Bittwiste: pcap Capture File Editor (by Joke Snelders)
Bit-Twist contains two programs: • bittwist.exe: the pcap based ethernet packet generator • bittwiste.exe: pcap capture file editor
More information -click here Bittwiste can currently edit fields in the Ethernet, ARP, IP, ICMP, TCP and UDP headers. Here you can download the latest development release of Bit-Twist for Windows. The next steps are: • unzip bittwist-win-1.1.zip • copy bittwiste.exe to C:/WINDOWS/system32 You need Cygwin to run bittwiste under Windows. Cygwin is: • a collection of tools which provide a Linux look and feel environment for Windows. • a DLL (cygwin1.dll) which acts as a Linux API layer providing substantial Linux API functionality. If you do not have Cygwin (click here) installed on your Windows machine or if you do not want to install Cygwin you can also follow these steps: • download and unzip cygwin1.zip (cygwin1.zip contains cygwin1.dll) • copy cygwin1.dll to C:/WINDOWS/system32.
In this article I will show you how to replace portnumbers, IP and MAC addresses. Continue reading, download the sample file and follow along.
Replace IP addresses You can download the sample file http.pcap here. This file contains 3 IP addresses: 192.168.108.2 192.168.108.128 22.214.171.124 Use these options to replace 192.168.108.128 (old IP address) with 10.0.0.128 (new IP address):
-I input file -O output file -T edit the specified header -s source IP address; specify the old and new IP addresses -d destination IP address; specify the old and new IP addresses
$ bittwiste -I http.pcap -O http_m1.pcap -T ip -s 192.168.108.128,10.0.0.128 -d 192.168.108.128,10.0.0.128 Click on the following screenshot to enlarge. The source and destination IP addresses have been replaced. You can see in the Packet Details pane, that bittwiste has also recalculate the IP, TCP and UDP checksums. But the ARP packets still contain the old IP address: 192.168.108.128. So move on to the next step to replace these addresses in the ARP header.
Use these options to replace the IP addresses in the ARP header:
-I input file -O output file -T edit the specified header -p sender IP address; specify the old and new IP addresses -q target IP address; specify the old and new IP addresses
$ bittwiste -I http_m1.pcap -O http_m2.pcap -T arp -p 192.168.108.128,10.0.0.128 –q 192.168.108.128,10.0.0.128
Note The following command will replace all source IP addresses with 10.0.0.128 and all destination IP addresses with 10.0.0.2. $ bittwiste -I http.pcap -O http_m3.pcap -T ip –s 10.0.0.128 –d 10.0.0.2
Replace MAC addresses Replace source and destination MAC addresses: $ bittwiste -I http_m2.pcap -O http_m3.pcap -T eth -s 00:0c:29:61:82:89,00:11:22:DD:EE:FF -d 00:0c:29:61:82:89,00:11:22:DD:EE:FF Replace MAC addresses in the ARP header: $ bittwiste -I http_m3.pcap -O http_m4.pcap -T arp -s 00:0c:29:61:82:89,00:11:22:AA:BB:CC -t 00:0c:29:61:82:89,00:11:22:AA:BB:CC
Replace port numbers TCP header $ bittwiste -I http_m4.pcap -O http_m5.pcap -T tcp -s 1047,5047 -d 1047,5047 $ bittwiste -I http_m5.pcap -O http_m6.pcap -T tcp -s 1048,5048 -d 1048,5048 UDP header $ bittwiste -I http_m6.pcap -O http_m7.pcap -T udp -s 53,530 -d 53,530 $ bittwiste -I http_m7.pcap -O http_m8.pcap -T udp -s 55005,5000 -d 55005,5000
Decode As: Looking at packets 3 and 4 you notice, that they are not decoded as DNS anymore. This is due to the change of port number 53 to 530. Use the following to decode the traffic on port 530 again as DNS: • right-click packet 3 • select Decode As... from the context menu • select DNS • hit Apply to see the result.
Author Profile - My name is Joke (pronounced \yo-kə\ or Joan for those who do not speak Dutch). During the day, I work as a secretary for a non-profit organization providing assisted living for mentally handicapped people in the south of The Netherlands. In my spare time I like to use Wireshark. I find it interesting and necessary to monitor my home network to see what is going on. As a user I like to answer questions at the Wireshark Mailing List.
What is in it for me? Well, I learn a great deal whenever I try to solve real-world problems. I am also a member of the NGN (the Dutch Network User's Group). I write articles about how to use Wireshark and the command line tools. And if there is still some spare time left, I like to go biking in the woods near my hometown with my husband and fellow geek.