
Wednesday, October 12, 2016

Replay a tcp packet captured by wireshark

To replay a TCP packet captured by Wireshark, you can use either the tcpreplay or the bittwist tools.


Example1:

tcprewrite --infile=capturedtraffic.pcap --outfile=temp.pcap --srcipmap=0.0.0.0/0:192.168.1.15 --enet-smac=00:0c:29:de:78:42

tcpreplay --intf1=eth0 temp.pcap

tcprewrite maps every source IP in the capture to 192.168.1.15 and sets the sender's source MAC address to 00:0c:29:de:78:42; tcpreplay then sends the rewritten trace out of eth0.


Example2:

bittwiste -I arp-packet.pcap -O fake-arp.pcap -T arp -o 2 -s 00:00:aa:bb:cc:dd -p 192.168.1.1 -t 00:08:55:64:65:6a -q 192.168.1.20

input file: arp-packet.pcap

output file: fake-arp.pcap

The sender MAC address is set to 00:00:aa:bb:cc:dd, a MAC address that does not exist on the network.

bittwist -i vr0 fake-arp.pcap

Sends the packets in the trace file fake-arp.pcap through the interface vr0.

Tuesday, October 11, 2016

Find the IP address of the client in an SSH session


1) SSH_CLIENT

Shows the IP address of the client system, the outgoing port number on the client system, and the incoming port on the server.

Ex:
echo $SSH_CLIENT
10.10.10.211 63956  22

2) SSH_CONNECTION

Identifies the client and server ends of the connection. The variable contains four space-separated values: client IP address, client port number, server IP address, and server port number.

Ex:
echo $SSH_CONNECTION
10.10.10.211 63956 172.16.32.11 22

3) SSH_TTY

This is set to the name of the tty (path to the device) associated with the current shell or command. If the current session has no tty, this variable is not set.

Ex:
echo $SSH_TTY
/dev/pts/22

4) Set your own .bashrc

# The first field of SSH_CLIENT is the client's IP address
userIP=$(echo "$SSH_CLIENT" | awk '{ print $1 }')

# Replace x.x.x.x with the IP address of your own machine
if [ "$userIP" = "x.x.x.x" ]
then
        echo "It's my machine IP"
        source /home/bob/.bashrc
fi

With this check in the login shell's rc file, your own .bashrc is sourced only when the session comes from your own machine's IP.





Fragmentation offset

Fragment Offset

The fragment offset field is measured in units of eight-byte blocks. It is 13 bits long and specifies the offset of a particular fragment relative to the beginning of the original fragmented IP datagram. The first fragment has an offset of zero. This allows a maximum offset of (2^13 - 1) x 8 = 65,528 bytes, which would exceed the maximum IP packet length of 65,535 bytes with the header length included (65,528 + 20 = 65,548 bytes).

From <https://en.wikipedia.org/wiki/IPv4#Header>

Why is the fragment offset divided by 8?

The total length field is 16 bits, so a packet can be at most 2^16 - 1 = 65535 bytes. If the fragment offset field were also 16 bits, it could hold the byte offset as it is, because 2^16 bytes covers the 65535-byte total length of the packet. But the field is only 13 bits, so it can hold just 2^13 = 8192 distinct values; only when each value stands for 8 bytes (8192 * 8 = 65536) does its range cover the total length of the packet.

So whenever we write a fragment offset into the header, we divide the byte position within the packet by 8. A byte offset such as 65535 cannot be stored directly, because the 13-bit field cannot express a value larger than 8192 (2^13) units.
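To make the arithmetic above concrete, here is an added shell example (not code from the original post) that converts a byte offset into the 13-bit field value, reads the flags/fragment-offset word back out of an IPv4 header, multiplies the field by 8 to recover the byte offset, and flags a fragment whose last byte would lie beyond 65535. The two header hex strings in the usage lines are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original post. IPv4 header layout used here:
# byte 0 = version/IHL, bytes 2-3 = total length, bytes 6-7 = flags (3 bits)
# followed by the 13-bit fragment offset in 8-byte units.

# frag_offset_field <byte_offset>
# Prints the value stored in the header for a fragment that begins at
# byte_offset; returns 1 if the offset is not a multiple of 8, which the
# 13-bit field cannot represent.
frag_offset_field() {
    [ $(( $1 % 8 )) -eq 0 ] || return 1
    echo $(( $1 / 8 ))
}

# ipv4_frag_info <header_hex>
# Prints "offset_bytes mf data_len end_byte" for a header given as a hex
# string of at least 20 bytes (40 hex characters).
ipv4_frag_info() {
    hdr=$1
    ihl=$(( 0x$(printf '%s' "$hdr" | cut -c2) * 4 ))        # header length in bytes
    total=$(( 0x$(printf '%s' "$hdr" | cut -c5-8) ))        # total length field
    word=$(( 0x$(printf '%s' "$hdr" | cut -c13-16) ))       # flags + fragment offset
    mf=$(( (word >> 13) & 1 ))                              # More Fragments flag
    off=$(( (word & 0x1fff) * 8 ))                          # 13-bit field, units of 8 bytes
    data=$(( total - ihl ))                                 # payload bytes in this fragment
    echo "$off $mf $data $(( off + data ))"
}

# ipv4_frag_overrun <header_hex>
# Returns 0 when the fragment's last byte would sit beyond 65535, i.e. the
# reassembled datagram could never be a valid IPv4 datagram. A reassembler
# should drop such a fragment instead of growing its buffer to fit it.
ipv4_frag_overrun() {
    set -- $(ipv4_frag_info "$1")
    [ "$4" -gt 65535 ]
}

# Constructed headers for illustration:
# first fragment of a 1500-byte packet (MF=1, offset 0)
FIRST=450005dc1c46200040010000c0a80001c0a80002
# last fragment placed at the maximum offset 8191*8 = 65528 with 20 data bytes
LAST=450000281c461fff40010000c0a80001c0a80002

ipv4_frag_info "$FIRST"     # 0 1 1480 1480
ipv4_frag_info "$LAST"      # 65528 0 20 65548
ipv4_frag_overrun "$LAST" && echo "fragment overruns the 65535-byte maximum"
```

The second header is exactly the case the quoted paragraph describes: the field holds its maximum 8191, which is 65,528 bytes, and 20 more bytes of data puts the end of the datagram at 65,548, past what the 16-bit total length can ever describe. Checking the end byte against 65535 before allocating reassembly space is the defensive counterpart of that arithmetic.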
