On Wed, Dec 2, 2009 at 10:14 PM, Guanyao Huang <[email protected]> wrote:
> This is raw IP pcap file from OC192 high speed link. I want to replay
> it in an ethernet port, of course, with reduced link rate.
> Also I want to change its mac addresses and ip addresses to some fixed values.
> If you now tcpreplay it and tcpdump the output, you can see that
> tcpdump can not recognize the file.
> So, I guess I should convert it first and then replay it.
> Thanks.
>
> On Wed, Dec 2, 2009 at 9:30 PM, Aaron Turner <[email protected]> wrote:
>> got it. I'll let you know if I find anything interesting. Just so
>> I'm clear, what are you trying to do? Are you testing an IDS or ?????

Well, I looked at a sample of the packets in wireshark... almost every
single packet is truncated. So if --fixlen=del actually worked, it
would have deleted 95% of the packets, and basically every packet with
application data.

If you still want to remove the truncated packets, then you could
write a small C program using libpcap to compare the pcap_pkthdr.len
vs pcap_pkthdr.caplen for each packet and then throw away any packet
where those two don't match.

FYI, there's a simple filter you can use in wireshark to find packets
like this:

    frame.cap_len < 14

Anyways, I was looking at your pcap in wireshark. Packets #18189 and
18959 (there may be others) are really truncated: only 8 bytes each. A
quirk of tcprewrite is that it likes to pretend all packets are at
least 14 bytes long (long enough to have a valid ethernet header). In
your case it's not a valid assumption, so feel free to just comment
out the offending line of code:

    src/tcpedit/plugins/dlt_en10mb/en10mb.c @ line 346:
    assert(pktlen >= 14)

And you should be able to rewrite your packets just fine.

Unfortunately, there are so few valid packets in the capture that it is
not IMHO particularly useful for replay. Nobody is going to properly
process those packets (although it might be a good robustness test, I
suppose).

-Aaron

--
Aaron Turner
http://synfin.net/
http://tcpreplay.synfin.net/ - Pcap editing and replay tools for Unix & Windows
Those who would give up essential Liberty, to purchase a little temporary
Safety, deserve neither Liberty nor Safety.
    -- Benjamin Franklin
"carpe diem quam minimum credula postero"
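
The filter suggested in the reply above (throw away any packet whose pcap_pkthdr.len and pcap_pkthdr.caplen differ), as an added example that is not code from the thread or from the tcpreplay project. To stay dependency-free it reads the classic pcap file format directly instead of calling libpcap; in the file, caplen and len are each record's incl_len and orig_len fields. The names drop_truncated, rd32 and sample_pcap are made up for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PCAP_FILE_HDR 24 /* classic pcap global header */
#define PCAP_REC_HDR  16 /* ts_sec, ts_frac, incl_len (caplen), orig_len (len) */
/* Read a 32-bit field in the file's byte order. */
static uint32_t rd32(const uint8_t *p, int big) {
    return big ? ((uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3])
               : ((uint32_t)p[3] << 24 | (uint32_t)p[2] << 16 | (uint32_t)p[1] << 8 | p[0]);
}

/* Copy the file header and every record with caplen == len into out (which
 * must hold in_len bytes). Returns bytes written, 0 if not a classic pcap. */
size_t drop_truncated(const uint8_t *in, size_t in_len, uint8_t *out,
                      unsigned *kept, unsigned *dropped) {
    *kept = *dropped = 0;
    if (in_len < PCAP_FILE_HDR) return 0;
    uint32_t magic = rd32(in, 0);
    int big = (magic == 0xd4c3b2a1u || magic == 0x4d3cb2a1u); /* byte-swapped magics */
    if (!big && magic != 0xa1b2c3d4u && magic != 0xa1b23c4du) return 0;
    memcpy(out, in, PCAP_FILE_HDR);
    size_t off = PCAP_FILE_HDR, w = PCAP_FILE_HDR;
    while (in_len - off >= PCAP_REC_HDR) {
        uint32_t caplen = rd32(in + off + 8, big), len = rd32(in + off + 12, big);
        if (caplen > in_len - off - PCAP_REC_HDR) break; /* record runs past end of input */
        size_t rec = PCAP_REC_HDR + (size_t)caplen;
        if (caplen == len) { memcpy(out + w, in + off, rec); w += rec; ++*kept; }
        else ++*dropped; /* truncated at capture time: skip it */
        off += rec;
    }
    return w;
}

/* Constructed sample (not from the thread): little-endian LINKTYPE_RAW (101) file,
 * dummy payloads; records are complete (4/4), truncated (8 of 60), complete (2/2). */
const uint8_t sample_pcap[] = {
    0xd4,0xc3,0xb2,0xa1, 2,0,4,0, 0,0,0,0, 0,0,0,0, 0xff,0xff,0,0, 101,0,0,0,
    1,0,0,0, 0,0,0,0, 4,0,0,0, 4,0,0,0,  0xaa,0xaa,0xaa,0xaa,
    2,0,0,0, 0,0,0,0, 8,0,0,0, 60,0,0,0, 0xbb,0xbb,0xbb,0xbb,0xbb,0xbb,0xbb,0xbb,
    3,0,0,0, 0,0,0,0, 2,0,0,0, 2,0,0,0,  0xcc,0xcc,
};

int main(void) {
    uint8_t out[sizeof sample_pcap];
    unsigned kept, dropped;
    size_t n = drop_truncated(sample_pcap, sizeof sample_pcap, out, &kept, &dropped);
    printf("wrote %zu bytes: kept %u, dropped %u\n", n, kept, dropped);
}
```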
