This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Edit PCAP file

0

Hello, I need to modify a pcap file. For example, I need to edit the IP address, timestamp, URL, ... fields. How can I do it? Do I have to write a new software application, or is one available in the network?

Thanks Paolino

asked 17 Feb '12, 05:25

Paolino
accept rate: 0%

edited 26 Feb '12, 20:37

cmaynard ♦♦


6 Answers:

1

What you need are tools that are usually used for anonymization and/or packet replay of trace files. You might want to take a look at tcprewrite, bittwiste, pktanon and other tools. You can also download the Sharkfest 2011 presentation (A-11) I did at the retrospective page:

http://sharkfest.wireshark.org/sharkfest.11/index.html

Update: since 2013, you can also use TraceWrangler.

answered 17 Feb '12, 05:31

Jasper ♦♦
accept rate: 18%

edited 18 Mar '15, 01:58

0

Try WireEdit (wireedit.com). You can edit any field on any network layer for supported protocols.

answered 15 Mar '15, 07:51

msukhar
accept rate: 0%

0

If it's for a single packet and you want to edit some of the deeper application stuff, there's actually a custom compile option for Wireshark that enables you to do that within Wireshark itself. That is, in a manual compile you can add "--enable-packet-editor" when doing a ./configure, allowing you to edit the packet fields in the GUI after Wireshark has decoded them: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9234

The catch there is that it's per-packet, GUI-based, so if you need to change many headers you're much better off with the other tools suggested. Only advantage to this method is that you have the power of Wireshark's dissectors to decode down into the application-specific field values for editing.

answered 15 Mar '15, 10:43

Quadratic
accept rate: 13%

edited 15 Mar '15, 10:43

Also, the last time I checked, edited packets could not be saved. So its use case was mainly to test how dissectors respond. Has that been changed since then and can edited packets be saved now?

(15 Mar '15, 12:05) SYN-bit ♦♦

Ah, that's a good point. I just tested it, and while it will let you edit and save it won't reflect the actual edits in the new saved file.

(15 Mar '15, 13:31) Quadratic

0

I use scapy (http://www.secdev.org/projects/scapy/). It's an extensible python tool that can capture and modify packets. However, tcprewrite is also a great choice, albeit more limited.

answered 17 Mar '15, 12:22

howlingcat
accept rate: 0%

0

If you want to write a new application, you can write a C# program using the Pcap.Net library.

answered 22 Apr '15, 23:23

Fateme
accept rate: 0%

0

You can also use packet crafting libraries. I can recommend a library I'm developing: PcapPlusPlus. It's a C++ library where you can open a pcap file, parse and edit the packets in it and save them back to the pcap file. You didn't say which OS you'd like to use, but this library supports Windows, Linux and Mac OS.

answered 24 Jul '15, 14:40

seladb
accept rate: 0%
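The kind of edit the question asks about (IP address and timestamp), shown as an added example that is not part of any answer above and is not code from the tools named in this thread. It uses only the Python standard library and assumes a classic microsecond pcap file (not pcapng) with untagged Ethernet frames; the function names and the sample capture are constructed for illustration.

```python
import socket
import struct

def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum over an IPv4 header."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def rewrite_pcap(data: bytes, ip_map: dict, time_shift: int = 0) -> bytes:
    """Return a copy of the capture with IPv4 addresses remapped and timestamps shifted."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic microsecond pcap file")
    if struct.unpack_from(endian + "I", data, 20)[0] != 1:
        raise ValueError("only LINKTYPE_ETHERNET (1) is handled")
    swap = {socket.inet_aton(k): socket.inet_aton(v) for k, v in ip_map.items()}
    out, pos = bytearray(data[:24]), 24          # global header is copied unchanged
    while pos + 16 <= len(data):
        sec, usec, incl, orig = struct.unpack_from(endian + "IIII", data, pos)
        pkt = bytearray(data[pos + 16:pos + 16 + incl])
        pos += 16 + incl
        # Ethernet II + IPv4: source address at offset 26, destination at 30
        if len(pkt) >= 34 and pkt[12:14] == b"\x08\x00":
            ihl = (pkt[14] & 0x0F) * 4
            hits = [o for o in (26, 30) if bytes(pkt[o:o + 4]) in swap]
            if hits and 20 <= ihl <= len(pkt) - 14:
                for o in hits:
                    pkt[o:o + 4] = swap[bytes(pkt[o:o + 4])]
                # The header checksum covers the addresses, so zero and recompute it.
                # TCP/UDP checksums (pseudo-header) are NOT updated by this example.
                pkt[24:26] = b"\x00\x00"
                struct.pack_into("!H", pkt, 24, ipv4_checksum(bytes(pkt[14:14 + ihl])))
        out += struct.pack(endian + "IIII", (sec + time_shift) & 0xFFFFFFFF, usec, incl, orig)
        out += pkt
    return bytes(out)

def sample_pcap() -> bytes:
    """Constructed one-packet capture: 10.0.0.1 -> 10.0.0.2, bare IPv4 header, no payload."""
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 1, 0, 64, 253, 0,
                               socket.inet_aton("10.0.0.1"), socket.inet_aton("10.0.0.2")))
    struct.pack_into("!H", ip, 10, ipv4_checksum(bytes(ip)))
    frame = bytes(12) + b"\x08\x00" + bytes(ip)
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + struct.pack("<IIII", 1329456300, 0, len(frame), len(frame)) + frame
```

Packets whose addresses are not in `ip_map` are written back byte for byte, so an existing bad checksum in the original capture is preserved rather than silently repaired.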