3
votes

I have a pcap capture of SOCKS traffic. The traffic goes like:

client_ip <-> 127.0.0.1:9050 <-> destination_ip

Looking at the pcap in Wireshark thus shows:

src_ip = 127.0.0.1 
dst_ip = 127.0.0.1

Is it possible to change src_ip and dst_ip addresses?

I tried bittwiste as:

bittwiste -I in.pcap -O out.pcap -T ip -p 6 -s 127.0.0.1,1.2.3.4 -d 127.0.0.1,4.3.2.1

But, only first packet gets modified. All packets from 2nd onwards remain the same.

I also tried tcprewrite as:

tcprewrite --seed=325 --infile=in.pcap --outfile=out.pcap

This changes all src_ip & dst_ip (127.0.0.1) to the same random IP, since it seems to find only one (same) endpoint IP.

How can I modify the src & dst IP addresses in a SOCKS traffic capture?

Thanks

1 Answer

3
votes

TL;DR. The --endpoints option of tcprewrite is what you're looking for. It requires a cachefile from tcpprep:

$ tcpprep --port --pcap=in.pcap --cachefile=in.cache
$ tcprewrite --cachefile=in.cache --endpoints=1.2.3.4:4.3.2.1 --infile=in.pcap --outfile=out.pcap
$
$ tshark -r out.pcap
1   0.000000     1.2.3.4 → 4.3.2.1     TCP 74 49870 → 80 [SYN] Seq=0 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=10438137 TSecr=0 WS=128
2   0.000030     4.3.2.1 → 1.2.3.4     TCP 74 80 → 49870 [SYN, ACK] Seq=0 Ack=1 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=10438137 TSecr=10438137 WS=128
3   0.000051     1.2.3.4 → 4.3.2.1     TCP 66 49870 → 80 [ACK] Seq=1 Ack=1 Win=43776 Len=0 TSval=10438137 TSecr=10438137
4   0.000101     1.2.3.4 → 4.3.2.1     HTTP 139 GET / HTTP/1.1 
5   0.000121     4.3.2.1 → 1.2.3.4     TCP 66 80 → 49870 [ACK] Seq=1 Ack=74 Win=43776 Len=0 TSval=10438137 TSecr=10438137
6   0.023045     4.3.2.1 → 1.2.3.4     HTTP 11642 HTTP/1.1 200 OK  (text/html)
7   0.023094     1.2.3.4 → 4.3.2.1     TCP 66 49870 → 80 [ACK] Seq=74 Ack=11577 Win=174720 Len=0 TSval=10438143 TSecr=10438143
8   0.023517     1.2.3.4 → 4.3.2.1     TCP 66 49870 → 80 [FIN, ACK] Seq=74 Ack=11577 Win=174720 Len=0 TSval=10438143 TSecr=10438143
9   0.023547     4.3.2.1 → 1.2.3.4     TCP 66 80 → 49870 [FIN, ACK] Seq=11577 Ack=75 Win=43776 Len=0 TSval=10438143 TSecr=10438143
10   0.023560     1.2.3.4 → 4.3.2.1     TCP 66 49870 → 80 [ACK] Seq=75 Ack=11578 Win=174720 Len=0 TSval=10438143 TSecr=10438143

Explanations

According to the documentation for tcprewrite, --endpoints=ip1:ip2 rewrites all packets to appear to be between ip1 and ip2. However, this option requires the --cachefile option.

The tcpprep cache file is used to split traffic in two sides depending on ports, IP addresses, MAC addresses, etc. Here, according to the tcpprep wiki, we want to use the --port option.
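The two-step procedure in the answer (decide which side of the conversation each packet belongs to, then rewrite both addresses and repair the checksums that depend on them) as an added Python example. It is not part of the answer and not tcpreplay's code. It assumes a little-endian classic pcap with Ethernet framing, uses the side rule "source port in a given set, or below 1024, means the server side" as a stand-in for tcpprep's port map, and constructs its own two-packet sample. It also shows the caveat the question's capture runs into: with a SOCKS proxy on 127.0.0.1:9050 both ports are above 1023, so a bare port threshold puts both directions on the client side and the proxy port has to be named explicitly (the answer's tshark output is on port 80, where the default split works).

```python
"""Rewrite IPv4 endpoints in a classic pcap, splitting the two sides by TCP/UDP
port the way tcpprep --port plus tcprewrite --endpoints do. Added example, not
tcpreplay code: little-endian classic pcap, Ethernet framing, IPv4 TCP/UDP only."""
import struct
from socket import inet_aton, inet_ntoa


def _csum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum (pads an odd trailing byte)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _rewrite_frame(frame: bytearray, cli: bytes, srv: bytes, server_ports) -> bytes:
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return bytes(frame)  # not IPv4 over Ethernet: pass through untouched
    ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
    total_len = struct.unpack("!H", frame[16:18])[0]
    l4, hlen = 14 + ihl, 20 if proto == 6 else 8
    if proto not in (6, 17) or len(frame) < 14 + total_len or l4 + hlen > 14 + total_len:
        return bytes(frame)  # not TCP/UDP, or snaplen-truncated: leave it alone
    sport = struct.unpack("!H", frame[l4:l4 + 2])[0]
    # Assumed side rule: a source port in server_ports, or below 1024, means the
    # packet came from the server. tcpprep's port mode decides from a port map.
    from_server = sport in server_ports or sport < 1024
    src, dst = (srv, cli) if from_server else (cli, srv)
    frame[26:30], frame[30:34] = src, dst
    frame[24:26] = b"\x00\x00"  # IPv4 header checksum: zero it, then recompute
    frame[24:26] = struct.pack("!H", _csum(frame[14:l4]))
    seg = frame[l4:14 + total_len]
    cs_off = 16 if proto == 6 else 6
    if proto == 17 and seg[cs_off:cs_off + 2] == b"\x00\x00":
        return bytes(frame)  # UDP with checksum disabled: nothing to fix
    seg[cs_off:cs_off + 2] = b"\x00\x00"
    # The L4 checksum covers a pseudo-header holding both addresses, so it changes too.
    cs = _csum(src + dst + struct.pack("!BBH", 0, proto, len(seg)) + seg)
    if proto == 17 and cs == 0:
        cs = 0xFFFF
    frame[l4 + cs_off:l4 + cs_off + 2] = struct.pack("!H", cs)
    return bytes(frame)


def records(pcap: bytes):
    """(record header, frame) pairs of a little-endian classic pcap."""
    out, off = [], 24
    while off + 16 <= len(pcap):
        n = struct.unpack("<I", pcap[off + 8:off + 12])[0]
        out.append((pcap[off:off + 16], pcap[off + 16:off + 16 + n]))
        off += 16 + n
    return out


def rewrite_endpoints(pcap: bytes, client_ip: str, server_ip: str, server_ports=()) -> bytes:
    """Return a pcap in which every IPv4 TCP/UDP packet runs between client_ip and server_ip."""
    if struct.unpack("<II", pcap[:4] + pcap[20:24]) != (0xA1B2C3D4, 1):
        raise ValueError("expected a little-endian classic pcap with Ethernet framing")
    cli, srv, ports = inet_aton(client_ip), inet_aton(server_ip), set(server_ports)
    return pcap[:24] + b"".join(h + _rewrite_frame(bytearray(f), cli, srv, ports) for h, f in records(pcap))


def endpoints(pcap: bytes):
    """(src, dst) per frame: the two address columns tshark prints."""
    return [(inet_ntoa(f[26:30]), inet_ntoa(f[30:34])) for _, f in records(pcap)]


def checksums_ok(frame: bytes) -> bool:
    """True when the IPv4 header and TCP/UDP checksums of an Ethernet frame verify."""
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    seg = frame[14 + ihl:14 + total_len]
    pseudo = frame[26:30] + frame[30:34] + struct.pack("!BBH", 0, frame[23], len(seg))
    return _csum(frame[14:14 + ihl]) == 0 and _csum(pseudo + seg) == 0


def build_tcp_frame(src_ip, dst_ip, sport, dport, payload=b"") -> bytes:
    """Ethernet/IPv4/TCP frame with valid checksums, used only for the constructed sample."""
    src, dst = inet_aton(src_ip), inet_aton(dst_ip)
    seg = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    seg = seg[:16] + struct.pack("!H", _csum(src + dst + struct.pack("!BBH", 0, 6, len(seg)) + seg)) + seg[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(seg), 0, 0x4000, 64, 6, 0, src, dst)
    return b"\x00" * 12 + b"\x08\x00" + ip[:10] + struct.pack("!H", _csum(ip)) + ip[12:] + seg


def build_pcap(frame_list) -> bytes:
    """Little-endian classic pcap, LINKTYPE_ETHERNET, one frame per second."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frame_list))


# Constructed sample: a SOCKS5 greeting and its reply on the loopback proxy port 9050.
SAMPLE_PCAP = build_pcap([
    build_tcp_frame("127.0.0.1", "127.0.0.1", 49870, 9050, b"\x05\x01\x00"),
    build_tcp_frame("127.0.0.1", "127.0.0.1", 9050, 49870, b"\x05\x00"),
])

if __name__ == "__main__":
    print("threshold only:", endpoints(rewrite_endpoints(SAMPLE_PCAP, "1.2.3.4", "4.3.2.1")))
    print("9050 as server:", endpoints(rewrite_endpoints(SAMPLE_PCAP, "1.2.3.4", "4.3.2.1", {9050})))
```

With the sample above, the threshold rule alone rewrites both packets as 1.2.3.4 → 4.3.2.1, because 49870 and 9050 are both above 1023; passing `server_ports={9050}` restores the reply direction. For real captures the tcpprep/tcprewrite pair is the better tool (it also reads pcapng and other link types); if its port split lumps both directions together, give tcpprep your own port map with its --services option or pick a different split mode.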