
I have a piece of code that I am using to sniff packets. It works great and I get the raw data without any problem.

Now I would like to modify the content of the packets that are going through my interface. For example modify the dest IP or the data in the packet. How can I do it?

Here is the code I'm using to sniff the traffic that is directed to the port 22 (SSH):

import dpkt, pcap, time

# Open the default capture interface.
pc = pcap.pcap()
# A BPF filter is replaced, not combined, by a later setfilter() call,
# so both conditions have to go into a single filter expression.
pc.setfilter('tcp port 22')
for ts, pkt in pc:
    # Parse the raw frame starting from the Ethernet layer.
    a = dpkt.ethernet.Ethernet(pkt)
    print time.time(), repr(a)
    print "----------------------------------------------------------------"

And this is the response I get:

> 1406580959.72 Ethernet(src='\x00\x0c)\x1d\x86\xc7', dst='\xb8\xca:\xab\xe2\xed', data=IP(src='\n\x01\x91;', off=16384,
> dst='\n\x01\x91P', sum=63108, len=52, p=6, id=3506,
> data=TCP(seq=321409681, off_x2=128, ack=3806515902L, win=247,
> sum=38669, flags=20, dport=22, sport=36999)))
> ----------------------------------------------------------------
> 1406580960.7 Ethernet(src='\x00\x0c)\x1d\x86\xc7', dst='\xb8\xca:\xab\xe2\xed', data=IP(src='\n\x01\x91;', off=16384,
> dst='\n\x01\x91P', sum=4207, len=60, p=6, id=62399,
> data=TCP(seq=4079882711L, off_x2=160, win=29200, sum=5504, dport=22,
> sport=37000)))
> ----------------------------------------------------------------
> 1406580960.7 Ethernet(src='\xb8\xca:\xab\xe2\xed', dst='\x00\x0c)\x1d\x86\xc7', data=IP(src='\n\x01\x91P', off=16384,
> dst='\n\x01\x91;', len=60, p=6, ttl=128, id=16575,
> data=TCP(seq=3804512442L, off_x2=160, ack=4079882712L, win=8192,
> sum=14012, flags=18, dport=37000, sport=22)))
> ----------------------------------------------------------------
> 1406580960.7 Ethernet(src='\x00\x0c)\x1d\x86\xc7', dst='\xb8\xca:\xab\xe2\xed', data=IP(src='\n\x01\x91;', off=16384,
> dst='\n\x01\x91P', sum=4214, len=52, p=6, id=62400,
> data=TCP(seq=4079882712L, off_x2=128, ack=3804512443L, win=229,
> sum=24436, flags=16, dport=22, sport=37000)))
> ----------------------------------------------------------------
> 1406580960.7 Ethernet(src='\xb8\xca:\xab\xe2\xed', dst='\x00\x0c)\x1d\x86\xc7', data=IP(src='\n\x01\x91P', off=16384,
> dst='\n\x01\x91;', len=152, p=6, ttl=128, id=16576,
> data=TCP(seq=3804512443L, off_x2=128, ack=4079882712L, win=260,
> sum=14104, flags=24, dport=37000, sport=22, data='SSH-2.0-5.25
> FlowSsh: Bitvise SSH Server (WinSSHD) 6.07: free only for personal
> non-commercial use\r\n')))
> ----------------------------------------------------------------

I just need to modify the packets on the fly.

Thank you for your help

user1618465
  • You mean, before consumers of those packets on the machine get to see it? – Santa Jul 28 '14 at 23:36
  • That packet is going to me but the real destination is another machine. So I want to change some data in the packet and forward it to the other machine. – user1618465 Jul 28 '14 at 23:40
  • I'm not sure how you can do this without implementing a filter that injects itself in the system's network stack. `pcap` lets you sniff packets that are already on the way out/in. By the time you get a packet to be able to `print()` it, it's already too late to replace it. – Santa Jul 28 '14 at 23:49
  • There must be a way to modify the packets on the fly right? – user1618465 Jul 29 '14 at 02:14
  • There is. But I'm not sure using pcap is sufficient for the task. – Santa Jul 29 '14 at 17:17
  • What do I need to use to do it? Thank you – user1618465 Jul 29 '14 at 17:19
  • Implement a network filter driver? – Santa Jul 29 '14 at 17:23
  • "That packet is going to me but the real destination is other machine." Unless I just misread your intent. If what you were trying to do is stage a MITM attack, pcap might be able to do it, after all. – Santa Jul 29 '14 at 17:25
  • Yes, the situation is a kind of MITM but I need to modify the packets, not do the ARP spoofing itself. – user1618465 Jul 29 '14 at 17:27
  • Have you looked into [scapy](http://www.secdev.org/projects/scapy/)? It's a great tool for things like that. – Santa Jul 29 '14 at 17:31
