
Bittwiste: pcap Capture File Editor (by Joke Snelders)

Bit-Twist contains two programs:
• bittwist.exe: the pcap based Ethernet packet generator
• bittwiste.exe: the pcap capture file editor

Bittwiste can currently edit fields in the Ethernet, ARP, IP, ICMP, TCP and UDP headers.

Here you can download the latest development release of Bit-Twist for Windows.

The next steps are:
• unzip bittwist-win-1.1.zip
• copy bittwiste.exe to C:/WINDOWS/system32

You need Cygwin to run bittwiste under Windows.
Cygwin is:
• a collection of tools which provide a Linux look and feel environment for Windows.
• a DLL (cygwin1.dll) which acts as a Linux API layer providing substantial Linux API functionality.

If you do not have Cygwin installed on your Windows machine or if you do not want to install Cygwin, you can also follow these steps:
• download and unzip cygwin1.zip (cygwin1.zip contains cygwin1.dll)
• copy cygwin1.dll to C:/WINDOWS/system32.

In this article I will show you how to replace port numbers, IP addresses and MAC addresses.
Continue reading, download the sample file and follow along.

[Screenshot Bittwiste-h: the output of bittwiste -h]

Replace IP addresses
You can download the sample file http.pcap here.

This file contains 3 IP addresses:
192.168.108.2
192.168.108.128
64.186.152.93

Use these options to replace 192.168.108.128 (old IP address) with 10.0.0.128 (new IP address):

-I input file
-O output file
-T edit the specified header
-s source IP address; specify the old and new IP addresses
-d destination IP address; specify the old and new IP addresses

$ bittwiste -I http.pcap -O http_m1.pcap -T ip -s 192.168.108.128,10.0.0.128 -d 192.168.108.128,10.0.0.128

The source and destination IP addresses have been replaced.
In the Packet Details pane you can see that bittwiste has also recalculated the IP, TCP and UDP checksums.
But the ARP packets still contain the old IP address, 192.168.108.128.
So move on to the next step to replace these addresses in the ARP header.

[Screenshot Bittwiste_ip01: http_m1.pcap with the replaced IP addresses and recalculated checksums]


Use these options to replace the IP addresses in the ARP header:

-I input file
-O output file
-T edit the specified header
-p sender IP address; specify the old and new IP addresses
-q target IP address; specify the old and new IP addresses

$ bittwiste -I http_m1.pcap -O http_m2.pcap -T arp -p 192.168.108.128,10.0.0.128 -q 192.168.108.128,10.0.0.128

[Screenshot Bittwiste_arp02: http_m2.pcap with the IP addresses replaced in the ARP header]
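As an added example (not from the article and not part of Bit-Twist), here is a small Python rewriter that does the work of the two commands above on a classic pcap: it swaps the old IPv4 address for the new one in the IP header and in the ARP sender/target fields, then refreshes the IPv4 and TCP/UDP checksums the way bittwiste does. The sample capture, the function names and the second MAC address (00:50:56:f1:c2:d3) are constructed for the demonstration; the IP addresses, ports and the first MAC address mirror the article's.

```python
import struct

def inet_checksum(data: bytes) -> int:  # one's-complement sum used by IPv4, TCP and UDP; 0 means "verifies"
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def rewrite_frame(pkt: bytearray, old: bytes, new: bytes) -> None:
    if pkt[12:14] == b"\x08\x06" and len(pkt) >= 42:   # ARP: sender IP @28, target IP @38 (-T arp -p/-q)
        for at in (28, 38):
            if pkt[at:at + 4] == old:
                pkt[at:at + 4] = new
        return
    if pkt[12:14] != b"\x08\x00" or len(pkt) < 34:      # not IPv4: leave the frame untouched
        return
    ihl = (pkt[14] & 0x0F) * 4
    for at in (26, 30):                                 # IPv4 src @26, dst @30 (-T ip -s/-d)
        if pkt[at:at + 4] == old:
            pkt[at:at + 4] = new
    pkt[24:26] = b"\x00\x00"                            # refresh the IPv4 header checksum
    pkt[24:26] = struct.pack("!H", inet_checksum(bytes(pkt[14:14 + ihl])))
    proto, l4 = pkt[23], 14 + ihl
    seg = pkt[l4:14 + struct.unpack("!H", pkt[16:18])[0]]   # copy of the TCP/UDP segment
    csum_at = {6: 16, 17: 6}.get(proto)                 # checksum offset inside TCP / UDP
    if csum_at is not None and len(seg) >= csum_at + 2: # TCP/UDP only; ICMP needs no L4 fix
        seg[csum_at:csum_at + 2] = b"\x00\x00"          # pseudo-header must use the new addresses
        pseudo = bytes(pkt[26:34]) + struct.pack("!BBH", 0, proto, len(seg))
        csum = inet_checksum(pseudo + bytes(seg)) or (0xFFFF if proto == 17 else 0)
        pkt[l4 + csum_at:l4 + csum_at + 2] = struct.pack("!H", csum)

def rewrite_pcap(data: bytes, old_ip: str, new_ip: str) -> bytes:
    endian = "<" if data[3] == 0xA1 else ">"            # classic pcap only (not pcapng)
    old, new = (bytes(map(int, ip.split("."))) for ip in (old_ip, new_ip))
    out, off = bytearray(data[:24]), 24                 # global header is copied unchanged
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        pkt = bytearray(data[off + 16:off + 16 + incl_len])
        rewrite_frame(pkt, old, new)
        out += data[off:off + 16] + pkt
        off += 16 + incl_len
    return bytes(out)

def sample_pcap() -> bytes:  # constructed stand-in for http.pcap: a DNS query over UDP, then an ARP request
    udp = bytes.fromhex("005056f1c2d3000c296182890800" "45000026000040004011" "0000c0a86c80c0a86c02"
                        "d6dd0035" "00120000" "12340100000000000000")      # 192.168.108.128 -> .2, port 55005 -> 53
    arp = bytes.fromhex("ffffffffffff000c296182890806" "0001080006040001" "000c29618289" "c0a86c80"
                        "000000000000" "c0a86c02")                         # who has .2? tell 192.168.108.128
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)       # little-endian, LINKTYPE_ETHERNET
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in (udp, arp))
```

The constructed sample carries zeroed checksums, which the rewrite recomputes; inet_checksum returning 0 over a header that still includes its stored checksum is the quick way to confirm the recalculation afterwards.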


Note
The following command will replace all source IP addresses with 10.0.0.128 and all destination IP addresses with 10.0.0.2.

$ bittwiste -I http.pcap -O http_m3.pcap -T ip -s 10.0.0.128 -d 10.0.0.2

[Screenshot Bittwiste_ip03: http_m3.pcap with all source and destination IP addresses replaced]


Replace MAC addresses
Replace source and destination MAC addresses:
$ bittwiste -I http_m2.pcap -O http_m3.pcap -T eth -s 00:0c:29:61:82:89,00:11:22:DD:EE:FF -d 00:0c:29:61:82:89,00:11:22:DD:EE:FF

Replace MAC addresses in the ARP header:
$ bittwiste -I http_m3.pcap -O http_m4.pcap -T arp -s 00:0c:29:61:82:89,00:11:22:AA:BB:CC -t 00:0c:29:61:82:89,00:11:22:AA:BB:CC

[Screenshot Bittwiste_04: http_m4.pcap with the replaced MAC addresses]


Replace port numbers
TCP header
$ bittwiste -I http_m4.pcap -O http_m5.pcap -T tcp -s 1047,5047 -d 1047,5047
$ bittwiste -I http_m5.pcap -O http_m6.pcap -T tcp -s 1048,5048 -d 1048,5048

UDP header
$ bittwiste -I http_m6.pcap -O http_m7.pcap -T udp -s 53,530 -d 53,530
$ bittwiste -I http_m7.pcap -O http_m8.pcap -T udp -s 55005,5000 -d 55005,5000

[Screenshot Bittwiste_05: http_m8.pcap with the replaced TCP and UDP port numbers]


Decode As
Looking at packets 3 and 4 you notice that they are no longer decoded as DNS.
This is because port number 53 has been changed to 530.

Use the following to decode the traffic on port 530 again as DNS:
• right-click packet 3
• select Decode As... from the context menu
• select DNS
• hit Apply to see the result.

[Screenshot Bittwiste_06: the Decode As dialog with port 530 decoded as DNS]


Happy Modifying :)

Author Profile - My name is Joke (pronounced \yo-kə\ or Joan for those who do not speak Dutch). During the day, I work as a secretary for a non-profit organization providing assisted living for mentally handicapped people in the south of The Netherlands. In my spare time I like to use Wireshark. I find it interesting and necessary to monitor my home network to see what is going on. As a user I like to answer questions at the Wireshark Mailing List.

What is in it for me? Well, I learn a great deal whenever I try to solve real-world problems. I am also a member of the NGN (the Dutch Network User's Group). I write articles about how to use Wireshark and the command line tools. And if there is still some spare time left, I like to go biking in the woods near my hometown with my husband and fellow geek.
