An Interactive Pcap Editor (based on Scapy)
.gitignore
HTTP.py
README.md
cmds.search.txt
cmds.searchreplace.txt
cmds.settcp.txt
cmds.setudp.txt
http.cap
pcapedit.py
requirements.txt
todo

pcapedit

This script lets you interactively search within and edit a pcap file. The sample sessions below, produced by feeding the included command files (cmds.search.txt, cmds.searchreplace.txt) to the script on stdin, show the supported searches and replacements in more detail.

Usage:

```
$ python pcapedit.py <cmds.search.txt
PcapEdit - An Interactive Pcap Editor

Nothing to search! Use 'analyze' first.

Read 43 packets from http.cap

search for tcp packets
Found 41 matches for search query '6 in ip.proto': 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 14, 15, 16, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43

search for udp packets
Found 2 matches for search query '17 in ip.proto': 13, 17

search for raw string
Found 5 matches for search query '(?i)Google in pay.load': 8, 10, 18, 26, 36

search for raw string
Incorrect searchvalue 'test' for protofield 'dns.ns', expected <type 'int'>

search for raw string
Found 19 matches for search query '.* in pay.load': 4, 6, 8, 10, 11, 14, 16, 18, 20, 21, 23, 26, 27, 29, 31, 32, 34, 36, 38

search within ether packets
Found 20 matches for search query '00:00:01:00:00:00 in ether.src': 1, 3, 4, 7, 9, 12, 13, 15, 18, 19, 22, 25, 28, 30, 33, 35, 37, 39, 41, 42
$
```
```
$ python pcapedit.py <cmds.searchreplace.txt
PcapEdit - An Interactive Pcap Editor

Read 43 packets from http.cap

Replacing IP.src to '1.1.1.1' where IP.src is '145.254.160.237'
     0: IP.src: 145.254.160.237 -> 1.1.1.1 (coz IP.src is 145.254.160.237)
     2: IP.src: 145.254.160.237 -> 1.1.1.1 (coz IP.src is 145.254.160.237)
     3: IP.src: 145.254.160.237 -> 1.1.1.1 (coz IP.src is 145.254.160.237)
     6: IP.src: 145.254.160.237 -> 1.1.1.1 (coz IP.src is 145.254.160.237)
     8: IP.src: 145.254.160.237 -> 1.1.1.1 (coz IP.src is 145.254.160.237)
    11: IP.src: 145.254.160.237 -> 1.1.1.1 (coz IP.src is 145.254.160.237)
    12: IP.src: 145.254.160.237 -> 1.1.1.1 (coz IP.src is 145.254.160.237)
    14: IP.src: 145.254.160.237 -> 1.1.1.1 (coz IP.src is 145.254.160.237)
    17: IP.src: 145.254.160.237 -> 1.1.1.1 (coz IP.src is 145.254.160.237)
    18: IP.src: 145.254.160.237 -> 1.1.1.1 (coz IP.src is 145.254.160.237)
    21: IP.src: 145.254.160.237 -> 1.1.1.1 (coz IP.src is 145.254.160.237)
    24: IP.src: 145.254.160.237 -> 1.1.1.1 (coz IP.src is 145.254.160.237)
    27: IP.src: 145.254.160.237 -> 1.1.1.1 (coz IP.src is 145.254.160.237)
    29: IP.src: 145.254.160.237 -> 1.1.1.1 (coz IP.src is 145.254.160.237)
    32: IP.src: 145.254.160.237 -> 1.1.1.1 (coz IP.src is 145.254.160.237)
    34: IP.src: 145.254.160.237 -> 1.1.1.1 (coz IP.src is 145.254.160.237)
    36: IP.src: 145.254.160.237 -> 1.1.1.1 (coz IP.src is 145.254.160.237)
    38: IP.src: 145.254.160.237 -> 1.1.1.1 (coz IP.src is 145.254.160.237)
    40: IP.src: 145.254.160.237 -> 1.1.1.1 (coz IP.src is 145.254.160.237)
    41: IP.src: 145.254.160.237 -> 1.1.1.1 (coz IP.src is 145.254.160.237)
Replacing IP.dst to '1.1.1.1' where IP.dst is '145.254.160.237'
     1: IP.dst: 145.254.160.237 -> 1.1.1.1 (coz IP.dst is 145.254.160.237)
     4: IP.dst: 145.254.160.237 -> 1.1.1.1 (coz IP.dst is 145.254.160.237)
     5: IP.dst: 145.254.160.237 -> 1.1.1.1 (coz IP.dst is 145.254.160.237)
     7: IP.dst: 145.254.160.237 -> 1.1.1.1 (coz IP.dst is 145.254.160.237)
     9: IP.dst: 145.254.160.237 -> 1.1.1.1 (coz IP.dst is 145.254.160.237)
    10: IP.dst: 145.254.160.237 -> 1.1.1.1 (coz IP.dst is 145.254.160.237)
    13: IP.dst: 145.254.160.237 -> 1.1.1.1 (coz IP.dst is 145.254.160.237)
    15: IP.dst: 145.254.160.237 -> 1.1.1.1 (coz IP.dst is 145.254.160.237)
    16: IP.dst: 145.254.160.237 -> 1.1.1.1 (coz IP.dst is 145.254.160.237)
    19: IP.dst: 145.254.160.237 -> 1.1.1.1 (coz IP.dst is 145.254.160.237)
    20: IP.dst: 145.254.160.237 -> 1.1.1.1 (coz IP.dst is 145.254.160.237)
    22: IP.dst: 145.254.160.237 -> 1.1.1.1 (coz IP.dst is 145.254.160.237)
    23: IP.dst: 145.254.160.237 -> 1.1.1.1 (coz IP.dst is 145.254.160.237)
    25: IP.dst: 145.254.160.237 -> 1.1.1.1 (coz IP.dst is 145.254.160.237)
    26: IP.dst: 145.254.160.237 -> 1.1.1.1 (coz IP.dst is 145.254.160.237)
    28: IP.dst: 145.254.160.237 -> 1.1.1.1 (coz IP.dst is 145.254.160.237)
    30: IP.dst: 145.254.160.237 -> 1.1.1.1 (coz IP.dst is 145.254.160.237)
    31: IP.dst: 145.254.160.237 -> 1.1.1.1 (coz IP.dst is 145.254.160.237)
    33: IP.dst: 145.254.160.237 -> 1.1.1.1 (coz IP.dst is 145.254.160.237)
    35: IP.dst: 145.254.160.237 -> 1.1.1.1 (coz IP.dst is 145.254.160.237)
    37: IP.dst: 145.254.160.237 -> 1.1.1.1 (coz IP.dst is 145.254.160.237)
    39: IP.dst: 145.254.160.237 -> 1.1.1.1 (coz IP.dst is 145.254.160.237)
    42: IP.dst: 145.254.160.237 -> 1.1.1.1 (coz IP.dst is 145.254.160.237)

Replacing IP.src to '2.2.2.2' where IP.src is '65.208.228.223'
     1: IP.src: 65.208.228.223 -> 2.2.2.2 (coz IP.src is 65.208.228.223)
     4: IP.src: 65.208.228.223 -> 2.2.2.2 (coz IP.src is 65.208.228.223)
     5: IP.src: 65.208.228.223 -> 2.2.2.2 (coz IP.src is 65.208.228.223)
     7: IP.src: 65.208.228.223 -> 2.2.2.2 (coz IP.src is 65.208.228.223)
     9: IP.src: 65.208.228.223 -> 2.2.2.2 (coz IP.src is 65.208.228.223)
    10: IP.src: 65.208.228.223 -> 2.2.2.2 (coz IP.src is 65.208.228.223)
    13: IP.src: 65.208.228.223 -> 2.2.2.2 (coz IP.src is 65.208.228.223)
    15: IP.src: 65.208.228.223 -> 2.2.2.2 (coz IP.src is 65.208.228.223)
    19: IP.src: 65.208.228.223 -> 2.2.2.2 (coz IP.src is 65.208.228.223)
    20: IP.src: 65.208.228.223 -> 2.2.2.2 (coz IP.src is 65.208.228.223)
    22: IP.src: 65.208.228.223 -> 2.2.2.2 (coz IP.src is 65.208.228.223)
    28: IP.src: 65.208.228.223 -> 2.2.2.2 (coz IP.src is 65.208.228.223)
    30: IP.src: 65.208.228.223 -> 2.2.2.2 (coz IP.src is 65.208.228.223)
    31: IP.src: 65.208.228.223 -> 2.2.2.2 (coz IP.src is 65.208.228.223)
    33: IP.src: 65.208.228.223 -> 2.2.2.2 (coz IP.src is 65.208.228.223)
    37: IP.src: 65.208.228.223 -> 2.2.2.2 (coz IP.src is 65.208.228.223)
    39: IP.src: 65.208.228.223 -> 2.2.2.2 (coz IP.src is 65.208.228.223)
    42: IP.src: 65.208.228.223 -> 2.2.2.2 (coz IP.src is 65.208.228.223)
Replacing IP.dst to '2.2.2.2' where IP.dst is '65.208.228.223'
     0: IP.dst: 65.208.228.223 -> 2.2.2.2 (coz IP.dst is 65.208.228.223)
     2: IP.dst: 65.208.228.223 -> 2.2.2.2 (coz IP.dst is 65.208.228.223)
     3: IP.dst: 65.208.228.223 -> 2.2.2.2 (coz IP.dst is 65.208.228.223)
     6: IP.dst: 65.208.228.223 -> 2.2.2.2 (coz IP.dst is 65.208.228.223)
     8: IP.dst: 65.208.228.223 -> 2.2.2.2 (coz IP.dst is 65.208.228.223)
    11: IP.dst: 65.208.228.223 -> 2.2.2.2 (coz IP.dst is 65.208.228.223)
    14: IP.dst: 65.208.228.223 -> 2.2.2.2 (coz IP.dst is 65.208.228.223)
    18: IP.dst: 65.208.228.223 -> 2.2.2.2 (coz IP.dst is 65.208.228.223)
    21: IP.dst: 65.208.228.223 -> 2.2.2.2 (coz IP.dst is 65.208.228.223)
    24: IP.dst: 65.208.228.223 -> 2.2.2.2 (coz IP.dst is 65.208.228.223)
    29: IP.dst: 65.208.228.223 -> 2.2.2.2 (coz IP.dst is 65.208.228.223)
    32: IP.dst: 65.208.228.223 -> 2.2.2.2 (coz IP.dst is 65.208.228.223)
    34: IP.dst: 65.208.228.223 -> 2.2.2.2 (coz IP.dst is 65.208.228.223)
    38: IP.dst: 65.208.228.223 -> 2.2.2.2 (coz IP.dst is 65.208.228.223)
    40: IP.dst: 65.208.228.223 -> 2.2.2.2 (coz IP.dst is 65.208.228.223)
    41: IP.dst: 65.208.228.223 -> 2.2.2.2 (coz IP.dst is 65.208.228.223)

     0: 2004/05/13 03:17:07            1.1.1.1:3372 -> 2.2.2.2:80              TCP S
     1: 2004/05/13 03:17:08              2.2.2.2:80 -> 1.1.1.1:3372            TCP SA
     2: 2004/05/13 03:17:08            1.1.1.1:3372 -> 2.2.2.2:80              TCP A
     3: 2004/05/13 03:17:08            1.1.1.1:3372 -> 2.2.2.2:80              TCP PA (479 bytes)
     4: 2004/05/13 03:17:08              2.2.2.2:80 -> 1.1.1.1:3372            TCP A
     5: 2004/05/13 03:17:08              2.2.2.2:80 -> 1.1.1.1:3372            TCP A (1380 bytes)
     6: 2004/05/13 03:17:09            1.1.1.1:3372 -> 2.2.2.2:80              TCP A
     7: 2004/05/13 03:17:09              2.2.2.2:80 -> 1.1.1.1:3372            TCP A (1380 bytes)
     8: 2004/05/13 03:17:09            1.1.1.1:3372 -> 2.2.2.2:80              TCP A
     9: 2004/05/13 03:17:09              2.2.2.2:80 -> 1.1.1.1:3372            TCP A (1380 bytes)
    10: 2004/05/13 03:17:09              2.2.2.2:80 -> 1.1.1.1:3372            TCP PA (1380 bytes)
    11: 2004/05/13 03:17:09            1.1.1.1:3372 -> 2.2.2.2:80              TCP A
    12: 2004/05/13 03:17:09            1.1.1.1:3009 -> 145.253.2.203:53        UDP (47 bytes)
    13: 2004/05/13 03:17:09              2.2.2.2:80 -> 1.1.1.1:3372            TCP A (1380 bytes)
    14: 2004/05/13 03:17:10            1.1.1.1:3372 -> 2.2.2.2:80              TCP A
    15: 2004/05/13 03:17:10              2.2.2.2:80 -> 1.1.1.1:3372            TCP A (1380 bytes)
    16: 2004/05/13 03:17:10        145.253.2.203:53 -> 1.1.1.1:3009            UDP (146 bytes)
    17: 2004/05/13 03:17:10            1.1.1.1:3371 -> 216.239.59.99:80        TCP PA (721 bytes)
    18: 2004/05/13 03:17:10            1.1.1.1:3372 -> 2.2.2.2:80              TCP A
    19: 2004/05/13 03:17:10              2.2.2.2:80 -> 1.1.1.1:3372            TCP A (1380 bytes)
    20: 2004/05/13 03:17:10              2.2.2.2:80 -> 1.1.1.1:3372            TCP PA (1380 bytes)
    21: 2004/05/13 03:17:10            1.1.1.1:3372 -> 2.2.2.2:80              TCP A
    22: 2004/05/13 03:17:10              2.2.2.2:80 -> 1.1.1.1:3372            TCP A (1380 bytes)
    23: 2004/05/13 03:17:10        216.239.59.99:80 -> 1.1.1.1:3371            TCP A
    24: 2004/05/13 03:17:11            1.1.1.1:3372 -> 2.2.2.2:80              TCP A
    25: 2004/05/13 03:17:11        216.239.59.99:80 -> 1.1.1.1:3371            TCP PA (1430 bytes)
    26: 2004/05/13 03:17:11        216.239.59.99:80 -> 1.1.1.1:3371            TCP PA (160 bytes)
    27: 2004/05/13 03:17:11            1.1.1.1:3371 -> 216.239.59.99:80        TCP A
    28: 2004/05/13 03:17:11              2.2.2.2:80 -> 1.1.1.1:3372            TCP PA (1380 bytes)
    29: 2004/05/13 03:17:11            1.1.1.1:3372 -> 2.2.2.2:80              TCP A
    30: 2004/05/13 03:17:11              2.2.2.2:80 -> 1.1.1.1:3372            TCP A (1380 bytes)
    31: 2004/05/13 03:17:11              2.2.2.2:80 -> 1.1.1.1:3372            TCP A (1380 bytes)
    32: 2004/05/13 03:17:11            1.1.1.1:3372 -> 2.2.2.2:80              TCP A
    33: 2004/05/13 03:17:11              2.2.2.2:80 -> 1.1.1.1:3372            TCP A (1380 bytes)
    34: 2004/05/13 03:17:11            1.1.1.1:3372 -> 2.2.2.2:80              TCP A
    35: 2004/05/13 03:17:12        216.239.59.99:80 -> 1.1.1.1:3371            TCP PA (1430 bytes)
    36: 2004/05/13 03:17:12            1.1.1.1:3371 -> 216.239.59.99:80        TCP A
    37: 2004/05/13 03:17:12              2.2.2.2:80 -> 1.1.1.1:3372            TCP PA (424 bytes)
    38: 2004/05/13 03:17:12            1.1.1.1:3372 -> 2.2.2.2:80              TCP A
    39: 2004/05/13 03:17:25              2.2.2.2:80 -> 1.1.1.1:3372            TCP FA
    40: 2004/05/13 03:17:25            1.1.1.1:3372 -> 2.2.2.2:80              TCP A
    41: 2004/05/13 03:17:37            1.1.1.1:3372 -> 2.2.2.2:80              TCP FA
    42: 2004/05/13 03:17:37              2.2.2.2:80 -> 1.1.1.1:3372            TCP A

Wrote 43 packet(s) to http.mod.cap
$
```
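The two sessions above cover the two things an analyst usually needs before a capture leaves the team: finding packets by header field or payload regex, and rewriting addresses so the file can be shared. The block below is an added example, not pcapedit's own code, that does the same at the byte level without Scapy: it walks a little-endian pcap, searches TCP/UDP payloads with a regex, rewrites IPv4 source/destination addresses from a mapping, and then repairs both the IPv4 header checksum and the TCP/UDP checksum. The transport checksum matters because its pseudo-header covers the addresses, so a rewrite that only patches the IP header leaves every TCP/UDP checksum wrong and the edited file looks corrupted in any analysis tool. The sample capture, its timestamps and the output file name are constructed for this example; the addresses and ports reuse the values from the sessions above; all function names (`rewrite_pcap`, `search_payload`, `fix_checksums`, ...) belong to this example, not to pcapedit.

```python
import re
import socket
import struct
# Added example (not pcapedit's code): byte-level pcap search and IPv4 address
# rewriting with checksum repair, mirroring what the README sessions do via Scapy.
PCAP_MAGIC_LE = 0xA1B2C3D4        # only little-endian pcap files are handled here
ETHERTYPE_IPV4 = 0x0800

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum of data; odd-length input is zero-padded."""
    if len(data) % 2: data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def fix_checksums(ip: bytes) -> bytes:
    """Recompute the IPv4 header checksum and the TCP/UDP checksum, whose pseudo-header
    covers src/dst (so an address rewrite breaks it too). Trailing padding is kept."""
    ihl, total_len, proto = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0], ip[9]
    hdr = bytearray(ip[:ihl])
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ones_complement_sum(bytes(hdr)))
    seg = bytearray(ip[ihl:total_len])
    off = {6: 16, 17: 6}.get(proto)        # checksum field offset in TCP / UDP
    if off is not None and len(seg) >= off + 2:
        seg[off:off + 2] = b"\x00\x00"
        pseudo = bytes(hdr[12:20]) + struct.pack("!BBH", 0, proto, len(seg))
        csum = ones_complement_sum(pseudo + bytes(seg))
        if proto == 17 and csum == 0:      # UDP: 0 means "no checksum", so send 0xFFFF
            csum = 0xFFFF
        seg[off:off + 2] = struct.pack("!H", csum)
    return bytes(hdr) + bytes(seg) + ip[total_len:]

def is_ipv4(frame: bytes) -> bool:
    return len(frame) >= 34 and struct.unpack("!H", frame[12:14])[0] == ETHERTYPE_IPV4

def checksums_valid(frame: bytes) -> bool:
    """True when every checksum in an IPv4 Ethernet frame is correct."""
    return is_ipv4(frame) and fix_checksums(frame[14:]) == frame[14:]

def addresses_of(frame: bytes):
    return socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])

def rewrite_addresses(frame: bytes, mapping: dict) -> bytes:
    """Replace IPv4 src/dst per mapping (cf. 'replace IP.src ... where IP.src is ...')."""
    if not is_ipv4(frame):
        return frame                       # non-IPv4 frames pass through untouched
    src, dst = addresses_of(frame)
    new_src, new_dst = mapping.get(src, src), mapping.get(dst, dst)
    if (new_src, new_dst) == (src, dst):
        return frame
    ip = bytearray(frame[14:])
    ip[12:16], ip[16:20] = socket.inet_aton(new_src), socket.inet_aton(new_dst)
    return frame[:14] + fix_checksums(bytes(ip))

def payload_of(frame: bytes) -> bytes:
    """Application payload after the TCP/UDP header (empty for anything else)."""
    if not is_ipv4(frame):
        return b""
    ip = frame[14:]
    seg = ip[(ip[0] & 0x0F) * 4:struct.unpack("!H", ip[2:4])[0]]
    if ip[9] == 6 and len(seg) >= 20:      # TCP: honour the data offset
        return seg[(seg[12] >> 4) * 4:]
    return seg[8:] if ip[9] == 17 and len(seg) >= 8 else b""

def iter_pcap(blob: bytes):
    """Yield (ts_sec, ts_usec, orig_len, frame) per record of a little-endian pcap."""
    assert struct.unpack("<I", blob[:4])[0] == PCAP_MAGIC_LE, "little-endian pcap expected"
    off = 24
    while off + 16 <= len(blob):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack("<IIII", blob[off:off + 16])
        off += 16
        yield ts_sec, ts_usec, orig_len, blob[off:off + incl_len]
        off += incl_len

def search_payload(blob: bytes, pattern: str) -> list:
    """Indices of packets whose payload matches the regex (cf. '(?i)Google in pay.load')."""
    rx = re.compile(pattern.encode())
    return [i for i, (_, _, _, f) in enumerate(iter_pcap(blob)) if rx.search(payload_of(f))]

def rewrite_pcap(blob: bytes, mapping: dict):
    """Return (rewritten pcap bytes, indices of the packets that changed)."""
    out, changed = bytearray(blob[:24]), []
    for i, (ts_sec, ts_usec, orig_len, frame) in enumerate(iter_pcap(blob)):
        new = rewrite_addresses(frame, mapping)
        if new != frame: changed.append(i)
        out += struct.pack("<IIII", ts_sec, ts_usec, len(new), orig_len) + new
    return bytes(out), changed

# Constructed sample capture: two TCP packets between the README's two hosts.
def build_tcp_frame(src, dst, sport, dport, flags, payload=b"") -> bytes:
    eth = bytes.fromhex("000001000000" "000000000001") + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + tcp
    return eth + fix_checksums(ip)        # fills in both checksums

def build_pcap(frames) -> bytes:
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    return hdr + b"".join(struct.pack("<IIII", 1084418227 + i, 0, len(f), len(f)) + f
                          for i, f in enumerate(frames))

SAMPLE_PCAP = build_pcap([
    build_tcp_frame("145.254.160.237", "65.208.228.223", 3372, 80, 0x18,
                    b"GET / HTTP/1.1\r\nHost: www.google.com\r\n\r\n"),
    build_tcp_frame("65.208.228.223", "145.254.160.237", 80, 3372, 0x10)])
MAPPING = {"145.254.160.237": "1.1.1.1", "65.208.228.223": "2.2.2.2"}
```

Typical use is `out, changed = rewrite_pcap(SAMPLE_PCAP, MAPPING)` followed by writing `out` to a new file, the same flow as the `Wrote 43 packet(s) to http.mod.cap` step above; `search_payload(SAMPLE_PCAP, r"(?i)google")` returns the indices that the `'(?i)Google in pay.load'` query would. Scapy (which pcapedit builds on) recomputes checksums for you when a field is deleted before the packet is rebuilt; a byte-level editor has to do it itself, which is why `fix_checksums` runs after every rewrite and why `checksums_valid` is worth running over the output before the file is shared.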

Credits: