I'm sure you have run into situations where you needed to fake the IP address in a capture file. This might be required when you're trying to send a capture file to someone you don't really want to share your real IP addresses with, or you just want to change it because you can. If you've tried this and looked around the web, you'd know that there aren't many guides available and most people would just casually say "just use sed" or "use WireEdit" and pay for a license. Both work, but I got frustrated in a particular situation where sed wasn't an option (the file was a few GB in size and most text editors would just freeze) and, to make matters worse, I needed to filter a lot of data and only keep the source and destination IP addresses in there for privacy's sake. Yeah, that means removing all that noise like DNS, UDP, Broadcast, Cisco ARP, Broadcast, MDNS (yes, that too), SSDP ... pretty much anything except the TCP/UDP, HTTP and TLS traffic between my server and the destination server. So, in summary, I needed to filter out all of that noise and change the IP address in the packet capture file to hide my source IP address, which is similar to faking an IP address in packet captures. You can also use other tools to do it on the fly, but they require more setup, and all I wanted to do was hide my source IP.
To keep things simple for this guide, I'll just use a browser and browse to https://www.blackmoreops.com. This will generate some TCP, HTTP and TLS traffic along with some other noise that I'll filter out in Wireshark, and then I'll change my workstation IP address (192.168.2.99) to the Google DNS IP address (188.8.131.52).
(p.s. this is a super quick dump of the process, so excuse the typos)
Step 1: Filter pcap for source and destination
This is a standard Wireshark filter. Simply filter for what you want to see in your pcap. In my case, it was the IP address for https://www.blackmoreops.com and my server.
ip.addr==184.108.40.206 && ip.addr == 192.168.2.99
It looks something like this in Wireshark!
As you can see, I've marked the IP filter and the source and destination. I want to change my source IP 192.168.2.99 to something else here. I could very well change my destination IP address as well, but let's keep it simple here.
Step 2: hexdump the capture file
This isn't really necessary, but I wanted to show it so that you know what we're dealing with here. hexdump is a standard Linux tool that shows the contents of files in hex.
See all those 0000 and ffff values and so on? Those are the hex values of the different fields.
Step 3: Finding your IP's hex value in the capture file
I'm sure you already know how to find your own IP address on any machine, but I just wanted to show where it is in the packet capture file and what it looks like.
So, 192.168.2.99 is the private IP address on my server, and in hex it's C0 A8 02 63. I've confirmed it by highlighting Source: 192.168.2.99 in Wireshark, which then highlights the hex values.
Step 4: Confirming your IP's hex value in the pcap file
Since I can't really translate an IP address to hex on the fly (can you?), I decided to double-check it on a publicly available website that has such a tool, i.e. https://ncalculators.com/digital-computation/ip-address-hex-decimal-binary.htm
This simply proves that the hex we saw in the packet capture was correct. We'll use the same website to get the hex value for the fake IP address we want, too.
Step 5: Finding your IP's hex value in a hex editor (HxD)
I use HxD, which is a fast, free hex editor that can open files of any size (up to 8EB) and offers raw read/write access to disks and main memory (RAM), while still being as easy to use as any text editor. This solves a lot of problems, like text editors not being able to open large files, or hex values being shown in too much of a gibberish format (HxD shows a nice layout). HxD is a carefully designed and fast hex editor which, besides raw disk editing and modifying of main memory (RAM), handles files of any size. The easy-to-use interface offers features such as searching and replacing, exporting, checksums/digests, insertion of byte patterns, a file shredder, concatenation or splitting of files, statistics and much more.
Editing works like in a text editor, with a focus on simple, task-oriented operation; as such, functions were streamlined to hide differences that are purely technical.
For example, drives and memory are presented much like a file and are shown as a whole, in contrast to a sector/region-limited view that cuts off data which potentially belongs together. Drives and memory can be edited the same way as a regular file, including support for undo. In addition, memory sections define a foldable region, and inaccessible sections are hidden by default.
Furthermore, a lot of effort was put into making operations fast and efficient, instead of forcing you to use specialized functions for technical reasons or arbitrarily limiting file sizes. This includes a responsive interface and progress indicators for lengthy operations. I like this tool and use it; you can use anything you want.
I used the portable English version for this exercise: https://mh-nexus.de/en/downloads.php?product=HxD20
Simply open the capture file in HxD and search for C0 A8 02 63 (which is the IP address as a hex value). It finds it a total of 363 times (that matches the captured pcap file I had).
Step 6: Convert your new fake IP address to a hex value
Going back to https://ncalculators.com/digital-computation/ip-address-hex-decimal-binary.htm I simply put 8.8.8.8 as the IP address and it gave me Hex = 8080808.
That is slightly incorrect, as it didn't add the leading zero in the hex. 8.8.8.8 converted to hex is actually 08080808 or 08 08 08 08 (four groups of two characters, one per octet). We'll now use 08 08 08 08 to replace 192.168.2.99 (Hex == C0 A8 02 63). If you're not sure about this, simply use something like 220.127.116.11 (some random IP).
Step 7: Replacing the IP address hex with the new hex
Simply open HxD and search and replace:
Yep, it's really that easy. It needs a bit of practice when replacing long strings that break across multiple lines, but in the end, it's as simple as that. Once you press "Replace all" it will give you something like this:
Save the file as a new file as .cap or .pcap or any Wireshark-supported format. You might get a few errors like "out of bounds"; simply ignore those.
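As an added example (not from the original post or from HxD), here is the same replacement done at the packet level instead of over raw bytes: it streams a classic libpcap file record by record (so multi-GB files are fine), touches only the IPv4 source/destination fields rather than every matching byte run (a raw find/replace would also hit a C0 A8 02 63 that happens to sit inside a payload), and recomputes the IPv4 header checksum that a byte-level edit leaves stale. The TCP/UDP checksums, which also cover the addresses, are left untouched, pcapng is not handled, and the one-packet capture built by `sample_pcap()` is constructed for the demo.

```python
import io, socket, struct

def ipv4_checksum(header):
    """RFC 791 one's-complement sum; returns 0 over a header whose checksum field is valid."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def rewrite_frame(frame, old_ip, new_ip):
    """Swap old_ip for new_ip in the IPv4 src/dst of one Ethernet frame and fix the header checksum."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return frame  # not IPv4 over Ethernet (ARP, IPv6, ...): leave untouched
    ihl = (frame[14] & 0x0F) * 4
    # inet_aton gives the four zero-padded bytes: 8.8.8.8 -> 08 08 08 08, not 8080808
    old, new = socket.inet_aton(old_ip), socket.inet_aton(new_ip)
    ip = bytearray(frame[14:14 + ihl])
    if ip[12:16] == old: ip[12:16] = new  # source address
    if ip[16:20] == old: ip[16:20] = new  # destination address
    ip[10:12] = b"\x00\x00"               # zero the checksum field, then recompute it
    ip[10:12] = struct.pack("!H", ipv4_checksum(bytes(ip)))
    return frame[:14] + bytes(ip) + frame[14 + ihl:]

def rewrite_pcap(fin, fout, old_ip, new_ip):
    """Stream a classic libpcap file record by record (fine for multi-GB captures); returns frames changed."""
    gh = fin.read(24)
    endian = "<" if struct.unpack("<I", gh[:4])[0] in (0xA1B2C3D4, 0xA1B23C4D) else ">"
    fout.write(gh)
    changed = 0
    while True:
        rh = fin.read(16)  # ts_sec, ts_usec, incl_len, orig_len
        if len(rh) < 16:
            break
        frame = fin.read(struct.unpack(endian + "IIII", rh)[2])
        out = rewrite_frame(frame, old_ip, new_ip)
        changed += out != frame
        fout.write(rh + out)
    return changed

def sample_pcap():
    """Constructed one-packet little-endian pcap: TCP 192.168.2.99 -> 184.108.40.206, no payload."""
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0, 64, 6, 0, socket.inet_aton("192.168.2.99"), socket.inet_aton("184.108.40.206")))
    ip[10:12] = struct.pack("!H", ipv4_checksum(bytes(ip)))
    frame = b"\x00" * 12 + b"\x08\x00" + bytes(ip) + b"\x00" * 20  # Ethernet + IPv4 + bare TCP header
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

def demo(old_ip="192.168.2.99", new_ip="8.8.8.8"):
    fin, fout = io.BytesIO(sample_pcap()), io.BytesIO()  # in-memory stand-in for the real files
    return rewrite_pcap(fin, fout, old_ip, new_ip), fout.getvalue()
```

For a real file, pass `open(src, "rb")` and `open(dst, "wb")` to `rewrite_pcap` instead of the in-memory buffers used by `demo()`.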
Step 8: New pcap file with fake IP address
What good is a guide if you don't confirm it? Lo and behold, your new pcap file with a fake IP:
I've selected Source: 8.8.8.8, which highlights hex 08 08 08 08 in Wireshark.
Not that hard, and it can be done using many different tools. The practical use for such a replacement is quite good. Obviously, in my case it was just to hide my server IP address, but imagine if you captured network traffic while someone was trying to sign in to a website and your pcap contained the cookie. You could edit the pcap file to change their machine IP to yours, use tcpreplay, Colasoft Packet Player or PlayCap to replay the file on your computer, and suddenly you have the cookie to sign in! And of course this process can be used to do more than just that. Let me know how you'd do the steps above! Same tool or something better?