Replay network captures in Linux using ‘tcpreplay’


Rewrite the source IP address 192.168.1.10 and the source MAC address in the capture to 10.0.10.1 and 00:AB:DD:BB:58:1B. The new source IP and MAC should match the interface from which the traffic will be replayed.

# tcprewrite --srcipmap=192.168.1.10:10.0.10.1 --enet-smac=00:AB:DD:BB:58:1B --infile=capture.pcap --outfile=temp.pcap

If every source IP address in the capture should be rewritten, not just one host, match on 0.0.0.0/0 instead:

--srcipmap=0.0.0.0/0:10.0.10.1

Rewrite every destination IP address and the destination MAC address in the capture to 10.0.100.20 and 00:AB:DD:BB:50:1A:

# tcprewrite --dstipmap=0.0.0.0/0:10.0.100.20 --enet-dmac=00:AB:DD:BB:50:1A --infile=temp.pcap --outfile=final.pcap

After the rewrite, inspect the result before putting it on the wire (for example with tcpdump -nn -e -r final.pcap, which prints the rewritten MAC and IP headers), then replay it with tcpreplay:

# tcpreplay --intf1=eth0 final.pcap

To loop through a pcap file 10 times (use 0 to loop until CTRL-C is pressed):

# tcpreplay --intf1=eth0 --loop=10 final.pcap

If the pcap file(s) you are looping are small enough to fit in available RAM, consider using the --enable-file-cache option. This option caches each packet in RAM so that subsequent reads don't have to hit the slower disk.

Another useful option is --quiet. This suppresses printing to the screen each time tcpreplay starts a new iteration.
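To make explicit what the two tcprewrite commands above change inside each frame, here is an added Python example written for this page (it is not tcpreplay project code). It parses a classic pcap, rewrites the source and destination MACs, maps IPv4 addresses by CIDR match the way --srcipmap/--dstipmap do, and recomputes the IPv4 header checksum and the TCP/UDP checksum, both of which cover the addresses (tcprewrite turns on its -C/--fixcsum recalculation automatically for --srcipmap/--dstipmap rewrites). The capture it works on is constructed inline: the MACs and IPs are the ones used above, and the 192.168.1.11 sender is a second constructed host included to show that a /32 match leaves other sources alone.

```python
import ipaddress
import struct

ETHERTYPE_IPV4 = 0x0800
PCAP_HDR, REC_HDR = 24, 16          # classic pcap global / per-record header sizes


def mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def inet_checksum(data):
    """RFC 1071 ones-complement checksum; returns 0 over data that already carries a valid one."""
    data = bytes(data) + (b"\x00" if len(data) % 2 else b"")
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def l4_checksum(src, dst, proto, segment):
    """TCP/UDP checksum: IPv4 pseudo-header (addresses, proto, length) + segment."""
    pseudo = bytes(src) + bytes(dst) + struct.pack("!BBH", 0, proto, len(segment))
    return inet_checksum(pseudo + bytes(segment))


def rewrite_frame(frame, srcipmap=None, dstipmap=None, smac=None, dmac=None):
    """srcipmap/dstipmap are (match_cidr, new_ip) pairs, like tcprewrite's MATCH:NEW maps."""
    f = bytearray(frame)
    if dmac:
        f[0:6] = mac_bytes(dmac)
    if smac:
        f[6:12] = mac_bytes(smac)
    if len(f) < 34 or struct.unpack("!H", f[12:14])[0] != ETHERTYPE_IPV4:
        return bytes(f)                        # not IPv4: only the MACs were touched
    ihl, total_len, proto = (f[14] & 0x0F) * 4, struct.unpack("!H", f[16:18])[0], f[23]
    for off, mapping in ((26, srcipmap), (30, dstipmap)):
        if mapping and ipaddress.IPv4Address(bytes(f[off:off + 4])) in ipaddress.IPv4Network(mapping[0]):
            f[off:off + 4] = ipaddress.IPv4Address(mapping[1]).packed
    # The addresses feed both the IPv4 header checksum and the TCP/UDP pseudo-header,
    # so both must be recomputed or the device under test will see corrupt packets.
    f[24:26] = b"\x00\x00"
    f[24:26] = struct.pack("!H", inet_checksum(f[14:14 + ihl]))
    l4 = 14 + ihl
    if proto in (6, 17):
        coff = l4 + (16 if proto == 6 else 6)              # checksum offset in TCP / UDP header
        if proto == 6 or f[coff:coff + 2] != b"\x00\x00":  # UDP checksum 0 means "disabled": leave it
            f[coff:coff + 2] = b"\x00\x00"
            csum = l4_checksum(f[26:30], f[30:34], proto, f[l4:14 + total_len])
            f[coff:coff + 2] = struct.pack("!H", csum or (0xFFFF if proto == 17 else 0))
    return bytes(f)


def iter_records(data):
    """Yield (record_header, frame) from a classic pcap in either byte order."""
    endian = "<" if struct.unpack("<I", data[:4])[0] in (0xA1B2C3D4, 0xA1B23C4D) else ">"
    off = PCAP_HDR
    while off + REC_HDR <= len(data):
        incl_len = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        yield data[off:off + REC_HDR], data[off + REC_HDR:off + REC_HDR + incl_len]
        off += REC_HDR + incl_len


def rewrite_pcap(data, **maps):
    """Frame lengths do not change, so the global and record headers are copied through."""
    return data[:PCAP_HDR] + b"".join(hdr + rewrite_frame(fr, **maps) for hdr, fr in iter_records(data))


def checksums_ok(frame):
    """True when the IPv4 header checksum and (for TCP/UDP) the transport checksum verify."""
    ihl, total_len, proto = (frame[14] & 0x0F) * 4, struct.unpack("!H", frame[16:18])[0], frame[23]
    seg = frame[14 + ihl:14 + total_len]
    if inet_checksum(frame[14:14 + ihl]) != 0:
        return False
    if proto == 17 and seg[6:8] == b"\x00\x00":
        return True                                         # UDP checksum disabled
    return proto not in (6, 17) or l4_checksum(frame[26:30], frame[30:34], proto, seg) == 0


def build_udp_frame(smac, dmac, src, dst, sport, dport, payload):
    """Constructed Ethernet/IPv4/UDP frame (sample input for this example, not captured traffic)."""
    s, d = ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    udp = udp[:6] + struct.pack("!H", l4_checksum(s, d, 17, udp) or 0xFFFF) + udp[8:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0x4000, 64, 17, 0, s, d)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return mac_bytes(dmac) + mac_bytes(smac) + struct.pack("!H", ETHERTYPE_IPV4) + ip + udp


def build_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    return out + b"".join(struct.pack("<IIII", 1700000000 + i, 0, len(fr), len(fr)) + fr
                          for i, fr in enumerate(frames))


def demo():
    """Same intent as the two tcprewrite runs above, done in one pass; returns per-frame facts."""
    capture = build_pcap([
        build_udp_frame("00:11:22:33:44:55", "66:77:88:99:AA:BB", "192.168.1.10", "192.168.1.120", 40000, 53, b"q1"),
        build_udp_frame("00:11:22:33:44:55", "66:77:88:99:AA:BB", "192.168.1.11", "192.168.1.120", 40001, 53, b"q2"),
    ])
    rewritten = rewrite_pcap(capture, srcipmap=("192.168.1.10/32", "10.0.10.1"),   # only that one host
                             dstipmap=("0.0.0.0/0", "10.0.100.20"),                # every destination
                             smac="00:AB:DD:BB:58:1B", dmac="00:AB:DD:BB:50:1A")
    return [{"smac": ":".join("%02X" % b for b in fr[6:12]), "dmac": ":".join("%02X" % b for b in fr[0:6]),
             "src": str(ipaddress.IPv4Address(fr[26:30])), "dst": str(ipaddress.IPv4Address(fr[30:34])),
             "checksums_ok": checksums_ok(fr)} for _, fr in iter_records(rewritten)]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Run it as a script to print the per-frame result. Whatever tool does the rewrite, check the output with tcpdump -nn -e -vv -r final.pcap before replaying (-vv makes tcpdump flag bad IP checksums), and replay only onto an isolated test segment: tcpreplay puts the frames on the wire exactly as stored, so anything addressed to real hosts will reach them.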

Options

   -q, --quiet                Quiet mode
   -T, --timer=str            Select packet timing mode: select, ioport, rdtsc, gtod, nano, abstime
       --sleep-accel=num      Reduce the amount of time to sleep by specified usec
       --rdtsc-clicks=num     Specify the RDTSC clicks/usec
   -v, --verbose              Print decoded packets via tcpdump to STDOUT
   -A, --decode=str           Arguments passed to tcpdump decoder
   -K, --enable-file-cache    Enable caching of packets to internal memory
       --preload-pcap         Preloads packets into RAM before sending
   -c, --cachefile=str        Split traffic via a tcpprep cache file
   -i, --intf1=str            Server/primary traffic output interface
   -I, --intf2=str            Client/secondary traffic output interface
       --listnics             List available network interfaces and exit
   -l, --loop=num             Loop through the capture file X times
       --pktlen               Override the snaplen and use the actual packet len
   -L, --limit=num            Limit the number of packets to send
   -x, --multiplier=str       Modify replay speed to a given multiple
   -p, --pps=num              Replay packets at a given packets/sec
   -M, --mbps=str             Replay packets at a given Mbps
   -t, --topspeed             Replay packets as fast as possible
   -o, --oneatatime           Replay one packet at a time for each user input
       --pps-multi=num        Number of packets to send for each time interval
   -P, --pid                  Print the PID of tcpreplay at startup
       --stats=num            Print statistics every X seconds
   -V, --version              Print version information
   -h, --less-help            Display less usage information and exit
   -H, --help                 Display usage information and exit
   -!, --more-help            Extended usage information passed thru pager
       --save-opts[=arg]      Save the option state to a config file
       --load-opts=str        Load options from a config file

Saving Linux tcpdump captures to a file

To capture all packets on an interface:

#tcpdump -i <interface> -w <filename>.pcap

Example:

#tcpdump -i eth1 -w capture.pcap

Limiting the capture to a number of packets

#tcpdump -i <interface> -c <count> -w <filename>.pcap

Example:

#tcpdump -i eth1 -c 1000 -w capture.pcap

Capturing only packets with a given destination IP

#tcpdump -i <interface> -c <count> -w <filename>.pcap dst <ip>

Example:

#tcpdump -i eth1 -c 1000 -w capture.pcap dst 192.168.1.120

Capturing only packets with a given destination port

#tcpdump -i <interface> -c <count> -w <filename>.pcap dst port <port>

Example:

#tcpdump -i eth1 -c 1000 -w capture.pcap dst port 80

Capturing packets where a host is either the source or the destination

#tcpdump -i <interface> -c <count> -w <filename>.pcap host <ip>

Example:

#tcpdump -i eth1 -c 1000 -w capture.pcap host 192.168.1.120

 

The saved files can later be opened in Wireshark or any other packet analyzer that supports the .pcap format.

[Read More: “Tcpdump usage examples” by rationallyPARANOID]

IP Subnetting Quick Cheat Sheet

If you work with IP networks then you already know how IP subnetting works and most likely remember all the subnets, so this tutorial is not for you.

A few years back, when I was doing my CCNA, I had good basics in IP subnetting and knew the binary calculation that is the first step to understanding it; with that I was able to calculate subnets, host ranges, etc. However, it used to take me minutes. So I had to make something simple to remember, and I made the following table.

Note: I may not be the only one who created this table; there are probably thousands of similar versions. But it worked for me, so it may work for someone who is new to IP, as I was when I was trying to polish my skills.

Table-1 (image not reproduced here): for each prefix length, the subnet mask value in the octet the prefix falls in, and the number of IPs per subnet.

Table-2 (image not reproduced here): for each prefix length, the values at which each subnet starts in the octet the prefix falls in.

Example:

Suppose we have an IP address : 10.10.10.163/27

We need to find out the Subnet Mask, Network Address, Broadcast Address and Range of Hosts.

Step 1:

In Table-1 we see that /27 has a mask octet value of 224, and we know that /27 falls in the last octet, so:

Subnet mask = 255.255.255.224

Step 2:

From the same Table-1 we see that there are 32 IPs per subnet.

But we have to subtract 2 from 32: one for the network address and one for the broadcast address.

Number of hosts in a /27 network = 32 - 2 = 30

Step 3:

In Table-2, going down the /27 column, we find that the last octet of our IP, .163, lies in the block that starts at 160 and ends before the next block starts at 192.

For the network address we always take the lowest value in the block, so:

Network Address = 10.10.10.160

The broadcast address is the last address in the block, i.e. the start of the next block minus 1: 192 - 1 = 191.

Broadcast Address = 10.10.10.191

Step 4:

The range of host addresses is now easy to find.

We know our Network Address= 10.10.10.160 & Broadcast Address= 10.10.10.191

Range of Hosts= 10.10.10.161 – 10.10.10.190

OK, that was easy; subnetting in the last octet always is!
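The same four steps with Python's standard ipaddress module, as an added example for this page (not from the original post). subnet_facts does the whole calculation for any address/prefix, locate reproduces the Step 3 block lookup, and table1/table2 regenerate the two lookup tables the images above held, for any prefix length rather than only the last octet. The /31 and /32 handling follows RFC 3021 and goes beyond what the tables cover.

```python
import ipaddress


def subnet_facts(cidr):
    """Steps 1-4 above for any IPv4 address/prefix: mask, network, broadcast, host range, count."""
    net = ipaddress.IPv4Interface(cidr).network
    if net.prefixlen >= 31:          # RFC 3021 /31 and /32: no network/broadcast reserved
        first, last, usable = net[0], net[-1], net.num_addresses
    else:
        first, last, usable = net[1], net[-2], net.num_addresses - 2
    return {"mask": str(net.netmask), "network": str(net.network_address),
            "broadcast": str(net.broadcast_address), "first_host": str(first),
            "last_host": str(last), "usable_hosts": usable}


def interesting_octet(prefix):
    """Index (0-3) of the octet the prefix falls in, and how many mask bits it uses there."""
    octet = (prefix - 1) // 8
    return octet, prefix - 8 * octet


def table1(prefixes=range(1, 31)):
    """Table-1 regenerated: prefix -> (mask, mask value in that octet, IPs per subnet, usable hosts)."""
    rows = {}
    for p in prefixes:
        net = ipaddress.IPv4Network("0.0.0.0/%d" % p)
        octet, _ = interesting_octet(p)
        rows[p] = (str(net.netmask), net.netmask.packed[octet], net.num_addresses, net.num_addresses - 2)
    return rows


def table2(prefix):
    """Table-2 regenerated: (octet index, values at which each subnet starts in that octet)."""
    octet, bits = interesting_octet(prefix)
    block = 2 ** (8 - bits)
    return octet, list(range(0, 256, block))


def locate(cidr):
    """Step 3 as a lookup: (octet index, block start, start of the next block) for the address."""
    addr = ipaddress.IPv4Interface(cidr)
    octet, starts = table2(addr.network.prefixlen)
    value = addr.ip.packed[octet]
    start = max(s for s in starts if s <= value)
    return octet, start, start + (starts[1] if len(starts) > 1 else 256)


if __name__ == "__main__":
    print(subnet_facts("10.10.10.163/27"))   # the worked example above
    print(locate("10.10.10.163/27"))         # (3, 160, 192): last octet, block 160..191
    print(table1()[27], table2(27))
```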

Configuring VLANs in Linux

Turn off NetworkManager so that it does not manage these interfaces (the files below also set NM_CONTROLLED=no; chkconfig only disables it at boot, so stop the running service as well with service NetworkManager stop):

#chkconfig NetworkManager off

Go to the directory /etc/sysconfig/network-scripts/ and edit the file for the parent physical interface, ifcfg-eth0 or ifcfg-eth1.

#cd /etc/sysconfig/network-scripts/
#vi ifcfg-eth0
DEVICE=eth0
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=no
BOOTPROTO=none
HWADDR=00:0C:29:CA:19:29
HOTPLUG=no
IPADDR=10.10.1.230
PREFIX=24
IPV4_FAILURE_FATAL=yes
IPV6INIT=no
IPV6_AUTOCONF=no
NAME="Ethernet1"
VLAN=yes

For creating VLAN with ID=300

#cp ifcfg-eth0 ifcfg-eth0.300          //copy the file and name it ifcfg-<parent>.<VLANID>
#vi ifcfg-eth0.300
DEVICE=eth0.300
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=no
BOOTPROTO=none
HWADDR=00:0C:29:CA:19:29
HOTPLUG=no
IPADDR=10.10.2.230
PREFIX=24
IPV4_FAILURE_FATAL=yes
IPV6INIT=no
IPV6_AUTOCONF=no
NAME="VLAN300"
VLAN=yes

Then

#service network restart

You can create more VLANs by adding more files named ifcfg-eth0.<VLANID>, with DEVICE=eth0.<VLANID> inside each (the file name and the DEVICE line must both carry the VLAN ID), and restarting the network service again.
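An added Python helper (not part of the original post) that generates the VLAN sub-interface file from the parent file above, checks that the VLAN ID is a valid 802.1Q tag (1 to 4094) and names the file ifcfg-<parent>.<VID>, which is what ifup looks for. The parent file content is constructed from the listing above, and a scratch directory stands in for /etc/sysconfig/network-scripts/.

```python
import os
import tempfile

# Constructed from the parent-interface listing above (not copied from a live system).
PARENT_IFCFG = """DEVICE=eth0
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=no
BOOTPROTO=none
HWADDR=00:0C:29:CA:19:29
HOTPLUG=no
IPADDR=10.10.1.230
PREFIX=24
IPV4_FAILURE_FATAL=yes
IPV6INIT=no
IPV6_AUTOCONF=no
NAME="Ethernet1"
VLAN=yes
"""


def parse_ifcfg(text):
    """KEY=VALUE lines into an ordered dict; quotes are stripped and comments skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip().strip('"')
    return cfg


def render_ifcfg(cfg):
    return "".join("%s=%s\n" % (k, '"%s"' % v if k == "NAME" else v) for k, v in cfg.items())


def check_vlan_id(vlan_id):
    """802.1Q reserves 0 and 4095; only 1-4094 are usable tags."""
    return isinstance(vlan_id, int) and 1 <= vlan_id <= 4094


def vlan_ifcfg(parent_cfg, vlan_id, ipaddr, prefix):
    """Return (file name, content) for an 802.1Q sub-interface of parent_cfg['DEVICE']."""
    if not check_vlan_id(vlan_id):
        raise ValueError("802.1Q VLAN ID must be 1-4094, got %r" % (vlan_id,))
    if "." in parent_cfg["DEVICE"]:
        raise ValueError("parent %s is itself a VLAN sub-interface" % parent_cfg["DEVICE"])
    device = "%s.%d" % (parent_cfg["DEVICE"], vlan_id)
    cfg = dict(parent_cfg)                  # keeps HWADDR, NM_CONTROLLED=no, BOOTPROTO, ...
    cfg.update(DEVICE=device, IPADDR=ipaddr, PREFIX=str(prefix), NAME="VLAN%d" % vlan_id, VLAN="yes")
    return "ifcfg-" + device, render_ifcfg(cfg)


def write_vlan_ifcfg(directory, parent_cfg, vlan_id, ipaddr, prefix):
    """Write the file under `directory` (/etc/sysconfig/network-scripts on a real host)."""
    filename, content = vlan_ifcfg(parent_cfg, vlan_id, ipaddr, prefix)
    path = os.path.join(directory, filename)
    with open(path, "w") as fh:
        fh.write(content)
    os.chmod(path, 0o644)
    return path


def demo(directory=None):
    """Create eth0.300 as above plus a second VLAN under a scratch directory and read them back."""
    directory = directory or tempfile.mkdtemp(prefix="network-scripts-")
    parent = parse_ifcfg(PARENT_IFCFG)
    result = {}
    for vid, ip in ((300, "10.10.2.230"), (301, "10.10.3.230")):
        path = write_vlan_ifcfg(directory, parent, vid, ip, 24)
        with open(path) as fh:
            result[os.path.basename(path)] = parse_ifcfg(fh.read())
    return result


if __name__ == "__main__":
    for name, cfg in demo().items():
        print(name, cfg["DEVICE"], cfg["IPADDR"])
```

After service network restart, ip -d link show eth0.300 shows the 802.1Q tag on the new interface, and cat /proc/net/vlan/config lists every VLAN sub-interface the 8021q module has created.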

Detect Packet Errors In LAN Connection Status

Many of us use fast broadband connections these days, and it's important to know whether the data you send and receive arrives intact. When there are errors sending or receiving data you may have problems downloading or uploading files: downloads may fail MD5 checks or appear corrupt, a downloaded Zip or Rar archive won't open, and so on. If you keep getting errors sending packets but not receiving them, that can point to a faulty network adapter.

Error information is an important first step in troubleshooting a connection. It's easy to view basic network connection information: you can see a connection's current status, duration, speed and the packets or bytes sent and received. This is usually found by double-clicking the status icon in the system tray, or through Network and Sharing Center > Change adapter settings in Vista and above. The Status dialog shows nearly everything by default but, oddly, does not display errors for the connection.


Before reaching for packet-sniffing software to detect packet loss and errors, you can enable a hidden setting in Windows that shows any errors on your connection. The linked article describes the registry change that adds this information to the Status dialog.

[Read More: Full article by Raymond.cc]

TamoSoft Throughput Test

TamoSoft Throughput Test is a utility for testing the performance of a wireless or wired network. This utility continuously sends TCP and UDP data streams….


[Read More]

TCP Packet Replay & Editor

Tcpreplay is a suite of GPLv3 licensed tools (earlier releases were BSD licensed) written by Aaron Turner for UNIX (and Win32 under Cygwin) operating systems which gives you the ability to use previously captured traffic in libpcap format to test a variety of network devices. It allows you to classify traffic as client or server, rewrite Layer 2, 3 and 4 headers and finally replay the traffic back onto the network and through other devices such as switches, routers, firewalls, NIDS and IPSs. Tcpreplay supports both single and dual NIC modes for testing both sniffing and inline devices.

Tcpreplay is used by numerous firewall, IDS, IPS and other networking vendors, enterprises, universities, labs and open source projects. If your organization uses Tcpreplay, please let me know who you are and what you use it for so that I can continue to add features which are useful.

The Tcpreplay suite includes the following tools:

  • tcpprep – multi-pass pcap file pre-processor which classifies packets as client or server and creates cache files used by tcpreplay and tcprewrite
  • tcprewrite – pcap file editor which rewrites TCP/IP and Layer 2 packet headers
  • tcpreplay – replays pcap files at arbitrary speeds onto the network
  • tcpliveplay – Replays network traffic stored in a pcap file on live networks using new TCP connections
  • tcpreplay-edit – replays & edits pcap files at arbitrary speeds onto the network
  • tcpbridge – bridge two network segments with the power of tcprewrite
  • tcpcapinfo – raw pcap file decoder and debugger

[Read More]