From: Prosiac A. <cra...@ya...> - 2011-12-15 20:56:31
Thanks for your tremendous help to date.

Actually, my target was to detect the protocol of real traffic with the use of the Linux L7 filter. Since I cannot generate real traffic with all the protocols listed on L7 filter http://l7-filter.sourceforge.net/protocols , I decided to use the pcap files of it. So I searched for a method of sending the traffic (like the real one) which is already stored in the pcap files with the protocol description.

Therefore, for that, I installed VMware and installed Ubuntu 11.10 on it. I followed the method

sudo tcpreplay -i eth0 dhcp.pcap

and checked whether the "dhcp.pcap" file was being sent or not. I checked it through Wireshark while issuing the above command. The same packets that were captured were seen in Wireshark. Therefore, I thought this was working. This I did in the virtual OS.

Then I tried to replay the same pcap file, i.e. dhcp.pcap, from one computer to another (one computer is the virtual OS, i.e. Ubuntu in VMware, and the other is the real computer, also with Ubuntu installed on it). I issued the commands below from the source, my virtual PC, to send the pcap named output.pcap to the destination computer for detection. However, it was not shown in Wireshark, unlike the previous case.

~/Desktop$ sudo tcprewrite --enet-dmac=00:19:D1:07:0F:73 --enet-smac=00-24-8C-0B-CA-A2 --infile=dhcp.pcap --outfile=output.pcap

and

:~/Desktop$ sudo tcpreplay --intf1=eth0 "output.pcap"

(Note: the MAC address in red is the MAC address of the virtual eth0 interface)

I don't know why this was not working this time. Is it due to the command being issued from a virtual environment with a virtual MAC address??

________________________________
From: Aaron Turner <syn...@gm...>
To: Main forum for tcpreplay <tcp...@li...>
Sent: Thursday, December 15, 2011 8:08 PM
Subject: Re: [Tcpreplay-users] sending pcap files from one computer to another using tcpreplay

Actually the cache file is necessary for tcprewrite to edit traffic bi-directionally like with the --endpoints option.

Honestly though, a little more information might be useful... it sounds like you're trying to replay DHCP client traffic to a DHCP server. If so, then what you want to do is only send the client traffic to the server and not send any traffic stored in the pcap that was sent by the DHCP server.

Either way, you'll need to create a cache file which tells tcpreplay/tcprewrite which traffic was sent by the client vs. server. You can create a cache file using the tcpprep tool. Tcpprep isn't application aware, but instead provides a bunch of methods which can be used to decide which packets are which. Information about tcpprep is available here: http://tcpreplay.synfin.net/wiki/tcpprep

On Thu, Dec 15, 2011 at 9:11 AM, Ali Gouta <ali...@gm...> wrote:
> You need at first to change the MAC addresses of the trace or pcap file you are
> replaying (use tcprewrite) to the source and destination of your cards
> (ifconfig to know them).
> Check if you are dealing with VLANs !!!
> Cache file you will need if you want to separate downlink from the uplink:
> means that you send your pcap file from 2 interfaces not only one !!!
> Your use case: sending the trace file from 1 PC to another means you won't
> need the cache file (or you can use it but in this case you will send only
> one direction not both)
>
> Good luck
> On Thu, Dec 15, 2011 at 5:53 PM, Prosiac Akin <cra...@ya...>
> wrote:
>>
>> hello all,
>>
>> I am trying to send the pcap file from one PC to another.
>> While going through the tcpreplay website, I found
>>
>> tcprewrite --endpoints=10.10.1.1:10.10.1.2 --cachefile=input.cache --infile=input.pcap --outfile=output.pcap --skipbroadcast
>>
>> does this endpoints mean (two computers)???
>>
>> If it is for the two PCs, I tried to issue that command
>> sudo tcprewrite --endpoints=192.168.234.139:192.168.15.215 --cachefile=dhcp.cache --infile=dhcp.pcap --outfile=dhcp.pcap --skipbroadcast
>>
>> where 192.168.234.139 is the IP of the computer which is sending the pcap
>> file and 192.168.15.215 is the IP of the computer which I am destined to.
>>
>> But I got this error
>> Fatal Error: unable to open dhcp.cache:No such file or directory
>>
>> I am not aware how to create that cachefile for this process, and I don't
>> know whether I am following the right process or not.
>>
>> Could you please help/suggest the method of doing so..
>>
>> _______________________________________________
>> Tcpreplay-users mailing list
>> Tcp...@li...
>> https://lists.sourceforge.net/lists/listinfo/tcpreplay-users
>> Support Information: http://tcpreplay.synfin.net/trac/wiki/Support

--
Aaron Turner
http://synfin.net/ Twitter: @synfinatic
http://tcpreplay.synfin.net/ - Pcap editing and replay tools for Unix & Windows
Those who would give up essential Liberty, to purchase a little temporary
Safety, deserve neither Liberty nor Safety.
-- Benjamin Franklin
"carpe diem quam minimum credula postero"
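
The sequence described in the reply above (build the cache file with tcpprep, rewrite with --endpoints and the real NIC MACs, then replay), as an added example that is not part of the original thread or the tcpreplay project's own code. The file names, the documentation-range addresses and the choice of tcpprep's --cidr mode to mark the server are assumptions; the dash-to-colon MAC normalisation is a precaution that matches the colon form used in the tcprewrite documentation.

```shell
#!/bin/sh
# Added example (not from the thread): tcpprep -> tcprewrite -> tcpreplay.
# File names, addresses and the --cidr classification rule are assumptions.

# Print a MAC in lower-case colon form; fail unless it is six hex octets.
norm_mac() {
    nm=$(printf '%s' "$1" | tr 'A-F-' 'a-f:')
    printf '%s\n' "$nm" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' || return 1
    printf '%s\n' "$nm"
}

# replay_to_peer PCAP SERVER_CIDR SRC_IP:DST_IP SRC_MAC DST_MAC IFACE
replay_to_peer() {
    rp_pcap=$1; rp_cidr=$2; rp_ends=$3; rp_if=$6
    rp_smac=$(norm_mac "$4") || { echo "bad source MAC: $4" >&2; return 1; }
    rp_dmac=$(norm_mac "$5") || { echo "bad destination MAC: $5" >&2; return 1; }
    rp_cache=${rp_pcap%.pcap}.cache
    rp_out=${rp_pcap%.pcap}.rewritten.pcap   # never overwrite the input capture

    # 1. Create the cache file that --endpoints needs. In --cidr mode, packets
    #    whose source IP is inside SERVER_CIDR are classified as server traffic.
    tcpprep --cidr="$rp_cidr" --pcap="$rp_pcap" --cachefile="$rp_cache" || return 1

    # 2. Rewrite IPs to the two endpoints and MACs to the real NICs.
    tcprewrite --endpoints="$rp_ends" --cachefile="$rp_cache" \
        --enet-smac="$rp_smac" --enet-dmac="$rp_dmac" \
        --infile="$rp_pcap" --outfile="$rp_out" --skipbroadcast || return 1

    # 3. Send the rewritten capture out of the chosen interface.
    sudo tcpreplay --intf1="$rp_if" "$rp_out"
}

# Usage (constructed values; 192.0.2.0/24 is a documentation range):
#   replay_to_peer dhcp.pcap 192.0.2.1/32 192.0.2.10:192.0.2.20 \
#       <sender NIC MAC> <receiver NIC MAC> eth0
if [ "$#" -eq 6 ]; then replay_to_peer "$@"; fi
```

Running Wireshark or tcpdump on the receiving host while the last step executes confirms whether the rewritten frames actually arrive on the wire.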