Change packet IP Address change also additional value except the packet IP Address

Feb 28, 2014 at 8:25 AM
Edited Feb 28, 2014 at 8:27 AM
I try to change packet IP Address and it seems that another value is changed except the IP Address.

This is how i am change the IP Address:
        private Packet ChangePacketIp(Packet packet, IpV4Address oldIpAddress, IpV4Address newIpAddress)
        {
            try
            {
                EthernetLayer ethernet = (EthernetLayer)packet.Ethernet.ExtractLayer();
                IpV4Layer ipV4Layer = (IpV4Layer)packet.Ethernet.IpV4.ExtractLayer();
                IpV4Datagram ipV4Datagram = packet.Ethernet.IpV4;
                ILayer layer = ipV4Datagram.ExtractLayer();
                DateTime packetTimestamp = packet.Timestamp;
                ILayer payload = packet.Ethernet.IpV4.Payload.ExtractLayer();

                if (packet.Ethernet.IpV4.Source == oldIpAddress)
                {
                    ipV4Layer.Source = newIpAddress;
                    ipV4Layer.HeaderChecksum = null;
                }
                else if (packet.Ethernet.IpV4.Destination == oldIpAddress)
                {
                    ipV4Layer.CurrentDestination = newIpAddress;
                    ipV4Layer.HeaderChecksum = null;
                }

                return PacketBuilder.Build(packetTimestamp, ethernet, ipV4Layer, payload);
            }
            catch (Exception)
            {
                return null;
            }
        }
For example, the original packets is:

Image

And the new packet after the IP Address has changed:

Image

As you can see after change the IP Address from 212.25.99.74 into 80.81.82.83, another 2 bytes changes: from e6 16 into 7a d6

You can also fine the original capture and the new capture after changed th IP Address here:

http://www.sendspace.com/filegroup/x2BsuZhr0F4mXVTnsQtrUw
Mar 3, 2014 at 12:24 PM
Edited Mar 3, 2014 at 1:44 PM
Those 2 bytes are the IP header checksum, and they change as a result of you modifying the IP packet. Keep in mind that you also need to recalculate the TCP/UDP checksum if you change the source/destination IP address. To do this just set the UDP/TCP checksum to null before building the packet.

"The [TCP] checksum also covers a 96 bit pseudo header conceptually prefixed to the TCP header. This pseudo header contains the Source Address, the Destination Address, the Protocol, and TCP length." RFC793

Edit: Also, activate IP/UDP/TCP checksum validation in Wireshark. It will make things like this easier to spot.
Mar 4, 2014 at 10:13 AM
Edited Mar 4, 2014 at 10:15 AM
Can you show me an example how to set the UDP/TCP checksum to null ?

i try packet.Ethernet.IpV4.Tcp.Checksum = null; but ushort is a non nullable value type
Mar 4, 2014 at 10:35 AM
The same way you do it for IP header checksum.
if (packet.Ethernet.IpV4.Protocol == IpV4Protocol.Tcp)
{
    TcpLayer tcpLayer = packet.Ethernet.IpV4.Tcp.ExtractLayer();
    tcpLayer.Checksum = null;
    ILayer payload = packet.Ethernet.IpV4.Tcp.Payload.ExtractLayer();
    return PacketBuilder.Build(packetTimestamp, ethernet, ipV4Layer, tcpLayer, payload);
}
else if (packet.Ethernet.IpV4.Protocol == IpV4Protocol.Udp)
{
    UdpLayer udpLayer = packet.Ethernet.IpV4.Udp.ExtractLayer();
    udpLayer.Checksum = null;
    ILayer payload = packet.Ethernet.IpV4.Udp.Payload.ExtractLayer();
    return PacketBuilder.Build(packetTimestamp, ethernet, ipV4Layer, udpLayer, payload);
}
Also check the Sending Packets Tutorial.
Mar 4, 2014 at 12:46 PM
Edited Mar 4, 2014 at 12:47 PM
i still have differences between the old and the new packet - this is the TCP/UDP checksum ?

Image

At the top - the original packet
At the button - the new packet
Mar 4, 2014 at 2:11 PM
Yes, that's the TCP checksum.
Mar 4, 2014 at 3:14 PM
Thanks a lot !