Your pcap has an invalid value (or at least one neither I nor Wireshark can decode) for the layer 2 address type field, which is causing the problem. The attached patch is a workaround.

-Aaron

On Fri, May 28, 2010 at 12:34 PM, Faul, Vaughn <vaughn.f...@goodrich.com> wrote:
> I have tried your suggestion and I am still getting the same DLT_LINUX_SLL
> error for tcprewrite. Here are the exact steps that I'm doing:
>
> I want to retransmit all packets from source IP 192.168.1.254. So I prep as
> follows:
> tcpprep --cidr=192.168.1.254/24 --include=S:192.168.1.254/24 --pcap=orig.pcap --cachefile=input.cache
>
> Then I attempt to rewrite as follows:
> tcprewrite --dlt=enet --enet-dmac=00:0E:99:02:B5:D3 --enet-smac=00:24:81:03:FE:7F --cachefile=input.cache --infile=orig.pcap --outfile=out.pcap
>
> I'm attaching the orig.pcap file for your reference (note that I stripped out
> all packets, except for one).
>
> Thanks
>
> -----Original Message-----
> From: Aaron Turner [mailto:synfina...@gmail.com]
> Sent: Monday, May 24, 2010 4:42 PM
> To: Main forum for tcpreplay
> Subject: Re: [Tcpreplay-users] Tcprewrite error: "DLT_LINUX_SLL pcap's must contain only ethernet packets"
>
> On Mon, May 24, 2010 at 12:22 PM, Faul, Vaughn <vaughn.f...@goodrich.com> wrote:
>> I have a pcap file from a third party that I am trying to playback.
>> When using tcprewrite, I'm receiving the error: "DLT_LINUX_SLL pcap's
>> must contain only ethernet packets". I opened the pcap in Wireshark
>> and saw that the packets are "Linux cooked capture". How do I convert
>> the packets to ethernet type? Looking at the documentation it appears
>> that I need to use an input plugin, but I'm not exactly sure how to do this.
>> An example would be appreciated.
>>
>> Platform: Ubuntu version 9.10
>> Tcpreplay Version: 3.4.1 (downloaded via synaptic)
>
> So LINUX_SLL is a "cooked" capture file format - meaning that it's not a
> physical layer 2 header, but rather a fake header that Linux uses when you're
> capturing on multiple interfaces. It also means that you can have a mix of
> interface types (such as both ethernet and loopback for example). LINUX_SLL
> is also lossy, meaning that not all the layer 2 information is stored, so if
> you want to replay it later, you have to provide that information manually.
> Frankly, using "tcpdump -i any", while it seems convenient at capture time,
> is often more work/pain in the long run for this reason.
>
> Input plugins are automatically selected by the DLT of the pcap.
> Output plugins allow rewriting the header. So you'll want to use --dlt=enet
> to select the DLT_EN10MB output plugin to convert to ethernet. You'll
> probably also need to specify --enet-dmac and --enet-smac since the
> DLT_LINUX_SLL is often missing one or both ethernet MAC addresses.
>
> More info here:
> http://tcpreplay.synfin.net/wiki/tcprewrite#RewritingLayer2
>
> and of course the man pages.
>
> --
> Aaron Turner
> http://synfin.net/ Twitter: @synfinatic
> http://tcpreplay.synfin.net/ - Pcap editing and replay tools for Unix & Windows
> Those who would give up essential Liberty, to purchase a little temporary
> Safety, deserve neither Liberty nor Safety.
> -- Benjamin Franklin
> "carpe diem quam minimum credula postero"
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Tcpreplay-users mailing list
> Tcpreplay-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/tcpreplay-users
> Support Information: http://tcpreplay.synfin.net/trac/wiki/Support

non-ethernet-rewite.patch
Description: Binary data
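
The "layer 2 address type" field named at the top of this reply is the second 16-bit field of the 16-byte DLT_LINUX_SLL header. The Python below is an added example, not part of the original thread or of tcpreplay: it lists that field for every packet in a cooked capture so non-Ethernet values can be spotted before running tcprewrite. The function names and the sample capture are constructed for illustration, and treating only ARPHRD_ETHER (1) with a 6-byte address as Ethernet is an assumption of this example.

```python
import struct

DLT_LINUX_SLL = 113   # pcap link type shown by Wireshark as "Linux cooked capture"
ARPHRD_ETHER = 1      # layer 2 address type for Ethernet
SLL_HDR = struct.Struct("!HHH8sH")  # pkttype, hatype, halen, addr[8], protocol


def build_sample_pcap(hatypes):
    """Constructed sample: little-endian pcap with one SLL packet per hatype."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_LINUX_SLL)
    mac = bytes.fromhex("00248103fe7f") + b"\x00\x00"  # padded to 8 bytes
    for hatype in hatypes:
        frame = SLL_HDR.pack(0, hatype, 6, mac, 0x0800) + b"\x45" + bytes(19)
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out


def audit_sll(pcap_bytes):
    """Return (packet_no, hatype, is_ethernet) per record; hatype None if truncated."""
    if len(pcap_bytes) < 24:
        raise ValueError("too short for a pcap file header")
    magic = struct.unpack_from("<I", pcap_bytes)[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic (microsecond) pcap file")
    linktype = struct.unpack_from(endian + "I", pcap_bytes, 20)[0]
    if linktype != DLT_LINUX_SLL:
        raise ValueError("link type %d is not DLT_LINUX_SLL" % linktype)
    results, off, number = [], 24, 0
    while off + 16 <= len(pcap_bytes):
        caplen = struct.unpack_from(endian + "I", pcap_bytes, off + 8)[0]
        frame = pcap_bytes[off + 16:off + 16 + caplen]
        off += 16 + caplen
        number += 1
        if len(frame) < SLL_HDR.size:
            results.append((number, None, False))  # record cut short
            continue
        _pkttype, hatype, halen, _addr, _proto = SLL_HDR.unpack_from(frame)
        results.append((number, hatype, hatype == ARPHRD_ETHER and halen == 6))
    return results


if __name__ == "__main__":
    for row in audit_sll(build_sample_pcap([ARPHRD_ETHER, 772, 0xFFFF])):
        print(row)
```

Any row whose last element is False marks a packet whose address type is not Ethernet; 772 in the sample is the Linux loopback type.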