Removing payload from tcpdump?

Question

Removing payload from tcpdump?

Is there an automated way (either in tcpdump or through the Out There helper application) to create a pcap file that contains only Ethernet, IP and Layer 4 headers (TCP in my case), so there is no data payload / application in the resulting pcap? I found that since header sizes often vary, it is not possible to choose a capture size that will not capture payload data.

+6

python networking tcp tcpdump scapy

caw Dec 9 '11 at 3:30

source share

3 answers

If simple truncate will work for you, you can use:

 tcpdump -i eth0 -s 96 -w test1.pcap

Later you can analyze it using wirehark.

0

ILYA Khlopotov Dec 9 '11 at 4:05

source share

My solution was as follows. I would like to hear others do it without external libraries or truncation. I would like to hear how others did this because I could not find the remove_payload () function in the Scapy documentation, which makes this answer unusable.

 #read pcap file pkts = rdpcap("packet-capture.pcap") #write packet with payload "XXXXXXXXXX" for pkt in pkts: pkt.load = "XXXXXXXXXX" #write new pcap wrpcap("new.pcap", pkts)

The problem with this is that when reading with tcpdump it does not contain bytes! for src IP address. I can verify that infromation still exists using scapy via

 pkts[_packet_num].load

Is there a way to restore the entire capture, so it looks as if it has not changed?

-2

user2938818 Oct 30 '13 at 19:34

source share

Mike pennington · Accepted Answer · 2011-12-09T06:44:20+0000

You can easily remove TCP payload with Python scapy module

before

 [ mpenning@hotcoffee tshark_wd]$ tcpdump -n -r sample.pcap reading from file sample.pcap, link-type EN10MB (Ethernet) 00:25:42.443559 IP 192.168.12.237.1052 > 192.168.12.236.22: Flags [P.], seq 2445372969:2445373021, ack 1889447842, win 63432, length 52 00:25:42.443607 IP 192.168.12.236.22 > 192.168.12.237.1052: Flags [.], ack 52, win 65535, length 0 00:25:42.443980 IP 192.168.12.236.22 > 192.168.12.237.1052: Flags [P.], seq 1:389, ack 52, win 65535, length 388

PAYLOAD STRIPPING

Doing this as root in linux ...

 #!/usr/bin/env python from scapy.all import * INFILE = 'sample.pcap' OUTFILE = 'stripped.pcap' paks = rdpcap(INFILE) for pak in paks: pak[TCP].remove_payload() wrpcap(OUTFILE, paks)

after

 [ mpenning@hotcoffee tshark_wd]$ tcpdump -n -r stripped.pcap reading from file sample.pcap, link-type EN10MB (Ethernet) 00:25:42.443559 IP truncated-ip - 52 bytes missing! 192.168.12.237.1052 > 192.168.12.236.22: Flags [P.], seq 2445372969:2445373021, ack 1889447842, win 63432, length 52 00:25:42.443607 IP 192.168.12.236.22 > 192.168.12.237.1052: Flags [.], ack 52, win 65535, length 0 00:25:42.443980 IP truncated-ip - 388 bytes missing! 192.168.12.236.22 > 192.168.12.237.1052: Flags [P.], seq 1:389, ack 52, win 65535, length 388

In tcpdump above, pay attention to "XX bytes missing!". Messages This is because we removed the TCP payload.

Removing payload from tcpdump?

More articles: