Bit-Twist is a simple yet powerful libpcap-based Ethernet packet generator. It is designed to complement tcpdump or Wireshark packet captures. In this tutorial, you will learn how to edit and replay network packet capture files on a live lab network.
bittwist.sourceforge.net
 

 
 
Bittwist Features

  • Runs on *BSD, Linux, and Windows 2000/XP/Vista
  • Send multiple trace files at a time
  • Send packets at a specific speed or line rate in Mbps
  • Comprehensive trace file editor with control over most fields in Ethernet, ARP, IP, ICMP, TCP, and UDP headers with automatic header checksum correction
  • Append user payload to existing packets after a specific header
  • Select a specific range of packets and save them in another trace file
  • Highly scriptable – with proper manipulation you can turn Bit-Twist into an extremely flexible packet generator tool!

 
 
Windows installation

  1. Download bittwist from http://bittwist.sourceforge.net/
  2. Download the cygwin dll file from http://bittwist.sourceforge.net
  3. Extract bittwist-win-x.x.zip and cygwin1.zip
  4. Copy bittwist.exe and bittwiste.exe from the src dir to c:\windows\system32\
  5. Copy cygwin1.dll from cygwin to c:\windows\system32\

 
 
 
 
Edit capture file with Bittwiste
 

 
To edit packet captures for replay, use the bittwiste.exe capture file editor. Each run of bittwiste.exe must have 4 options defined. Multiple runs may be required to make all the necessary changes (see video for details).

  • input capture file – The input capture file is the file to be edited
  • output capture file – The output capture file is the result of the edit
  • standard options – There are several different options but we will only focus on the -T option.
  • header-specific options … ethernet source/destination, IP source/destination, tcp/udp ports, etc.

 
Download sample pcap files
 
 
In the text below, I only demonstrate changing IP addresses in the IP header. The same method is used to manipulate Ethernet MAC addresses or TCP/UDP port numbers. Just use type ‘eth’, ‘udp’ or ‘tcp’ instead of ‘ip’.
 
Change all source addresses to 192.168.0.1
bittwiste -I test1.pcap -O test2.pcap -T ip -s 192.168.0.1
 
Change all destination addresses to 192.168.0.1
bittwiste -I test1.pcap -O test2.pcap -T ip -d 192.168.0.1
 
Replace source address 10.10.10.94 with 192.168.0.1
bittwiste -I test1.pcap -O test2.pcap -T ip -s 10.10.10.94,192.168.0.1
 
Replace destination address 10.10.10.94 with 192.168.0.1
bittwiste -I test1.pcap -O test2.pcap -T ip -d 10.10.10.94,192.168.0.1
 
Replace all instances of 10.10.10.94 with 192.168.0.1 both source and destination
bittwiste -I test1.pcap -O test2.pcap -T ip -s 10.10.10.94,192.168.0.1 -d 10.10.10.94,192.168.0.1
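
A check to run on the edited capture before it is replayed, added here as an example (it is not part of the original tutorial or of Bit-Twist): it confirms the old address no longer appears and that every IPv4 header checksum verifies. The function names and the two sample captures are constructed for illustration; only classic pcap files with untagged Ethernet/IPv4 frames are handled, and TCP/UDP checksums are not checked.

```python
import struct

def ip_checksum(header: bytes) -> int:
    """RFC 1071 checksum; returns 0 when run over a header whose checksum is valid."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def audit_pcap(data: bytes):
    """Return (set of IPv4 addresses seen, count of bad IPv4 header checksums)."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (link type 1) captures are handled")
    seen, bad, pos = set(), 0, 24          # 24-byte global header
    while pos + 16 <= len(data):           # 16-byte per-packet record header
        incl_len = struct.unpack(endian + "I", data[pos + 8:pos + 12])[0]
        frame = data[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not untagged IPv4; VLAN-tagged frames are skipped
        ihl = (frame[14] & 0x0F) * 4
        header = frame[14:14 + ihl]
        if ihl < 20 or len(header) < ihl:
            continue  # truncated or malformed IPv4 header
        seen.update(".".join(map(str, header[o:o + 4])) for o in (12, 16))
        bad += ip_checksum(header) != 0
    return seen, bad

def ready_for_replay(data: bytes, old_ip: str) -> bool:  # old_ip gone, checksums valid
    seen, bad = audit_pcap(data)
    return old_ip not in seen and bad == 0

# --- constructed sample data (not taken from the tutorial's pcap files) ---
def _frame(src, dst, fix=True):
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 1, 0, 64, 253,
                               0, bytes(src), bytes(dst)))
    if fix:  # fill in a correct header checksum
        struct.pack_into("!H", ip, 10, ip_checksum(bytes(ip)))
    return b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + bytes(ip)
def _pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out
EDITED = _pcap([_frame((192, 168, 0, 1), (10, 10, 10, 5))])
STALE = _pcap([_frame((10, 10, 10, 94), (192, 168, 0, 1), fix=False)])
```

To check a real file, pass its contents: ready_for_replay(open("test2.pcap", "rb").read(), "10.10.10.94").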
 
 
 
 
Replay capture file with Bittwist
 

 
Replay the packet capture one time exactly the way it was captured
bittwist -i 1 capturefile.pcap
 
Replay the packet capture 3 times exactly the way it was captured
bittwist -i 1 -l 3 capturefile.pcap
 
Replay the packet capture infinitely, as fast as possible: the next packet is sent as soon as the previous packet leaves. With these options, Bittwist does not replay the packet capture with regard to the timing when packets were captured. This does not necessarily mean the link will be flooded.
bittwist -i 1 -l 0 -m 0 capturefile.pcap
 
Replay the packet capture at a line rate of 100Mbps
bittwist -i 1 -l 0 -m 0 -r 100 capturefile.pcap
 
 
 
 
