Hi Aaron, You're right, using /0 is not the right thing to do, but I started off using /32 and got increasingly desperate.
However, your suggestion seems to have made it work nicely. For the future archaeologists, here's what I did that worked: tcprewrite --infile=../pcap/sendfax.pcap --outfile=../pcap/mod_sendfax.pcap --dlt=enet tcprewrite --srcipmap=91.194.225.4/32:192.168.1.211/32 --dstipmap=91.194.225.103/32:192.168.1.170/32 --infile=../pcap/mod_sendfax.pcap --outfile=../pcap/final_sendfax.pcap --fixcsum And that seems to have made the exact changes I was looking for, when I check the new file in Wireshark. However, if I don't change it to enet first, and just run: tcprewrite --srcipmap=91.194.225.4/32:192.168.1.211/32 --dstipmap=91.194.225.103/32:192.168.1.170/32 --infile=../pcap/sendfax.pcap --outfile=../pcap/final_sendfax.pcap --dlt=enet --fixcsum Then the source ip breaks, becoming 255.255.255.4, with bad checksums. Anyway, thanks for the help. Ryan On 2014-02-10, at 11:49 PM, Aaron Turner wrote: > Using 94.194.255.4/0 is a bit odd. You're basically writing 0.0.0.0/0 > or 255.255.255.255/0... they're all equivalent and so you're matching > everything. > > Could be a bug with calculating the offsets though. Try first > converting it to Ethernet first and then running tcprewrite a second > time to change the source IP. > -- > Aaron Turner > http://synfin.net/ Twitter: @synfinatic > Those who would give up essential Liberty, to purchase a little temporary > Safety, deserve neither Liberty nor Safety. > -- Benjamin Franklin > > > On Mon, Feb 10, 2014 at 2:00 PM, Ryan d'Eon <rd...@jnetrixsystems.com> wrote: >> Hello, >> >> I've taken a pcap file from: https://code.osso.nl/projects/sipp/browser#pcap >> , the one labeled "sendfax.pcap". >> I've viewed it in wireshark, looked at the source and dest IPs, and want to >> change them to ones of my choosing. >> To try to change source ip = 94.194.255.4 to 192.168.1.211, I used: >> tcprewrite --srcipmap=94.194.255.4/0:192.168.1.211/32 >> --infile=../pcap/sendfax.pcap --outfile=../pcap/mod_sendfax.pcap --dlt=enet >> --fixcsum >> >> But when I view this output file in wireshark, instead I find that the >> source IP has changed to 255.255.192.168 and dest IP is now 1.211.255.103 . >> Notice the ip I was looking for, 192.168.1.211, is split across the two! >> Wireshark also tells me the checksum is now wrong. >> This looks to (naive) me like the tool might have edited the wrong bytes. >> However, I know so little about the syntax of this operation, that I can't >> be sure. I've tried a variety of xx.xx.xx.xx/y , with colons and commas, and >> this experimentation + reading the docs has left me here. >> >> So, any help you could give would great. >> In case it helps, >> $ tcprewrite -V >> tcprewrite version: 3.4.4 (build 2450) >> Copyright 2000-2010 by Aaron Turner <aturner at synfin dot net> >> Cache file supported: 04 >> Not compiled with libdnet. >> Compiled against libpcap: 1.1.1 >> 64 bit packet counters: enabled >> Verbose printing via tcpdump: enabled >> Fragroute engine: disabled >> >> I'm using OSX 10.7.5, and there are no error messages. The input file is >> Linux Cooked (DLT_LINUX_SLL), which is why I had to specify the output >> encoding to enet. >> >> Thanks, >> Ryan >> ------------------------------------------------------------------------------ >> Android apps run on BlackBerry 10 >> Introducing the new BlackBerry 10.2.1 Runtime for Android apps. >> Now with support for Jelly Bean, Bluetooth, Mapview and more. >> Get your Android app in front of a whole new audience. Start now. >> http://pubads.g.doubleclick.net/gampad/clk?id=124407151&iu=/4140/ostg.clktrk >> _______________________________________________ >> Tcpreplay-users mailing list >> Tcpreplay-users@lists.sourceforge.net >> https://lists.sourceforge.net/lists/listinfo/tcpreplay-users >> Support Information: http://tcpreplay.synfin.net/trac/wiki/Support > > ------------------------------------------------------------------------------ > Android apps run on BlackBerry 10 > Introducing the new BlackBerry 10.2.1 Runtime for Android apps. > Now with support for Jelly Bean, Bluetooth, Mapview and more. > Get your Android app in front of a whole new audience. Start now. > http://pubads.g.doubleclick.net/gampad/clk?id=124407151&iu=/4140/ostg.clktrk > _______________________________________________ > Tcpreplay-users mailing list > Tcpreplay-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/tcpreplay-users > Support Information: http://tcpreplay.synfin.net/trac/wiki/Support ------------------------------------------------------------------------------ Android apps run on BlackBerry 10 Introducing the new BlackBerry 10.2.1 Runtime for Android apps. Now with support for Jelly Bean, Bluetooth, Mapview and more. Get your Android app in front of a whole new audience. Start now. http://pubads.g.doubleclick.net/gampad/clk?id=124407151&iu=/4140/ostg.clktrk _______________________________________________ Tcpreplay-users mailing list Tcpreplay-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/tcpreplay-users Support Information: http://tcpreplay.synfin.net/trac/wiki/Support
