Randpkt

Test protocol dissectors or software with malformed packets.

2 min　|　 Ross Jacobs　|　 March 3, 2019

Quicklinks: manpage | Wireshark text doc | code

About

randpkt is a tool used to generate fuzzed packets for a specific protocol or randomly from a list. While randpkt has a more limited feature set than similar tools, it is only has 4 flags and generates packets quickly.

randpktdump is available as an extcap interface if you want to tshark to treat this generator as if it were an interface.

Caveats

On Windows, the default is to not install randpkt. You must select randpkt manually during installation.
The tcp option uses token-ring instead of ethernet at layer 2. To get packets using the eth/ip/tcp stack, use giop, tdp, or bgp.
If you set -b, byte counts will vary wildly up to this byte count ceiling.
~~randpkt -r crashes for -c > 1~~

Examples

Save to pcap

In this asciicast, we’ll create pcap with 100 ethernet-II frames and then read it with tshark.

To get an idea of possible traffic, this capture contains a fuzzed packet of every available type (2019).

stdout

If you write to stdout, it will write raw pcap-formatted packet bytes (i.e. looks like �M�0Ϻ�ZR�d%sX�˯B). If you are using stdout, you are sending this onto another utility like tshark.

# Send 4 ARP frames to tshark
$ randpkt -t arp -c 4 - | tshark -r -
    1   0.000000 00:00:32:25:0f:ff → Broadcast    ARP 3873 Unknown ARP opcode 0x25dc
    2   1.000000 00:00:32:25:0f:ff → Broadcast    ARP 3690 Unknown ARP opcode 0xbb97
    3   2.000000 00:00:32:25:0f:ff → Broadcast    ARP 4618 Unknown ARP opcode 0x8f78
    4   3.000000 00:00:32:25:0f:ff → Broadcast    ARP 1204 Unknown ARP opcode 0x6c41

Similar Tools

Fuzz an existing capture

fuzz-test: Mutates provided captures and then calls Wireshark to try to crash it
Fuzz with editcap: Mutate a percent of your pcap’s bytes

Generate traffic

boofuzz: “Network Protocol Fuzzing for Humans”
trafgen: Part of a suite of Linux network tools