Hi Aaron,
I faced this problem too, with the CACHEDATASIZE (number of packets / 4).
After this modification, I executed tcpprep again to solve the problem with
the cache file.
Interesting, I reproduced it just like you.
The question now is, what else does tcpdump not think it is?
Thank you for all the help!
I will continue with my tests.
Regards,
Felipe
2017-10-20 21:40 GMT-02:00 Fredrick Klassen via Tcpreplay-users <
tcpreplay-users@lists.sourceforge.net>:
> Thanks for hunting this one down Aaron.
>
> I opened the following bug. I usually do most of the bug fixes in
> December, so expect a fix by the end of the year.
>
> https://github.com/appneta/tcpreplay/issues/423
>
> Fred.
>
> On Oct 20, 2017, at 4:25 PM, Aaron Turner <synfina...@gmail.com> wrote:
>
> Ah, didn't realize there were two more commands... just saw the
> tcpprep and my brain turned off.
>
> The problem right now for me is that:
>
> tcpprep --auto=client --cachefile=query.cache --pcap=queries-ipv4-new.pcap
>
> is generating an invalid cache file:
>
> $ tcpprep -S query.cache
>
> Fatal Error: Cache data length (256 bytes) doesn't match cache header
> (25000 bytes).
>
> Looks like a bug in 4.2.6.
>
> Anyways, that's not your problem though.
>
> Your problem is you're mapping the traffic from port 53 to 50068 and
> now tcpdump doesn't think it is DNS traffic and doesn't decode it.
> The data is still there though if you use the -A flag:
>
>
> $ tcpdump -c 1 -r queries-ipv4-READY.pcap -A
> reading from file queries-ipv4-READY.pcap, link-type EN10MB (Ethernet)
> 07:11:14.228108 IP localhost.50471 > localhost.50068: UDP, length 36
> E..@....@.|..........'...,.s.............robotmatchunit.com.....
>
>
> --
> Aaron Turner
> https://synfin.net/ Twitter: @synfinatic
> My father once told me that respect for the truth comes close to being
> the basis for all morality. "Something cannot emerge from nothing,"
> he said. This is profound thinking if you understand how unstable
> "the truth" can be. -- Frank Herbert, Dune
>
>
> On Fri, Oct 20, 2017 at 3:53 PM, Felipe Agnelli Barbosa
> <no.mo...@gmail.com> wrote:
>
> Aaron, the problem occurs after, in the next command of my previous
> email.
>
>
> On Oct 20, 2017 8:01 PM, "Aaron Turner" <synfina...@gmail.com> wrote:
>
>
> Works for me on 4.2.6:
>
> $ tcprewrite --dlt=enet --enet-smac=09:09:09:09:09:09
> --enet-dmac=01:02:03:04:05:06 -i ~/Downloads/queries-ipv4.pcap -o
> test.pcap
>
> $ tcpdump -r test.pcap -c1 -v
> reading from file test.pcap, link-type EN10MB (Ethernet)
> 07:11:14.228108 IP (tos 0x0, ttl 64, id 1, offset 0, flags [none],
> proto UDP (17), length 64)
> localhost.50471 > localhost.domain: 0 NS? robotmatchunit.com. (36)
>
> $ tcprewrite -V
> tcprewrite version: 4.2.6 (build git:v4.2.6)
> Copyright 2013-2017 by Fred Klassen <tcpreplay at appneta dot com> -
> AppNeta
> Copyright 2000-2012 by Aaron Turner <aturner at synfin dot net>
> The entire Tcpreplay Suite is licensed under the GPLv3
> Cache file supported: 04
> Compiled against libdnet: 1.12
> Compiled against libpcap: libpcap version 1.8.1 -- Apple version 67.60.1
> 64 bit packet counters: enabled
> Verbose printing via tcpdump: enabled
> Fragroute engine: enabled
>
>
>
> On Thu, Oct 19, 2017 at 6:10 AM, Felipe Agnelli Barbosa
> <no.mo...@gmail.com> wrote:
>
> Hi Aaron,
>
> Here are the commands and the comments:
>
> tcprewrite --dlt=enet --enet-dmac="MAC" --enet-smac="MAC" -i
> queries-ipv4.pcap[0] -o queries-ipv4-new.pcap
>
> The resulting pcap file, queries-ipv4-new.pcap, contains the DNS queries.
>
> tcpprep --auto=client --cachefile=query.cache
> --pcap=queries-ipv4-new.pcap
> tcprewrite -C --portmap=53:50068 --endpoints=192.168.0.3:10.153.0.17
> --cachefile=query.cache -i queries-ipv4-new.pcap -o
> queries-ipv4-READY.pcap
>
> Here, with the pcap file queries-ipv4-READY.pcap, the problem that I
> mentioned happens.
>
> [0]
>
> https://www.dropbox.com/sh/qhulhpfr2fcvghj/AACv81C0s7OecBuF1l8x806Aa?dl=0
>
>
> Regards,
>
> []s
> Felipe
>
>
> 2017-10-19 0:44 GMT-02:00 Aaron Turner <synfina...@gmail.com>:
>
>
> Smells like a bug, but _could_ be an issue where your pcap file
> incorrectly states the packet length. If you could share the pcap
> file (dropbox/etc link preferred) and the tcprewrite command you ran
> that would be useful.
>
>
> On Wed, Oct 18, 2017 at 8:17 AM, Felipe Agnelli Barbosa
> <no.mo...@gmail.com> wrote:
>
> Hi guys,
>
> I have been working with the tcpreplay suite and I found something
> interesting that I can't explain until now.
>
> My environment is made of one pcap file on which I use tcprewrite to
> replace the source/destination IP and MAC, and the resulting pcap file
> does not contain the DNS query, like:
>
> Before tcprewrite modification:
>
> 13:00:00.000181 IP 192.168.0.3.18418 > 10.153.0.17.53: 42386 [1au] A? www.example.com. (47)
>
> After:
>
> 13:00:00.000181 IP 192.168.0.3.18418 > 10.153.0.17.50073: UDP, length 47
>
> I got to see this with tcpdump.
>
> Has anyone ever experienced this?
>
> Below is some more information.
>
> # lsb_release -a
> No LSB modules are available.
> Distributor ID: Ubuntu
> Description: Ubuntu 16.04.3 LTS
> Release: 16.04
> Codename: xenial
>
> # tcpreplay -V
> tcpreplay version: 4.2.5 (build git:v4.2.5)
> Copyright 2013-2017 by Fred Klassen <tcpreplay at appneta dot com> -
> AppNeta
> Copyright 2000-2012 by Aaron Turner <aturner at synfin dot net>
> The entire Tcpreplay Suite is licensed under the GPLv3
> Cache file supported: 04
> Not compiled with libdnet.
> Compiled against libpcap: 1.7.4
> 64 bit packet counters: enabled
> Verbose printing via tcpdump: enabled
> Packet editing: disabled
> Fragroute engine: disabled
> Injection method: PF_PACKET send()
> Not compiled with netmap
>
> # tcpdump --v
> tcpdump version 4.9.0
> libpcap version 1.7.4
> OpenSSL 1.0.2g 1 Mar 2016
>
>
> Regards,
> Felipe
>
>
>
>
> ------------------------------------------------------------
> ------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Tcpreplay-users mailing list
> Tcpreplay-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/tcpreplay-users
> Support Information: http://tcpreplay.synfin.net/trac/wiki/Support
--
" Doubt is the beginning of wisdom "
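
Aaron's point in the quoted reply (the DNS bytes survive the --portmap rewrite; tcpdump just stops labelling them once the port is no longer 53) can be checked by parsing the UDP payload without looking at the port. This is an added example, not code from the thread or from tcpreplay; the frame is constructed to match the query shown above (robotmatchunit.com, NS, 36 bytes) and the function names are hypothetical.

```python
import struct

QTYPES = {1: "A", 2: "NS", 28: "AAAA"}  # small subset, enough for this demo
# Constructed 36-byte DNS query: id 0, one question, NS robotmatchunit.com.
QUERY = (struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0)
         + b"\x0erobotmatchunit\x03com\x00" + struct.pack("!HH", 2, 1))

def build_frame(sport, dport, payload):
    """Constructed Ethernet/IPv4/UDP frame (checksums left at 0 for brevity)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                     bytes([127, 0, 0, 1]), bytes([127, 0, 0, 1]))
    eth = bytes.fromhex("010203040506") + bytes.fromhex("090909090909") + b"\x08\x00"
    return eth + ip + udp

def parse_dns_query(payload):
    """Return (id, qname, qtype) if payload parses as a DNS query, else None."""
    if len(payload) < 12:
        return None
    ident, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    if flags & 0x8000 or qd != 1:      # response bit set, or not exactly one question
        return None
    labels, off = [], 12
    while True:
        if off >= len(payload):
            return None
        n = payload[off]
        off += 1
        if n == 0:                     # root label ends the name
            break
        if n > 63 or off + n > len(payload):   # pointer or truncated label: reject
            return None
        labels.append(payload[off:off + n].decode("ascii", "replace"))
        off += n
    if off + 4 > len(payload):
        return None
    qtype, _qclass = struct.unpack("!HH", payload[off:off + 4])
    return ident, ".".join(labels) + ".", QTYPES.get(qtype, str(qtype))

def decode_frame(frame):
    """Return (sport, dport, dns) for an IPv4/UDP frame; the port is never used to pick a decoder."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
        return None
    ihl = (frame[14] & 0x0F) * 4
    udp = frame[14 + ihl:]
    sport, dport, ulen, _csum = struct.unpack("!HHHH", udp[:8])
    return sport, dport, parse_dns_query(udp[8:ulen])
```
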