LinuxQuestions.org

Linux - Security > How to modify tcpdump packets? (https://www.linuxquestions.org/questions/linux-security-4/how-to-modify-tcpdump-packets-461668/)

chinmays 07-06-2006 10:05 PM

How to modify tcpdump packets?
 
Hello people,

I have collected traces of a worm (as part of a research project).
Now I would like to replace the source code of the worm in the collected packets with some number (say 0). Can anyone suggest some tools for doing this, or any other way of doing it?

--Thanks

jschiwal 07-06-2006 10:39 PM

I found a website for a course exercise that included the file format of a tcpdump.out file: http://www.cs.huji.ac.il/course/2003...ex3/format.txt

However, if what you want to do is not publish the actual code of the worm in your paper, then replacing the text in the latex source of your paper, for example, might be a better way of doing things.

Otherwise, you may need to resort to reading the source code for tcpdump to discover the exact format used. Part of the answer, such as endianness, may depend on the machine that sent the payload in the first place, according to some of the descriptions I read while trying to google for an answer. Plus, the payload packets themselves could have been split up by a router along the way, so I think that different samples of the same worm could have different patterns, due to the differing lengths of the packets used to send it.

If you add to that whether your tcpdump file is compressed, it may be better working with a text formatted version of your dumpfile rather than trying to replace bit patterns in the tcpdump file.

Good Luck!

chinmays 09-24-2006 12:42 AM

Hey, thanks a lot for the reply.
I apologize for not replying earlier.

Mara 09-24-2006 01:31 PM

Using libpcap (because tcpdump stores packets in pcap format) seems the best solution. It offers functions to load a trace, get the next packet, and so on. It also allows you to save a trace to another file (including a modified trace).
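The approach Mara describes (read the trace, walk the packets, rewrite the payload, save a new file) worked through as an added example; this is not code from anyone in the thread. Rather than link against libpcap it parses the classic pcap file layout directly (24-byte global header, then a 16-byte record header before each packet), picking the byte order of the header fields from the magic number as jschiwal's format note requires, and zero-fills every occurrence of a byte pattern inside each packet while keeping packet lengths unchanged. The sample capture, the Ethernet/IPv4/TCP frames in it and the `WORM-CODE-HERE` marker standing in for the worm bytes are all constructed for the example.

```python
"""Zero-fill a byte pattern (e.g. a worm's code) in every packet of a classic
libpcap file, preserving packet lengths so tcpdump can still read the result.

Added example for this thread, not code from the original posts.  Handles the
classic pcap format only (not pcapng).  The sample capture below is constructed.
"""
import struct
import sys

GLOBAL_HDR_LEN = 24
RECORD_HDR_LEN = 16

# The magic number, as it sits in the first four bytes of the file, fixes the
# byte order of every header field.  Packet payloads are never byte-swapped.
_MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<",  # 0xa1b2c3d4 little-endian, microsecond timestamps
    b"\xa1\xb2\xc3\xd4": ">",  # 0xa1b2c3d4 big-endian
    b"\x4d\x3c\xb2\xa1": "<",  # 0xa1b23c4d little-endian, nanosecond timestamps
    b"\xa1\xb2\x3c\x4d": ">",  # 0xa1b23c4d big-endian
}


def parse_pcap(data):
    """Return (endian, global_header_bytes, records); each record is
    (ts_sec, ts_frac, orig_len, packet_bytes)."""
    if len(data) < GLOBAL_HDR_LEN:
        raise ValueError("file shorter than a pcap global header")
    endian = _MAGICS.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap file (magic %r)" % data[:4])
    records, off = [], GLOBAL_HDR_LEN
    while off < len(data):
        if off + RECORD_HDR_LEN > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(
            endian + "IIII", data[off:off + RECORD_HDR_LEN])
        off += RECORD_HDR_LEN
        if off + incl_len > len(data):
            raise ValueError("truncated packet data at offset %d" % off)
        records.append((ts_sec, ts_frac, orig_len, data[off:off + incl_len]))
        off += incl_len
    return endian, data[:GLOBAL_HDR_LEN], records


def write_pcap(endian, global_header, records):
    """Serialise records back into a pcap byte string with the given header."""
    out = [global_header]
    for ts_sec, ts_frac, orig_len, pkt in records:
        out.append(struct.pack(endian + "IIII", ts_sec, ts_frac, len(pkt), orig_len))
        out.append(pkt)
    return b"".join(out)


def scrub_pcap(data, pattern, fill=0):
    """Replace each occurrence of `pattern` in each packet with `fill` bytes of
    equal length.  Returns (new_pcap_bytes, replacement_count).  Because the
    length is preserved, incl_len/orig_len and the IP/TCP length fields stay
    valid; transport checksums will no longer verify, which is fine for a
    trace that is only read back.  A pattern split across two packets is not
    matched: scrub a reassembled stream if the worm body spans segments."""
    endian, ghdr, records = parse_pcap(data)
    replacement = bytes([fill]) * len(pattern)
    count, scrubbed = 0, []
    for ts_sec, ts_frac, orig_len, pkt in records:
        count += pkt.count(pattern)
        scrubbed.append((ts_sec, ts_frac, orig_len, pkt.replace(pattern, replacement)))
    return write_pcap(endian, ghdr, scrubbed), count


# --- constructed sample data -------------------------------------------------
WORM_MARKER = b"WORM-CODE-HERE"  # made-up stand-in for the worm's bytes


def _tcp_frame(payload):
    """Constructed Ethernet/IPv4/TCP frame; IP and TCP checksums left at zero."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0x1234, 0x4000,
                     64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 4444, 80, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def sample_pcap(endian="<"):
    """Two-packet capture, link type 1 (Ethernet): one benign HTTP request and
    one carrying the marker twice, with a NOP sled and int3 byte around it."""
    ghdr = struct.pack(endian + "IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)
    pkts = [_tcp_frame(b"GET / HTTP/1.0\r\n\r\n"),
            _tcp_frame(b"\x90\x90" + WORM_MARKER + b"\xcc" + WORM_MARKER)]
    records = [(1152241500 + i, i, len(p), p) for i, p in enumerate(pkts)]
    return write_pcap(endian, ghdr, records)


if __name__ == "__main__":
    # Usage: python scrub_pcap.py in.pcap out.pcap  (pattern is WORM_MARKER here;
    # for a real trace read the worm's bytes from a file instead).
    with open(sys.argv[1], "rb") as f:
        scrubbed, n = scrub_pcap(f.read(), WORM_MARKER)
    with open(sys.argv[2], "wb") as f:
        f.write(scrubbed)
    print("replaced %d occurrence(s)" % n)
```

Two practical points follow from the code. Keeping the replacement the same length as the pattern is what lets the scrubbed file load cleanly, since the record headers and the IP/TCP length fields are not recomputed; if the worm body is to be cut out rather than overwritten, those fields (and the checksums, if they matter to the consumer) have to be fixed up too. And because the substitution is per packet, a body that a router or the sender's TCP stack split across segments, as jschiwal warns, will only be caught if the pattern is searched in the reassembled stream or is short enough to fall inside a single segment.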

