Insert, Remove and Modify bytes from packet of Pcap file in linux


I require a way to insert, remove or modify the hex data bytes in the packet of a pcap file. Is there a tshark command or any other method to do this?

00292c0: 900b 0000 0018 5a82 5a82 a57e 5a82 a57e  ......Z.Z..~Z..~
00292d0: a57e a57e 5a82 5a82 a57e 5a82 a57e 5a82  .~.~Z.Z..~Z..~Z.
00292e0: a57e 5a82 5a82 5a82 a57e a57e 5a82 a57e  .~Z.Z.Z..~.~Z..~

Suppose I want to modify the first 4 bytes of data from 900b 0000 to 801b 0101 or remove first bytes or add an extra set of bytes at the end after a57e? How shall I do that?

There are a number of ways to modify packet data. For example:

  • You can use a hex editor. There are many, so search for and use whichever one works for you. Maybe have a look at this Comparison of hex editors to help guide you. I'll also note that Notepad++ has a hex editor plugin available in case that's of any interest to you.
  • You can use a tool such as WireEdit.
  • From Wireshark, you can export your packets to a Plain Text file via "File -> Export Packet Dissections -> As Plain Text..." with the Packet Format options set so that only the Packet Bytes are exported, and then use any text editor to modify the packet data as needed. After that, you can use text2pcap to convert the modified text file back to a binary pcap file that can then be loaded back into Wireshark, or you can use Wireshark's built-in functionality to directly import the text file containing the modified hex dump of the packets you previously exported via "File -> Import From Hex Dump...". NOTE that when editing packets, especially when adding/removing bytes, you will likely need to make other adjustments as well in order for the packets to still make sense. This is because there are often length fields embedded in the packet data, so you need to be sure that the new length matches the data. And you might have to make changes in several places. And if you care about correct checksums/CRCs, then you may have to adjust those fields as well.
  • Other possible solutions are listed on the Wireshark Tools wiki page in the Capture file editors and/or anonymizers section.
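The answer's caveat (record lengths, embedded length fields and checksums all have to be kept in step when bytes are inserted or removed) is the part that bites people editing pcaps by hand. The following Python script is an added example, my own code rather than anything from the answer, Wireshark or text2pcap: it builds a two-packet pcap in memory from constructed Ethernet/IPv4/UDP frames whose payload begins with the first dump line from the question, performs the three edits asked about (replace `900b 0000` with `801b 0101`, delete bytes, append bytes), then re-derives the pcap record lengths and re-syncs the IPv4 total length, IPv4 header checksum and UDP length. MAC/IP addresses, ports and the appended `dead` trailer are constructed placeholders; only classic little-endian microsecond pcap is handled, not pcapng, and TCP checksums are left alone.

```python
"""Edit packet bytes inside a pcap file and keep lengths/checksums consistent.

Added example, not from the original question or answer. Handles classic
little-endian, microsecond-resolution pcap only (magic 0xa1b2c3d4).
"""
import struct

PCAP_MAGIC_LE_USEC = 0xA1B2C3D4
PCAP_GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
PCAP_REC_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len, orig_len
LINKTYPE_ETHERNET = 1
ETH_HDR_LEN = 14


def parse_pcap(data: bytes):
    """Return (global_header_fields, [(ts_sec, ts_usec, packet_bytes), ...])."""
    if len(data) < PCAP_GLOBAL_HDR.size or struct.unpack("<I", data[:4])[0] != PCAP_MAGIC_LE_USEC:
        raise ValueError("not a little-endian microsecond pcap file")
    ghdr = PCAP_GLOBAL_HDR.unpack_from(data, 0)
    off, packets = PCAP_GLOBAL_HDR.size, []
    while off < len(data):
        ts_sec, ts_usec, incl_len, _orig_len = PCAP_REC_HDR.unpack_from(data, off)
        off += PCAP_REC_HDR.size
        pkt = data[off:off + incl_len]
        if len(pkt) != incl_len:  # a stale incl_len is exactly what a raw hex edit leaves behind
            raise ValueError("truncated record at offset %d" % off)
        packets.append((ts_sec, ts_usec, pkt))
        off += incl_len
    return ghdr, packets


def build_pcap(packets, linktype=LINKTYPE_ETHERNET, snaplen=65535) -> bytes:
    """Serialize packets; incl_len/orig_len are derived from the bytes, so the
    record headers always agree with the (possibly edited) packet data."""
    out = [PCAP_GLOBAL_HDR.pack(PCAP_MAGIC_LE_USEC, 2, 4, 0, 0, snaplen, linktype)]
    for ts_sec, ts_usec, pkt in packets:
        out.append(PCAP_REC_HDR.pack(ts_sec, ts_usec, len(pkt), len(pkt)))
        out.append(pkt)
    return b"".join(out)


# The three edits asked about in the question, applied to raw packet bytes.
def replace_bytes(pkt: bytes, offset: int, new: bytes) -> bytes:
    return pkt[:offset] + new + pkt[offset + len(new):]


def delete_bytes(pkt: bytes, offset: int, count: int) -> bytes:
    return pkt[:offset] + pkt[offset + count:]


def append_bytes(pkt: bytes, extra: bytes) -> bytes:
    return pkt + extra


def ipv4_checksum(hdr: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 when the header's own checksum is valid."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def fix_lengths(pkt: bytes) -> bytes:
    """Re-sync the embedded length fields the answer warns about, for the layout
    this example constructs: Ethernet II + IPv4 (+ UDP), no Ethernet trailer.
    IPv4 total length and header checksum are rewritten; for UDP the length is
    rewritten and the checksum cleared (0 = absent, permitted over IPv4).
    Anything else is returned untouched."""
    if len(pkt) < ETH_HDR_LEN + 20 or pkt[12:14] != b"\x08\x00":
        return pkt
    ihl = (pkt[ETH_HDR_LEN] & 0x0F) * 4
    if len(pkt) < ETH_HDR_LEN + ihl:
        return pkt
    ip = bytearray(pkt[ETH_HDR_LEN:ETH_HDR_LEN + ihl])
    struct.pack_into("!H", ip, 2, len(pkt) - ETH_HDR_LEN)   # total length
    struct.pack_into("!H", ip, 10, 0)                       # zero before summing
    struct.pack_into("!H", ip, 10, ipv4_checksum(bytes(ip)))
    rest = pkt[ETH_HDR_LEN + ihl:]
    if ip[9] == 17 and len(rest) >= 8:                      # protocol 17 = UDP
        udp = bytearray(rest[:8])
        struct.pack_into("!H", udp, 4, len(rest))           # UDP length = header + data
        struct.pack_into("!H", udp, 6, 0)
        rest = bytes(udp) + rest[8:]
    return pkt[:ETH_HDR_LEN] + bytes(ip) + rest


def build_sample_packet(payload: bytes) -> bytes:
    """Constructed Ethernet II / IPv4 / UDP frame; addresses and ports are placeholders."""
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")
    udp_len = 8 + len(payload)
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 1, 0, 64, 17, 0,
                               bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])))
    struct.pack_into("!H", ip, 10, ipv4_checksum(bytes(ip)))
    udp = struct.pack("!HHHH", 12345, 5000, udp_len, 0)
    return eth + bytes(ip) + udp + payload


PAYLOAD_OFFSET = ETH_HDR_LEN + 20 + 8
QUESTION_BYTES = bytes.fromhex("900b 0000 0018 5a82 5a82 a57e 5a82 a57e")  # first dump line from the question


def demo():
    """Apply the question's edits to packet 0 of a constructed pcap and return
    (edited_pcap_bytes, edited_packet_bytes as re-read from that file)."""
    original = build_pcap([(0, 0, build_sample_packet(QUESTION_BYTES)),
                           (0, 500, build_sample_packet(QUESTION_BYTES))])
    ghdr, pkts = parse_pcap(original)
    ts_sec, ts_usec, pkt = pkts[0]
    pkt = replace_bytes(pkt, PAYLOAD_OFFSET, bytes.fromhex("801b 0101"))  # 900b 0000 -> 801b 0101
    pkt = delete_bytes(pkt, PAYLOAD_OFFSET + 4, 2)                       # drop the 0018 that follows
    pkt = append_bytes(pkt, bytes.fromhex("dead"))                       # constructed trailer after the last a57e
    pkts[0] = (ts_sec, ts_usec, fix_lengths(pkt))
    edited = build_pcap(pkts, linktype=ghdr[6])
    return edited, parse_pcap(edited)[1][0][2]


if __name__ == "__main__":
    edited, pkt = demo()
    with open("edited.pcap", "wb") as fh:  # load this in Wireshark to confirm it dissects cleanly
        fh.write(edited)
    print(pkt[PAYLOAD_OFFSET:].hex())
```

The point of `fix_lengths` is the answer's caveat made concrete: after deleting two bytes and appending two, the pcap record header is rebuilt from the real byte count, the IPv4 total length is recomputed and its header checksum regenerated, and the UDP length is corrected. Opening the written file in Wireshark is the practical check that no "malformed packet" or length-mismatch expert info appears.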