Introduction
- Table of Contents
- What Is Netdude?
- What is Netdude Not?
Welcome! You're looking at the manual for Netdude, the NETwork DUmp data Displayer and Editor. Thanks for reading this.
What Is Netdude?
tcpdump tracefiles and their corresponding tcpdump output are among the standard means to handle captured network traffic, illustrate networking issues and test networking applications with repeatable traffic patterns.
All these situations require handling tcpdump tracefiles, which can be large, complex and hard to inspect. Handling these files is usually done through code, which will generally be of similar structure:
Open the tracefile using pcap_open_offline().
Iterate over the packets in the trace using pcap_dispatch() or pcap_loop(), optionally using a pcap filter.
In the pcap handler, inspect the packet data manually and cast offsets into the data into various protocol header struct pointers to access and/or modify the captured data.
If the packet data gets modified, the packet is writting out to a new tracefile using pcap_dump().
Edit multiple traces at the same time, making it easy to move packets from one trace to a different one.
Modify every field in protocol headers for which a protocol plugin provides support.
Edit arbitrary packet content using Netdude's hex editor in both hex- or ASCII-mode, whichever is more convenient for the payload you're editing
Move packets around, duplicate them, remove them from traces.
Instantly see the tcpdump output update according to the modifications you're making.
Conveniently use the clipboard to select lines from the tcpdump output for situations when you need the tcpdump output, but not the packet data that's underneath, like when writing documentation, papers or emails.
Protocol Plugins: Editing packets using a hex editor is cumbersome. If you need convenient access to packet data, consider writing a protocol plugin. The plugin gets registered in Netdude's protocol registry automatically, all you need to do is provide a bunch of callbacks. The set of callbacks provides support for both state-free and stateful protocols[1].
Functionality Plugins: If the problem isn't support for a protocol but the need to do something that Netdude currently cannot do, you can write a plugin providing that feature. Those plugins support a single big entry point that gets called from a menu item and can do anything you desire, be that correcting checksums, anonymizing data, statistical analysis etc.
Notes
| [1] | The TCP plugin that comes with Netdude uses its own system to monitor TCP connection state in order to provide correct seq/ack numbers in the tcpdump output -- if you want that feature. |