Re: [Wireshark-users] How to edit a specific byte in a pcap file ?

From: Abhijit Bare <abhibare@xxxxxxxxx>
Date: Mon, 1 Mar 2010 11:10:26 -0700
Thanks! Good information for next time...

On Sun, Feb 28, 2010 at 2:22 AM, j.snelders <j.snelders@xxxxxxxxxx> wrote:
Hi Abhijit,

You can use bittwiste to edit the file and recalculate the checksums.
Bittwiste  can  currently  edit  Ethernet,  ARP, IP, ICMP, TCP, and UDP
      headers. If run with the -X flag, you can append your own payload
      any  of  these  headers;  specified using the -L and -T flag. Bittwiste
      will, if not run with the -C flag, recalculate the  checksums  for
      ICMP,  TCP,  and  UDP  packets, except for the last fragment of a
      mented IP datagram; bittwiste does not currently support checksum
      rection  for the last fragment of a fragmented IP datagram.

$ bittwiste -I test.pcap -O test_outfile.pcap -T ip -s,
input file: test.pcap
output file: test_outfile.pcap

138 packets (119763 bytes) written

Best regards

On Sat, 27 Feb 2010 09:14:46 -0700 Abhijit Bare wrote:
>One other technique I used - I save the raw file in "K12 text file" format
>using wireshark. I can then open text file in an editor and make all the
>changes. When going back to raw format, there is no "pcap" option to
>directly save. Not sure why not. In current wireshark, I saw "pcapng"
>(experimental) format. Save as pcapng and then save as pcap.
>Also remember that generally the checksums go bad after editing bytes.
>- Abhijit
>On Fri, Feb 26, 2010 at 12:00 PM, j.snelders <j.snelders@xxxxxxxxxx> wrote:
>> Hi Shashank,
>> You can use HxD; a freeware hex and disk editor.
>> You can download it here:
>> Best regards
>> Joan
>> On Fri, 26 Feb 2010 19:24:09 +0100 Jaap Keuter wrote:
>> >Hi,
>> >
>> >Sounds you could use a true hex editor. You'll have to target the byte
>> >hand,
>> >but you seem to know what you're looking for.
>> >
>> >Thanks,
>> >Jaap
>> >
>> >Shashank Agarwal wrote:
>> >> Hi,
>> >> How can I modify a specific byte using WireShark or any of its tools.
>> I
>> >
>> >> tried bit-twiste, tcprewrite, tcpreplay-edit, but to no avail. These
>> >> tools provide predefined and limited editing capability like editing
>> >
>> >> IP address or TCP port or changing timestamp etc.
>> >> E.g. I have the hex bytes from an ethernet broadcast packet -
>> >> ff  ff  ff  ff  ff  ff  00  0b  20  40  15  6d  19  02  40 ......
>> >> First six bytes is dest. address, next 6 bytes is source address, "19
>> >> 02" is packet type and the 15th byte (0x40) contains a flag. I want
>> >
>> >> turn on the second bit in this 15th byte. Essentially replacing 0x40
>> >> with 0x42.
>> >> Which tool can help me with this modification in the pcap file?
>> >>
>> >> Thanks

