Wireshark-users: Re: [Wireshark-users] Changing timestamps
From: John Bartas <jbartas@xxxxxxxxxxxxxxxx>
Date: Thu, 03 Jan 2008 13:45:33 -0800
Hi,

In case you need yet another way to do this, here's a write-up I did on how to manually edit the pcap files. It's crude, but versatile.

Cheers,
-JB-


Editing pcap files

I recently needed a pcap file to reproduce a problem we were seeing at a customer site. The tool I had could get text dumps of the MGCP packets that were causing problems, but I didn't have the actual pcap traffic, which is helpful for testing.

The problem I was chasing was that MGCP packets at the customer's site would set up an RTP stream with a set of UDP port values, then CHANGE the UDP port values before starting the RTP. I wrote code to detect the late port change and retrofit the RTP stream parameters, but didn't have a good way to test it - MGCP calls at our site have never done this, and I had no pcap samples of it.

What I wanted was a way to actually add a few slightly altered packets to an otherwise good MGCP call, so I could play it with tcpreplay and test my code. I found a combination of tools to do just what I wanted.


   Tools:

You need these three tools, all of which are probably already on your Linux system:

   * Ethereal
   * xxd
   * text editor



   Steps:

   * First step is to record a packet sequence very similar to the
     packets you want to create. In my case this was a short simple
     MGCP phone call.

   * Next, use Ethereal's right-button "mark" feature to select the
     packets to edit. I selected two - an MDCX packet which had UDP
     port info, and its reply.

   * Save the marked packets in a separate file. I named my file
     "part-B". Parts "A" and "C" will come later.

   * Figure out where in the trace you will want to inject your edited
     packets. Note the numbers of the packets around this area. Also
     note the number of the last packet in the file.

   * Using Ethereal's "save as" menu, select the "Specify a packet range"
     option, and save all the packets BEFORE that spot in the trace to
     a pcap file. I gave the file the name "part-A".

   * Next, save all the packets AFTER that spot in the trace to a pcap
     file. I gave the file the name "part-C". (part-B will be your
     edits.) The packets I saved for editing can be part of one of these
     two files or not. If they are left in one of the files, then both
     the original packets and your edited packets will be in the final
     pcap file.

   * Use xxd to convert your edit file ("part-b") to binary. Here's my
     command line:

         xxd part-b part-b.txt

     This created part-b.txt.

   * Use your editor to edit the .txt file. It will look something like
     this:

     0000000: d4c3 b2a1 0200 0400 0000 0000 0000 0000  ................
     0000010: ffff 0000 0100 0000 861c 3146 f820 0c00  ..........1F. ..
     0000020: 5101 0000 5101 0000 0016 477a 4831 0014  Q...Q.....GzH1..
     0000030: 6c6d 317a 0800 4500 0143 249d 0000 3611  lm1z..E..C$...6.
     0000040: ec82 42f3 6d1c c0a8 01d3 0aa7 097b 012f  ..B.m........{./
     0000050: a950 4352 4358 2034 3332 3734 3320 6430  .PCRCX 432743 d0
     0000060: 3031 4030 3031 3634 3737 6134 3833 3120  01@0016477a4831 
     0000070: 4d47 4350 2031 2e30 0a43 3a20 3031 6666  MGCP 1.0.C: 01ff
     00000f0: 3630 2e31 310a 743d 3020 300a 6d3d 6175  60.11.t=0 0.m=au
     0000100: 6469 6f20 3336 3037 3420 5254 502f 4156  dio 36074 RTP/AV
     0000110: 5020 3020 3130 310d 0a63 3d49 4e20 4950  P 0 101..c=IN IP

     Note that all your edits MUST be in the hex columns toward the
     middle of the page. The text on the right is ignored when
     converting back to binary, so don't bother making any edits there.

     You can use the pcap header definitions to find out where the
     fields you need to change are. I edited the timestamp (added a few
     milliseconds). Be aware that the stamp is saved in LITTLE ENDIAN
     (at least on my system...).

     I also changed the port number ("36074") to create the problem
     condition that I was testing. Since I changed UDP packet content,
     I also needed to change the UDP checksum. In this example it's the
     "a950" value at "0000050:". The easiest thing is just to change it
     to zero - this will force UDP to skip checksumming.

   * Once you have made your edits, convert the file back to hex:

         xxd -r part-b.txt part-b

   * Open file "part-a" with Ethereal.

   * Use Ethereal's file->merge feature to merge part-b. Be sure to use
     the "Merge packets chronologically" setting. If you have adjusted
     the timestamps correctly, the new packets will appear in the packet
     order exactly as you want them. Check for big jumps in time -
     these will screw up your playback with tcpreplay.

   * Save the merged file. I named mine part-a-b. You will not be able
     to merge part-c unless you save the newly merged data.

   * Now merge part-c with part-a-b. Again, check timestamps. This
     is also a good time to check for bad UDP checksums.

   * Save the data to a file - AND you're DONE! You've edited a pcap file.

Last update 4/27/07 -JB-




Trebor Sreyb wrote:
I'm in need of changing the timestamps of the packets in a pcap file. editcap has a global approach to this, where the same time adjustment can be applied to a range of packets. However, I need to have much finer-grained control.

So, I noticed wireshark will let me save my file as a text format called "k12text", which I then was able to modify using a tcl script that read the k12text file and rewrote it with new timestamps according to my requirements.

For example, my script increments the timestamp from one packet to the next by a default of 0.0000001s, with specific overrides for any packet of my choosing.

Then - I had hoped - I could read the k12text file into wireshark and do a file > save as, to ultimately save it as a pcap file again.

Problem is, it appears that a k12text file cannot be saved as a pcap (or most anything else). This was a huge disappointment, as I spent the time to write the tcl script and thought all was set. But alas I seem to be back at the drawing board.

Is there another approach I might take to accomplish this task?

Ultimately, the file will be imported into a 3rd party capture/replay tool, which understands libpcap files only.
Thanks,
-Bob
Andover, MA, USA






_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-users