
I need to archive and share some PCAP files with people who don't know what the various IP addresses in the pcap refer to.

So I want to find a way to edit the PCAP files and change IP addresses so they appear as the fqdn or a random string in wireshark. e.g. "server.a.some.domain" or "serverA" instead of 192.168.x.x. That way people will understand the traffic flow without having to ask what each IP is.

I can achieve this in wireshark manually with the Name Resolution function, but I want to automate changing the PCAP files before I share them.

I tried bittwiste and tcprewrite but they seem to only support changing an IP address to another IP address, not a string.

e.g. this works

$ bittwiste -I a.pcap.file.pcap -O test.pcap -T ip -s 192.168.0.0,192.168.0.2
input file: a.pcap.file.pcap
output file: test.pcap

1771 packets (665162 bytes) written

but this doesn't

$ bittwiste -I a.pcap.file.pcap -O test.pcap -T ip -s 192.168.0.0,serverA
bittwiste: invalid source IP address

Anyone know if this is possible and how to do it?

thanks
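One way to get the effect described in the question without touching a single packet byte is to convert the capture to pcapng and embed a Name Resolution Block (NRB), the pcapng record type that stores IPv4/IPv6-address-to-name mappings; Wireshark reads these records and uses them when network-address resolution is enabled, so the addresses show up as names. The script below is an added example, not part of the question or of bittwiste/tcprewrite; the sample capture, the address-to-name mapping and all function names are constructed for the demonstration, and it only accepts the classic microsecond pcap format as input.

```python
import struct
import ipaddress

def _ipv4_frame(src, dst, payload=b"hello"):
    """Constructed Ethernet/IPv4 frame (IP header checksum left zero; fine for a sample)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return b"\x00" * 12 + b"\x08\x00" + ip + payload

def build_sample_pcap():
    """A tiny classic libpcap file in memory: two frames between two private hosts."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))  # linktype 1 = Ethernet
    flows = [("192.168.0.10", "192.168.0.20"), ("192.168.0.20", "192.168.0.10")]
    for i, (s, d) in enumerate(flows):
        frame = _ipv4_frame(s, d)
        out += struct.pack("<IIII", 1700000000, i * 1000, len(frame), len(frame)) + frame
    return bytes(out)

def read_pcap(data):
    """Parse classic microsecond pcap: (linktype, snaplen, [(ts_us, orig_len, bytes), ...])."""
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack("<I", data[:4])[0])
    if end is None:
        raise ValueError("not a classic microsecond pcap (pcapng / nanosecond pcap not handled)")
    _, _, _, _, _, snaplen, linktype = struct.unpack(end + "IHHiIII", data[:24])
    packets, off = [], 24
    while off + 16 <= len(data):
        sec, usec, incl, orig = struct.unpack(end + "IIII", data[off:off + 16])
        packets.append((sec * 1_000_000 + usec, orig, data[off + 16:off + 16 + incl]))
        off += 16 + incl
    return linktype, snaplen, packets

def _block(btype, body):
    """Generic pcapng block: type, total length, 32-bit padded body, total length again."""
    body += b"\x00" * (-len(body) % 4)
    total = 12 + len(body)
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)

def _shb():
    # Section Header Block: byte-order magic, version 1.0, section length -1 (unknown)
    return _block(0x0A0D0D0A, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))

def _idb(linktype, snaplen):
    # Interface Description Block; default timestamp resolution is microseconds
    return _block(0x00000001, struct.pack("<HHI", linktype, 0, snaplen))

def _nrb(names):
    """Name Resolution Block: nrb_record_ipv4 (1) / nrb_record_ipv6 (2) records + nrb_record_end."""
    body = b""
    for ip, name in names.items():
        addr = ipaddress.ip_address(ip)
        value = addr.packed + name.encode() + b"\x00"          # packed address, NUL-terminated name
        body += struct.pack("<HH", 1 if addr.version == 4 else 2, len(value))
        body += value + b"\x00" * (-len(value) % 4)
    return _block(0x00000004, body + struct.pack("<HH", 0, 0))

def _epb(ts_us, orig_len, pkt):
    # Enhanced Packet Block on interface 0; the 64-bit timestamp is split into high/low words
    head = struct.pack("<IIIII", 0, ts_us >> 32, ts_us & 0xFFFFFFFF, len(pkt), orig_len)
    return _block(0x00000006, head + pkt)

def pcap_to_pcapng(pcap_bytes, names):
    """Copy every packet unchanged into a pcapng that also carries the address-to-name map."""
    linktype, snaplen, packets = read_pcap(pcap_bytes)
    out = _shb() + _idb(linktype, snaplen) + _nrb(names)
    for ts_us, orig_len, pkt in packets:
        out += _epb(ts_us, orig_len, pkt)
    return out

def read_nrb_names(pcapng_bytes):
    """Walk the blocks and decode the records of every NRB (used to check the output)."""
    names, off = {}, 0
    while off + 12 <= len(pcapng_bytes):
        btype, total = struct.unpack("<II", pcapng_bytes[off:off + 8])
        if btype == 0x00000004:
            body, pos = pcapng_bytes[off + 8:off + total - 4], 0
            while pos + 4 <= len(body):
                rtype, rlen = struct.unpack("<HH", body[pos:pos + 4])
                value, pos = body[pos + 4:pos + 4 + rlen], pos + 4 + rlen + (-rlen % 4)
                if rtype == 0:
                    break
                if rtype in (1, 2):
                    addr = ipaddress.IPv4Address(value[:4]) if rtype == 1 else ipaddress.IPv6Address(value[:16])
                    names[str(addr)] = value[len(addr.packed):].split(b"\x00")[0].decode()
        off += total
    return names

def block_types(pcapng_bytes):
    """Sequence of block type codes in the file (SHB, IDB, NRB, EPB, ...)."""
    types, off = [], 0
    while off + 12 <= len(pcapng_bytes):
        btype, total = struct.unpack("<II", pcapng_bytes[off:off + 8])
        types.append(btype)
        off += total
    return types

if __name__ == "__main__":
    mapping = {"192.168.0.10": "serverA", "192.168.0.20": "server.a.some.domain"}
    with open("named.pcapng", "wb") as f:   # for a real capture: open("in.pcap", "rb").read()
        f.write(pcap_to_pcapng(build_sample_pcap(), mapping))
```

Open the resulting file in Wireshark with View → Name Resolution → Resolve Network Addresses turned on and the two hosts display under the names from the mapping. Because the packets are copied verbatim, checksums, sequence numbers and the original addresses all remain intact in the file; the NRB is a display aid for the recipient, not an anonymisation of the capture.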


1 Answer


This is not as trivial as it seems. The names you want to replace are only inside the application data, i.e. typically in DNS requests and responses, as part of the TLS handshake (SNI in ClientHello, CN/SAN in server certificate), in the Host field of an HTTP request header ...

While you might try to simply string-replace all such names with something else, this would break the sequence numbers in the TCP connections unless you replace it with something of exactly the same length. Even then it would make the TCP checksums invalid, would make signatures on the certificates invalid, ... and in the case of DNS a simple string replace would not even find all the names, since they might be encoded in DNS and are not just inside the DNS packets as a plain string.
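The breakage the answer describes can be checked directly. The following is an added example (not written by the answer's author): it builds a constructed IPv4/TCP packet carrying an HTTP Host header with a valid TCP checksum, applies the kind of plain byte replacement the answer warns about, and reports whether the IP total length, the TCP checksum and the next expected sequence number still hold up; it also shows that a DNS-encoded name never contains the dotted string a naive search would look for. All addresses, names and function names are invented for the demonstration.

```python
import struct
import ipaddress

def _ones_complement_sum(data):
    """16-bit one's complement sum as used by the IP and TCP checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def _pseudo_header(src_packed, dst_packed, seg_len):
    # IPv4 pseudo-header: src, dst, zero, protocol 6 (TCP), TCP length
    return src_packed + dst_packed + struct.pack("!BBH", 0, 6, seg_len)

def build_ipv4_tcp(src, dst, payload, seq=1000):
    """Constructed IPv4 + TCP (PSH/ACK) packet whose TCP checksum is correct."""
    sp, dp = ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    csum = (~_ones_complement_sum(_pseudo_header(sp, dp, len(tcp)) + tcp)) & 0xFFFF
    tcp = tcp[:16] + struct.pack("!H", csum) + tcp[18:]          # checksum field is at offset 16
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, sp, dp)
    return ip + tcp

def ip_length_consistent(pkt):
    """Does the IP total-length field still match the bytes actually present?"""
    return struct.unpack("!H", pkt[2:4])[0] == len(pkt)

def tcp_checksum_valid(pkt):
    """Verification: the sum over pseudo-header + whole segment must come out as 0xFFFF."""
    ihl = (pkt[0] & 0x0F) * 4
    segment = pkt[ihl:]
    return _ones_complement_sum(_pseudo_header(pkt[12:16], pkt[16:20], len(segment)) + segment) == 0xFFFF

def next_seq(pkt):
    """Sequence number the peer expects next: seq + payload length."""
    ihl = (pkt[0] & 0x0F) * 4
    seq = struct.unpack("!I", pkt[ihl + 4:ihl + 8])[0]
    data_off = (pkt[ihl + 12] >> 4) * 4
    return seq + len(pkt) - ihl - data_off

def naive_replace(pkt, old, new):
    """What a plain string replacement does: the bytes change, nothing else is fixed up."""
    return pkt.replace(old, new)

def dns_wire_name(name):
    """DNS stores a name as length-prefixed labels ending in a zero byte, not as a dotted string."""
    return b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"

if __name__ == "__main__":
    pkt = build_ipv4_tcp("192.168.0.10", "192.168.0.20",
                         b"GET / HTTP/1.1\r\nHost: server.a.some.domain\r\n\r\n")
    shorter = naive_replace(pkt, b"server.a.some.domain", b"serverA")
    same_len = naive_replace(pkt, b"server.a.some.domain", b"server.b.some.domain")
    for label, p in (("original", pkt), ("shorter ", shorter), ("same len", same_len)):
        print(label, "ip-len ok:", ip_length_consistent(p), "tcp csum ok:", tcp_checksum_valid(p),
              "next seq:", next_seq(p))
    print("dotted name found in DNS wire form:",
          b"server.a.some.domain" in dns_wire_name("server.a.some.domain"))
```

The shorter replacement desynchronises the IP length and shifts the next sequence number the receiver side of the trace expects, while the same-length replacement keeps the lengths and sequence numbers but still leaves a stale TCP checksum; and the DNS wire form of `server.a.some.domain` contains no byte sequence matching the dotted name, so a string search over the packet bytes misses it.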