Easy Packet Modification for Real World Testing
Whether in network troubleshooting or in security investigations, network packets play an important role. Typically, these professionals need to analyze packets to uncover important information. In some other cases, though, it is useful to be able to modify packets. This is particularly important for a NEM (Network Equipment Manufacturer) when performing network testing, or when sanitizing a pcap before distributing it to the public or to other organizations. In this blog, we will describe a powerful and useful technique for packet modification and explain why it is both interesting and challenging in the real world.
There are many tools for modifying packets. Some of these are open source and some are commercial. Most of the tools allow a user to make changes to a packet or a group of packets by specifying some parameters either in the command line or in the GUI. While this works for some network scenarios for which the tools are designed, the particular tools are often not applicable in other scenarios at all.
At CapStar, we believe that the ever-changing real world will present many challenging network scenarios where the problem involves analyzing packets or modifying packets. Instead of creating a tool that works for only some limited cases, CapStar is designed to be open and flexible so it can be effective in networking scenarios that were not even thought of a few years ago. To date, CapStar has created 200 scripts for packet analysis and dozens of scripts for packet modification for the CapStar Packet Analyzer platform. Users can either use or tweak the existing ones, create new ones, or ask CapStar to create scripts for them (we are always happy to hear new requirements).
What can CapStar do with respect to modifying packets? Let's first look at modifying the server ports of packets in a pcap file. Here, the challenge is that one doesn't want to blindly change all the destination ports to a new port number. Instead, we want to change the ports in a consistent way: for the packets sent to the server, we need to change the destination port; for the packets sent from the server, we need to change the source port to the new server port.
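The direction-aware rewrite described above, as an added example that is not CapStar's script or part of the original post: a standard-library Python function for untagged Ethernet/IPv4 frames that picks the port field by direction and patches the TCP/UDP checksum incrementally (RFC 1624). The function names, the sample frame and its addresses and ports are constructed for illustration.

```python
import struct

# Constructed sample: client 192.0.2.10:49152 -> server 198.51.100.5:80, TCP SYN.
SAMPLE = bytes.fromhex(
    "020000000002020000000001" "0800"                        # Ethernet
    "4500002800014000" "40064e8c" "c000020a" "c6336405"      # IPv4
    "c0000050" "00000001" "00000000" "50022000" "e34d0000")  # TCP

def csum_update(csum, old_word, new_word):
    """RFC 1624 incremental update: HC' = ~(~HC + ~m + m')."""
    s = (~csum & 0xFFFF) + (~old_word & 0xFFFF) + new_word
    s = (s & 0xFFFF) + (s >> 16)
    s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def l4_checksum_ok(frame):
    """Recompute the TCP/UDP checksum in full (needs an untruncated frame)."""
    l4 = 14 + (frame[14] & 0x0F) * 4
    seg = frame[l4:14 + struct.unpack("!H", frame[16:18])[0]]
    data = frame[26:34] + struct.pack("!BBH", 0, frame[23], len(seg)) + seg
    data += b"\x00" * (len(data) % 2)
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return s == 0xFFFF

def rewrite_server_port(frame, server_ip, old_port, new_port):
    """Change the server's port in either direction; other frames pass through."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":    # untagged IPv4 only
        return frame
    l4, proto = 14 + (frame[14] & 0x0F) * 4, frame[23]
    frag_off = struct.unpack("!H", frame[20:22])[0] & 0x1FFF
    csum_off = l4 + (16 if proto == 6 else 6)
    if proto not in (6, 17) or frag_off or len(frame) < csum_off + 2:
        return frame                      # no TCP/UDP header present in this frame
    server = bytes(int(octet) for octet in server_ip.split("."))
    sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
    to_server = frame[30:34] == server and dport == old_port
    from_server = frame[26:30] == server and sport == old_port
    if not (to_server or from_server):
        return frame                      # e.g. another host that also uses old_port
    port_off = l4 + 2 if to_server else l4    # dst port toward server, src port from it
    out = bytearray(frame)
    struct.pack_into("!H", out, port_off, new_port)
    (csum,) = struct.unpack("!H", frame[csum_off:csum_off + 2])
    if proto == 6 or csum:                # UDP checksum 0 means "not computed"
        new_csum = csum_update(csum, old_port, new_port)
        struct.pack_into("!H", out, csum_off, new_csum or (0xFFFF if proto == 17 else 0))
    return bytes(out)
```

Because the checksum is updated incrementally, the rewrite also works on frames truncated by a capture snap length; IPv6 and VLAN-tagged frames pass through unchanged.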
Such a consistent rewrite is not necessarily easy for many other tools that can change one packet at a time, but it is trivial for CapStar: