There are a couple ways to edit the hex of a packet capture. For this scenario, let’s say we want to change all instances of broadcast address 255.255.255.255 in our dhcp.pcap to something else. Let’s choose 255.0.255.0 because it’s a funny-looking broadcast address. In hex, this is `0xffffffff` => `0xff00ff00`.
`sed` gives you the ability to munge file hex:

```sh
sed -Ei 's/([^\xff])\xff{4}([^\xff])/\1\xff\x00\xff\x00\2/g' dhcp.pcap
```

- `sed -i`: change in place.
- `sed -E`: use extended regular expressions.
- `\x??`: hex byte. E.g. `echo -e '\x41'` => `A`, just like an ASCII table would suggest. Note that a hex byte is 8 bits and that in `\xff`, each f is 4 bits.
- 1st `[^\xff]`: we know that the 32 bits before this regex will be the client’s IP address, 0.0.0.0 (0x00000000), and the last byte, 0x00, will match.
- 2nd `[^\xff]`: we know that the 32 bits after this regex are the UDP ports for DHCP, 67 and 68. `[^\xff]` will match the source udp port 68 (00 in 0x0068).
- `\xff{4}`: given that this packet capture is DHCP, the client sends traffic to a MAC address of ffffffffffff. Thus, a regex of `\xff{4}` will match the dest MAC as well. Putting it all together, we get `[^\xff]\xff{4}[^\xff]`.
- `([^\xff])`: add parentheses (capturing group) to both the preceding and trailing byte, so they are included in the result.
- `\1`, `\2`: we cannot use lookahead/lookbehind with sed, so use capture groups (corresponding to the previous item) for the preceding and trailing bytes.

Exactly like `sed`, except we can use negative lookaheads and lookbehinds:

```sh
perl -pi -e 's/(?<!\xff)\xff{4}(?!\xff)/\xff\x00\xff\x00/g' dhcp.pcap
```
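Both one-liners substitute bytes without knowing where the packet fields are, so the IPv4 header checksum that covers the destination address is left stale (Wireshark flags it as incorrect once checksum validation is enabled). The Python below is an added example, not code from the original post: it builds a constructed single-frame DHCP-shaped pcap, applies the page’s regex to it, and compares that with a structure-aware rewrite that refreshes the checksum. It assumes a little-endian pcap containing Ethernet II + IPv4 frames with no VLAN tags.

```python
import re
import struct

# Constructed sample, not a real capture: one Ethernet/IPv4/UDP frame shaped like a
# DHCP request (0.0.0.0 -> 255.255.255.255, UDP 68 -> 67), in a little-endian pcap.
PCAP_GLOBAL_HDR = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # DLT 1 = Ethernet
SED_PATTERN = re.compile(rb"([^\xff])\xff{4}([^\xff])")  # the page's sed regex, byte for byte

def ip_checksum(header: bytes) -> int:
    """RFC 1071 ones'-complement checksum of an IPv4 header; 0 means a stored checksum verifies."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_sample_pcap() -> bytes:
    eth = b"\xff" * 6 + bytes.fromhex("001122334455") + b"\x08\x00"
    bootp = bytes([1, 1, 6, 0]) + b"\x00" * 236            # op/htype/hlen/hops, rest zeroed
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0)  # UDP checksum 0 = not supplied
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp) + len(bootp),
                     0, 0, 64, 17, 0, b"\x00" * 4, b"\xff" * 4)
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]   # fill in a valid checksum
    frame = eth + ip + udp + bootp
    return PCAP_GLOBAL_HDR + struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

def regex_rewrite(pcap: bytes) -> bytes:
    """What the sed/perl one-liners do: substitute bytes with no idea where packet fields are."""
    return SED_PATTERN.sub(lambda m: m.group(1) + b"\xff\x00\xff\x00" + m.group(2), pcap)

def rewrite_broadcast(pcap: bytes, new_dst: bytes = b"\xff\x00\xff\x00") -> tuple:
    """Rewrite dst 255.255.255.255 in Ethernet II + IPv4 frames (no VLAN tag) and fix the IP checksum."""
    out, pos, changed = bytearray(pcap[:24]), 24, 0
    while pos < len(pcap):
        rec_hdr = pcap[pos:pos + 16]
        incl_len = struct.unpack("<I", rec_hdr[8:12])[0]
        frame = bytearray(pcap[pos + 16:pos + 16 + incl_len])
        if len(frame) >= 34 and frame[12:14] == b"\x08\x00" and frame[30:34] == b"\xff" * 4:
            frame[30:34] = new_dst
            ihl = (frame[14] & 0x0F) * 4
            frame[24:26] = b"\x00\x00"                     # zero, then refresh the checksum
            frame[24:26] = struct.pack("!H", ip_checksum(bytes(frame[14:14 + ihl])))
            changed += 1
        out += rec_hdr + frame
        pos += 16 + incl_len
    return bytes(out), changed

def first_frame_checksum_ok(pcap: bytes) -> bool:
    """True when the first record's IPv4 header checksum still verifies."""
    frame = pcap[40:]
    return ip_checksum(frame[14:14 + (frame[14] & 0x0F) * 4]) == 0
```

Run `rewrite_broadcast(build_sample_pcap())` and `regex_rewrite(build_sample_pcap())` through `first_frame_checksum_ok` to see that only the structure-aware version leaves a capture Wireshark will not complain about.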
If you are using a *nix system (or WSL), vim and xxd are built in and can be used in conjunction to visually change file bytes. You will need to convert the file bytes to something readable using xxd. `xxd` without options will provide offsets and spaces between bytes while `xxd -p` will show you just the bytes, both in 16 byte lines. `xxd -r` converts ASCII hex back to the hex literals of your file.
The joke goes that “emacs is a great OS, if only it had a good text editor”. Where vim integrates better with unixy tools like xxd, emacs tries to be your everything. Case in point: hexl is a builtin that allows for hex literal editing. Open with `M-x hexl-find-file` and use `C-M-x` to insert hex.
Piping is important for using many of these utilities. For example, it is not really possible to use rawshark without piping, as it expects a FIFO or stream.
Utility | stdin formats | input formats | stdout formats | output formats
---|---|---|---|---
capinfos | - | *pcaps¹ | report² | -
dumpcap | - | - | - | *pcaps
editcap | - | *pcaps | - | *pcaps
mergecap | - | *pcaps | - | *pcaps
randpkt | - | - | - | pcap
rawshark | raw pcap³ | - | report | -
reordercap | - | *pcaps | - | pcapng
text2pcap | hexdump⁴ | - | - | pcap, pcapng
tshark | raw pcap | *pcaps | report, raw pcap, hexdump | *pcaps

¹ *pcaps: any capture file format that Wireshark supports (`tshark -F` to list).

³ raw pcap: piped in with `cat $file | ...`, read by piping to `... | tshark -r -`, and saved with `... > $file`.

⁴ hexdump: `od -Ax -tx1 -v`. As of Wireshark v3.0.0, `tshark -r <my.pcap> -x` will usually generate this as well. If the hexdump is a stream, send it to text2pcap as `<commands>... | text2pcap - <outfile>`. Otherwise, if it’s a file, use `text2pcap <infile> <outfile>`.
On bash, it’s possible to create temporary files to mimic passing in stdin. In this example, editcap can only read files, so create a temp file, send filtered tshark output to it, and then have editcap read it to make further alterations.

```sh
tempfile=$(mktemp)
# Keep only client-to-server (Boot Request, dhcp.type == 1) messages and write them to the temp file
tshark -r dhcp.pcap -Y "dhcp.type == 1" -w "$tempfile"
# Options go before the positional <infile> <outfile>; -a attaches a comment to frame 1
editcap -a 1:"Cool story bro!" "$tempfile" dhcp2.pcap
```