lost and found ( for me ? )


tcpreplay, tcprewrite ( rewrite MAC, IP for your network environment and replay the captured data )

Here is how to use tcpreplay and tcprewrite.

With tcprewrite you can edit a capture file to fit your own network environment (source MAC, destination MAC, destination IP and so on), and with tcpreplay you can send the edited capture back out onto the wire.

# tail -1 /etc/lsb-release
DISTRIB_DESCRIPTION="Ubuntu 12.04.4 LTS"

# apt-get install tcpreplay -y


extract the packets sent to UDP destination port 53 (the DNS queries) from the original capture:
tcpdump -r dns.cap -n udp dst port 53 -w a_dns.cap

rewrite the source MAC, destination MAC and destination IP (every destination, 0.0.0.0/0, becomes the target 192.168.11.20/32) and recompute the checksums. The source IP is left untouched, so the target's answers are sent to the original client address (192.168.170.8 below); add a --srcipmap mapping as well if you want the answers to come back to the replay host.
# tcprewrite --infile=a_dns.cap --outfile=c_dns.cap --dstipmap=0.0.0.0/0:192.168.11.20/32 --enet-dmac=08:00:27:27:c5:f1 --enet-smac=08:00:27:1b:09:e4 --fixcsum

replay the capture data.
# tcpreplay --intf1=eth0 --pps=100 c_dns.cap

capture on the target device (the unbound server at 192.168.11.20): the replayed queries arrive and unbound forwards them to 192.168.11.1.
# tcpdump -i eth0 port 53 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
21:31:07.452087 IP 192.168.170.8.32795 > 192.168.11.20.53: 4146+ TXT? google.com. (28)
21:31:07.452610 IP 192.168.11.20.37474 > 192.168.11.1.53: 48231+% [1au] TXT? google.com. (39)
21:31:07.461590 IP 192.168.170.8.32795 > 192.168.11.20.53: 63343+ MX? google.com. (28)
21:31:07.461881 IP 192.168.11.20.57190 > 192.168.11.1.53: 61338+% [1au] MX? google.com. (39)

unbound query log on the target
Feb  1 21:31:07 ubuntu-vm2 unbound: [2853:0] info: 192.168.170.8 google.com. TXT IN
Feb  1 21:31:07 ubuntu-vm2 unbound: [2853:0] info: 192.168.170.8 google.com. MX IN
Feb  1 21:31:07 ubuntu-vm2 unbound: [2853:0] info: 192.168.170.8 google.com. LOC IN
Feb  1 21:31:07 ubuntu-vm2 unbound: [2853:0] info: 192.168.170.8 104.9.192.66.in-addr.arpa. PTR IN

tcpreplay 3.4.4: replay DNS capture file with tcpreplay

Here are the trial-and-error logs from replaying a DNS capture file with tcpreplay.

tcpreplay machine: 192.168.10.15
target machine (DNS Server): 192.168.10.12

install tcpreplay via apt-get
# tail -1 /etc/lsb-release
DISTRIB_DESCRIPTION="Ubuntu 13.04"

# uname -ri
3.8.0-35-generic x86_64

# apt-get install tcpreplay -y

# tcpreplay --version
tcpreplay version: 3.4.4 (build 2450) (debug)
Copyright 2000-2010 by Aaron Turner <aturner at synfin dot net>
Cache file supported: 04
Not compiled with libdnet.
Compiled against libpcap: 1.3.0
64 bit packet counters: enabled
Verbose printing via tcpdump: enabled
Packet editing: disabled
Fragroute engine: disabled
Injection method: PF_PACKET send()



prepare a capture file for tcpreplay.
on the tcpreplay box, capture the query while running dig against the target:
# tcpdump -i br0 udp dst port 53 -w dns_dump.cap

# dig @192.168.10.12 isc.org any +bufsize=4096 +ignore

# file dns_dump.cap
dns_dump.cap: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 65535)

replay the cap file
# tcpreplay --loop=1 --intf1=br0 dns_dump.cap
sending out br0
processing file: dns_dump.cap
Actual: 1 packets (78 bytes) sent in 0.03 seconds.              Rated: 2600.0 bps, 0.02 Mbps, 33.33 pps
Statistics for network device: br0
       Attempted packets:         1
       Successful packets:        1
       Failed packets:            0
       Retried packets (ENOBUFS): 0
       Retried packets (EAGAIN):  0

capture on the DNS server: the query arrives, but no response is sent.
# tshark -i eth0 port 53
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
 0.000000 192.168.10.15 -> 192.168.10.12 DNS 78 Standard query 0x5718  ANY isc.org

checksum problem?
Let's compare the checksums of the packet in the dig capture and the one in the tcpreplay capture.

[ dig cap ]

IP header
   Total Length: 64
   Identification: 0x43b6 (17334)
   Flags: 0x00
       0... .... = Reserved bit: Not set
       .0.. .... = Don't fragment: Not set
       ..0. .... = More fragments: Not set
   Fragment offset: 0
   Time to live: 64
   Protocol: UDP (17)
   Header checksum: 0xa18b [correct]
       [Good: True]
       [Bad: False]
   Source: 192.168.10.15 (192.168.10.15)
   Destination: 192.168.10.12 (192.168.10.12)



UDP header
User Datagram Protocol, Src Port: domain (53), Dst Port: 60739 (60739)
   Source port: domain (53)
   Destination port: 60739 (60739)
   Length: 44
   Checksum: 0x95a9 [validation disabled]
       [Good Checksum: False]
       [Bad Checksum: False]

[ tcpreplay cap ]

IP header
   Total Length: 64
   Identification: 0x43aa (17322)
   Flags: 0x00
       0... .... = Reserved bit: Not set
       .0.. .... = Don't fragment: Not set
       ..0. .... = More fragments: Not set
   Fragment offset: 0
   Time to live: 64
   Protocol: UDP (17)
   Header checksum: 0xa197 [correct]
       [Good: True]
       [Bad: False]
   Source: 192.168.10.15 (192.168.10.15)
   Destination: 192.168.10.12 (192.168.10.12)

UDP header
User Datagram Protocol, Src Port: 50164 (50164), Dst Port: domain (53)
   Source port: 50164 (50164)
   Destination port: domain (53)
   Length: 44
   Checksum: 0x95a9 [validation disabled]
       [Good Checksum: False]
       [Bad Checksum: False]

It seems that there are no problems with the checksums, I think.

How about using a cap file captured with tshark?
# tshark -i br0 udp dst port 53 -w tshark_dig.pcap

# dig @192.168.10.12 isc.org any +bufsize=4096

# file tshark_dig.pcap
tshark_dig.pcap: pcap-ng capture file - version 1.0

# tcpreplay --loop=1 --intf1=br0 tshark_dig.pcap
sending out br0
processing file: tshark_dig.pcap
Actual: 1 packets (78 bytes) sent in 0.04 seconds.              Rated: 1950.0 bps, 0.01 Mbps, 25.00 pps
Statistics for network device: br0
       Attempted packets:         1
       Successful packets:        1
       Failed packets:            0
       Retried packets (ENOBUFS): 0
       Retried packets (EAGAIN):  0

Same issue: the DNS server does not send the answer.
# tshark -i eth0 port 53
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
 0.000000 192.168.10.15 -> 192.168.10.12 DNS 78 Standard query 0xf9d4  ANY isc.org

How about recalculating the checksums with tcprewrite?

[ tcprewrite: tcpdump cap file ]

# tcprewrite --fixcsum --infile=dns_dump.cap --outfile=out_dns_dump.cap

# tcpreplay --loop=1 --intf1=br0 out_dns_dump.cap
sending out br0
processing file: out_dns_dump.cap
Actual: 1 packets (78 bytes) sent in 0.03 seconds.              Rated: 2600.0 bps, 0.02 Mbps, 33.33 pps
Statistics for network device: br0
       Attempted packets:         1
       Successful packets:        1
       Failed packets:            0
       Retried packets (ENOBUFS): 0
       Retried packets (EAGAIN):  0

Okay, this time the server answers:
190.106051 192.168.10.15 -> 192.168.10.12 DNS 78 Standard query 0x5718  ANY isc.org
190.106191 192.168.10.12 -> 192.168.10.15 DNS 78 Standard query response 0x5718

I was able to replay both the tcpdump pcap and the tshark pcap after fixing the checksums with tcprewrite.

[ tcprewrite: tshark cap file ]

# tcprewrite --fixcsum --infile=tshark_dig.pcap --outfile=out_tshark_dig.pcap

# tcpreplay --loop=1 --intf1=br0 out_tshark_dig.pcap
sending out br0
processing file: out_tshark_dig.pcap
Actual: 1 packets (78 bytes) sent in 0.03 seconds.              Rated: 2600.0 bps, 0.02 Mbps, 33.33 pps
Statistics for network device: br0
       Attempted packets:         1
       Successful packets:        1
       Failed packets:            0
       Retried packets (ENOBUFS): 0
       Retried packets (EAGAIN):  0

Okay, the server answers here too:
382.992509 192.168.10.15 -> 192.168.10.12 DNS 78 Standard query 0xf9d4  ANY isc.org
382.992657 192.168.10.12 -> 192.168.10.15 DNS 78 Standard query response 0xf9d4

From these results, the problem was caused by bad checksums. Note that the tshark decodes above say "Checksum: 0x95a9 [validation disabled]", so tshark never actually verified the UDP checksum; run it with -o udp.check_checksum:TRUE (and -o ip.check_checksum:TRUE) and it flags bad checksums itself instead of leaving you to compare them by eye.

The tcpreplay documentation describes this:
Forcing Checksum Calculation
Many network cards support TCP/UDP/IP checksum offloading, so if you capture traffic which was generated by the same system, the checksums will be incorrect. This can obviously cause problems later on when you try replaying the traffic. By using the --fixcsum flag, you can force tcprewrite to fix the checksums. Note, tcprewrite will automatically fix checksums when editing packets.
$ tcprewrite --fixcsum --infile=input.pcap --outfile=output.pcap
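Here is an added example (it is not from the original posts and not tcpreplay's code) that does in plain Python what the two posts above do with tcpdump, tcprewrite and tcpreplay's helpers on a capture file: filter a pcap down to the DNS queries (the "udp dst port 53" step from the MAC/IP rewrite post, and the ip.src filter used in the basic tcpreplay post further down), rewrite the MACs and the destination IP, and recompute the IPv4 and UDP checksums the way --fixcsum does, pseudo-header included, which is exactly the part a capture of offloaded traffic gets wrong. The MAC addresses 08:00:27:aa:bb:cc and 08:00:27:dd:ee:ff and the resolver address 192.168.170.1 in the constructed test packet are made up; the other addresses and MACs are the ones from the posts. It reads and writes classic pcap only, not the pcap-ng that newer tshark produces, so convert such files with editcap -F pcap first.

```python
"""Added example, not tcpreplay's code: a tiny pcap filter / rewrite / fixcsum tool mirroring
'tcpdump -r f udp dst port 53', 'tcprewrite --enet-smac --enet-dmac --dstipmap --fixcsum'."""
import ipaddress
import struct

ETH_LEN, IP_PROTO_UDP = 14, 17
PCAP_GHDR = struct.Struct("<IHHiIII")  # magic, major, minor, tz, sigfigs, snaplen, linktype
PCAP_RHDR = struct.Struct("<IIII")     # ts_sec, ts_usec, incl_len, orig_len

def _csum(data):
    """RFC 1071 one's-complement checksum; an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def _ihl(pkt):  # IPv4 header length in bytes
    return (pkt[ETH_LEN] & 0x0F) * 4

def udp_checksum(pkt):
    """Correct UDP checksum: IPv4 pseudo-header + UDP header (checksum zeroed) + payload."""
    ihl = _ihl(pkt)
    ip, udp = pkt[ETH_LEN:ETH_LEN + ihl], pkt[ETH_LEN + ihl:]
    udp = udp[:struct.unpack("!H", udp[4:6])[0]]
    pseudo = ip[12:20] + struct.pack("!BBH", 0, IP_PROTO_UDP, len(udp))
    return _csum(pseudo + udp[:6] + b"\x00\x00" + udp[8:]) or 0xFFFF  # RFC 768: 0 -> 0xFFFF

def checksums_ok(pkt):
    """(ip_ok, udp_ok); a stored UDP checksum of 0 means 'not computed' and is legal over IPv4."""
    ihl = _ihl(pkt)
    stored = struct.unpack("!H", pkt[ETH_LEN + ihl + 6:ETH_LEN + ihl + 8])[0]
    return _csum(pkt[ETH_LEN:ETH_LEN + ihl]) == 0, stored in (0, udp_checksum(pkt))

def fix_checksums(pkt):
    """What --fixcsum does: recompute the IPv4 header checksum, then the UDP checksum."""
    ihl, b = _ihl(pkt), bytearray(pkt)
    b[ETH_LEN + 10:ETH_LEN + 12] = b"\x00\x00"
    struct.pack_into("!H", b, ETH_LEN + 10, _csum(bytes(b[ETH_LEN:ETH_LEN + ihl])))
    struct.pack_into("!H", b, ETH_LEN + ihl + 6, udp_checksum(bytes(b)))
    return bytes(b)

def rewrite(pkt, smac=None, dmac=None, src_ip=None, dst_ip=None):
    """--enet-smac/--enet-dmac/--srcipmap/--dstipmap (single target), then fix checksums."""
    b = bytearray(pkt)
    for off, mac in ((0, dmac), (6, smac)):
        if mac:
            b[off:off + 6] = bytes.fromhex(mac.replace(":", ""))
    for off, addr in ((ETH_LEN + 12, src_ip), (ETH_LEN + 16, dst_ip)):
        if addr:
            b[off:off + 4] = ipaddress.IPv4Address(addr).packed
    return fix_checksums(bytes(b))

def select(pkts, src_ip=None, udp_dport=None):
    """Filter like 'udp dst port 53' (tcpdump) or 'ip.src==x' (tshark)."""
    want = ipaddress.IPv4Address(src_ip).packed if src_ip else None
    return [p for p in pkts if p[12:14] == b"\x08\x00" and p[ETH_LEN + 9] == IP_PROTO_UDP
            and (want is None or p[ETH_LEN + 12:ETH_LEN + 16] == want)
            and (udp_dport is None or p[ETH_LEN + _ihl(p) + 2:ETH_LEN + _ihl(p) + 4]
                 == struct.pack("!H", udp_dport))]

def write_pcap(pkts):
    """Classic little-endian pcap, linktype 1 (Ethernet); timestamps are a plain counter."""
    out = PCAP_GHDR.pack(0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, p in enumerate(pkts):
        out += PCAP_RHDR.pack(i, 0, len(p), len(p)) + p
    return out

def read_pcap(data):
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("only classic little-endian pcap is handled here (not pcap-ng)")
    pkts, off = [], PCAP_GHDR.size
    while off < len(data):
        incl = PCAP_RHDR.unpack_from(data, off)[2]
        pkts.append(data[off + PCAP_RHDR.size:off + PCAP_RHDR.size + incl])
        off += PCAP_RHDR.size + incl
    return pkts

def build_dns_query(smac, dmac, src_ip, dst_ip, sport, txid, qname, qtype, udp_csum):
    """Constructed DNS query over Ethernet/IPv4/UDP; udp_csum is stored verbatim (models offload)."""
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    dns = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + name + struct.pack("!HH", qtype, 1)
    udp = struct.pack("!HHHH", sport, 53, 8 + len(dns), udp_csum) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x43B6, 0, 64, IP_PROTO_UDP, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    ip = ip[:10] + struct.pack("!H", _csum(ip)) + ip[12:]
    return bytes.fromhex(dmac.replace(":", "") + smac.replace(":", "")) + b"\x08\x00" + ip + udp

def demo():
    """The posts' workflow on a constructed capture: the google.com TXT query with a bogus UDP
    checksum plus a copy to UDP port 123 that the port filter must drop; returns the fixed query."""
    query = build_dns_query("08:00:27:aa:bb:cc", "08:00:27:dd:ee:ff", "192.168.170.8",
                            "192.168.170.1", 32795, 4146, "google.com", 16, udp_csum=0x1234)
    other = bytearray(query)
    struct.pack_into("!H", other, ETH_LEN + 20 + 2, 123)
    dns_only = select(read_pcap(write_pcap([query, bytes(other)])), udp_dport=53)
    return rewrite(dns_only[0], smac="08:00:27:1b:09:e4", dmac="08:00:27:27:c5:f1",
                   dst_ip="192.168.11.20")
```

checksums_ok() is the check the tshark decodes above do not give you: on the constructed query it reports the IP header as good and the UDP checksum as bad until fix_checksums() (or rewrite(), which fixes as a side effect like tcprewrite does) has run. To use it on a real file, read the bytes of a classic pcap into read_pcap(), run select() and rewrite() over the packets, and hand write_pcap()'s output to tcpreplay.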

[ sample usage ]

replay the cap file at top speed (-t is short for --topspeed, -q for --quiet)
# tcpreplay --loop=1000 -t -q --intf1=br0 out_dns_dump.cap

--loop=1000 : repeat 1,000 times
--loop=0: repeat forever until Ctrl-C is pressed

send 1,000 pps
# tcpreplay -q --loop=100 --pps=1000 --intf1=br0 out_dns_dump.cap


tcpreplay

[ what’s tcpreplay ? ]

http://tcpreplay.synfin.net/
Tcpreplay replays a pcap file onto a network interface.
This tool is useful for testing a DUT (device under test) such as a firewall, an IDS, etc.

[ how to install tcpreplay on Ubuntu 11.04 ]

You can install tcpreplay through apt-get.
root@hat1:~# tail -1 /etc/lsb-release
DISTRIB_DESCRIPTION="Ubuntu 11.04"

root@hat1:~# apt-get install tcpreplay

/usr/bin/tcpreplay
/usr/bin/tcpprep  
/usr/bin/tcprewrite
/usr/bin/tcpreplay-edit
/usr/bin/tcpbridge

[ how to use : replay UDP packets ]

let's send DNS (UDP) packets.

client 192.168.11.100  -------- unbound 192.168.11.14

prepare a capture file (dns.pcap, captured on the client while the query below runs).
root@hat1:~# dig @192.168.11.14 www.isc.org +dnssec +multiline


contents of the capture:
root@hat1:~# tshark -r dns.pcap
 1   0.000000 192.168.11.100 -> 192.168.11.14 DNS Standard query A www.isc.org
 2   0.000693 192.168.11.14 -> 192.168.11.100 IP Fragmented IP protocol (proto=UDP 0x11, off=0, ID=20a8)

extract the request packet ( client -> server ). -R is the read filter in this tshark version; current tshark versions take a display filter with -Y instead (or -2 -R for a two-pass read filter).
root@hat1:~# tshark -R "ip.src==192.168.11.100" -r dns.pcap -w client_dns.pcap

root@hat1:~# tshark -r client_dns.pcap
Running as user "root" and group "root". This could be dangerous.
 1   0.000000 192.168.11.100 -> 192.168.11.14 DNS Standard query A www.isc.org

Let’s replay client_dns.pcap

on client
root@hat1:~# tcpreplay --pps=1 --intf1=eth0 client_dns.pcap
sending out eth0
processing file: client_dns.pcap
Actual: 1 packets (82 bytes) sent in 0.07 seconds
Rated: 1171.4 bps, 0.01 Mbps, 14.29 pps
Statistics for network device: eth0
Attempted packets:         1
Successful packets:        1
Failed packets:            0
Retried packets (ENOBUFS): 0
Retried packets (EAGAIN):  0

on server
root@hat2:~# tshark -i eth0 port 53
 0.000000 192.168.11.100 -> 192.168.11.14 DNS Standard query A www.isc.org
 0.000120 192.168.11.14 -> 192.168.11.100 IP Fragmented IP protocol (proto=UDP 0x11, off=0, ID=20ab)

useful options :

--loop=number : how many times you replay pcap file
--topspeed : replay pcap as quickly as possible
--mbps=10.0 : replay at the given bandwidth (Mbit/s)

If the pcap file(s) you are looping are small enough to fit in available RAM, consider using the --enable-file-cache option. This option caches each packet in RAM so that subsequent reads don't have to hit the slower disk. It does have a slight performance hit for the first iteration of the loop since it has to call malloc() for each packet, but after that it seems to improve performance by around 5-10%. Of course if you don't have enough free RAM, then this will cause your system to swap which will dramatically decrease performance.

Another useful option is --quiet. This suppresses printing out to the screen each time tcpreplay starts a new iteration. This can have a dramatic performance boost for systems with slower consoles.

--loop=0 means replay forever until you press Ctrl-C
root@hat1:~# tcpreplay --loop=0 --enable-file-cache --quiet --intf1=eth0 client_dns.pcap

output of dnstop on the server
Source         Query Name      Count      %
-------------- ----------- --------- ------
192.168.11.100 www.isc.org       152  100.0

A DNS request is one packet, so --pps=50000 means sending 50,000 queries per second.
root@hat1:~# tcpreplay --loop=0 --enable-file-cache --pps=50000 --quiet --intf1=eth0 client_dns.pcap

unbound log on the server. "Resource temporarily unavailable" is EAGAIN from sendto(): the socket's send buffer is full, i.e. unbound is being handed queries faster than it can push out the answers.
hat2 unbound: [3644:0] notice: sendto failed: Resource temporarily unavailable