Wireshark: Editing A Packet

In this video, Tony Fortunato shows how a new feature in the Wireshark network analysis tool allows you to sanitize the information in a trace file before sharing it.

Tony Fortunato

October 27, 2015


There are many situations where you wish you could share a trace file with a vendor, but you can’t because the packets may contain sensitive data such as corporate identifying information, IP addresses, and passwords.

But now Wireshark, the open source network analysis tool, has an experimental feature under Edit->Preferences called Enable Packet Editor, which does exactly what it says. You can edit anything in the packet at any layer. In this video, I change a CDP device ID and CDP’s checksum.

This editing technique doesn’t scale well and isn’t practical if you need to modify 1,000 packets, but I still find it helpful and hope the Wireshark development team continues to build on this cool feature. I am surprised that Wireshark doesn’t have a more comprehensive packet edit tool, but happy it's making headway.

As I mention in the video, there are some tools out there, like TraceWrangler, which I have used for a while, that will change the MAC address or IP address in all your packets.

Please keep in mind that you should only share real corporate packets that you are familiar with and with vendors you trust. In my network troubleshooting work, I’ve received many trace files that contained more information than the customer was aware of and wouldn't be too happy about having shared.
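To illustrate the bulk case that manual editing does not cover, here is an added example (not from the video, Wireshark, or TraceWrangler) that replaces every IPv4 address in a capture with a consistent pseudonym and recomputes the IP header checksum, the same kind of fix-up the CDP checksum needed. It assumes a classic pcap file (not pcapng) with untagged Ethernet frames; the function names and the 198.18.0.0/15 pseudonym range are choices made for this sketch. MAC addresses, payload bytes and TCP/UDP checksums are left as they were.

```python
import ipaddress
import struct

BASE = ipaddress.IPv4Address("198.18.0.1")  # assumed pseudonym pool: RFC 2544 test range

def ip_checksum(header: bytes) -> int:
    """RFC 1071 checksum of an IPv4 header (checksum field zeroed beforehand)."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def sanitize_pcap(data: bytes):
    """Return (sanitized capture, {original IP: pseudonym}) for a classic pcap file."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None or struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("expected a classic pcap file with Ethernet link type")
    out, mapping, pos = bytearray(data), {}, 24
    while pos + 16 <= len(out):
        incl_len = struct.unpack_from(endian + "I", out, pos + 8)[0]
        ip, pos = pos + 16 + 14, pos + 16 + incl_len  # IPv4 header start, next record
        if pos > len(out):
            break  # truncated final record
        # Only untagged IPv4 frames with a fully captured header are rewritten.
        if ip + 20 > pos or out[ip - 2:ip] != b"\x08\x00" or out[ip] >> 4 != 4:
            continue
        ihl = (out[ip] & 0x0F) * 4
        if ihl < 20 or ip + ihl > pos:
            continue
        for off in (12, 16):  # source and destination address fields
            orig = bytes(out[ip + off:ip + off + 4])
            out[ip + off:ip + off + 4] = mapping.setdefault(orig, (BASE + len(mapping)).packed)
        out[ip + 10:ip + 12] = b"\x00\x00"
        struct.pack_into("!H", out, ip + 10, ip_checksum(bytes(out[ip:ip + ihl])))
    readable = {str(ipaddress.IPv4Address(k)): str(ipaddress.IPv4Address(v))
                for k, v in mapping.items()}
    return bytes(out), readable

def sample_pcap() -> bytes:
    """Constructed two-packet, header-only capture with made-up addresses."""
    def frame(src, dst):
        ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 253, 0,
                                   ipaddress.IPv4Address(src).packed,
                                   ipaddress.IPv4Address(dst).packed))
        struct.pack_into("!H", ip, 10, ip_checksum(bytes(ip)))
        eth = bytes(12) + b"\x08\x00" + bytes(ip)
        return struct.pack("<IIII", 0, 0, len(eth), len(eth)) + eth
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + frame("10.1.2.3", "10.9.9.9") + frame("10.9.9.9", "10.1.2.3")
```

Keep the returned mapping private: it is the key that ties the pseudonyms back to the real addresses.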

About the Author(s)

Tony Fortunato

Sr Network Performance Specialist

Tony Fortunato is a network performance expert who has been designing, implementing and troubleshooting networks since 1989. His company, The Technology Firm, provides clients of all sizes with services ranging from project management, network design, consulting, troubleshooting, designing custom-designed training courses, and assisting with equipment installation. Tony's experience in networking started with financial trading floor networks and ISPs, where he learned to integrate and support equipment from various vendors. Tony has taught and presented at numerous colleges and universities, public forums and private classes. He blogs frequently at NetworkDataPedia and has a popular YouTube channel.
