On Oct 19, 2007 9:04 AM, <[EMAIL PROTECTED]> wrote:
>
> Quoting Aaron Turner <[EMAIL PROTECTED]>:
>
> > On Oct 19, 2007 5:59 AM, <[EMAIL PROTECTED]> wrote:
> >> Quoting Aaron Turner <[EMAIL PROTECTED]>:
> >> > On 8/7/07, David <[EMAIL PROTECTED]> wrote:
> >> >> I have a capture file in pcap format that does not include Ethernet
> >> >> headers. I create a dummy interface in Linux and I am trying to
> >> >> replay the packets across it. The tcpdump analysis that tcpreplay
> >> >> shows is correct. However, the actual data that is sent is incorrect,
> >> >> because it lacks an ethernet header (so the first few bytes of the IP
> >> >> header get read as ethernet).
> >> >>
> >> >> I have looked for tools to add a 'fake' ethernet header but I have not
> >> >> found any.
> >> >>
> >> >> Is there a way to get tcpreplay to add a fake ethernet header? Can I
> >> >> add a header using another tool (od and text2pcap do not work
> >> >> correctly)? Should this be considered as a feature request?
> >> >
> >> > Missing L2 headers is common for BSD RAW and BSD Loopback captures.
> >> > tcprewrite can add a ethernet header for you. tcprewrite is part of
> >> > the tcpreplay 3.0 suite. More information here:
> >> >
> >> > http://tcpreplay.synfin.net/trac/wiki/tcprewrite
> >>
> >> Aaron,
> >>
> >> Thanks. I've checked the trac page and compiled the latest (3.2.0)
> >> from source. However, I can't find an option to add an ethernet header.
> >>
> >> I can find how to rewrite the MAC addresses, but this just corrupts
> >> the capture. Can you provide an example of the options required to
> >> take an IP only capture and add an ethernet header with imaginary MAC
> >> addresses?
> >
> > What options for tcprewrite were you using? What is the DLT type of
> > the pcap? Did you use the --dlt =enet to change your DLT type to
> > ethernet?
>
> Sorry for not being clear. The capture is IP only and tcpdump shows
> it as "13:59:57 IP src_ip > dst_ip .....". I ran tcprewrite with the
> options:
>
> $ tcprewrite --dlt=enet --enet-dmac="01:01:01:01:01:01"
> --enet-smac="01:01:01:01:01:02" -i in.pcap -o out.pcap
>
> However, the resulting file appears to be corrupt. Frames have the
> correct date and the MAC addresses that would be expected, but tcpdump
> does not decode any IP data. Instead, each packet has "Unknown DSAP
> 0x44 Information" as the decode.
>
> The file has increased slightly, from 91052 to 97156 bytes.
>
> Thanks for your help, it is appreciated.

"IP only" unfortunately doesn't tell me what DLT type the pcap file
is. There are at least 2 different DLT types which fit that
description that I know of, possibly more.

If you can send me your pcap, I can take a look at this more closely
when I get some free time. It could be a bug in tcprewrite or maybe
the pcap is whacked. Unfortunately, today thru Sunday I'm at the race
track "working" while I also am the pit crew for my buddy, so no
promises when I'll get back to you.

--
Aaron Turner
http://synfin.net/
http://tcpreplay.synfin.net/ - Pcap editing & replay tools for Unix

They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. -- Benjamin Franklin
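
The DLT question raised in the reply above can be answered from the capture file itself, since the link type is stored in the 24-byte pcap global header. The following is an added example, not part of the original thread or of tcpreplay's code; the function names, the short link-type table and the sample packet are constructed for illustration.

```python
import struct

# LINKTYPE value in the pcap global header -> (name, bytes preceding the IP header)
LINKTYPES = {
    0: ("DLT_NULL (BSD loopback)", 4),
    1: ("DLT_EN10MB (Ethernet)", 14),
    12: ("DLT_RAW (raw IP, DLT number 12)", 0),
    101: ("DLT_RAW (raw IP)", 0),
    108: ("DLT_LOOP (OpenBSD loopback)", 4),
    113: ("DLT_LINUX_SLL (Linux cooked)", 16),
}
# Magic bytes as they appear on disk -> struct byte-order prefix
MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",  # microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">",  # nanosecond timestamps
}

def inspect_pcap(data):
    """Return (linktype, name, nibble); nibble is the high 4 bits of the byte
    where the first packet's IP header should start (4 or 6 if it does)."""
    if len(data) < 24 or data[:4] not in MAGICS:
        raise ValueError("not a classic pcap file")
    endian = MAGICS[data[:4]]
    # Rest of global header: version major/minor, thiszone, sigfigs, snaplen, network
    linktype = struct.unpack(endian + "HHiIII", data[4:24])[-1]
    name, l2_len = LINKTYPES.get(linktype, ("not in this script's table", None))
    nibble = None
    if l2_len is not None and len(data) >= 40:
        # First record header: ts_sec, ts_usec, incl_len, orig_len
        incl_len = struct.unpack(endian + "I", data[32:36])[0]
        pkt = data[40:40 + incl_len]
        if len(pkt) > l2_len:
            nibble = pkt[l2_len] >> 4
    return linktype, name, nibble

def build_sample(linktype, packet):
    """Constructed little-endian pcap holding one packet (sample input only)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    record = struct.pack("<IIII", 0, 0, len(packet), len(packet))
    return header + record + packet

# Constructed 20-byte IPv4 header (192.0.2.1 > 192.0.2.2, checksum left at zero)
SAMPLE_IP = bytes.fromhex("450000140000000040010000c0000201c0000202")

if __name__ == "__main__":
    for lt, pkt in ((101, SAMPLE_IP), (0, struct.pack("<I", 2) + SAMPLE_IP)):
        print(inspect_pcap(build_sample(lt, pkt)))
```

To check a real capture, pass the file's bytes: `inspect_pcap(open("in.pcap", "rb").read())`. A nibble other than 4 or 6 means the IP header does not start where the declared link type says it should.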
