This patch should fix this problem... I'll need to run some additional testing to make sure it doesn't create any other problems though.
http://tcpreplay.synfin.net/changeset/2544?format=diff&new=2544 Love to hear if you have any luck (good or bad). -Aaron On Thu, Sep 1, 2011 at 11:11 AM, Mike Komer <mko...@juniper.net> wrote: > Same result. > > > > > > > > [root@replay-02 tmp]# tcpdump -e -nn -tqr 'cap.pcap' > > reading from file cap.pcap, link-type LINUX_SLL (Linux cooked) > > P 02:1a:c5:01:00:00 1.1.233.209.23588 > 1.2.176.1.80: tcp 0 > > P 02:1a:c5:02:00:00 1.2.176.1.80 > 1.1.233.209.23588: tcp 0 > > P 02:1a:c5:01:00:00 1.1.233.209.23588 > 1.2.176.1.80: tcp 0 > > P 02:1a:c5:01:00:00 1.1.233.209.23588 > 1.2.176.1.80: tcp 1380 > > P 02:1a:c5:01:00:00 1.1.233.209.23588 > 1.2.176.1.80: tcp 458 > > P 02:1a:c5:02:00:00 1.2.176.1.80 > 1.1.233.209.23588: tcp 0 > > P 02:1a:c5:01:00:00 1.1.233.209.23588 > 1.2.176.1.80: tcp 0 > > P 02:1a:c5:02:00:00 1.2.176.1.80 > 1.1.233.209.23588: tcp 0 > > P 02:1a:c5:01:00:00 1.1.233.209.23588 > 1.2.176.1.80: tcp 0 > > [root@replay-02 tmp]# tcprewrite --dlt=enet > --pnat=1.1.233.209/32:192.168.129.1/32,1.2.176.1/32:192.168.1.1/32 > --infile='cap.pcap' --outfile='NORMAL.cap' > > [root@replay-02 tmp]# tcpdump -e -nn -tqr NORMAL.cap > > reading from file NORMAL.cap, link-type EN10MB (Ethernet) > > 02:1a:c5:01:00:00 > 00:00:00:00:00:00, IPv4, length 60: 1.1.233.209.23588 > > 1.2.176.1.80: tcp 0 > > 02:1a:c5:02:00:00 > 00:00:00:00:00:00, IPv4, length 60: 1.2.176.1.80 > > 1.1.233.209.23588: tcp 0 > > 02:1a:c5:01:00:00 > 00:00:00:00:00:00, IPv4, length 60: 1.1.233.209.23588 > > 1.2.176.1.80: tcp 0 > > 02:1a:c5:01:00:00 > 00:00:00:00:00:00, IPv4, length 1434: 1.1.233.209.23588 >> 1.2.176.1.80: tcp 1380 > > 02:1a:c5:01:00:00 > 00:00:00:00:00:00, IPv4, length 512: 1.1.233.209.23588 > > 1.2.176.1.80: tcp 458 > > 02:1a:c5:02:00:00 > 00:00:00:00:00:00, IPv4, length 60: 1.2.176.1.80 > > 1.1.233.209.23588: tcp 0 > > 02:1a:c5:01:00:00 > 00:00:00:00:00:00, IPv4, length 60: 1.1.233.209.23588 > > 1.2.176.1.80: tcp 0 > > 02:1a:c5:02:00:00 > 00:00:00:00:00:00, IPv4, length 60: 1.2.176.1.80 > > 1.1.233.209.23588: tcp 0 > > 02:1a:c5:01:00:00 > 00:00:00:00:00:00, IPv4, length 60: 1.1.233.209.23588 > > 1.2.176.1.80: tcp 0 > > [root@replay-02 tmp]# > > > > > > > > -----Original Message----- > From: Mike Komer > Sent: Thursday, September 01, 2011 10:08 > To: Main forum for tcpreplay > Subject: Re: [Tcpreplay-users] Error message > > > > It is not tagged. This same command structure is used to rewrite thousands > of captures in a loop. As of yesterday, I now store the L2 link-type > information. So, if need be I can adjust the command based on that. > > > > What I think this might be is that the IP and Link info can not be rewritten > in one go. This is verified by the fact the second attempt with the same > command works. > > > > I will try it without the vlan switch and let you know. > > > > -MK > > > > > > -----Original Message----- > > From: Aaron Turner [mailto:synfina...@gmail.com] > > Sent: Wednesday, August 31, 2011 17:46 > > To: Main forum for tcpreplay > > Subject: Re: [Tcpreplay-users] Error message > > > > Is cap.pcap really 802.1q vlan tagged? I didn't know it was possible > > to have an 802.1q tagged LINUX_SSL frame... doesn't really make a lot > > of sense really, since LINUX_SSL is a fake L2 header and 802.1q is L2. > > > > If it's not tagged, try not using the --enet-vlan=del option. If it > > is tagged, then please send me the pcap so I can use it to test. > > > > On Wed, Aug 31, 2011 at 4:12 PM, Mike Komer <mko...@juniper.net> wrote: > >> I take it back. The rewrite is running, but the IP layer is not getting > >> rewritten. Then the MAC layer is rewritten just fine. > >> > >> > >> > >> The resulting capture with wrong IP number fails to replay correctly. > >> > >> > >> > >> > >> > >> [root@replay-02 tmp]# tcpdump -e -nn -tqr cap.pcap > >> > >> reading from file cap.pcap, link-type LINUX_SLL (Linux cooked) > >> > >> P 02:1a:c5:01:00:00 1.1.233.209.23588 > 1.2.176.1.80: tcp 0 > >> > >> P 02:1a:c5:02:00:00 1.2.176.1.80 > 1.1.233.209.23588: tcp 0 > >> > >> P 02:1a:c5:01:00:00 1.1.233.209.23588 > 1.2.176.1.80: tcp 0 > >> > >> P 02:1a:c5:01:00:00 1.1.233.209.23588 > 1.2.176.1.80: tcp 1380 > >> > >> P 02:1a:c5:01:00:00 1.1.233.209.23588 > 1.2.176.1.80: tcp 458 > >> > >> P 02:1a:c5:02:00:00 1.2.176.1.80 > 1.1.233.209.23588: tcp 0 > >> > >> P 02:1a:c5:01:00:00 1.1.233.209.23588 > 1.2.176.1.80: tcp 0 > >> > >> P 02:1a:c5:02:00:00 1.2.176.1.80 > 1.1.233.209.23588: tcp 0 > >> > >> P 02:1a:c5:01:00:00 1.1.233.209.23588 > 1.2.176.1.80: tcp 0 > >> > >> [root@replay-02 tmp]# tcprewrite --dlt=enet --enet-vlan=del > >> --pnat=1.1.233.209/32:192.168.129.1/32,1.2.176.1/32:192.168.1.1/32 > >> --infile=cap.pcap --outfile=NORMAL.cap -v > >> > >> reading from file -, link-type EN10MB (Ethernet) > >> > >> 09:38:07.877834 02:1a:c5:01:00:00 Null > 00:03:00:01:00:06 Unknown DSAP >> 0x08 > >> Supervisory, Receiver not Ready, rcv seq 0, Flags [Command], length 48 > >> > >> 09:38:07.879223 02:1a:c5:02:00:00 Null > 00:03:00:01:00:06 Unknown DSAP >> 0x08 > >> Supervisory, Receiver not Ready, rcv seq 0, Flags [Command], length 48 > >> > >> 09:38:07.880207 02:1a:c5:01:00:00 Null > 00:03:00:01:00:06 Unknown DSAP >> 0x08 > >> Supervisory, Receiver not Ready, rcv seq 0, Flags [Command], length 48 > >> > >> 09:38:07.883955 02:1a:c5:01:00:00 Null > 00:03:00:01:00:06 Unknown DSAP >> 0x08 > >> Supervisory, Receiver not Ready, rcv seq 0, Flags [Command], length 1422 > >> > >> 09:38:07.885953 02:1a:c5:01:00:00 Null > 00:03:00:01:00:06 Unknown DSAP >> 0x08 > >> Supervisory, Receiver not Ready, rcv seq 0, Flags [Command], length 500 > >> > >> > >> > >> 09:38:07.887592 02:1a:c5:02:00:00 Null > 00:03:00:01:00:06 Unknown DSAP >> 0x08 > >> Supervisory, Receiver not Ready, rcv seq 0, Flags [Command], length 48 > >> > >> > >> > >> > >> > >> 09:38:08.020501 02:1a:c5:01:00:00 Null > 00:03:00:01:00:06 Unknown DSAP >> 0x08 > >> Supervisory, Receiver not Ready, rcv seq 0, Flags [Command], length 48 > >> > >> > >> > >> > >> > >> 09:38:08.022390 02:1a:c5:02:00:00 Null > 00:03:00:01:00:06 Unknown DSAP >> 0x08 > >> Supervisory, Receiver not Ready, rcv seq 0, Flags [Command], length 48 > >> > >> > >> > >> > >> > >> 09:38:08.023499 02:1a:c5:01:00:00 Null > 00:03:00:01:00:06 Unknown DSAP >> 0x08 > >> Supervisory, Receiver not Ready, rcv seq 0, Flags [Command], length 48 > >> > >> > >> > >> > >> > >> [root@replay-02 tmp]# tcpdump -e -nn -tqr NORMAL.cap > >> > >> reading from file NORMAL.cap, link-type EN10MB (Ethernet) > >> > >> 02:1a:c5:01:00:00 > 00:00:00:00:00:00, IPv4, length 60: 1.1.233.209.23588 >> > > >> 1.2.176.1.80: tcp 0 > >> > >> 02:1a:c5:02:00:00 > 00:00:00:00:00:00, IPv4, length 60: 1.2.176.1.80 > > >> 1.1.233.209.23588: tcp 0 > >> > >> 02:1a:c5:01:00:00 > 00:00:00:00:00:00, IPv4, length 60: 1.1.233.209.23588 >> > > >> 1.2.176.1.80: tcp 0 > >> > >> 02:1a:c5:01:00:00 > 00:00:00:00:00:00, IPv4, length 1434: >> 1.1.233.209.23588 > >>> 1.2.176.1.80: tcp 1380 > >> > >> 02:1a:c5:01:00:00 > 00:00:00:00:00:00, IPv4, length 512: 1.1.233.209.23588 >> > > >> 1.2.176.1.80: tcp 458 > >> > >> 02:1a:c5:02:00:00 > 00:00:00:00:00:00, IPv4, length 60: 1.2.176.1.80 > > >> 1.1.233.209.23588: tcp 0 > >> > >> 02:1a:c5:01:00:00 > 00:00:00:00:00:00, IPv4, length 60: 1.1.233.209.23588 >> > > >> 1.2.176.1.80: tcp 0 > >> > >> 02:1a:c5:02:00:00 > 00:00:00:00:00:00, IPv4, length 60: 1.2.176.1.80 > > >> 1.1.233.209.23588: tcp 0 > >> > >> 02:1a:c5:01:00:00 > 00:00:00:00:00:00, IPv4, length 60: 1.1.233.209.23588 >> > > >> 1.2.176.1.80: tcp 0 > >> > >> [root@replay-02 tmp]# > >> > >> > >> > >> > >> > >> > >> > >> > >> > >> If I rewrite NORMAL.cap again, using the same options it works > >> > >> > >> > >> > >> > >> [root@replay-02 tmp]# tcprewrite --dlt=enet --enet-vlan=del > >> --pnat=1.1.233.209/32:192.168.129.1/32,1.2.176.1/32:192.168.1.1/32 > >> --infile=NORMAL.cap --outfile=NORMAL2.cap -v > >> > >> reading from file -, link-type EN10MB (Ethernet) > >> > >> 09:38:07.877834 IP 1.1.233.209.23588 > 1.2.176.1.http: S > >> 1097483548:1097483548(0) win 16384 > >> > >> 09:38:07.879223 IP 1.2.176.1.http > 1.1.233.209.23588: S > >> 2266378423:2266378423(0) ack 1097483549 win 16384 > >> > >> 09:38:07.880207 IP 1.1.233.209.23588 > 1.2.176.1.http: . ack 1 win 16384 > >> > >> 78423(0) ack 1097483549 win 16384 > >> > >> 09:38:07.883955 IP 1.1.233.209.23588 > 1.2.176.1.http: P 1:1381(1380) ack >> 1 > >> win 16384 > >> > >> 1097483549 win 16384 > >> > >> 09:38:07.885953 IP 1.1.233.209.23588 > 1.2.176.1.http: P 1381:1839(458) >> ack > >> 1 win 16384 > >> > >> 97483549 win 16384 > >> > >> 09:38:07.887592 IP 1.2.176.1.http > 1.1.233.209.23588: . ack 1839 win >> 16384 > >> > >> 1 win 16384 > >> > >> 97483549 win 16384 > >> > >> 09:38:08.020501 IP 1.1.233.209.23588 > 1.2.176.1.http: F 1839:1839(0) ack >> 1 > >> win 16384 > >> > >> 4 > >> > >> 97483549 win 16384 > >> > >> 09:38:08.022390 IP 1.2.176.1.http > 1.1.233.209.23588: F 1:1(0) ack 1840 >> win > >> 16384 > >> > >> 84 > >> > >> 4 > >> > >> 97483549 win 16384 > >> > >> 09:38:08.023499 IP 1.1.233.209.23588 > 1.2.176.1.http: . ack 2 win 16384 > >> > >> win 16384 > >> > >> 84 > >> > >> 4 > >> > >> 97483549 win 16384 > >> > >> [root@replay-02 tmp]# tcpdump -e -nn -tqr NORMAL2.cap > >> > >> reading from file NORMAL2.cap, link-type EN10MB (Ethernet) > >> > >> 02:1a:c5:01:00:00 > 00:00:00:00:00:00, IPv4, length 60: >> 192.168.129.1.23588 > >>> 192.168.1.1.80: tcp 0 > >> > >> 02:1a:c5:02:00:00 > 00:00:00:00:00:00, IPv4, length 60: 192.168.1.1.80 > > >> 192.168.129.1.23588: tcp 0 > >> > >> 02:1a:c5:01:00:00 > 00:00:00:00:00:00, IPv4, length 60: >> 192.168.129.1.23588 > >>> 192.168.1.1.80: tcp 0 > >> > >> 02:1a:c5:01:00:00 > 00:00:00:00:00:00, IPv4, length 1434: > >> 192.168.129.1.23588 > 192.168.1.1.80: tcp 1380 > >> > >> 02:1a:c5:01:00:00 > 00:00:00:00:00:00, IPv4, length 512: >> 192.168.129.1.23588 > >>> 192.168.1.1.80: tcp 458 > >> > >> 02:1a:c5:02:00:00 > 00:00:00:00:00:00, IPv4, length 60: 192.168.1.1.80 > > >> 192.168.129.1.23588: tcp 0 > >> > >> 02:1a:c5:01:00:00 > 00:00:00:00:00:00, IPv4, length 60: >> 192.168.129.1.23588 > >>> 192.168.1.1.80: tcp 0 > >> > >> 02:1a:c5:02:00:00 > 00:00:00:00:00:00, IPv4, length 60: 192.168.1.1.80 > > >> 192.168.129.1.23588: tcp 0 > >> > >> 02:1a:c5:01:00:00 > 00:00:00:00:00:00, IPv4, length 60: >> 192.168.129.1.23588 > >>> 192.168.1.1.80: tcp 0 > >> > >> [root@replay-02 tmp]# > >> > >> >> ------------------------------------------------------------------------------ > >> Special Offer -- Download ArcSight Logger for FREE! > >> Finally, a world-class log management solution at an even better > >> price-free! And you'll get a free "Love Thy Logs" t-shirt when you > >> download Logger. Secure your free ArcSight Logger TODAY! > >> http://p.sf.net/sfu/arcsisghtdev2dev > >> _______________________________________________ > >> Tcpreplay-users mailing list > >> Tcpreplay-users@lists.sourceforge.net > >> https://lists.sourceforge.net/lists/listinfo/tcpreplay-users > >> Support Information: http://tcpreplay.synfin.net/trac/wiki/Support > >> > > > > > > > > -- > > Aaron Turner > > http://synfin.net/ Twitter: @synfinatic > > http://tcpreplay.synfin.net/ - Pcap editing and replay tools for Unix & > Windows > > Those who would give up essential Liberty, to purchase a little temporary > > Safety, deserve neither Liberty nor Safety. > > -- Benjamin Franklin > > "carpe diem quam minimum credula postero" > > > > ------------------------------------------------------------------------------ > > Special Offer -- Download ArcSight Logger for FREE! > > Finally, a world-class log management solution at an even better > > price-free! And you'll get a free "Love Thy Logs" t-shirt when you > > download Logger. Secure your free ArcSight Logger TODAY! > > http://p.sf.net/sfu/arcsisghtdev2dev > > _______________________________________________ > > Tcpreplay-users mailing list > > Tcpreplay-users@lists.sourceforge.net > > https://lists.sourceforge.net/lists/listinfo/tcpreplay-users > > Support Information: http://tcpreplay.synfin.net/trac/wiki/Support > > > > ------------------------------------------------------------------------------ > > Special Offer -- Download ArcSight Logger for FREE! > > Finally, a world-class log management solution at an even better > > price-free! And you'll get a free "Love Thy Logs" t-shirt when you > > download Logger. Secure your free ArcSight Logger TODAY! > > http://p.sf.net/sfu/arcsisghtdev2dev > > _______________________________________________ > > Tcpreplay-users mailing list > > Tcpreplay-users@lists.sourceforge.net > > https://lists.sourceforge.net/lists/listinfo/tcpreplay-users > > Support Information: http://tcpreplay.synfin.net/trac/wiki/Support > > ------------------------------------------------------------------------------ > Special Offer -- Download ArcSight Logger for FREE! > Finally, a world-class log management solution at an even better > price-free! And you'll get a free "Love Thy Logs" t-shirt when you > download Logger. Secure your free ArcSight Logger TODAY! > http://p.sf.net/sfu/arcsisghtdev2dev > _______________________________________________ > Tcpreplay-users mailing list > Tcpreplay-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/tcpreplay-users > Support Information: http://tcpreplay.synfin.net/trac/wiki/Support > -- Aaron Turner http://synfin.net/ Twitter: @synfinatic http://tcpreplay.synfin.net/ - Pcap editing and replay tools for Unix & Windows Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. -- Benjamin Franklin "carpe diem quam minimum credula postero" ------------------------------------------------------------------------------ Special Offer -- Download ArcSight Logger for FREE! Finally, a world-class log management solution at an even better price-free! And you'll get a free "Love Thy Logs" t-shirt when you download Logger. Secure your free ArcSight Logger TODAY! http://p.sf.net/sfu/arcsisghtdev2dev _______________________________________________ Tcpreplay-users mailing list Tcpreplay-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/tcpreplay-users Support Information: http://tcpreplay.synfin.net/trac/wiki/Support
