Wireshark-users: Re: [Wireshark-users] modifying strings in SSL streams possible, how?

From: Miroslav Rovis <miro.rovis@xxxxxxxxxxxxxxxxx>
Date: Mon, 31 Oct 2016 19:53:54 +0100
I should have said in the title that also strings in plain TCP I need to
modify...

The below is for that second case. Solved, I think.

On 161028-07:19+0200, Miroslav Rovis wrote:
> Hi!
> 
> That is the short question. The strings would include passwords, serial
> numbers, and other.
> 
> I like to use my (simple) program https://github.com/miroR/uncenz to
> document what happened, and I want to keep the traces as intact as
> possible without endangering myself of course but publishing stuff that
> needs not be public.
For that reason, I don't want too much changed, but just the critical
pieces... 
> I had even installed [can't remember now the package name] with the
> binary replay, but that program is used for more than just modifying
> traces, and I wasn't able to figure out how to do it, without investing
> more time than I have yet had for that purpose.
I remembered, actually found that program, at:
https://wiki.wireshark.org/Tools
It's tcpreplay:
http://tcpreplay.synfin.net/
(but read on)
> If anybody can give us a quicker way to learn how to do it, they will be
> appreciated!

I've done a little research. And I just don't see that tcprewrite or
tcpreplay-edit (apparently similar, somewhat overlapping the two) of the
tcpreplay program... I just don't see that these could modify strings
*inside* SSL streams... Maybe there is not such a thing that can do that
in the whole of *nixdom?

But while tcprewrite can rewrite PCAP files, and, in my case, has to
change DLT (data link type), else it can not modify my PCAPs, I think for
what I need to modify, such as some serials, some MACs, Perl can do a
perfect job! And much better. In a perfect way!

First the source (lots of, but this one the simplest and very much to
the point):
http://www.atrixnet.com/in-line-search-and-replace-in-files-with-real-perl-regular-expressions/
where find:
perl -p -i -e 's/change this/to that/g' file1 file2 file3...

I checked it, it works perfectly!

I thought I'd share this since there surely are Wireshark users who will
find this useful!

But again, if anybody knows how strings *inside* SSL can be modified,
pls do tell us!

Regards!
-- 
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr

Attachment: signature.asc
Description: Digital signature
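
Added example, not part of the original message: a record-aware way to mask a sensitive string in a classic pcap file before publishing it, in Python. It replaces the string with an equal-length filler inside packet records only, so the pcap global header and per-record length fields stay valid; the function names, sample payloads and the secret are constructed for illustration.

```python
import struct

# Classic pcap magic (microsecond timestamps) mapped to struct byte order.
PCAP_MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}

def redact_pcap(data, secret, fill=b"X"):
    """Mask every occurrence of `secret` inside packet records with an
    equal-length run of `fill`; returns (new_bytes, number_of_hits)."""
    endian = PCAP_MAGICS.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    mask = (fill * len(secret))[:len(secret)]   # same length as the secret
    out = bytearray(data[:24])                  # 24-byte global header, verbatim
    pos, hits = 24, 0
    while pos < len(data):
        hdr = data[pos:pos + 16]                # ts_sec, ts_usec, incl_len, orig_len
        if len(hdr) < 16:
            raise ValueError("truncated record header")
        incl_len = struct.unpack(endian + "IIII", hdr)[2]
        body = data[pos + 16:pos + 16 + incl_len]
        if len(body) < incl_len:
            raise ValueError("truncated packet record")
        hits += body.count(secret)
        out += hdr + body.replace(secret, mask) # record header is never rewritten
        pos += 16 + incl_len
    return bytes(out), hits

def build_sample_pcap(payloads):
    """Constructed sample: little-endian pcap, DLT 1, raw bytes as records."""
    blob = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, p in enumerate(payloads):
        blob += struct.pack("<IIII", 1477940034 + i, 0, len(p), len(p)) + p
    return blob

if __name__ == "__main__":
    sample = build_sample_pcap([b"USER miro\r\n", b"PASS hunter2-SN12345\r\n"])
    clean, n = redact_pcap(sample, b"hunter2-SN12345")
    print("masked", n, "occurrence(s); size unchanged:", len(clean) == len(sample))
```

A string split across two packets is not matched, and masked payloads no longer agree with the TCP/IP checksums stored in the packet, so an analyzer with checksum validation enabled will flag those segments.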