If you are ever given a packet capture as an attempt to attribute an address to some type of traffic, think twice. It is actually very easy to rewrite traffic. In ubuntu, the tools are easily installed using
sudo apt-get install -y tcpdump tcpreplay
In order to get a packet capture (pcapng format), a common tool is WireShark. You can install it in Ubuntu using the following:
sudo add-apt-repository ppa:wireshark-dev/stable sudo apt-get update sudo apt-get install wireshark sudo dpkg-reconfigure wireshark-common sudo wireshark
Now that we have the tools, suppose we dump a capture to Original.pcapng.
We can change the traffic on our network to make it look like it's on a different network.
echo "Filtering traffic sent to 192.168.0.168"
tcpdump -r Original.pcapng -w- 'dst host 192.168.0.168' -w original-tcpdump.pcapng
echo "Rewriting 192.168.0.132 to 10.0.0.11 and changing the prot from 80 to 8080"
tcprewrite --infile=original-tcpdump.pcapng \
--outfile=Sample.pcapng \
--srcipmap=192.168.0.132:10.0.0.11 \
--dstipmap=192.168.0.168:10.0.0.12 \
--portmap=80:8080 \
--fixcsu
echo "Deleting temporary files"
rm original-tcpdump.pcapng
You could also have filtered on the HTTP port 80 using tcpdump -r Original.pcapng -w- 'tcp port 80' -w original-tcpdump.pcapng
Finally, you can send the traffic back out over the network using
echo "Replay the traffic" tcpreplay --intf1=eth0 Sample.pcapngwhere
eth0 is your network interface connected to the network.
It will then look like 10.0.0.11 is making contact with 10.0.0.12 using the content from the original network.