When I check with tcpdump on the destination host I can see the traffic. That is why I think that the packets get to the destination host. My problem is that the packets are not seen by iptables, and I'm wondering if it is a problem with tcpreplay or iptables itself. Another suggestion I got from a colleague is that my Linux distribution may not work properly. I am using Ubuntu 11.04.

Somebody told me this:
AF_PACKET sockets bypass Netfilter.
He did not explain too much and I don't have any experience with those terms.
Do you know what it means? How can I fix this?

Thanks,
Andrey

On Wed, Jun 29, 2011 at 1:35 PM, Andrey Kulakevich <andr3y...@gmail.com> wrote:
> On Wed, Jun 29, 2011 at 1:23 PM, Aaron Turner <synfina...@gmail.com> wrote:
>> On Wed, Jun 29, 2011 at 9:04 AM, Andrey <and...@cs.dal.ca> wrote:
>>> Hello,
>>>
>>> I am trying to make layer 7 userspace filter to see the traffic in a pcap
>>> file.
>>> To do so I need to create an iptables rule that will direct the
>>> traffic to QUEUE which layer 7 listens to.
>>> My problem is that iptables seems to be empty when I replay the traffic
>>> with tcpreplay.
>>> I am using 2 computers, one is sending the data and the other is
>>> receiving it using mirroring.
>>> The traffic can be seen on the receiving computer with tcpdump, but
>>> iptables is still empty.
>>> Could someone tell me how to fix this? I am not sure if the problem is
>>> with tcpreplay or iptables or something else.
>>
>> Based on your description, I'd have to guess that the destination
>> MAC/IP address of the packets being sent by tcpreplay is not that of
>> the target host running iptables. You can use tcprewrite to edit the
>> packets to fix that.
>>
>> --
>> Aaron Turner
>> http://synfin.net/ Twitter: @synfinatic
>> http://tcpreplay.synfin.net/ - Pcap editing and replay tools for Unix & Windows
>> Those who would give up essential Liberty, to purchase a little temporary
>> Safety, deserve neither Liberty nor Safety.
>> -- Benjamin Franklin
>> "carpe diem quam minimum credula postero"

_______________________________________________
Tcpreplay-users mailing list
Tcpreplay-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tcpreplay-users
Support Information: http://tcpreplay.synfin.net/trac/wiki/Support
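
The destination MAC/IP mismatch Aaron suggests in the quoted reply can be checked on the capture file itself before replaying. The script below is an added example, not code from the thread or from the tcpreplay project: it lists the destination MAC/IP pairs in a pcap file that do not match the receiving host. The function names, the sample capture and every address in it are constructed for illustration, and it assumes a classic (non-pcapng) Ethernet capture carrying untagged IPv4.

```python
import struct
from collections import Counter

def dst_addresses(pcap):
    """Count (dst MAC, dst IPv4) pairs in a classic-pcap Ethernet capture."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None:
        raise ValueError("not a classic microsecond pcap (pcapng not handled)")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    counts, off = Counter(), 24              # 24-byte global header
    while off + 16 <= len(pcap):             # 16-byte per-record header
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                         # truncated, non-IPv4 or VLAN-tagged
        mac = ":".join(f"{b:02x}" for b in frame[0:6])
        ip = ".".join(str(b) for b in frame[30:34])
        counts[(mac, ip)] += 1
    return counts

def not_for_host(counts, host_mac, host_ip):
    """Pairs the receiving host would not accept as addressed to itself."""
    ok_macs = {host_mac.lower(), "ff:ff:ff:ff:ff:ff"}
    return {pair: n for pair, n in counts.items()
            if pair[0] not in ok_macs or pair[1] != host_ip}

def sample_pcap():
    """Constructed two-packet capture (addresses are made up for the example)."""
    def frame(dst_mac, dst_ip):
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                         bytes([192, 0, 2, 10]), bytes(dst_ip))
        return bytes(dst_mac) + bytes([2, 0, 0, 0, 0, 1]) + b"\x08\x00" + ip
    frames = [frame([2, 0, 0, 0, 0, 0xaa], [192, 0, 2, 20]),
              frame([2, 0, 0, 0, 0, 0xbb], [198, 51, 100, 7])]
    out = struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    # HOST_MAC / HOST_IP are the receiving machine's own values (constructed here)
    HOST_MAC, HOST_IP = "02:00:00:00:00:aa", "192.0.2.20"
    for (mac, ip), n in not_for_host(dst_addresses(sample_pcap()), HOST_MAC, HOST_IP).items():
        print(f"{n} packet(s) addressed to {mac} / {ip}, not this host")
```

To run it against a real capture, pass the file's bytes to `dst_addresses()` in place of `sample_pcap()` and supply the receiving interface's own MAC and IP address.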