Reputation: 2519
Replaying pcap on loopback
I have a set of pcap files containing UDP traffic from two hosts, and have to perform some analysis on this traffic on a regular basis.
Ideally, I would want to avoid having to frequently setup local interfaces with specific IPs and such to replay these files. I want to be able to simply replay them on my loopback interface, using tcprewrite to change the pcap.
Here is what it currently looks like:
# Remove mac addresses for loopback interface
# Remove VLAN tags
tcprewrite \
--enet-smac=00:00:00:00:00:00 \
--enet-dmac=00:00:00:00:00:00 \
--enet-vlan=del \
--infile="${INFILE}" \
--outfile="${OUTFILE}.tmp"
# Change source and destination IP to loopback
# Regenerate IP checksums
tcprewrite \
--srcipmap=0.0.0.0/0:127.0.0.1 \
--dstipmap=0.0.0.0/0:127.0.0.1 \
--fixcsum \
--infile="${OUTFILE}.tmp" \
--outfile="${OUTFILE}"
It seems to almost work. I can then simply replay these files on my loopback using tcpreplay and I see the packets using tcpdump on lo. Still, it seems that any regular userspace socket does not see this traffic on the loopback.
From my understanding, it seems to be related to the way layer 2 is handled on the loopback interface on linux. It would seem I need to rewrite the layer 2 headers (DLT) from plain ethernet to the null protocol used by BSD loopbacks.
Anyone having experience on replaying UDP traffic captured on ethernet to the loopback interface would be greatly appreciated. I cannot figure out how, or whether this is at all possible with pcap/tcprewrite.
I tried to follow https://www.tcpdump.org/linktypes.html and force a DLT header type of 0 (DLT_NULL) and content of 2 (IPv4) but with no success:
tcprewrite \
--enet-smac=00:00:00:00:00:00 \
--enet-dmac=00:00:00:00:00:00 \
--enet-vlan=del \
--dlt=user \
--user-dlt=0 \
--user-dlink=02,00,00,00 \
--infile="${INFILE}" \
--outfile="${OUTFILE}.tmp"
Fatal Error in tcpedit.c:tcpedit_packet() line 135:
From plugins/dlt_null/null.c:dlt_null_encode() line 201:
DLT_NULL and DLT_LOOP plugins do not support packet encoding
Upvotes: 5
Views: 1544
Answers (0)
Related Questions
- "Replay" tcpdump file
- tcpreplay: replay a pcap in reverse order
- replay captured udp traffic
- Listening with a script to tcpdump output pcaps
- I am trying to replay a pcap file that someone else captured for me (Im assuming they used tcpdump)
- Pcap file replay based on the packet timestamp using scapy
- packet loss when using pcap_loop
- Why can't our packet sniffer receive all of the replayed TCP packets?
- Replayed pcap files not detected by iptables
- How can I replay a TCP stream to my client