How To Craft

How to tell packet crafting

  1. Home
  2. Carefree Crafting
  3. How to tell packet crafting
How to tell packet crafting
January 26, 2019 Carefree Crafting 1 comment

Part 5: Packet Crafting And Editing

Table of contents

  1. Introduction
  2. Packet editing
  3. Packet Creation
  4. Running the example


In the previous Packet parsing tutorial we demonstrated how PcapPlusPlus parses packets and how to read data out the various layers. In this tutorial we’ll focus on editing packets - meaning change existing protocol data, add more data and add/remove layers, and also how to craft new packets from scratch.

Of course we won’t go over all the protocols, we’ll focus on a few which are popular:

  • Ethernet
  • VLAN
  • IPv4
  • TCP
  • UDP
  • HTTP
  • DNS

For further information about these protocols and the other protocols supported in PcapPlusPlus please go to the API documentation

Packet editing

In this part of the tutorial we’ll read a packet from a pcap file, let PcapPlusPlus parse it, and then see how we can edit and change the data in each layer. Let’s start by writing a method and add the includes that we need:

As you can see we added an include to which contains the basic parsed packet structures, to which contains the API for reading/writing from/to pcap files and to all of the layers which we will edit and add data from. In addition we included for using and which we’ll use later. This include is relevant for non-Windows operating systems only.

Now let’s read the packet from the pcap file. This pcap file contains only 1 packet, so we’ll open the reader, read the packet and close the reader:

The next step is to let PcapPlusPlus parse the packet by creating an instance of the class and giving it in the constructor a pointer to the instance we have:

You may notice this is exactly the same packet as we used in the Packet parsing tutorial but this time we won’t just read data from the various layers but actually change it. First thing we’ll do is get the Ethernet layer and change it:

As you can see, we changed the destination MAC address to We used the method exposed in to do that and we gave it a class instance we created with the new MAC address we want.

Ethernet layer is quite simple, let’s move to a more complex layer - IPv4, and see what data we can change there:

First we changed the source IPv4 address to using the method and provided it an instance of the class with the value of . Then, we used the method which casts the raw packet bytes to a struct called in the same way we did in the packet parsing tutorial, but this time instead of reading values we’re changing them. It is very important to understand that the object gives access to the actual packet bytes so it can be both read and manipulated, and each change affects the actual packet data. When setting fields which are wider than 1 byte it’s important to write in network order and that’s why we’re using to set the IP ID to 4000.

Let’s move on to the next layer - TCP:

We start by using the method which casts the raw packet bytes to a struct which contains all of the TCP fields. Again, like we saw in , this method gives access to the actual packet bytes so every change we do changes the packet. So we changed the source port to 12345 and set the URG flag.

Now let’s take a look at the 2 bottom lines in the code snippet above. exposes an API to read, add and remove TCP options. The packet we’re editing already has 3 TCP options: NOP, NOP and Timestamp. We’d like to add a fourth one of type MSS with MSS value of 1460 and we want it to appear first (before the existing TCP options). So we use the method and give it a object. This builder object gets in its constructor the TCP option type (which is ), and the option value (1460) and uses it to create the TCP option object and add it to the existing list of TCP options. That’s it! with 1 line of code we managed to add a new TCP option!

Now let move on to the last layer in this packet: HTTP. Let’s see the code:

We already discussed the highlights of the API in the Packet parsing tutorial so we won’t repeat all of it again. But as you can see the API provides setters for all of the relevant data:

  • exposes is a setter for the HTTP method where we change it to . Similar methods exist for the URI and version
  • When retrieving HTTP fields, the class exposes a method of for setting the field value (demonstrated above for and fields)
  • exposes methods for adding new fields: and , and methods for removing existing fields: . Here we demonstrated how to add and header fields (and set their values) and how to remove the header field

So far we’ve seen editing of existing layers. But what about adding new layers or removing existing ones?

Of course this is also possible using the class API. Let’s demonstrate how to add a VLAN layer between the Ethernet and IPv4 layer:

First we created a new instance and gave it the necessary parameters which are VLAN ID (123), CFI (false), priority (1) and the Ether type for the next layer (IPv4). Then we added this layer to the packet right after the Ethernet layer using method. Nice and simple :)

In the same way we added a new layer we can also remove layers from the packet using the method.

We’ve made quite a lot of changes to the packet. Let’s save it to a pcap file and view the result in Wireshark. But before doing that let’s first instruct the packet to re-calculate all of the layers’ calculated fields:

Now let’s open in Wireshark and view the result:

Packet Creation

In this part of the tutorial we’ll build a packet from scratch, create the different layers one by one and eventually save it to a pcap file to verify packet data is the same as expected.

Let’s start by creating the first layer - an Ethernet layer:

What we did here is create a new instance of the class and give it the necessary parameters which are source and dest MAC addresses (both are instances of the class instantiated with the MAC address string). Rather easy right?

Now let’s move on to the second layer - IPv4:

Here we created a new instance of the and gave it the necessary parameters which are source and dest IP addresses (both are instances of the class instantiated with the IP address string). Next, we wanted to set the IP ID and TTL values of this layer. As you can see we do that using the same API we used in the Packet editing part: call the method to get an instance of the struct (which is actually a pointer to the packet raw data cast to ) and set the IP ID and TTL values. Since IP ID is 2-bytes long we use to convert from host to network order.

Now let’s move on to the third layer - UDP:

As you can see, this is quite straight forward: we created a new instance of and gave it in the constructor the source and dest UDP ports.

Let’s move on to the fourth and last layer - DNS:

Here we first created an instance of with the default constructor (without any parameters). Then we added a DNS query record to the layer using the method and gave it the query parameters which are: query name (“”), query type (type A means IPv4 address) and query class (class IN means Internet).

That’s it! we created 4 layers, now let’s add them to a new packet. Let’s first create a new instance:

The value 100 we gave in the constructor is the expected length of the packet (in bytes). When we give this number a buffer of size 100 is automatically created and will be used to store the packet raw data. Of course, if our packet exceeds 100 bytes this buffer will be automatically extended, but this has a performance cost, so in applications that require high performance it’s better to allocate this buffer in advanced (meaning setting the buffer size in the constructor). Now it’s time to add all the layers we created to the packet, we’ll use the method for that:

We’re almost done. All that is left is to call the method to calculate the layers’ calculated fields:

Our packet is ready! Now let’s save it to a pcap file and open this file in Wireshark to verify the packet looks exactly like we built it:

Now let’s compile the code, run it and open the file in Wireshark:

As you can see, the packet looks exactly as expected.

Running the example

All code that was covered in this tutorial can be found here. In order to compile and run the code please first download and compile PcapPlusPlus code or downloaded a pre-compiled version from the latest PcapPlusPlus release. Then follow these instruction, according to your platform:

  • Linux, MacOS, FreeBSD - make sure PcapPlusPlus is installed (by running sudo make install in PcapPlusPlus main directory). Then either change the file name to and run , or run
  • Windows using MinGW or MinGW-w64 - either change the file name to and run , or run
  • Windows using Visual Studio - there is a Visual Studio solution containing all tutorials: . Just open it and compile all tutorials

In all options the compiled executable will be inside the tutorial directory ()

There’s crafting and crafting.

Technically, intercepting HTTP GET/POST traffic to modify values inside before they are sent to the server is packet crafting. In that case it could be used to verify that security isn’t just “enforced” on the client side. If I see traffic coming out of my browser with either a cookie or a parameter that says “admin = 0” you can be damn sure I’ll try it with admin set to 1.

Now, crafting packets from the ground up (ethernet frame, IP data, tcp/udp data and so on) gives you more granularity. It’s helpful when you want to see if things break when you talk to them in a weir way. Say you spot a network device that handles Vlan traffic. What happens if you change the tag? What happens if you send packets fragmented in a strange way? Once upon a time one could bypass a firewall by fragmenting the packets in such a way that neither part would trigger the rules but put together both parts should have been blocked by the policy had they been sent in only one packet. You can also make your own web/exploit scanner using specially crafted packets to check if targets are vulnerable.

Another thing that I can think of is data exfiltration and general stealth. If you work from the assumption that your target has a paranoid security specialist that keeps his phone close and is always ready to swoop in should his/her IDS/IPS starts whining that the ennemy is at the gate (or already inside) then you want to fly under the radar. How do you do that? You can piggyback on someone else’s traffic (but that requires some infrastructure already in place) or you can try to make yourself inconspicuous by staying with the crowd. If I see a boatload of traffic coming out a specific subnet during office hours (say, a lot of devs browsing stackoverflow), then I can always try and hide some traffic by crafting packets so they:

  1. Look like they come from the same subnet
  2. Look like run off the mill DNS requests for some stackoverflow subdomain, or https.
  3. Contain data I want to exfiltrate.

Now, depending on the kind of security architecture this could blow up easily so I might want to use something else entirely. Maybe…

Crafted ping packets!

Those are quite easy to make and allow you to send data over the wire while hiding them as simple ICMP traffic.

If I control a router I could also intercept and rewrite SNMP traffic so the admin doesn’t thing something’s amiss (no, I’ve not been sending 50gigs of IP over the wire, keep walking, nothing to see here).

This is but a simple overview of what can be done and I’m sure other answers will cover a lot more possibilities. The main takeaway is that if you can craft packets you get access to a lot more things that can break or behave in ways that they shouldn’t. You can also lie your mouth off to monitoring equipment but you better keep your lies consistent else things will go wrong.

How to check live systems in a network and the concept of a live system By using a customized packet, a hacker can perform many tasks, such as Lots of tools are available for packet crafting, such as Hping and Colasoft packet builder.

[Solved] Packet crafting


Hi, I'm trying to write a script that will capture signal strength of each device on my network (I've done this with just a simple tcpdump command). I now want to craft a packet and have this captured information as the payload.
I am just wondering is there a way of crafting a packet using a shell script?

Any advice would be greatly appreciated thank you.


Quick answer, no, the shell doesn't have access to raw sockets nor would "crafting" a binary packet be anything but insanely painful with what the shell provides you. The shell can certainly execute other programs that are more appropriate for this.

Without knowing your application, if you are truly looking to generate an "arbitrary" raw packet, scapy or libnet are a couple starting points.

Very seldom does one need to "craft a packet" as must applications can use one of the existing "cooked" sockets, such as those used for UDP and TCP.

1 Like


It also depends on where the data will be going. I might be tempted to investigate sending syslog packets to a remote syslog server.

  • The shell certainly can send to a syslog message with the desired contents
  • There are a zillion syslog servers that will listen for and record these messages
  • Syslog can send UDP packets, so it's very nearly as efficient as crafting your own packet
  • Messages are in text, so they're easy to read/debug


As you've brought up syslog, and I'll admit I haven't dug into it too deeply, do you know if OpenWRT natively supports syslog over TLS or, if not, which packages are required? I've seen that it can support unencrypted, unauthenticated "old-school" syslog, but I prefer to "protect" the log host.

Rich's suggestion is a good one if you need to deliver the "payload" locally. I often use MQTT over TLS with authentication if I need to have the information delivered to more than one consumer. With a "last will" on your MQTT connection, you can also get a reasonably reliable hint of the source being dead


I suggested syslog both because it can send data over a network as UDP packets (or over a TCP connection, maybe with encryption) and also because it's really easy to get it working.

If syslog worked well enough for @ConorQ, then he'd be done after only a couple hours of implementation effort. If not, he could implement a better way of sending data after verifying the rest of the application (data collection, data analysis) was working properly.


Hi @jeff and @richb-hanover thank you for your replies and I really apologize for the delayed reply I have been focusing on another part of of my code.
The reason I am creating my own packets is because I wanted to send them to an SDN controller running on my laptop (
I have tried using echo -n "hello" > /dev/udp/
Obviously I am going to change the "hello" with information that is of use to the controller but I get an error
-ash: can't create /dev/udp/ nonexistent directory
I also tried a similar way echo -n "hello" | nc 6633 but all I seem to be able to do with that method is just set up a socket connection with the controller but not actually send "hello" and it just hangs not letting me do anything. The -u option for nc does not work because the connection just gets refused.


When using nc my connection keeps being refused when trying to send a UDP packet
when I run
echo "foo" | nc -u 6633
I get back
read(net): Connection refused


Try this for writing to syslog...

[email protected]:~# logger (Your message to quotes)

Example -

[email protected]:~# logger System rebooted for hard disk upgrade

Worked for me.

Solution courtesy of


Hi @jwoods . I'm not sure this is what I am looking for but thank you for your suggestion.
What I want to do is send a custom network packet(where I supply the destination address and payload) to an SDN controller


connection refused is weird. are you sure that you have a route to that network on your machine? Do you have another program also listening to the same port? Maybe a second netcat still running in background?



What I want to do is send a custom network packet(where I supply the destination address and payload) to an SDN controller

I was following @richb-hanover's line of thought...


I might be tempted to investigate sending syslog packets to a remote syslog server.


There are a zillion syslog servers that will listen for and record these messages

I personally use Visual Syslog Server.


Example -

Configure remote logging

Send message

[email protected]:~# logger Test remote packet sent to syslog

View messages on remote location with a syslog server


@dlakelan .Thank you for the reply. I definitely have a connection as the SDN controller is printing out packets related to the devices connected to the router.
The only program I have running at the moment is the simple_switch in Ryu on my laptop as the controller.
I don't think I have another netcat running as I killed everything a few times to start up the connections again


I think I figured it out. I was making a very stupid mistake when using netcat I was using the IP address of the controller which then was getting refused. I just needed to change the IP address to a random one so that the oopenvswitch would direct the packet to the controller.
Thank you for all the help.
Here is my solution which I have put inside a C program.

char message[64];
sprintf(message,"echo %d | nc -uc 6600",rssi);

tmomas closed #16

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.

Powered by Discourse, best viewed with JavaScript enabled

Nemesis – command-line network packet crafting and injection utility

how to tell packet crafting

craft fair benson hammond house how to register
How to clean acorns for crafts
subnautica how to craft seamoht depth module 2
How to make fun christmas crafts
red dead 2 how to craft improved arrow
Dayz how to craft fireplace
how to start crafting in final fantasy 14
Hextech crafting how to get rare skins

This is a place for scripts and tools related to Wireshark / TShark that users may like to share, and for links to related NetworkTroubleshooting tools.

Some command line tools are shipped together with Wireshark. These tools are useful to work with capture files.

  • dumpcap.bat A batch file front-end for . It allows you to save settings, be notified of capture events or trigger capturing after a capture event occurs. It also provides hooks for performing custom actions through user-defined batch files, among other things. In order to get the most out of this batch file, it is recommended that you also download Handle.exe as well as mailsend1.17b14.exe, being sure to rename it to . These executables should be saved either in a directory that is in your or in the same directory as itself. (GPL, Windows)

  • maxfiles.bat A batch file to limit either the number of files in a directory to a specified limit, or the total disk space consumed by those files or both.

  • menushark, a Bourne shell menu script to allow users to employ the use of tshark by answering a few menu questions. The script also gives you the command that the menu system has made to try to teach you how to use tshark at the command line.

  • mpeg_dump, a Lua script that adds a Wireshark extension to dump MPEG-2 transport stream packets (ISO/IEC 13818-1) from a network capture to a file, for example, to extract one or more mpeg PIDs that were transported via UDP unicast or multicast.

  • osXextraction, a macOS bash script to extract particular packet types from a capture file (NOTE: it's not very macOS-specific - some small changes should allow it to work on other UN*Xes, and would probably allow it to work on Windows with Cygwin as well.)

  • RtpDumpScript, a perl script to dump RTP audio data

  • RtpH263DumpScript, a perl script to dump H.263 video data

  • tektronix2pcap, a script to convert Tektronix rf5 files to pcap format that can be loaded into Wireshark. Note that current versions of Wireshark can directly read rf5 binary captures.

  • update-ws-profiles and update-ws-profiles.bat automate changing strings in a collection of Wireshark profiles, e.g. changing "gui.filter_expressions.expr: eth.addr==11:22:33:44:55:66" to "gui.filter_expressions.expr: eth.addr==66:55:44:33:22:11"

  • update_geoip.bat A batch file inspired by Jasper Bongertz's UpdateGeoIPDB.cmd file that makes it easier to update the MaxMind GeoIP database files. (GPL, Windows)

  • The following tools can process the libpcap-format files that Wireshark and TShark produce or can perform network traffic capture and analysis functions complementary to those performed by Wireshark and TShark. In brackets you will find the program license and the supported operating systems.

  • Bro a powerful network analysis framework (BSD license, Linux, FreeBSD, macOS, possibly other various UN*Xes)

  • Cap'r Mak'r generates new pcaps for various protocols

  • Chaosreader Extracts data streams from TCP connections and writes each stream to a file (GPL, Windows, various UN*Xes)

  • CloudShark Ability to view and analyze captures in a browser, annotate and tag them, and share them with a URL.

  • Cookie Cadger Helps identify information leakage from applications that utilize insecure HTTP GET requests.

  • Driftnet It is a program which listens to network traffic and picks out images from TCP streams it observes (GPL, Linux)

  • Dshell is an extensible network forensic analysis framework that enables rapid development of plugins to support the dissection of network packet captures. (MIT, Linux)

  • EtherApe A graphical network monitor (GPL, Linux only)

  • Ettercap Allows for sniffing of machines in a switched network LAN (GPL, BSD/Linux/Solaris)

  • ExtShark is web-interface to tshark. It will bring dumping to cloud.

  • Homer SIP Capture Server & Agent

  • HPD Online hex message and pcap file parser with packet visualization.

  • HUNT Allows for sniffing of machines in a switched network LAN as well as providing a very easy to use API to modify the intercepted frames before they are forwarded. Intercept and Modify. (GPL, Linux)

  • Impacket It is a collection of Python classes focused on providing access to network packets (Apache, Linux).

  • ipsumdump summarizes TCP/IP dump files into a self-describing ASCII format easily readable by humans and programs (uses the Click modular router).

  • joincap Merge multiple pcap files together, gracefully (MIT, Linux/MacOS/Windows)

  • junkie A real-time packet sniffer and analyzer (AGPLv3, Linux)

  • justsniffer is a tcp packet sniffer. (GPL, BSD/Linux/Win32)

  • Mojo Packets Mojo Packets™ is web based tool which aims to simplify trace based analysis and troubleshooting of connectivity issues observed in Wi-Fi (IEEE 802.11) environments.

  • Moluch Moloch is an open source, large scale IPv4 packet capturing (PCAP), indexing and database system.

  • Mu DoS converts any packet into a DoS generator

  • NetSleuth is a free network forensics and pcap file analyser. It provides offline analysis for incident response, and live "silent portscanning" functionality. (GPL, Windows)

  • netsniff-ng is a free, Linux network analyzer and networking toolkit.

  • NetworkMiner A network forensic analysis tool (GPL, Windows)

  • Ntop Network top - tool that lets you analyze network traffic statistics (GPL, FreeBSD/Linux/Unix)

  • online message parser Online single hex message parser, supports Wireless/PSTN/VoIP protocols (Freeware, Web)

  • Online PCAP to MSC chart Generator generates MSC arrow diagram charts from PCAP files.

  • p0f versatile passive OS fingerprinting and many other tricks (Freeware, BSD/Linux/Win32/...). Take a lookhere to see some stats generated with p0f and some scripts.

  • packet-o-matic is a packet sniffer, supporting fairly general packet processing, used mainly for network forensics. (GPL, BSD/Linux/macOS/Solaris)

  • PacketShark™ A handheld hardware tap for 100% on-field capturing of Ethernet packets at wire speed; store captured data using an external storage device (SD memory card) and analyze using wireshark

  • pcap_diff compares pcap files for received, missing or altered packets.

  • pcapdatacopy Windows based application with various functions: copy TCP/UDP payload data from one or more .pcap files to a single file. merge multiple .pcap files into a single file, detect and export rtp streams from one or more files to both raw and wav format file.(Win32)

  • Prelude Another network intrusion detection system (GPL, BSD/Linux/Unix)

  • RRDtool is "a system to store and display time-series data (i.e. network bandwidth, machine-room temperature, server load average)". (GPL, various UN*Xes) Many RRDtool-based applications are listed on the RRD World page.

  • Show Traffic shows continuous summary list of TCP/UDP traffic (BSD, Win32)

  • Snort Network intrusion detection system (GPL, BSD/Linux/Unix/Win32)

  • SplitCap A pcap file splitter.

  • Suricata a free and open source, mature, fast and robust network threat detection engine. (GPLv2, Windows, various Un*Xes)

  • tcpflow Extracts data streams from TCP connections and writes each stream to a file (GPL, UN*X/Windows)

  • tcpick tcpick is a textmode sniffer libpcap-based that can track, reassemble and reorder tcp streams (GPL, BSD/Linux/Unix)

  • tcpstat Tool for reporting statistics for TCP connections (BSD style, BSD/Linux/Unix)

  • tcptrace Tool for analysis of TCP connections (GPL, BSD/Linux/Unix)

  • TcpView maps TCP/UDP endpoints to running programs (Freeware, Win32)

  • tcpxtract It is a tool for extracting files from network traffic based on file signatures (GPL, various UN*Xes)

  • Tele Traffic Tapper Graphical traffic-monitoring tool; can also read saved capture files (BSD style?, BSD/Linux)

  • TPCAT will analyze two packet captures (taken on each side of the firewall as an example) and report any packets that were seen on the source capture but didn’t make it to the destination (GPLv2, any OS with Python and pcapy)

  • tracesplit will split a trace into a number of smaller tracefiles (GPLv3)

  • Tranalyzer It is a lightweight flow generator and packet analyzer application (GPL, Linux)

  • TribeLab Workbench Formerly known as TraceMatcher, Workbench is a Wireshark enhancement tool that simplifies and automates many of the actions you perform each time you use Wireshark (proprietary, Windows)

  • TrimPCAP Trim PCAP files

  • Tstat A passive sniffer able to provide several insights on the traffic patterns at both the the network and transport levels (GPL, various UN*Xes)

  • VisualEther Protocol Analyzer generates sequence diagrams from Wireshark PDML output (Win32)

  • WebScarabWebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols.

  • Xplico A network forensic analysis tool (GPL, Linux only)

  • xtractr collaborative cloud app for indexing, searching, reporting and extracting on large pcaps using tshark

  • Expert Network Analysis An online tool where you can upload a pcap traffic trace captured in the network point considered as problematic and receive a personalized report

  • These tools will either generate traffic and transmit it, retransmit traffic from a capture file, perhaps with changes, or permit you to edit traffic in a capture file and retransmit it.

  • Bit-Twist includes bittwist, to retransmit traffic from a capture file, and bittwiste, to edit a capture file and write the result to another file (GPL, BSD/Linux/OSX/Windows)

  • Cat Karat - Easy packet generation tool that allows to build custom packets for firewall or target testing and has integrated scripting ability for automated testing. (Windows)

  • D-ITG - (Distributed Internet Traffic Generator) is a platform capable to produce traffic at packet level accurately replicating appropriate stochastic processes for both IDT (Inter Departure Time) and PS (Packet Size) random variables (exponential, uniform, cauchy, normal, pareto, ...).

  • epb - ethernet package bombardier Simple CLI tool for generating/converting ethernet packets from plain text/pcap/netmon/snoop files. (BSD like, Linux/Unix)

  • HexInject is a very versatile packet injector and sniffer, that provides a command-line framework for raw network access. (BSD License (2011), *nix)

  • Mausezahn Mausezahn is a free fast traffic generator written in C which allows you to send nearly every possible and impossible packet.

  • Nemesis is a command-line network packet crafting and injection utility. Nemesis can natively craft and inject ARP, DNS, ETHERNET, ICMP, IGMP, IP, OSPF, RIP, TCP and UDP packets. (GPL, BSD/Linux/Solaris/Mac OSX/Win32)

  • Network Expect is a framework that allows to easily build tools that can interact with network traffic. Following a script, traffic can be injected into the network, and decisions can be taken, and acted upon, based on received network traffic. An interpreted language provides branching and high-level control structures to direct the interaction with the network. Network Expect uses libwireshark for all packet dissection tasks. (GPL, BSD/Linux/OSX)

  • Network Traffic Generator Client/Server based TCP/UDP traffic generator (GPL, BSD/Linux/Win32)

  • Ostinato is a network packet and traffic generator and analyzer with a friendly GUI. It aims to be "Wireshark in Reverse" and thus become complementary to Wireshark. It features custom packet crafting with editing of any field for several protocols: Ethernet, 802.3, LLC SNAP, VLAN (with Q-in-Q), ARP, IPv4, IPv6, IP-in-IP a.k.a IP Tunneling, TCP, UDP, ICMP, IGMP, MLD, HTTP, SIP, RTSP, NNTP, etc. It is useful for both functional and performance testing. (GPL, Linux/BSD/OSX/Win32)

  • packETH GUI/CLI Ethernet packet generator (GPL, Linux/OSX/Windows)

  • PlayCap is a GUI tool for playing back pcap/Wireshark captures (GPL, Linux/Windows).

  • Scapy Scapy is a powerful interactive packet manipulation program (in Python). It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. (GPL, BSD/Linux/OSX)

  • tcpreplay the opposite of tcpdump, send pcap files out of an interface (BSD, BSD/Linux/Unix)

  • Colasoft Packet Player is a packet replayer which allows users to open captured packet trace files and play them back in the network. (Windows, see EULA)

  • These tools can be used to "anonymize" capture files, replacing fields such as IP addresses with randomized values.

    These tools attempt to repair damaged capture files as much as can be done.

    These tools convert between different capture file formats.

    Currently, raw USB traffic can be captured with Wireshark only under Linux, macOS, and Windows; see CaptureSetup/USB. If it's an Ethernet (or any other network related) USB adapter, Wireshark can capture e.g. Ethernet traffic from that USB device if the platform supports it (which it usually will do). On Win32 you can however try:

    • SniffUSB "minor" updates and port of usbsnoop 1.8 (v2.0.0006 Feb 2007)

    • SnoopyPro based on usbsnoopy, last updated (v0.22) in 2002 (GPL, Win32)

      • Also usbsnoop seems to be by the same developer, but updated through 2001-2003 (latest v1.8)

    • usbsnoopy last updated (v0.13) in 2001 (no license, source incl., Win32)

    Intrusion Analysis / SQL Database Support

    • C5 SIGMA from Command Five Pty Ltd automates TShark (Wireshark) to load large quantities of packet capture data into a SQL database using an automatically generated schema. C5 SIGMA flattens the Wireshark protocol tree into a relational table structure useful for intrusion analysis and data correlation with other systems. It also enables SQL queries against otherwise unnamed text fields visible in the Wireshark protocol tree by intelligently generating human readable names. C5 SIGMA is free software, released under GPL.

    • pcap2xml/sqlite This tool converts 802.11 packet traces (PCAP format) into an XML and SQLITE equivalent so you can now run XPATH/XQUERY/SQL queries on the packets.

    WATCH THE VIDEO ON THEME: Daniel Pacheco - INACAP: Packet Crafting

    Steps Involved in Packet Crafting [icegram messages=”″]. The idea behind crafting is to try to simulate an attack and to identify the.

    Cyber Attacks Explained: Packet Crafting

    How to Hack: Using Scapy Packet Crafting Tools

    Scapy is a tool that enables the user to craft, sniff and forge network packets. In other words, it is a powerful interactive packet manipulation tool written in python by Philippe Biondi. It can easily handle most tasks like scanning, tracerouting, probing, attacks or network discovery in a network. It can replace hping, arpspoof, arping, and even some part of Nmap, tcpdump, & tshark. Mainly operates two Scenario: sending packets and receiving packets.

    You will get an interactive terminal when you write command in the terminal.

    Figure 1
    Now let’s create via Scapy tool in Terminal

    Figure 2
    Here, in fig.2 “a” is the variable that we have taken to store our packet values in it. “TCP()/IP()” is the packet that we are crafting here.

    Figure 3

    Here in Fig.3, is used to show the fields of the packets.

    Now, let’s manipulate the packet.

    Scapy tries to use sensible default values for all packet fields. If not overridden,

    • IP source is chosen according to destination and routing table
    • Checksum is computed
    • Source MAC is chosen according to the output interface
    • Ethernet type and IP protocol are determined by the upper layer

    Other fields’ default values are chosen to be the most useful ones:

    • The TCP source port is 20, the destination port is 80.
    • UDP source and destination ports are 53.
    • ICMP type is echo request.

    So, to manipulate the packet you need to give the commands as shown in Fig.4

    Figure 4
    Now, to check if all the fields are set, we can give the command as shown in Fig.5

    Figure 5

    Now that we know how to manipulate the packet. Let’s see how to send them. The send() function will send the packets as shown in Fig.6
    To send a packet more than one time you can give the command as shown in Fig.7

    Figure 6

    Figure  10

    As you can see the packet has been crafted and now, we can send it.

    Figure 11

    From the above figure, you can see the results that we have got. For more in-depth information on Scapy you can also refer to the documentation by Philippe Biondi. We can do a lot using Scapy functions and modules.

    For More Cyber Security related Blog’s 

    Related Topics:

    What is Domain Name Server (DNS) Attacks and How Does it Work?

    Nmap Cheatsheet For Beginners 

    how to tell packet crafting

    WATCH THE VIDEO ON THEME: Packet crafting

    Packet crafting for Python2 and Python3. Scapy versions · GPLv2 · Join the chat at · Packaging status.

    how to tell packet crafting
    Written by Bajind
    1 Comment
    • Faegrel

      FaegrelFebruary 05, 2019 12:13 AM

      It agree, a remarkable phrase

    Write a comment