I'd like to be able to intercept/modify data in a TCP flow, on the side of the TCP client. Examples for pcap show how to parse the TCP packet header/payload. But suppose I want to modify the packet payload before the TCP client reads it, or drop the packet entirely. How can I do that with pcap capture?
3 Answers
As above, you can't do interception/modification with pcap. For this you need one of the following OS-dependent techniques:
- Linux: libnetfilter_queue + iptables
- MacOS, FreeBSD: divert sockets + ipfw
- Windows: WinPkFilter (commercial), WinDivert (LGPL), or write your own NDIS IM or WFP call-out driver.
(usual disclosure: WinDivert is my project).

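Whichever of the hooks listed above you use (NFQUEUE, divert sockets, WinDivert), the callback behind it has the same job, and the following added example (not code from the answers or from any of those projects) shows that job in Python: parse the IPv4/TCP headers, drop or rewrite by payload content, and recompute the TCP checksum so the stack does not discard the modified segment. It assumes the hook hands the callback one complete IPv4 packet as bytes and that the replacement keeps the payload length, since a length change would desync the sequence and acknowledgement numbers of the existing connection; the queue registration is not shown, and `build_sample` is a constructed packet for offline use.

```python
import struct
from typing import Optional

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum: fold the 16-bit word sum, then invert."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def tcp_checksum(pkt: bytes) -> int:
    """Checksum over IPv4 pseudo-header + TCP segment; 0 means the stored checksum is valid."""
    ihl, total = (pkt[0] & 0x0F) * 4, struct.unpack("!H", pkt[2:4])[0]
    seg = pkt[ihl:total]
    return ones_complement_sum(pkt[12:20] + struct.pack("!BBH", 0, 6, len(seg)) + seg)

def set_tcp_checksum(pkt: bytearray) -> None:
    ihl = (pkt[0] & 0x0F) * 4
    pkt[ihl + 16:ihl + 18] = b"\x00\x00"          # zero the field before summing
    struct.pack_into("!H", pkt, ihl + 16, tcp_checksum(bytes(pkt)))

def verdict(pkt: bytes, old: bytes, new: bytes, drop_if: bytes) -> Optional[bytes]:
    """Queue-callback logic: None means DROP; otherwise the bytes to ACCEPT (possibly rewritten)."""
    if len(old) != len(new):
        raise ValueError("length change would desync TCP seq/ack numbers")
    if pkt[0] >> 4 != 4 or pkt[9] != 6:
        return pkt                                # not IPv4/TCP: pass through untouched
    ihl, total = (pkt[0] & 0x0F) * 4, struct.unpack("!H", pkt[2:4])[0]
    start = ihl + (pkt[ihl + 12] >> 4) * 4        # end of TCP header incl. options
    payload = pkt[start:total]
    if drop_if in payload:
        return None
    if old not in payload:
        return pkt
    out = bytearray(pkt[:start] + payload.replace(old, new, 1) + pkt[total:])
    set_tcp_checksum(out)                         # IP header checksum only covers the header
    return bytes(out)

def build_sample(payload: bytes) -> bytes:
    """Constructed IPv4/TCP packet (10.0.0.1:40000 -> 10.0.0.2:80, PSH|ACK) for offline use."""
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0x1234,
                               0x4000, 64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])))
    struct.pack_into("!H", ip, 10, ones_complement_sum(bytes(ip)))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1000, 2000, 5 << 4, 0x18, 65535, 0, 0)
    pkt = bytearray(ip + tcp + payload)
    set_tcp_checksum(pkt)
    return bytes(pkt)
```

In a real deployment `verdict` is what you would call from the NFQUEUE or WinDivert callback, passing its return value back as the accept/drop decision.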
You can't do that with libpcap or WinPcap; libpcap is built atop OS mechanisms that do not support that (those mechanisms exist to support passive packet capture and low-level packet capture and injection, not to support packet modification in the packet input and output path), and WinPcap's driver is built atop an OS mechanism of that sort.
You would have to find some mechanism, in whatever OS you're using, that supports tapping into the networking stack in a way that allows the tapping program to modify packets as they pass through the networking stack. Such a mechanism might not exist on some OSes; on OSes where it does exist, if there are any, it's probably very OS-dependent. (The mechanisms libpcap uses are also OS-dependent; libpcap exists, in part, to hide those differences from applications, to the maximum extent possible.)
- You would have to find some mechanism, in whatever OS you're using, that supports tapping into the networking stack in a way that allows the tapping program to modify packets as they pass through the networking stack. – user270398 Apr 25 '12 at 19:47
- Thanks, I am still not quite clear however. It seems there are a few frameworks for this, like "scapy" or "nemesis". They can "craft" and "inject" the packet, although I couldn't find how to change the payload of an existing packet, or inject a TCP packet into an existing connection. Do you think "netfilter" would provide such a mechanism in Linux/BSD? – user270398 Apr 25 '12 at 19:57
- You couldn't find that because they don't support that; they "inject" a packet by transmitting it on a network, not by catching a received packet before it reaches TCP and handing the modified packet to TCP. Netfilter might let you do what you want on Linux; ipfirewall or PF might let you do it on *BSD. – Apr 25 '12 at 22:50