Wireshark-users: Re: [Wireshark-users] How to Change Specific IP Src and/or Dst in Capture File?

From: Sake Blok <sake@xxxxxxxxxx>
Date: Mon, 21 Sep 2009 08:06:28 +0200
On Fri, Sep 18, 2009 at 11:47:26AM -0500, Richard wrote:
> 
>    I believe this has been asked before but I'm unable to find what I'm
>    looking for in the archives.  I would like to change the src or dst
>    address of just one conversation in a particular pcap capture file.  I've
>    looked at Bit-Twist and tcpwrite and they both appear to be an all or none
>    type of thing.  Can you tell me if I'm missing a particular argument in
>    one or both of those apps that will do what I want or if there's another
>    way.  I'm hoping there's another option other than filtering my
>    conversation, saving to a new file, making changes and then importing back
>    into the original file.  However, if that's my only option then that's
>    what I'll do.

I haven't used tcpreplay myself, but bittwiste can do it. If the hosts
of the conversation that you want to edit do not communicate with other
hosts, just to each other, you could use:

bittwiste -I infile.cap -O tmp.cap -T ip -s ip1,new-ip1 -d ip1,new-ip1
bittwiste -I tmp.cap -O outfile.cap -T ip -s ip2,new-ip2 -d ip2,new-ip2

If you want to keep the addresses ip1 and ip2 in other conversations,
you need to do some scripting:

tshark -r infile.cap -w conv.cap -R "ip.addr==ip1 && ip.addr==ip2"
tshark -r infile.cap -w other.cap -R "!(ip.addr==ip1 && ip.addr==ip2)"
bittwiste -I conv.cap -O tmp.cap -T ip -s ip1,new-ip1 -d ip1,new-ip1
bittwiste -I tmp.cap -O newconv.cap -T ip -s ip2,new-ip2 -d ip2,new-ip2
mergecap -w outfile.cap other.cap newconv.cap

Hope this helps,
Cheers,
    Sake
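
Added example, not part of Sake's message: a single-pass alternative to the split, rewrite and merge pipeline above, written in standard-library Python. It assumes a classic pcap file (not pcapng) with untagged Ethernet frames; the function names are hypothetical, and it goes beyond the thread by patching the IPv4 and TCP/UDP checksums incrementally (RFC 1624).

```python
import socket
import struct

def _fix_csum(frame, pos, old, new):
    """RFC 1624 incremental update of the 16-bit checksum at frame[pos:pos+2]."""
    total = ~struct.unpack_from("!H", frame, pos)[0] & 0xFFFF
    for o, n in zip(struct.unpack("!2H", old), struct.unpack("!2H", new)):
        total += (~o & 0xFFFF) + n
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    struct.pack_into("!H", frame, pos, ~total & 0xFFFF)

def _rewrite_frame(frame, ips):
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
        return  # not untagged Ethernet carrying IPv4
    src, dst = bytes(frame[26:30]), bytes(frame[30:34])
    if src not in ips or dst not in ips or src == dst:
        return  # belongs to another conversation: leave untouched
    l4 = 14 + (frame[14] & 0x0F) * 4
    first_frag = struct.unpack_from("!H", frame, 20)[0] & 0x1FFF == 0
    udp = frame[23] == 17
    # TCP/UDP checksums cover the addresses through the pseudo-header.
    l4_csum = {6: l4 + 16, 17: l4 + 6}.get(frame[23]) if first_frag else None
    if l4_csum and (l4_csum + 2 > len(frame) or
                    (udp and frame[l4_csum:l4_csum + 2] == b"\x00\x00")):
        l4_csum = None  # truncated by snaplen, or UDP checksum not in use
    for field, old in ((26, src), (30, dst)):
        frame[field:field + 4] = ips[old]
        _fix_csum(frame, 24, old, ips[old])  # IPv4 header checksum
        if l4_csum:
            _fix_csum(frame, l4_csum, old, ips[old])
    if l4_csum and udp and frame[l4_csum:l4_csum + 2] == b"\x00\x00":
        frame[l4_csum:l4_csum + 2] = b"\xff\xff"  # UDP sends computed 0 as 0xFFFF

def rewrite_conversation(pcap, mapping):
    """Apply {old_ip: new_ip} to a classic pcap (bytes), but only in IPv4
    packets whose source AND destination are both keys of mapping."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if order is None or struct.unpack_from(order + "I", pcap, 20)[0] != 1:
        raise ValueError("expected classic pcap with Ethernet link type")
    ips = {socket.inet_aton(k): socket.inet_aton(v) for k, v in mapping.items()}
    out, pos = bytearray(pcap[:24]), 24
    while pos + 16 <= len(pcap):
        incl = struct.unpack_from(order + "I", pcap, pos + 8)[0]
        frame = bytearray(pcap[pos + 16:pos + 16 + incl])
        _rewrite_frame(frame, ips)
        out += pcap[pos:pos + 16] + frame
        pos += 16 + incl
    return bytes(out)
```

Pass the capture's bytes and a two-entry mapping such as {"10.0.0.1": "192.0.2.1", "10.0.0.2": "192.0.2.2"} (constructed addresses); packet order and timestamps are preserved because nothing is split or merged. Addresses that appear inside payloads, for example in ICMP error messages or application data, are not rewritten.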