I often run across capture data that would make excellent teaching aids, but (for obvious reasons) I am not allowed to use "real customer" data for such purposes. Does anyone know of a pcap editor that would allow me to do things like arbitrary search-and-replace of IP/MAC addresses, obfuscate URLs (like changing "GET /real/file/path/here.htm" to "GET /dead/beef/feed/blah.htm"), and the like? I REALLY don't want to break out the old binary file editor...

asked 06 Nov '10, 22:45 wesmorgan1
One Answer:
For the Ethernet, IP, and TCP portions, you can use "bittwist". The only thing it can't handle is dot1q headers. So for that, I actually just use UltraEdit (or any other hex capable editor) to nuke the dot1q header. I can't help you on munging the HTTP part, though.

answered 07 Nov '10, 09:06 hansangb
I think bittwiste (note the 'e' at the end) is what Hansang is referring to. See bittwist.sourceforge.net for both Bittwist and Bittwiste information.
I'd avoid a binary file editor, but consider a hex editor - if you don't care about the checksums being recalculated you can do some search/replace operations throughout the trace file and catch the IP addresses embedded past the IP header as well.
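Added example (not from any of the posts above, and not Bittwist's code): a standard-library Python rewrite of IPv4 addresses in a capture that also repairs the IPv4 and TCP/UDP checksums, using the RFC 1624 incremental update, so the sanitized trace does not show the checksum errors a raw hex search/replace leaves behind. It assumes a classic pcap file (not pcapng) with untagged Ethernet frames; `inet_sum`, `csum_fix`, `rewrite_pcap` and `sample_pcap` are names chosen here, and the sample packet is constructed.

```python
import socket, struct

def inet_sum(b):
    """Folded 16-bit one's-complement sum (the Internet checksum before inversion)."""
    b = bytes(b) + b"\x00" * (len(b) % 2)
    s = sum(struct.unpack(f">{len(b) // 2}H", b))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return s

def csum_fix(cur, old, new):
    """RFC 1624 incremental update, HC' = ~(~HC + ~m + m'), for a changed 4-byte address."""
    inv_old = bytes(x ^ 0xFF for x in old)
    return ~inet_sum(struct.pack(">H", ~cur & 0xFFFF) + inv_old + new) & 0xFFFF

def rewrite_pcap(data, mapping):
    """Swap IPv4 addresses in a classic Ethernet pcap and repair IP/TCP/UDP checksums."""
    table = {socket.inet_aton(k): socket.inet_aton(v) for k, v in mapping.items()}
    endian = "<" if data[:4] in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1") else ">"
    out, pos = bytearray(data[:24]), 24  # copy the 24-byte global header unchanged
    while pos + 16 <= len(data):
        caplen = struct.unpack_from(endian + "I", data, pos + 8)[0]
        hdr, pkt = data[pos:pos + 16], bytearray(data[pos + 16:pos + 16 + caplen])
        pos += 16 + caplen
        if len(pkt) >= 34 and pkt[12:14] == b"\x08\x00":  # untagged IPv4 only
            proto, l4 = pkt[23], 14 + (pkt[14] & 0x0F) * 4
            fields = [24]  # offset of the IPv4 header checksum
            if proto in (6, 17) and not struct.unpack_from(">H", pkt, 20)[0] & 0x1FFF:
                fields.append(l4 + (16 if proto == 6 else 6))  # TCP/UDP checksum, first fragment
            for off in (26, 30):  # source, destination address
                old = bytes(pkt[off:off + 4])
                if old in table:
                    pkt[off:off + 4] = table[old]
                    for c in fields:
                        cur, udp = int.from_bytes(pkt[c:c + 2], "big"), c != 24 and proto == 17
                        if c + 2 <= len(pkt) and not (udp and cur == 0):  # captured, and checksum in use
                            new = csum_fix(cur, old, table[old])
                            pkt[c:c + 2] = (0xFFFF if udp and new == 0 else new).to_bytes(2, "big")
        out += hdr + pkt
    return bytes(out)

def sample_pcap():  # constructed one-packet capture: 10.1.2.3 -> 192.0.2.80, TCP carrying an HTTP GET
    src, dst = bytes([10, 1, 2, 3]), bytes([192, 0, 2, 80])
    tcp = bytearray(struct.pack(">HHIIBBHHH", 49152, 80, 1, 1, 0x50, 0x18, 8192, 0, 0) + b"GET / HTTP/1.1\r\n\r\n")
    tcp[16:18] = struct.pack(">H", ~inet_sum(src + dst + struct.pack(">BBH", 0, 6, len(tcp)) + tcp) & 0xFFFF)
    ip = bytearray(struct.pack(">BBHHHBBH", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0) + src + dst)
    ip[10:12] = struct.pack(">H", ~inet_sum(ip) & 0xFFFF)
    frame = bytes(12) + b"\x08\x00" + ip + tcp
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + struct.pack("<4I", 0, 0, len(frame), len(frame)) + frame
```

Only the addresses in the IPv4 header are rewritten; addresses embedded in the payload (and URLs in the HTTP part) are left as they are and need a separate pass.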