Discussion:
[Tcpreplay-users] replaying packet on remote machine
Manish Sapariya
2005-05-31 07:15:26 UTC
Hi List,
I want to capture traffic on my machine and replay it on another machine.
Is this possible? One way I thought of was to use netcat to send my captured
traffic to the target machine and run it using tcpreplay. But I couldn't
figure out how to read the packets to be replayed from stdin instead of a
file or interface.

Is this possible? If so, how?
Any other links will be highly appreciated.
Thanks and Regards,
Manish
Aaron Turner
2005-05-31 14:22:19 UTC
You need to use a network sniffer like tcpdump or ethereal to capture
and write traffic to a file. Something like:

tcpdump -i eth0 -s 0 -w myfile.pcap

-Aaron
--
Aaron Turner <aturner at pobox.com|synfin.net> http://synfin.net/
They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. -- Benjamin Franklin
All emails are PGP signed; a lack of a signature indicates a forgery.
ed nospam
2005-05-31 16:08:43 UTC
I would say technically it is possible, but in general, unless the
replayer knows about the protocol in the captured traffic, it is not
feasible. In other words, you have to write "plugins" for tcpreplay for
it to work.
_______________________________________________
Tcpreplay-users mailing list
https://lists.sourceforge.net/lists/listinfo/tcpreplay-users
Aaron Turner
2005-05-31 16:47:12 UTC
If you're looking at taking a pcap file and using it to *connect* to
another server and replay the traffic against the server (rather than,
say, a NIDS), then what you're looking for is flowreplay, which ships with
tcpreplay.

That's the good news. The bad news is that flowreplay is very alpha and
basically doesn't work right now. I keep hoping to work on it and
improve it, but between starting a new job and running into limitations
with libnids I haven't gotten as far as I'd like.

-Aaron
Manish Sapariya
2005-06-01 04:28:58 UTC
Hi,
I think I will describe my problem again in detail.

So I have my product under test, which sniffs the network traffic and
does processing on it. I want to test this product with as much live
traffic as possible. Now, what my network administrator doesn't allow is
to run the product on the company's live network. Currently it is set up on
an isolated hub, where I find it damn difficult to generate real-time usage
traffic. What I plan to do is capture traffic on my machine and send it to
the remote machine using netcat, e.g.
tcpdump -s 0 -i eth0 -w - | nc 127.0.0.1 9000
and on the remote machine run the netcat server to listen for this
traffic and run it on the remote machine, e.g.
nc -l -p 9000 | tcpreplay ....

The problem I am facing here is that I am not able to pass the remotely read
capture file to tcpreplay from stdin or a pipe.

The tcpreplay man page says that '-' stands for input from stdin, and so
does the pcap manpage, but somehow it's not working in my case.

[***@tapi manishs]# nc -l -p 9000 | tcpreplay -i eth0 -
sending on: eth0
Error opening file: No such file or directory

Any help or link or patch to tcpreplay will be highly appreciated.
Thanks and Regards,
Manish
Aaron Turner
2005-06-01 04:58:28 UTC
Ah, yes, detail! Have you first verified that tcpdump and netcat are
doing what you think they are? Are you even receiving data? Also, if
the problem is in tcpreplay, knowing what version you're running would
be rather useful.

-Aaron
Manish Sapariya
2005-06-01 05:07:19 UTC
Sorry for not providing complete details. Here they are:
$# tcpreplay -V
tcpreplay version: 2.3.1
Cache file supported: 04
Compiled against libnet: 1.1.2.1
Compiled against libpcap: 0.8.3
Compiled against libpcapnav: 0.5
Using tcpdump located in: /usr/sbin/tcpdump

I verified my basic setup with the following:
$# nc -l -p 9000 > /tmp/c.cap
$# ethereal /tmp/c.cap &

and it works like a charm, except for one warning from ethereal saying
that the capture file looks cut short. That's fine with me; I can
see all the packets in ethereal.

Thanks for the help.
Regards,
Manish
Aaron Turner
2005-06-01 05:18:11 UTC
Have you tried:

nc -l -p 9000 | tcpdump -r -

If that works, then I'll wager that the problem is in libpcapnav. In
which case the solution is to recompile w/o libpcapnav.

-Aaron
Manish Sapariya
2005-06-01 05:37:37 UTC
Hi Aaron,
Thanks for all the help, but I am not sure how come libpcap works with
tcpdump and not with tcpreplay.
-------
$# tcpdump -V
tcpdump version 3.8
libpcap version 0.8.3

Tcpdump works as expected:
$# nc -l -p 9000 | tcpdump -r -
reading from file -, link-type EN10MB (Ethernet)
12:51:37.776040 IP cvs.sourceforge.net.cvspserver >
amazon.pune.gs-lab.com.32914: . 4234229912:4234231360(1448) ack
2404733948 win 1716 <nop,nop,timestamp 1197898360 32932116>
12:51:37.855034 IP saraswati.pune.gs-lab.com.netbios-ns >
192.168.0.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
-------
Tcpreplay doesn't:

$# ./tcpreplay -V
tcpreplay version: 2.3.1
Cache file supported: 04
Compiled against libnet: 1.1.2.1
Compiled against libpcap: 0.8.3
Not compiled against libpcapnav.
Using tcpdump located in: /usr/sbin/tcpdump
$# ./tcpreplay -i eth0 -
sending on: eth0
File to open is -
Error opening pcap file -: fread: Resource temporarily unavailable
$#

One more thing: I could not disable linking of libpcapnav using configure.
I used
configure -without-pcapnav
but it still compiled with libpcapnav.
Then I had to forcefully move /usr/local/bin/pcapnav-config, and it
compiled as expected. Is my command line incorrect for configure?

Thanks and Regards,
Manish
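A minimal streaming pcap reader, added here as an example and not code from tcpreplay, libpcap or anyone on this thread: it consumes the capture from a non-seekable pipe such as the `nc -l -p 9000 |` above, which is exactly what the libpcapnav-linked tcpreplay 2.3.1 build could not do, and it reports rather than chokes on the cut-short final record that ethereal warned about. The bytes in `build_sample_stream()` are constructed, not real traffic, and the script name `pcapstream.py` is a placeholder.

```python
import io, struct, sys

# pcap magic as read with "<I" -> struct byte-order prefix (nanosecond variants included)
PCAP_MAGICS = {0xa1b2c3d4: "<", 0xd4c3b2a1: ">", 0xa1b23c4d: "<", 0x4d3cb2a1: ">"}
MAX_SNAPLEN = 262144  # sanity bound so a corrupt length field cannot force a huge read


def read_exact(stream, n):
    """Read exactly n bytes; a pipe read may legitimately return fewer, so loop."""
    buf = bytearray()
    while len(buf) < n:
        chunk = stream.read(n - len(buf))
        if not chunk:
            break  # writer closed the pipe
        buf += chunk
    return bytes(buf)


def read_pcap_stream(stream):
    """Walk a pcap stream record by record without seeking, so it works on stdin.
    'truncated' is set when the stream ends inside a record (the cut-short case)."""
    gh = read_exact(stream, 24)
    if len(gh) < 24:
        raise ValueError("stream shorter than the 24-byte pcap global header")
    magic = struct.unpack("<I", gh[:4])[0]
    if magic not in PCAP_MAGICS:
        raise ValueError("not a pcap stream, magic 0x%08x" % magic)
    endian = PCAP_MAGICS[magic]
    snaplen, linktype = struct.unpack(endian + "II", gh[16:24])
    s = {"linktype": linktype, "snaplen": snaplen, "packets": 0,
         "caplen": 0, "wirelen": 0, "truncated": False}
    while True:
        rh = read_exact(stream, 16)
        if len(rh) < 16:
            s["truncated"] = len(rh) > 0  # empty = clean end, partial = cut short
            break
        _ts_sec, _ts_frac, incl_len, orig_len = struct.unpack(endian + "IIII", rh)
        if incl_len > MAX_SNAPLEN or incl_len > orig_len:
            raise ValueError("corrupt record header after %d packets" % s["packets"])
        data = read_exact(stream, incl_len)
        if len(data) < incl_len:
            s["truncated"] = True  # tail of the last record never arrived
            break
        s["packets"] += 1
        s["caplen"] += incl_len
        s["wirelen"] += orig_len
    return s


def build_sample_stream(cut_short=True):
    """Constructed sample (not real traffic): little-endian pcap, Ethernet link type,
    three records; optionally chop the last one as if `tcpdump -w - | nc` died mid-packet."""
    gh = struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)
    body = b""
    for i, frame in enumerate([b"\x00" * 60, b"\x11" * 200, b"\x22" * 1448]):
        body += struct.pack("<IIII", 1117600000 + i, 776040, len(frame), len(frame)) + frame
    return io.BytesIO(gh + (body[:-700] if cut_short else body))


if __name__ == "__main__":  # e.g.  nc -l -p 9000 | python3 pcapstream.py
    print(read_pcap_stream(sys.stdin.buffer))
```

Run on the live pipe it prints the summary once the sending side closes the connection; a `truncated` of True with a low packet count is the first thing to check before blaming the replay side.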
Manish Sapariya
2005-06-01 10:17:34 UTC
Hi Aaron,
After tweaking the code of tcpreplay, I could get it running.
Now I can capture live traffic on one machine and replay it on
another machine.

I called close(1) before calling pcapnav_offline() and
it worked as required.

However, what I see is that I drop around 20 packets every
1000 packets, which actually depends on the nature of the traffic.

Any ideas on how I could improve on the dropping of packets
when transporting them to the other machine? I guess the piping of
the tcpdump output to netcat and transporting it to the other machine is
the bottleneck. I even tried the UDP mode of netcat but got almost similar
results.

Do you suggest anything? Or maybe somebody here who has more insight into
the working of tcpdump/tcpreplay/netcat can help.

Thanks for all the help.
Regards,
Manish
Aaron Turner
2005-06-01 13:41:30 UTC
Post by Manish Sapariya
Hi Aaron,
After tweaking the code of tcpreplay, I could get it running.
Now I can capture live traffic on one machine and replay it on
another machine.
I called close(1) before calling the pcapnav_offline() and
it worked as required.
Ok, I'll be sure to include that in 2.3.4 and the next 3.0 beta.
Post by Manish Sapariya
However what I see is that I drop around 20 packets every
1000 packets, which actually depends on the nature of the traffic.
When you say you drop packets... you mean tcpdump isn't picking them up
and sending them? One guess is that the netcat sending socket buffer
is filling up and you're dropping packets that way. Honestly though, I
don't know, but I'm not surprised.

There is a remote libpcap capture thingy. I haven't tried it, but it
might be more efficient and handle this better:

http://rpcap.sourceforge.net/

-Aaron
Peter Van Epp
2005-06-01 14:00:27 UTC
I'd suggest doing the capture to a file (preferably on a memory-based
file system) using tcpdump on the source machine and then moving the capture
file to the tcpreplay machine and playing it back. That eliminates a couple of
sources of potential packet loss by not requiring the two machines to be
supporting capture, transport to the other machine and replay all at the same
time (which can put a strain on resources depending on what kind of machines
they are and how fast you are going).
As to packet loss, you have a lot of choices :-). You can lose packets
at the interface level in the OS (netstat and/or the NIC error counters in the
OS will tell you this, and mbuf stats in the kernel will tell you this). Once
you get through that, you can lose packets in the copy from kernel mbufs into
the user-side pcap buffer (which libpcap will tell you about in the lost packets
count). This may be able to be fixed by increasing the size of the libpcap
buffer (easy on BSD machines; on Linux I have never figured out how, and use the
ring buffer code from www.ntop.org to eliminate pcap completely anyway, and then
it will keep up with a loaded gig link on a suitably large machine).
As to your network admin's understandable concern, you might ask if he
or she will let you install a passive tap (Cat5 or optical as required) in the
network and capture data off the tap ports, where it can't affect the production
network. Finair and Netoptics are two sources of suitable taps (although they
aren't cheap).

Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada