Manipulating network data streams with Netsed
Switcheroo
Netsed is a small communication tool that lets users modify the content of TCP and UDP data packets on the local network.
The Netsed command-line tool lets you directly manipulate unencrypted data streams, allowing data integrity tests and black-box protocol auditing. It needs very little in terms of resources and is available for installation in all the major distributions. If your distribution only offers a legacy version, rather than the current v1.2, you can download the source code [1] and build the software manually with:
make && sudo make install
Netsed naturally only works on computers that route packages (i.e., routers, e.g., under OpenWrt) or on servers that provide this service. Like a proxy, the software sniffs the data stream from a defined connection and then manipulates it in-line according to rules you define.
You can either launch the program manually or add it to a shell script. If you use local port numbers higher than 1023, you can make do with normal user privileges; otherwise, you need to be root.
Syntax
Netsed syntax is as follows:
$ netsed {<protocol>} {<local port>} {<remote computer>} {<remote port>}\ {<Search>/<Replace>}
The <protocol>
is either tcp
or udp
, and you can address the <remote computer>
by either its hostname or its IP address. The <Search>/<Replace>
pattern looks like this:
's/<Search>/<Replace>'
If you omit <Replace>
, you delete the specified search term from the data stream. If so desired, the software will also process multiple statements of this kind at the same time. By adding a numeric parameter to the search/replace instruction, you can restrict the number of change actions per transmission. If you want the program to perform a change exactly once, you would use:
's/<old>/<new>/1'
Even if the term exists multiple times, the tool will only replace it once in this case.
Hands On
Assuming the command-line syntax is valid, Netsed shows all the actions related to the connection in the first part of the output, including the number of search and replace rules you pass in. The test setup then manipulates the output of a web server on port 8080 and redirects it to port 9000:
$ netsed tcp 9000 192.168.0.35 8080 's/test/trial/'
After this, Netsed outputs notices on packet forwarding and handling. Figure 1, for example, shows a successful search and replace action (Applying rule outlined in red), and Figure 2 shows the result.
As mentioned before, Netsed lets you modify multiple content instances. This command shows a configuration that issues four search and replace commands:
$ netsed tcp 9000 ze5 8080 's/Test/Trial/1' \ 's/http:%2f%2fwww.startpage.com%2f/Search engine locked/''s/192.168.0.35/192.168.0.36/''s/ZE5/ZE6/'
The first task is to replace the string Test once only with Trial. The second instruction removes the link to a search engine and replaces it with the message Search engine locked. The last two instructions replace the server's IP address and hostname (Figure 3).
You need to quote any forward slash (/) that is part of the Netsed command by using a percent character and the hexadecimal equivalent of a slash (%2f) from the ASCII table.
Conclusions
Netsed provides a relatively simple approach for manipulating unencrypted data transported by a network. The test setup shown in this article is basically intended as a proof of concept to show how easily cleartext can be manipulated. For this reason, it always makes sense to check your websites and hide the imprint in graphical elements instead of using cleartext HTML. This makes it more difficult for attackers to produce spurious website copies.
Infos
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
New Slimbook EVO with Raw AMD Ryzen Power
If you're looking for serious power in a 14" ultrabook that is powered by Linux, Slimbook has just the thing for you.
-
The Gnome Foundation Struggling to Stay Afloat
The foundation behind the Gnome desktop environment is having to go through some serious belt-tightening due to continued financial problems.
-
Thousands of Linux Servers Infected with Stealth Malware Since 2021
Perfctl is capable of remaining undetected, which makes it dangerous and hard to mitigate.
-
Halcyon Creates Anti-Ransomware Protection for Linux
As more Linux systems are targeted by ransomware, Halcyon is stepping up its protection.
-
Valve and Arch Linux Announce Collaboration
Valve and Arch have come together for two projects that will have a serious impact on the Linux distribution.
-
Hacker Successfully Runs Linux on a CPU from the Early ‘70s
From the office of "Look what I can do," Dmitry Grinberg was able to get Linux running on a processor that was created in 1971.
-
OSI and LPI Form Strategic Alliance
With a goal of strengthening Linux and open source communities, this new alliance aims to nurture the growth of more highly skilled professionals.
-
Fedora 41 Beta Available with Some Interesting Additions
If you're a Fedora fan, you'll be excited to hear the beta version of the latest release is now available for testing and includes plenty of updates.
-
AlmaLinux Unveils New Hardware Certification Process
The AlmaLinux Hardware Certification Program run by the Certification Special Interest Group (SIG) aims to ensure seamless compatibility between AlmaLinux and a wide range of hardware configurations.
-
Wind River Introduces eLxr Pro Linux Solution
eLxr Pro offers an end-to-end Linux solution backed by expert commercial support.