0_rel0b (20091008), GnuTLS 3.2.15, Gcrypt 1.6.2, without AirPcap

(07 May '15, 17:56) Amato_C

The feature is also greyed out on my Ubuntu machine:

Version 1.12.4

Compiled (64-bit) with GTK+ 3.10.8, with Cairo 1.13.1, with Pango 1.36.3, with GLib 2.40.2, with libpcap, with libz 1.2.8, with POSIX capabilities (Linux), with libnl 1, with SMI 0.4.8, with c-ares 1.10.0, with Lua 5.2, without Python, with GnuTLS 2.12.23, with Gcrypt 1.5.3, with MIT Kerberos, with GeoIP, with PortAudio V19-devel (built Feb 25 2014 21:09:53), without AirPcap.

Running on Linux 4.0.0-040000-generic, with locale en_US.UTF-8, with libpcap version 1.5.3, with libz 1.2.8, GnuTLS 2.12.23, Gcrypt 1.5.3.

(08 May '15, 07:07) Amato_C
1

Check the preferences setting, Preferences > User Interface > "Enable Packet Editor (Experimental)".

(12 May '15, 10:18) grahamb ♦

@grahamb = That worked! I can now edit in Wireshark. Thanks!

(12 May '15, 11:39) Amato_C