Tutorials
Part 5: Packet crafting and editing
This part explains how to edit existing packet and craft new ones
Table of contents:
- Part 1: Introduction and basics
- Part 2: Reading and writing pcap files
- Part 3: Capturing and sending packets
- Part 4: Packet parsing
- Part 5: Packet crafting and editing
Introduction
In the previous Packet editing tutorial we demonstrated how PcapPlusPlus parses packets and how to read data out the various layers. In this tutorial we'll focus on editing packets - meaning change existing protocol data, add more data and add/remove layers, and also how to craft new packets from scratch.
Of course we won't go over all the protocols, we'll focus on a few which are popular:
- Ethernet
- VLAN
- IPv4
- TCP
- UDP
- HTTP
- DNS
For further information about these protocols and the other protocols supported in PcapPlusPlus please go to the API documentation
Packet editing
In this part of the tutorial we'll read a packet from a pcap file,
let PcapPlusPlus parse it, and then see how we can edit and change the
data in each layer. Let's start by writing a main()
method and add the includes that we need:
#if !defined(WIN32) && !defined(WINx64)
#include // this is for using ntohs() and htons() on non-Windows OS's
#endif
#include "stdlib.h"
#include "Packet.h"
#include "EthLayer.h"
#include "VlanLayer.h"
#include "IPv4Layer.h"
#include "TcpLayer.h"
#include "HttpLayer.h"
#include "UdpLayer.h"
#include "DnsLayer.h"
#include "PcapFileDevice.h"
int main(int argc, char* argv[])
{
// We'll write our code here
}
As you can see we added an include to Packet.h
which contains the basic parsed packet structures, to PcapFileDevice.h
which contains the API for reading/writing from/to pcap files and to
all of the layers which we will edit and add data from. In addition we included
in.h
for using htons()
and
ntohs()
which we'll use later. This include is relevant for non-Windows
operating systems only.
Now let's read the packet from the pcap file. This pcap file contains only 1 packet, so we'll open the reader, read the packet and close the reader:
// use the IFileReaderDevice interface to automatically identify file type (pcap/pcap-ng)
// and create an interface instance that both readers implement
pcpp::IFileReaderDevice* reader = pcpp::IFileReaderDevice::getReader("1_http_packet.pcap");
// verify that a reader interface was indeed created
if (reader == NULL)
{
printf("Cannot determine reader for file type\n");
exit(1);
}
// open the reader for reading
if (!reader->open())
{
printf("Cannot open input.pcap for reading\n");
exit(1);
}
// read the first (and only) packet from the file
pcpp::RawPacket rawPacket;
if (!reader->getNextPacket(rawPacket))
{
printf("Couldn't read the first packet in the file\n");
return 1;
}
// close the file reader, we don't need it anymore
reader->close();
The next step is to let PcapPlusPlus parse the packet by creating an
instance of the Packet
class and giving it
in the constructor a pointer to the RawPacket
instance we have:
// parse the raw packet into a parsed packet
pcpp::Packet parsedPacket(&rawPacket);
You may notice this is exactly the same packet as we used in the Packet parsing tutorial but this time we won't just read data from the various layers but actually change it. First thing we'll do is get the Ethernet layer and change it:
// now let's get the Ethernet layer
pcpp::EthLayer* ethernetLayer = parsedPacket.getLayerOfType<pcpp::EthLayer>();
// change the source dest MAC address
// change the source dest MAC address
ethernetLayer->setDestMac(pcpp::MacAddress("aa:bb:cc:dd:ee:ff"));
As you can see, we changed the destination MAC address to "aa:bb:cc:dd:ee".
We used the
setDestMac()
method exposed
in EthLayer
to do that and we gave it a MacAddress
class instance we created with the new MAC address we want.
Ethernet layer is quite simple, let's move to a more complex layer - IPv4, and see what data we can change there:
// let's get the IPv4 layer
pcpp::IPv4Layer* ipLayer = parsedPacket.getLayerOfType<pcpp::IPv4Layer>();
// change source IP address
ipLayer->setSrcIpAddress(pcpp::IPv4Address(std::string("1.1.1.1")));
// change IP ID
ipLayer->getIPv4Header()->ipId = htons(4000);
// change TTL value
ipLayer->getIPv4Header()->timeToLive = 12;
First we changed the source IPv4 address to "1.1.1.1"
using the method setSrcIpAddress()
and provided it
an instance of the class IPv4Address
with the value
of "1.1.1.1"
. Then, we used the getIPv4Header()
method which casts the raw packet bytes to a struct called iphdr*
in the same way we did in the packet
parsing tutorial, but this time instead of reading values we're
changing them. It is very important to understand that the iphdr*
object gives access to the actual packet bytes so it can be both
read and manipulated, and each change affects the actual packet
data. When setting fields which are wider than 1 byte it's
important to write in network order and that's why we're using htons()
to set the IP ID to 4000.
Let's move on to the next layer - TCP:
// let's get the TCP layer
pcpp::TcpLayer* tcpLayer = parsedPacket.getLayerOfType<pcpp::TcpLayer>();
// change source port
tcpLayer->getTcpHeader()->portSrc = htons(12345);
// add URG flag
tcpLayer->getTcpHeader()->urgFlag = 1;
// add MSS TCP option
uint16_t mssValue = htons(1460);
tcpLayer->addTcpOptionAfter(pcpp::TCPOPT_MSS, PCPP_TCPOLEN_MSS, (uint8_t*)&mssValue, NULL);
We start by using the method getTcpHeader()
which
casts the raw packet bytes to a struct tpchdr*
which contains all of the TCP fields. Again, like we saw in IPv4Layer
, this method gives access to the actual
packet bytes so every change we do changes the packet. So
we changed the source port to 12345 and set the URG flag.
Now let's take a look at the 2 bottom lines in the code snippet
above. TcpLayer
exposes an API to read, add
and remove TCP options. The packet we're editing already has 3 TCP
options: NOP, NOP and Timestamp. We'd like to add a fourth one of
type MSS with MSS value of 1460 and we want it to appear first (before
the existing TCP options). So we use the addTcpOptionAfter()
method and give it the following parameters: TCP option type
(MSS), TCP option length (PcapPlusPlus already has a macro for
that: PCPP_TCPOLEN_MSS
), the TCP option value which
is 1460 cast to a byte array, and the layer we want to put our
option after (in this case we set NULL
which means this option
will be inserted as the first one). That's it! with 2 lines of
code we managed to add a TCP option!
Now let move on to the last layer in this packet: HTTP. Let's see the code:
// let's get the HTTP layer
pcpp::HttpRequestLayer* httpRequestLayer = parsedPacket.getLayerOfType<pcpp::HttpRequestLayer&hl;();
// change the request method from GET to TRACE
httpRequestLayer->getFirstLine()->setMethod(pcpp::HttpRequestLayer::HttpTRACE);
// change host to www.google.com
httpRequestLayer->getFieldByName(PCPP_HTTP_HOST_FIELD)->setFieldValue("www.google.com");
// change referer value to www.aol.com
httpRequestLayer->getFieldByName(PCPP_HTTP_REFERER_FIELD)->setFieldValue("www.aol.com");
// remove cookie field
httpRequestLayer->removeField(PCPP_HTTP_COOKIE_FIELD);
// add x-forwarded-for field
pcpp::HttpField* xForwardedForField = httpRequestLayer->insertField(httpRequestLayer->getFieldByName(PCPP_HTTP_HOST_FIELD), "X-Forwarded-For", "1.1.1.1");
// add cache-control field
httpRequestLayer->insertField(xForwardedForField, "Cache-Control", "max-age=0");
We already discussed the highlights of the HttpLayer
API in the
Packet parsing tutorial so we
won't repeat all of it again. But as you can see the
API provides setters for all of the relevant data:
HttpRequestFirstLine
exposes is a setter for the HTTP methodsetMethod()
where we change it toTRACE
. Similar methods exist for the URI and version- When retrieving HTTP fields, the
HttpField
class exposes a method ofsetFieldValue()
for setting the field value (demonstrated above for"Host"
and"Referer"
fields) HttpLayer
exposes methods for adding new fields:insertField()
andaddField()
, and methods for removing existing fields:removeField()
. Here we demonstrated how to add"X-Forwarded-For"
and"Cache-Control"
header fields (and set their values) and how to remove the"Cookie"
header field
So far we've seen editing of existing layers. But what about adding new layers or removing existing ones?
Of course this is also possible using the Packet
class API. Let's demonstrate how to add a VLAN layer between the Ethernet and IPv4 layer:
// create a new vlan layer
pcpp::VlanLayer newVlanLayer(123, false, 1, PCPP_ETHERTYPE_IP);
// add the vlan layer to the packet after the existing Ethernet layer
parsedPacket.insertLayer(ethernetLayer, &newVlanLayer);
First we created a new VlanLayer
instance and gave it the necessary parameters which are VLAN ID (123), CFI (false), priority (1) and the Ether type for the next layer (IPv4). Then we added this layer to the packet right after the Ethernet layer using insertLayer()
method. Nice and simple :)
In the same way we added a new layer we can also remove layers from the packet using the Packet::removeLayer()
method.
We've made quite a lot of changes to the packet. Let's save it to a pcap file and view the result in Wireshark. But before doing that let's first instruct the packet to re-calculate all of the layers' calculated fields:
// compute all calculated fields
parsedPacket.computeCalculateFields();
// write the modified packet to a pcap file
pcpp::PcapFileWriterDevice writer("1_modified_packet.pcap");
writer.open();
writer.writePacket(*(parsedPacket.getRawPacket()));
writer.close();
Now let's open "1_modified_packet.pcap"
in Wireshark and view the result:
Packet Creation
In this part of the tutorial we'll build a packet from scratch, create the different layers one by one and eventually save it to a pcap file to verify packet data is the same as expected.
Let's start by creating the first layer - an Ethernet layer:
// create a new Ethernet layer
pcpp::EthLayer newEthernetLayer(pcpp::MacAddress("00:50:43:11:22:33"), pcpp::MacAddress("aa:bb:cc:dd:ee"));
What we did here is create a new instance of the EthLayer
class and give it the necessary parameters which are source and dest MAC addresses (both are instances of the MacAddress
class instantiated with the MAC address string). Rather easy right?
Now let's move on to the second layer - IPv4:
// create a new IPv4 layer
pcpp::IPv4Layer newIPLayer(pcpp::IPv4Address(std::string("192.168.1.1")), pcpp::IPv4Address(std::string("10.0.0.1")));
newIPLayer.getIPv4Header()->ipId = htons(2000);
newIPLayer.getIPv4Header()->timeToLive = 64;
Here we created a new instance of the IPv4Layer
and gave it the necessary parameters which are source and dest IP addresses (both are instances of the IPv4Address
class instantiated with the IP address string). Next, we wanted to set the IP ID and TTL values of this layer. As you can see we do that using the same API we used in the
Packet editing part: call the getIPv4Header()
method to get an instance of the iphdr*
struct (which is actually a pointer to the packet raw data cast to iphdr*
) and set the IP ID and TTL values. Since IP ID is 2-bytes long we use htons()
to convert from host to network order.
Now let's move on to the third layer - UDP:
// create a new UDP layer
pcpp::UdpLayer newUdpLayer(12345, 53);
As you can see, this is quite straight forward: we created a new instance of UdpLayer
and gave it in the constructor the source and dest UDP ports.
Let's move on to the fourth and last layer - DNS:
// create a new DNS layer
pcpp::DnsLayer newDnsLayer;
newDnsLayer.addQuery("www.ebay.com", pcpp::DNS_TYPE_A, pcpp::DNS_CLASS_IN);
Here we first created an instance of DnsLayer
with the default constructor (without any parameters). Then we added a DNS query record to the layer using the addQuery()
method and gave it the query parameters which are: query name ("www.ebay.com"), query type (type A means IPv4 address) and query class (class IN means Internet).
That's it! we created 4 layers, now let's add them to a new packet. Let's first create a new Packet
instance:
// create a packet with initial capacity of 100 bytes (will grow automatically if needed)
pcpp::Packet newPacket(100);
The value 100 we gave in the constructor is the expected length of the packet (in bytes). When we give this number a buffer of size 100 is automatically created and will be used to store the packet raw data. Of course, if our packet exceeds 100 bytes this buffer will be automatically extended, but this has a performance cost, so in applications that require high performance it's better to allocate this buffer in advanced (meaning setting the buffer size in the constructor). Now it's time to add all the layers we created to the packet, we'll use the addLayer()
method for that:
// add all the layers we created
newPacket.addLayer(&newEthernetLayer);
newPacket.addLayer(&newIPLayer);
newPacket.addLayer(&newUdpLayer);
newPacket.addLayer(&newDnsLayer);
We're almost done. All that is left is to call the computeCalculateFields()
method to calculate the layers' calculated fields:
// compute all calculated fields
newPacket.computeCalculateFields();
Our packet is ready! Now let's save it to a pcap file and open this file in Wireshark to verify the packet looks exactly like we built it:
// write the new packet to a pcap file
pcpp::PcapFileWriterDevice writer2("1_new_packet.pcap");
writer2.open();
writer2.writePacket(*(newPacket.getRawPacket()));
writer2.close();
Now let's compile the code, run it and open the "1_new_packet.pcap"
file in Wireshark:
As you can see, the packet looks exactly as expected.
Running the example
All code that was covered in this tutorial can be found here. In order to compile and run the code please first download and compile PcapPlusPlus code or downloaded a pre-compiled version from the latest PcapPlusPlus release. Then follow these instruction, according to your platform:
- Linux and Mac OSX - make sure PcapPlusPlus is installed (by running sudo make install in PcapPlusPlus main directory). Then either change the
Makefile.non_windows
file name toMakefile
and runmake all
, or runmake -f Makefile.non_windows all
- Windows using MinGW or MinGW-w64 - either change the
Makefile.windows
file name toMakefile
and runmake all
, or runmake -f Makefile.windows all
- Windows using Visual Studio 2015 - there is a Visual Studio 2015 solution containing all tutorials here. Just open it and compile all tutorials
In all options the compiled executable will be inside the
tutorial directory ([PcapPlusPlus
Folder]/Examples/Tutorials/Tutorial-PacketCraftAndEdit
)