I am experimenting with Scapy in Python and captured a test pcap which only contains a transfer of a file over HTTP. The contents of the file are plaintext.
I am trying to basically change the Server string:
HTTP/1.0 200 OK
Server: SimpleHTTP/0.6 Python/3.11.8
to a different one, let’s say:
HTTP/1.0 200 OK
Server: A custom one
The thing is that after this change, the size of the packet changes and, as a result, a lot of TCP packets are marked as retransmissions, the content of the HTTP packet says that bytes are missing, etc.
Is there a way to modify strings – and the corresponding size fields – so that the pcap remains without errors?
P.S. I tried changing the Frame Length and Capture Length fields of Ether layer but still was getting errors.
My demo script for the time being is:
```python
from scapy.all import *

def replace_user_agent(packets):
    i = 0
    for packet in packets:
        i += 1
        if packet.haslayer(Raw):
            raw = packet[Raw].load
            if b"SimpleHTTP/0.6 Python/3.11.8" in raw:
                raw = raw.replace(b"SimpleHTTP/0.6 Python/3.11.8", b"A custom one" + b" " * (len("SimpleHTTP/0.6 Python/3.11.8") - len("A custom one")))  # cover the missing length with spaces
                packet[Raw].load = raw
                # Recalculate length fields and checksums
                if packet.haslayer(IP):
                    del packet[IP].len  # Recalculate IP length
                    del packet[IP].chksum  # Recalculate IP checksum
                if packet.haslayer(TCP):
                    del packet[TCP].chksum  # Recalculate TCP checksum
                elif packet.haslayer(UDP):
                    del packet[UDP].len  # Recalculate UDP length
                    del packet[UDP].chksum  # Recalculate UDP checksum
    return packets

if __name__ == "__main__":
    input_pcap = "input.pcap"
    output_pcap = "output.pcap"
    packets = rdpcap(input_pcap)
    modified_packets = replace_user_agent(packets)
    wrpcap(output_pcap, modified_packets)
```
This script does and does not do what I am trying to achieve. It basically replaces the Server string with my shorter custom one, and for the missing bytes it just uses spaces.
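
The retransmission and missing-bytes warnings described above come from TCP sequence numbers that no longer match the byte counts once a payload shrinks or grows. The following is an added example, not part of the original post, of the renumbering that keeps a stream consistent: every later `seq` in the edited direction and every later `ack` from the peer moves by the length difference. Assumptions: `Seg` is a hypothetical stand-in for a packet so the logic runs without a capture file, the sample exchange and addresses are constructed, and a match is assumed to sit entirely inside one segment.

```python
from dataclasses import dataclass

MOD, HALF = 2**32, 2**31          # TCP sequence space is 32-bit and wraps
OLD, NEW = b"SimpleHTTP/0.6 Python/3.11.8", b"A custom one"

@dataclass
class Seg:
    """Constructed stand-in for a captured segment; in Scapy the fields are
    IP.src/dst, TCP.sport/dport/seq/ack and Raw.load."""
    src: str
    dst: str
    seq: int
    ack: int
    load: bytes = b""
    has_ack: bool = True           # False for the initial SYN (ack field unused)

def shift(edits, value):
    """Total length change of all edits located at or before `value`."""
    return sum(d for pos, d in edits.items() if (value - pos) % MOD < HALF)

def rewrite_stream(segs, old, new):
    edits = {}                     # direction -> {original seq just past match: delta}
    for s in segs:                 # pass 1: locate matches in original numbering
        i = s.load.find(old)
        while i != -1:
            pos = (s.seq + i + len(old)) % MOD
            edits.setdefault((s.src, s.dst), {})[pos] = len(new) - len(old)
            i = s.load.find(old, i + len(old))
    for s in segs:                 # pass 2: renumber, then edit the payload
        s.seq = (s.seq + shift(edits.get((s.src, s.dst), {}), s.seq)) % MOD
        if s.has_ack:              # ACKs count the peer's (rewritten) bytes
            s.ack = (s.ack + shift(edits.get((s.dst, s.src), {}), s.ack)) % MOD
        s.load = s.load.replace(old, new)
    return segs

def sample():
    """Constructed single-connection exchange; endpoints include the port."""
    c, s = "10.0.0.1:40000", "10.0.0.2:8000"
    hdr = b"HTTP/1.0 200 OK\r\nServer: " + OLD + b"\r\n\r\n"
    return [Seg(c, s, 1000, 5000, b"GET /f.txt HTTP/1.0\r\n\r\n"),
            Seg(s, c, 5000, 1023, hdr),
            Seg(c, s, 1023, 5000 + len(hdr)),
            Seg(s, c, 5000 + len(hdr), 1023, b"file contents\n"),
            Seg(c, s, 1023, 5000 + len(hdr) + 14)]

if __name__ == "__main__":
    for seg in rewrite_stream(sample(), OLD, NEW):
        print(seg.src, "->", seg.dst, seg.seq, seg.ack, len(seg.load))
```

Applied to Scapy packets, the new values go into `TCP.seq` and `TCP.ack`, and `IP.len`, `IP.chksum` and `TCP.chksum` are still deleted as in the script above so they are recomputed when the pcap is written. Because the edit is in the HTTP header, `Content-Length` (which counts only the body) is unaffected.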