Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-users: Re: [Wireshark-users] How to edit a specific byte in a pcap file ?

From: "j.snelders" <j.snelders@xxxxxxxxxx>
Date: Sun, 28 Feb 2010 09:08:26 +0100
Hi Abhijit,

After editing the file, use Save As and "quotes" to save the file as .pcap
file:
"outfile.pcap"

I've tested Notepad and UltraEdit.

Best regards
Joan

On: Sat, 27 Feb 2010 09:14:46 -0700 Abhijit Bare wrote:
>
>One other technique I used - I save the raw file in "K12 text file" format
>using wireshark. I can then open text file in an editor and make all the
>changes. When going back to raw format, there is no "pcap" option to
>directly save. Not sure why not. In current wireshark, I saw "pcapng"
>(experimental) format. Save as pcapng and then save as pcap.
>
>Also remember that generally the checksums go bad after editing bytes.
>
>- Abhijit
>
>On Fri, Feb 26, 2010 at 12:00 PM, j.snelders <j.snelders@xxxxxxxxxx> wrote:
>
>> Hi Shashank,
>>
>> You can use HxD; a freeware hex and disk editor.
>>
>> You can download it here:
>> http://mh-nexus.de/en/hxd/
>>
>> Best regards
>> Joan
>>
>> On Fri, 26 Feb 2010 19:24:09 +0100 Jaap Keuter wrote:
>> >Hi,
>> >
>> >Sounds you could use a true hex editor. You'll have to target the byte
>by
>> >hand,
>> >but you seem to know what you're looking for.
>> >
>> >Thanks,
>> >Jaap
>> >
>> >Shashank Agarwal wrote:
>> >> Hi,
>> >> How can I modify a specific byte using WireShark or any of its tools.
>> I
>> >
>> >> tried bit-twiste, tcprewrite, tcpreplay-edit, but to no avail. These
>> >> tools provide predefined and limited editing capability like editing
>the
>> >
>> >> IP address or TCP port or changing timestamp etc.
>> >> E.g. I have the hex bytes from an ethernet broadcast packet -
>> >> ff  ff  ff  ff  ff  ff  00  0b  20  40  15  6d  19  02  40 ......
>> >> First six bytes is dest. address, next 6 bytes is source address, "19
>>
>> >> 02" is packet type and the 15th byte (0x40) contains a flag. I want
>to
>> >
>> >> turn on the second bit in this 15th byte. Essentially replacing 0x40
>> >> with 0x42.
>> >> Which tool can help me with this modification in the pcap file?
>> >>
>> >> Thanks