build a new pcap file from changed packets

Feb 27, 2015 at 9:41 AM
Hi everybody
i have used pcap.net library to read an offline pcap file and i have changed some fields of the packet(all the ip addresse , all the port numbers and ...) with some algorithms .
but now i want to create an output pcap file with new values. could anybody help me?
some piece of my code is here:
 private void button1_Click(object sender, EventArgs e)
        {
                          
            OfflinePacketDevice selectedDevice = new OfflinePacketDevice(textBox1.Text);
            // OfflinePacketDevice selectedDevice = new OfflinePacketDevice(@"C:\Users\Only God Remains\Desktop\naja prject\HTTP.pcap");

            // Open the capture file

            if (textBox1.Text != "")
            {
                using (PacketCommunicator communicator =
                    selectedDevice.Open(65536,                                  // portion of the packet to capture
                    // 65536 guarantees that the whole packet will be captured on all the link layers
                                        PacketDeviceOpenAttributes.Promiscuous, // promiscuous mode
                                        1000))                                  // read timeout
                {
                    // Read and dispatch packets until EOF is reached

                    //***

                    //communicator.SetFilter("port 80");
                    communicator.ReceivePackets(0, DispatcherHandler);
                    //new            

                }
            }
        }
and
  //IP address

          if ((ip.Source.ToString() != null) && (ip.Destination.ToString() != null))
          {
              listBox1.Items.Add("Source IP: " + ip.Source.ToString());
              listBox1.Items.Add("\tDestination IP: " + ip.Destination.ToString());

              string[] str1 = { ip.Source.ToString(), ip.Destination.ToString() };
              foreach (string item in str1)
              {
                  if (item == "")
                      continue;
                  tmpIP.Add(item);
              }
          }
and
  if (comboBox2.SelectedItem == "Black Marker")
            {

                foreach (string item in tmpIP)
                {

                    Result.Add(BlackMarker(item));
                    string tmp = String.Format("{0}\t{1}", item, "-->");
                    listBox2.Items.Add(String.Format("{0}\t{1}", tmp, Result.Last()));                   
                }
                listBox2.Items.Add("******");
                       
            }
blackmarker is a function that replace all ip addresses with 0.0.0.0

could anybody help me please?
thanks in advance
Coordinator
Feb 27, 2015 at 11:40 AM
Hi fatima2007,

Please see "Saving packets to a dump file" in Pcap.Net User Guide.

I hope this helps,

Boaz.
Feb 27, 2015 at 8:35 PM
thanks but i dont think it could help me. this code is for when we want to write packets from interfaces to dump file. but i want to save my new data to pcap file ,not from interface.
Coordinator
Feb 28, 2015 at 10:38 AM
As the documentation say
A different and very simple way to dump Packets into a file is by calling PacketDumpFile.Dump() static method.
Mar 1, 2015 at 11:22 PM
Edited Mar 1, 2015 at 11:23 PM
thank you.
i have used this method and i could create an output pcap file. but i have a problem now.
i want to retain all protocols and structure of my main file after change of fields. i have a problem. after change file. i lost protocols. the size of files and number of packets after change fields,retain fix but some protocols change. i changed ip address,mac address and port numbers. for example i have a packet with some protocols like http,icmp and ... after anonymization i see just tcp protocol (i test my input and output pcap files in wireshark to see the content).
could you please help me what should i do?
thanks.

i used this code for create new file:
   IpV4Datagram ipV4Datagram = packet.Ethernet.IpV4;
                EthernetLayer ethernet = (EthernetLayer)packet.Ethernet.ExtractLayer();
                IpV4Layer ipV4Layer = (IpV4Layer)packet.Ethernet.IpV4.ExtractLayer();
                DateTime packetTimestamp = packet.Timestamp;                 
               PayloadLayer Payloadtcp = (PayloadLayer)packet.Ethernet.IpV4.Tcp.Payload.ExtractLayer(); //extract the data 
                PayloadLayer Payloadudp = (PayloadLayer)packet.Ethernet.IpV4.Udp.Payload.ExtractLayer(); //extract the data
    TcpLayer tcpLayer = (TcpLayer)packet.Ethernet.IpV4.Tcp.ExtractLayer();
                UdpLayer udpLayer = (UdpLayer)packet.Ethernet.IpV4.Udp.ExtractLayer();
then i changed some fields
 if (comboBox3.SelectedItem == "Black Marker")
                    {
                        foreach (string item in tmpMAC)
                        {
                            Result.Add(MACBlackMarker(item));
                            string tmp = String.Format("{0}\t{1}", item, "-->");
                            listBox2.Items.Add(String.Format("{0}\t{1}", tmp, Result.Last()));
                            ethernet.Source = new MacAddress(Result.Last());
                          
                        }
                        foreach (string item in tmpMAC2)
                        {
                            Result.Add(MACBlackMarker(item));
                            string tmp = String.Format("{0}\t{1}", item, "-->");
                            listBox2.Items.Add(String.Format("{0}\t{1}", tmp, Result.Last()));
                            ethernet.Destination = new MacAddress(Result.Last());
                           
                        }
                       
for construct new packets:
 if (ipV4Datagram.Protocol == IpV4Protocol.Tcp)
                {
                    Packet pkt = PacketBuilder.Build(packetTimestamp,ethernet,ipV4Layer,tcpLayer,Payloadtcp);
                    packetList.Add(pkt);
                }
                else if (ipV4Datagram.Protocol == IpV4Protocol.Udp)
                {
                    Packet pkt = PacketBuilder.Build(packetTimestamp, ethernet, ipV4Layer, udpLayer,Payloadudp);
                    packetList.Add(pkt);
                }
  if(textBox2.Text!="")   //address of output file
                PacketDumpFile.Dump(textBox2.Text, DataLinkKind.Ethernet, PacketDevice.DefaultSnapshotLength,packetList);
what is my mistake?
Coordinator
Mar 13, 2015 at 10:09 AM
Can you send me an example pcap file containing one packet before you've changed it and another pcap file containing the same packet after your changes?