Rewrite Source Mac

Mar 31, 2010 at 7:52 PM

Greetings,

I'm working on an academic project that aims to create a piece of software for testing IDS systems. What we're looking to do is re-write the MAC address on PCAP captures before sending them out on the wire. Right now we're sending the PCAP files out onto the network without a hitch, but I can't seem to figure out if it's possible to rewrite MAC addresses. So, the question: utilizing pcap.net, can I rewrite pieces of the packet from a pcap file on the fly?

FWIW, I'm not exactly what one would call a "programmer", more of a hacker trying to get a proof of concept, so any help would be great!

Thanks

Coordinator
Apr 1, 2010 at 12:37 PM

Hi,

I believe the simplest way to modify the source MAC address of a packet is as follows:

// Extract the Ethernet layer from the Ethernet datagram.
EthernetLayer ethernet = (EthernetLayer)sourcePacket.Ethernet.ExtractLayer();

// Change the source MAC address.
ethernet.Source = new MacAddress("11:22:33:44:55:66");

// Create a new packet with the modified source MAC address.
Packet targetPacket = PacketBuilder.Build(sourcePacket.Timestamp, ethernet, sourcePacket.Ethernet.Payload.ExtractLayer());

The most important thing to note is the usage of ExtractLayer(), which extracts a layer from a datagram.

When you call it on an EtherentDatagram, you get an EthernetLayer.

When you call it on an IpV4Datagram, you get an IpV4Layer.

When you call it on a Datagram, you get a PayloadLayer.

 

In the example I call it on the EtherentDatagram to get the EthernetLayer and modify the source MAC address.

In order to get the rest of the packet unchanged, I call the EthernetDatagram.Payload property, which gives me a Datagram, and then call the ExtractLayer() on that to get a PayloadLayer.

With the given two layers, I build a packet using the PacketBuilder.

 

I hope this would help you,

Boaz.