Getting started with Packet Editing
Recently, I came across a question on https://ask.wireshark.org/questions/ about editing a RADIUS packet with Wireshark. The user wanted to modify fields such as the source and destination IP addresses. The answer depends on which version of Wireshark you use. Newer Wireshark versions have a Qt-based Graphical User Interface (GUI) (Qt is a cross-platform application development framework), while older versions have a GTK-based GUI (GTK is a free and open-source cross-platform widget toolkit for building graphical user interfaces). Even though the internal functions are mostly the same, the two GUIs expose different features.
Unlike newer Wireshark, legacy Wireshark supports an experimental feature that lets you modify packet fields. Newer Wireshark versions may not support it, but that does not mean we cannot find a workaround.
I will explain a couple of methods to modify packets with Wireshark or with its help.
Method-1: Using Packet Editor in legacy Wireshark
First things first: although it took me some time to find a Wireshark version with a GTK-based GUI, here is the link (https://wireshark.en.uptodown.com/windows/versions) to download and install it. I installed version 1.12.7 (32-bit) on my virtual machine. To be honest, I felt like I had travelled back in time when I saw the old GUI 😊
After installing the program, we will use a sample RADIUS capture to practise modifying packets. You can download the sample from here (http://packetlife.net/media/captures/RADIUS.cap).
Step-1: Launch Wireshark and open the sample file.
Step-2: We need to check whether the editing feature is enabled. Select the first packet in the list, then expand the Internet Protocol (IP) header tree. Next, right-click on the source IP address and a menu appears. If "Edit Packet" is greyed out, packet editing is not enabled; follow step 3 to enable it. The following screenshot shows that editing is not enabled in my Wireshark.
Step-3: Navigate to Edit → Preferences.
Step-4: Click on "User Interface" and scroll down to the bottom. Tick "Enable Packet Editor (Experimental)", then click "OK" to finish.
Step-5: After step 4, you should be able to edit the packet. Follow step 2 to modify the source IP address.
When you double-click on the "Source" field, the "Editing finfo" window pops up. We will change the source IP address from 10.0.0.1 to 192.168.1.1. As you can see in the window, 10.0.0.1 is shown in hex form (0a 00 00 01). We need to convert 192.168.1.1 into hex form, which is (C0 A8 01 01). I used the Windows calculator for the conversion. Then I modified it byte by byte, as shown below.
Click "OK" and then choose "Export Specified Packets" from the "File" menu. Wireshark will not put the changes into effect until you restart it. My output after restarting Wireshark is below.
Step-6: I would like to show you how to change a string field, which is a bit easier than changing a hex field. Select the first RADIUS packet from the list and expand the protocol tree as shown below.
We will modify the "User-Name" field from "John.McGuirk" to "Celal.Dogan". Right-click on the field and edit the packet.
Step-7: Double-click on the "User-Name" field in the editing window. You should see something like the following.
Since the "User-Name" field is a string, we do not have to change it byte by byte. Just delete the highlighted text and type "Celal.Dogan" instead. Then choose "Export Specified Packets" from the "File" menu, restart Wireshark, and you should see the following output.
At first glance, everything looks fine. However, there is a subtle modification still to be made. Notice that there is a backslash with three zeros at the end of "Celal.Dogan" (\000). This is because we simply replaced one string with another and ignored the Attribute Value Pair (AVP) length, which is still 14 bytes (l=14). "John.McGuirk" is one byte longer than "Celal.Dogan", so we need to change the AVP length from 14 to 13.
Step-8: Open the editing window and change the length "0e" (14 in decimal) to "0d" (13 in decimal).
Click "OK", then choose "Export Specified Packets" from the "File" menu. Next, restart Wireshark and you should see the following output.
As you can see, everything looks great after modifying AVP length.
Method-2: Packet editing with a text editor
Unfortunately, newer versions of Wireshark do not support packet editing. When I need to modify some fields for my articles, I convert the Wireshark trace file into a text file and then modify the hex bytes. Compared to the first method, it is a bit more difficult.
Step-1: I assume you have the same Wireshark trace file (RADIUS.cap). After opening the trace file, select "File" → "Export Specified Packets" from the menu.
Step-2: A window pops up. We will save the trace file as a text file. Select "K12 text file" from the drop-down list and name the file as you like. Then click the "Save" button.
Step-3: When you open your text file, you should see something like the following.
Each block delimited by a line of "+" symbols is a packet, and the bytes within a packet are separated by "|" symbols. We will modify these bytes in the file and save it.
Step-3: Before making the changes, we need to identify which bytes to modify. So I will open the trace file in Wireshark and find the bytes that correspond to the source IP address.
Step-4: Open the text file again. Use the "Ctrl+F" shortcut to find the hex sequence we want to modify, as shown below.
Step-5: Modify the source IP address from "0a|00|00|01" to "C0|A8|01|01" (10.0.0.1 → 192.168.1.1) and save the file. Next, open the text file in Wireshark from the File → Open menu. You should see output like the following.
We have successfully made the modification. In the next step, we will modify the user name in the RADIUS packet.
Step-6: The "User-Name" field is a string in ASCII format. I will convert "Celal.Dogan" into ASCII codes, which gives "67 101 108 97 108 46 68 111 103 97 110". Then, I will convert the codes into hex, which gives "43 65 6c 61 6c 2e 44 6f 67 61 6e". You can use this web site to do it automatically: https://onlinestringtools.com/convert-string-to-ascii
Along with the "User-Name", we need to modify the RADIUS packet length from 139 to 138 (00 8b → 00 8a) and the AVP length from 14 to 13 (0e → 0d).
Step-7: After modifying the RADIUS packet length, search for "0e|4a|6f|68|6e|2e|4d|63|47|75|69|72|6b". Then replace it with "0d|43|65|6c|61|6c|2e|44|6f|67|61|6e".
Step-8: When you have done it correctly, you should see something like the following.
Notice that "Internet Protocol Version 4" and "User Datagram Protocol" are highlighted in red. This is because both protocols carry a length field that covers the payload. Since we modified the length in the RADIUS packet, there is now a mismatch. See the details below.
This is the difficulty we face when we modify packets with a text editor. After modifying the length in the IP and UDP headers, the red highlighting and the alert will disappear.
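The length repair that Method-2 leaves to the reader, as an added Python example (not from the original post): it builds its own constructed IPv4/UDP/RADIUS Access-Request instead of reading RADIUS.cap, rewrites the source IP and User-Name exactly as above, then recomputes the AVP, RADIUS, UDP and IP lengths and, going one step beyond the text, the IPv4 header and UDP checksums, which also cover the edited bytes. The zero Request Authenticator, the RADIUS id 42 and the 10.0.0.2 destination are constructed values.

```python
import struct
from ipaddress import IPv4Address

def rfc1071_checksum(data: bytes) -> int:
    # RFC 1071: one's-complement sum of 16-bit words, then complemented (IPv4 header and UDP use it).
    total = sum(struct.unpack(f"!{(len(data) + 1) // 2}H", bytes(data) + b"\x00" * (len(data) % 2)))
    while total >> 16:                                 # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def fix_lengths_and_checksums(pkt: bytes) -> bytes:
    """Recompute IPv4 total length and header checksum, UDP length and checksum, from the real payload."""
    pkt, ihl = bytearray(pkt), (pkt[0] & 0x0F) * 4
    udp_len = len(pkt) - ihl
    struct.pack_into("!H", pkt, 2, len(pkt))                                             # IPv4 total length
    struct.pack_into("!H", pkt, 10, rfc1071_checksum(pkt[:10] + b"\0\0" + pkt[12:ihl]))  # IPv4 header checksum
    struct.pack_into("!HH", pkt, ihl + 4, udp_len, 0)                                    # UDP length, checksum zeroed
    pseudo = bytes(pkt[12:20]) + struct.pack("!BBH", 0, 17, udp_len)                     # pseudo-header: src, dst, 0, proto, len
    struct.pack_into("!H", pkt, ihl + 6, rfc1071_checksum(pseudo + pkt[ihl:]) or 0xFFFF)  # a zero UDP checksum is sent as 0xFFFF
    return bytes(pkt)

def build_sample(src: str, user: str) -> bytes:  # constructed Access-Request (code 1) carrying one User-Name AVP
    avp = bytes([1, 2 + len(user)]) + user.encode()                          # type 1, length incl. 2 header bytes, value
    radius = struct.pack("!BBH16s", 1, 42, 20 + len(avp), bytes(16)) + avp   # code, id, length, zero authenticator
    udp = struct.pack("!HHHH", 1812, 1812, 0, 0) + radius
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 1, 0, 64, 17, 0,
                     IPv4Address(src).packed, IPv4Address("10.0.0.2").packed)
    return fix_lengths_and_checksums(ip + udp)

def rewrite(pkt: bytes, new_src: str, new_user: str) -> bytes:
    """Replace the source IP and the User-Name AVP, then repair every length field that depends on them."""
    pkt, ihl = bytearray(pkt), (pkt[0] & 0x0F) * 4
    pkt[12:16] = IPv4Address(new_src).packed
    radius, pos = ihl + 8, ihl + 8 + 20                # RADIUS header start; first AVP follows the 20-byte header
    while pos + 1 < len(pkt) and pkt[pos + 1] >= 2:    # walk the type/length/value chain; stop on a malformed length
        atype, alen = pkt[pos], pkt[pos + 1]
        if atype == 1:                                 # User-Name: splice in the new AVP, which may change size
            pkt[pos:pos + alen] = bytes([1, 2 + len(new_user)]) + new_user.encode()
            break
        pos += alen
    struct.pack_into("!H", pkt, radius + 2, len(pkt) - radius)   # RADIUS Length (the 139 -> 138 step in the post)
    return fix_lengths_and_checksums(bytes(pkt))

def consistent(pkt: bytes) -> bool:
    """The check Wireshark makes: IP, UDP and RADIUS lengths agree and both checksums verify to zero."""
    ihl = (pkt[0] & 0x0F) * 4
    ip_len, udp_len, radius_len = (struct.unpack("!H", pkt[o:o + 2])[0] for o in (2, ihl + 4, ihl + 10))
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, 17, udp_len)
    return (ip_len == len(pkt) and udp_len == len(pkt) - ihl and radius_len == udp_len - 8
            and rfc1071_checksum(pkt[:ihl]) == 0 and rfc1071_checksum(pseudo + pkt[ihl:]) == 0)
```

consistent() mirrors the red highlighting: it returns False for the hand-edited bytes until every dependent field has been repaired.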
Method-3: Packet Editing with Editcap
Editcap is a general-purpose utility for modifying trace files. You can use it to split a trace file that is too large to work with in Wireshark into multiple smaller files, extract a subset of a trace file based on a start and stop time, alter timestamps, remove duplicate packets, and perform a number of other useful functions. In short, it selects or removes specific packets from a trace file and writes them out in a given format. Unlike the first two methods, it cannot edit individual fields in a specific packet. For the sake of time, I will not cover it here, because it would make the article huge.
Final thoughts
During troubleshooting or study, we may need to share network trace files from our production environment with partners or other people. This poses a great risk if they contain private data, so we have to make sure we do not cause an information leak. Packet editing with Wireshark is the saviour we are looking for.
References
https://www.wireshark.org/docs/man-pages/editcap.html
https://subscription.packtpub.com/book/networking-and-servers/9781783554638/8/ch08lvl1sec57/editing-trace-files-with-editcap
Very Good Article.
The explanation is very, very simple and detailed.