I want to create a pcap file by myself to test the system, but I don’t know how to create or edit the pcap file that has been recorded by tcpdump, so I ask here
Hello!
I am not familiar with the process of editing pcaps.
But I know of some tools that might help you:
- Scapy allows one to create pcaps from scratch: https://scapy.net/ (maybe it's also possible to edit existing pcaps with that, but I'm unaware)
- There's also this, for editing (I have never used it): Tshark | Edit Pcap
Hope that helps!
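To show what "creating a pcap from scratch" actually involves, here is an added example that is not part of the forum thread and not Scapy or Suricata code: it hand-builds the libpcap file format (24-byte global header plus a 16-byte record header per packet) and an Ethernet/IPv4/TCP flow with a full three-way handshake, one HTTP request and response, and a FIN exchange, using only the Python standard library. The MAC addresses, IPs, ports, sequence numbers and HTTP payload are constructed values for the example. IP and TCP checksums are computed properly, which matters for Suricata: with its default settings it validates checksums and only tracks a TCP session it has seen the handshake for, so a handcrafted pcap with bogus checksums or no SYN will not exercise the stream and HTTP code paths you are trying to test.

```python
"""Hand-written pcap writer: Ethernet/IPv4/TCP flow with valid checksums (stdlib only)."""
import os
import socket
import struct
import tempfile

PCAP_MAGIC = 0xA1B2C3D4          # microsecond-resolution pcap, written little-endian
LINKTYPE_ETHERNET = 1

# Constructed (made-up) endpoints for the example flow.
CLIENT_MAC = bytes.fromhex("020000000002")
SERVER_MAC = bytes.fromhex("020000000001")
CLIENT_IP, SERVER_IP = "10.0.0.2", "10.0.0.1"
CLIENT_PORT, SERVER_PORT = 40000, 80

FIN, SYN, PSH, ACK = 0x01, 0x02, 0x08, 0x10   # TCP flag bits

REQUEST = b"GET /test.html HTTP/1.1\r\nHost: example.test\r\nUser-Agent: curl/8.0\r\n\r\n"
RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 2\r\n\r\nok"


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (returns 0 for a valid packet)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b""):
    """Ethernet + IPv4 + TCP frame with the IP and TCP checksum fields filled in."""
    src4, dst4 = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    # TCP header: data offset 5 words, window 65535, checksum and urgent pointer zeroed.
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    pseudo = struct.pack("!4s4sBBH", src4, dst4, 0, socket.IPPROTO_TCP, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", inet_checksum(pseudo + tcp)) + tcp[18:]
    # IPv4 header: version/IHL 0x45, DF set, TTL 64, checksum zeroed then patched in.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64,
                     socket.IPPROTO_TCP, 0, src4, dst4)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return dst_mac + src_mac + struct.pack("!H", 0x0800) + ip + tcp


def http_flow(request: bytes, response: bytes):
    """Frames of a complete session: handshake, request, response, FIN/ACK from each side."""
    c2s = dict(src_mac=CLIENT_MAC, dst_mac=SERVER_MAC, src_ip=CLIENT_IP, dst_ip=SERVER_IP,
               sport=CLIENT_PORT, dport=SERVER_PORT)
    s2c = dict(src_mac=SERVER_MAC, dst_mac=CLIENT_MAC, src_ip=SERVER_IP, dst_ip=CLIENT_IP,
               sport=SERVER_PORT, dport=CLIENT_PORT)
    cseq, sseq = 1000, 5000   # constructed initial sequence numbers
    return [
        build_frame(**c2s, seq=cseq, ack=0, flags=SYN),
        build_frame(**s2c, seq=sseq, ack=cseq + 1, flags=SYN | ACK),
        build_frame(**c2s, seq=cseq + 1, ack=sseq + 1, flags=ACK),
        build_frame(**c2s, seq=cseq + 1, ack=sseq + 1, flags=PSH | ACK, payload=request),
        build_frame(**s2c, seq=sseq + 1, ack=cseq + 1 + len(request), flags=PSH | ACK, payload=response),
        build_frame(**c2s, seq=cseq + 1 + len(request), ack=sseq + 1 + len(response), flags=FIN | ACK),
        build_frame(**s2c, seq=sseq + 1 + len(response), ack=cseq + 2 + len(request), flags=FIN | ACK),
    ]


def write_pcap(path, frames, start_ts=1700000000.0):
    """libpcap file: global header, then (ts_sec, ts_usec, incl_len, orig_len) + bytes per frame."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
        for i, frame in enumerate(frames):
            ts = start_ts + i * 0.001          # 1 ms apart, monotonic
            sec, usec = int(ts), int(round((ts - int(ts)) * 1_000_000))
            f.write(struct.pack("<IIII", sec, usec, len(frame), len(frame)))
            f.write(frame)


def read_pcap(path):
    """Parse the file back; yields (src, sport, dst, dport, flags, payload, checksums_ok)."""
    out = []
    with open(path, "rb") as f:
        (magic,) = struct.unpack("<I", f.read(4))
        if magic != PCAP_MAGIC:
            raise ValueError("not a little-endian microsecond pcap")
        f.read(20)                              # remainder of the global header
        while len(rec := f.read(16)) == 16:
            _, _, incl_len, _ = struct.unpack("<IIII", rec)
            ip = f.read(incl_len)[14:]          # skip the Ethernet header
            ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
            tcp = ip[ihl:total_len]
            sport, dport = struct.unpack("!HH", tcp[:4])
            pseudo = struct.pack("!4s4sBBH", ip[12:16], ip[16:20], 0, ip[9], len(tcp))
            ok = inet_checksum(ip[:ihl]) == 0 and inet_checksum(pseudo + tcp) == 0
            out.append((socket.inet_ntoa(ip[12:16]), sport, socket.inet_ntoa(ip[16:20]), dport,
                        tcp[13], tcp[(tcp[12] >> 4) * 4:], ok))
    return out


def make_test_pcap(path=None):
    """Write the example flow (to a temp file if no path is given) and parse it back."""
    if path is None:
        fd, path = tempfile.mkstemp(suffix=".pcap")
        os.close(fd)
    write_pcap(path, http_flow(REQUEST, RESPONSE))
    return read_pcap(path)


if __name__ == "__main__":
    for pkt in make_test_pcap("handcrafted-http.pcap"):
        print(pkt[:5], len(pkt[5]), "bytes", "checksums ok" if pkt[6] else "BAD CHECKSUM")
```

Run it and feed the result to `suricata -r handcrafted-http.pcap`; the http event in the eve log should show the constructed request. To build a particular test scenario, change only the payload bytes or the order and flags of the frames in http_flow, and re-run read_pcap (or tshark/Wireshark) to confirm the checksums still verify before handing the file to Suricata.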
Depending on what you're trying to create in a pcap, one alternative is to create a simple web server (in python) and then capture traffic with tcpdump -i lo0 (or similar) while interacting with the webserver using curl or wget.
# python 3 server example
from http.server import BaseHTTPRequestHandler, HTTPServer

# Bind to loopback; capture the traffic with tcpdump -i lo0 (macOS) or -i lo (Linux).
hostName = "localhost"
serverPort = 8080


class MyServer(BaseHTTPRequestHandler):
    def do_GET(self):
        # Answer every GET with a small HTML page that echoes the requested path.
        self.send_response(200)
        self.send_header("Content-type", "text/html")
        self.end_headers()
        self.wfile.write("<html><head><title>https://pythonbasics.org</title></head>".encode("utf-8"))
        self.wfile.write("<body>".encode("utf-8"))
        self.wfile.write(("<p>Request: %s</p>" % self.path).encode("utf-8"))
        self.wfile.write("<p>This is an example web server.</p>".encode("utf-8"))
        self.wfile.write("</body></html>".encode("utf-8"))


if __name__ == "__main__":
    webServer = HTTPServer((hostName, serverPort), MyServer)
    print("Server started http://%s:%s" % (hostName, serverPort))
    try:
        webServer.serve_forever()
    except KeyboardInterrupt:
        pass
    webServer.server_close()
OK, thanks, I know this way. This method is more difficult for constructing special test scenarios. Thanks for your support! I want to construct special test scenarios to test Suricata, but I don't know how to construct a *.pcap file.
Thanks for the help! Currently learning Scapy, I will learn Tshark.
How is the pcap file of suricata-verify constructed?
You’re welcome!
Some suricata-verify tests will have a README file indicating what is the source of the pcap used.
Some have been created with Scapy, some are from public wikis like wireshark, some are the result of running a local server and capturing the traffic, some have been shared in bug reports…
Suricata-verify will only require that you provide a valid pcap file.
Does this answer your question?
There is also flowsynth (GitHub - secureworks/flowsynth: a network packet capture compiler), a Python tool to help create pcap files based on a configuration file.
For example, in the test suricata-verify/tests/ftp/ftp-too-long-command-first at master · OISF/suricata-verify · GitHub, you'll see an ftp-too-long-command.syn file that is used as input to flowsynth, which generates the pcap that can be found in the same directory.
Yes, thanks! I'm QA and want to contribute to suricata-verify or suricata; how do I get started?
Hi,
I think the following can serve as a good starting point. It has almost all the basic guidelines and reference links:
Getting Started Contributing to Suricata
You beat me to it
Yes thanks, this tool solved my problem. What standard is the synfile edited according to?
I don’t think there is one. It is its own format. I’d just say add comments so someone else can follow along later. As can be seen by the repo we don’t use it often. It just fit that ftp test case very well that I used it.