I want to alter the xml/pdml file, and then reload it in Wireshark and resave it as a pcap file. Is this at all possible?

asked 08 Jul '11, 07:11 ROCKSTARARTIST
One Answer:
I don't think it is possible with the Wireshark tools, but I might be mistaken. But if you're trying to alter an xml/pdml file just to modify a pcap trace that you already have, I would recommend avoiding the export to text and reimporting it - instead, I'd go for tools that can modify pcaps directly. I've shown a couple of tools in my talk at Sharkfest this year, so you can look the presentation (A-11) up in the review section here: http://sharkfest.wireshark.org/sharkfest.11/index.html

If you're trying to modify layers beyond the transport layer those tools won't help you though; in that case you're probably going to have to edit them with a hex/text editor.

answered 08 Jul '11, 08:11 Jasper ♦♦ edited 08 Jul '11, 08:13
Thank you for your answer and for linking an informative presentation. Unfortunately I am trying to modify layers beyond TCP/IP, and the majority of the tools that I have found do not assist me in that regard, and I am trying to avoid the hex/text editor approach. I am taking a look at SCAPY, which is a Python PCAP editor that allows you to describe your own layers... we will see how that goes.
Besides scapy, you might also want to look into netexpect and packetfu. Packetfu was just presented at Sharkfest '11 by Tod Beardsley of the Metasploit project. Tod's presentation is listed as the "A-3 PacketFu by Example" presentation at the Sharkfest '11 retrospective page that Jasper referenced above.
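
Added example, not part of the thread and not code from Wireshark, Scapy or PacketFu: a standard-library Python sketch of editing the layer above TCP directly in a classic pcap, which also recomputes the TCP checksum the edit invalidates. The function names and the one-packet sample capture are constructed for illustration, and it assumes Ethernet/IPv4/TCP frames and same-length edits.

```python
import struct  # added example: names and sample data are illustrative assumptions

def csum(b: bytes) -> int:  # RFC 1071 Internet checksum
    b += b"\0" * (len(b) % 2)
    s = sum(struct.unpack("!%dH" % (len(b) // 2), b))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def edit_frame(frame: bytes, edit) -> bytes:
    """Apply edit() to the TCP payload of an Ethernet/IPv4/TCP frame; pass others through."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4 or frame[23] != 6:
        return frame
    tcp = 14 + (frame[14] & 0x0F) * 4                  # start of TCP header
    end = 14 + struct.unpack("!H", frame[16:18])[0]    # end of IP datagram (excludes padding)
    if struct.unpack("!H", frame[20:22])[0] & 0x3FFF or end > len(frame) or tcp + 20 > end:
        return frame                                   # IP fragment or snaplen-truncated
    pay = tcp + (frame[tcp + 12] >> 4) * 4             # start of application data
    if not tcp + 20 <= pay <= end:
        return frame                                   # malformed TCP data offset
    new = edit(frame[pay:end])
    if len(new) != end - pay:
        raise ValueError("length change would also need IP length and seq/ack fixups")
    seg = bytearray(frame[tcp:pay] + new)
    seg[16:18] = b"\0\0"                               # zero checksum field, then recompute
    pseudo = frame[26:34] + struct.pack("!BBH", 0, 6, len(seg))
    seg[16:18] = struct.pack("!H", csum(pseudo + bytes(seg)))
    return frame[:tcp] + bytes(seg) + frame[end:]

def rewrite_pcap(data: bytes, edit) -> bytes:
    """Rewrite every record of a classic (not pcapng) Ethernet pcap held in memory."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if order is None or struct.unpack(order + "I", data[20:24])[0] != 1:
        raise ValueError("expected a classic pcap with linktype 1 (Ethernet)")
    out, pos = bytearray(data[:24]), 24
    while pos + 16 <= len(data):
        sec, usec, incl, orig = struct.unpack(order + "4I", data[pos:pos + 16])
        frame = edit_frame(data[pos + 16:pos + 16 + incl], edit)
        out += struct.pack(order + "4I", sec, usec, len(frame), orig) + frame
        pos += 16 + incl
    return bytes(out)

def sample_pcap() -> bytes:
    """Constructed one-packet capture: made-up addresses, checksums zero in the input."""
    body = b"POST /login HTTP/1.1\r\n\r\nuser=alice&pass=hunter2"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(body), 1, 0, 64, 6, 0, b"\xc0\x00\x02\x01", b"\xc0\x00\x02\x02")
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 1, 1, 0x50, 0x18, 8192, 0, 0)
    frame = b"\x02" * 12 + b"\x08\x00" + ip + tcp + body
    rec = struct.pack("<4I", 0, 0, len(frame), len(frame)) + frame
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + rec
```

Calling `rewrite_pcap(sample_pcap(), lambda p: p.replace(b"hunter2", b"XXXXXXX"))` scrubs the credential from the sample before the trace is shared; the result opens in Wireshark with a valid TCP checksum.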