How to replace udp packets on the fly?
Clash Royale CLAN TAG#URR8PPP
I've used iptables to reroute traffic to netsed like this, but it seems to route the traffic to another location.
I've used hexinject like this:
hexinject -s -i eth0 -c 1 -f 'arp' | replace '06 04 00 01' '06 04 00 02' | hexinject -p -i eth0
but the problem with hexinject is that it only injects, it doesn't replace the original packet, it just sends another one.
I've also used ettercap + etterfilter, but it doesn't seem to replace the traffic:
if (ip.proto == UDP)
if (search(DATA.data, "x1fx0fx00x08x00x01"))
log(DATA.data, "/tmp/payload");
drop();
execinject("/bin/sed s/x1fx0fx00x08x00x01/x1fx0fx00x08x00x00/g' /tmp/payload");
msg("caught!");
What I want to do is replace the hex representation of 1f 0f 00 08 00 01 to 1f 0f 00 08 00 00, just changing the last bit to zero, but I was unable to get iptables + netsed, hexinject, or ettercap + etterfilter to work.
Here's a visualization:
Server attempts to send 1f 0f 00 08 00 01 to someone, a program changes so that 1f 0f 00 08 00 00 is sent instead.
What can I try next? Or maybe I'm using these programs in the wrong way.
linux networking iptables udp
edited Feb 27 at 14:07
peterh
4,499113361
asked Sep 19 '15 at 13:18
David ChenDavid Chen
1187
add a comment |
I've used iptables to reroute traffic to netsed like this, but it seems to route the traffic to another location.
I've used hexinject like this:
hexinject -s -i eth0 -c 1 -f 'arp' | replace '06 04 00 01' '06 04 00 02' | hexinject -p -i eth0
but the problem with hexinject is that it only injects, it doesn't replace the original packet, it just sends another one.
I've also used ettercap + etterfilter, but it doesn't seem to replace the traffic:
if (ip.proto == UDP)
if (search(DATA.data, "x1fx0fx00x08x00x01"))
log(DATA.data, "/tmp/payload");
drop();
execinject("/bin/sed s/x1fx0fx00x08x00x01/x1fx0fx00x08x00x00/g' /tmp/payload");
msg("caught!");
What I want to do is replace the hex representation of 1f 0f 00 08 00 01 to 1f 0f 00 08 00 00, just changing the last bit to zero, but I was unable to get iptables + netsed, hexinject, or ettercap + etterfilter to work.
Here's a visualization:
Server attempts to send 1f 0f 00 08 00 01 to someone, a program changes so that 1f 0f 00 08 00 00 is sent instead.
What can I try next? Or maybe I'm using these programs in the wrong way.
linux networking iptables udp
edited Feb 27 at 14:07
peterh
4,499113361
asked Sep 19 '15 at 13:18
David ChenDavid Chen
1187
Heck withhexinjectand other possible tools. Formulate the problem (what to be achieved) from the beginning, please; and don’t expect me following to the bullies’ site even by direct links.
– Incnis Mrsi
Sep 19 '15 at 14:22
add a comment |
I've used iptables to reroute traffic to netsed like this, but it seems to route the traffic to another location.
I've used hexinject like this:
hexinject -s -i eth0 -c 1 -f 'arp' | replace '06 04 00 01' '06 04 00 02' | hexinject -p -i eth0
but the problem with hexinject is that it only injects, it doesn't replace the original packet, it just sends another one.
I've also used ettercap + etterfilter, but it doesn't seem to replace the traffic:
if (ip.proto == UDP)
if (search(DATA.data, "x1fx0fx00x08x00x01"))
log(DATA.data, "/tmp/payload");
drop();
execinject("/bin/sed s/x1fx0fx00x08x00x01/x1fx0fx00x08x00x00/g' /tmp/payload");
msg("caught!");
What I want to do is replace the hex representation of 1f 0f 00 08 00 01 to 1f 0f 00 08 00 00, just changing the last bit to zero, but I was unable to get iptables + netsed, hexinject, or ettercap + etterfilter to work.
Here's a visualization:
Server attempts to send 1f 0f 00 08 00 01 to someone, a program changes so that 1f 0f 00 08 00 00 is sent instead.
What can I try next? Or maybe I'm using these programs in the wrong way.
linux networking iptables udp
edited Feb 27 at 14:07
peterh
4,499113361
asked Sep 19 '15 at 13:18
David ChenDavid Chen
1187
I've used iptables to reroute traffic to netsed like this, but it seems to route the traffic to another location.
I've used hexinject like this:
hexinject -s -i eth0 -c 1 -f 'arp' | replace '06 04 00 01' '06 04 00 02' | hexinject -p -i eth0
but the problem with hexinject is that it only injects, it doesn't replace the original packet, it just sends another one.
I've also used ettercap + etterfilter, but it doesn't seem to replace the traffic:
if (ip.proto == UDP)
if (search(DATA.data, "x1fx0fx00x08x00x01"))
log(DATA.data, "/tmp/payload");
drop();
execinject("/bin/sed s/x1fx0fx00x08x00x01/x1fx0fx00x08x00x00/g' /tmp/payload");
msg("caught!");
What I want to do is replace the hex representation of 1f 0f 00 08 00 01 to 1f 0f 00 08 00 00, just changing the last bit to zero, but I was unable to get iptables + netsed, hexinject, or ettercap + etterfilter to work.
Here's a visualization:
Server attempts to send 1f 0f 00 08 00 01 to someone, a program changes so that 1f 0f 00 08 00 00 is sent instead.
What can I try next? Or maybe I'm using these programs in the wrong way.
linux networking iptables udp
linux networking iptables udp
edited Feb 27 at 14:07
peterh
4,499113361
asked Sep 19 '15 at 13:18
David ChenDavid Chen
1187
edited Feb 27 at 14:07
peterh
4,499113361
asked Sep 19 '15 at 13:18
David ChenDavid Chen
1187
edited Feb 27 at 14:07
peterh
4,499113361
edited Feb 27 at 14:07
peterh
4,499113361
edited Feb 27 at 14:07
peterh
4,499113361
4,499113361
asked Sep 19 '15 at 13:18
David ChenDavid Chen
1187
asked Sep 19 '15 at 13:18
David ChenDavid Chen
1187
asked Sep 19 '15 at 13:18
David ChenDavid Chen
1187
1187
Heck withhexinjectand other possible tools. Formulate the problem (what to be achieved) from the beginning, please; and don’t expect me following to the bullies’ site even by direct links.
– Incnis Mrsi
Sep 19 '15 at 14:22
add a comment |
Heck withhexinjectand other possible tools. Formulate the problem (what to be achieved) from the beginning, please; and don’t expect me following to the bullies’ site even by direct links.
– Incnis Mrsi
Sep 19 '15 at 14:22
Heck with
hexinject and other possible tools. Formulate the problem (what to be achieved) from the beginning, please; and don’t expect me following to the bullies’ site even by direct links.– Incnis Mrsi
Sep 19 '15 at 14:22
Heck with
hexinject and other possible tools. Formulate the problem (what to be achieved) from the beginning, please; and don’t expect me following to the bullies’ site even by direct links.– Incnis Mrsi
Sep 19 '15 at 14:22
add a comment |
1 Answer
1
active
oldest
votes
You can use HexInject and just add a firewall rule to block the forwarding of that specific packet.
Easy and simple.
An example using IPTables to block UDP packets to port 53:
iptables -A FORWARD -p udp --destination-port 53 -j DROP
If you instead want to filter at layer2, you can give a look at EBTables.
It is a sort of firewall for layer 2 frames.
edited Jan 5 '17 at 0:42
HalosGhost
3,77392236
answered Jan 5 '17 at 0:12
Emanuele AcriEmanuele Acri
111
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "106"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f230712%2fhow-to-replace-udp-packets-on-the-fly%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
You can use HexInject and just add a firewall rule to block the forwarding of that specific packet.
Easy and simple.
An example using IPTables to block UDP packets to port 53:
iptables -A FORWARD -p udp --destination-port 53 -j DROP
If you instead want to filter at layer2, you can give a look at EBTables.
It is a sort of firewall for layer 2 frames.
edited Jan 5 '17 at 0:42
HalosGhost
3,77392236
answered Jan 5 '17 at 0:12
Emanuele AcriEmanuele Acri
111
add a comment |
You can use HexInject and just add a firewall rule to block the forwarding of that specific packet.
Easy and simple.
An example using IPTables to block UDP packets to port 53:
iptables -A FORWARD -p udp --destination-port 53 -j DROP
If you instead want to filter at layer2, you can give a look at EBTables.
It is a sort of firewall for layer 2 frames.
edited Jan 5 '17 at 0:42
HalosGhost
3,77392236
answered Jan 5 '17 at 0:12
Emanuele AcriEmanuele Acri
111
add a comment |
You can use HexInject and just add a firewall rule to block the forwarding of that specific packet.
Easy and simple.
An example using IPTables to block UDP packets to port 53:
iptables -A FORWARD -p udp --destination-port 53 -j DROP
If you instead want to filter at layer2, you can give a look at EBTables.
It is a sort of firewall for layer 2 frames.
edited Jan 5 '17 at 0:42
HalosGhost
3,77392236
answered Jan 5 '17 at 0:12
Emanuele AcriEmanuele Acri
111
You can use HexInject and just add a firewall rule to block the forwarding of that specific packet.
Easy and simple.
An example using IPTables to block UDP packets to port 53:
iptables -A FORWARD -p udp --destination-port 53 -j DROP
If you instead want to filter at layer2, you can give a look at EBTables.
It is a sort of firewall for layer 2 frames.
edited Jan 5 '17 at 0:42
HalosGhost
3,77392236
answered Jan 5 '17 at 0:12
Emanuele AcriEmanuele Acri
111
edited Jan 5 '17 at 0:42
HalosGhost
3,77392236
edited Jan 5 '17 at 0:42
HalosGhost
3,77392236
edited Jan 5 '17 at 0:42
HalosGhost
3,77392236
3,77392236
answered Jan 5 '17 at 0:12
Emanuele AcriEmanuele Acri
111
answered Jan 5 '17 at 0:12
Emanuele AcriEmanuele Acri
111
answered Jan 5 '17 at 0:12
Emanuele AcriEmanuele Acri
111
111
add a comment |
add a comment |
Thanks for contributing an answer to Unix & Linux Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f230712%2fhow-to-replace-udp-packets-on-the-fly%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Heck with
hexinjectand other possible tools. Formulate the problem (what to be achieved) from the beginning, please; and don’t expect me following to the bullies’ site even by direct links.– Incnis Mrsi
Sep 19 '15 at 14:22