Step 2>
Instead of '-r DNS1.pcap' try capturing an interface, e.g. '-i eth0'

From: "rikagg1 ." <[email protected]>
Reply-To: Main forum for tcpreplay <[email protected]>
Date: Tuesday, September 16, 2014 at 3:55 AM
To: "[email protected]" <[email protected]>
Subject: Re: [Tcpreplay-users] Pcap files not getting detected by L7 filter

Hello all,

I am also attaching the DNS1-client.pcap file for reference. :)

Best Regards,
Rikshit

On Tue, Sep 16, 2014 at 12:51 PM, rikagg1 . <[email protected]> wrote:
Hello all,

I am hopeful I will get the answer to my question here.
My problem is that I am sending a DNS pcap file to the L7 filter but the filter is
not able to detect it. Rather, the server is answering a DHCP broadcast, which is
getting detected.

I sent 5 DNS packets but DHCP is getting detected.
I used the following commands on my client.

1) tcprewrite --enet-dmac=ff:ff:ff:ff:ff:ff --enet-smac=00:19:D1:02:6D:0D 
--infile=dns1.cap --outfile=DNS1.pcap
(since the packets are broadcast)

2) tcpdump -s0 -r DNS1.pcap -w DNS1-client.pcap ip src 192.168.170.56
(to filter the packets, removing the packets from server)

3) sudo tcpreplay -i eth0 DNS1-client.pcap

[root@D10-15 PPA]# sudo tcpreplay -i eth0 DNS1-client.pcap
sending out eth0
processing file: DNS1-client.pcap
Actual: 5 packets (533 bytes) sent in 7.61 seconds.
Rated: 70.0 bps, 0.00 Mbps, 0.66 pps
Statistics for network device: eth0
    Attempted packets:         5
    Successful packets:        5
    Failed packets:            0
    Retried packets (ENOBUFS): 0

Here is the preview from L7 filter:

Added: stun     mark=19
opening library handle
unbinding existing nf_queue handler for AF_INET (if any)
binding nfnetlink_queue as nf_queue handler for AF_INET
binding this socket to queue '0'
setting copy_packet mode
hw_protocol = 0x0800 hook = 0 id = 0 wholemark = 00000000 mark = 0 indev = 4 
payload_len = 115
Made key from packet:   udp      17 src=217.13.4.24 dst=192.168.170.56 sport=53 
dport=1707
Made key from packet:   udp      17 src=192.168.170.56 dst=217.13.4.24 
sport=1707 dport=53
Got packet, had no ct:  udp      17 src=192.168.170.56 dst=217.13.4.24 
sport=1707 dport=53
Didn't yet find udp      17 src=217.13.4.24 dst=192.168.170.56 sport=53 
dport=1707
Set verdict ACCEPT, mark 0x000001
hw_protocol = 0x0800 hook = 0 id = 1 wholemark = 00000000 mark = 0 indev = 4 
payload_len = 84
Made key from packet:   udp      17 src=217.13.4.24 dst=192.168.170.56 sport=53 
dport=1708
Made key from packet:   udp      17 src=192.168.170.56 dst=217.13.4.24 
sport=1708 dport=53
Got packet, had no ct:  udp      17 src=192.168.170.56 dst=217.13.4.24 
sport=1708 dport=53
Didn't yet find udp      17 src=217.13.4.24 dst=192.168.170.56 sport=53 
dport=1708
Set verdict ACCEPT, mark 0x000001
hw_protocol = 0x0800 hook = 0 id = 2 wholemark = 00000000 mark = 0 indev = 4 
payload_len = 126
Made key from packet:   udp      17 src=217.13.4.24 dst=192.168.170.56 sport=53 
dport=1709
Made key from packet:   udp      17 src=192.168.170.56 dst=217.13.4.24 
sport=1709 dport=53
Got packet, had no ct:  udp      17 src=192.168.170.56 dst=217.13.4.24 
sport=1709 dport=53
Didn't yet find udp      17 src=217.13.4.24 dst=192.168.170.56 sport=53 
dport=1709
Set verdict ACCEPT, mark 0x000001
hw_protocol = 0x0800 hook = 0 id = 3 wholemark = 00000000 mark = 0 indev = 4 
payload_len = 69
Made key from packet:   udp      17 src=217.13.4.24 dst=192.168.170.56 sport=53 
dport=1710
Made key from packet:   udp      17 src=192.168.170.56 dst=217.13.4.24 
sport=1710 dport=53
Got packet, had no ct:  udp      17 src=192.168.170.56 dst=217.13.4.24 
sport=1710 dport=53
Didn't yet find udp      17 src=217.13.4.24 dst=192.168.170.56 sport=53 
dport=1710
Set verdict ACCEPT, mark 0x000001
hw_protocol = 0x0800 hook = 0 id = 4 wholemark = 00000000 mark = 0 indev = 4 
payload_len = 328
Made key from packet:   udp      17 src=255.255.255.255 dst=0.0.0.0 sport=67 
dport=68
Made key from packet:   udp      17 src=0.0.0.0 dst=255.255.255.255 sport=68 
dport=67
Got packet, had no ct:  udp      17 src=0.0.0.0 dst=255.255.255.255 sport=68 
dport=67
Didn't yet find udp      17 src=255.255.255.255 dst=0.0.0.0 sport=67 dport=68
Set verdict ACCEPT, mark 0x000001
Got event: NFCT_MSG_NEW
Made key from ct:       udp      17 src=0.0.0.0 dst=255.255.255.255 sport=68 
dport=67
hw_protocol = 0x0800 hook = 0 id = 5 wholemark = 00000000 mark = 0 indev = 4 
payload_len = 328
Made key from packet:   udp      17 src=255.255.255.255 dst=0.0.0.0 sport=67 
dport=68
Made key from packet:   udp      17 src=0.0.0.0 dst=255.255.255.255 sport=68 
dport=67
Found connection reply: udp      17 src=0.0.0.0 dst=255.255.255.255 sport=68 
dport=67
Appended data. Length so far = 33
Packet #1, data is: ..... .&P..zc.Sc5..7..*BC=.255-1.
checking against ssh
checking against telnet
checking against dhcp
matched dhcp
Set verdict ACCEPT, mark 0x000005

I am also attaching a screenshot from the L7 filter and the dns.pcap packets I
replayed.

Can anyone please help?


_______________________________________________
Tcpreplay-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/tcpreplay-users
Support Information: http://tcpreplay.synfin.net/trac/wiki/Support
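The l7-filter debug output quoted in the thread is the only evidence of what the filter actually saw, so it is worth being able to summarise it mechanically instead of reading it by eye. The script below is an added example and is not code from the thread, from tcpreplay or from l7-filter. It parses that debug format (an abridged copy of the quoted lines, with the mailing-list line wrapping removed, is embedded as the constructed SAMPLE_LOG), groups packets by the conntrack flow key printed on the "Got packet, had no ct" / "Found connection reply" lines, and reports which flows ended up classified. On the quoted lines it shows what the poster observed: each DNS query is its own flow, seen without a conntrack entry and accepted with mark 1 (no classification), while the two DHCP packets form one flow whose second packet is handled as a connection reply and matched as dhcp (mark 5). The regular expressions and the field names are this example's own assumptions about the log layout; adapt them if your l7-filter build prints something different.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: an abridged copy of the l7-filter debug output quoted in
# the thread (one DNS packet, id 0, and the two DHCP packets, ids 4 and 5).
SAMPLE_LOG = """\
Added: stun     mark=19
opening library handle
hw_protocol = 0x0800 hook = 0 id = 0 wholemark = 00000000 mark = 0 indev = 4 payload_len = 115
Made key from packet:   udp      17 src=217.13.4.24 dst=192.168.170.56 sport=53 dport=1707
Got packet, had no ct:  udp      17 src=192.168.170.56 dst=217.13.4.24 sport=1707 dport=53
Didn't yet find udp      17 src=217.13.4.24 dst=192.168.170.56 sport=53 dport=1707
Set verdict ACCEPT, mark 0x000001
hw_protocol = 0x0800 hook = 0 id = 4 wholemark = 00000000 mark = 0 indev = 4 payload_len = 328
Got packet, had no ct:  udp      17 src=0.0.0.0 dst=255.255.255.255 sport=68 dport=67
Set verdict ACCEPT, mark 0x000001
Got event: NFCT_MSG_NEW
Made key from ct:       udp      17 src=0.0.0.0 dst=255.255.255.255 sport=68 dport=67
hw_protocol = 0x0800 hook = 0 id = 5 wholemark = 00000000 mark = 0 indev = 4 payload_len = 328
Found connection reply: udp      17 src=0.0.0.0 dst=255.255.255.255 sport=68 dport=67
Appended data. Length so far = 33
Packet #1, data is: ..... .&P..zc.Sc5..7..*BC=.255-1.
checking against ssh
checking against dhcp
matched dhcp
Set verdict ACCEPT, mark 0x000005
"""

# Assumed line layouts (taken from the quoted output, not from l7-filter docs).
HEADER_RE = re.compile(r"^hw_protocol = (0x[0-9a-fA-F]+) hook = \d+ id = (\d+) .*payload_len = (\d+)")
CT_RE = re.compile(r"^(Got packet, had no ct|Found connection reply):\s+(\w+)\s+\d+\s+"
                   r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")
MATCH_RE = re.compile(r"^matched (\S+)")
VERDICT_RE = re.compile(r"^Set verdict (\w+), mark (0x[0-9a-fA-F]+)")


@dataclass
class Packet:
    pkt_id: int
    payload_len: int
    flow: str = ""            # e.g. "udp 0.0.0.0:68 -> 255.255.255.255:67"
    had_ct: bool = False      # True when l7-filter found an existing conntrack entry
    matched: Optional[str] = None   # protocol name from a "matched ..." line
    verdict: str = ""
    mark: int = 0             # mark from the verdict line, as an integer


def parse_l7_debug(text: str) -> List[Packet]:
    """Turn the debug chatter into one Packet record per 'hw_protocol ... id = N' block."""
    packets: List[Packet] = []
    cur: Optional[Packet] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            cur = Packet(pkt_id=int(m.group(2)), payload_len=int(m.group(3)))
            packets.append(cur)
            continue
        if cur is None:
            continue  # library setup lines before the first packet
        m = CT_RE.match(line)
        if m:
            state, proto, src, dst, sport, dport = m.groups()
            cur.flow = f"{proto} {src}:{sport} -> {dst}:{dport}"
            cur.had_ct = state.startswith("Found")
            continue
        m = MATCH_RE.match(line)
        if m:
            cur.matched = m.group(1)
            continue
        m = VERDICT_RE.match(line)
        if m:
            cur.verdict = m.group(1)
            cur.mark = int(m.group(2), 16)
    return packets


def summarize_flows(packets: List[Packet]) -> Dict[str, dict]:
    """Per flow: packet count, whether conntrack ever knew it, and the protocol matched (if any)."""
    flows: Dict[str, dict] = {}
    for p in packets:
        entry = flows.setdefault(p.flow, {"packets": 0, "ct_seen": False, "protocol": None})
        entry["packets"] += 1
        entry["ct_seen"] = entry["ct_seen"] or p.had_ct
        if p.matched:
            entry["protocol"] = p.matched
    return flows


def unclassified_flows(packets: List[Packet]) -> List[str]:
    """Flows that never produced a 'matched <proto>' line."""
    return sorted(f for f, e in summarize_flows(packets).items() if e["protocol"] is None)


if __name__ == "__main__":
    pkts = parse_l7_debug(SAMPLE_LOG)
    for flow, entry in summarize_flows(pkts).items():
        print(f"{flow}: {entry['packets']} pkt(s), ct_seen={entry['ct_seen']}, protocol={entry['protocol']}")
    print("unclassified:", unclassified_flows(pkts))
```

Run it against the full debug dump captured from the l7-filter userspace daemon and the unclassified list makes the failure concrete: every flow with a single packet and ct_seen=False never reached the pattern-matching stage at all, which is the distinction between "the pattern did not match" and "the filter never had a connection to match against".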