Well, tcpdump thinks HTTP runs on port 80 and SMTP is on 25. DNS is on 53. You change the port a service is running on and tcpdump goes ¯\_(ツ)_/¯

If you want it to decode the DNS, don't edit the packet destination port. :)

--
Aaron Turner
https://synfin.net/ Twitter: @synfinatic
My father once told me that respect for the truth comes close to being
the basis for all morality. "Something cannot emerge from nothing,"
he said. This is profound thinking if you understand how unstable
"the truth" can be. -- Frank Herbert, Dune

On Fri, Oct 20, 2017 at 6:10 PM, Felipe Agnelli Barbosa <no.mo...@gmail.com> wrote:
> Hi Aaron,
>
> I faced this problem too, with the CACHEDATASIZE (number of packets / 4).
>
> After this modification, I executed tcpprep again to solve the problem with
> the cache file.
>
> Interesting, I reproduced just like you.
>
> The question now is, what else does tcpdump not think it is?
>
> Thank you for all the help!
>
> I will continue with my tests.
>
> Regards,
> Felipe
>
> 2017-10-20 21:40 GMT-02:00 Fredrick Klassen via Tcpreplay-users
> <tcpreplay-users@lists.sourceforge.net>:
>> Thanks for hunting this one down Aaron.
>>
>> I opened the following bug. I usually do most of the bug fixes in
>> December, so expect a fix by the end of the year.
>>
>> https://github.com/appneta/tcpreplay/issues/423
>>
>> Fred.
>>
>> On Oct 20, 2017, at 4:25 PM, Aaron Turner <synfina...@gmail.com> wrote:
>>
>> Ah, didn't realize there were two more commands... just saw the
>> tcpprep and my brain turned off.
>>
>> The problem right now for me is that:
>>
>> tcpprep --auto=client --cachefile=query.cache --pcap=queries-ipv4-new.pcap
>>
>> is generating an invalid cache file:
>>
>> $ tcpprep -S query.cache
>> Fatal Error: Cache data length (256 bytes) doesn't match cache header (25000 bytes).
>>
>> Looks like a bug in 4.2.6.
>>
>> Anyways, that's not your problem though.
>>
>> Your problem is you're mapping the traffic from port 53 to 50068 and
>> now tcpdump doesn't think it is DNS traffic and doesn't decode it.
>> The data is still there though if you use the -A flag:
>>
>> $ tcpdump -c 1 -r queries-ipv4-READY.pcap -A
>> reading from file queries-ipv4-READY.pcap, link-type EN10MB (Ethernet)
>> 07:11:14.228108 IP localhost.50471 > localhost.50068: UDP, length 36
>> E..@....@.|..........'...,.s.............robotmatchunit.com.....
>>
>> --
>> Aaron Turner
>> https://synfin.net/ Twitter: @synfinatic
>>
>> On Fri, Oct 20, 2017 at 3:53 PM, Felipe Agnelli Barbosa
>> <no.mo...@gmail.com> wrote:
>>
>> Aaron, the problem occurs after, in the next command of my previous
>> email.
>>
>> On Oct 20, 2017 8:01 PM, "Aaron Turner" <synfina...@gmail.com> wrote:
>>
>> Works for me on 4.2.6:
>>
>> $ tcprewrite --dlt=enet --enet-smac=09:09:09:09:09:09 --enet-dmac=01:02:03:04:05:06 -i ~/Downloads/queries-ipv4.pcap -o test.pcap
>>
>> $ tcpdump -r test.pcap -c1 -v
>> reading from file test.pcap, link-type EN10MB (Ethernet)
>> 07:11:14.228108 IP (tos 0x0, ttl 64, id 1, offset 0, flags [none], proto UDP (17), length 64)
>>     localhost.50471 > localhost.domain: 0 NS? robotmatchunit.com. (36)
>>
>> $ tcprewrite -V
>> tcprewrite version: 4.2.6 (build git:v4.2.6)
>> Copyright 2013-2017 by Fred Klassen <tcpreplay at appneta dot com> - AppNeta
>> Copyright 2000-2012 by Aaron Turner <aturner at synfin dot net>
>> The entire Tcpreplay Suite is licensed under the GPLv3
>> Cache file supported: 04
>> Compiled against libdnet: 1.12
>> Compiled against libpcap: libpcap version 1.8.1 -- Apple version 67.60.1
>> 64 bit packet counters: enabled
>> Verbose printing via tcpdump: enabled
>> Fragroute engine: enabled
>>
>> --
>> Aaron Turner
>> https://synfin.net/ Twitter: @synfinatic
>>
>> On Thu, Oct 19, 2017 at 6:10 AM, Felipe Agnelli Barbosa
>> <no.mo...@gmail.com> wrote:
>>
>> Hi Aaron,
>>
>> Here follow the commands and the comments:
>>
>> tcprewrite --dlt=enet --enet-dmac="MAC" --enet-smac="MAC" -i queries-ipv4.pcap[0] -o queries-ipv4-new.pcap
>>
>> The resulting pcap file queries-ipv4-new.pcap contains the DNS queries.
>>
>> tcpprep --auto=client --cachefile=query.cache --pcap=queries-ipv4-new.pcap
>> tcprewrite -C --portmap=53:50068 --endpoints=192.168.0.3:10.153.0.17 --cachefile=query.cache -i queries-ipv4-new.pcap -o queries-ipv4-READY.pcap
>>
>> Here, with the pcap file queries-ipv4-READY.pcap, the problem that I
>> mentioned happens.
>>
>> [0] https://www.dropbox.com/sh/qhulhpfr2fcvghj/AACv81C0s7OecBuF1l8x806Aa?dl=0
>>
>> Regards,
>>
>> []s
>> Felipe
>>
>> 2017-10-19 0:44 GMT-02:00 Aaron Turner <synfina...@gmail.com>:
>>
>> Smells like a bug, but _could_ be an issue where your pcap file
>> incorrectly states the packet length. If you could share the pcap
>> file (dropbox/etc link preferred) and the tcprewrite command you ran
>> that would be useful.
>>
>> --
>> Aaron Turner
>> https://synfin.net/ Twitter: @synfinatic
>>
>> On Wed, Oct 18, 2017 at 8:17 AM, Felipe Agnelli Barbosa
>> <no.mo...@gmail.com> wrote:
>>
>> Hi guys,
>>
>> I have been working with the tcpreplay suite and I found something
>> interesting that I can't explain until now.
>>
>> My environment is made of one pcap file on which I use tcprewrite to
>> replace the source/destination IP and MAC, and the resulting pcap file
>> does not contain the DNS query, like:
>>
>> Before tcprewrite modification:
>>
>> 13:00:00.000181 IP 192.168.0.3.18418 > 10.153.0.17.53: 42386 [1au] A? www.example.com. (47)
>>
>> After:
>>
>> 13:00:00.000181 IP 192.168.0.3.18418 > 10.153.0.17.50073: UDP, length 47
>>
>> I got to see this with tcpdump.
>>
>> Has anyone ever experienced this?
>>
>> Below is some more information.
>>
>> # lsb_release -a
>> No LSB modules are available.
>> Distributor ID: Ubuntu
>> Description: Ubuntu 16.04.3 LTS
>> Release: 16.04
>> Codename: xenial
>>
>> # tcpreplay -V
>> tcpreplay version: 4.2.5 (build git:v4.2.5)
>> Copyright 2013-2017 by Fred Klassen <tcpreplay at appneta dot com> - AppNeta
>> Copyright 2000-2012 by Aaron Turner <aturner at synfin dot net>
>> The entire Tcpreplay Suite is licensed under the GPLv3
>> Cache file supported: 04
>> Not compiled with libdnet.
>> Compiled against libpcap: 1.7.4
>> 64 bit packet counters: enabled
>> Verbose printing via tcpdump: enabled
>> Packet editing: disabled
>> Fragroute engine: disabled
>> Injection method: PF_PACKET send()
>> Not compiled with netmap
>>
>> # tcpdump --v
>> tcpdump version 4.9.0
>> libpcap version 1.7.4
>> OpenSSL 1.0.2g 1 Mar 2016
>>
>> Regards,
>> Felipe
>>
>> ------------------------------------------------------------------------------
>> Check out the vibrant tech community on one of the world's most
>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>> _______________________________________________
>> Tcpreplay-users mailing list
>> Tcpreplay-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/tcpreplay-users
>> Support Information: http://tcpreplay.synfin.net/trac/wiki/Support
>>
>> --
>> "Doubt is the beginning of wisdom"
>
> --
> "Doubt is the beginning of wisdom"
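The point Aaron makes in the thread is that tcpdump picks its decoder by port number, so a query that tcprewrite has moved from port 53 to 50068 is still a complete DNS message, it just prints as "UDP, length 36". The following is an added example, not code from the thread, from tcpreplay or from tcpdump: it builds the same 36-byte `NS? robotmatchunit.com.` query that appears in the thread (all bytes are constructed here), applies a `--portmap`-style remap, and contrasts a port-keyed decoder that mimics tcpdump's behaviour with one that parses the payload regardless of port. The function names and the `portmap` helper are this example's own.

```python
"""
Added example (not from the tcpreplay mailing-list thread): a minimal DNS
question-section parser showing why a port-based decoder stops recognising a
query once its port is remapped, while the DNS payload itself is untouched.
All packet bytes are constructed here; nothing is read from a capture.
"""
import struct

DNS_PORT = 53
QTYPE_NAMES = {1: "A", 2: "NS", 28: "AAAA"}


def build_dns_query(qname: str, qtype: int, txid: int = 0) -> bytes:
    """Build a one-question DNS query: 12-byte header plus the question."""
    # flags 0x0000: standard query, no recursion desired; qdcount 1
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    labels = b"".join(
        struct.pack("!B", len(label)) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN
    return header + question


def parse_dns_question(payload: bytes) -> dict:
    """Parse the DNS header and first question; raise ValueError if malformed."""
    if len(payload) < 12:
        raise ValueError("too short for a DNS header")
    txid, _flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    if qdcount < 1:
        raise ValueError("no question section")
    off = 12
    labels = []
    while True:
        if off >= len(payload):
            raise ValueError("truncated name")
        length = payload[off]
        off += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers never appear in a plain question name
            raise ValueError("unexpected compression pointer in question")
        if off + length > len(payload):
            raise ValueError("truncated label")
        labels.append(payload[off:off + length].decode("ascii"))
        off += length
    if off + 4 > len(payload):
        raise ValueError("truncated qtype/qclass")
    qtype, qclass = struct.unpack("!HH", payload[off:off + 4])
    return {
        "id": txid,
        "qname": ".".join(labels) + ".",
        "qtype": QTYPE_NAMES.get(qtype, str(qtype)),
        "qclass": qclass,
        "length": len(payload),  # the "(36)" tcpdump prints is the DNS message length
    }


def _summary(src_port: int, dst_port: int, q: dict) -> str:
    return f"{src_port} > {dst_port}: {q['id']} {q['qtype']}? {q['qname']} ({q['length']})"


def describe_port_based(src_port: int, dst_port: int, payload: bytes) -> str:
    """Mimic tcpdump: decode as DNS only when one side of the flow is port 53."""
    if src_port == DNS_PORT or dst_port == DNS_PORT:
        return _summary(src_port, dst_port, parse_dns_question(payload))
    return f"{src_port} > {dst_port}: UDP, length {len(payload)}"


def describe_content_based(src_port: int, dst_port: int, payload: bytes) -> str:
    """Decode by inspecting the payload, whatever the ports (a decode-as override)."""
    try:
        q = parse_dns_question(payload)
    except ValueError:
        return f"{src_port} > {dst_port}: UDP, length {len(payload)}"
    return _summary(src_port, dst_port, q)


def portmap(port: int, mapping: dict) -> int:
    """Apply a tcprewrite-style --portmap=old:new mapping to a single port."""
    return mapping.get(port, port)


if __name__ == "__main__":
    # Constructed to match the thread's packet: id 0, NS? robotmatchunit.com, 36 bytes.
    query = build_dns_query("robotmatchunit.com", 2)
    print(describe_port_based(50471, DNS_PORT, query))
    dst = portmap(DNS_PORT, {53: 50068})          # what --portmap=53:50068 does
    print(describe_port_based(50471, dst, query))    # port-keyed decoder gives up
    print(describe_content_based(50471, dst, query)) # the DNS data is still there
```

For a real capture the content-based path corresponds to a decode-as override such as tshark's `-d udp.port==50068,dns`; tcpdump has no equivalent switch, which is why the thread's advice is to leave the DNS port alone if you want tcpdump to decode it.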