Well, I was checking if the packets arrived using Wireshark. I have been told that they are basically the same. When I use tcpdump with the -p option I get few packets which are lab traffic and the replayed traffic is not seen. When I stop tcpdump it says something like:

19 packets captured
12428 packets received by filter
12379 packets dropped by kernel

Now, do I need to change the destination address or not? I have tried changing it before using tcprewrite, but all without success. The destination host does not have an IPv4 address at the moment, just a MAC address, because we are doing traffic mirroring to get the data from the sender to the destination host. Would that be a problem, or does it not affect anything?

Thanks,
Andrey

On Wed, Jun 29, 2011 at 1:51 PM, Aaron Turner <synfina...@gmail.com> wrote:
> On Wed, Jun 29, 2011 at 9:37 AM, Andrey <and...@cs.dal.ca> wrote:
>> When I check with tcpdump on the destination host I can see the traffic.
>> That is why I think that the packets get to the destination host.
>
> That's because tcpdump by default puts the interface in 'promiscuous
> mode'. Do you still see the traffic on the target host when running
> tcpdump with the -p flag which turns off that feature?
>
>> My problem is that the packets are not seen by iptables, and I'm
>> wondering if it is a problem with tcpreplay or iptables itself.
>> Another suggestion I got by a colleague is that my Linux distribution
>> may not work properly.
>> I am using Ubuntu 11.04.
>
> It's more of a kernel thing than distribution thing, but I seriously
> doubt there are any bugs of this sort in any recent Linux distro.
>
>> Somebody told me this:
>> AF_PACKET sockets bypass Netfilter.
>> He did not explain too much and I don't have any experience with those terms.
>> Do you know what it means? How can I fix this?
>
> Yes, outbound traffic sent by tcpreplay will not be seen by
> iptables/etc on the host sending the traffic. Technically tcpreplay
> uses PF_PACKET on Linux though if you want to google that for more
> info. However the receiving host has no way to know that.
>
> --
> Aaron Turner
> http://synfin.net/ Twitter: @synfinatic
> http://tcpreplay.synfin.net/ - Pcap editing and replay tools for Unix &
> Windows
> Those who would give up essential Liberty, to purchase a little temporary
> Safety, deserve neither Liberty nor Safety.
> -- Benjamin Franklin
> "carpe diem quam minimum credula postero"
>
> _______________________________________________
> Tcpreplay-users mailing list
> Tcpreplay-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/tcpreplay-users
> Support Information: http://tcpreplay.synfin.net/trac/wiki/Support
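
The gap discussed in this thread between what a promiscuous-mode capture shows and what iptables sees, as an added example that is not part of the original messages: a simplified model of the Linux IPv4 receive path, in which frames addressed to another host's MAC are dropped before the first Netfilter hook. The function names, MAC addresses and IP addresses are constructed for illustration.

```python
import socket
import struct

ETH_P_IP = 0x0800

def mac_bytes(text):
    """Convert 'aa:bb:cc:dd:ee:ff' into 6 raw bytes."""
    return bytes(int(part, 16) for part in text.split(":"))

def packet_type(frame, iface_mac):
    """Classify a received frame the way the Ethernet layer does."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst = frame[:6]
    if dst == b"\xff" * 6:
        return "broadcast"
    if dst[0] & 0x01:  # group bit set: multicast
        return "multicast"
    return "host" if dst == mac_bytes(iface_mac) else "otherhost"

def netfilter_hooks(frame, iface_mac, local_ips=(), forwarding=False):
    """IPv4 Netfilter hooks a received frame traverses (simplified model)."""
    if packet_type(frame, iface_mac) == "otherhost":
        return []  # only promiscuous-mode sniffers see it; dropped before PREROUTING
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETH_P_IP or len(frame) < 34:
        return []  # not a complete IPv4 header
    hooks = ["PREROUTING"]
    dst_ip = socket.inet_ntoa(frame[30:34])
    if dst_ip in local_ips:
        hooks.append("INPUT")
    elif forwarding:
        hooks.append("FORWARD")
    return hooks

def build_frame(dst_mac, src_mac, src_ip, dst_ip):
    """Constructed sample: Ethernet + minimal IPv4 header, no payload."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETH_P_IP) + ip

# Constructed addresses: capture NIC, original recipient in the pcap, sender.
CAPTURE_MAC, ORIGINAL_MAC, SENDER_MAC = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:0c"
replayed = build_frame(ORIGINAL_MAC, SENDER_MAC, "192.0.2.1", "192.0.2.20")
rewritten = build_frame(CAPTURE_MAC, SENDER_MAC, "192.0.2.1", "192.0.2.20")

if __name__ == "__main__":
    print(netfilter_hooks(replayed, CAPTURE_MAC))
    print(netfilter_hooks(rewritten, CAPTURE_MAC))
    print(netfilter_hooks(rewritten, CAPTURE_MAC, local_ips={"192.0.2.20"}))
```

In this model a frame whose destination MAC matches the capture interface reaches PREROUTING, but it reaches the INPUT chain only when its destination IP is also a local address on the host.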