Wireshark-dev: Re: [Wireshark-dev] help regarding altering the fields of a pcap
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Mon, 21 Jun 2010 15:25:08 -0700
On Jun 21, 2010, at 12:58 PM, prashanth s wrote:

> I need to alter a few of the fields in the pcap for the higher level protocols such as MAPI and then write those fields back to the pcap. Could anyone please tell me how to do it?

Do it in Wireshark, or do it in some other tool?  We don't, and won't, support that in Wireshark dissectors; they are forever forbidden from modifying the data they're handed.  If you think you need to do it in Wireshark, please explain what you're trying to do, and we'll tell you the way it's done (which probably involves creating a new tvbuff with the modified data and handing that to subdissectors - that's how decryption, decompression, and fragment reassembly are done, for example).
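
For the "some other tool" route raised in the reply above, the following is an added example and not part of the original thread or of Wireshark: a small Python rewriter for classic pcap files that overwrites bytes in one packet and writes the records back out. The function names, the byte offset and the two-packet sample capture are constructed for illustration; it assumes a same-length overwrite and does not handle pcapng.

```python
import struct

# Magic as stored on disk -> struct byte-order prefix (micro- and nanosecond variants)
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",
          b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}
GLOBAL_HDR, REC_HDR = 24, 16

def records(data):
    """Yield (record_header_bytes, payload_bytes) for each packet in a classic pcap."""
    order = MAGICS.get(data[:4])
    if order is None or len(data) < GLOBAL_HDR:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    pos = GLOBAL_HDR
    while pos < len(data):
        hdr = data[pos:pos + REC_HDR]
        if len(hdr) < REC_HDR:
            raise ValueError("truncated record header")
        incl_len = struct.unpack(order + "IIII", hdr)[2]  # ts_sec, ts_frac, incl_len, orig_len
        payload = data[pos + REC_HDR:pos + REC_HDR + incl_len]
        if len(payload) < incl_len:
            raise ValueError("truncated packet data")
        yield hdr, payload
        pos += REC_HDR + incl_len

def patch_pcap(data, index, offset, new_bytes):
    """Return a copy of `data` with packet `index` overwritten at `offset`.
    The overwrite is same-length, so the pcap record headers stay valid; length
    fields and checksums inside the packet are not recomputed."""
    out, found = bytearray(data[:GLOBAL_HDR]), False
    for i, (hdr, payload) in enumerate(records(data)):
        if i == index:
            if offset < 0 or offset + len(new_bytes) > len(payload):
                raise ValueError("patch falls outside the captured bytes")
            payload = payload[:offset] + new_bytes + payload[offset + len(new_bytes):]
            found = True
        out += hdr + payload
    if not found:
        raise ValueError("no packet with that index")
    return bytes(out)

def build_sample():
    """Constructed two-packet little-endian capture (Ethernet link type, dummy bytes)."""
    ghdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    pkts = [b"\x00" * 14 + b"HELLO", b"\x11" * 14 + b"WORLD"]
    return ghdr + b"".join(struct.pack("<IIII", i, 0, len(p), len(p)) + p
                           for i, p in enumerate(pkts))

if __name__ == "__main__":
    patched = patch_pcap(build_sample(), 1, 14, b"PATCH")
    print([payload[14:] for _, payload in records(patched)])
```

If the edited bytes sit under a protocol that carries its own checksum or length field, Wireshark will flag the patched packet unless those are recomputed as well.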