The Network Expect Wiki
Welcome to the Network Expect wiki. This wiki is the central repository of information about NetworkExpect, a framework for manipulating network packets, including packet crafting, injection, and reception. The Network Expect source code, documentation, and examples can be found here.
Here are some pages that contain information about Network Expect:
Documentation: the Network Expect documentation
Examples: sample Network Expect scripts
DownloadPage: download the Network Expect source code
PortabilityPage: information about running Network Expect in different platforms and operating systems
Future work: sort of a to-do list of things that should change in Network Expect
April 03, 2012: we now have a mailing list for general questions and discussion of the Network Expect framework. Visit http://lists.alioth.debian.org/mailman/listinfo/netexpect-users to subscribe or to check the mailing list archive. I encourage Network Expect users to subscribe to this mailing list and send your Network Expect questions there instead of directly to me since your question/problem/solution might actually help someone else.
March 22, 2012: Network Expect version 0.20. No new features and just a handful of small bug fixes (I am sorry; life has been busy). This release builds against libwireshark 1.6.x, but this means that it no longer builds against older libwireshark versions.
June 09, 2011: It's been a while (one year), but I am still maintaining Network Expect. It seems like I always resurface when the Wireshark project puts out a new major release. Since they just released Wireshark 1.6.0, I am releasing Network Expect version 0.19, which builds with libwireshark from Wireshark 1.4.x. Besides libwireshark 1.4.x support, there are a few other bugs fixes here and there, but no new big features. Now that Wireshark 1.6.0 is out my plan is to publish very shortly a new release that supports libwireshark 1.6.x. Finally, a good news is that Network Expect is now officially part of the Debian distribution, and, because of the Debian to Ubuntu automatic package cross-pollination, it is also available on Ubuntu. Information on the netexpect package for Debian is available here and for Ubuntu here. This should be good news for those who do not want to mess with building from sources.
June 30, 2010: Released Network Expect version 0.18. First official release that supports building against libwireshark 1.2.x (libwireshark 1.0.x is no longer supported). As always, the NEWS file in the top level directory of the netexpect source code documents the most important, high-level changes, improvements, and new features, but to summarize, this release adds Simple Network Time Protocol (SNTP) and Dynamic Trunking Protocol (DTP) to libpbuild, adds support for Wireshark configuration profiles, enhances the "data" PDU in libpbuild, adds a new "ws" command that allows to change Wireshark preferences from within netexpect scripts, e.g. "ws setprefs ip.defragment:FALSE"; adds the capability of recovering data from transmissions that come through multiple packets (IP fragmentation, TCP segmentation), uses Tcl namespaces to store variables produced during packet dissection, changes (hopefully for better) the way Tcl dissection variables are named, and attempts to workaround problems with the select() system call on OS X (and probably other BSD-like OS') when used on BPF file descriptors.
October 25, 2009: Network Expect version 0.17 is out. New in this release is a "generic" PDU builder in libpbuild that hopefully makes it easier to create new PDUs, new "send_tcl" and "packet new" framework commands, ability to import data into byte arrays ("barray hex-import") and Tcl packet objects ("packet hex-import") directly from hexadecimal dumps, and libpbuild protocol support for Ethernet 802.3 frames, 802.2 Logical Link Control, 802.2 SNAP, and Cisco VLAN Trunking Protocol (VTP). Check out the NEWS file in the top level of the netexpect tarball for more details. This release should be the last one that supports libwireshark 1.0.x since libwireshark 1.2.x is not API- and ABI-compatible with older releases.
September 12, 2009: Network Expect version 0.16 has been released. This release introduces a new CLI-based program tgn that allows to easily generate traffic from a shell prompt or non-Network Expect/Tcl scripts. See the NEWS file or tgn(1) for a couple of examples. Work on the netexpect-libwireshark has been merged into the trunk, which is why "libwireshark" has been dropped from the version number. Note that everything that tgn does can be done from netexpect via the send_network command. Having a little stand-alone utility that only generates traffic is just a small convenience.
September 03, 2009: Wow, it's been 15 months since the last Network Expect release. Guess life has kept me busy, but fortunately there's been a little bit of time to do some Network Expect development and today I've released Network Expect version 0.15libwireshark. The NEWS file in the top level of the source tree has a lot of details about what's new but to briefly summarize here, this release has little improvements and new features that make it easier to handle PCAP file re-writing and replaying situations, new tgn (traffic generator) and ghost framework commands, and a re-written packet build subsystem that makes a bit easier to create new PDUs (still not effort-less like in Scapy but should be much better than what we had before). Some of these new developments are discussed and used as examples in the two new wiki pages RewriteAndReplay and Naptha. We obviously still have the dependency on libwireshark, which makes building a little bit more challenging, but so far this dependency seems worth the trouble since it gives us access to a great packet dissection infrastructure with very little effort.
June 04, 2008: Network Expect version 0.14libwireshark has been released. This release adds the capability to use libwireshark display filters to have more control over what packets "expect_network" commands will see (this complements the use of PCAP capture filters, which have been a fundamental part of NetExpect since day one.) In addition, this release also fixes the problem of libwireshark packet dissection reusing, in some cases, field names. For example, dissecting a BOOTP message will reuse several times the field names bootp.option.type, bootp.option.length, and bootp.option.value. Before this release we would overwrite the old set of variables with new ones, so a script would only have access to the last set. Starting with this release we now detect field name reuse and convert reused variables to Tcl lists that hold all values. This way scripts can have access to everything. See NEWS file in the tarball for a brief example of how to use this.
May 29, 2008: released Network Expect version 0.13libwireshark. This version fixes a bug that causes endianess problems when crafting and injecting packets on non-i386 architectures.
May 15, 2008: today I released the first public release of a version of NetworkExpect that uses libwireshark (from the Wireshark project) for packet dissection instead of my own code. This version is 0.12libwireshark and is available from the downloads directory. Note that this is currently a work in progress and that I have not committed yet to the use of libwireshark in this project. It'll depend on several factors. We'll see how it goes, but so far so good... (yes, I am aware of the software license implications of this move - NetworkExpect has a GPL license, so that should settle it.)
May 13, 2008: the NetworkExpect wiki was down for several months because it got hijacked by Chinese spammers to host spam pages. I was busy and couldn't clean things up until very recently. I've now removed all the crap they left behind, tried to lock the site a bit to prevent the same problem from happening again, and re-launched the site. If you want to contribute please drop me a note and I'll give you write access.
All content in this wiki can be improved by the community. Please feel free to add and modify content.