pcapedit

This script lets you interactively search within and edit a pcap file. The sample output below, produced from the included command files, shows the search and search-and-replace commands in use.

Usage:

$ python pcapedit.py <cmds.search.txt 
PcapEdit - An Interactive Pcap Editor

Nothing to search! Use 'analyze' first.

Read 43 packets from http.cap

search for tcp packets
Found 41 matches for search query '6 in ip.proto': 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 14, 15, 16, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43

search for udp packets
Found 2 matches for search query '17 in ip.proto': 13, 17

search for raw string
Found 5 matches for search query '(?i)Google in pay.load': 8, 10, 18, 26, 36

search for raw string
Incorrect searchvalue 'test' for protofield 'dns.ns', expected <type 'int'>

search for raw string
Found 19 matches for search query '.* in pay.load': 4, 6, 8, 10, 11, 14, 16, 18, 20, 21, 23, 26, 27, 29, 31, 32, 34, 36, 38

search within ether packets
Found 20 matches for search query '00:00:01:00:00:00 in ether.src': 1, 3, 4, 7, 9, 12, 13, 15, 18, 19, 22, 25, 28, 30, 33, 35, 37, 39, 41, 42
$ 
$ python pcapedit.py <cmds.searchreplace.txt 
PcapEdit - An Interactive Pcap Editor

Read 43 packets from http.cap

Replacing IP.src to '1.1.1.1' where IP.src is '145.254.160.237'
     0: IP.src: 145.254.160.237 -> 1.1.1.1 (coz IP.src is 145.254.160.237)
     2: IP.src: 145.254.160.237 -> 1.1.1.1 (coz IP.src is 145.254.160.237)
     3: IP.src: 145.254.160.237 -> 1.1.1.1 (coz IP.src is 145.254.160.237)
     6: IP.src: 145.254.160.237 -> 1.1.1.1 (coz IP.src is 145.254.160.237)
     8: IP.src: 145.254.160.237 -> 1.1.1.1 (coz IP.src is 145.254.160.237)
    11: IP.src: 145.254.160.237 -> 1.1.1.1 (coz IP.src is 145.254.160.237)
    12: IP.src: 145.254.160.237 -> 1.1.1.1 (coz IP.src is 145.254.160.237)
    14: IP.src: 145.254.160.237 -> 1.1.1.1 (coz IP.src is 145.254.160.237)
    17: IP.src: 145.254.160.237 -> 1.1.1.1 (coz IP.src is 145.254.160.237)
    18: IP.src: 145.254.160.237 -> 1.1.1.1 (coz IP.src is 145.254.160.237)
    21: IP.src: 145.254.160.237 -> 1.1.1.1 (coz IP.src is 145.254.160.237)
    24: IP.src: 145.254.160.237 -> 1.1.1.1 (coz IP.src is 145.254.160.237)
    27: IP.src: 145.254.160.237 -> 1.1.1.1 (coz IP.src is 145.254.160.237)
    29: IP.src: 145.254.160.237 -> 1.1.1.1 (coz IP.src is 145.254.160.237)
    32: IP.src: 145.254.160.237 -> 1.1.1.1 (coz IP.src is 145.254.160.237)
    34: IP.src: 145.254.160.237 -> 1.1.1.1 (coz IP.src is 145.254.160.237)
    36: IP.src: 145.254.160.237 -> 1.1.1.1 (coz IP.src is 145.254.160.237)
    38: IP.src: 145.254.160.237 -> 1.1.1.1 (coz IP.src is 145.254.160.237)
    40: IP.src: 145.254.160.237 -> 1.1.1.1 (coz IP.src is 145.254.160.237)
    41: IP.src: 145.254.160.237 -> 1.1.1.1 (coz IP.src is 145.254.160.237)
Replacing IP.dst to '1.1.1.1' where IP.dst is '145.254.160.237'
     1: IP.dst: 145.254.160.237 -> 1.1.1.1 (coz IP.dst is 145.254.160.237)
     4: IP.dst: 145.254.160.237 -> 1.1.1.1 (coz IP.dst is 145.254.160.237)
     5: IP.dst: 145.254.160.237 -> 1.1.1.1 (coz IP.dst is 145.254.160.237)
     7: IP.dst: 145.254.160.237 -> 1.1.1.1 (coz IP.dst is 145.254.160.237)
     9: IP.dst: 145.254.160.237 -> 1.1.1.1 (coz IP.dst is 145.254.160.237)
    10: IP.dst: 145.254.160.237 -> 1.1.1.1 (coz IP.dst is 145.254.160.237)
    13: IP.dst: 145.254.160.237 -> 1.1.1.1 (coz IP.dst is 145.254.160.237)
    15: IP.dst: 145.254.160.237 -> 1.1.1.1 (coz IP.dst is 145.254.160.237)
    16: IP.dst: 145.254.160.237 -> 1.1.1.1 (coz IP.dst is 145.254.160.237)
    19: IP.dst: 145.254.160.237 -> 1.1.1.1 (coz IP.dst is 145.254.160.237)
    20: IP.dst: 145.254.160.237 -> 1.1.1.1 (coz IP.dst is 145.254.160.237)
    22: IP.dst: 145.254.160.237 -> 1.1.1.1 (coz IP.dst is 145.254.160.237)
    23: IP.dst: 145.254.160.237 -> 1.1.1.1 (coz IP.dst is 145.254.160.237)
    25: IP.dst: 145.254.160.237 -> 1.1.1.1 (coz IP.dst is 145.254.160.237)
    26: IP.dst: 145.254.160.237 -> 1.1.1.1 (coz IP.dst is 145.254.160.237)
    28: IP.dst: 145.254.160.237 -> 1.1.1.1 (coz IP.dst is 145.254.160.237)
    30: IP.dst: 145.254.160.237 -> 1.1.1.1 (coz IP.dst is 145.254.160.237)
    31: IP.dst: 145.254.160.237 -> 1.1.1.1 (coz IP.dst is 145.254.160.237)
    33: IP.dst: 145.254.160.237 -> 1.1.1.1 (coz IP.dst is 145.254.160.237)
    35: IP.dst: 145.254.160.237 -> 1.1.1.1 (coz IP.dst is 145.254.160.237)
    37: IP.dst: 145.254.160.237 -> 1.1.1.1 (coz IP.dst is 145.254.160.237)
    39: IP.dst: 145.254.160.237 -> 1.1.1.1 (coz IP.dst is 145.254.160.237)
    42: IP.dst: 145.254.160.237 -> 1.1.1.1 (coz IP.dst is 145.254.160.237)

Replacing IP.src to '2.2.2.2' where IP.src is '65.208.228.223'
     1: IP.src: 65.208.228.223 -> 2.2.2.2 (coz IP.src is 65.208.228.223)
     4: IP.src: 65.208.228.223 -> 2.2.2.2 (coz IP.src is 65.208.228.223)
     5: IP.src: 65.208.228.223 -> 2.2.2.2 (coz IP.src is 65.208.228.223)
     7: IP.src: 65.208.228.223 -> 2.2.2.2 (coz IP.src is 65.208.228.223)
     9: IP.src: 65.208.228.223 -> 2.2.2.2 (coz IP.src is 65.208.228.223)
    10: IP.src: 65.208.228.223 -> 2.2.2.2 (coz IP.src is 65.208.228.223)
    13: IP.src: 65.208.228.223 -> 2.2.2.2 (coz IP.src is 65.208.228.223)
    15: IP.src: 65.208.228.223 -> 2.2.2.2 (coz IP.src is 65.208.228.223)
    19: IP.src: 65.208.228.223 -> 2.2.2.2 (coz IP.src is 65.208.228.223)
    20: IP.src: 65.208.228.223 -> 2.2.2.2 (coz IP.src is 65.208.228.223)
    22: IP.src: 65.208.228.223 -> 2.2.2.2 (coz IP.src is 65.208.228.223)
    28: IP.src: 65.208.228.223 -> 2.2.2.2 (coz IP.src is 65.208.228.223)
    30: IP.src: 65.208.228.223 -> 2.2.2.2 (coz IP.src is 65.208.228.223)
    31: IP.src: 65.208.228.223 -> 2.2.2.2 (coz IP.src is 65.208.228.223)
    33: IP.src: 65.208.228.223 -> 2.2.2.2 (coz IP.src is 65.208.228.223)
    37: IP.src: 65.208.228.223 -> 2.2.2.2 (coz IP.src is 65.208.228.223)
    39: IP.src: 65.208.228.223 -> 2.2.2.2 (coz IP.src is 65.208.228.223)
    42: IP.src: 65.208.228.223 -> 2.2.2.2 (coz IP.src is 65.208.228.223)
Replacing IP.dst to '2.2.2.2' where IP.dst is '65.208.228.223'
     0: IP.dst: 65.208.228.223 -> 2.2.2.2 (coz IP.dst is 65.208.228.223)
     2: IP.dst: 65.208.228.223 -> 2.2.2.2 (coz IP.dst is 65.208.228.223)
     3: IP.dst: 65.208.228.223 -> 2.2.2.2 (coz IP.dst is 65.208.228.223)
     6: IP.dst: 65.208.228.223 -> 2.2.2.2 (coz IP.dst is 65.208.228.223)
     8: IP.dst: 65.208.228.223 -> 2.2.2.2 (coz IP.dst is 65.208.228.223)
    11: IP.dst: 65.208.228.223 -> 2.2.2.2 (coz IP.dst is 65.208.228.223)
    14: IP.dst: 65.208.228.223 -> 2.2.2.2 (coz IP.dst is 65.208.228.223)
    18: IP.dst: 65.208.228.223 -> 2.2.2.2 (coz IP.dst is 65.208.228.223)
    21: IP.dst: 65.208.228.223 -> 2.2.2.2 (coz IP.dst is 65.208.228.223)
    24: IP.dst: 65.208.228.223 -> 2.2.2.2 (coz IP.dst is 65.208.228.223)
    29: IP.dst: 65.208.228.223 -> 2.2.2.2 (coz IP.dst is 65.208.228.223)
    32: IP.dst: 65.208.228.223 -> 2.2.2.2 (coz IP.dst is 65.208.228.223)
    34: IP.dst: 65.208.228.223 -> 2.2.2.2 (coz IP.dst is 65.208.228.223)
    38: IP.dst: 65.208.228.223 -> 2.2.2.2 (coz IP.dst is 65.208.228.223)
    40: IP.dst: 65.208.228.223 -> 2.2.2.2 (coz IP.dst is 65.208.228.223)
    41: IP.dst: 65.208.228.223 -> 2.2.2.2 (coz IP.dst is 65.208.228.223)

     0: 2004/05/13 03:17:07            1.1.1.1:3372 -> 2.2.2.2:80              TCP S
     1: 2004/05/13 03:17:08              2.2.2.2:80 -> 1.1.1.1:3372            TCP SA
     2: 2004/05/13 03:17:08            1.1.1.1:3372 -> 2.2.2.2:80              TCP A
     3: 2004/05/13 03:17:08            1.1.1.1:3372 -> 2.2.2.2:80              TCP PA (479 bytes)
     4: 2004/05/13 03:17:08              2.2.2.2:80 -> 1.1.1.1:3372            TCP A
     5: 2004/05/13 03:17:08              2.2.2.2:80 -> 1.1.1.1:3372            TCP A (1380 bytes)
     6: 2004/05/13 03:17:09            1.1.1.1:3372 -> 2.2.2.2:80              TCP A
     7: 2004/05/13 03:17:09              2.2.2.2:80 -> 1.1.1.1:3372            TCP A (1380 bytes)
     8: 2004/05/13 03:17:09            1.1.1.1:3372 -> 2.2.2.2:80              TCP A
     9: 2004/05/13 03:17:09              2.2.2.2:80 -> 1.1.1.1:3372            TCP A (1380 bytes)
    10: 2004/05/13 03:17:09              2.2.2.2:80 -> 1.1.1.1:3372            TCP PA (1380 bytes)
    11: 2004/05/13 03:17:09            1.1.1.1:3372 -> 2.2.2.2:80              TCP A
    12: 2004/05/13 03:17:09            1.1.1.1:3009 -> 145.253.2.203:53        UDP (47 bytes)
    13: 2004/05/13 03:17:09              2.2.2.2:80 -> 1.1.1.1:3372            TCP A (1380 bytes)
    14: 2004/05/13 03:17:10            1.1.1.1:3372 -> 2.2.2.2:80              TCP A
    15: 2004/05/13 03:17:10              2.2.2.2:80 -> 1.1.1.1:3372            TCP A (1380 bytes)
    16: 2004/05/13 03:17:10        145.253.2.203:53 -> 1.1.1.1:3009            UDP (146 bytes)
    17: 2004/05/13 03:17:10            1.1.1.1:3371 -> 216.239.59.99:80        TCP PA (721 bytes)
    18: 2004/05/13 03:17:10            1.1.1.1:3372 -> 2.2.2.2:80              TCP A
    19: 2004/05/13 03:17:10              2.2.2.2:80 -> 1.1.1.1:3372            TCP A (1380 bytes)
    20: 2004/05/13 03:17:10              2.2.2.2:80 -> 1.1.1.1:3372            TCP PA (1380 bytes)
    21: 2004/05/13 03:17:10            1.1.1.1:3372 -> 2.2.2.2:80              TCP A
    22: 2004/05/13 03:17:10              2.2.2.2:80 -> 1.1.1.1:3372            TCP A (1380 bytes)
    23: 2004/05/13 03:17:10        216.239.59.99:80 -> 1.1.1.1:3371            TCP A
    24: 2004/05/13 03:17:11            1.1.1.1:3372 -> 2.2.2.2:80              TCP A
    25: 2004/05/13 03:17:11        216.239.59.99:80 -> 1.1.1.1:3371            TCP PA (1430 bytes)
    26: 2004/05/13 03:17:11        216.239.59.99:80 -> 1.1.1.1:3371            TCP PA (160 bytes)
    27: 2004/05/13 03:17:11            1.1.1.1:3371 -> 216.239.59.99:80        TCP A
    28: 2004/05/13 03:17:11              2.2.2.2:80 -> 1.1.1.1:3372            TCP PA (1380 bytes)
    29: 2004/05/13 03:17:11            1.1.1.1:3372 -> 2.2.2.2:80              TCP A
    30: 2004/05/13 03:17:11              2.2.2.2:80 -> 1.1.1.1:3372            TCP A (1380 bytes)
    31: 2004/05/13 03:17:11              2.2.2.2:80 -> 1.1.1.1:3372            TCP A (1380 bytes)
    32: 2004/05/13 03:17:11            1.1.1.1:3372 -> 2.2.2.2:80              TCP A
    33: 2004/05/13 03:17:11              2.2.2.2:80 -> 1.1.1.1:3372            TCP A (1380 bytes)
    34: 2004/05/13 03:17:11            1.1.1.1:3372 -> 2.2.2.2:80              TCP A
    35: 2004/05/13 03:17:12        216.239.59.99:80 -> 1.1.1.1:3371            TCP PA (1430 bytes)
    36: 2004/05/13 03:17:12            1.1.1.1:3371 -> 216.239.59.99:80        TCP A
    37: 2004/05/13 03:17:12              2.2.2.2:80 -> 1.1.1.1:3372            TCP PA (424 bytes)
    38: 2004/05/13 03:17:12            1.1.1.1:3372 -> 2.2.2.2:80              TCP A
    39: 2004/05/13 03:17:25              2.2.2.2:80 -> 1.1.1.1:3372            TCP FA
    40: 2004/05/13 03:17:25            1.1.1.1:3372 -> 2.2.2.2:80              TCP A
    41: 2004/05/13 03:17:37            1.1.1.1:3372 -> 2.2.2.2:80              TCP FA
    42: 2004/05/13 03:17:37              2.2.2.2:80 -> 1.1.1.1:3372            TCP A

Wrote 43 packet(s) to http.mod.cap
$
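The search-and-replace session above rewrites IP.src and IP.dst, which is how a capture gets anonymised before it is shared. A detail the output does not show is that the IPv4 header checksum and the TCP/UDP checksums (whose pseudo-header includes both addresses) go stale after such an edit, and a reader that validates checksums flags the modified capture unless they are recomputed. The following pure-Python block is an added example, not pcapedit's code: it performs a minimal version of the same replace over a classic pcap and refreshes those checksums; the function names, the address mapping and the one-record sample pcap are constructed for the example.

```python
import socket, struct

def inet_checksum(data):
    """RFC 1071 ones-complement sum over 16-bit words; odd-length input is zero-padded."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def rewrite_frame(frame, mapping):
    """Swap IPv4 src/dst per mapping (4-byte -> 4-byte) and refresh checksums; returns (frame, fields_changed)."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":        # not Ethernet/IPv4: leave untouched
        return frame, 0
    ihl, total = (frame[14] & 0x0F) * 4, struct.unpack("!H", frame[16:18])[0]
    ip, l4 = bytearray(frame[14:14 + ihl]), bytearray(frame[14 + ihl:14 + total])
    old = [bytes(ip[off:off + 4]) for off in (12, 16)]        # src at offset 12, dst at 16
    new = [mapping.get(addr, addr) for addr in old]
    if old == new:
        return frame, 0
    ip[12:20] = b"".join(new)                                  # header checksum covers the addresses, so redo it
    ip[10:12] = struct.pack("!H", inet_checksum(bytes(ip[:10]) + b"\x00\x00" + bytes(ip[12:])))
    proto, coff = ip[9], {6: 16, 17: 6}.get(ip[9])            # TCP / UDP checksum field offsets
    if coff is not None and len(l4) >= coff + 2:              # their pseudo-header covers the addresses too
        l4[coff:coff + 2] = b"\x00\x00"
        csum = inet_checksum(bytes(ip[12:20]) + struct.pack("!BBH", 0, proto, len(l4)) + bytes(l4))
        l4[coff:coff + 2] = struct.pack("!H", 0xFFFF if (proto == 17 and csum == 0) else csum)
    return frame[:14] + bytes(ip) + bytes(l4) + frame[14 + total:], sum(a != b for a, b in zip(old, new))

def rewrite_pcap(data, mapping):
    """Walk a classic pcap (either byte order, microsecond timestamps) record by record."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}[data[:4]]   # KeyError on pcapng / nanosecond magic
    out, pos, changed = bytearray(data[:24]), 24, 0
    while pos + 16 <= len(data):
        ts_sec, ts_usec, incl, orig = struct.unpack(end + "IIII", data[pos:pos + 16])
        frame, hits = rewrite_frame(data[pos + 16:pos + 16 + incl], mapping)
        out += struct.pack(end + "IIII", ts_sec, ts_usec, len(frame), orig) + frame
        pos, changed = pos + 16 + incl, changed + hits
    return bytes(out), changed

def sample_pcap():
    """Constructed one-record pcap (not http.cap): TCP SYN 145.254.160.237:3372 -> 65.208.228.223:80."""
    src, dst = socket.inet_aton("145.254.160.237"), socket.inet_aton("65.208.228.223")
    tcp = bytearray(struct.pack("!HHIIBBHHH", 3372, 80, 1, 0, 5 << 4, 0x02, 8760, 0, 0))
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 128, 6, 0, src, dst))
    ip[10:12] = struct.pack("!H", inet_checksum(bytes(ip)))
    tcp[16:18] = struct.pack("!H", inet_checksum(src + dst + struct.pack("!BBH", 0, 6, len(tcp)) + bytes(tcp)))
    frame = bytes.fromhex("feff200001000000010000000800") + bytes(ip) + bytes(tcp)
    return (bytes.fromhex("d4c3b2a1020004000000000000000000ffff000001000000")   # global header: v2.4, Ethernet
            + struct.pack("<IIII", 1084418227, 0, len(frame), len(frame)) + frame)
```

A frame is left untouched (and counted as zero changes) when neither address is in the mapping, and non-IPv4 frames pass through unchanged; `changed` counts fields, so it matches the per-field lines pcapedit prints.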

Credits: