It is not tagged. This same command structure is used to rewrite thousands of captures in a loop. As of yesterday, I now store the L2 link-type information. So, if need be I can adjust the command based on that.
What I think this might be is that the IP and Link info can not be rewritten in one go. This is verified by the fact the second attempt with the same command works. I will try it without the vlan switch and let you know. -MK -----Original Message----- From: Aaron Turner [mailto:synfina...@gmail.com] Sent: Wednesday, August 31, 2011 17:46 To: Main forum for tcpreplay Subject: Re: [Tcpreplay-users] Error message Is cap.pcap really 802.1q vlan tagged? I didn't know it was possible to have an 802.1q tagged LINUX_SSL frame... doesn't really make a lot of sense really, since LINUX_SSL is a fake L2 header and 802.1q is L2. If it's not tagged, try not using the --enet-vlan=del option. If it is tagged, then please send me the pcap so I can use it to test. On Wed, Aug 31, 2011 at 4:12 PM, Mike Komer <mko...@juniper.net> wrote: > I take it back. The rewrite is running, but the IP layer is not getting > rewritten. Then the MAC layer is rewritten just fine. > > > > The resulting capture with wrong IP number fails to replay correctly. > > > > > > [root@replay-02 tmp]# tcpdump -e -nn -tqr cap.pcap > > reading from file cap.pcap, link-type LINUX_SLL (Linux cooked) > > P 02:1a:c5:01:00:00 1.1.233.209.23588 > 1.2.176.1.80: tcp 0 > > P 02:1a:c5:02:00:00 1.2.176.1.80 > 1.1.233.209.23588: tcp 0 > > P 02:1a:c5:01:00:00 1.1.233.209.23588 > 1.2.176.1.80: tcp 0 > > P 02:1a:c5:01:00:00 1.1.233.209.23588 > 1.2.176.1.80: tcp 1380 > > P 02:1a:c5:01:00:00 1.1.233.209.23588 > 1.2.176.1.80: tcp 458 > > P 02:1a:c5:02:00:00 1.2.176.1.80 > 1.1.233.209.23588: tcp 0 > > P 02:1a:c5:01:00:00 1.1.233.209.23588 > 1.2.176.1.80: tcp 0 > > P 02:1a:c5:02:00:00 1.2.176.1.80 > 1.1.233.209.23588: tcp 0 > > P 02:1a:c5:01:00:00 1.1.233.209.23588 > 1.2.176.1.80: tcp 0 > > [root@replay-02 tmp]# tcprewrite --dlt=enet --enet-vlan=del > --pnat=1.1.233.209/32:192.168.129.1/32,1.2.176.1/32:192.168.1.1/32 > --infile=cap.pcap --outfile=NORMAL.cap -v > > reading from file -, link-type EN10MB (Ethernet) > > 09:38:07.877834 02:1a:c5:01:00:00 Null > 00:03:00:01:00:06 Unknown DSAP 0x08 > Supervisory, Receiver not Ready, rcv seq 0, Flags [Command], length 48 > > 09:38:07.879223 02:1a:c5:02:00:00 Null > 00:03:00:01:00:06 Unknown DSAP 0x08 > Supervisory, Receiver not Ready, rcv seq 0, Flags [Command], length 48 > > 09:38:07.880207 02:1a:c5:01:00:00 Null > 00:03:00:01:00:06 Unknown DSAP 0x08 > Supervisory, Receiver not Ready, rcv seq 0, Flags [Command], length 48 > > 09:38:07.883955 02:1a:c5:01:00:00 Null > 00:03:00:01:00:06 Unknown DSAP 0x08 > Supervisory, Receiver not Ready, rcv seq 0, Flags [Command], length 1422 > > 09:38:07.885953 02:1a:c5:01:00:00 Null > 00:03:00:01:00:06 Unknown DSAP 0x08 > Supervisory, Receiver not Ready, rcv seq 0, Flags [Command], length 500 > > > > 09:38:07.887592 02:1a:c5:02:00:00 Null > 00:03:00:01:00:06 Unknown DSAP 0x08 > Supervisory, Receiver not Ready, rcv seq 0, Flags [Command], length 48 > > > > > > 09:38:08.020501 02:1a:c5:01:00:00 Null > 00:03:00:01:00:06 Unknown DSAP 0x08 > Supervisory, Receiver not Ready, rcv seq 0, Flags [Command], length 48 > > > > > > 09:38:08.022390 02:1a:c5:02:00:00 Null > 00:03:00:01:00:06 Unknown DSAP 0x08 > Supervisory, Receiver not Ready, rcv seq 0, Flags [Command], length 48 > > > > > > 09:38:08.023499 02:1a:c5:01:00:00 Null > 00:03:00:01:00:06 Unknown DSAP 0x08 > Supervisory, Receiver not Ready, rcv seq 0, Flags [Command], length 48 > > > > > > [root@replay-02 tmp]# tcpdump -e -nn -tqr NORMAL.cap > > reading from file NORMAL.cap, link-type EN10MB (Ethernet) > > 02:1a:c5:01:00:00 > 00:00:00:00:00:00, IPv4, length 60: 1.1.233.209.23588 > > 1.2.176.1.80: tcp 0 > > 02:1a:c5:02:00:00 > 00:00:00:00:00:00, IPv4, length 60: 1.2.176.1.80 > > 1.1.233.209.23588: tcp 0 > > 02:1a:c5:01:00:00 > 00:00:00:00:00:00, IPv4, length 60: 1.1.233.209.23588 > > 1.2.176.1.80: tcp 0 > > 02:1a:c5:01:00:00 > 00:00:00:00:00:00, IPv4, length 1434: 1.1.233.209.23588 >> 1.2.176.1.80: tcp 1380 > > 02:1a:c5:01:00:00 > 00:00:00:00:00:00, IPv4, length 512: 1.1.233.209.23588 > > 1.2.176.1.80: tcp 458 > > 02:1a:c5:02:00:00 > 00:00:00:00:00:00, IPv4, length 60: 1.2.176.1.80 > > 1.1.233.209.23588: tcp 0 > > 02:1a:c5:01:00:00 > 00:00:00:00:00:00, IPv4, length 60: 1.1.233.209.23588 > > 1.2.176.1.80: tcp 0 > > 02:1a:c5:02:00:00 > 00:00:00:00:00:00, IPv4, length 60: 1.2.176.1.80 > > 1.1.233.209.23588: tcp 0 > > 02:1a:c5:01:00:00 > 00:00:00:00:00:00, IPv4, length 60: 1.1.233.209.23588 > > 1.2.176.1.80: tcp 0 > > [root@replay-02 tmp]# > > > > > > > > > > If I rewrite NORMAL.cap again, using the same options it works > > > > > > [root@replay-02 tmp]# tcprewrite --dlt=enet --enet-vlan=del > --pnat=1.1.233.209/32:192.168.129.1/32,1.2.176.1/32:192.168.1.1/32 > --infile=NORMAL.cap --outfile=NORMAL2.cap -v > > reading from file -, link-type EN10MB (Ethernet) > > 09:38:07.877834 IP 1.1.233.209.23588 > 1.2.176.1.http: S > 1097483548:1097483548(0) win 16384 > > 09:38:07.879223 IP 1.2.176.1.http > 1.1.233.209.23588: S > 2266378423:2266378423(0) ack 1097483549 win 16384 > > 09:38:07.880207 IP 1.1.233.209.23588 > 1.2.176.1.http: . ack 1 win 16384 > > 78423(0) ack 1097483549 win 16384 > > 09:38:07.883955 IP 1.1.233.209.23588 > 1.2.176.1.http: P 1:1381(1380) ack 1 > win 16384 > > 1097483549 win 16384 > > 09:38:07.885953 IP 1.1.233.209.23588 > 1.2.176.1.http: P 1381:1839(458) ack > 1 win 16384 > > 97483549 win 16384 > > 09:38:07.887592 IP 1.2.176.1.http > 1.1.233.209.23588: . ack 1839 win 16384 > > 1 win 16384 > > 97483549 win 16384 > > 09:38:08.020501 IP 1.1.233.209.23588 > 1.2.176.1.http: F 1839:1839(0) ack 1 > win 16384 > > 4 > > 97483549 win 16384 > > 09:38:08.022390 IP 1.2.176.1.http > 1.1.233.209.23588: F 1:1(0) ack 1840 win > 16384 > > 84 > > 4 > > 97483549 win 16384 > > 09:38:08.023499 IP 1.1.233.209.23588 > 1.2.176.1.http: . ack 2 win 16384 > > win 16384 > > 84 > > 4 > > 97483549 win 16384 > > [root@replay-02 tmp]# tcpdump -e -nn -tqr NORMAL2.cap > > reading from file NORMAL2.cap, link-type EN10MB (Ethernet) > > 02:1a:c5:01:00:00 > 00:00:00:00:00:00, IPv4, length 60: 192.168.129.1.23588 >> 192.168.1.1.80: tcp 0 > > 02:1a:c5:02:00:00 > 00:00:00:00:00:00, IPv4, length 60: 192.168.1.1.80 > > 192.168.129.1.23588: tcp 0 > > 02:1a:c5:01:00:00 > 00:00:00:00:00:00, IPv4, length 60: 192.168.129.1.23588 >> 192.168.1.1.80: tcp 0 > > 02:1a:c5:01:00:00 > 00:00:00:00:00:00, IPv4, length 1434: > 192.168.129.1.23588 > 192.168.1.1.80: tcp 1380 > > 02:1a:c5:01:00:00 > 00:00:00:00:00:00, IPv4, length 512: 192.168.129.1.23588 >> 192.168.1.1.80: tcp 458 > > 02:1a:c5:02:00:00 > 00:00:00:00:00:00, IPv4, length 60: 192.168.1.1.80 > > 192.168.129.1.23588: tcp 0 > > 02:1a:c5:01:00:00 > 00:00:00:00:00:00, IPv4, length 60: 192.168.129.1.23588 >> 192.168.1.1.80: tcp 0 > > 02:1a:c5:02:00:00 > 00:00:00:00:00:00, IPv4, length 60: 192.168.1.1.80 > > 192.168.129.1.23588: tcp 0 > > 02:1a:c5:01:00:00 > 00:00:00:00:00:00, IPv4, length 60: 192.168.129.1.23588 >> 192.168.1.1.80: tcp 0 > > [root@replay-02 tmp]# > > ------------------------------------------------------------------------------ > Special Offer -- Download ArcSight Logger for FREE! > Finally, a world-class log management solution at an even better > price-free! And you'll get a free "Love Thy Logs" t-shirt when you > download Logger. Secure your free ArcSight Logger TODAY! > http://p.sf.net/sfu/arcsisghtdev2dev > _______________________________________________ > Tcpreplay-users mailing list > Tcpreplay-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/tcpreplay-users > Support Information: http://tcpreplay.synfin.net/trac/wiki/Support > -- Aaron Turner http://synfin.net/ Twitter: @synfinatic http://tcpreplay.synfin.net/ - Pcap editing and replay tools for Unix & Windows Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. -- Benjamin Franklin "carpe diem quam minimum credula postero" ------------------------------------------------------------------------------ Special Offer -- Download ArcSight Logger for FREE! Finally, a world-class log management solution at an even better price-free! And you'll get a free "Love Thy Logs" t-shirt when you download Logger. Secure your free ArcSight Logger TODAY! http://p.sf.net/sfu/arcsisghtdev2dev _______________________________________________ Tcpreplay-users mailing list Tcpreplay-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/tcpreplay-users Support Information: http://tcpreplay.synfin.net/trac/wiki/Support ------------------------------------------------------------------------------ Special Offer -- Download ArcSight Logger for FREE! Finally, a world-class log management solution at an even better price-free! And you'll get a free "Love Thy Logs" t-shirt when you download Logger. Secure your free ArcSight Logger TODAY! http://p.sf.net/sfu/arcsisghtdev2dev _______________________________________________ Tcpreplay-users mailing list Tcpreplay-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/tcpreplay-users Support Information: http://tcpreplay.synfin.net/trac/wiki/Support
