Tuesday, April 1, 2014

Announcing netvi, a new tool from the Snort team for editing network packets in real time


A real-time packet editor for traffic on network interfaces

Useful for protecting a single system before traffic reaches an application,
or as an inline tool for protecting an entire network.

netvi has a number of command line options, similar to Snort, and includes all of
Snort's DAQ command line options as well as the ability to specify a BPF via the
command line.

Command line options

-h                          Help
-c                          Specify configuration
-i                           Specify network interface
-n                          Limit the number of packets
-r                           Test netvi with a pcap
-V                         Version

Example uses

To use netvi, and protect your local host (host mode)

netvi -i eth0

Or, use with a bridged interface to protect an interface (network mode)

netvi -i bridge0

Additionally, you can use netvi in trial mode using a pcap with the -r
command line switch.

Editing Packets

Once netvi starts and acquires a packet thru the DAQ, it will present the packet in
an editor.  Modify the hex or the ASCII bytes as you desire from within the vi-style
editor to make changes to the packet before it is written to the wire.  In place
of the filename, the editor shows the name of the interface (or pcap file) and
the packet number.

All common vi editor commands are supported for search and replace,
nagivation, insertion and deletion.

:wq writes the current packet and loads the next packet that arrives
on the network interface.

In between packets -- when not in the packet editor itself, use Control-C to
terminate netvi, just the same as terminating Snort.
Below shows a screenshot of netvi in action.
netvi editing a UDP packet

Words of Warning

Care must be taken to ensure that when packet data is modified, added,
or deleted, IP, TCP or UDP header checksums as well as any TCP sequence
numbers are all properly adjusted.  Failure to do this will result in
netvi sending a malformed packet on thru the network and a broken connection.

In either mode -- host or network -- the user must be able to keep up with loading,
modifying as desired, and writing the network packets to keep traffic flowing.
Impropoer use of netvi can severly impact the rate at which packets arrive at a
host or flow thru a network.

It is recommended that you use -n option to only edit a handful
of packets to get the hang of it before deploying on a real network.  To allow
users to get adjusted to the speed and process by which they can edit packets,
we have defaulted this to 20 packets.


netvi has been tested on Linux, FreeBSD, and Mac OSX w/ DAQ 2.0.2.

Download it here: netvi-01.04.14.tar.gz

Happy editing!

No comments:

Post a Comment