This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Can Replay be disabled in Wireshark? I need a version of Wireshark or I need to modify Wireshark so that packets cannot be replayed. Is this possible? If so, how?

asked 06 Mar '12, 10:41


Balthazar2007


Assuming you mean you want Wireshark to make a capture file non-replayable by a third party, I don't think there's a feature for that. If your pcap contains src and dst IPs, it can be replayed, so you simply need to anonymize your pcap to prevent replay to the actual endpoints (the anonymization rewrites the IPs). You can do that with a variety of packet-rewrite tools, including bittwiste or tcprewrite. For tcprewrite, see Randomizing IP addresses.


answered 06 Mar '12, 10:55


bstn

I can think of two mechanisms to prevent replaying VoIP/VTC, filtering and slicing.

  • Filtering. You can create a capture filter that will not capture VoIP/VTC traffic, but will capture all the rest for your intrusion analysis. However, it might be difficult to achieve this when random ports are used.
  • Slicing. You can slice off the RTP data by setting a snap length. You might want to try 96 which will keep the Ethernet, IP, TCP and UDP layer and a few bytes of payload, so reconstructing a VoIP or VTC call will not be possible anymore. However, you might also lose the information that you are after.

The best way to deal with this is to capture all traffic and make sure that only certain people are able to access the capture files. There will need to be trust in those people that the files will not be used for replaying. You can then discuss some procedures on how to access, filter and delete the data.


answered 06 Mar '12, 12:11


SYN-bit ♦♦

Basically: If someone can capture (and save) all the bits, then (obviously) there's enough to be able to decipher a conversation (assuming no encryption).

Blog entry on VOIP encryption

(06 Mar '12, 12:43) Bill Meier ♦♦
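The slicing option from the answer above, applied to a capture that already exists, as an added example that is not part of the original thread. The function names and the sample frame are constructed for illustration, and only little-endian classic pcap files are handled.

```python
import struct

GLOBAL = struct.Struct("<IHHiIII")  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD = struct.Struct("<IIII")     # ts_sec, ts_usec, incl_len, orig_len

def records(data):
    """Yield (ts_sec, ts_usec, orig_len, bytes) for each packet of a classic pcap."""
    off = GLOBAL.size
    while off < len(data):
        ts_sec, ts_usec, incl, orig = RECORD.unpack_from(data, off)
        off += RECORD.size
        yield ts_sec, ts_usec, orig, data[off:off + incl]
        off += incl

def slice_pcap(data, snaplen=96):
    """Return a copy of the capture with every packet cut to at most snaplen bytes."""
    magic, major, minor, zone, sigfigs, _, linktype = GLOBAL.unpack_from(data, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("example handles little-endian, microsecond pcap only")
    out = bytearray(GLOBAL.pack(magic, major, minor, zone, sigfigs, snaplen, linktype))
    for ts_sec, ts_usec, orig, pkt in records(data):
        kept = pkt[:snaplen]
        # incl_len shrinks, orig_len keeps the on-the-wire size for the analyst
        out += RECORD.pack(ts_sec, ts_usec, len(kept), orig) + kept
    return bytes(out)

def udp_payload_kept(pkt):
    """Bytes after the UDP header still present in an Ethernet/IPv4/UDP frame."""
    if len(pkt) < 34 or pkt[12:14] != b"\x08\x00" or pkt[23] != 17:
        return 0
    ihl = (pkt[14] & 0x0F) * 4
    return max(0, len(pkt) - (14 + ihl + 8))

def sample_pcap():
    """Constructed capture: one frame with a 12-byte RTP header and 160 media bytes."""
    eth = bytes.fromhex("020000000001020000000002") + b"\x08\x00"
    udp_len = 8 + 12 + 160
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    udp = struct.pack("!HHHH", 40000, 40002, udp_len, 0)
    rtp = struct.pack("!BBHII", 0x80, 0, 1, 160, 0x1234) + bytes(160)
    frame = eth + ip + udp + rtp
    return GLOBAL.pack(0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + \
        RECORD.pack(0, 0, len(frame), len(frame)) + frame

if __name__ == "__main__":
    for _, _, orig, pkt in records(slice_pcap(sample_pcap())):
        print(f"wire={orig} kept={len(pkt)} bytes_after_udp={udp_payload_kept(pkt)}")
```

For the constructed frame, 54 bytes after the UDP header survive a 96-byte cut: the 12-byte RTP header plus 42 of the 160 media bytes. Compare that figure with your codec's packet size when choosing a snap length.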

Wireshark doesn't have a "replay" (send packets from a capture file to the network) capability.

Please explain in a bit more detail what you are trying to disable.


answered 06 Mar '12, 10:49


Bill Meier ♦♦

My system is used for corporate communications and the bosses are afraid that someone could use Wireshark to reconstruct VoIP calls or TeleConferences and actually replay the conversations. I need Wireshark to help in investigating intrusion attempts/events. Is there a middle ground where I can still view packets but not be able to reconstruct an actual phone call or VTC?

(06 Mar '12, 11:32) Balthazar2007

question asked: 06 Mar '12, 10:41

question was seen: 2,397 times

last updated: 06 Mar '12, 12:44
