5

I am trying to send packets using TCP replay. The file was captured in another network and contains UDP packets. In order to replay, I've changed the src and destination address, etc., using the following command:

tcprewrite --infile=original.cap --outfile=changed.cap --srcipmap=0.0.0.0/0:<MY HOST IP>/32 --dstipmap=0.0.0.0/0:<MY HOST IP>/32 --enet-dmac=<enp0s25 mac addr> --enet-smac=<enp0s25 mac addr> --fixcsum

After changing the packets, I've tried to replay using tcpreplay:

sudo tcpreplay --intf1=enp0s25  changed.cap

tcpdump shows that packets were rewritten and apparently OK:

[root@localhost ~]# tcpdump -i enp0s25 udp port 6302 
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s25, link-type EN10MB (Ethernet), capture size 262144 bytes
09:31:56.758809 IP localhost.localdomain.qb-db-server > localhost.localdomain.6302: UDP, length 673
09:31:56.758836 IP localhost.localdomain.12608 > localhost.localdomain.6302: UDP, length 669
09:31:56.758845 IP localhost.localdomain.13024 > localhost.localdomain.6302: UDP, length 671
09:31:56.758967 IP localhost.localdomain.11584 > localhost.localdomain.6302: UDP, length 666
....

However, if I launch netcat to listen on port 0.0.0.0:6302, I can't see any traffic!

Any idea what's wrong?

rgoncalves

2 Answers

4

This is perfectly normal. The parameter --intf1 sets the output interface, not the input interface. So your packets will not be injected into the Linux network stack. In other words, the interface driver's output functions are used to send the packets, which is not what you want.

To fix this you need to either use a UDP socket from an application (like netcat) and send the UDP payload of your pcap or run tcpreplay on a different machine (it can also be a VM).

This way tcpreplay will use the interface (set by --intf1) to "output" the packets and your machine will use the driver's input functions to inject the packets to the Linux network stack.

B--rian
Krzysztof
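The socket-based route this answer recommends, as an added example that is not from the post or from tcpreplay: a small pure-Python pcap walker that pulls the UDP payloads out of a capture (here a constructed three-packet capture standing in for original.cap) and re-sends them through an ordinary UDP socket, so a local listener such as netcat on 0.0.0.0:6302 actually receives them. The function names and the sample capture are assumptions.

```python
import socket
import struct

# Walk a pcap of Ethernet frames and yield (src_port, dst_port, payload)
# for every IPv4/UDP packet (hypothetical helper, not tcpreplay code).
def udp_payloads(pcap_bytes):
    endian = "<" if pcap_bytes[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("only EN10MB (Ethernet) captures are handled")
    off = 24
    while off + 16 <= len(pcap_bytes):
        incl_len = struct.unpack(endian + "IIII", pcap_bytes[off:off + 16])[2]
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                  # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != 17:
            continue                                  # not UDP
        udp = frame[14 + ihl:]
        sport, dport, ulen = struct.unpack("!HHH", udp[:6])
        yield sport, dport, udp[8:ulen]

def replay_to_stack(pcap_bytes, host, port, only_dport=None):
    """Send each UDP payload through an ordinary socket, so the kernel's
    input path delivers it to local listeners (unlike tcpreplay's TX path)."""
    sent = 0
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        for _, dport, payload in udp_payloads(pcap_bytes):
            if only_dport is None or dport == only_dport:
                s.sendto(payload, (host, port))
                sent += 1
    return sent

# Constructed sample capture standing in for original.cap: two UDP packets
# to port 6302 (as in the question) plus one unrelated DNS-port packet.
def _udp_frame(sport, dport, payload):
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + udp
    return b"\x00" * 12 + b"\x08\x00" + ip         # zero MACs, EtherType IPv4

def build_sample_pcap():
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # global header
    for i, (sp, dp, data) in enumerate([(12608, 6302, b"record-a"),
                                        (13024, 6302, b"record-b"),
                                        (5000, 53, b"not-ours")]):
        frame = _udp_frame(sp, dp, data)
        out += struct.pack("<IIII", 1538000000 + i, 0, len(frame), len(frame)) + frame
    return out
```

With a real capture, read the file into bytes and call `replay_to_stack(data, "127.0.0.1", 6302, only_dport=6302)` while netcat listens on that port.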
1

I see that you are replaying the file to interface enp0s25. However, your tcpdump output is showing that you are capturing on localhost. Try `tcpdump -i enp0s25`.

fredk
  • I've edited the question to add the tcpdump command and the output details. – rgoncalves Oct 02 '18 at 08:35
  • OK, now I see what is happening. You are changing both the source and destination addresses in the PCAP file to your local IP address. This effectively tells the stack that you don't want to send the packet out the interface, rather have it sent to the localhost. Try just changing the source address to your local IP address, and leave the destination address as is. – fredk Oct 02 '18 at 19:07
  • Tried your suggestion, but it's not working! I've also copied the capture to another host and applied the rewrite rules/replay accordingly, but no luck! – rgoncalves Oct 09 '18 at 13:06