
Exercise for school regarding pcap

Hi,

I need to do an exercise for my school.

The exercise is as follows:

I need to create a pcap file that contains a certain ASCII string in either the header or the payload. My Wireshark knowledge is very limited, so it would be helpful if someone could point me in the right direction.

frankenstein
asked 2018-06-08 16:03:02 +0000

Comments

Do you need to include some given ASCII strings? Or do you just need to include some ASCII strings in general in your pcap?

If the second is answered with yes, then you just need to capture a normal HTTP session, for example...

Christian_R (2018-06-09 09:48:31 +0000)

Yeah, I made it work with HTTP as well as with nping. I just had a slight misunderstanding, but it clicked for me now. Thanks for the answer.

frankenstein (2018-06-09 14:03:44 +0000)

2 Answers


You can start here finding out how you can do a capture. That's one.

Sending a packet with the defined payload can be done via various means, e.g. using the command line tool ping. By using the option -p you can define the payload of the packet.

Jaap
answered 2018-06-08 18:14:28 +0000

Comments

Using netcat is another easy way. Or you could create a file that text2pcap could read and convert to a pcap file. See also some of the Traffic generators listed on the Wireshark Tools wiki page.

cmaynard (2018-06-08 18:58:02 +0000)

Thanks so much for the answer.

I should have added that the packet has to use TCP. Since ping uses ICMP, it's not suited for that, or am I missing something?

frankenstein (2018-06-09 01:39:04 +0000)

You left out a lot of details, so we're guessing here. But you are right, ping uses ICMP (echo), which is a different protocol than TCP.

Jaap (2018-06-09 07:11:38 +0000)

The -p option for ping to set the packet contents is only valid on Linux and BSD (and possibly others), but not on Windows.

You can include any arbitrary string in a URL in your browser that will transmit it, so simply append it as a value to a URL, e.g. https://ask.wireshark.org/my-arbitrar...

grahamb
answered 2018-06-08 18:57:39 +0000

Comments

Thanks so much for the answer. Like I said under the other answer, I forgot to mention that the packet has to use TCP. So when I follow your tip with the URL, it only comes up as HTTP, unfortunately.

frankenstein (2018-06-09 01:42:34 +0000)

Which is the application protocol, transported by... TCP. So the TCP packet has a payload, which contains the HTTP message (Protocol Data Unit, or PDU for short). Wireshark tends to dissect as far up as it can; in this case it can see it's HTTP over TCP over IP over Ethernet, so it dissects up to the HTTP layer. Don't want that? Disable the HTTP dissector and it will stop at the TCP payload, where your string is.

Jaap (2018-06-09 07:14:33 +0000)

Thanks for explaining that to me. That makes things a lot clearer. I managed to do it by downloading nping. It has an option --tcp and an option --data <hex value>. I can then easily find that capture with frame contains "MY_ASCII_STRING".

frankenstein (2018-06-09 10:52:09 +0000)

I think you got it, awesome. Now try it with a web browser, in the HTTP request URL.

Jaap (2018-06-09 13:24:11 +0000)

Done. It works, of course; it just confused me that it said protocol HTTP, but it makes sense now since the HTTP part is in the TCP payload. If I search for the string value with frame contains "MY_ASCII_STRING", the frame shows up with this method too. I mean, it makes total sense, because when I filtered for frame contains "MY_ASCII_STRING" && tcp, the frame naturally showed up as well. Thank you very much for your answers, it helped a ton.

frankenstein (2018-06-09 13:57:54 +0000)
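The thread above solves the exercise by generating traffic (ping -p, nping --tcp --data, a browser URL) and capturing it. A third route, mentioned only in passing via text2pcap, is to write the pcap file directly, which also makes the "header or payload" distinction from the question concrete. The following is an added, self-contained example and not code from the thread or from the Wireshark project: it builds one Ethernet/IPv4/TCP frame whose payload is an HTTP request carrying MY_ASCII_STRING, writes it in the classic libpcap format using only Python's standard library, then re-reads the file with the same whole-frame byte search that Wireshark's frame contains filter performs and reports whether the match lies in the headers or in the TCP payload. All MAC addresses, IP addresses, ports, sequence numbers and the HTTP request itself are constructed for the example.

```python
"""Write a pcap containing one TCP segment whose payload carries a chosen ASCII
string, then re-read it and locate the string the way `frame contains` does.
Constructed example: every address, port and the HTTP request is made up."""
import struct

PCAP_MAGIC = 0xA1B2C3D4            # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1

SRC_MAC = bytes.fromhex("02aabbccddee")   # constructed, locally administered
DST_MAC = bytes.fromhex("021122334455")   # constructed


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 Internet checksum, used by both the IPv4 and TCP headers.
    Feeding it a header whose checksum field is already filled in yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_bytes(dotted: str) -> bytes:
    return bytes(int(octet) for octet in dotted.split("."))


def build_tcp_frame(src_ip, dst_ip, src_port, dst_port, payload: bytes) -> bytes:
    """Ethernet II / IPv4 / TCP (PSH,ACK) frame carrying `payload`."""
    tcp_len = 20 + len(payload)
    # seq/ack are arbitrary: this is a lone segment, not a real TCP stream
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1000, 2000,
                      5 << 4, 0x18, 65535, 0, 0)
    pseudo = ip_bytes(src_ip) + ip_bytes(dst_ip) + struct.pack("!BBH", 0, 6, tcp_len)
    tcp_csum = ones_complement_sum(pseudo + tcp + payload)
    tcp = tcp[:16] + struct.pack("!H", tcp_csum) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234, 0x4000,
                     64, 6, 0, ip_bytes(src_ip), ip_bytes(dst_ip))
    ip = ip[:10] + struct.pack("!H", ones_complement_sum(ip)) + ip[12:]
    return DST_MAC + SRC_MAC + b"\x08\x00" + ip + tcp + payload


def pcap_bytes(frames, ts_sec=1528473600) -> bytes:
    """Serialise frames into the classic libpcap file format (little-endian)."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", ts_sec, i * 1000, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def frame_contains(pcap: bytes, needle: bytes):
    """Return [(frame_no, where)] for every frame containing `needle`, using the
    same whole-frame byte search as Wireshark's `frame contains`; `where` says
    whether the match sits in the Ethernet/IP/TCP headers or the TCP payload."""
    (magic,) = struct.unpack("<I", pcap[:4])
    assert magic == PCAP_MAGIC, "only little-endian classic pcap is handled here"
    hits, pos, frame_no = [], 24, 1
    while pos + 16 <= len(pcap):
        incl_len = struct.unpack("<IIII", pcap[pos:pos + 16])[2]
        frame = pcap[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        idx = frame.find(needle)
        if idx != -1:
            if frame[12:14] == b"\x08\x00" and frame[23] == 6:   # IPv4 carrying TCP
                ihl = (frame[14] & 0x0F) * 4
                data_off = (frame[14 + ihl + 12] >> 4) * 4
                payload_off = 14 + ihl + data_off
                where = "payload" if idx >= payload_off else "headers"
            else:
                where = "non-tcp"
            hits.append((frame_no, where))
        frame_no += 1
    return hits


MY_ASCII_STRING = b"MY_ASCII_STRING"
# Constructed HTTP request: the string lands in the TCP payload, which is why
# Wireshark labels the frame "HTTP" even though the bytes live inside TCP.
HTTP_REQUEST = b"GET /?q=" + MY_ASCII_STRING + b" HTTP/1.1\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    frame = build_tcp_frame("10.0.0.2", "10.0.0.1", 40000, 80, HTTP_REQUEST)
    data = pcap_bytes([frame])
    with open("exercise.pcap", "wb") as fh:
        fh.write(data)
    print(frame_contains(data, MY_ASCII_STRING))   # [(1, 'payload')]
```

Open exercise.pcap in Wireshark and the frame dissects as HTTP over TCP over IPv4 over Ethernet, exactly as Jaap describes; frame contains "MY_ASCII_STRING" and tcp.payload contains "MY_ASCII_STRING" both match it, while searching for the source MAC matches the same frame in the headers instead. The checksums are filled in so that Wireshark does not flag the packet, which matters if the exercise is graded on a clean capture.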
