I did it in step 3..
Regards,
Rikshit
On Tue, Sep 16, 2014 at 4:03 PM, Fred Klassen <fklas...@appneta.com> wrote:
> Step 2>
> Instead of '-r DNS1.pcap' try capturing an interface, e.g. '-i eth0'
>
> From: "rikagg1 ." <rika...@gmail.com>
> Reply-To: Main forum for tcpreplay <tcpreplay-users@lists.sourceforge.net>
> Date: Tuesday, September 16, 2014 at 3:55 AM
> To: "Tcpreplay-users@lists.sourceforge.net" <Tcpreplay-users@lists.sourceforge.net>
> Subject: Re: [Tcpreplay-users] Pcap files not getting detected by L7 filter
>
> Hello all,
>
> I am also attaching DNS1-client.pcap file for the reference..:)
>
> Best Regards,
> Rikshit
>
> On Tue, Sep 16, 2014 at 12:51 PM, rikagg1 . <rika...@gmail.com> wrote:
>
>> Hello all,
>>
>> I am hopeful, I will get the answer to my question here..
>> My problem is, I am sending DNS pcap file to the l7 filter but the filter
>> is not able to detect it..Rather the server is answering a dhcp broadcast
>> which is getting detected.
>>
>> I sent 5 DNS packets but DHCP is getting detected..
>> I used the following commands on my client.
>>
>> 1) tcprewrite --enet-dmac=ff:ff:ff:ff:ff:ff
>> --enet-smac=00:19:D1:02:6D:0D --infile=dns1.cap --outfile=DNS1.pcap
>> (since the packets are broadcast)
>>
>> 2)tcpdump -s0 -r DNS1.pcap -w DNS1-client.pcap ip src 192.168.170.56
>> (to filter the packets, removing the packets from server)
>>
>> 3)sudo tcpreplay -i eth0 DNS1-client.pcap
>>
>> [root@D10-15 PPA]# sudo tcpreplay -i eth0 DNS1-client.pcap
>> sending out eth0
>> processing file: DNS1-client.pcap
>> Actual: 5 packets (533 bytes) sent in 7.61 seconds.
>> Rated: 70.0 bps, 0.00 Mbps, 0.66 pps
>> Statistics for network device: eth0
>>     Attempted packets:         5
>>     Successful packets:        5
>>     Failed packets:            0
>>     Retried packets (ENOBUFS): 0
>>
>> Here is the preview from L7 filter:
>>
>> Added: stun mark=19
>> opening library handle
>> unbinding existing nf_queue handler for AF_INET (if any)
>> binding nfnetlink_queue as nf_queue handler for AF_INET
>> binding this socket to queue '0'
>> setting copy_packet mode
>> hw_protocol = 0x0800 hook = 0 id = 0 wholemark = 00000000 mark = 0 indev
>> = 4 payload_len = 115
>> Made key from packet: udp 17 src=217.13.4.24 dst=192.168.170.56
>> sport=53 dport=1707
>> Made key from packet: udp 17 src=192.168.170.56 dst=217.13.4.24
>> sport=1707 dport=53
>> Got packet, had no ct: udp 17 src=192.168.170.56 dst=217.13.4.24
>> sport=1707 dport=53
>> Didn't yet find udp 17 src=217.13.4.24 dst=192.168.170.56 sport=53
>> dport=1707
>> Set verdict ACCEPT, mark 0x000001
>> hw_protocol = 0x0800 hook = 0 id = 1 wholemark = 00000000 mark = 0 indev
>> = 4 payload_len = 84
>> Made key from packet: udp 17 src=217.13.4.24 dst=192.168.170.56
>> sport=53 dport=1708
>> Made key from packet: udp 17 src=192.168.170.56 dst=217.13.4.24
>> sport=1708 dport=53
>> Got packet, had no ct: udp 17 src=192.168.170.56 dst=217.13.4.24
>> sport=1708 dport=53
>> Didn't yet find udp 17 src=217.13.4.24 dst=192.168.170.56 sport=53
>> dport=1708
>> Set verdict ACCEPT, mark 0x000001
>> hw_protocol = 0x0800 hook = 0 id = 2 wholemark = 00000000 mark = 0 indev
>> = 4 payload_len = 126
>> Made key from packet: udp 17 src=217.13.4.24 dst=192.168.170.56
>> sport=53 dport=1709
>> Made key from packet: udp 17 src=192.168.170.56 dst=217.13.4.24
>> sport=1709 dport=53
>> Got packet, had no ct: udp 17 src=192.168.170.56 dst=217.13.4.24
>> sport=1709 dport=53
>> Didn't yet find udp 17 src=217.13.4.24 dst=192.168.170.56 sport=53
>> dport=1709
>> Set verdict ACCEPT, mark 0x000001
>> hw_protocol = 0x0800 hook = 0 id = 3 wholemark = 00000000 mark = 0 indev
>> = 4 payload_len = 69
>> Made key from packet: udp 17 src=217.13.4.24 dst=192.168.170.56
>> sport=53 dport=1710
>> Made key from packet: udp 17 src=192.168.170.56 dst=217.13.4.24
>> sport=1710 dport=53
>> Got packet, had no ct: udp 17 src=192.168.170.56 dst=217.13.4.24
>> sport=1710 dport=53
>> Didn't yet find udp 17 src=217.13.4.24 dst=192.168.170.56 sport=53
>> dport=1710
>> Set verdict ACCEPT, mark 0x000001
>> hw_protocol = 0x0800 hook = 0 id = 4 wholemark = 00000000 mark = 0 indev
>> = 4 payload_len = 328
>> Made key from packet: udp 17 src=255.255.255.255 dst=0.0.0.0
>> sport=67 dport=68
>> Made key from packet: udp 17 src=0.0.0.0 dst=255.255.255.255
>> sport=68 dport=67
>> Got packet, had no ct: udp 17 src=0.0.0.0 dst=255.255.255.255
>> sport=68 dport=67
>> Didn't yet find udp 17 src=255.255.255.255 dst=0.0.0.0 sport=67
>> dport=68
>> Set verdict ACCEPT, mark 0x000001
>> Got event: NFCT_MSG_NEW
>> Made key from ct: udp 17 src=0.0.0.0 dst=255.255.255.255
>> sport=68 dport=67
>> hw_protocol = 0x0800 hook = 0 id = 5 wholemark = 00000000 mark = 0 indev
>> = 4 payload_len = 328
>> Made key from packet: udp 17 src=255.255.255.255 dst=0.0.0.0
>> sport=67 dport=68
>> Made key from packet: udp 17 src=0.0.0.0 dst=255.255.255.255
>> sport=68 dport=67
>> Found connection reply: udp 17 src=0.0.0.0 dst=255.255.255.255
>> sport=68 dport=67
>> Appended data. Length so far = 33
>> Packet #1, data is: ..... .&P..zc.Sc5..7..*BC=.255-1.
>> checking against ssh
>> checking against telnet
>> checking against dhcp
>> matched dhcp
>> Set verdict ACCEPT, mark 0x000005
>>
>> I am also attaching a screenshot from L7 filter and the dns.pcap
>> packets, I replayed.
>>
>> Can anyone please help??
>>
>>
>
>
> ------------------------------------------------------------------------------
> Want excitement?
> Manually upgrade your production database.
> When you want reliability, choose Perforce.
> Perforce version control. Predictably reliable.
>
> http://pubads.g.doubleclick.net/gampad/clk?id=157508191&iu=/4140/ostg.clktrk
> _______________________________________________
> Tcpreplay-users mailing list
> Tcpreplay-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/tcpreplay-users
> Support Information: http://tcpreplay.synfin.net/trac/wiki/Support
>
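The l7-filter debug output quoted above tells the story on its own once it is read per flow: every DNS packet arrives as "Got packet, had no ct" and is never followed by a conntrack event, while the DHCP broadcast gets an NFCT_MSG_NEW, a "Found connection reply", and only then the protocol matcher runs. The script below is an added example (not code from the thread, from l7-filter or from tcpreplay) that parses a constructed subset of those exact log lines, groups them into direction-independent flows, and reports which flows were seen but never tracked by conntrack, so the matcher never had a chance to classify them. The log format it assumes is the one quoted in the message; the sample is trimmed to one DNS flow plus the DHCP exchange.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a subset of the l7-filter debug lines quoted in the
# thread, with the wrapped "Made key"/"Got packet" entries rejoined onto
# single lines. Two DNS flows (one packet each) and the DHCP exchange.
SAMPLE_LOG = """\
Got packet, had no ct: udp 17 src=192.168.170.56 dst=217.13.4.24 sport=1707 dport=53
Didn't yet find udp 17 src=217.13.4.24 dst=192.168.170.56 sport=53 dport=1707
Set verdict ACCEPT, mark 0x000001
Got packet, had no ct: udp 17 src=192.168.170.56 dst=217.13.4.24 sport=1708 dport=53
Didn't yet find udp 17 src=217.13.4.24 dst=192.168.170.56 sport=53 dport=1708
Set verdict ACCEPT, mark 0x000001
Got packet, had no ct: udp 17 src=0.0.0.0 dst=255.255.255.255 sport=68 dport=67
Didn't yet find udp 17 src=255.255.255.255 dst=0.0.0.0 sport=67 dport=68
Set verdict ACCEPT, mark 0x000001
Got event: NFCT_MSG_NEW
Made key from ct: udp 17 src=0.0.0.0 dst=255.255.255.255 sport=68 dport=67
Found connection reply: udp 17 src=0.0.0.0 dst=255.255.255.255 sport=68 dport=67
Appended data. Length so far = 33
checking against ssh
checking against telnet
checking against dhcp
matched dhcp
Set verdict ACCEPT, mark 0x000005
"""

# Matches the 5-tuple l7-filter prints after "Got packet", "Made key" etc.
KEY_RE = re.compile(
    r"(?P<proto>\w+) \d+ src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"sport=(?P<sport>\d+) dport=(?P<dport>\d+)"
)


@dataclass
class FlowState:
    packets: int = 0               # packets the queue handler saw for this flow
    tracked: bool = False          # a conntrack entry was observed for it
    matched: Optional[str] = None  # protocol l7-filter eventually matched


def flow_key(m):
    """Direction-independent key so request and reply map to one flow."""
    a = (m["src"], m["sport"])
    b = (m["dst"], m["dport"])
    lo, hi = sorted([a, b])
    return (m["proto"], lo, hi)


def summarize(log_text):
    """Walk the debug log and build a FlowState per flow."""
    flows = {}
    current = None  # flow the following "matched ..." line belongs to
    for line in log_text.splitlines():
        if line.startswith("Got packet, had no ct:") or line.startswith(
            "Found connection reply:"
        ):
            key = flow_key(KEY_RE.search(line))
            st = flows.setdefault(key, FlowState())
            st.packets += 1
            if line.startswith("Found connection reply:"):
                st.tracked = True
            current = key
        elif line.startswith("Made key from ct:"):
            # Emitted right after NFCT_MSG_NEW: conntrack now knows this flow.
            key = flow_key(KEY_RE.search(line))
            flows.setdefault(key, FlowState()).tracked = True
        elif line.startswith("matched ") and current is not None:
            flows[current].matched = line.split(" ", 1)[1].strip()
    return flows


def untracked_flows(flows):
    """Flows with packets but no conntrack entry. l7-filter only runs its
    pattern matcher on tracked connections, so these can never be classified
    regardless of what their payload contains."""
    return [key for key, st in flows.items() if not st.tracked]


if __name__ == "__main__":
    flows = summarize(SAMPLE_LOG)
    for key, st in flows.items():
        print(key, st)
    print("never tracked:", untracked_flows(flows))
```

Running it against the quoted output shows the DHCP flow with two packets, a conntrack entry and `matched == "dhcp"`, and both DNS flows with one packet each, no conntrack entry and no match. That is the diagnostic to chase before touching the l7-filter patterns: the replayed DNS packets are one-directional (the server replies were filtered out in step 2, and the rewritten broadcast MAC means nothing on the segment answers), so conntrack never confirms a connection and the classifier never sees the payload.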