tcpdump mailing list archives

Re: Question about grabbing/modifying packets


From: "Quasar" <quasar () speakeasy net>
Date: Sun, 15 Jun 2003 17:40:36 -0600

Is it possible to modify the packets using that snort-inline patch?  Or how
would I go about that?  Also, if you modify the packet and re-insert it into
the stream, is that transparent to the application, or are there built-in CRCs
and things on UDP packets that would change?
Thanks

----- Original Message ----- 
From: "Darren Bounds" <dbounds () intrusense com>
To: "'Quasar'" <quasar () speakeasy net>; <tcpdump-workers () tcpdump org>
Sent: Sunday, June 15, 2003 5:23 PM
Subject: RE: [tcpdump-workers] Question about grabbing/modifying packets


I believe the proper term for what you're speaking about is "packet
scrubbing".

Among many others, the Snort-Inline patch for Snort IDS does this but
uses libipq rather than libpcap.

Available at: http://snort-inline.sf.net


Darren Bounds
Security Consultant
Information Security Services
Intrusense Inc.

-----Original Message-----
From: owner-tcpdump-workers () sandelman ottawa on ca
[mailto:owner-tcpdump-workers () sandelman ottawa on ca] On Behalf Of
Quasar
Sent: Sunday, June 15, 2003 2:52 PM
To: tcpdump-workers () tcpdump org
Subject: [tcpdump-workers] Question about grabbing/modifying packets

Goal:
To be able to watch for certain packets, edit them, place them back in
the stream so the application is unaware that anything has been changed,
i.e. the sender or anything like that.

Possible implementations that I can think of:
Place a Linux machine in between me and the internet and write some kind of
program to watch for those packets, change them if need be, and have it
forward the packets to this machine.

Write a low-level NDIS or TDI driver in Windows
(don't have any experience doing either of those other than ONLY
forwarding packets with a Linux machine between me and the internet
using iptables).

Are there any links anyone can provide on how this could be accomplished,
or am I heading in the right direction? Also, I am wondering how I can
stop the stream, maybe stick it in a buffer or something while I work on
that packet, then re-insert it and re-enable the stream? Anyway, I'm new
to this and figured the veterans might be able to help.
Thanks in advance-




-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
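
Added example, not part of the original thread or of snort-inline: on the checksum question raised above, UDP over IPv4 carries a 16-bit one's-complement checksum (not a CRC) that covers a pseudo-header, the UDP header and the payload, so an in-line scrubber that edits a payload byte must recompute it or the receiver discards the datagram. The function names and the sample datagram (documentation addresses 192.0.2.1 and 192.0.2.2, ports 40000 and 40001) are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Folded one's-complement sum of IPv4 pseudo-header + UDP datagram (RFC 768). */
static uint16_t udp_sum(const uint8_t *src, const uint8_t *dst,
                        const uint8_t *udp, uint16_t len) {
    uint32_t sum = 17u + len;            /* pseudo-header: protocol 17, UDP length */
    size_t i;
    for (i = 0; i < 4; i += 2)           /* pseudo-header: source and destination */
        sum += (uint32_t)(src[i] << 8 | src[i + 1]) + (uint32_t)(dst[i] << 8 | dst[i + 1]);
    for (i = 0; i + 1 < len; i += 2)     /* UDP header and payload, 16 bits at a time */
        sum += (uint32_t)(udp[i] << 8 | udp[i + 1]);
    if (len & 1)                         /* odd trailing byte is zero-padded */
        sum += (uint32_t)udp[len - 1] << 8;
    while (sum >> 16)                    /* fold carries back into the low 16 bits */
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)sum;
}

/* Recompute and store the checksum (UDP header bytes 6-7); returns it. */
uint16_t udp_fix_checksum(const uint8_t *src, const uint8_t *dst,
                          uint8_t *udp, uint16_t len) {
    uint16_t c;
    udp[6] = udp[7] = 0;
    c = (uint16_t)~udp_sum(src, dst, udp, len);
    if (c == 0) c = 0xffff;              /* 0 on the wire means "no checksum" */
    udp[6] = (uint8_t)(c >> 8); udp[7] = (uint8_t)c;
    return c;
}

/* Receiver-side check: 1 = accepted, 0 = dropped as corrupt. */
int udp_checksum_ok(const uint8_t *src, const uint8_t *dst,
                    const uint8_t *udp, uint16_t len) {
    if (udp[6] == 0 && udp[7] == 0) return 1;   /* IPv4 sender sent no checksum */
    return udp_sum(src, dst, udp, len) == 0xffff;
}

/* Constructed datagram 192.0.2.1:40000 -> 192.0.2.2:40001, payload "hello". */
int scrub_demo(void) {
    const uint8_t src[4] = {192, 0, 2, 1}, dst[4] = {192, 0, 2, 2};
    uint8_t udp[13] = {0x9c, 0x40, 0x9c, 0x41, 0, 13, 0, 0, 'h', 'e', 'l', 'l', 'o'};
    udp_fix_checksum(src, dst, udp, sizeof udp);
    int r = udp_checksum_ok(src, dst, udp, sizeof udp);      /* bit 0: as sent */
    udp[8] = 'j';                                            /* in-line payload edit */
    r |= udp_checksum_ok(src, dst, udp, sizeof udp) << 1;    /* bit 1: stale checksum */
    udp_fix_checksum(src, dst, udp, sizeof udp);
    r |= udp_checksum_ok(src, dst, udp, sizeof udp) << 2;    /* bit 2: after recompute */
    return r;
}
```

The IPv4 header checksum covers only the IP header, so it needs recomputing only when a header field or the total length changes.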

