Hello everyone, Abhishek asked me a good question and I'd like to
share it with everyone along with the answer.

On 1/25/07, Abhishek Bhuyan <[EMAIL PROTECTED]> wrote:
> hey,
> I installed tcpreplay 3.0.beta 11 (build 1583:1584)
> I just want to replay pcaps to a particular IP in my network (on the
> same segment on which host resides)  to test HIPS product. It's not
> sending anything. I just want to verify if I'm wrong somewhere.
> I want to replay pcaps (say dcerpc based pcaps from 192.168.1.111
> (linux) to 192.168.1.222 (windows host)
> First I used tcpprep as:
>
> $ tcpprep --include=D:192.168.1.222 --pcap=input.pcap
> --cachefile=input.cache --port --services=/etc/services
> $  tcpreplay --cachefile=input.cache --intf1=eth0 input.pcap
> This didn't work.

Well, tcpprep is only for creating a cache file to be used later by
tcprewrite or tcpreplay.  I'm not sure what you expected to happen at
this point.  It's not editing the packets in any way.

Anyways, I'm concerned with your statement "It's not sending
anything." since it should be sending the packets - at least it works
for me.  Perhaps you had a filter looking only for 192.168.x.x???  If
not, then I'll need more information about your system to help.

>  Even I tried doing.
> $ tcprewrite -endpoints=192.168.1.111:192.168.1.222
> --cachefile=input.cache --infile=input.pcap --outfile=input.pcap
> --skipbroadcast
> $  tcpreplay --cachefile=input.cache --intf1=eth0 input.pcap

Well, first, don't specify the input file to be the same as the output
file.  That's just asking for problems (I guess I should generate an
error).

Second, why are you passing a cachefile to tcpreplay?  What do you
want it to do?

Last, this is what I would use:

First, split the traffic between client & server:
tcpprep --pcap=input.pcap --cachefile=input.cache --port

Second, edit the IP addresses of the client & server:
tcprewrite --endpoints=192.168.1.111:192.168.1.222 --cachefile=input.cache \
    --infile=input.pcap --outfile=out.pcap  --skipbroadcast

Third, replay the new pcap file:
tcpreplay --intf1 eth0 out.pcap

That should do what you're looking for.

-- 
Aaron Turner
http://synfin.net/
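
The three steps from the reply above, wrapped in a script that refuses to run when the input and output pcap are the same file. This is an added example, not part of the original message or of tcpreplay; the function names, the cache file naming and the tcpdump check (which assumes tcpdump is installed) are assumptions.

```shell
#!/bin/sh
# Added example, not tcpreplay project code. Only flags shown in the
# message above are passed to tcpprep, tcprewrite and tcpreplay.

# True when both paths name the same existing file (also via symlink or hardlink).
same_file() {
    [ -e "$1" ] && [ -e "$2" ] && [ "$1" -ef "$2" ]
}

# usage: rewrite_and_replay INFILE OUTFILE CLIENT_IP SERVER_IP INTERFACE
rewrite_and_replay() {
    infile=$1 outfile=$2 client=$3 server=$4 iface=$5
    cache="${outfile%.pcap}.cache"   # assumed naming for the cache file

    # tcprewrite reads and writes at the same time, so never let it
    # overwrite the capture it is still reading.
    if same_file "$infile" "$outfile"; then
        echo "refusing: --infile and --outfile are the same file" >&2
        return 2
    fi

    # 1. Split the traffic between client and server by port.
    tcpprep --pcap="$infile" --cachefile="$cache" --port || return 1

    # 2. Rewrite the client and server IP addresses.
    tcprewrite --endpoints="$client:$server" --cachefile="$cache" \
        --infile="$infile" --outfile="$outfile" --skipbroadcast || return 1

    # 3. Check the result before sending: count IP packets that are not
    #    between the two endpoints. --skipbroadcast leaves broadcast and
    #    multicast packets unrewritten, so a non-zero count can be expected.
    stray=$(tcpdump -nn -r "$outfile" \
        "ip and not (host $client and host $server)" 2>/dev/null | wc -l)
    echo "packets not between $client and $server: $stray" >&2

    # 4. Replay the rewritten pcap (no cache file needed here).
    tcpreplay --intf1 "$iface" "$outfile"
}

# Run only when called with all five arguments.
if [ "$#" -eq 5 ]; then
    rewrite_and_replay "$@"
fi
```

Called as `sh replay.sh input.pcap out.pcap 192.168.1.111 192.168.1.222 eth0` (the script name is hypothetical), it performs the same sequence as the commands above.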

_______________________________________________
Tcpreplay-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/tcpreplay-users
