Manipulating network data streams with Netsed
Switcheroo
![© Lead Image © KONSTANTYNOV, 123RF.com © Lead Image © KONSTANTYNOV, 123RF.com](/var/linux_magazin/storage/images/issues/2015/173/netsed/123rf_19377884_swap-replace-exchange_konstantynov_resized.png/647255-1-eng-US/123rf_19377884_Swap-replace-exchange_konstantynov_resized.png_medium.png)
© Lead Image © KONSTANTYNOV, 123RF.com
Netsed is a small communication tool that lets users modify the content of TCP and UDP data packets on the local network.
The Netsed command-line tool lets you directly manipulate unencrypted data streams, allowing data integrity tests and black-box protocol auditing. It needs very little in terms of resources and is available for installation in all the major distributions. If your distribution only offers a legacy version, rather than the current v1.2, you can download the source code [1] and build the software manually with:
make && sudo make install
Netsed naturally only works on computers that route packages (i.e., routers, e.g., under OpenWrt) or on servers that provide this service. Like a proxy, the software sniffs the data stream from a defined connection and then manipulates it in-line according to rules you define.
You can either launch the program manually or add it to a shell script. If you use local port numbers higher than 1023, you can make do with normal user privileges; otherwise, you need to be root.
Syntax
Netsed syntax is as follows:
$ netsed {<protocol>} {<local port>} {<remote computer>} {<remote port>}\ {<Search>/<Replace>}
The <protocol>
is either tcp
or udp
, and you can address the <remote computer>
by either its hostname or its IP address. The <Search>/<Replace>
pattern looks like this:
's/<Search>/<Replace>'
If you omit <Replace>
, you delete the specified search term from the data stream. If so desired, the software will also process multiple statements of this kind at the same time. By adding a numeric parameter to the search/replace instruction, you can restrict the number of change actions per transmission. If you want the program to perform a change exactly once, you would use:
's/<old>/<new>/1'
Even if the term exists multiple times, the tool will only replace it once in this case.
Hands On
Assuming the command-line syntax is valid, Netsed shows all the actions related to the connection in the first part of the output, including the number of search and replace rules you pass in. The test setup then manipulates the output of a web server on port 8080 and redirects it to port 9000:
$ netsed tcp 9000 192.168.0.35 8080 's/test/trial/'
After this, Netsed outputs notices on packet forwarding and handling. Figure 1, for example, shows a successful search and replace action (Applying rule outlined in red), and Figure 2 shows the result.
![](/var/linux_magazin/storage/images/issues/2015/173/netsed/figure-1/647258-1-eng-US/Figure-1_large.png)
![](/var/linux_magazin/storage/images/issues/2015/173/netsed/figure-2/647261-1-eng-US/Figure-2_large.png)
As mentioned before, Netsed lets you modify multiple content instances. This command shows a configuration that issues four search and replace commands:
$ netsed tcp 9000 ze5 8080 's/Test/Trial/1' \ 's/http:%2f%2fwww.startpage.com%2f/Search engine locked/''s/192.168.0.35/192.168.0.36/''s/ZE5/ZE6/'
The first task is to replace the string Test once only with Trial. The second instruction removes the link to a search engine and replaces it with the message Search engine locked. The last two instructions replace the server's IP address and hostname (Figure 3).
You need to quote any forward slash (/) that is part of the Netsed command by using a percent character and the hexadecimal equivalent of a slash (%2f) from the ASCII table.
Conclusions
Netsed provides a relatively simple approach for manipulating unencrypted data transported by a network. The test setup shown in this article is basically intended as a proof of concept to show how easily cleartext can be manipulated. For this reason, it always makes sense to check your websites and hide the imprint in graphical elements instead of using cleartext HTML. This makes it more difficult for attackers to produce spurious website copies.
Infos
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
![Learn More](https://www.linux-magazine.com/var/linux_magazin/storage/images/media/linux-magazine-eng-us/images/misc/learn-more/834592-1-eng-US/Learn-More_medium.png)
News
-
NVIDIA Released Driver for Upcoming NVIDIA 560 GPU for Linux
Not only has NVIDIA released the driver for its upcoming CPU series, it's the first release that defaults to using open-source GPU kernel modules.
-
OpenMandriva Lx 24.07 Released
If you’re into rolling release Linux distributions, OpenMandriva ROME has a new snapshot with a new kernel.
-
Kernel 6.10 Available for General Usage
Linus Torvalds has released the 6.10 kernel and it includes significant performance increases for Intel Core hybrid systems and more.
-
TUXEDO Computers Releases InfinityBook Pro 14 Gen9 Laptop
Sporting either AMD or Intel CPUs, the TUXEDO InfinityBook Pro 14 is an extremely compact, lightweight, sturdy powerhouse.
-
Google Extends Support for Linux Kernels Used for Android
Because the LTS Linux kernel releases are so important to Android, Google has decided to extend the support period beyond that offered by the kernel development team.
-
Linux Mint 22 Stable Delayed
If you're anxious about getting your hands on the stable release of Linux Mint 22, it looks as if you're going to have to wait a bit longer.
-
Nitrux 3.5.1 Available for Install
The latest version of the immutable, systemd-free distribution includes an updated kernel and NVIDIA driver.
-
Debian 12.6 Released with Plenty of Bug Fixes and Updates
The sixth update to Debian "Bookworm" is all about security mitigations and making adjustments for some "serious problems."
-
Canonical Offers 12-Year LTS for Open Source Docker Images
Canonical is expanding its LTS offering to reach beyond the DEB packages with a new distro-less Docker image.
-
Plasma Desktop 6.1 Released with Several Enhancements
If you're a fan of Plasma Desktop, you should be excited about this new point release.