Is cap.pcap really 802.1q vlan tagged? I didn't know it was possible to have an 802.1q tagged LINUX_SLL frame... doesn't really make a lot of sense really, since LINUX_SLL is a fake L2 header and 802.1q is L2.

If it's not tagged, try not using the --enet-vlan=del option. If it is tagged, then please send me the pcap so I can use it to test.

On Wed, Aug 31, 2011 at 4:12 PM, Mike Komer <mko...@juniper.net> wrote:
> I take it back. The rewrite is running, but the IP layer is not getting
> rewritten. Then the MAC layer is rewritten just fine.
>
> The resulting capture with wrong IP number fails to replay correctly.
>
> [root@replay-02 tmp]# tcpdump -e -nn -tqr cap.pcap
> reading from file cap.pcap, link-type LINUX_SLL (Linux cooked)
> P 02:1a:c5:01:00:00 1.1.233.209.23588 > 1.2.176.1.80: tcp 0
> P 02:1a:c5:02:00:00 1.2.176.1.80 > 1.1.233.209.23588: tcp 0
> P 02:1a:c5:01:00:00 1.1.233.209.23588 > 1.2.176.1.80: tcp 0
> P 02:1a:c5:01:00:00 1.1.233.209.23588 > 1.2.176.1.80: tcp 1380
> P 02:1a:c5:01:00:00 1.1.233.209.23588 > 1.2.176.1.80: tcp 458
> P 02:1a:c5:02:00:00 1.2.176.1.80 > 1.1.233.209.23588: tcp 0
> P 02:1a:c5:01:00:00 1.1.233.209.23588 > 1.2.176.1.80: tcp 0
> P 02:1a:c5:02:00:00 1.2.176.1.80 > 1.1.233.209.23588: tcp 0
> P 02:1a:c5:01:00:00 1.1.233.209.23588 > 1.2.176.1.80: tcp 0
>
> [root@replay-02 tmp]# tcprewrite --dlt=enet --enet-vlan=del --pnat=1.1.233.209/32:192.168.129.1/32,1.2.176.1/32:192.168.1.1/32 --infile=cap.pcap --outfile=NORMAL.cap -v
> reading from file -, link-type EN10MB (Ethernet)
> 09:38:07.877834 02:1a:c5:01:00:00 Null > 00:03:00:01:00:06 Unknown DSAP 0x08 Supervisory, Receiver not Ready, rcv seq 0, Flags [Command], length 48
> 09:38:07.879223 02:1a:c5:02:00:00 Null > 00:03:00:01:00:06 Unknown DSAP 0x08 Supervisory, Receiver not Ready, rcv seq 0, Flags [Command], length 48
> 09:38:07.880207 02:1a:c5:01:00:00 Null > 00:03:00:01:00:06 Unknown DSAP 0x08 Supervisory, Receiver not Ready, rcv seq 0, Flags [Command], length 48
> 09:38:07.883955 02:1a:c5:01:00:00 Null > 00:03:00:01:00:06 Unknown DSAP 0x08 Supervisory, Receiver not Ready, rcv seq 0, Flags [Command], length 1422
> 09:38:07.885953 02:1a:c5:01:00:00 Null > 00:03:00:01:00:06 Unknown DSAP 0x08 Supervisory, Receiver not Ready, rcv seq 0, Flags [Command], length 500
> 09:38:07.887592 02:1a:c5:02:00:00 Null > 00:03:00:01:00:06 Unknown DSAP 0x08 Supervisory, Receiver not Ready, rcv seq 0, Flags [Command], length 48
> 09:38:08.020501 02:1a:c5:01:00:00 Null > 00:03:00:01:00:06 Unknown DSAP 0x08 Supervisory, Receiver not Ready, rcv seq 0, Flags [Command], length 48
> 09:38:08.022390 02:1a:c5:02:00:00 Null > 00:03:00:01:00:06 Unknown DSAP 0x08 Supervisory, Receiver not Ready, rcv seq 0, Flags [Command], length 48
> 09:38:08.023499 02:1a:c5:01:00:00 Null > 00:03:00:01:00:06 Unknown DSAP 0x08 Supervisory, Receiver not Ready, rcv seq 0, Flags [Command], length 48
>
> [root@replay-02 tmp]# tcpdump -e -nn -tqr NORMAL.cap
> reading from file NORMAL.cap, link-type EN10MB (Ethernet)
> 02:1a:c5:01:00:00 > 00:00:00:00:00:00, IPv4, length 60: 1.1.233.209.23588 > 1.2.176.1.80: tcp 0
> 02:1a:c5:02:00:00 > 00:00:00:00:00:00, IPv4, length 60: 1.2.176.1.80 > 1.1.233.209.23588: tcp 0
> 02:1a:c5:01:00:00 > 00:00:00:00:00:00, IPv4, length 60: 1.1.233.209.23588 > 1.2.176.1.80: tcp 0
> 02:1a:c5:01:00:00 > 00:00:00:00:00:00, IPv4, length 1434: 1.1.233.209.23588 > 1.2.176.1.80: tcp 1380
> 02:1a:c5:01:00:00 > 00:00:00:00:00:00, IPv4, length 512: 1.1.233.209.23588 > 1.2.176.1.80: tcp 458
> 02:1a:c5:02:00:00 > 00:00:00:00:00:00, IPv4, length 60: 1.2.176.1.80 > 1.1.233.209.23588: tcp 0
> 02:1a:c5:01:00:00 > 00:00:00:00:00:00, IPv4, length 60: 1.1.233.209.23588 > 1.2.176.1.80: tcp 0
> 02:1a:c5:02:00:00 > 00:00:00:00:00:00, IPv4, length 60: 1.2.176.1.80 > 1.1.233.209.23588: tcp 0
> 02:1a:c5:01:00:00 > 00:00:00:00:00:00, IPv4, length 60: 1.1.233.209.23588 > 1.2.176.1.80: tcp 0
> [root@replay-02 tmp]#
>
> If I rewrite NORMAL.cap again, using the same options it works
>
> [root@replay-02 tmp]# tcprewrite --dlt=enet --enet-vlan=del --pnat=1.1.233.209/32:192.168.129.1/32,1.2.176.1/32:192.168.1.1/32 --infile=NORMAL.cap --outfile=NORMAL2.cap -v
> reading from file -, link-type EN10MB (Ethernet)
> 09:38:07.877834 IP 1.1.233.209.23588 > 1.2.176.1.http: S 1097483548:1097483548(0) win 16384
> 09:38:07.879223 IP 1.2.176.1.http > 1.1.233.209.23588: S 2266378423:2266378423(0) ack 1097483549 win 16384
> 09:38:07.880207 IP 1.1.233.209.23588 > 1.2.176.1.http: . ack 1 win 16384
> 78423(0) ack 1097483549 win 16384
> 09:38:07.883955 IP 1.1.233.209.23588 > 1.2.176.1.http: P 1:1381(1380) ack 1 win 16384
> 1097483549 win 16384
> 09:38:07.885953 IP 1.1.233.209.23588 > 1.2.176.1.http: P 1381:1839(458) ack 1 win 16384
> 97483549 win 16384
> 09:38:07.887592 IP 1.2.176.1.http > 1.1.233.209.23588: . ack 1839 win 16384
> 1 win 16384
> 97483549 win 16384
> 09:38:08.020501 IP 1.1.233.209.23588 > 1.2.176.1.http: F 1839:1839(0) ack 1 win 16384
> 4
> 97483549 win 16384
> 09:38:08.022390 IP 1.2.176.1.http > 1.1.233.209.23588: F 1:1(0) ack 1840 win 16384
> 84
> 4
> 97483549 win 16384
> 09:38:08.023499 IP 1.1.233.209.23588 > 1.2.176.1.http: . ack 2 win 16384
> win 16384
> 84
> 4
> 97483549 win 16384
>
> [root@replay-02 tmp]# tcpdump -e -nn -tqr NORMAL2.cap
> reading from file NORMAL2.cap, link-type EN10MB (Ethernet)
> 02:1a:c5:01:00:00 > 00:00:00:00:00:00, IPv4, length 60: 192.168.129.1.23588 > 192.168.1.1.80: tcp 0
> 02:1a:c5:02:00:00 > 00:00:00:00:00:00, IPv4, length 60: 192.168.1.1.80 > 192.168.129.1.23588: tcp 0
> 02:1a:c5:01:00:00 > 00:00:00:00:00:00, IPv4, length 60: 192.168.129.1.23588 > 192.168.1.1.80: tcp 0
> 02:1a:c5:01:00:00 > 00:00:00:00:00:00, IPv4, length 1434: 192.168.129.1.23588 > 192.168.1.1.80: tcp 1380
> 02:1a:c5:01:00:00 > 00:00:00:00:00:00, IPv4, length 512: 192.168.129.1.23588 > 192.168.1.1.80: tcp 458
> 02:1a:c5:02:00:00 > 00:00:00:00:00:00, IPv4, length 60: 192.168.1.1.80 > 192.168.129.1.23588: tcp 0
> 02:1a:c5:01:00:00 > 00:00:00:00:00:00, IPv4, length 60: 192.168.129.1.23588 > 192.168.1.1.80: tcp 0
> 02:1a:c5:02:00:00 > 00:00:00:00:00:00, IPv4, length 60: 192.168.1.1.80 > 192.168.129.1.23588: tcp 0
> 02:1a:c5:01:00:00 > 00:00:00:00:00:00, IPv4, length 60: 192.168.129.1.23588 > 192.168.1.1.80: tcp 0
> [root@replay-02 tmp]#
>
> _______________________________________________
> Tcpreplay-users mailing list
> Tcpreplay-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/tcpreplay-users
> Support Information: http://tcpreplay.synfin.net/trac/wiki/Support

--
Aaron Turner
http://synfin.net/ Twitter: @synfinatic
http://tcpreplay.synfin.net/ - Pcap editing and replay tools for Unix & Windows
Those who would give up essential Liberty, to purchase a little temporary
Safety, deserve neither Liberty nor Safety.
    -- Benjamin Franklin
"carpe diem quam minimum credula postero"
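
One way to check the question this reply raises, as an added example (not code from the thread or from the tcpreplay project): read the capture's link type and count frames whose LINUX_SLL or Ethernet protocol field is 0x8100 (802.1Q). The function name and the sample captures are constructed for illustration, and the sketch assumes a classic microsecond pcap file in which a tag would appear as that protocol value.

```python
import struct

DLT_EN10MB, DLT_LINUX_SLL = 1, 113        # libpcap link-type values
ETH_P_IP, ETH_P_8021Q = 0x0800, 0x8100
SLL_HDR_LEN = 16  # pkttype(2) hatype(2) halen(2) addr(8) protocol(2)

def sll_vlan_report(pcap_bytes):
    """Return (linktype, total_packets, vlan_tagged_packets) for a classic pcap."""
    magic = pcap_bytes[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(endian + "I", pcap_bytes[20:24])[0] & 0xFFFF
    # Protocol field: last 2 bytes of the SLL header, or after dst+src MAC.
    proto_off = {DLT_LINUX_SLL: SLL_HDR_LEN - 2, DLT_EN10MB: 12}.get(linktype)
    if proto_off is None:
        raise ValueError(f"unsupported link type {linktype}")
    total = tagged = 0
    pos = 24                                  # skip the global header
    while pos + 16 <= len(pcap_bytes):
        _, _, caplen, _ = struct.unpack(endian + "IIII", pcap_bytes[pos:pos + 16])
        frame = pcap_bytes[pos + 16:pos + 16 + caplen]
        pos += 16 + caplen
        total += 1
        if len(frame) >= proto_off + 2:       # ignore frames truncated by snaplen
            (proto,) = struct.unpack("!H", frame[proto_off:proto_off + 2])
            tagged += proto == ETH_P_8021Q
    return linktype, total, tagged

def _sample_pcap(protocols):
    """Constructed LINUX_SLL capture with one frame per protocol value."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_LINUX_SLL)
    for proto in protocols:
        addr = bytes.fromhex("021ac50100000000")   # 6-byte MAC padded to 8
        frame = struct.pack("!HHH8sH", 0, 1, 6, addr, proto) + b"\x00" * 24
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

SAMPLE_UNTAGGED = _sample_pcap([ETH_P_IP, ETH_P_IP])     # constructed input
SAMPLE_MIXED = _sample_pcap([ETH_P_IP, ETH_P_8021Q])     # constructed input

if __name__ == "__main__":
    print(sll_vlan_report(SAMPLE_UNTAGGED), sll_vlan_report(SAMPLE_MIXED))
```

A tagged count of zero on a LINUX_SLL capture corresponds to the "not tagged" branch of the advice above.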