Hello, I need to modify a pcap file. For example, I need to edit the IP address, timestamp, URL, ... fields. How can I do it? Do I have to write a new software application, or is one available in the network? Thanks Paolino
asked 17 Feb '12, 05:25 Paolino edited 26 Feb '12, 20:37 cmaynard ♦♦
6 Answers:
What you need are tools that are usually used for anonymization and/or packet replay of trace files. You might want to take a look at tcprewrite, bittwiste, pktanon and other tools. You can also download the Sharkfest 2011 presentation (A-11) I did at the retrospective page: http://sharkfest.wireshark.org/sharkfest.11/index.html
Update: since 2013, you can also use TraceWrangler.
answered 17 Feb '12, 05:31 Jasper ♦♦ edited 18 Mar '15, 01:58
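The kind of rewrite the anonymization tools in the answer above perform, as an added example that is not part of the original thread and is not code from any of those tools: it maps IPv4 addresses, shifts timestamps and recomputes the IPv4 header checksum in a classic pcap file using only the Python standard library. The function names, the constructed sample capture and its documentation-range addresses are assumptions; pcapng files are rejected, and TCP/UDP checksums, which also cover the addresses, are not recomputed.

```python
import ipaddress
import struct

def ip_checksum(header: bytes) -> int:
    """RFC 1071 ones'-complement checksum over an IPv4 header."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def rewrite_pcap(data: bytes, ip_map: dict, ts_shift: int = 0) -> bytes:
    """Copy a classic Ethernet pcap, mapping IPv4 addresses and shifting timestamps."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None or len(data) < 24:
        raise ValueError("not a classic (microsecond) pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only link type 1 (Ethernet) is handled")
    out, off = bytearray(data[:24]), 24
    while off + 16 <= len(data):
        sec, usec, caplen, origlen = struct.unpack(endian + "4I", data[off:off + 16])
        pkt = bytearray(data[off + 16:off + 16 + caplen])
        if len(pkt) < caplen:
            raise ValueError("truncated packet record")
        off += 16 + caplen
        ihl = (pkt[14] & 0x0F) * 4 if len(pkt) > 14 else 0
        # Untagged IPv4 only; VLAN-tagged, IPv6 and short frames pass through unchanged.
        if 20 <= ihl <= len(pkt) - 14 and pkt[12:14] == b"\x08\x00" and pkt[14] >> 4 == 4:
            # Offsets 26 and 30 hold the source and destination addresses.
            hits = [p for p in (26, 30)
                    if str(ipaddress.IPv4Address(bytes(pkt[p:p + 4]))) in ip_map]
            for p in hits:
                old = str(ipaddress.IPv4Address(bytes(pkt[p:p + 4])))
                pkt[p:p + 4] = ipaddress.IPv4Address(ip_map[old]).packed
            if hits:  # header changed: zero the checksum field, then recompute it
                pkt[24:26] = b"\x00\x00"
                pkt[24:26] = struct.pack("!H", ip_checksum(bytes(pkt[14:14 + ihl])))
        out += struct.pack(endian + "4I", sec + ts_shift, usec, caplen, origlen) + pkt
    return bytes(out)

def sample_pcap() -> bytes:
    """Constructed one-packet capture: IPv4/UDP, 192.0.2.10 -> 198.51.100.7."""
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 1, 0, 64, 17, 0,
                               ipaddress.IPv4Address("192.0.2.10").packed,
                               ipaddress.IPv4Address("198.51.100.7").packed))
    ip[10:12] = struct.pack("!H", ip_checksum(bytes(ip)))
    frame = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + bytes(ip) + struct.pack("!4H", 5353, 53, 8, 0)
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + struct.pack("<4I", 1329456300, 0, len(frame), len(frame)) + frame
```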
Try WireEdit (wireedit.com). You can edit any field on any network layer for supported protocols.
answered 15 Mar '15, 07:51 msukhar
If it's for a single packet and you want to edit some of the deeper application stuff, there's actually a custom compile option for Wireshark that enables you to do that within Wireshark itself. That is, in a manual compile you can add "--enable-packet-editor" when doing a ./configure, allowing you to edit the packet fields in the GUI after Wireshark has decoded them: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9234
The catch there is that it's per-packet, GUI-based, so if you need to change many headers you're much better off with the other tools suggested. Only advantage to this method is that you have the power of Wireshark's dissectors to decode down into the application-specific field values for editing.
answered 15 Mar '15, 10:43 Quadratic edited 15 Mar '15, 10:43
I use scapy (http://www.secdev.org/projects/scapy/). It's an extensible Python tool that can capture and modify packets. However, tcprewrite is also a great choice, albeit more limited.
answered 17 Mar '15, 12:22 howlingcat
If you want to write a new application, you can write a C# program using the Pcap.Net library.
answered 22 Apr '15, 23:23 Fateme
You can also use packet crafting libraries. I can recommend a library I'm developing: PcapPlusPlus. It's a C++ library where you can open a pcap file, parse and edit the packets in it and save them back to the pcap file. You didn't say which OS you'd like to use, but this library supports Windows, Linux and Mac OS.
answered 24 Jul '15, 14:40 seladb
Also, the last time I checked, edited packets could not be saved. So its use case was mainly to test how dissectors respond. Has that been changed since then and can edited packets be saved now?
Ah, that's a good point. I just tested it, and while it will let you edit and save, it won't reflect the actual edits in the new saved file.