The intent of this tool is to simplify testing when it involves the evil bit. It will read packets from a .pcap file, set the IP reserved bit on each IP datagram, recalculates the header checksum, and forward the packet in a new Layer 2 frame.

This tool can also capture live traffic and forward it in the same manner. The cleanest way to do so is with two systems as follows:

• The host generating the traffic is referred to as “S” (source).
• The host running evilbitchanger is referred to as “E”.
• The target IP is referred to as T.

Start evilbitchanger on E with a filter that identifies the traffic you want made evil. This filter is *very* important. If the filter is not specific enough, *all* packets E receives will be retransmitted (but evil). evilbitchanger will filter out packets sent by host E's mac address automatically to prevent looping.

On host S, set a static route that sends traffic destined for T to E. Something like this, assuming E is 1.2.3.4 and the targets are 9.8.7.0/24:

  route add -net 9.8.7.0/24 gw 1.2.3.4

Or for a single host:

  route add -host 9.8.7.6 gw 1.2.3.4

As S sends traffic, E will receive it. evilbitchanger will receive a copy of the packet because it is sniffing. The OS on E will see that IP destination is not one of E's IPs and drop the packet. evilbitchanger will manipulate the packet received and send out the new packet according to its routing table.

NOTE: firewall settings may cause malfunction. If something isn't working, use tcpdump to locate the problem and adjust firewall settings accordingly.

• In sniff mode evilbitchanger will only send on the interface it listens on
• Only changes the evil bit. Could do other kooky stuff
• Might be slow. It uses the incredible scapy and I hear scapy is slow

BSD License

Download from Google Code