10/27/2015 8:00 AM

Wireshark: Editing A Packet

In this video, Tony Fortunato shows how a new feature in the Wireshark network analysis tool allows you to sanitize the information in a trace file before sharing it.

There are many situations where you wish you could share a trace file with a vendor, but you can’t because the packets may contain sensitive data such as corporate identifying information, IP addresses, and passwords.

But now, Wireshark, the open source network analysis tool, has an experimental feature under Edit->Preferences called Enable Packet Editor which does exactly what it says. You can edit anything in the packet at any layer. In this video, I change a CDP device ID and CDP's checksum.

This editing technique doesn't scale well and isn't practical if you need to modify 1,000 packets, but I still find it helpful and hope the Wireshark development team continues to build on this cool feature. I am surprised that Wireshark doesn't have a more comprehensive packet edit tool, but I'm happy it's making headway.
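The two edits made in the video (changing a CDP device ID and then fixing the CDP checksum) are exactly what has to happen per packet, so for the 1,000-packet case the practical answer is a small script. The example below is added here and is not code from the video or from the Wireshark project: it parses a pcap file, walks each CDP frame's TLVs, swaps the Device ID TLV for a neutral name, recomputes the RFC 1071 checksum, and fixes the 802.3 length field that changes when the new name has a different length. The sample frame and timestamps are constructed; the code assumes untagged 802.3/LLC/SNAP encapsulation, little-endian microsecond pcap, and even-length CDP payloads (Cisco's checksum for odd-length CDP payloads is not the plain RFC 1071 sum, so those are refused rather than silently miscomputed).

```python
import struct

# Constants for CDP over Ethernet (802.3 length field + LLC/SNAP). All frames below are constructed.
CDP_MULTICAST = bytes.fromhex("01000ccccccc")        # CDP destination MAC
CDP_SNAP = bytes.fromhex("aaaa03" "00000c" "2000")    # LLC AA AA 03 + Cisco OUI + CDP PID 0x2000
CDP_OFFSET = 14 + 8                                   # Ethernet header + LLC/SNAP
TLV_DEVICE_ID = 0x0001
TLV_PORT_ID = 0x0003
PCAP_MAGIC = 0xA1B2C3D4                               # little-endian, microsecond pcap


def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit big-endian words.
    Assumption: even-length input only; Cisco's odd-length CDP checksum is not handled here."""
    if len(data) % 2:
        raise ValueError("odd-length CDP payload not handled by this example")
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                                # fold end-around carries
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tlv(tlv_type: int, value: bytes) -> bytes:
    """CDP TLV: 2-byte type, 2-byte length (counts the 4 header bytes too), value."""
    return struct.pack("!HH", tlv_type, 4 + len(value)) + value


def cdp_tlvs(cdp: bytes):
    """Yield (type, value) for every TLV after the 4-byte CDP header (version, TTL, checksum)."""
    off = 4
    while off + 4 <= len(cdp):
        tlv_type, length = struct.unpack("!HH", cdp[off:off + 4])
        if length < 4 or off + length > len(cdp):
            raise ValueError("malformed CDP TLV")
        yield tlv_type, cdp[off + 4:off + length]
        off += length


def assemble_cdp(version: int, ttl: int, tlvs) -> bytes:
    """Serialise CDP header + TLVs, computing the checksum over the zero-filled header."""
    body = b"".join(build_tlv(t, v) for t, v in tlvs)
    csum = internet_checksum(struct.pack("!BBH", version, ttl, 0) + body)
    return struct.pack("!BBH", version, ttl, csum) + body


def build_cdp_frame(src_mac: bytes, device_id: str, port_id: str) -> bytes:
    """Constructed sample: a CDPv2 frame (TTL 180 s) carrying Device ID and Port ID TLVs."""
    cdp = assemble_cdp(2, 180, [(TLV_DEVICE_ID, device_id.encode()), (TLV_PORT_ID, port_id.encode())])
    payload = CDP_SNAP + cdp
    return CDP_MULTICAST + src_mac + struct.pack("!H", len(payload)) + payload


def rewrite_device_id(frame: bytes, new_id: str) -> bytes:
    """Replace the Device ID TLV, then fix the CDP checksum and the 802.3 length field.
    Frames that are not LLC/SNAP CDP are returned untouched."""
    if frame[14:CDP_OFFSET] != CDP_SNAP:
        return frame
    cdp = frame[CDP_OFFSET:]
    tlvs = [(t, new_id.encode() if t == TLV_DEVICE_ID else v) for t, v in cdp_tlvs(cdp)]
    payload = CDP_SNAP + assemble_cdp(cdp[0], cdp[1], tlvs)
    return frame[:12] + struct.pack("!H", len(payload)) + payload


def device_id_of(frame: bytes) -> str:
    return next(v for t, v in cdp_tlvs(frame[CDP_OFFSET:]) if t == TLV_DEVICE_ID).decode()


def cdp_checksum_ok(frame: bytes) -> bool:
    """With the checksum field included, a correct ones'-complement sum complements to zero."""
    return internet_checksum(frame[CDP_OFFSET:]) == 0


def build_pcap(frames) -> bytes:
    """Minimal pcap writer: 24-byte global header, then a 16-byte record header per frame."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1445932800 + i, 0, len(frame), len(frame)) + frame
    return out


def sanitize_pcap(pcap: bytes, new_id: str) -> bytes:
    """Rewrite the Device ID of every CDP frame in a pcap, re-emitting corrected record lengths."""
    if struct.unpack("<I", pcap[:4])[0] != PCAP_MAGIC:
        raise ValueError("only little-endian microsecond pcap files are handled here")
    out = bytearray(pcap[:24])
    off = 24
    while off + 16 <= len(pcap):
        ts_sec, ts_usec, incl, orig = struct.unpack("<IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl]
        if incl == orig:                              # skip truncated records; their TLVs cannot be rebuilt
            frame = rewrite_device_id(frame, new_id)
            orig = len(frame)
        out += struct.pack("<IIII", ts_sec, ts_usec, len(frame), orig) + frame
        off += 16 + incl
    return bytes(out)


if __name__ == "__main__":
    original = build_pcap([build_cdp_frame(bytes.fromhex("001122334455"),
                                           "core-sw01.corp.example", "GigabitEthernet1/0/1")])
    cleaned = sanitize_pcap(original, "anon-sw-01")
    with open("cdp_sanitized.pcap", "wb") as fh:  # open the result in Wireshark to confirm the checksum decodes as good
        fh.write(cleaned)
    print(device_id_of(cleaned[40:]), cdp_checksum_ok(cleaned[40:]))
```

Because the whole CDP body is rebuilt from its parsed TLVs, the replacement name may be longer or shorter than the original; the checksum and the 802.3 length are derived from the rebuilt bytes rather than patched in place, which is the step that is easy to forget when hand-editing in the packet editor. Timestamps and non-CDP records pass through unchanged, so the sanitized file still lines up with the original for troubleshooting.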

As I mention in the video, there are some tools out there that will change the MAC address or IP address in all your packets like TraceWrangler, which I have used for a while.

Please keep in mind that you should only share real corporate packets whose contents you are familiar with, and only with vendors you trust. In my network troubleshooting work, I've received many trace files that contained more information than the customer was aware of and wouldn't be too happy about being shared.


Comments

Wireshark

Tony, thanks for demonstrating this feature -- it seems like a pretty essential capability, especially in this time of heightened corporate security concerns.

Re: Wireshark

My pleasure.  

I get a lot of questions about modifying the packet's contents.


Thanks for the feedback


Re: Wireshark

Sounds good to understand that Wireshark is not only a packet analyzer, but can work as a packet generator also. Although I still doubt if it is feasible enough to be used in a live environment.

Re: Wireshark

Thanks for the feedback, but I just want to clarify.

I was using Wireshark as a packet editor to clean up the odd packet with sensitive payload. Wireshark cannot generate packets. For that you use something like bittwist http://bittwist.sourceforge.net/

Re: Wireshark

Hi Tony,

Thanks for all these kind of posts. Really helpful.

Didn't know about this feature :) Great.

Re: Wireshark

My pleasure.

Glad you found them helpful and appreciate you taking the time to send some feedback.


Regards

Re: Wireshark

Wireshark is a good packet analyzer. Its packet editing capabilities are below par. It wasn't designed for it. A huge redesign is required to make a good packet editor out of it.

Wireedit.com

Jasper from Tracewrangler suggested that you might want to try Wireedit https://wireedit.com/ .

I never heard of it and took a peek.  Looks very cool.

I love it when I learn something new.

Enjoy

There is a better way to do it.

If you are interested in editing packets, take a look at WireEdit. It's Free As In Beer. Just google it.