Friday, 28 August 2009

Netdude

Netdude is a tool for manipulating packets. If you cannot write code to manipulate packets, or, like me, are too lazy or busy to always do that, Netdude is the answer.
Netdude is another libpcap-based program. Loading a pcap capture file into it gives a listing of the trace in the main window, one packet per line.

By selecting the tabs we can drill down and view a selected packet in a more user-friendly manner. Taking a packet from the capture down to its payload, Netdude shows the following layers in turn.
Here we start with the details the pcap file itself records for the individual packet (timestamp and captured length).
Next the Ethernet header. All we do to jump to the different sections of the packet is to click on the related field.
Then the IP header.
The TCP header.
And the packet payload. Viewing alone would be useful, but the real purpose of Netdude is to let us change these values. Clicking on any of the fields brings up a dialog box into which we can enter a new value.

For instance, I clicked the destination address under the IPv4 header:
In this case I have changed the destination from 203.57.21.103 to 203.57.21.100.
The destination IP address is now 203.57.21.100, different from the previous packets I displayed. Also note that the checksum is highlighted in red: the IPv4 header checksum covers the address fields, so it is no longer correct. The TCP checksum is affected as well, because its pseudo-header includes the source and destination IP addresses. We now need to fix this.

To fix this, select from the top menu:
-> Plugins -> 'Checksum Fixer'

The checksum is no longer highlighted and our packet has been altered. At this point we could save the pcap file with the altered values.
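To make the edit-and-fix procedure above concrete, here is an added example in Python; it is not Netdude's code and was not part of the original post. It builds a constructed Ethernet/IPv4/TCP frame, overwrites the destination address the way the field dialog does, shows that both the IPv4 header checksum and the TCP checksum go stale (the red field in Netdude), recomputes them as the Checksum Fixer plugin does, and saves the result as a pcap. MAC addresses, IP addresses, ports and payload are made up, and all function names are my own.

```python
import socket
import struct

ETH_LEN = 14  # Ethernet II header; the example assumes DLT_EN10MB frames
PCAP_MAGIC = 0xA1B2C3D4  # classic little-endian pcap, microsecond timestamps


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum: one's complement of the one's-complement sum of 16-bit words.
    Over data that already contains a correct checksum field the result is 0."""
    data = bytes(data)
    if len(data) % 2:
        data += b"\x00"  # odd length: pad with a zero byte for the sum only
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _ip_bounds(frame: bytes):
    """Offsets of the IPv4 header start, header end (IHL) and datagram end (total length)."""
    ip_start = ETH_LEN
    ihl = (frame[ip_start] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[ip_start + 2:ip_start + 4])[0]
    return ip_start, ip_start + ihl, ip_start + total_len


def fix_checksums(frame: bytes) -> bytes:
    """Recompute the IPv4 header checksum and, for TCP, the TCP checksum.
    The TCP pseudo-header covers src/dst IP, so an address edit invalidates both.
    (UDP is left untouched in this example; it would be handled the same way.)"""
    f = bytearray(frame)
    ip_start, ip_end, dg_end = _ip_bounds(f)
    f[ip_start + 10:ip_start + 12] = b"\x00\x00"  # zero the field before summing
    f[ip_start + 10:ip_start + 12] = struct.pack("!H", ones_complement_sum(f[ip_start:ip_end]))
    if f[ip_start + 9] == 6:  # protocol == TCP
        seg = f[ip_end:dg_end]  # copy of the TCP segment
        seg[16:18] = b"\x00\x00"  # zero the TCP checksum field in the copy
        pseudo = bytes(f[ip_start + 12:ip_start + 20]) + struct.pack("!BBH", 0, 6, len(seg))
        f[ip_end + 16:ip_end + 18] = struct.pack("!H", ones_complement_sum(pseudo + seg))
    return bytes(f)


def checksums_ok(frame: bytes):
    """Return (ip_ok, tcp_ok): the validity check behind Netdude's red highlight."""
    ip_start, ip_end, dg_end = _ip_bounds(frame)
    ip_ok = ones_complement_sum(frame[ip_start:ip_end]) == 0
    tcp_ok = True
    if frame[ip_start + 9] == 6:
        seg = frame[ip_end:dg_end]
        pseudo = bytes(frame[ip_start + 12:ip_start + 20]) + struct.pack("!BBH", 0, 6, len(seg))
        tcp_ok = ones_complement_sum(pseudo + seg) == 0
    return ip_ok, tcp_ok


def rewrite_dst(frame: bytes, new_dst: str) -> bytes:
    """Overwrite only the IPv4 destination address, leaving the checksums stale."""
    f = bytearray(frame)
    f[ETH_LEN + 16:ETH_LEN + 20] = socket.inet_aton(new_dst)
    return bytes(f)


def dst_ip(frame: bytes) -> str:
    return socket.inet_ntoa(bytes(frame[ETH_LEN + 16:ETH_LEN + 20]))


def build_frame(src: str, dst: str, sport: int, dport: int, payload: bytes = b"") -> bytes:
    """Constructed Ethernet/IPv4/TCP frame; MACs, IP ID and sequence number are made up."""
    eth = bytes.fromhex("00112233445566778899aabb") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0x1000, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return fix_checksums(eth + ip + tcp)


def write_pcap(frames, linktype: int = 1) -> bytes:
    """Serialise frames as a classic pcap; timestamps start at 2009-08-28 UTC (constructed)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)
    for i, fr in enumerate(frames):
        out += struct.pack("<IIII", 1251417600 + i, 0, len(fr), len(fr)) + fr
    return out


def read_pcap(data: bytes) -> list:
    if struct.unpack("<I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap")
    frames, off = [], 24
    while off + 16 <= len(data):
        _, _, caplen, _ = struct.unpack("<IIII", data[off:off + 16])
        frames.append(data[off + 16:off + 16 + caplen])
        off += 16 + caplen
    return frames


def retarget(pcap_bytes: bytes, new_dst: str) -> bytes:
    """The whole workflow in one call: edit dst on every IPv4 frame, fix checksums, save."""
    fixed = []
    for fr in read_pcap(pcap_bytes):
        if fr[12:14] == b"\x08\x00":  # EtherType IPv4
            fr = fix_checksums(rewrite_dst(fr, new_dst))
        fixed.append(fr)
    return write_pcap(fixed)


if __name__ == "__main__":
    original = build_frame("10.0.0.5", "203.57.21.103", 40000, 80, b"GET / HTTP/1.0\r\n\r\n")
    stale = rewrite_dst(original, "203.57.21.100")
    print("after edit, before fixer:", checksums_ok(stale))  # (False, False): red in Netdude
    fixed = fix_checksums(stale)
    print("after fixer:", checksums_ok(fixed), dst_ip(fixed))
    with open("retargeted.pcap", "wb") as fh:  # the "save the pcap" step
        fh.write(retarget(write_pcap([original]), "203.57.21.100"))
```

The point worth noticing is that the red field in the GUI is only the IPv4 header checksum; the TCP checksum is just as wrong after the edit, and a fixer that only touches the IP header leaves a trace the target's TCP stack will silently drop on replay.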

Why you ask?

Netdude allows you to create 'canned' packet traces. For pen testing, you can change the destination address and send a defined test stream at a new target. For load tests you can put separate servers under different loads. The good bit is that you have a fixed pcap to use as the input, hence a baseline that can be repeated and compared.

The point is that pcap captures can be replayed onto the wire (tcpreplay is the usual tool), so an edited trace becomes a reusable test input. One caveat: a replayed TCP session is one-sided, since the live target's sequence numbers will not match the canned ACKs, so this exercises the target's handling of the recorded packets rather than a full stateful conversation.
