Can Wireshark be used to change the content of packets

networking wireshark sniffer
Mihul picture Mihul · Jan 8, 2011 · Viewed 15.2k times · Source

Wireshark doesn't seem to be able to change the content of filtered packets in real time.

Does anyone know a symilar software which can change packet content that is filtered.

Finding something like this will really be a life saver

Thanks.

Answer

user562374 picture user562374 · Jan 8, 2011

At least on Unices and -like where raw sockets are used, this is not possible, since the packet is copied to userspace and you only work on that copy. Furthermore, sending a packet back through the raw socket may be considered an "outgoing" packet so that it is, in fact, not reinjected to the input path where it should be. Raw sockets were — according to the Linux manpage — designed to implement new protocols, IOW, raw sockets are an "endpoint", not a "passthrough station".

For packet modification in the input path (passthrough-like), each OS has its own set of interfaces. In Linux (you were sort of unspecific as to which you target), that would be the nfqueue mechanism, usable through libnetfilter_queue. And of course, that is how wireshark, if it wanted to (I don't see it doing packet alteration last time I checked), would go about doing this.

Related questions

Wireshark filter for filtering both destination-source IP address and the protocol

I want to filter Wireshark's monitoring results according to a filter combination of source, destination ip addresses and also the protocol. So, right now I'm able to filter out the activity for a destination and source ip address using this …

Read More
Capturing mobile phone traffic on Wireshark

How can I capture mobile phone traffic on Wireshark?

Read More
Wireshark localhost traffic capture

I wrote a simple server app in C which runs on localhost. How to capture localhost traffic using Wireshark?

Read More