{"id":13643559,"url":"https://github.com/xlab/netsed","last_synced_at":"2025-10-05T17:19:57.010Z","repository":{"id":35797878,"uuid":"40079325","full_name":"xlab/netsed","owner":"xlab","description":"Mirror of http://silicone.homelinux.org/git/netsed.git/","archived":false,"fork":false,"pushed_at":"2017-06-18T09:24:52.000Z","size":82,"stargazers_count":63,"open_issues_count":0,"forks_count":10,"subscribers_count":4,"default_branch":"master","last_synced_at":"2025-03-26T09:11:07.093Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/xlab.png","metadata":{"files":{"readme":"README","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2015-08-02T12:56:46.000Z","updated_at":"2025-02-26T23:18:35.000Z","dependencies_parsed_at":"2022-09-08T18:30:22.370Z","dependency_job_id":null,"html_url":"https://github.com/xlab/netsed","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/xlab%2Fnetsed","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/xlab%2Fnetsed/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/xlab%2Fnetsed/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/xlab%2Fnetsed/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/xlab","download_url":"https://codeload.github.com/xlab/netsed/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248581358,"owners_count":21128155,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-02T01:01:49.273Z","updated_at":"2025-10-05T17:19:51.984Z","avatar_url":"https://github.com/xlab.png","language":"C","funding_links":[],"categories":["C"],"sub_categories":[],"readme":"\n  netsed 1.2       (C) 2010-2012  Julien VdG \u003cjulien@silicone.homelinux.org\u003e\n  --------------------------------------------------------------------------\n\n  This work is based on the original netsed:\n      netsed 0.01c      (C) 2002  Michal Zalewski \u003clcamtuf@ids.pl\u003e\n\n  Please contact Julien VdG \u003cjulien@silicone.homelinux.org\u003e if you encounter\n  any problems with this version.\n  The changes compared to version 0.01c are related in the NEWS file.\n\n  --------------------------------------------------------------------------\n\n  \"When things go well, expect something to explode, erode, collapse or\n  just disappear.\"  -- anonymous\n\nNetSED is small and handful utility designed to alter the contents of\npackets forwarded thru your network in real time. It is really useful\nfor network hackers in following applications:\n\n  * black-box protocol auditing - whenever there are two or more\n    propertiary boxes communicating over undocumented protocol (by enforcing \n    changes in ongoing transmissions, you will be able to test if tested \n    application is secure),\n\n  * fuzz-alike experiments, integrity tests - whenever you want to test \n    stability of the application and see how it ensures data integrity,\n\n  * other common applications - fooling other people, content filtering,\n    etc etc - choose whatever you want to.\n\nIt perfectly fits netgrep, netcat and tcpdump tools suite :P\n\nIt has been designed because I was suspicious about Lotus Domino carrying\nmailbox path in every packet after authorization. Having no Lotus Domino\nclient software under Linux, I needed something to install on my bridging\nfirewall to modify this mailbox path and try to read someone's else\nmailbox. Guess what happened?:P\n\nThis is release 0.01b, which isn't really effective or stable, and I\nwouldn't suggest you putting it nowhere in your production systems ;)\nBut - well - any suggestions, fixes, comments and ideas are welcome. For\nnow, only TCP and UDP user-space filtering is possible - no support for\nkernel firewalling / routing, raw packets, ICMP and other things.\n\nI bet it won't compile on platforms other than Linux, as I haven't tested\nit, but it shouldn't be too difficult to run it on *BSD, IRIX, Solaris\netc.\n\n  Setting up netsed - theory\n  --------------------------\n\nThere are two possible ways of using netsed. Basic configuration looks this\nway:\n\n  ( client software ) ---\u003e------+\n                                |\n                          \u003c local port \u003e\n                                |\n                         [ netsed engine ]\n                                |\n                                +-------------\u003e ( remote server )\n\nIn this solution, client software has to connect specified port on specified\nmachine - which is not always possible, and not always expected. So,\nthere is a second way - which is completely system-dependent. It is called\ntransparent proxy.\n\nNetSED supports kernel-level transparent proxy. This means you can set up\nyour gateway machine (firewall, router, ethernet bridge) to transparently\nredirect all traffic coming from client software to remote server without\ntouching anything outside this box. On Linux, you can set up transparent\nproxying in pretty easy way:\n\nipfwadm -I -i accept -S source_ip -D destination_ip port -P protocol -r lport\n\nFor example, if you want to redirect all traffic coming from host \n1.2.3.4 to network 5.6.0.0/16 with destination port 12345/tcp, and you\nhave netsed working on port 10101 on your local machine, you should do\nsomething like:\n\nipfwadm -I -i accept -S 1.2.3.4 -D 5.6.0.0/16 12345 -P tcp -r 10101\n\nBy setting up netsed properly, content will be transparenly modified and\nforwarded to the destination:\n\n                                 NetSED\n                              ______|______\n  ( client software ) ---\u003e---| - - -+- - - |--------\u003e ( server host )\n                             | transparent |\n                             |    proxy    |\n                             |_____________|\n\nFor more instructions on rules syntax and transparent proxies in general,\nrefer your OS documentation.\n\nUpdate for linux 2.4 and later with netfilter:\n\nFirst you need to make sure LINUX_NETFILTER is defined in source code \nbefore compiling.\nThen the command are as follows:\niptables -t nat -D PREROUTING -s source_ip -d destination_ip -p protocol --dport port -j REDIRECT --to lport\n\nSo the previous example becomes:\niptables -t nat -D PREROUTING -s 1.2.3.4 -d 5.6.0.0/16 -p tcp --dport 12345 -j REDIRECT --to 10101\n\n  Setting up netsed - practice\n  ----------------------------\n\nOk, here we are. First of all, you should know how to set up the first\nconfiguration I've been talking about - static, user-space forwarder.\nNetSED accepts following parameters:\n\n   netsed proto lport rhost rport rule1 [ rule2 ... ]\n\nFirst parameter, 'proto', means, obviously, the protocol. You might choose\n'tcp' or 'udp'. Then, you have to specify 'lport' - local listening port.\nNext argument, 'rhost', is the remote server address where the connection\nshould be forwarded. ONLY IP ADDRESSES ARE SUPPORTED BY NOW. Then, we\nhave 'rport' - remote port number, and up to 50 filtering rules.\n\nGeneral replacement rules syntax is: \n\n   s/pat1/pat2[/expire]\n\nThis will replace all occurrences of pat1 with pat2 in matching packets.\nAn additional parameter (count) can be used to expire rule after 'count'\nsuccessful substitutions for a given connection. Eight-bit characters, \nincluding NULL and '/', can be passed using HTTP-alike hex escape \nsequences (eg. %0a%0d). Single '%' can be reached by using '%%'.\nWildcards are supported by specifying %* and will match any value. Up to 10 wildcards can be used.\nExamples:\n\n  's/andrew/mike/1'     - replace 'andrew' with 'mike' (only first time)\n  's/andrew/mike'       - replace all occurrences of 'andrew' with 'mike'\n  's/start%*end/new'    - replace anything between (and including) 'start' and 'end' with 'new'\n  's/andrew/mike%00%00' - replace 'andrew' with 'mike\\x00\\x00'\n                          (manually padding to keep original size)\n  's/%%/%2f/20'         - replace the 20 first occurence of '%' with '/'\n\nRules are not working on cross-packet boundaries and are evaluated from\nfirst to last not expired rule.\n\nPer-rule TTLs (time-to-live) are useful if you want to modify eg. only\nthe first packet, letting other packets unmodified, or to dynamically\nchange NetSED functionality. This rule, for example, will change 'Henry'\nto 'William' in the first packet, and to 'Mariah' in all other packets:\n\n      s/Henry/William/1 s/Henry/Mariah\n\nSo, let's try our first command-line example:\n\n  ./netsed tcp 10101 127.0.0.1 25 s/ehlo/badcommand/1\n\nThis should be obvious - connection to local port 10101 will be forwarded\nto local smtp service. Take a look:\n\n$ telnet localhost 10101\n220 squirrel.tpi.pl ESMTP Sendmail 8.9.3/8.9.3; Fri, 5 Jan 2001 00:15:18 +0100\nehlo\n500 Command unrecognized: \"badcommand\"\nehlo\n501 ehlo requires domain address\n\nApparently, it worked :) Try playing a little with different patterns,\nmultiple rules etc. Generally, NetSED works by incremental comparsion\nof the rules, and then skipping already replaced data. For example:\n\n    Rules: s/degener/devi/\n           s/generation/%20and%20sausages/\n           s/sausages/chicken/\n\n    Input data: 'degenerationgeneration'\n\n    Init: degenerationgeneration\n          ^ (replace pointer)\n\n    Pass 1: deviationgeneration       [degener -\u003e devi]\n                ^ (replace pointer)\n\n    Pass 2: deviation and sausages    [generation -\u003e and sausages]\n                                  ^\n    No futher replacements made - end of input data (so, 'sausages'\n    won't be replaced with 'chicken').\n\nNow, I suppose you'd like to know how to setup good-working transparent\nconfiguration. Well - nothing easier :) The configuration described above\nshould work just fine - set up transparent packet redirection to port\n10101 in traffic from one remote host to another and watch the results...\n\nUhm, right. There's one thing. You might want to divert traffic from\none host to whole network - but you do not know how to configure netcat\nto preserver original destination addresses? So, for example, connecting\nto 5.6.7.1 and to 5.6.7.2 from 1.2.3.4 (example mentioned above) will\nestablish working session to existing targets? Nothing easier. Just\nset rhost and/or rport parameters to '0' while invoking NetSED to preserve\noriginal destination host and port settings while forwarding the connection\nvia proxy :)\n\nWARNING: nothing will stop you before setting up forwarding loops - you\ncan eg. forward connections to port 100 to port 1000 using netsed, and then,\nusing kernel-space transparent proxy, forward connections to local port 1000\nback to port 100. This might lead to ugly DoS attack if you do not have\nper-user resource limits set. Sorry. Not a Microsoft product.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fxlab%2Fnetsed","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fxlab%2Fnetsed","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fxlab%2Fnetsed/lists"}