NAME

bittwiste -- pcap capture file editor

SYNOPSIS

bittwiste [ -I input ] [ -O output ] [ -L layer ] [ -X payload ] [ -C ] [ -M linktype ] [ -D offset ] [ -R range ] [ -S timeframe ] [ -T header ] [ header-specific-options ] [ -h ]

DESCRIPTION

This document describes the bittwiste program, the pcap(3) capture file editor. Bittwiste is designed to work only with Ethernet frame, e.g. link type DLT_EN10MB in pcap(3), with a maximum frame size of 1514 bytes which is equivalent to a MTU of 1500 bytes, 14 bytes for Ethernet header.
Bittwiste can currently edit Ethernet, ARP, IP, ICMP, TCP, and UDP headers. If run with the -X flag, you can append your own payload after any of these headers; specified using the -L and -T flag. Bittwiste will, if not run with the -C flag, recalculate the checksums for IP, ICMP, TCP, and UDP packets, except for the last fragment of a fragmented IP datagram; bittwiste does not currently support checksum correction for the last fragment of a fragmented IP datagram. While parsing the packets in a trace file, bittwiste will skip, i.e. write to output file as is, any truncated packet, for example, an ICMP packet with a captured length of 25 bytes (we need at least 28 bytes; 14 bytes for Ethernet header, minimum 20 bytes for IP header, and 4 bytes for ICMP header) does not give enough information on its ICMP header for bittwiste to read and modify it. In this case, you can utilize the -L and -T flag to copy the original packet up to its IP header and append your customized ICMP header and data to the packet using the -X flag. When specifying payload that covers the ICMP, TCP or UDP header and its data, you can use zeros, e.g. 0000 for 2 bytes of zeros, for the header checksum which is then corrected automatically by bittwiste.
In order to simplify the way options are specified, you can only edit packets of a specific type supplied to the -T flag per execution of bittwiste on a trace file. In addition, the -T flag must appear last among the general options which are the -I, -O, -L, -X, -C, -M, -D, -R and -S flag.

OPTIONS

-I input
Input pcap based trace file.
-O output
Output trace file.
-L layer
Copy up to the specified layer and discard the remaining data. Value for layer must be either 2, 3 or 4 where 2 for Ethernet, 3 for ARP or IP, and 4 for ICMP, TCP or UDP.
-X payload
Append payload in hex digits to the end of each packet.
 
Example: -X 0302aad1
 
-X flag is ignored if -L and -T flag are not specified.
-C
Specify this flag to disable checksum correction. Checksum correction is applicable for non-fragmented IP, ICMP, TCP, and UDP packets only.
-M linktype
Replace the linktype stored in the pcap file header. Typically, value for linktype is 1 for Ethernet.
 
Example: -M 12 (for raw IP), -M 51 (for PPPoE)
For the complete list, see:
 
http://www.tcpdump.org/linktypes.html
-D offset
Delete the specified byte offset from each packet.
 
First byte (starting from link layer header) starts from 1.
 
-L, -X, -C and -T flag are ignored if -D flag is specified.
 
Example: -D 15-40, -D 10 or -D 18-9999
-R range
Save only the specified range of packets.
 
Example: -R 5-21 or -R 9
-S timeframe
Save only the packets within the specified timeframe with up to one-second resolution using DD/MM/YYYY,HH:MM:SS as the format for start and end time in timeframe.
 
Example: -S 22/10/2006,21:47:35-24/10/2006,13:16:05
 
-S flag is evaluated after -R flag.
-T header
Edit only the specified header. Possible keywords for header are, eth, arp, ip, icmp, tcp, or udp. -T flag must appear last among the general options.
-h
Print version information and usage.
header-specific-options
Each packet that matches the type supplied to the -T flag is modified based on the options described below:
Options for eth (RFC 894):
-d dmac or omac,nmac
 
Destination MAC address. Example: -d 00:08:55:64:65:6a
 
If omac and nmac are specified instead, all occurrences of omac in the destination MAC address field will be replaced with nmac.
-s smac or omac,nmac
 
Source MAC address. Example: -s 00:13:20:3e:ab:cf
 
If omac and nmac are specified instead, all occurrences of omac in the source MAC address field will be replaced with nmac.
-t type
EtherType. Possible keywords for type are, ip and arp only.
Options for arp (RFC 826):
-o opcode
Operation code in integer value between 0 to 65535. For example, you can set opcode to 1 for ARP request, 2 for ARP reply.
-s smac or omac,nmac
 
Sender MAC address. Example: -s 00:13:20:3e:ab:cf
 
If omac and nmac are specified instead, all occurrences of omac in the sender MAC address field will be replaced with nmac.
-p sip or oip,nip
 
Sender IP address. Example: -p 192.168.0.1
 
If oip and nip are specified instead, all occurrences of oip in the sender IP address field will be replaced with nip.
-t tmac or omac,nmac
 
Target MAC address. Example: -t 00:08:55:64:65:6a
 
If omac and nmac are specified instead, all occurrences of omac in the target MAC address field will be replaced with nmac.
-q tip or oip,nip
 
Target IP address. Example: -q 192.168.0.2
 
If oip and nip are specified instead, all occurrences of oip in the target IP address field will be replaced with nip.
Options for ip (RFC 791):
-i id
 
Identification in integer value between 0 to 65535.
-f flags
Control flags. Possible characters for flags are:
- : remove all flags
 
r : set the reserved flag
 
d : set the don't fragment flag
 
m : set the more fragment flag
Example: -f d
 
If any of the flags is specified, all original flags are removed automatically.
-o offset
Fragment offset in integer value between 0 to 7770. Value for offset represents the number of 64-bit segments contained in earlier fragments which must not exceed 7770 (62160 bytes).
-t ttl
 
Time to live in integer value between 0 to 255 (milliseconds).
-p proto
Protocol number in integer value between 0 to 255. Some common protocol numbers are:
1 : Internet Control Message Protocol (ICMP)
 
6 : Transmission Control Protocol (TCP)
 
17 : User Datagram Protocol (UDP)
For the complete list, see:
 
http://www.iana.org/assignments/protocol-numbers
-s sip or oip,nip
 
Source IP address. Example: -s 192.168.0.1
 
If oip and nip are specified instead, all occurrences of oip in the source IP address field will be replaced with nip.
-d dip or oip,nip
 
Destination IP address. Example: -d 192.168.0.2
 
If oip and nip are specified instead, all occurrences of oip in the destination IP address field will be replaced with nip.
Options for icmp (RFC 792):
-t type
Type of message in integer value between 0 to 255. Some common messages are:
0 : Echo reply
 
3 : Destination unreachable
 
8 : Echo
 
11 : Time exceeded
For the complete list, see:
 
http://www.iana.org/assignments/icmp-parameters
-c code
Error code for this ICMP message in integer value between 0 to 255. For example, code for time exceeded message may have one of the following values:
0 : transit TTL exceeded
 
1 : reassembly TTL exceeded
For the complete list, see:
 
http://www.iana.org/assignments/icmp-parameters
Options for tcp (RFC 793):
-s sport or op,np
Source port number in integer value between 0 to 65535. If op and np are specified instead, all occurrences of op in the source port field will be replaced with np.
-d dport or op,np
Destination port number in integer value between 0 to 65535. If op and np are specified instead, all occurrences of op in the destination port field will be replaced with np.
-q seq
 
Sequence number in integer value between 0 to 4294967295. If SYN control bit is set, e.g. character s is supplied to the -f flag, seq represents the initial sequence number (ISN) and the first data byte is ISN + 1.
-a ack
 
Acknowledgment number in integer value between 0 to 4294967295. If ACK control bit is set, e.g. character a is supplied to the -f flag, ack represents the value of the next sequence number that the receiver is expecting to receive.
-f flags
Control flags. Possible characters for flags are:
- : remove all flags
 
u : urgent pointer field is significant
 
a : acknowledgment field is significant
 
p : push function
 
r : resets the connection
 
s : synchronizes the sequence numbers
 
f : no more data from sender
Example: -f s
 
If any of the flags is specified, all original flags are removed automatically.
-w win
 
Window size in integer value between 0 to 65535. If ACK control bit is set, e.g. character a is supplied to the -f flag, win represents the number of data bytes, beginning with the one indicated in the acknowledgment number field that the receiver is willing to accept.
-u urg
 
Urgent pointer in integer value between 0 to 65535. If URG control bit is set, e.g. character u is supplied to the -f flag, urg represents a pointer that points to the first data byte following the urgent data.
Options for udp (RFC 768):
-s sport or op,np
Source port number in integer value between 0 to 65535. If op and np are specified instead, all occurrences of op in the source port field will be replaced with np.
-d dport or op,np
Destination port number in integer value between 0 to 65535. If op and np are specified instead, all occurrences of op in the destination port field will be replaced with np.

SEE ALSO

bittwist(1), pcap(3), tcpdump(1)

BUGS

File your bug report and send to:
Addy Yeow Chin Heng <[email protected]>
Make sure you are using the latest stable version before submitting your bug report. Copyright (C) 2006 - 2012 Addy Yeow Chin Heng <[email protected]>
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.

AUTHORS

Original author and current maintainer:
Addy Yeow Chin Heng
The current version is available from http://bittwist.sourceforge.net

Recommended readings

Pages related to bittwiste you should read also: