I have tried your suggestion and I am still getting the same DLT_LINUX_SLL error for tcprewrite. Here are the exact steps that I'm doing:
I want to retransmit all packets from source IP 192.168.1.254. So I prep as follows: tcpprep --cidr=192.168.1.254/24 --include=S:192.168.1.254/24 --pcap=orig.pcap --cachefile=input.cache Then I attempt to rewrite as follows: tcprewrite --dlt=enet --enet-dmac=00:0E:99:02:B5:D3 --enet-smac=00:24:81:03:FE:7F --cachefile=input.cache --infile=orig.pcap --outfile=out.pcap I'm attaching the orig.pcap file for your reference (note that I stripped out all packets, except for one). Thanks -----Original Message----- From: Aaron Turner [mailto:synfina...@gmail.com] Sent: Monday, May 24, 2010 4:42 PM To: Main forum for tcpreplay Subject: Re: [Tcpreplay-users] Tcprewrite error: "DLT_LINUX_SLL pcap's mustcontain only ethernet packets" On Mon, May 24, 2010 at 12:22 PM, Faul, Vaughn <vaughn.f...@goodrich.com> wrote: > I have a pcap file from a third party that I am trying to playback. > When using tcprewrite, I'm receiving the error: "DLT_LINUX_SLL pcap's > must contain only ethernet packets". I opened the pcap in Wireshark > and saw that the packets are "Linux cooked capture". How do I convert > the packets to ethernet type? Looking at the documentation it appears > that I need to use an input plugin, but I'm not exactly sure how to do this. > An example would be appreciated. > > Platform: Ubuntu version 9.10 > Tcpreplay Version: 3.4.1 (downloaded via synaptic) So LINUX_SLL is a "cooked" capture file format- meaning that it's not a physical layer 2 header, but rather a fake header that Linux uses when you're capturing on multiple interfaces. It also means that you can have a mix of interface types (such as both ethernet and loopback for example). LINUX_SLL is also lossy, meaning that not all the layer2 information is stored, so if you want to replay it later, you have to provide that information manually. Frankly, using "tcpdump -i any" while seems convenient at capture time, is often more work/pain in the long run for this reason. Input plugins are automatically selected by the DLT of the pcap. Output plugins allow rewriting the header. So you'll want to use --dlt=enet to select the DLT_EN10MB output plugin to convert to ethernet. You'll probably also need to specify --enet-dmac and --enet-smac since the DLT_LINUX_SLL is often missing one or both ethernet MAC addresses. More info here: http://tcpreplay.synfin.net/wiki/tcprewrite#RewritingLayer2 and of course the man pages. -- Aaron Turner http://synfin.net/ Twitter: @synfinatic http://tcpreplay.synfin.net/ - Pcap editing and replay tools for Unix & Windows Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. -- Benjamin Franklin "carpe diem quam minimum credula postero" ------------------------------------------------------------------------------ _______________________________________________ Tcpreplay-users mailing list Tcpreplay-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/tcpreplay-users Support Information: http://tcpreplay.synfin.net/trac/wiki/Support
orig.pcap
Description: orig.pcap
------------------------------------------------------------------------------
_______________________________________________ Tcpreplay-users mailing list Tcpreplay-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/tcpreplay-users Support Information: http://tcpreplay.synfin.net/trac/wiki/Support
