Edit PCAP using Ostinato
A popular use case for Ostinato is to import and replay PCAP (packet capture) files - and that’s one reason why Ostinato is Wireshark in Reverse!
Sometimes you need to edit the packet contents before you replay e.g. changing IP or MAC addresses, TCP/UDP port numbers etc. You can do that with Ostinato after you import the PCAP file.
However, you need to edit each imported packet individually (each PCAP packet is imported as a Ostinato stream). This is doable if you have only a few packets to edit, but quickly gets painful and downright impossible if you have hundreds or thousands of packets that you need to rewrite.
Here’s where tools like bittwiste and tcprewrite can help rewrite all packets as per your requirement. But they have their own limitations.
Starting Ostinato v1.2, you can do this bulk rewrite of protocol fields directly within Ostinato using the new Find & Replace Feature. And you can rewrite ALL fields of ALL protocols natively supported by Ostinato.
The first thing to ensure though is that the Recalculate Checksums option is selected when importing the PCAP file. Without this, when you replay edited packets, you will end up with packets being dropped due to incorrect checksums.
Once your packets are imported as Ostinato streams, select Find & Replace from the streams context-menu to open the Find & Replace Dialog -
The above image should be pretty much self-evident. You select the protocol and field that you want to change, enter the find and replace values and you are good to go. You can use match/replace masks for partial rewrites. See the Ostinato find & replace documentation for further details.
💎 Find & Replace works not only for PCAP editing but also for Ostinato streams created from scratch
Once you’ve rewritten the protocol fields, you can replay and transmit the edited packets or save them as a PCAP file.
Here’s a video showing how Find & Replace works -
For more Ostinato related content, subscribe for email updates.
Leave a Comment