Inline... On Fri, Apr 1, 2011 at 5:42 AM, DjamOlsky <djamol...@gmail.com> wrote: > Aaron Turner ecrivait le 31/03/2011 18:11: > >> Make sure you're specifying the MAC addresses of the two routers the >> laptop is directly attached to. > > The mac addresses are OK. (checked on the 2 cisco routers). > Maybe I am doing something wrong due to the fact, in your example > (nicely written, thanks!) > http://tcpreplay.synfin.net/wiki/usage#PassingTrafficThroughaFirewallRouterNon-TransparentDevice > You talk about passing the traffic on *one* device which is a little bit > different with my scenario (3 routers+1 IPS). > I am sure I am not the first person using a such scenario.
First person to ask me about it, but tcpreplay doesn't really care honestly. > Here is again my network schema (detailled) with the commands I am doing > (LAPTOP with tcpreplay replaying a pcap file): > > IPS > | | > router1 > / \ > --router2---router3-- > / \ / \ > SERVER LAPTOP CLIENT That's a lot different from the last diagram you gave me. Are the two NIC interfaces from the laptop on the same or different broadcast domains? Are they the same or different IP subnet? I thought you were just trying to replay traffic through the IPS, what purpose is the server on router2? Is it supposed to process/reply to any traffic? > The commands (according your man/wiki pages): > > tcpprep --pcap=mini.pcap --cachefile=mini.cache --port > > tcprewrite --cachefile=mini.cache --infile=mini.pcap > --outfile=mini_updated.pcap > --enet-dmac=@MAC-ROUTER2,@MAC-ROUTER3 --endpoints=@IP-SERVER,@IP-CLIENT > --enet-vlan=del Destination MAC addresses are ALWAYS the MAC address of the local router/gateway/next hop. Remember that ethernet is Layer2 and is not routed. So that tcprewrite command of yours might work with the first diagram, but it won't work with the most recent one. > tcpreplay --intf1=LAPTOP-eth0 --intf2=LAPTOP-eth1 --cachefile=mini.cache > mini_updated.pcap > >> If you're still having problems then I highly recommend placing a hub >> or switch that supports sniffing (often called a SPAN port) to sniff >> on each link between the routers & IPS and verify the packets are >> showing up correctly. Your network topology has multiple paths, so >> it's possible you have a routing issue. > > I was thinking about a routing issue, no problem. > Tests I did: ping from everywhere to everywhere and ftp transfert from > client to server (correctly caught by the IPS). > Thanks a lot for your help! :D Well replaying both sides of the communication with tcpreplay connected via router3 twice would take a very different path in the network then a FTP transfer between the laptop (connected to router3) and server (connected to router2). Apples and oranges. -- Aaron Turner http://synfin.net/ Twitter: @synfinatic http://tcpreplay.synfin.net/ - Pcap editing and replay tools for Unix & Windows Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. -- Benjamin Franklin "carpe diem quam minimum credula postero" ------------------------------------------------------------------------------ Create and publish websites with WebMatrix Use the most popular FREE web apps or write code yourself; WebMatrix provides all the features you need to develop and publish your website. http://p.sf.net/sfu/ms-webmatrix-sf _______________________________________________ Tcpreplay-users mailing list Tcpreplay-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/tcpreplay-users Support Information: http://tcpreplay.synfin.net/trac/wiki/Support
