Reputation: 11
Replayed pcap files not detected by iptables
I am facing some problems with tcpreplay. I am running L-7 filter userspace version on ATCA- PP81 blade, and I have this following iptable rules :
iptables -A FORWARD -j NFQUEUE --queue-num 0
iptables -t mangle -A PREROUTING -p udp -i eth0 -j NFQUEUE --queue-num 0
iptables -t mangle -A PREROUTING -p tcp -i eth0 -j NFQUEUE --queue-num 0
I am sending pcap files from a computer using tcpreplay, but all the replayed pcap files except those which have broadcast address were not detected by the iptables. I checked it with:
iptables -t mangle -L -v
I tried many ways, including using a cache file as discussed in some of the forums, and everything is in vain. Now I am totally helpless. I would appreciate it if you could reply my question.
Thanking you in anticipation
regards,
Amlas
Upvotes: 1
Views: 545
Answers (1)
Reputation: 21
It is not possible. This is a tcpreplay limitation. http://tcpreplay.synfin.net/wiki/FAQ
Can I use IPTables/Traffic Control with tcpreplay?
You can not use iptables/tc on the same box as you run tcpreplay. The only way to use IPTables or Traffic Control (tc) with tcpreplay is to run tcpreplay on a different box and send the traffic through the system running iptables/tc. This limitation is due to how the Linux kernel injects frames vs. reading frames for iptables/tc which makes traffic sent via tcpreplay to be invisible to iptables/tc.
Upvotes: 2
Related Questions
- Searching through many pcap files with tcpdump
- tcpdump output is diffferent than pcap file
- How to record the packets after iptables?
- I am trying to replay a pcap file that someone else captured for me (Im assuming they used tcpdump)
- iptables and libpcap
- Pcap file replay based on the packet timestamp using scapy
- pcap only picking up on new connections
- tcpdump -dd output doesn't match pcap_compile_nopcap
- missing elements from pcap?
- pcap and iptables tussle