Manipulating network data streams with Netsed
Switcheroo
Netsed is a small communication tool that lets users modify the content of TCP and UDP data packets on the local network.
The Netsed command-line tool lets you directly manipulate unencrypted data streams, allowing data integrity tests and black-box protocol auditing. It needs very little in terms of resources and is available for installation in all the major distributions. If your distribution only offers a legacy version, rather than the current v1.2, you can download the source code [1] and build the software manually with:
make && sudo make install
Netsed naturally only works on computers that route packages (i.e., routers, e.g., under OpenWrt) or on servers that provide this service. Like a proxy, the software sniffs the data stream from a defined connection and then manipulates it in-line according to rules you define.
You can either launch the program manually or add it to a shell script. If you use local port numbers higher than 1023, you can make do with normal user privileges; otherwise, you need to be root.
Syntax
Netsed syntax is as follows:
$ netsed {<protocol>} {<local port>} {<remote computer>} {<remote port>}\ {<Search>/<Replace>}
The <protocol>
is either tcp
or udp
, and you can address the <remote computer>
by either its hostname or its IP address. The <Search>/<Replace>
pattern looks like this:
's/<Search>/<Replace>'
If you omit <Replace>
, you delete the specified search term from the data stream. If so desired, the software will also process multiple statements of this kind at the same time. By adding a numeric parameter to the search/replace instruction, you can restrict the number of change actions per transmission. If you want the program to perform a change exactly once, you would use:
's/<old>/<new>/1'
Even if the term exists multiple times, the tool will only replace it once in this case.
Hands On
Assuming the command-line syntax is valid, Netsed shows all the actions related to the connection in the first part of the output, including the number of search and replace rules you pass in. The test setup then manipulates the output of a web server on port 8080 and redirects it to port 9000:
$ netsed tcp 9000 192.168.0.35 8080 's/test/trial/'
After this, Netsed outputs notices on packet forwarding and handling. Figure 1, for example, shows a successful search and replace action (Applying rule outlined in red), and Figure 2 shows the result.
As mentioned before, Netsed lets you modify multiple content instances. This command shows a configuration that issues four search and replace commands:
$ netsed tcp 9000 ze5 8080 's/Test/Trial/1' \ 's/http:%2f%2fwww.startpage.com%2f/Search engine locked/''s/192.168.0.35/192.168.0.36/''s/ZE5/ZE6/'
The first task is to replace the string Test once only with Trial. The second instruction removes the link to a search engine and replaces it with the message Search engine locked. The last two instructions replace the server's IP address and hostname (Figure 3).
You need to quote any forward slash (/) that is part of the Netsed command by using a percent character and the hexadecimal equivalent of a slash (%2f) from the ASCII table.
Conclusions
Netsed provides a relatively simple approach for manipulating unencrypted data transported by a network. The test setup shown in this article is basically intended as a proof of concept to show how easily cleartext can be manipulated. For this reason, it always makes sense to check your websites and hide the imprint in graphical elements instead of using cleartext HTML. This makes it more difficult for attackers to produce spurious website copies.
Infos
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
Fedora 40 Beta Released Soon
With the official release of Fedora 40 coming in April, it's almost time to download the beta and see what's new.
-
New Pentesting Distribution to Compete with Kali Linux
SnoopGod is now available for your testing needs
-
Juno Computers Launches Another Linux Laptop
If you're looking for a powerhouse laptop that runs Ubuntu, the Juno Computers Neptune 17 v6 should be on your radar.
-
ZorinOS 17.1 Released, Includes Improved Windows App Support
If you need or desire to run Windows applications on Linux, there's one distribution intent on making that easier for you and its new release further improves that feature.
-
Linux Market Share Surpasses 4% for the First Time
Look out Windows and macOS, Linux is on the rise and has even topped ChromeOS to become the fourth most widely used OS around the globe.
-
KDE’s Plasma 6 Officially Available
KDE’s Plasma 6.0 "Megarelease" has happened, and it's brimming with new features, polish, and performance.
-
Latest Version of Tails Unleashed
Tails 6.0 is based on Debian 12 and includes GNOME 43.
-
KDE Announces New Slimbook V with Plenty of Power and KDE’s Plasma 6
If you're a fan of KDE Plasma, you'll be thrilled to hear they've announced a new Slimbook with an AMD CPU and the latest version of KDE Plasma desktop.
-
Monthly Sponsorship Includes Early Access to elementary OS 8
If you want to get a glimpse of what's in the pipeline for elementary OS 8, just set up a monthly sponsorship to help fund its continued existence.
-
DebConf24 to be Held in South Korea
Busan will be the location of the latest DebConf running July 28 through August 4