Created this tool to make changes on pcap packet layers.

x00itachi/modify-pcap-pkt-layers

Pcap packet layer modification tool

HOW TO

> python modify_layers.py -h
usage: modify_layers.py [-h] [-i PCAP] [-j] [-d] [-l (START,END)] [-e] [-6] [-4] [-f]

A script for modifying PCAP files.

options:
  -h, --help            show this help message and exit
  -i PCAP, --input PCAP
                        Input pcap file.
  -j, --rmjnprlayer     Remove the Juniper Ethernet layer, located 12 bytes from the beginning of the packet.
  -d, --dot1q           Remove the VLAN 802.1Q layer.
  -l (START,END), --rmlayer (START,END)
                        Remove layers/bytes using start and end offsets
  -e, --addeth          Add an Ethernet layer and utilize random MAC addresses.
  -6, --toipv6          Converting the IPv4 pcap to IPv6. Utilize random IPv6 addresses.
  -4, --toipv4          Converting the IPv6 pcap to IPv4. Utilize random IPv4 addresses.
  -f, --fixchksum       Explicitly fix the checksum of the pcap. Implicitly, this fix applies to all other
                        features/arguments.
>

Usage Examples

[Example 1]: Removing VLAN 802.1Q layer

> python modify_layers.py -i 802.1q.vlans.pcap -d


[Example 2]: Removing Juniper Ethernet layer

> python modify_layers.py -i jnpr-ethernet-layer.pcap -j


[Example 3]: Removing Juniper Ethernet layer and VLAN 802.1Q layers together

> python modify_layers.py -i jnpr-ethernet-layer.pcap -j -d


[Example 4]: Removing layer based on offsets (Removing Juniper Ethernet layer using offsets)

> python modify_layers.py -i jnpr-ethernet-layer.pcap -l "(0,12)"


[Example 5]: Add an Ethernet layer and utilize random MAC addresses

> python modify_layers.py -i .\unittest_cases\no_ethernet.pcap -e

Input pcap: no_ethernet.pcap

  • By default, Wireshark attempts to decode the packet as Ethernet, which is why an Ethernet layer is shown at that position, but it is invalid.

Output pcap: modified_no_ethernet.pcap (PCAP with a valid Ethernet layer added)


[Example 6]: Converting the IPv4 pcap to IPv6. Utilize random IPv6 addresses

> python modify_layers.py -i .\unittest_cases\valid_ipv4_http.pcap -6

Input pcap: valid_ipv4_http.pcap


Output pcap: modified_valid_ipv4_http.pcap (IPv6)


[Example 7]: Converting the IPv6 pcap to IPv4. Utilize random IPv4 addresses

> python modify_layers.py -i .\unittest_cases\valid_ipv6_http.pcap -4

Input pcap: valid_ipv6_http.pcap


Output pcap: modified_valid_ipv6_http.pcap (IPv4)


[Example 8]: Explicitly fix the checksum of the pcap. Implicitly, this fix applies to all other features/arguments.

> python modify_layers.py -i .\unittest_cases\invalid_tcp_chksum.pcap -f

Input pcap: invalid_tcp_chksum.pcap


Output pcap: modified_invalid_tcp_chksum.pcap (valid TCP chksum)


Tested Env

  • Windows 11
  • Python 3.12
  • Visual Studio Code 1.84
