Exact PCAP Modify

Exact PCAP Modify (exact-pcap-modify) is a tool which can be used to filter and modify Ethernet packets. Where modifications occur which would invalidate a checksum, Exact PCAP Modify will recalculate a correct checksum in the output file.

It can perform modify/filter operations on the following fields:

  • Ethernet header:
    • Destination MAC address (DST MAC)
    • Source MAC address (SRC MAC)
  • 802.1Q tag:
    • VLAN ID
  • IPv4 header:
    • Source address (SRC IP)
    • Destination address (DST IP)
    • Time-to-live (IP TTL)
  • UDP/TCP headers:
    • Source port (SRC PORT)
    • Destination port (DST PORT)

Example:

$ exact-pcap-modify -i capture.pcap -f expcap -w modified -a 1.1.1.1,2.2.2.2

Configuration

Options which operate on the fields of a header are to be supplied in the form filter,modify. For example, if Exact PCAP Modify should filter a capture such that only packets with the SRC IP of 1.1.1.1 are written to the output, it should be invoked with the --src-ip 1.1.1.1 option.

If the user wishes to modify all packets which have the SRC IP 1.1.1.1 to produce an output where the SRC IP becomes 2.2.2.2, it should be invoked with the --src-ip 1.1.1.1,2.2.2.2 option.

When multiple filters are used, packets will need to match all of the specified filters to be present in the output capture.
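
The filter,modify form applied to the SRC IP of one IPv4 header, with the header checksum recalculated after the rewrite. This is an added example, not Exact PCAP Modify's own code; the helper names and the sample header are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 1071 Internet checksum over len bytes (big-endian 16-bit words). */
static uint16_t inet_checksum(const uint8_t *p, size_t len)
{
    uint32_t acc = 0;
    for (; len > 1; p += 2, len -= 2)
        acc += ((uint32_t)p[0] << 8) | p[1];
    if (len)
        acc += (uint32_t)p[0] << 8;          /* odd trailing byte, zero padded */
    while (acc >> 16)
        acc = (acc & 0xffff) + (acc >> 16);  /* fold carries back in */
    return (uint16_t)~acc;
}

/* A valid header sums to 0 when the checksum field is included. */
int ipv4_checksum_ok(const uint8_t *ip, size_t ihl)
{
    return inet_checksum(ip, ihl) == 0;
}

/* Hypothetical helper mirroring "--src-ip match,repl" on one IPv4 header.
 * Returns 1 = matched and rewritten, 0 = no match (filtered), -1 = malformed.
 * TCP/UDP checksums cover the addresses too (pseudo-header); not handled here. */
int rewrite_src_ip(uint8_t *ip, size_t len, const uint8_t match[4], const uint8_t repl[4])
{
    if (len < 20 || (ip[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > len) return -1;
    if (memcmp(ip + 12, match, 4) != 0) return 0;
    memcpy(ip + 12, repl, 4);                /* SRC IP is at bytes 12..15 */
    ip[10] = ip[11] = 0;                     /* zero checksum before summing */
    uint16_t c = inet_checksum(ip, ihl);
    ip[10] = (uint8_t)(c >> 8);
    ip[11] = (uint8_t)(c & 0xff);
    return 1;
}

int main(void)
{
    /* Constructed sample: UDP, TTL 64, 1.1.1.1 -> 10.0.0.1, checksum 0x2ecf. */
    uint8_t hdr[20] = {0x45,0,0,0x1c, 0,0,0x40,0, 0x40,0x11,0x2e,0xcf, 1,1,1,1, 10,0,0,1};
    const uint8_t from[4] = {1,1,1,1}, to[4] = {2,2,2,2};
    int r = rewrite_src_ip(hdr, sizeof hdr, from, to);
    printf("result=%d checksum=0x%02x%02x ok=%d\n", r, hdr[10], hdr[11], ipv4_checksum_ok(hdr, 20));
    return 0;
}
```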

The following table lists all commands available:

| Short | Long | Default | Description |
|-------|------|---------|-------------|
| i | input | (required) | The .pcap/.expcap file to filter/modify. |
| w | write | (required) | The destination file where packets which match the specified filter will be written to. |
| W | write-filtered | (optional) | The destination file where all packets which do not match all specified filters will be written to. |
| v | verbose | (flag) | Enables verbose output printing. |
| f | format | expcap | The file format to use when writing out packets. Valid options are .pcap and .expcap. |
| o | offset | 0 | Jump to the specified packet offset and start processing filter/modify operations from there. |
| t | time | 0 (Epoch time in ns) | Skip all packets that are older than this time. |
| m | max | 0 (no limit) | The maximum number of packets to write out in total. |
| n | num-chars | 64 | For use with --verbose. Limit the number of characters written when dumping packets. |
| e | dst-mac | (null) | Filter/modify based on the DST MAC. Accepts arguments in the form 0x001122334455 for filtering and 0x001122334455,0xAABBCCDDEEFF for filtering and modifying. |
| E | src-mac | (null) | Filter/modify based on the SRC MAC. Accepts arguments in the form 0x001122334455 for filtering and 0x001122334455,0xAABBCCDDEEFF for filtering and modifying. |
| l | vlan | (null) | Filter/modify based on the VLAN ID. Accepts arguments in the form 100 for filtering and 100,200 for filtering and modifying. See the note on adding and stripping tags below the table. |
| a | src-ip | (null) | Filter/modify based on the SRC IP. Accepts arguments in the form 1.1.1.1 for filtering and 1.1.1.1,2.2.2.2 for filtering and modifying. |
| A | dst-ip | (null) | Filter/modify based on the DST IP. Accepts arguments in the form 1.1.1.1 for filtering and 1.1.1.1,2.2.2.2 for filtering and modifying. |
| T | ip-ttl | (null) | Filter/modify based on the IP TTL. Accepts arguments in the form 10 for filtering and 10,64 for filtering and modifying. |
| p | src-port | (null) | Filter/modify based on the SRC PORT of the TCP/UDP header. Accepts arguments in the form 1000 for filtering and 1000,2000 for filtering and modifying. |
| P | dst-port | (null) | Filter/modify based on the DST PORT of the TCP/UDP header. Accepts arguments in the form 1000 for filtering and 1000,2000 for filtering and modifying. |
| d | device-type | nexus3548 | When modifying frames, emulate the behaviour of the specified device. Valid values are: nexus3548, fusion, triton, arista7150. |

The --vlan option also allows users to strip and add 802.1Q tags in addition to filtering and modifying based on these tags. For example, if --vlan 0,100 is specified, Exact PCAP Modify will add an 802.1Q header with a VLAN ID of 100 to all non-802.1Q frames.

The inverse usage, --vlan 100,0, will cause Exact PCAP Modify to strip the 802.1Q tag from all frames which have VLAN ID 100 and set the EtherType to IPv4.