Startup
General
PacketModifier.exe must be run as administrator in order to properly communicate with the WinDivert driver which is needed to process packets.
Settings File
After the first time you run PacketModifier, a file named Settings.json will be saved to the directory PacketModifier.exe was run from. This file mostly contains your saved preferences; however, it also contains a few settings that can't be changed through the UI. The first is "RedactedIpList", a list of IP addresses you can add to in order to prevent them from showing up in your packet viewing panel. This could be useful if you are recording a video and want to ensure certain IP addresses don't appear. The second setting is "MaxPacketRows", which specifies how many packets can show up in your panel at a time. New packets are always added from bottom to top, meaning the newest packets will be at the bottom while the oldest will be at the top. Once the total number of packets captured exceeds the set amount, the packets at the top (the oldest packets) will be replaced as new packets are added at the bottom. The next settings that can be manually changed are the background colors of the paused state, the main background, and dropped packets. The last setting that can be changed is the priority WinDivert will run at. Please keep in mind that running multiple instances of PacketModifier where both are modifying packets is not supported. However, you can run multiple instances where one modifies packets and the other just logs packets.
Shortcuts
A few notable keyboard shortcuts: 'CTRL + s' saves your Settings.json file immediately; otherwise it is saved automatically when you close the application. 'del' deletes the selected rows from the panel. Please note that if a packet was already sent, deleting it will only affect the UI, whereas pausing packets will cause unsent rows to turn red, and deleting these red rows will prevent those packets from being sent. You can also use the common 'CTRL + c' and 'CTRL + v' to copy and paste. 'CTRL + p' toggles between pausing and unpausing packets, and the color of your GUI will change between the two states. Lastly, pressing 'CTRL + Left Arrow' or 'CTRL + Right Arrow' will allow a single paused packet to pass through, essentially a shortcut for the Next button.
Toolbar
Start All
This button is a more optimized way to view all packets from every route, including TCP, UDP, ICMP, inbound, outbound, External, Local Network, VM External, and Local Machine. When viewing packets in this mode you will see "View All Packets" in green at the top right of the screen. Please note that you can't toggle your filters while viewing all packets.
Clear
This button provides an easy way to clear the screen, remove all IP address + port associations with their process name and process ID, and clear the other packet trackers.
Toggle Key
First click inside the text box and then press the key you would like to bind. Pressing this key will then run the filters listed inside Active Filters. When your Active Filters are running you will see "Filtering Packets" in green in the top right corner.
Name
Pressing this button will bring up a warning, since it will query each process via its IP address and port. The warning is there because some external programs, such as video game kernel anti-cheats, may not like this being done. This query will save the process name and PID for each IP address + port number of all packets currently loaded, so that all new packets whose names were already discovered will have their process names and PIDs displayed in the main GUI and inside the inspect window.
Gui
This contains a drop-down menu of packet details that can be displayed in the main GUI: Source Name, Source Ip, Destination Name, Destination Ip, Protocol, Packet Type, Length, Relative Time, ACK Number, and SEQ Number.
Next
This button allows you to pass paused packets through one at a time. This gives finer control over sending packets; the same feature is available through the keyboard shortcuts 'CTRL + Left Arrow' or 'CTRL + Right Arrow'.
Hide Port
This checkbox toggles the port suffix shown on each IP address inside your panel.
Hide Packets
This checkbox toggles whether packets show up in the panel. This can be useful if you would like to reduce resource usage and only need to apply filters without visualizing each packet.
Preserve Handles
This last checkbox is designed to keep active filtering handles alive, where a handle is just an instance of packet capturing. Normally, after you finish active filtering, handles will be destroyed; however, this also means packets can't be duplicated or injected outside of active filtering, since a handle is required to send packets. When handles are held in this preserved state they essentially hibernate and are only used to forward newly captured packets without processing them (which will slightly reduce performance). This, however, allows you to inject or duplicate any of your packets whenever you want, even without active filtering. The one requirement is that any packet you want to inject or duplicate must have its associated handle preserved. So, for example, if you want to inject outbound TCP packets you would have needed to have checked TCP and Outbound in the Packet Checkboxes and to have pressed your toggle key at least once.
Active Filters
General
Active filters are filters that are applied when the user presses their toggle key. All items in this window only take effect during the active state. Once active filtering stops, all packets currently queued won't be deleted even if Preserve Handles is unchecked; in this case the handles will stay active just long enough to ensure all queued packets get processed.
All Packets
Checking this means that all packets will be processed, essentially bypassing the need to specify target IPs. This is useful if you are not targeting a specific IP address. However, please note that IP addresses listed in Exempt IPs will not be processed. Furthermore, the packet type must also be valid: if TCP, Outbound, and External are checked, all packets not listed in Exempt IPs that are TCP packets being sent externally outbound will be processed. Please note this works in combination with All Ports, meaning that if All Ports is not selected the packet must also have an inbound or outbound port that's listed in Target Ports.
All Ports
Checking this means that all packets will be processed, essentially bypassing the need to specify target ports. This is useful if you are not targeting a specific port. However, please note that ports listed in Exempt Ports will not be processed. Furthermore, the packet type must also be valid: if TCP, Outbound, and External are checked, all packets not listed in Exempt Ports that are TCP packets being sent externally outbound will be processed. Please note this works in combination with All Packets, meaning that if All Packets is not selected the packet must also have an inbound or outbound IP address that's listed in Target IPs.
Pause
This checkbox means all packets that meet your other active filtering requirements will be stored in order until you deselect this checkbox or until you stop active filtering. Please be very cautious with this, since saving too many packets could cause you to run out of memory, resulting in a crash. But when used correctly this is extremely powerful. When packets are paused they will show up red in the GUI, since they have not been sent. In this state you can delete, edit, inject, or duplicate them. If you then want to allow a single packet to pass through at a time, you can either press the Next button or use the 'CTRL + Left Arrow' or 'CTRL + Right Arrow' shortcut. You can also manually toggle the paused state on and off with the 'CTRL + p' keyboard shortcut. The last thing to note here is that by default the paused state will cause the GUI to darken, which makes it clear whether you are pausing packets or not. If you would like to change this you can do so inside the Settings.json file.
Quick
This checkbox optimizes how packets are handled internally by bypassing many internal checks and structures. It should only be checked when you are using active filtering solely to observe packets without modifying them. If you choose to modify packets in any way this should be unchecked.
Packet Checkboxes
These checkboxes allow you to select the types of packets you would like to process: TCP, UDP, and ICMP. They also allow you to select the direction, i.e. whether you would like to process outbound or inbound packets, where outbound means packets your machine is sending out. The last option allows you to choose the traffic route: External (traffic going out to the global web), Local Network, Local Machine, or VM External (packets your virtual machine is sending out).
Packet Loss
This denotes the percent chance each packet has to be dropped. Setting this to 0 disables adding extra packet loss.
Ping Delay
This denotes the number of milliseconds each packet will be delayed. Setting this to 0 disables adding extra ping.
Max Queue
This denotes how many packets you want bundled together before being sent. This can be useful for optimizing the sending of packets with a delay, but is also useful if you want to give packets artificial jitter. Setting this to 0 disables it. One thing to keep in mind is that this may cause some timing issues, but there is a built-in timer that auto sends the queued packets if no more arrive within one and a half seconds.
Out of Order
The Out of Order percent denotes the percent chance each packet has to be sent out of order. The box to the right, labeled 'Amount', denotes how many packets out of order each packet will be. The default value is 1, which means there will be no other packets to swap positions with. However, if for example you set the percent to 50% and the amount to 3, then each packet will have a 50% chance to be saved, and once the saved packet count reaches 3 the packets will be sent out in the reverse of the order they were intercepted in. Please note these packets will then have the other active filter attributes applied, such as corruption or extra delay, based upon your settings.
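The following script simulates the Packet Loss and Out of Order filters described above on a constructed stream of packet ids. It is an added example, not PacketModifier's own code: the decision logic follows the manual's description, while the seeded RNG, the class and method names, and draining held packets when filtering stops are assumptions made for this script.

```python
"""Simulate the Packet Loss and Out of Order active filters on a constructed
packet stream. Added example, not PacketModifier's code; class names, the seeded
RNG and the drain-on-stop behaviour are assumptions."""
import random


class PacketLoss:
    """Drop each packet with `percent` chance; 0 disables extra loss."""

    def __init__(self, percent, seed=None):
        self.percent = percent
        self.rng = random.Random(seed)
        self.dropped = 0

    def process(self, pkt):
        if self.percent and self.rng.random() * 100 < self.percent:
            self.dropped += 1
            return []            # dropped: nothing is forwarded
        return [pkt]

    def flush(self):
        return []


class OutOfOrder:
    """Hold each packet with `percent` chance; once `amount` packets are held,
    release them in the reverse of the order they were intercepted.
    amount=1 means there is never another packet to swap with."""

    def __init__(self, percent, amount, seed=None):
        self.percent = percent
        self.amount = amount
        self.rng = random.Random(seed)
        self.held = []

    def process(self, pkt):
        if self.amount > 1 and self.percent and self.rng.random() * 100 < self.percent:
            self.held.append(pkt)
            if len(self.held) >= self.amount:
                batch, self.held = self.held[::-1], []
                return batch     # released in reverse interception order
            return []
        return [pkt]

    def flush(self):
        """Release anything still held when active filtering stops
        (assumption: queued packets are drained rather than discarded)."""
        batch, self.held = self.held[::-1], []
        return batch


def _push(batch, filters):
    """Run a batch of packets through each filter stage in order."""
    for f in filters:
        batch = [out for p in batch for out in f.process(p)]
    return batch


def run_pipeline(packets, filters):
    """Return the packets in the order they would leave the filter chain."""
    sent = []
    for pkt in packets:
        sent.extend(_push([pkt], filters))
    for i, f in enumerate(filters):      # active filtering stops: drain stages
        sent.extend(_push(f.flush(), filters[i + 1:]))
    return sent


if __name__ == "__main__":
    stream = list(range(1, 11))          # constructed packet ids 1..10
    chain = [PacketLoss(20, seed=7), OutOfOrder(50, 3, seed=7)]
    print("sent order:", run_pipeline(stream, chain))
    print("dropped:", chain[0].dropped)
```

The pipeline places Out of Order before any later stage, which mirrors the manual's note that reordered packets still receive the other active filter attributes (corruption, extra delay) afterwards.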
Corruption
The Corruption percent denotes the percent chance each packet has to be corrupted. The amount denotes how many bytes will be corrupted. Please note corruption is only applied to the packet's payload, meaning if the payload length is 0 then no corruption will occur. The 3 main types of corruption are 'Truncate', 'Expand', and 'Randomize'. Truncate means each packet will have the specified number of bytes removed from the end of the payload. Expand is the exact opposite: the amount denotes how many bytes will be added to the end of the payload, where by default 0s are added. Lastly, Randomize by itself means that the specified number of bytes, counted from the end of the payload forward, will be changed to random valid hex values. The options that combine Randomize with Truncate or Expand mean that random values will be added instead of 0s.
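The three corruption modes and their combinations, applied to a constructed payload, as an added example (not PacketModifier's code). Random bytes come from a seeded RNG; the handling of an amount larger than the payload and the behaviour of 'randomize+truncate' are assumptions, since the manual only spells out the combination with Expand.

```python
"""Payload corruption modes: truncate, expand, randomize and their combinations.
Added example, not PacketModifier's code; amounts larger than the payload and
the randomize+truncate combination are handled as assumptions."""
import random

MODES = ("truncate", "expand", "randomize", "randomize+truncate", "randomize+expand")


def corrupt_payload(payload, mode, amount, seed=None):
    """Return the corrupted payload. Headers are never touched, and an empty
    payload is returned unchanged, as the manual states."""
    if mode not in MODES:
        raise ValueError("unknown corruption mode: %r" % mode)
    if not payload or amount <= 0:
        return payload
    rng = random.Random(seed)

    def rand_bytes(n):
        return bytes(rng.randrange(256) for _ in range(n))

    n = min(amount, len(payload))       # assumption: never remove more than exists
    if mode == "truncate":              # drop n bytes from the end
        return payload[:len(payload) - n]
    if mode == "expand":                # append `amount` zero bytes
        return payload + b"\x00" * amount
    if mode == "randomize":             # last n bytes replaced with random values
        return payload[:len(payload) - n] + rand_bytes(n)
    if mode == "randomize+expand":      # appended bytes are random instead of zeros
        return payload + rand_bytes(amount)
    # randomize+truncate (assumption): drop n bytes, then randomize the new tail
    kept = payload[:len(payload) - n]
    m = min(amount, len(kept))
    return kept[:len(kept) - m] + rand_bytes(m)


def maybe_corrupt(payload, percent, mode, amount, seed=None):
    """Apply corruption with `percent` chance; returns (payload, was_corrupted)."""
    rng = random.Random(seed)
    if percent and rng.random() * 100 < percent:
        return corrupt_payload(payload, mode, amount, seed), True
    return payload, False


if __name__ == "__main__":
    sample = b"GET /index.html HTTP/1.1\r\n"      # constructed payload
    for m in MODES:
        print(m.ljust(18), corrupt_payload(sample, m, 4, seed=1))
```

Truncate and Expand change the packet length, so the IP total length and transport checksum have to be updated before such a packet is valid on the wire; Randomize keeps the length and only invalidates the checksum.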
Ignore Zero Window
Checking this means things such as corruption will not be applied to packets when the other side has set its window size to zero. So, for example, if a TCP packet is received where the window size equals zero and we attempt to reply with a packet that has a payload, we will be stopped unless this box is checked.
Exempt and Target
IPs and ports added to the exempt lists will not be processed and will instead pass right through unaffected. This applies to both source and destination IPs and ports. On the other hand, when All Packets is not selected, only packets whose source or destination IP address is listed in Target IPs will be processed. Similarly, when All Ports is not selected, only packets whose source or destination port is listed in Target Ports will be processed.
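How the Packet Checkboxes, All Packets, All Ports, and the Exempt and Target lists combine into a single decision, as an added example covering the All Packets, All Ports, and Exempt and Target sections above. This is not PacketModifier's code: the Packet and ActiveFilters classes, their field names, and the protocol, direction and route strings are assumptions for this script.

```python
"""Decide whether active filtering processes a packet, following the manual's
All Packets / All Ports / Exempt / Target rules. Added example, not
PacketModifier's code; class and field names are assumptions."""
from dataclasses import dataclass, field


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: str    # "TCP", "UDP" or "ICMP"
    direction: str   # "Outbound" or "Inbound"
    route: str       # "External", "Local Network", "Local Machine" or "VM External"


@dataclass
class ActiveFilters:
    protocols: set
    directions: set
    routes: set
    all_packets: bool = False
    all_ports: bool = False
    target_ips: set = field(default_factory=set)
    exempt_ips: set = field(default_factory=set)
    target_ports: set = field(default_factory=set)
    exempt_ports: set = field(default_factory=set)


def should_process(pkt, f):
    """True when the packet would be handled by the active filters."""
    # 1. The packet type must match the Packet Checkboxes.
    if (pkt.protocol not in f.protocols or pkt.direction not in f.directions
            or pkt.route not in f.routes):
        return False
    ips = {pkt.src_ip, pkt.dst_ip}
    ports = {pkt.src_port, pkt.dst_port}
    # 2. Exempt entries always win: either endpoint exempt means pass through.
    if ips & f.exempt_ips or ports & f.exempt_ports:
        return False
    # 3. Without All Packets, one endpoint must be a Target IP.
    if not f.all_packets and not ips & f.target_ips:
        return False
    # 4. Without All Ports, one endpoint must be a Target Port.
    if not f.all_ports and not ports & f.target_ports:
        return False
    return True


if __name__ == "__main__":
    # Constructed example: TCP/Outbound/External, All Packets on, port 443 targeted.
    filters = ActiveFilters(protocols={"TCP"}, directions={"Outbound"},
                            routes={"External"}, all_packets=True,
                            target_ports={443}, exempt_ips={"203.0.113.9"})
    p = Packet("192.168.1.10", "203.0.113.5", 50000, 443, "TCP", "Outbound", "External")
    print("processed:", should_process(p, filters))
```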
Main Gui
General
By default the main GUI will show blank names for the source and destination IP addresses; you can read more about how these columns work here. It can also show the source and destination IP address along with the protocol, traffic type, and length of the entire packet. Furthermore, it can show the SEQ and ACK numbers for TCP packets. The last thing it shows is the relative time in milliseconds between packets of that type, meaning each packet type (TCP, UDP and ICMP) uses a different relative time. This relative time is also tracked separately for inbound and outbound packets, so the time shown is the duration since the previous packet of the same type and direction; for example, TCP inbound packets won't affect TCP outbound packets. The time will also be very large for the first packet of each type since there is no previous time to compare to.
If you would like to customize what is displayed in the main GUI you can modify it here. Another major aspect of the main GUI is your ability to modify the background colors for the paused packet state and the default state, and the line color for dropped packets. To change these values, you will need to edit the color codes inside the Settings.json file.
Right Click Options
When right clicking on packets in this GUI you will have several options: "Inspect", "Copy", "Inject", "Duplicate", and "Delete". Inspecting packets is discussed here and packet injection is covered here. Copy will simply copy all of the data on that row to your clipboard.
Duplicate will copy the currently highlighted packet and paste it after the packet it was copied from. Remember that the main GUI is ordered so that the newest packets appear at the very bottom and the oldest at the top. This means that duplicating a packet will cause the new packet to be added above the current packet in the GUI. However, if the packet you duplicated was already sent, it will be added to the bottom. When duplicating, it's important to realize that the packet will only actually be injected if you are Actively Filtering or have Preserved Handles.
Similarly, deleting a packet will only stop it from being sent when you have Active Filtering on and also have Pause on, or if that packet is being delayed by a lot and you delete it before it's sent. If a packet has not been sent it will show up as red in your GUI.
Packet Editor
General
Right clicking on a packet in the main GUI and clicking "Inspect" will open a new window containing details about that specific packet. You can have multiple of these windows open at the same time to make inspecting multiple packets easier. This window shows key details about the packet such as the source and destination IP and port. It will also show the name and PID if you clicked Name in the main toolbar. It also shows the packet type, traffic type, and whether the packet was injected or has been sent yet. The last thing the top of this window shows is the relative and physical timestamps of the packet.
IPv4 Header
The first tab shows the IPv4 header of the packet. This contains the version, header length, tos, length, id, reserved, df, mf, frag off, ttl, protocol, checksum, source address and destination address. This menu outlines the field name, data, field size, relative offset, and a brief description of each. At the very bottom you will see the raw hex values of the header; if you would like to modify the header you can do it there. Please note that modifying the header won't have an effect unless the packet was first paused, or unless you plan on resending the modified packet by right clicking it in the main GUI and clicking "Duplicate".
Transport Header
The next tab shows the transport header for TCP, UDP and ICMP packets, depending on which packet you are currently viewing. The fields change depending on the packet type, but the table has the same columns: field name, data, size, offset, and a brief description. At the bottom of this section you can also find the raw hex, which can also be modified to your liking.
Payload
The last tab contains the payload of each packet. You can also modify this section by changing the hex at the bottom. You can also view what the payload says by viewing its ASCII. You can change the way the text is displayed from the default ASCII to ASCII aligned, which causes the text to be displayed lined up with each hex byte. You can also try to view the hex as .NET UTF-8 or .NET Unicode, which use the default implementation of converting hex native to .NET applications but can be prone to alignment issues. Lastly, there's UTF-16 LE (little endian) and UTF-16 BE (big endian), which are custom implementations of this conversion that do not start converting until they find valid characters in the correct form.
Packet Injection
General
By right clicking a line inside the main GUI you can select the "Inject" option. This opens a new GUI that allows you to inject your own packet. If you clicked "Inject" on a packet that has not been sent yet, then your injected packet will be sent right after that packet once you unpause your packets. If, however, you clicked "Inject" on an empty line or on a packet that was already sent, it will just send the packet normally, which you can observe by viewing the sent packets at the bottom of your main GUI.
Inside the main window you can paste a full packet's hex, where each byte should be separated by a space. Make sure you remove extra lines and spaces from the end before sending the packet. Next you can select the packet route you wish it to be sent along, together with the traffic type. Keep "Update Checksums" checked if you want your packet's checksums to be automatically computed and updated. After this, click Save and PacketModifier's internal system will verify it is a valid packet before sending it.
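The following script ties together the space-separated hex format accepted by the Inject window, the IPv4 header fields listed on the IPv4 Header tab, the TCP window field behind Ignore Zero Window, and what "Update Checksums" has to do after a header or payload edit. It is an added example, not PacketModifier's code: the packet bytes are constructed (a TCP SYN from 10.0.0.1 to 10.0.0.2 with both checksum fields left as zeros), the function names are assumptions, and the checksum routine is the standard RFC 1071 Internet checksum rather than whatever the tool uses internally.

```python
"""Parse a pasted hex dump, decode the IPv4 header, read the TCP window, and
recompute the IPv4 and TCP/UDP checksums after an edit. Added example, not
PacketModifier's code; SAMPLE_HEX is a constructed packet."""
import ipaddress
import struct

# Constructed IPv4/TCP SYN, 40 bytes, checksum fields (bytes 10-11 and 36-37) zeroed.
SAMPLE_HEX = (
    "45 00 00 28 ab cd 40 00 40 06 00 00 0a 00 00 01 0a 00 00 02 "
    "9c 40 01 bb 00 00 00 01 00 00 00 00 50 02 ff ff 00 00 00 00"
)


def hex_to_bytes(text):
    """Parse 'b1 b2 b3 ...' hex text as pasted into the Inject window."""
    return bytes(int(tok, 16) for tok in text.split())


def ones_complement_checksum(data):
    """RFC 1071 Internet checksum of data (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_header(pkt):
    """Decode the fields shown on the IPv4 Header tab."""
    (vihl, tos, total_len, ident, flags_frag,
     ttl, proto, csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {
        "version": vihl >> 4,
        "header_len": (vihl & 0x0F) * 4,
        "tos": tos,
        "length": total_len,
        "id": ident,
        "reserved": (flags_frag >> 15) & 1,
        "df": (flags_frag >> 14) & 1,
        "mf": (flags_frag >> 13) & 1,
        "frag_off": flags_frag & 0x1FFF,
        "ttl": ttl,
        "protocol": proto,
        "checksum": csum,
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
    }


def ipv4_checksum_ok(pkt):
    hl = (pkt[0] & 0x0F) * 4
    return ones_complement_checksum(pkt[:hl]) == 0


def transport_checksum_ok(pkt):
    """Verify a TCP/UDP checksum including its pseudo-header (TCP/UDP only)."""
    hl = (pkt[0] & 0x0F) * 4
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, pkt[9], len(pkt) - hl)
    return ones_complement_checksum(pseudo + pkt[hl:]) == 0


def tcp_window_size(pkt):
    """TCP window field; 0 means the peer's receive window is closed."""
    hl = (pkt[0] & 0x0F) * 4
    return struct.unpack("!H", pkt[hl + 14:hl + 16])[0]


def update_checksums(pkt):
    """Recompute the IPv4 header checksum and the TCP/UDP checksum, which is
    what 'Update Checksums' must do after any header or payload edit."""
    buf = bytearray(pkt)
    hl = (buf[0] & 0x0F) * 4
    buf[10:12] = b"\x00\x00"
    struct.pack_into("!H", buf, 10, ones_complement_checksum(bytes(buf[:hl])))
    proto = buf[9]
    if proto in (6, 17):                   # TCP or UDP
        seg = buf[hl:]
        off = 16 if proto == 6 else 6      # checksum offset inside the segment
        seg[off:off + 2] = b"\x00\x00"
        pseudo = bytes(buf[12:20]) + struct.pack("!BBH", 0, proto, len(seg))
        csum = ones_complement_checksum(pseudo + bytes(seg))
        if proto == 17 and csum == 0:
            csum = 0xFFFF                  # UDP transmits a computed zero as all ones
        struct.pack_into("!H", seg, off, csum)
        buf[hl:] = seg
    return bytes(buf)


if __name__ == "__main__":
    pkt = update_checksums(hex_to_bytes(SAMPLE_HEX))
    for k, v in parse_ipv4_header(pkt).items():
        print("%-11s %s" % (k, hex(v) if isinstance(v, int) else v))
    edited = bytearray(pkt)
    edited[8] = 32                         # lower the TTL as if edited in the hex box
    print("valid before update:", ipv4_checksum_ok(bytes(edited)))
    print("valid after update: ", ipv4_checksum_ok(update_checksums(bytes(edited))))
```

The pseudo-header is why a change to the IP source or destination address invalidates the TCP checksum as well as the IP checksum, so both have to be recomputed together.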