Modifying Packet Captures with tcprewrite

Recently I wanted to look at the structure of sFlow packets. Of course I can read the specs, but it’s often easier to look at some real packets. So I set up a simple network, configured sFlow, created some traffic across the network, and used tcpdump to capture the sFlow packets.

Unfortunately I had a bit of a brain fade, and configured sFlow to use port 2055, not port 6343. So it looked like this:

This is totally fine, but by default Wireshark won’t decode this as sFlow. It appears like this:

[Screenshot: Wireshark_UDP_2055]

No big deal, I can right-click, go “Decode As…”, set UDP Port to 2055, choose “sFlow” from the drop-down, and hit OK. Now it looks OK:

[Screenshot: Wireshark_sFlow]

But I don’t want to do that every time I open the file. More to the point, I don’t want to have to tell someone else to do that when opening the file. I wanted to change the packets to have a destination port of 6343, the commonly used sFlow port. Wireshark will default to decoding UDP/6343 packets as sFlow.

I’d torn down my lab by this stage, and couldn’t be bothered re-configuring it & collecting new traffic. What I really wanted was to edit the existing packets to change the destination port. I found that tcprewrite, part of the Tcpreplay suite, did exactly what I needed. Here’s how I did it:

Easy as that. Of course there are many more options for rewriting packets if you want to do something complex. All I needed was this simple change, and it was quick and easy.
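As an added example (not code from this post or from the Tcpreplay project), the Python below does by hand what the post uses tcprewrite for: it walks a classic pcap, changes the UDP destination port from 2055 to 6343, and recomputes the UDP checksum, which is what tcprewrite's --portmap option combined with --fixcsum gives you. The one-packet capture it operates on is constructed inline and is not real sFlow data.

```python
import struct

def ip_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum over 16-bit words (odd lengths are padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def udp_checksum(ip_hdr: bytes, udp: bytes) -> int:
    """UDP checksum over the IPv4 pseudo-header (src, dst, proto 17, length) + datagram."""
    pseudo = ip_hdr[12:20] + struct.pack("!BBH", 0, 17, len(udp))
    return ip_checksum(pseudo + udp[:6] + b"\x00\x00" + udp[8:]) or 0xFFFF

def rewrite_udp_dport(pcap: bytes, old: int, new: int) -> bytes:
    """Copy a classic pcap, retargeting UDP packets from dst port `old` to `new`."""
    magic, = struct.unpack("<I", pcap[:4])
    e = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"      # file byte order
    out, pos = bytearray(pcap[:24]), 24
    while pos < len(pcap):
        rec = pcap[pos:pos + 16]
        caplen = struct.unpack(e + "IIII", rec)[2]
        pkt = bytearray(pcap[pos + 16:pos + 16 + caplen])
        pos += 16 + caplen
        u = 14 + (pkt[14] & 0x0F) * 4 if len(pkt) >= 34 else 0   # UDP header offset (Ethernet + IPv4)
        if u and len(pkt) >= u + 8 and pkt[12:14] == b"\x08\x00" and pkt[23] == 17:
            dport, ulen = struct.unpack("!HH", pkt[u + 2:u + 6])
            if dport == old:
                struct.pack_into("!H", pkt, u + 2, new)
                # Ports are checksummed: recompute, or Wireshark flags the packet; truncated frames get 0
                csum = udp_checksum(bytes(pkt[14:u]), bytes(pkt[u:])) if len(pkt) >= u + ulen else 0
                struct.pack_into("!H", pkt, u + 6, csum)
        out += rec + pkt                                         # non-UDP frames are copied as-is
    return bytes(out)

def build_sample_pcap(dport: int) -> bytes:
    """Constructed one-packet capture (10.0.0.1:40000 -> 10.0.0.2:dport); not real sFlow."""
    payload = b"\x00\x00\x00\x05" + b"\x00" * 12                  # stand-in datagram body
    udp = struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    udp = udp[:6] + struct.pack("!H", udp_checksum(ip, udp)) + udp[8:]
    frame = b"\x00" * 12 + b"\x08\x00" + ip + udp                    # zeroed MAC addresses
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    rec = struct.pack("<IIII", 0, 0, len(frame), len(frame))          # ts=0, caplen == len
    return hdr + rec + frame
```

Writing `rewrite_udp_dport(open("in.pcap", "rb").read(), 2055, 6343)` to a new file gives a capture Wireshark decodes as sFlow with no "Decode As…" step.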

2 Responses to Modifying Packet Captures with tcprewrite

  1. What Lies Beneath (@itsthe_network) January 15, 2016 at 11:17 pm

    Great tool I’d never heard of. Of course, I’ll now never completely trust a capture file again :-)

    • Lindsay Hill January 16, 2016 at 9:57 am

      Yeah, I’d never heard of it before until recently too. I wasn’t surprised by its existence, I was more surprised that I’d never had a good reason to seek out something like this until recently.

      Would be handy for when you need to anonymise some IP addresses in pcaps.