Wednesday, May 2, 2012

epb - Ethernet Package Bombardier


What is epb:

Man page for version 1.6rc are online for answering this question in details.
Epb is a tool allowing one to send customized ethernet packages. Package is specified in text file. No GUI offered, but also not many libraries needed. Also understanding what code does is easy. Originally epb was intended just to be a simple way to quickly generate single custom package to network. Now it can also be used to:
-generate sequence of packages (similar human readable package format)
-send packet sequence captured using libpcap/pcapng (tcpdump, wireshark,...) snoop (SUN's packet sniffer) or netmon (Microsoft's sniffer for windows - currently only versions 1 and 2 supported)
-select packets from pcap/snoop files based on src/dst mac address or ethernet header's ethertype field.
File format:

20.12.2012 v1.6 - package has limited support for sending/ converting pcapng files
epb 1.6 (Energy Saving Led Light Sabre) is available for download as tarball

XX.08.2012 Experimantal 1.5_2 package supports converting pcap files to editable epb2 text format allowing making modifications to pcap trace before resending it.
Experimantal 1.5_2 (Really Incoherent Laser) is available for download as tarball

18.07.2012 Epb 1.5 provides support for netmon and (better) stripping pcap+snoop files.
Epb 1.5 (Incoherent Laser) is available as tarball. This version can read and send also snoop (SUN's sniffer format) and cap files (version 1 and 2 of Microsoft's NetMon files). Also stripping packets can now be done for snoop format too. Furthermore it is now possible to select packets based on ethernet header's ether type field.

13.07.2012 - epb version 1.4 (Two Handed Scissors) is there for testing.
After two days of coding like... well... me there is experimental pcap format support. 1.4 version allows you to send packets using pcap file. You can for example send packets captured using tcpdump or wireshark. Epb also includes support for stripping only packages sent from/to certain mac address. 1.4 is available for testing as a tarball.

11.07.2012 - epb version 1.3 (Cold Fusion Bomb) is out! This version adds support for epb file format 2 - allowing epb to be used for sending sequence of packages. Note that 1.3 has gone through some major changes, and I am expecting few bugs to be included... Please please please, let me know if you encounter problems. File format version 2 is explained in version 1.3 man pages. Also there is example file in epb 1.3 tarball. Text below describes version 1 format (which is still supported though).

Package is specified in text file, in format: <datatype>:<value> One item / row.

Possible datatypes are:  u8,i8,u16,i16,u32,i32,u64 and i64, meaning either signed (i) or unsigned (u) values.

Numeric part of datatype tell the width of value in bits. A colon  (:) is used to separate data type and value fields. Value is given as number, defaulting to base 10 integer. However, if value is prefixed with 0x, then it is interpreted as hexadecimal. Lines beginnign with hash (#) - mark are interpreted as comments. There is few example files in examplepackets directory.

Obtaining it:

epb 1.6 tarball limited pcapng support. (sending and converting to epb2)
epb 1.5 tarball snoop and netmon 1 & 2 file format support + stripping packet from snoop and pcap captures based on mac addresses or ether type
epb 1.4 tarball experimental pcap (libpcap) file format support
epb 1.3 tarball
epb 1.2 tarball.

epb 1.5_2 tarball experimental support to convert pcap files to plain text epb2 format (makes editing traces easier)

Tarballs include sources, manpages and static binaries for x86.
Go to folder where Makefile is located and type
sudo make install

Now command epb -h should give you quick help, and man epb display the man pages.

Obtain current development sources from svn repository by typing
svn checkout

Man page for development version 1.6 is also available online at

I am running out of ideas for further epb development. I guess a converter to convert binary traces to easily modified epb v2 plain text format is my next addition.

Some version history:
1.6 Energy Saving Led Light Sabre
- Limited support for sending (or converting to text) the pcapng traces. 1.5_2 Really Incoherent Laser
- Support for converting pcap traces to epb2 format for editing before send.
1.5 Incoherent Laser
- man pages updated
- further refactored code - stripping of snoop files - --strip-ether-type option to select packets based on ether type. 1.5 beta
- man page update
- snoop (SUN's sniffer) file format
- NetMon version 1 and 2 file format (MS NetMon)
1.4 Two Handed Scissors
- man page update
- pcap (libpcap) file format support.
- pcap file stripper.
- almost total redesign for parsers. More modular structure easing adding different file parsers

1.3 Cold Fusion Bomb:
- man pages updated
- icmp6 echo example using epb file format version 2
- Added possibility to generate sequence of different packets (epb file format v2)
- Added possibility to specify packets from stdin.
- Added long options.
- refactored code and decreased memory usage.

1.2 (Rubber Bullet)
- environment checks
- forced compiling to be 32 bit

1.1 (Bladeless Dagger)
- Fixed IPv4 detection bug when 802.1q VLAN tagging is used
- Fixed IPv4 detection bug when endianess conversion was not done.
- Removed unnecessary debugprints
- added -m flag for using real mac address
- added -c flag for not touching the checksum even if it was 0
- man page update

1.0 (Overweight Ninja)
- added -e flag to maintain endianess.
- fixed some print issues
- figed command line param parsing (no order requirements)
- changed binary name to epb

0.3 (Blind Sniper)
- IP target usage fixed
- safer default interval
- updated DO_NOT_READ_ME.txt

0.2 (Singlefire Sergei)
- removed unnecessary commandline parameters
- added -w option
- bugfixes.
- *nix style params

0.1 (Barely Flying Fortress)
- Initial release.


  1. Please leave me a note if you encounter any bugs. (Mazziesaccount, gmail). Of course it would also be nice to hear if this worked for you =)

  2. if there is any features you would like to see in epb - let me know. Also, do you think it would be good to have:

    1. packet spec from stdin (piping from other tools)
    2. Support for specifying sequence of packets
    3. Support for reading pcap file (sending sequence captured using tcpdump / wireshark)

    those are some "further dev" ideas I have in mind - when I get back to working with epb...

  3. epb version 1.3 (Cold Fusion Bomb) is out!

    - man pages updated
    - icmp6 echo example using epb file format version 2
    - Added possibility to generate sequence of different packets (epb file format v2)
    - Added possibility to specify packets from stdin.
    - Added long options.
    - refactored code and decreased memory usage.

    Please note that packet file version 2 is introduced in this release so I am expecting some bugs to be out there. I really need your feedback to iron them out. Please let me know if you encounter any problems!

  4. epb v 1.4 (Two Handed Scissors) is there.

    This release changes basically whole epb code - thus it may break some previously working features. If something is broken, let me know =)

    Fruit of 1.4 is pcap file format support. It is now possible to send packets captured using popular open source tools like wireshark or tcpdump! Epb 1.4 also offers a way to pick only packets sent from / targeted to specific HW address.

  5. Tarball with support for new capture file formats is added for testing. contains support for

    snoop file format (SUN's sniffer)
    version 1 and 2 Netmon files (Microsoft's sniffer)

    As always, let me know if you encounter bugs =)

  6. Version 1.5 has been now out for a lil while. 1.5 adds possibility to strip capture files depending on ether type of ethernet header, and also support for stripping snoop files.

    Also trunk version has now feature for converting binary captures into plaintext epb version 2 format, allowing easy way for sending edited traces! You can obtain trunk version by svn from

    On linux commandline svn client can be used by giving command:
    svn checkout

  7. I wonder if anyone would like to see at least a limited support for pcapng files?