Are you trying to get the L7 filter on the same box that is running tcpreplay to see/process the packets? If so, that's your problem. L7 filters see incoming packets, but tcpreplay sends them outbound (regardless of what your L2 header says).
The only time a process will see packets that tcpreplay sends on the same box is when it is opening a PF_PACKET (or equivalent) socket and running in promiscuous mode.

--
Aaron Turner
http://synfin.net/ Twitter: @synfinatic
Those who would give up essential Liberty, to purchase a little temporary
Safety, deserve neither Liberty nor Safety.
-- Benjamin Franklin

On Tue, Sep 16, 2014 at 3:55 AM, rikagg1 . <rika...@gmail.com> wrote:
> Hello all,
>
> I am also attaching the DNS1-client.pcap file for reference.. :)
>
> Best Regards,
> Rikshit
>
> On Tue, Sep 16, 2014 at 12:51 PM, rikagg1 . <rika...@gmail.com> wrote:
>>
>> Hello all,
>>
>> I am hopeful I will get the answer to my question here..
>> My problem is, I am sending a DNS pcap file to the l7 filter but the filter
>> is not able to detect it.. Rather, the server is answering a DHCP broadcast
>> which is getting detected.
>>
>> I sent 5 DNS packets but DHCP is getting detected..
>> I used the following commands on my client.
>>
>> 1) tcprewrite --enet-dmac=ff:ff:ff:ff:ff:ff --enet-smac=00:19:D1:02:6D:0D --infile=dns1.cap --outfile=DNS1.pcap
>>    (since the packets are broadcast)
>>
>> 2) tcpdump -s0 -r DNS1.pcap -w DNS1-client.pcap ip src 192.168.170.56
>>    (to filter the packets, removing the packets from the server)
>>
>> 3) sudo tcpreplay -i eth0 DNS1-client.pcap
>>
>> [root@D10-15 PPA]# sudo tcpreplay -i eth0 DNS1-client.pcap
>> sending out eth0
>> processing file: DNS1-client.pcap
>> Actual: 5 packets (533 bytes) sent in 7.61 seconds.
>> Rated: 70.0 bps, 0.00 Mbps, 0.66 pps
>> Statistics for network device: eth0
>> Attempted packets: 5
>> Successful packets: 5
>> Failed packets: 0
>> Retried packets (ENOBUFS): 0
>>
>> Here is the preview from L7 filter:
>>
>> Added: stun mark=19
>> opening library handle
>> unbinding existing nf_queue handler for AF_INET (if any)
>> binding nfnetlink_queue as nf_queue handler for AF_INET
>> binding this socket to queue '0'
>> setting copy_packet mode
>> hw_protocol = 0x0800 hook = 0 id = 0 wholemark = 00000000 mark = 0 indev = 4 payload_len = 115
>> Made key from packet: udp 17 src=217.13.4.24 dst=192.168.170.56 sport=53 dport=1707
>> Made key from packet: udp 17 src=192.168.170.56 dst=217.13.4.24 sport=1707 dport=53
>> Got packet, had no ct: udp 17 src=192.168.170.56 dst=217.13.4.24 sport=1707 dport=53
>> Didn't yet find udp 17 src=217.13.4.24 dst=192.168.170.56 sport=53 dport=1707
>> Set verdict ACCEPT, mark 0x000001
>> hw_protocol = 0x0800 hook = 0 id = 1 wholemark = 00000000 mark = 0 indev = 4 payload_len = 84
>> Made key from packet: udp 17 src=217.13.4.24 dst=192.168.170.56 sport=53 dport=1708
>> Made key from packet: udp 17 src=192.168.170.56 dst=217.13.4.24 sport=1708 dport=53
>> Got packet, had no ct: udp 17 src=192.168.170.56 dst=217.13.4.24 sport=1708 dport=53
>> Didn't yet find udp 17 src=217.13.4.24 dst=192.168.170.56 sport=53 dport=1708
>> Set verdict ACCEPT, mark 0x000001
>> hw_protocol = 0x0800 hook = 0 id = 2 wholemark = 00000000 mark = 0 indev = 4 payload_len = 126
>> Made key from packet: udp 17 src=217.13.4.24 dst=192.168.170.56 sport=53 dport=1709
>> Made key from packet: udp 17 src=192.168.170.56 dst=217.13.4.24 sport=1709 dport=53
>> Got packet, had no ct: udp 17 src=192.168.170.56 dst=217.13.4.24 sport=1709 dport=53
>> Didn't yet find udp 17 src=217.13.4.24 dst=192.168.170.56 sport=53 dport=1709
>> Set verdict ACCEPT, mark 0x000001
>> hw_protocol = 0x0800 hook = 0 id = 3 wholemark = 00000000 mark = 0 indev = 4 payload_len = 69
>> Made key from packet: udp 17 src=217.13.4.24 dst=192.168.170.56 sport=53 dport=1710
>> Made key from packet: udp 17 src=192.168.170.56 dst=217.13.4.24 sport=1710 dport=53
>> Got packet, had no ct: udp 17 src=192.168.170.56 dst=217.13.4.24 sport=1710 dport=53
>> Didn't yet find udp 17 src=217.13.4.24 dst=192.168.170.56 sport=53 dport=1710
>> Set verdict ACCEPT, mark 0x000001
>> hw_protocol = 0x0800 hook = 0 id = 4 wholemark = 00000000 mark = 0 indev = 4 payload_len = 328
>> Made key from packet: udp 17 src=255.255.255.255 dst=0.0.0.0 sport=67 dport=68
>> Made key from packet: udp 17 src=0.0.0.0 dst=255.255.255.255 sport=68 dport=67
>> Got packet, had no ct: udp 17 src=0.0.0.0 dst=255.255.255.255 sport=68 dport=67
>> Didn't yet find udp 17 src=255.255.255.255 dst=0.0.0.0 sport=67 dport=68
>> Set verdict ACCEPT, mark 0x000001
>> Got event: NFCT_MSG_NEW
>> Made key from ct: udp 17 src=0.0.0.0 dst=255.255.255.255 sport=68 dport=67
>> hw_protocol = 0x0800 hook = 0 id = 5 wholemark = 00000000 mark = 0 indev = 4 payload_len = 328
>> Made key from packet: udp 17 src=255.255.255.255 dst=0.0.0.0 sport=67 dport=68
>> Made key from packet: udp 17 src=0.0.0.0 dst=255.255.255.255 sport=68 dport=67
>> Found connection reply: udp 17 src=0.0.0.0 dst=255.255.255.255 sport=68 dport=67
>> Appended data. Length so far = 33
>> Packet #1, data is: ..... .&P..zc.Sc5..7..*BC=.255-1.
>> checking against ssh
>> checking against telnet
>> checking against dhcp
>> matched dhcp
>> Set verdict ACCEPT, mark 0x000005
>>
>> I am also attaching a screenshot from L7 filter and the dns.pcap packets
>> I replayed.
>>
>> Can anyone please help??
>>
>
> ------------------------------------------------------------------------------
> Want excitement?
> Manually upgrade your production database.
> When you want reliability, choose Perforce.
> Perforce version control. Predictably reliable.
> http://pubads.g.doubleclick.net/gampad/clk?id=157508191&iu=/4140/ostg.clktrk
> _______________________________________________
> Tcpreplay-users mailing list
> Tcpreplay-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/tcpreplay-users
> Support Information: http://tcpreplay.synfin.net/trac/wiki/Support
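The reply above turns on one fact: l7-filter hooks netfilter (nfnetlink_queue) and therefore only sees packets that traverse the host's own input path, whereas tcpreplay hands frames straight to the NIC, so the only local observer that will see them is a packet socket. As an added example, not taken from the thread or from the tcpreplay or l7-filter projects, the Python script below opens an AF_PACKET socket on a named interface, switches it to promiscuous mode, decodes each Ethernet/IPv4/UDP frame into the same `udp 17 src=... dst=... sport=... dport=...` key shape that appears in the l7-filter debug lines, and labels the flow as dns, dhcp or other by port. It also reports whether the frame was inbound or outbound, which is the quickest way to confirm that replayed traffic leaves the box rather than arriving on it. The interface name `eth0`, the MAC addresses, the packet-socket constants (copied from `linux/if_packet.h`) and the synthetic frames produced by `build_udp_frame` are assumptions made for this demonstration; `sniff()` needs Linux and CAP_NET_RAW (root), while the parsing helpers run anywhere.

```python
import socket
import struct

# Values from linux/if_packet.h; not every Python build exports them by name.
ETH_P_ALL = 0x0003
SOL_PACKET = 263
PACKET_ADD_MEMBERSHIP = 1
PACKET_MR_PROMISC = 1
PACKET_OUTGOING = 4  # pkttype reported for frames this host transmits itself


def classify(sport, dport):
    """Coarse per-flow label from UDP ports: the two protocols the thread is about."""
    ports = {sport, dport}
    if 53 in ports:
        return "dns"
    if ports & {67, 68}:
        return "dhcp"
    return "other"


def parse_frame(frame):
    """Decode an Ethernet/IPv4/UDP frame into a dict; return None for anything else."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None  # not IPv4 (e.g. ARP)
    ip = frame[14:]
    if len(ip) < 20 or (ip[0] >> 4) != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4  # header length in bytes, honours IP options
    if ip[9] != 17 or len(ip) < ihl + 8:
        return None  # not UDP, or truncated before the UDP header
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return {
        "src": socket.inet_ntoa(ip[12:16]),
        "dst": socket.inet_ntoa(ip[16:20]),
        "sport": sport,
        "dport": dport,
        "label": classify(sport, dport),
    }


def flow_key(info):
    """Render a parsed frame in the shape of l7-filter's 'Made key from packet' lines."""
    return "udp 17 src={src} dst={dst} sport={sport} dport={dport}".format(**info)


def build_udp_frame(smac, dmac, src_ip, dst_ip, sport, dport, payload):
    """Constructed test frame (IP and UDP checksums left zero; enough to parse offline)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return mac(dmac) + mac(smac) + struct.pack("!H", 0x0800) + ip + udp


def sniff(iface="eth0", count=5):
    """Promiscuous AF_PACKET capture; prints direction, label and flow key per UDP frame."""
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL))
    s.bind((iface, 0))
    # struct packet_mreq { int mr_ifindex; u16 mr_type; u16 mr_alen; u8 mr_address[8]; }
    mreq = struct.pack("iHH8s", socket.if_nametoindex(iface), PACKET_MR_PROMISC, 0, b"\x00" * 8)
    s.setsockopt(SOL_PACKET, PACKET_ADD_MEMBERSHIP, mreq)
    seen = []
    while len(seen) < count:
        frame, (_, _, pkttype, _, _) = s.recvfrom(65535)
        info = parse_frame(frame)
        if info is None:
            continue
        direction = "outbound" if pkttype == PACKET_OUTGOING else "inbound"
        print(direction, info["label"], flow_key(info))
        seen.append(info)
    s.close()
    return seen


if __name__ == "__main__":
    sniff()
```

Run it as root in one terminal while tcpreplay sends in another: every replayed frame shows up as `outbound`, which is exactly the traffic a netfilter-based inspector never receives. A frame tagged `inbound dhcp` that appears without any replay is the server's own DHCP chatter, the thing that was being matched in the original debug output.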