Re: [Tcpreplay-users] tcprewrite -e option usage

[Aaron T. <at...@po...>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


On Oct 31, 2005, at 12:46 AM, smanish wrote:

> Hi,
> I executed following command line
>
> ./tcprewrite -e 10.0.0.1:10.0.0.2 -i /tmp/a.cap -o /tmp/ 
> endpoints_a.cap
>
> and expected tcpwriet to change communication to be between  
> 10.0.0.1 and
> 10.0.0.2.
> Instead what I get is all the source IP in capture file are  
> replaced by
> 10.0.0.1
> and all the destination were replaeced by 10.0.0.2.
>
> Is this expected?

tcprewrite is behaving as designed.

> Though I got what wanted using -N
> ./tcprewrite -N  
> 192.168.0.111/32:10.0.0.1/32,192.168.0.1/32:10.0.0.2/32
> -i /tmp/a.cap -o /tmp/nated_a.cap

You can use -N or pre-process the pcap file with tcpprep and then  
pass the resulting tcpprep cache file to tcprewrite.  The important  
thing to remember is that tcpreplay and tcprewrite *do not*  
understand "client" and "server" relationships.  They just look at  
one packet at a time.  If you want them to be aware of the client/ 
server relationship of packets, then you have to use tcpprep first.

> Can I get the same effect with -e option?

Use tcpprep.

> I looked througth the sources and it actually converts -e command to
> equivalent -N options using
> 0.0.0.0/0. What does this mean?

0.0.0.0/0 is "match everything".  Just like a default route in your  
routing table.

Hope that helps.

- -Aaron
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (Darwin)

iD8DBQFDZlRGhweYF/hu2uYRAoHaAJ981S63plCLyX2olbur47LTOhiFsACfVBm6
2JHdX7IdD9yD7JlBWtAqq4A=
=1hEK
-----END PGP SIGNATURE-----