Sake Blok, a Wireshark/Ethereal devotee since 1999, works as a Research & Development Engineer for ion-ip in the Netherlands (http://www.ionip.com) . His company provides solutions to customers who want to deliver their applications to users in a fast, secure, efficient and scalable manner. Sake\\\\\\\\\\\\\\\'s main focus is to take new products for a spin in their test environment, design custom solutions for customers and troubleshoot the problems customers might encounter while using ion-ip solutions. Two years ago (2006), Sake started to add the functionality he was missing to Wireshark. He also started to fix Wireshark-bugs that were reported on Bugzilla. This work on Wireshark resulted in an invitation from Gerald Combs to join the Wireshark Core Development Team in 2007.

1. Capture file manipulation Part II : changing packets September 2008

5. Change the snap length of packets $ $ editcap -s 68 test.cap tmp.cap $ $ tshark -c1 -r test.cap -V | grep "^Frame" Frame 1 (110 bytes on wire, 110 bytes captured) $ tshark -c1 -r tmp.cap -V | grep "^Frame" Frame 1 (110 bytes on wire, 68 bytes captured) $ $ capinfos -csd test.cap File name: test.cap Number of packets: 27 File size: 5740 bytes Data size: 5284 bytes $ capinfos -csd tmp.cap File name: tmp.cap Number of packets: 27 File size: 2154 bytes Data size: 5284 bytes $

10. Change the timestamps of packets $ tshark -ta -r client.cap "tcp.flags.syn==1" 1 22:31:59.246452 192.168.1.46 -> 192.168.1.20 TCP 43426 > http [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=1 2 22:31:59.248515 192.168.1.20 -> 192.168.1.46 TCP http > 43426 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460 WS=7 $ tshark -ta -r server.cap "tcp.flags.syn==1" 1 22:31:49.548529 192.168.1.46 -> 192.168.1.20 TCP 43426 > http [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=1 2 22:31:49.548556 192.168.1.20 -> 192.168.1.46 TCP http > 43426 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460 WS=7 $ correction = (59.246452-49.548529 + 59.248515-49.548556)/2 = 9.698941 $ editcap -t 9.698941 server.cap server-corrected.cap $ tshark -ta -r server-corrected.cap "tcp.flags.syn==1" 1 22:31:59.247470 192.168.1.46 -> 192.168.1.20 TCP 43426 > http [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=1 2 22:31:59.247497 192.168.1.20 -> 192.168.1.46 TCP http > 43426 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460 WS=7 $

11. Change the file type of a capture file $ $ editcap -F netmon1 test.cap tmp.cap $ $ capinfos -tsd *cap File name: test.cap File type: Wireshark/tcpdump/... - libpcap File size: 5740 bytes Data size: 5284 bytes File name: tmp.cap File type: Microsoft NetMon 1.x File size: 5736 bytes Data size: 5284 bytes $