Wireshark Related : Option to take packet and modify contents - wireshark

Is there any option to capture a packet, e.g. HTTP, modify certain aspects of it (checksum validation False to True) and resend it using Wireshark?

Ettercap NG filters can do such a job properly; here is an example on the link.

I don't think that is possible using wireshark. Wireshark is a packet analyzer.
Perhaps iptables could help you there.

No, Wireshark doesn't do this. What you are looking for is Fiddler, which allows you to monitor HTTP traffic and "fiddle" with incoming or outgoing traffic. So you can capture HTTP traffic, modify it and resend.
Find it here: http://fiddler2.com/fiddler2/
Check out the demonstration videos for more info, especially:
Using the Fiddler AutoResponder
Replaying Modified Responses with AutoResponder

Try the free version of Colasoft ( http://www.colasoft.com/download/products/download_packet_builder.php ). The only hitch is you'll have to save the capture stream into a "xxx.cap" format, but no worries, Wireshark can handle it...

Related

modifying an existing RTP stream to play in VLC

I have an incoming RTP stream on one computer (called "server1") connected to another computer (called "client1") over a LAN. However, the Ethernet header (MACDA/MACSA), IPv4 header (IPDA/IPSA), and UDP header (dstport/srcport) for all of the packets belong to another network and different computers. Furthermore, the client computer did not request or initiate the stream. It is "just there"! :)
I am not interested in controlling (stopping, starting, track jumping, etc.) the stream. I just want to see and hear it in a VLC client.
I have complete control over the packets, so that I can change all of the header info as it leaves the server.
How can I modify the packets, so that VLC will play them? I can point VLC at my server, and I can mangle the packets, so they appear to have been sourced by the server and destined for the client. But, I do not know the destination port opened by VLC on the client. What am I missing?
Thanks!
I may not have the best answer, but here's a little something that might help...
"I was trying VLC player and it says, 'SDP required, cannot play RTP with dynamic payload type.' Is it possible to play RTP with dynamic payload type with another player, or somehow create an SDP description using libjitsi? Thanks a lot."
Reply:
"You need an SDP description.
I found on stackoverflow a minimal SDP description. Minimum SDP for making a H264 RTP stream?.
You can try to replace the IP address, port number and payload type by the ones you’re using, maybe that’ll work."

Edit tcp packets in pcap file

I need to make a tcpdump using Wireshark or tcpdump.
For some TCP streams in the log I need full packet info.
But for other TCP streams in the log I need to remove all info except the full URI info.
For this I am going to use regular expressions.
If the URI, http.request or http.response matches some of the regular expressions,
then I need to store the full TCP stream info.
If it doesn't match, then I need to remove all TCP stream info except the full URI info.
I need this to reduce the log size.
What tool do you advise for this?
Or maybe some PHP/Python library will be helpful to create a script that will filter the log?
tcpick and tcpxtract are two tools available to filter and extract information from a tcpdump file. They are both open-source and available at sourceforge.net. You will have to write your own routine for how and what information you would like to extract. tcpick is fairly flexible regarding what parts of a packet you can view/extract.
I use TraceWrangler in my projects, which, despite being beta, works very well. In addition to editing the L2/L3 headers, it allows sanitizing the packets.

How do I find what program initiated a download using wireshark?

I have a packet capture and I'm trying to find out which program a download was made with, where would I go in the packet to find this information?
Thanks all!
Instead of looking for answers within the packet, you may want to look at which port the download was done through. That could give you more information, and faster.
I assume you know the destination IP address from where the file is downloaded. If it's something that you can catch while it's happening, or you can trigger it, then you could use netstat to determine the PID of the program that is handling that socket after filtering the netstat output based on the destination IP address.
Then you could use ps on Linux or Task Manager on Windows to know which program has that PID.
On Windows: How to determine which program uses or blocks specific transmission control protocol ports in Windows
Alternatively, if the packet capture is all you've got and it's not a recurring event, then if the download was done via HTTP you could check the headers of the HTTP request for info about the client in the User-Agent header.
Hope it helps.
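Added example, not from any poster in these threads, covering both the pcap-reduction question above ("Edit tcp packets in pcap file") and the User-Agent suggestion in this answer. It is a standard-library-only Python script that reads a classic libpcap file, groups IPv4/TCP records into streams, copies in full every stream whose HTTP request URI matches one of the given regular expressions, and reduces all other streams to an index of (URI, User-Agent) pairs so the log shrinks but the request line and client identification survive. Assumptions: the input is a little-endian classic pcap (magic 0xa1b2c3d4) with Ethernet link type, which is what Wireshark writes when you choose the pcap format in Save As; pcapng is not handled. The sample frames, addresses (TEST-NET 192.0.2.0/24) and request lines are constructed for the demo. Request lines are matched per segment without TCP reassembly, so a request split across segments would be missed.

```python
import re
import socket
import struct

# Classic libpcap layout (little-endian magic 0xa1b2c3d4, link type 1 = Ethernet).
PCAP_GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, vmaj, vmin, tz, sigfigs, snaplen, linktype
PCAP_REC_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len, orig_len
ETHERTYPE_IPV4 = 0x0800
REQUEST_LINE = re.compile(rb"^(?:GET|POST|PUT|DELETE|HEAD|OPTIONS) (\S+) HTTP/1\.[01]\r\n")
USER_AGENT = re.compile(rb"\r\nUser-Agent: ([^\r\n]*)", re.IGNORECASE)


def iter_records(pcap):
    """Yield (record_bytes, stream_key, tcp_payload) for each IPv4/TCP record.

    The key is the sorted pair of "ip:port" endpoints, so both directions of a
    connection fall into the same stream. Non-IPv4/TCP records are skipped.
    """
    magic, _, _, _, _, _, linktype = PCAP_GLOBAL_HDR.unpack_from(pcap, 0)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected a little-endian pcap with Ethernet link type")
    off = PCAP_GLOBAL_HDR.size
    while off + PCAP_REC_HDR.size <= len(pcap):
        _, _, incl_len, _ = PCAP_REC_HDR.unpack_from(pcap, off)
        rec_end = off + PCAP_REC_HDR.size + incl_len
        record = pcap[off:rec_end]          # header + frame, copied verbatim if kept
        frame = record[PCAP_REC_HDR.size:]
        off = rec_end
        if len(frame) < 54 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6:                      # IP protocol 6 = TCP
            continue
        total_len = struct.unpack_from("!H", ip, 2)[0]
        tcp = ip[ihl:total_len]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        payload = tcp[(tcp[12] >> 4) * 4:]  # data offset is the high nibble of byte 12
        a = "%s:%d" % (socket.inet_ntoa(ip[12:16]), sport)
        b = "%s:%d" % (socket.inet_ntoa(ip[16:20]), dport)
        yield record, tuple(sorted((a, b))), payload


def filter_pcap(pcap, patterns):
    """Return (reduced_pcap, index).

    Streams in which any request URI matches one of `patterns` are copied to the
    output in full. Every other stream is dropped from the pcap and survives only
    in `index`: stream key -> list of (uri, user_agent) requests seen in it.
    """
    compiled = [re.compile(p) for p in patterns]
    records = list(iter_records(pcap))
    requests = {}
    for _, key, payload in records:
        requests.setdefault(key, [])
        m = REQUEST_LINE.match(payload)
        if m:
            ua = USER_AGENT.search(payload)
            requests[key].append((m.group(1).decode("ascii", "replace"),
                                  ua.group(1).decode("ascii", "replace") if ua else None))
    keep = {k for k, reqs in requests.items()
            if any(c.search(uri) for uri, _ in reqs for c in compiled)}
    out = bytearray(pcap[:PCAP_GLOBAL_HDR.size])
    for record, key, _ in records:
        if key in keep:
            out += record
    index = {k: v for k, v in requests.items() if k not in keep}
    return bytes(out), index


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame for the demo; checksums stay zero, nothing is sent."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip)) + tcp
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip


def build_pcap(frames):
    """Wrap constructed frames in a classic pcap (global header + one record each)."""
    out = bytearray(PCAP_GLOBAL_HDR.pack(0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for i, frame in enumerate(frames):
        out += PCAP_REC_HDR.pack(i, 0, len(frame), len(frame)) + frame
    return bytes(out)


# Constructed sample capture: two HTTP exchanges and one non-HTTP (SSH banner) stream.
SAMPLE_PCAP = build_pcap([
    build_frame("10.0.0.5", "192.0.2.10", 51000, 80,
                b"GET /admin/login HTTP/1.1\r\nHost: app\r\nUser-Agent: curl/7.0\r\n\r\n"),
    build_frame("192.0.2.10", "10.0.0.5", 80, 51000, b"HTTP/1.1 200 OK\r\n\r\n"),
    build_frame("10.0.0.5", "192.0.2.10", 51001, 80,
                b"GET /static/logo.png HTTP/1.1\r\nUser-Agent: Mozilla/5.0\r\n\r\n"),
    build_frame("192.0.2.10", "10.0.0.5", 80, 51001, b"HTTP/1.1 200 OK\r\n\r\n"),
    build_frame("10.0.0.5", "192.0.2.9", 51002, 22, b"SSH-2.0-OpenSSH_9.0\r\n"),
])

if __name__ == "__main__":
    reduced, index = filter_pcap(SAMPLE_PCAP, [r"^/admin/"])
    print("kept %d records in full" % len(list(iter_records(reduced))))
    for key, reqs in index.items():
        print("reduced stream", key, "->", reqs)
```

With the pattern `^/admin/`, only the first stream is written to the reduced capture; the `/static/logo.png` stream is reduced to its URI plus the `Mozilla/5.0` User-Agent, and the SSH stream, having no request line, is recorded with an empty list. To use it on a real file, read the pcap bytes from disk, pass your own pattern list, and write `reduced` back out; the `index` dict is what you would serialize (e.g. as JSON) as the compact log.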

cocoaAsync: UDP sendto succeeds but Wireshark can't capture the data

I'm using cocoaAsync to handle UDP communication.
When I use the sendData API of cocoaAsync, I'm sure sendto succeeds, from the log. But I can't see any output data in Wireshark.
This is not 100% reproducible, but very probable.
I can't figure out what the problem could be.
Thanks very much for any tips.
If you are sure that you are sending the packets right, then the following can be possibilities:
If you are sending and receiving on the same machine then it is possible that your Wireshark does not capture. Try sending to a different destination than your machine.
Also there can be multiple network interfaces on your machine (e.g. eth0, eth1 etc.) for Wi-Fi and the network card. Please make sure you are capturing packets on the right interface. You can select the interface when you press the Capture button in Wireshark.
I hope this helps.

Localhost packet analyzer for Mac

Packet sniffers generally do not capture localhost traffic. I need to inspect some post data in a localhost environment (being generated from a Ruby on Rails development). Do you know of any programs that expose localhost packets?
I use Fiddler on my Windows box for HTTP sniffing. Since it's only looking at HTTP traffic you don't get nearly the amount of noise you get with something like Wireshark.
The trick to getting it to work with data sent and received locally is to use a different endpoint for your URLs. Using http://127.0.0.1./YourServiceName instead of http://localhost/YourServiceName has always worked for me. It's important to include the trailing 'dot' in the IP address. Don't ask me why though.
If you use Firefox, you could use the HTTP Logging feature:
https://developer.mozilla.org/en/HTTP_Logging
If you just change your address from localhost to an assigned IP address (like 192.168.12.34 or whatever you may have), your packet sniffer should be able to see the packets.
These packets probably do not exist. There is no reason to packetize data when it is not leaving the host. The data should just go from socket to socket.
You might use something like Instruments or Dtrace to monitor the send system call.
I'm a satisfied user of HTTPScoop: http://www.tuffcode.com/
It's similar to the HTTP traffic analyzer add-ons you'll see for Firefox etc., but works system-wide, which is convenient, and can be switched to observe any of your available network interfaces.
It is not free, nor does it observe HTTPS traffic, but other than that it's a worthwhile addition to your toolbox.