Manipulating network data streams with Netsed
Switcheroo
Netsed is a small communication tool that lets users modify the content of TCP and UDP data packets on the local network.
The Netsed command-line tool lets you directly manipulate unencrypted data streams, allowing data integrity tests and black-box protocol auditing. It needs very little in terms of resources and is available for installation in all the major distributions. If your distribution only offers a legacy version, rather than the current v1.2, you can download the source code [1] and build the software manually with:
make && sudo make install
Netsed naturally only works on computers that route packages (i.e., routers, e.g., under OpenWrt) or on servers that provide this service. Like a proxy, the software sniffs the data stream from a defined connection and then manipulates it in-line according to rules you define.
You can either launch the program manually or add it to a shell script. If you use local port numbers higher than 1023, you can make do with normal user privileges; otherwise, you need to be root.
Syntax
Netsed syntax is as follows:
$ netsed {<protocol>} {<local port>} {<remote computer>} {<remote port>}\ {<Search>/<Replace>}
The <protocol>
is either tcp
or udp
, and you can address the <remote computer>
by either its hostname or its IP address. The <Search>/<Replace>
pattern looks like this:
's/<Search>/<Replace>'
If you omit <Replace>
, you delete the specified search term from the data stream. If so desired, the software will also process multiple statements of this kind at the same time. By adding a numeric parameter to the search/replace instruction, you can restrict the number of change actions per transmission. If you want the program to perform a change exactly once, you would use:
's/<old>/<new>/1'
Even if the term exists multiple times, the tool will only replace it once in this case.
Hands On
Assuming the command-line syntax is valid, Netsed shows all the actions related to the connection in the first part of the output, including the number of search and replace rules you pass in. The test setup then manipulates the output of a web server on port 8080 and redirects it to port 9000:
$ netsed tcp 9000 192.168.0.35 8080 's/test/trial/'
After this, Netsed outputs notices on packet forwarding and handling. Figure 1, for example, shows a successful search and replace action (Applying rule outlined in red), and Figure 2 shows the result.
As mentioned before, Netsed lets you modify multiple content instances. This command shows a configuration that issues four search and replace commands:
$ netsed tcp 9000 ze5 8080 's/Test/Trial/1' \ 's/http:%2f%2fwww.startpage.com%2f/Search engine locked/''s/192.168.0.35/192.168.0.36/''s/ZE5/ZE6/'
The first task is to replace the string Test once only with Trial. The second instruction removes the link to a search engine and replaces it with the message Search engine locked. The last two instructions replace the server's IP address and hostname (Figure 3).
You need to quote any forward slash (/) that is part of the Netsed command by using a percent character and the hexadecimal equivalent of a slash (%2f) from the ASCII table.
Conclusions
Netsed provides a relatively simple approach for manipulating unencrypted data transported by a network. The test setup shown in this article is basically intended as a proof of concept to show how easily cleartext can be manipulated. For this reason, it always makes sense to check your websites and hide the imprint in graphical elements instead of using cleartext HTML. This makes it more difficult for attackers to produce spurious website copies.
Infos
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
AlmaLinux 10.0 Beta Released
The AlmaLinux OS Foundation has announced the availability of AlmaLinux 10.0 Beta ("Purple Lion") for all supported devices with significant changes.
-
Gnome 47.2 Now Available
Gnome 47.2 is now available for general use but don't expect much in the way of newness, as this is all about improvements and bug fixes.
-
Latest Cinnamon Desktop Releases with a Bold New Look
Just in time for the holidays, the developer of the Cinnamon desktop has shipped a new release to help spice up your eggnog with new features and a new look.
-
Armbian 24.11 Released with Expanded Hardware Support
If you've been waiting for Armbian to support OrangePi 5 Max and Radxa ROCK 5B+, the wait is over.
-
SUSE Renames Several Products for Better Name Recognition
SUSE has been a very powerful player in the European market, but it knows it must branch out to gain serious traction. Will a name change do the trick?
-
ESET Discovers New Linux Malware
WolfsBane is an all-in-one malware that has hit the Linux operating system and includes a dropper, a launcher, and a backdoor.
-
New Linux Kernel Patch Allows Forcing a CPU Mitigation
Even when CPU mitigations can consume precious CPU cycles, it might not be a bad idea to allow users to enable them, even if your machine isn't vulnerable.
-
Red Hat Enterprise Linux 9.5 Released
Notify your friends, loved ones, and colleagues that the latest version of RHEL is available with plenty of enhancements.
-
Linux Sees Massive Performance Increase from a Single Line of Code
With one line of code, Intel was able to increase the performance of the Linux kernel by 4,000 percent.
-
Fedora KDE Approved as an Official Spin
If you prefer the Plasma desktop environment and the Fedora distribution, you're in luck because there's now an official spin that is listed on the same level as the Fedora Workstation edition.