Wednesday, July 20, 2011

Change order of packets in pcap file

Hi all, I have found a new capture editing tool, capedit, with which you can reorder the packets in a pcap file. Not only reordering: it also supports changing fields, fragmenting packets, adding VLAN headers and many other options. It has a nice GUI that gives you a user-friendly experience.
Here is the GUI screenshot:


Steps to install:
Just check out the code from the net:
#svn co svn+http://code.google.com/p/packetsquare-capedit/source/browse/#svn/branches/0.0.1
#cd svn/branches/0.0.1/
#make
If make complains that gtk+2 is not installed, install the GTK development libraries. On Ubuntu simply run the command below:
apt-get install libgtk2.0-dev
After the GTK libraries are installed successfully, run make again to build the capedit tool.
Once it is compiled you can run the tool by simply typing the command below:
./capedit
This tool is very useful when you are working with protocol stacks...
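To show what such a tool is actually rearranging, here is an added example (my own code, not part of capedit or of the original post) that parses the classic pcap record format, rejects truncated records, and writes the packets back sorted by timestamp; the three-packet capture it runs on is constructed inline.

```python
import struct

# Classic pcap: a 24-byte global header, then records of a 16-byte header plus packet bytes.
MAGIC_NATIVE = 0xa1b2c3d4

def read_pcap(data):
    """Parse a classic pcap byte string into (global_header, endian, [(sec, usec, payload), ...])."""
    magic = struct.unpack('<I', data[:4])[0]
    if magic == MAGIC_NATIVE:
        endian = '<'                       # file was written little-endian
    elif magic == 0xd4c3b2a1:
        endian = '>'                       # file was written big-endian
    else:
        raise ValueError('not a classic pcap file (magic %#x)' % magic)
    header, packets, pos = data[:24], [], 24
    while pos < len(data):
        if pos + 16 > len(data):
            raise ValueError('truncated record header at offset %d' % pos)
        sec, usec, incl_len, _orig_len = struct.unpack(endian + 'IIII', data[pos:pos + 16])
        pos += 16
        if pos + incl_len > len(data):     # never trust incl_len from the file
            raise ValueError('truncated packet data at offset %d' % pos)
        packets.append((sec, usec, data[pos:pos + incl_len]))
        pos += incl_len
    return header, endian, packets

def write_pcap(header, endian, packets):
    """Serialise (sec, usec, payload) records back into pcap bytes under the original header."""
    out = [header]
    for sec, usec, payload in packets:
        out.append(struct.pack(endian + 'IIII', sec, usec, len(payload), len(payload)))
        out.append(payload)
    return b''.join(out)

def reorder_by_time(data):
    """Return the capture with records sorted by timestamp (stable sort: ties keep file order)."""
    header, endian, packets = read_pcap(data)
    return write_pcap(header, endian, sorted(packets, key=lambda p: (p[0], p[1])))

def build_sample():
    """Constructed three-packet capture whose timestamps are deliberately out of order."""
    header = struct.pack('<IHHiIII', MAGIC_NATIVE, 2, 4, 0, 0, 65535, 1)  # version 2.4, linktype 1 = Ethernet
    packets = [(10, 500, b'\x01' * 14), (5, 0, b'\x02' * 14), (10, 100, b'\x03' * 14)]
    return write_pcap(header, '<', packets)

if __name__ == '__main__':
    _, _, ordered = read_pcap(reorder_by_time(build_sample()))
    print([(sec, usec) for sec, usec, _ in ordered])   # [(5, 0), (10, 100), (10, 500)]
```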

Ok, just dig and explore more. Happy crafting packets :)

Friday, July 1, 2011

Grouping commands in an expect script when expecting the same pattern

Hi, the script below just shows how a data variable can be used as a list: each value in the list is sent to the spawned program. This is helpful only if you are always expecting the same string.
#!/usr/bin/expect -f

set force_conservative 0 ;# set to 1 to force conservative mode even if
                          ;# script wasn't run conservatively originally
if {$force_conservative} {
    set send_slow {1 .1}
    proc send {ignore arg} {
        sleep .1
        exp_send -s -- $arg
    }
}

set timeout -1
# Each line of data is one command to send to the spawned shell
set data "ls
date
ls -ltr
bla
bla
bla
exit"

# Spawn the new bash shell
spawn bash

match_max 100000

# Split data on newlines and send each command once the prompt appears
foreach line [split $data \n] {
    expect "root@phaneedra:/home/phaneedra#"
    send -- "$line\r"
    sleep 1
}

# Wait for the shell to exit after the final "exit" command
expect eof



The foreach above splits data into lines (one element each) and copies each one into the line variable. The script then waits for the prompt "root@phaneedra:/home/phaneedra#" and, whenever it appears, sends the first command, then the next, and so on.

This is just an example, so it may not make much sense on its own. But it is useful for testing CLI-interacting applications where the expected string pattern does not change.

Thursday, June 30, 2011

Writing a simple Perl module and using it.

package Mymodule;    # Mymodule is the module name used in your script; save this file as Mymodule.pm
use strict;          # This pragma forces you to declare your variables
use warnings;        # This pragma turns on optional warnings
use base "Exporter"; # Exporter is a standard Perl module that knows how to export functions and variables;
                     # our module uses that export mechanism by inheriting from it with "use base"
our @EXPORT = qw(add mul $test); # "our" gives package (global) scope; qw tells Perl to build a list from space-separated words

our $test = 'yes';
my $sum;
my $mul;

sub add
{
    my ($x, $y) = @_;   # copy the two arguments instead of writing to the special globals $a and $b
    $sum = $x + $y;
    return $sum;
}

sub mul
{
    my ($x, $y) = @_;
    $mul = $x * $y;
    return $mul;
}

1; # This must be the last statement in the module: a true value tells Perl the module loaded properly

Application that uses the above Perl module


#!/usr/bin/perl
use strict;
use warnings;
use Mymodule;   # Mymodule.pm must be found via @INC, e.g. run from its directory with "perl -I. app.pl"
my $sum = add(2,3);
my $mul = mul(2,3);
print "sum is: $sum\n";
print "multiplication is: $mul\n";
if ($sum == 5)
{
    print "$test\n";   # $test was exported by Mymodule
}

Tuesday, June 28, 2011

Kernel crash debugging tip: how to know which line in your code caused the crash

Use the "objdump" utility with the "-S" option on your object file (.o): it dumps the disassembly of the object file interleaved with the source code, so each source line is displayed next to its corresponding disassembly.

Example: the following is an instance of a kernel crash showing that the crash happened at offset 0x58 into init_module(), which is 0x8c bytes in size, in the module domu_share:

root@PVHVM-domU:~/tets_programs/page_share_interdomain# dmesg -c
[ 2463.297489] BUG: unable to handle kernel paging request at 000000003bd28000
[ 2463.297495] IP: [] init_module+0x58/0x8c [domu_share]
[ 2463.297503] PGD 3bdb3067 PUD 36f56067 PMD 0
[ 2463.297506] Oops: 0002 [#1] SMP
[ 2463.297508] last sysfs file: /sys/devices/pci0000:00/0000:00:01.2/usb1/1-0:1.0/uevent
[ 2463.297512] CPU 0
=========

Now run objdump on domu_share.o and redirect the output to a file (the objdump output can be very large):
# objdump -S domu_share.o > my_objdump

Now look for the init_module function in "my_objdump", take the base address of the function, go 0x58 bytes further and check which source line that address belongs to. That is exactly where the crash happened.

The section of code which caused the crash is shown below:

int init_module(void)
{
80: 55 push %rbp <<<<<------ 80 (actually 0x80) is the base address of the init_module();
81: 48 89 e5 mov %rsp,%rbp
84: e8 00 00 00 00 callq 89
* that is several physically contiguous pages long, and doesn't zero
.....
..... /* crash is at 0x58 of init_module; so go to 0x80+0x58 = 0xd8 */
sring = (struct as_sring*) page;
a6: 48 63 d0 movslq %eax,%rdx

SHARED_RING_INIT(sring);

a9: be 2f 00 00 00 mov $0x2f,%esi
ae: 48 8d 7a 11 lea 0x11(%rdx),%rdi
b2: c7 42 08 00 00 00 00 movl $0x0,0x8(%rdx)
b9: c7 02 00 00 00 00 movl $0x0,(%rdx)
bf: c7 42 0c 01 00 00 00 movl $0x1,0xc(%rdx)
c6: c7 42 04 01 00 00 00 movl $0x1,0x4(%rdx)
cd: 40 f6 c7 01 test $0x1,%dil
d1: 0f 85 f1 00 00 00 jne 1c8
d7: 40 f6 c7 02 test $0x2,%dil <<<<<----- here is where the crash happened
and this assembly belongs to
SHARED_RING_INIT(sring);

db: 0f 85 ff 00 00 00 jne 1e0
==============

So, have a look at SHARED_RING_INIT(sring), which is where the crash occurred.
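To automate the lookup described above, here is an added Python helper (my own code, not from the original post) that parses the "func+0xoff/0xsize" token from the oops IP line and walks objdump -S output to find the instruction, and the interleaved source line, that contain that offset. It also handles the case where base + offset falls inside a multi-byte instruction (0x80 + 0x58 = 0xd8 lands in the 4-byte test at 0xd7) by reporting the instruction that starts at or before the target. The listing it runs on is a constructed, abridged excerpt in the shape of the dump above.

```python
import re

# Constructed excerpt in the shape of `objdump -S domu_share.o` output (abridged, not the real dump).
OBJDUMP_EXCERPT = """\
0000000000000080 <init_module>:
int init_module(void)
{
  80:   55                      push   %rbp
        sring = (struct as_sring*) page;
  a6:   48 63 d0                movslq %eax,%rdx
        SHARED_RING_INIT(sring);
  a9:   be 2f 00 00 00          mov    $0x2f,%esi
  cd:   40 f6 c7 01             test   $0x1,%dil
  d1:   0f 85 f1 00 00 00       jne    1c8 <init_module+0x148>
  d7:   40 f6 c7 02             test   $0x2,%dil
  db:   0f 85 ff 00 00 00       jne    1e0 <init_module+0x160>
"""

SYMBOL_RE = re.compile(r'^([0-9a-f]+) <([^>]+)>:$')
INSN_RE = re.compile(r'^\s*([0-9a-f]+):\s+(?:[0-9a-f]{2}\s)+')  # "addr: bytes ..." lines only
IP_RE = re.compile(r'^(\w+)\+0x([0-9a-f]+)/0x[0-9a-f]+$')         # "init_module+0x58/0x8c"

def parse_ip(token):
    """Split an oops IP token into (symbol, offset); None if it does not match."""
    m = IP_RE.match(token)
    return (m.group(1), int(m.group(2), 16)) if m else None

def locate(dump, symbol, offset):
    """Return (insn_address, source_line) for the instruction that contains symbol+offset."""
    base, source, found = None, None, None
    for line in dump.splitlines():
        m = SYMBOL_RE.match(line)
        if m:                                # symbol header: record the base of our function only
            base = int(m.group(1), 16) if m.group(2) == symbol else None
            continue
        if base is None:
            continue
        m = INSN_RE.match(line)
        if m:
            addr = int(m.group(1), 16)
            if addr > base + offset:         # first instruction past the target: stop
                break
            found = (addr, source)           # target is in this instruction or a later one
        elif line.strip():
            source = line.strip()            # interleaved source line produced by -S
    return found

def crash_line(dump, ip_token):
    sym = parse_ip(ip_token)                 # e.g. ('init_module', 0x58)
    return locate(dump, *sym) if sym else None
```

crash_line(OBJDUMP_EXCERPT, 'init_module+0x58/0x8c') returns (0xd7, 'SHARED_RING_INIT(sring);'), matching the manual walk above.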