tcpdump mailing list archives
Re: Question about grabbing/modifying packets
From: "Quasar" <quasar () speakeasy net>
Date: Sun, 15 Jun 2003 17:40:36 -0600
Is it possible to modify the packets using that snort-inline patch? Or how would I go about that? Also, if you modify the packet and re-insert it into the stream, is that transparent to the application, or are there built-in CRCs and things on UDP packets that would change?

Thanks

----- Original Message -----
From: "Darren Bounds" <dbounds () intrusense com>
To: "'Quasar'" <quasar () speakeasy net>; <tcpdump-workers () tcpdump org>
Sent: Sunday, June 15, 2003 5:23 PM
Subject: RE: [tcpdump-workers] Question about grabbing/modifying packets

I believe the proper term for what you're speaking about is "packet scrubbing". Among many others, the Snort-Inline patch for Snort IDS does this but uses libipq rather than libpcap.

Available at: http://snort-inline.sf.net

Darren Bounds
Security Consultant
Information Security Services
Intrusense Inc.

-----Original Message-----
From: owner-tcpdump-workers () sandelman ottawa on ca [mailto:owner-tcpdump-workers () sandelman ottawa on ca] On Behalf Of Quasar
Sent: Sunday, June 15, 2003 2:52 PM
To: tcpdump-workers () tcpdump org
Subject: [tcpdump-workers] Question about grabbing/modifying packets

Goal: To be able to watch for certain packets, edit them, and place them back in the stream so the application is unaware that anything has been changed, i.e. the sender or anything like that.

Possible implementations that I can think of:

- place a Linux machine in between me and the internet and write some kind of program to watch for those packets, change them if need be, and have it forward the packets to this machine
- write a low-level NDIS or TDI driver in Windows (I don't have any experience doing either of those, other than ONLY forwarding packets with a Linux machine between me and the internet using iptables)

Are there any links anyone can provide on how this could be accomplished, or am I heading in the right direction?

Also I am wondering how I can stop the stream, maybe stick it in a buffer or something while I work on that packet, then re-insert it and re-enable the stream? Anyway, I'm new to this and figured the veterans might be able to help.

Thanks in advance-

-
This is the TCPDUMP workers list.
It is archived at http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
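The checksum question in the reply above is where a first attempt at inline packet editing usually breaks. The example below is added here and is not from the thread, from tcpdump or from snort-inline; it assumes you already have the raw IPv4 datagram in hand (for instance handed to userspace by an iptables QUEUE/NFQUEUE target through libipq, the mechanism Darren mentions) and all function names in it are hypothetical. It builds a constructed IPv4/UDP datagram, shows that overwriting the payload without touching the checksums leaves a datagram the receiving stack will silently drop, and then does the rewrite properly: UDP length, UDP checksum over its pseudo-header, IPv4 Total Length and IPv4 header checksum.

```python
import socket
import struct
from typing import Tuple

UDP_PROTO = 17


def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; a zero byte pads odd-length input."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back in (end-around carry)
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header_checksum(header: bytes) -> int:
    """Checksum of the IPv4 header with its own checksum field (bytes 10-11) zeroed."""
    return internet_checksum(header[:10] + b"\x00\x00" + header[12:])


def udp_checksum(src: bytes, dst: bytes, udp: bytes) -> int:
    """UDP checksum over pseudo-header (src, dst, zero, proto, UDP length) plus the datagram."""
    pseudo = src + dst + struct.pack("!BBH", 0, UDP_PROTO, len(udp))
    csum = internet_checksum(pseudo + udp[:6] + b"\x00\x00" + udp[8:])
    return csum or 0xFFFF                    # RFC 768: a computed 0 is transmitted as 0xFFFF


def build_ipv4_udp(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed sample datagram (not a capture): minimal 20-byte IPv4 header + UDP."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    udp = udp[:6] + struct.pack("!H", udp_checksum(src, dst, udp)) + udp[8:]
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0x4000, 64, UDP_PROTO, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", ipv4_header_checksum(hdr)) + hdr[12:]
    return hdr + udp


def split_ipv4_udp(packet: bytes) -> Tuple[bytes, bytes]:
    """Return (ip_header, udp_datagram); honours IHL and Total Length, rejects non-UDP."""
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != UDP_PROTO or len(packet) < total_len or ihl < 20:
        raise ValueError("not a well-formed IPv4/UDP packet")
    return packet[:ihl], packet[ihl:total_len]


def verify_checksums(packet: bytes) -> Tuple[bool, bool]:
    """(ip_header_ok, udp_ok). A valid checksum yields 0 when the field itself is included.
    Caveat: on IPv4 a UDP checksum field of 0 means 'none', so the receiver will not check it."""
    hdr, udp = split_ipv4_udp(packet)
    ip_ok = internet_checksum(hdr) == 0
    if udp[6:8] == b"\x00\x00":
        udp_ok = True
    else:
        pseudo = hdr[12:16] + hdr[16:20] + struct.pack("!BBH", 0, UDP_PROTO, len(udp))
        udp_ok = internet_checksum(pseudo + udp) == 0
    return ip_ok, udp_ok


def udp_payload(packet: bytes) -> bytes:
    return split_ipv4_udp(packet)[1][8:]


def naive_replace_payload(packet: bytes, new_payload: bytes) -> bytes:
    """Same-length overwrite with no checksum fix-up: what a first attempt usually does."""
    hdr, udp = split_ipv4_udp(packet)
    if len(new_payload) != len(udp) - 8:
        raise ValueError("naive overwrite must keep the length")
    return hdr + udp[:8] + new_payload


def scrub_udp_payload(packet: bytes, new_payload: bytes) -> bytes:
    """Replace the UDP payload (any length) and recompute UDP length, UDP checksum,
    IPv4 Total Length and IPv4 header checksum so the receiver sees a valid datagram."""
    hdr, udp = split_ipv4_udp(packet)
    new_udp = udp[:4] + struct.pack("!HH", 8 + len(new_payload), 0) + new_payload
    new_udp = new_udp[:6] + struct.pack("!H", udp_checksum(hdr[12:16], hdr[16:20], new_udp)) + new_udp[8:]
    new_hdr = hdr[:2] + struct.pack("!H", len(hdr) + len(new_udp)) + hdr[4:]
    new_hdr = new_hdr[:10] + struct.pack("!H", ipv4_header_checksum(new_hdr)) + new_hdr[12:]
    return new_hdr + new_udp


if __name__ == "__main__":
    pkt = build_ipv4_udp("10.0.0.1", "10.0.0.2", 40000, 53, b"hello")
    print("original   ", verify_checksums(pkt))
    print("naive edit ", verify_checksums(naive_replace_payload(pkt, b"HELLO")))
    fixed = scrub_udp_payload(pkt, b"HELLO, world")
    print("scrubbed   ", verify_checksums(fixed), udp_payload(fixed))
```

UDP is the easy case: the only state to keep consistent is inside the one datagram. TCP carries a checksum over the same kind of pseudo-header, but if you change a segment's length you must also rewrite the sequence and acknowledgement numbers of every later segment in both directions for the rest of the connection, which is why same-length replacement is the usual approach for inline scrubbing. On IPv6 the UDP checksum is mandatory, so the "zero means none" shortcut above does not apply there.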
Current thread:
- Question about grabbing/modifying packets Quasar (Jun 15)
- <Possible follow-ups>
- Re: Question about grabbing/modifying packets Quasar (Jun 15)
- Re: Question about grabbing/modifying packets Quasar (Jun 15)