Randpkt

Test protocol dissectors or software with malformed packets.
2 min |  Ross Jacobs |  March 3, 2019

Quicklinks: manpage | Wireshark text doc | code


About

randpkt is a tool used to generate fuzzed packets for a specific protocol or randomly from a list. While randpkt has a more limited feature set than similar tools, it has only 4 flags and generates packets quickly.

randpktdump is available as an extcap interface if you want tshark to treat this generator as if it were an interface.

Caveats

  • On Windows, the default is to not install randpkt. You must select randpkt manually during installation.
  • The tcp option uses token-ring instead of ethernet at layer 2. To get packets using the eth/ip/tcp stack, use giop, tds, or bgp.
  • If you set -b, byte counts will vary wildly up to this byte count ceiling.
  • randpkt -r crashes for -c > 1

Examples

Save to pcap

In this asciicast, we’ll create a pcap with 100 Ethernet II frames and then read it with tshark.

To get an idea of possible traffic, this capture contains a fuzzed packet of every available type (2019).

stdout

If you write to stdout, randpkt emits raw pcap-formatted packet bytes (i.e. it looks like �M�0Ϻ�ZR�d%sX�˯B). When using stdout, you will usually be piping the output into another utility such as tshark.

# Send 4 ARP frames to tshark
$ randpkt -t arp -c 4 - | tshark -r -
    1   0.000000 00:00:32:25:0f:ff → Broadcast    ARP 3873 Unknown ARP opcode 0x25dc
    2   1.000000 00:00:32:25:0f:ff → Broadcast    ARP 3690 Unknown ARP opcode 0xbb97
    3   2.000000 00:00:32:25:0f:ff → Broadcast    ARP 4618 Unknown ARP opcode 0x8f78
    4   3.000000 00:00:32:25:0f:ff → Broadcast    ARP 1204 Unknown ARP opcode 0x6c41
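
Combining the two examples above into a repeatable dissector check, as an added example that is not part of the original page: generate a capture per packet type, replay each through tshark, and keep only the captures tshark fails on. It assumes randpkt and tshark are on PATH; the function name fuzz_types, the output layout and the sample arguments are hypothetical choices.

```shell
#!/bin/sh
# Added example (not from the original page).
# fuzz_types OUTDIR COUNT MAXBYTES TYPE...
#   For each TYPE, writes COUNT fuzzed packets (at most MAXBYTES each) to
#   OUTDIR/TYPE.pcap with randpkt, then fully dissects the file with tshark.
#   Prints one status line per type and returns 1 if any type failed.
#   -r is deliberately not used, given the page's caveat that it crashes
#   for -c > 1.
fuzz_types() {
    ft_outdir=$1 ft_count=$2 ft_maxbytes=$3
    shift 3
    ft_failed=0
    mkdir -p "$ft_outdir" || return 1

    for ft_type in "$@"; do
        ft_pcap="$ft_outdir/$ft_type.pcap"

        if ! randpkt -t "$ft_type" -c "$ft_count" -b "$ft_maxbytes" \
                "$ft_pcap" >/dev/null 2>&1; then
            echo "$ft_type generate-failed"
            ft_failed=1
            continue
        fi

        # -V prints full packet details, so every field is dissected.
        # A dissector crash shows up as a non-zero exit (128+signal).
        ft_status=0
        tshark -r "$ft_pcap" -V >/dev/null 2>&1 || ft_status=$?

        if [ "$ft_status" -eq 0 ]; then
            echo "$ft_type ok"
            rm -f "$ft_pcap"          # nothing to triage
        else
            echo "$ft_type tshark-exit-$ft_status kept=$ft_pcap"
            ft_failed=1               # keep the pcap as a reproducer
        fi
    done
    return "$ft_failed"
}

# Usage (sample arguments are assumptions):
#   fuzz_types ./fuzz-out 100 500 arp giop bgp
```

Any capture left in the output directory reproduces the failure with `tshark -r` on that file.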

Similar Tools

Fuzz an existing capture

  • fuzz-test: Mutates provided captures and then calls Wireshark to try to crash it
  • Fuzz with editcap: Mutate a percent of your pcap’s bytes

Generate traffic

  • boofuzz: “Network Protocol Fuzzing for Humans”
  • trafgen: Part of a suite of Linux network tools

Further Reading

  • Awesome-Fuzzing: A comprehensive list of fuzzing resources, including books, courses, videos, and tools.
  • Fuzzing Proprietary Protocols: Author was tasked with security testing the client’s in-house protocol after being given traffic samples. He was able to induce 4 crashes by fuzzing with Scapy and Radamsa.
  • Basic AFL Usage: Using AFL to check tcpdump test cases.