Core Features

PacketSmith supports the PCAP file format in its libpcap little-endian variant, with either microsecond- or nanosecond-resolution timestamps.

It is written in C++ and distributed as a 64-bit (x64) binary release exclusively for the Windows operating system.

Notably, its core features operate independently of any third-party libraries. The only external dependencies are two open-source libraries: JSON for Modern C++ by Niels Lohmann and cxxopts by Jarryd Beck (for parsing command-line options). Otherwise, the entirety of the software was developed in-house by Netomize.

This software is compatible with Windows 7 64-bit and newer versions.

Some of PacketSmith’s features include:

Comprehensive Packet Capture Analysis

PacketSmith provides a suite of tools for extracting and presenting detailed statistical information from PCAP files. This feature empowers network administrators, security analysts, and researchers to gain deeper insights into captured network traffic. The tool processes the PCAP file and outputs the requested statistics directly to the console, offering a quick and efficient way to analyze network behaviour.

  • PCAP Header Analysis
  • Stream-Level Statistical Reporting (Console: Table or JSON) for TCP/UDP over IPv4/IPv6
  • Flow Analysis
  • Entropy Calculation
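To make the header analysis and entropy items concrete, here is an added example (not PacketSmith code, written independently for this page) that parses the libpcap global header and record headers described above, distinguishes the microsecond magic (0xa1b2c3d4) from the nanosecond magic (0xa1b23c4d) in either byte order, checks each record against the snaplen and file length, and computes Shannon entropy per captured frame. The two-record capture it reads is constructed inline; the linktype value 1 (Ethernet) and the summary keys are this example's own choices.

```python
from __future__ import annotations
import math
import struct
from typing import Iterator, NamedTuple

# libpcap magic numbers; the nanosecond variant swaps the low two bytes.
MAGIC_USEC = 0xA1B2C3D4
MAGIC_NSEC = 0xA1B23C4D

class PcapHeader(NamedTuple):
    endian: str          # struct byte-order prefix: "<" little-endian, ">" big-endian
    ts_resolution: str   # "us" or "ns", decided by the magic number
    version: tuple
    snaplen: int
    linktype: int

class PcapRecord(NamedTuple):
    ts_sec: int
    ts_frac: int         # microseconds or nanoseconds, per PcapHeader.ts_resolution
    orig_len: int
    data: bytes

def parse_global_header(buf: bytes) -> PcapHeader:
    """Read the 24-byte global header, trying little-endian first, then big-endian."""
    if len(buf) < 24:
        raise ValueError("truncated pcap global header")
    for endian in ("<", ">"):
        magic = struct.unpack(endian + "I", buf[:4])[0]
        if magic in (MAGIC_USEC, MAGIC_NSEC):
            major, minor, _thiszone, _sigfigs, snaplen, linktype = struct.unpack(endian + "HHiIII", buf[4:24])
            return PcapHeader(endian, "us" if magic == MAGIC_USEC else "ns", (major, minor), snaplen, linktype)
    raise ValueError("not a pcap file (unknown magic 0x%08x)" % struct.unpack("<I", buf[:4])[0])

def iter_records(buf: bytes, hdr: PcapHeader) -> Iterator[PcapRecord]:
    """Walk the 16-byte record headers; refuse lengths that exceed snaplen or the file."""
    off = 24
    while off + 16 <= len(buf):
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(hdr.endian + "IIII", buf[off:off + 16])
        off += 16
        if incl_len > hdr.snaplen or off + incl_len > len(buf):
            raise ValueError("corrupt record header at offset %d" % (off - 16))
        yield PcapRecord(ts_sec, ts_frac, orig_len, buf[off:off + incl_len])
        off += incl_len
    if off != len(buf):
        raise ValueError("trailing bytes after the last record")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant payload, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def build_sample_pcap() -> bytes:
    """Constructed little-endian, nanosecond-resolution capture with two Ethernet records."""
    global_hdr = struct.pack("<IHHiIII", MAGIC_NSEC, 2, 4, 0, 0, 65535, 1)
    frames = ((1700000000, 123456789, bytes(range(256))),   # constructed high-entropy frame
              (1700000001, 5, b"\x00" * 60))                 # constructed all-zero frame
    body = b"".join(struct.pack("<IIII", s, f, len(d), len(d)) + d for s, f, d in frames)
    return global_hdr + body

def summarize(buf: bytes) -> dict:
    """Header facts plus per-record entropy, the kind of console statistics listed above."""
    hdr = parse_global_header(buf)
    recs = list(iter_records(buf, hdr))
    return {"ts_resolution": hdr.ts_resolution, "linktype": hdr.linktype,
            "count": len(recs), "entropy": [round(shannon_entropy(r.data), 3) for r in recs]}

if __name__ == "__main__":
    print(summarize(build_sample_pcap()))
```

The snaplen and file-length checks in iter_records are what keep a truncated or hand-edited capture from being read past its end, which is the first thing a parser of untrusted pcap input should get right.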

PacketSmith enables the modification of various IPv4 and IPv6 layer fields through parameterized arguments. More importantly, the IPv4 identification field can be updated for designated TCP and UDP streams. This update is performed on a per-stream basis, taking into account the traffic directionality (client or server flow).

PacketSmith provides the capability to recalculate the sequence and acknowledgment fields for TCP streams. For the first release, only a “basic” implementation is provided, which doesn’t account for keep-alive packets, out-of-order packets, packet retransmission, cumulative acknowledgment, or any other details that might influence the TCP seq and ack values.

PacketSmith can automatically recalculate and correct checksums for various network protocols within a packet capture. This feature supports the following protocols: Ethernet FCS (Frame Check Sequence), IPv4 header checksum, IPv6 header checksum (extensions aware), ICMP checksum, ICMPv6 checksum (IPv6 extensions aware), IGMP checksum, TCP checksum, UDP-Lite, and UDP checksum.
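Why checksums must be recomputed after any rewrite (address replacement, IPv4/IPv6 swapping, anonymization) is easiest to see in code. The following is an added example, not PacketSmith's implementation: the RFC 1071 ones'-complement sum, the IPv4 header checksum, and the UDP checksum over its pseudo-header for both IPv4 (RFC 768) and IPv6 (RFC 8200), plus a verifier. The sample datagram, its addresses and ports are constructed for the example.

```python
from __future__ import annotations
import struct
from ipaddress import ip_address

UDP_PROTO = 17

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071: add 16-bit big-endian words, folding the carries back in."""
    if len(data) % 2:
        data += b"\x00"          # an odd trailing byte is padded for the sum only
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def checksum(data: bytes) -> int:
    return (~ones_complement_sum(data)) & 0xFFFF

def ipv4_header_checksum(hdr: bytes) -> int:
    """Covers the IPv4 header only, with its own checksum field treated as zero."""
    return checksum(hdr[:10] + b"\x00\x00" + hdr[12:])

def udp_pseudo_header(src: bytes, dst: bytes, udp_len: int, ipv6: bool) -> bytes:
    """The pseudo-header binds the IP addresses into the transport checksum."""
    if ipv6:   # RFC 8200: src, dst, 32-bit upper-layer length, 3 zero bytes, next header
        return src + dst + struct.pack("!I3xB", udp_len, UDP_PROTO)
    return src + dst + struct.pack("!BBH", 0, UDP_PROTO, udp_len)    # RFC 768

def udp_checksum(src: bytes, dst: bytes, udp: bytes, ipv6: bool = False) -> int:
    data = udp_pseudo_header(src, dst, len(udp), ipv6) + udp[:6] + b"\x00\x00" + udp[8:]
    c = checksum(data)
    return 0xFFFF if c == 0 else c   # a computed 0 is sent as all-ones; 0 means "absent" in IPv4

def set_udp_checksum(src: bytes, dst: bytes, udp: bytes, ipv6: bool = False) -> bytes:
    return udp[:6] + struct.pack("!H", udp_checksum(src, dst, udp, ipv6)) + udp[8:]

def verify_udp(src: bytes, dst: bytes, udp: bytes, ipv6: bool = False) -> bool:
    """A correct datagram sums to all-ones over pseudo-header plus UDP, so checksum() is 0."""
    if udp[6:8] == b"\x00\x00":
        return not ipv6          # IPv4 may omit the UDP checksum; IPv6 must not
    return checksum(udp_pseudo_header(src, dst, len(udp), ipv6) + udp) == 0

def fix_ipv4_udp(pkt: bytes) -> bytes:
    """Recompute both checksums of an IPv4/UDP packet, header first, then transport."""
    ihl = (pkt[0] & 0x0F) * 4
    ip, udp = pkt[:ihl], pkt[ihl:]
    ip = ip[:10] + struct.pack("!H", ipv4_header_checksum(ip)) + ip[12:]
    return ip + set_udp_checksum(ip[12:16], ip[16:20], udp)

def verify_ipv4_udp(pkt: bytes) -> tuple:
    """Returns (ip_header_ok, udp_ok)."""
    ihl = (pkt[0] & 0x0F) * 4
    ip, udp = pkt[:ihl], pkt[ihl:]
    return checksum(ip) == 0, verify_udp(ip[12:16], ip[16:20], udp)

def build_sample_ipv4_udp(src: str = "192.168.0.1", dst: str = "192.168.0.199",
                          payload: bytes = b"constructed payload") -> bytes:
    """Constructed datagram with both checksum fields left zero, as a rewriter would emit it."""
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0x4000, 64, UDP_PROTO, 0,
                     ip_address(src).packed, ip_address(dst).packed)
    return ip + udp

if __name__ == "__main__":
    pkt = fix_ipv4_udp(build_sample_ipv4_udp())
    print(verify_ipv4_udp(pkt))
```

Changing only the destination address in a checksummed packet breaks both the IPv4 header check and the UDP check, because the pseudo-header carries the addresses; a rewriter that refreshes one and not the other leaves a capture that replay tools and Wireshark will flag.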

PacketSmith supports replacing various types of data link layers with Ethernet. Supported layers include:

  • Raw IP
  • BSD loopback encapsulation
  • Cisco PPP with HDLC framing
  • OpenBSD loopback encapsulation
  • Linux “cooked” capture encapsulation
  • Linux “cooked” capture encapsulation v2
  • FakeNet – Dynamic Network Analysis Tool
  • Juniper Networks private data link type

PacketSmith is the only tool capable of replacing an IPv4 layer with an IPv6 layer and vice versa. It is fragmentation-aware.

A key feature of PacketSmith is its ability to transform TCP data into UDP packets. This can be done for entire TCP streams, multiple streams, single frames, or multiple independent frames, with PacketSmith substituting the original TCP packets with their UDP counterparts. It supports both IPv4 and IPv6.

PacketSmith supports the conversion of UDP streams to TCP streams, analogous to its TCP-to-UDP conversion. This stream-level transformation, not frame-based, is a sophisticated operation that involves the injection of TCP control packets, including SYN, SYN-ACK, ACK, FIN, and others, to construct a proper TCP stream for each input UDP stream. It supports both IPv4 and IPv6.

PacketSmith provides the capability to insert synthetic network traffic, including 3-way TCP handshake packets for connection establishment and DNS query and response packets for domain name resolution. It supports both IPv4 and IPv6.

PacketSmith enables users to insert artificial, parameterized DNS query and response packets (requests that ask DNS servers to resolve domain names, and their replies) at a given set of frames in an existing network traffic capture. It supports adding multiple A/AAAA records in the DNS response packet.

PacketSmith offers the functionality to inject different network protocol layers into existing packets. It supports the following layers:

802.1Q VLAN (0x8100) Ethernet Extension: Although the 802.1Q Virtual LAN (VLAN) tagging is technically an extension to the Ethernet data link layer and not a distinct layer itself, PacketSmith allows the insertion of a parametrized 802.1Q VLAN header into all Ethernet frames.

PacketSmith allows for the removal of specific layers from network frames. This includes:

  • 802.1Q VLAN (0x8100) layer removal
  • Virtual eXtensible LAN (VXLAN) layer removal
  • IPv4 or IPv6 layer removal from IPv4-in-IPv6 encapsulation (IPv4-IPIP: 0x04)
  • IPv4 or IPv6 layer removal from IPv6-in-IPv4 encapsulation (IPv6: 0x29)

PacketSmith allows you to fragment a packet capture’s TCP packets using a specific MTU (Maximum Transmission Unit) value. It supports both IPv4 and IPv6 network layers.

For UDP, it fragments a packet capture’s packets using a specific max UDP payload size value.

PacketSmith offers the ability to replace source and destination IP addresses and TCP/UDP port numbers within network streams, or statically (for IP addresses).

PacketSmith provides functionality to replace source and destination MAC addresses within the Ethernet layer, offering both static replacement and stream-based replacement anchored by IP or port numbers (in case the src and dst IP addresses are the same).

PacketSmith checks for Wake-on-LAN (WoL) magic packets carried over UDP or directly over Ethernet, and can anonymize the optional SecureOn password of a WoL magic packet by replacing it with randomly generated bytes.

To facilitate the secure sharing of sensitive packet captures—which may contain real-world traffic or other confidential data—PacketSmith provides a robust anonymization capability.

In addition to in-memory reassembly of IP fragments, PacketSmith can rewrite the fully reassembled IPv4/IPv6 fragmented packet into the original pcap (options -u ip_frag_perm and -u ip_frag_disable).

PacketSmith allows you to fragment a packet capture’s packets at the IP level using a specific MTU (Maximum Transmission Unit) value. It supports both IPv4 and IPv6 network layers. Available via the option --frag_pkt (ipv4|ipv6):<mtu>.
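The IP-level fragmentation just described, and the reassembly mentioned two paragraphs earlier, are shown here as an added example that is not PacketSmith code and covers IPv4 only (IPv6 fragmentation uses an extension header and is left out). It splits a packet to fit an MTU on 8-byte boundaries, sets the MF flag and fragment offsets, refuses packets with DF set, recomputes the header checksum for every fragment, and reassembles while checking for holes and a missing final fragment. The sample packet (id 0xabcd, 10.0.0.1 to 10.0.0.2) is constructed for the example, and the helper names are its own.

```python
from __future__ import annotations
import struct

DF, MF = 0x4000, 0x2000     # IPv4 flag bits in the flags/fragment-offset word

def _ipv4_csum(hdr: bytes) -> int:
    """RFC 1071 ones'-complement checksum of an IPv4 header, its checksum field taken as zero."""
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr[:10] + b"\x00\x00" + hdr[12:]))
    s = (s & 0xFFFF) + (s >> 16)
    s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def _with_header(hdr: bytes, total_len: int, flags_frag: int) -> bytes:
    """Copy a header with new total length and flags/offset, then refresh its checksum."""
    h = hdr[:2] + struct.pack("!H", total_len) + hdr[4:6] + struct.pack("!H", flags_frag) + hdr[8:]
    return h[:10] + struct.pack("!H", _ipv4_csum(h)) + h[12:]

def fragment_ipv4(pkt: bytes, mtu: int) -> list[bytes]:
    ihl = (pkt[0] & 0x0F) * 4
    if ihl != 20:
        raise NotImplementedError("IPv4 options have per-option copy rules; not handled here")
    if len(pkt) <= mtu:
        return [pkt]
    hdr, payload = pkt[:ihl], pkt[ihl:]
    flags_frag = struct.unpack("!H", hdr[6:8])[0]
    if flags_frag & DF:
        raise ValueError("DF set: this packet must not be fragmented")
    chunk = (mtu - ihl) & ~7          # offsets count 8-byte units, so every piece but the last is a multiple of 8
    if chunk < 8:
        raise ValueError("MTU too small to carry a fragment")
    base_off, orig_mf = flags_frag & 0x1FFF, flags_frag & MF
    frags = []
    for pos in range(0, len(payload), chunk):
        piece = payload[pos:pos + chunk]
        last = pos + len(piece) == len(payload)
        mf = orig_mf if last else MF   # an already-fragmented input keeps its own MF on its last piece
        frags.append(_with_header(hdr, ihl + len(piece), mf | (base_off + pos // 8)) + piece)
    return frags

def reassemble_ipv4(frags: list[bytes]) -> bytes:
    """Rebuild one packet from its fragments; rejects holes, overlaps and a missing final piece."""
    if not frags:
        raise ValueError("no fragments")
    if len({f[4:6] + f[9:10] + f[12:20] for f in frags}) != 1:
        raise ValueError("fragments do not share (id, proto, src, dst)")
    parts = []
    for f in frags:
        ihl = (f[0] & 0x0F) * 4
        ff = struct.unpack("!H", f[6:8])[0]
        parts.append(((ff & 0x1FFF) * 8, bool(ff & MF), f[:ihl], f[ihl:]))
    parts.sort(key=lambda p: p[0])
    expected, payload = 0, b""
    for off, _mf, _hdr, data in parts:
        if off != expected:
            raise ValueError("hole or overlap at offset %d" % off)
        expected += len(data)
        payload += data
    if parts[-1][1]:
        raise ValueError("last fragment still has MF set")
    if not all(p[1] for p in parts[:-1]):
        raise ValueError("MF clear on a non-final fragment")
    return _with_header(parts[0][2], len(parts[0][2]) + len(payload), 0) + payload

def build_sample_packet(payload: bytes = bytes(range(100))) -> bytes:
    """Constructed IPv4 packet: id 0xabcd, TTL 64, protocol 17, 10.0.0.1 -> 10.0.0.2, no flags."""
    hdr = bytes([0x45, 0x00, 0x00, 0x00, 0xAB, 0xCD, 0x00, 0x00, 64, 17, 0x00, 0x00,
                 10, 0, 0, 1, 10, 0, 0, 2])
    return _with_header(hdr, 20 + len(payload), 0) + payload

if __name__ == "__main__":
    pieces = fragment_ipv4(build_sample_packet(), 44)
    print(len(pieces), [len(p) for p in pieces], reassemble_ipv4(pieces) == build_sample_packet())
```

Reassembly rejects the classic malformed cases (overlapping or missing pieces, a set with no final fragment) rather than guessing, which is the behaviour an analysis tool needs when the capture itself may be adversarial.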

PacketSmith is the only known tool capable of constructing ICMPv4/v6 Echo streams in the same way as TCP/UDP streams (option -I, --Info istreams_j and istreams_j:fids).

PacketSmith’s ICMP detection module identifies malicious and suspicious activity using behavioral and protocol-semantic analysis, making it independent of specific signatures (option -D, --Detect icmp).

A special feature of PacketSmith is the capability to detect TCP handshake packets across all TCP streams, providing a detailed breakdown of the TCP handshake states for every stream in the pcap file, covering both IPv4 and IPv6 traffic.

PacketSmith (starting with version 4) comes equipped with a TCP reassembly engine that reassembles all TCP streams in the pcap. This feature is used internally by PacketSmith whenever needed, with configurable options provided to the user via the configuration file “packetsmith.ini” under the [tcp_reassemble] section.

PacketSmith includes an X.509 certificate extractor for TLS/SSL over TCP and DTLS over UDP streams. Extracted certificates can either be saved to disk or dissected, with their attributes output as JSON objects and arrays.

We have exposed all the major protocols supported by PacketSmith to the Yara compiler and scanner, via custom pattern identifiers (PaIDs), unique to PacketSmith. Think of these PaIDs as domain-specific objects with nested attributes that you can leverage to write powerful and semantic-aware Yara-X rules to detect malicious traffic, targeting different protocols in the same rule.

PacketSmith integrates Microsoft’s Antimalware Scan Interface (AMSI) as a detection module to scan frames, streams, and istreams for malicious content.