Sending packets captured with Wireshark [closed]

3

15

I captured some HTTP POST requests, and want to send them again. How to do it? Googling didn't yield any easy way not involving some complex stuff resulting in a script being able to send only this specific request, without any flexibility.

Stokowski answered 22/1, 2014 at 10:2 Comment(2)
is the net interface in promiscuous mode? - Voice
No, it isn't as far as I understand. I didn't enable this mode in Wireshark, and, I guess, it is not enabled by default in Mac OS. - Stokowski
14

You might look into tcpreplay.

It's great for replaying entire streams of traffic captured by Wireshark or tcpdump in libpcap format.

Brougham answered 22/1, 2014 at 10:9 Comment(3)
Tcpreplay has now been taken over by AppNeta - their latest version is available here: github.com/appneta/tcpreplay - Marinamarinade
See also wiki.wireshark.org/Tools for a list of these and other tools, with updated tcpreplay and tcprewrite URLs thanks to @Marinamarinade - Cutcheon
There are some free utilities such as tcpreplay and you can also write a script in Python using scapy. However these are command line tools that may be somewhat difficult to use, especially on Windows. As I encountered this problem myself I have written a light tool called Player that enables sending packets from a PCAP file. It is GUI based (written in C# and runs on Windows). You can try it out from here: github.com/Blondy314/Player - Epigenous
1

PlayCap is a very easy to use solution for replaying network captures. All you need to do is point it to a PCAP file and press play.

Featurelength answered 9/9, 2016 at 18:15 Comment(0)
0

If the HTTP requests are being sent from a browser then you can take advantage of the Web Developer mode available in most modern browsers: go to the 'Network' section and right-click on a particular GET/POST request, and then one can optionally modify and resend selected requests and/or use curl (e.g. see Firefox, Chrome).

It's not straightforward to just resend HTTP interactions that have been captured by Wireshark, as the HTTP is transported over TCP, which needs to set up a new connection for each interaction, so things like the TCP sequence numbers would need to be different. One approach would be to extract the HTTP content from the packet trace and resend that over a new TCP connection - Wireshark does allow for HTTP traces to be extracted which could be resent. However the latest version of the tcpreplay suite from AppNeta now provides a tool, tcpliveplay, that says it can replay TCP streams, so that seems like it could be the best option.

Otherwise for more programmatic control of packet replay one could use scapy as suggested in this answer, though one would need to extract the HTTP content and resend it on new connection(s).

Marinamarinade answered 4/4, 2018 at 17:27 Comment(2)
Would this execute the same request? For example, I post a thread onto twitter. I resend the HTTP request through curl reciting the same headers. Would it post the thread again? Or would the session ID only be stored on the node browser that primarily logged in and the second request fail? - Sepulchre
It would send exactly the same request with the same URL, headers and cookies. If you send a duplicate post on Twitter it will get filtered. - Marinamarinade
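
An added example, not part of any answer or comment above: one way to do the "extract the HTTP content and resend it over a new TCP connection" approach with only the Python standard library, while still being able to change the body. The function names, the sample request and the host/port are assumptions made for illustration; it handles requests framed with Content-Length and rejects chunked ones.

```python
import socket

# Constructed sample: the client side of one HTTP exchange, as raw bytes
# saved from a capture. Host, path and body are made up for this example.
SAMPLE_REQUEST = (
    b"POST /submit HTTP/1.1\r\n"
    b"Host: 127.0.0.1:8080\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 13\r\n"
    b"Connection: keep-alive\r\n"
    b"\r\n"
    b"name=old&id=1"
)

def rebuild_request(raw, new_body=None):
    """Split a captured request, optionally swap the body, fix framing headers."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no header/body separator; capture is incomplete")
    lines = head.split(b"\r\n")
    request_line, headers = lines[0], lines[1:]
    if any(h.lower().startswith(b"transfer-encoding:") for h in headers):
        raise ValueError("chunked request bodies are not handled here")
    if new_body is not None:
        body = new_body
    drop = (b"content-length:", b"connection:")
    kept = [h for h in headers if not h.lower().startswith(drop)]
    kept.append(b"Content-Length: " + str(len(body)).encode())
    kept.append(b"Connection: close")  # server closes, so recv() sees EOF
    return b"\r\n".join([request_line] + kept) + b"\r\n\r\n" + body

def replay(raw, host, port, new_body=None, timeout=5.0):
    """Send the rebuilt request on a fresh TCP connection; return the raw response."""
    request = rebuild_request(raw, new_body)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)
```

The kernel picks new sequence numbers for the fresh connection, so only the application-layer bytes are reused; for an HTTPS capture the bytes would have to be the decrypted request and the socket wrapped with the `ssl` module.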
