pktgen version: 3.4.2
There are multiple pcap files; how can I send the packets in multiple pcap files using DPDK pktgen?
How can I use PKTGEN to send all pcap files in a directory?
First, when I use this command, it just sends one packet forever and does not stop.
./pktgen -l 0-1 -n 3 -- -P -m "[1].0" -s 0:/pcap/test.pcap
I tried several ways but none worked.
Current DPDK pktgen has the option -s P:file, which allows a specific PCAP file to be associated with a DPDK port. Based on the contents of the PCAP file, either a single packet or multiple packets will be continuously sent through the selected DPDK port via PKTGEN.
Using options like rate and count, one can control the behaviour. But the option to select multiple PCAP files for a port is not present on the command line. The option is not present through Lua scripts either.
The only valid options are page pcap, to highlight the port and packets in use, and pcap show, to display pcap-relevant information. Hence the option to send packets from multiple pcap files via the command line or a Lua script is absent.
Note: an alternative to explore would be the DPDK-hosted project https://doc.dpdk.org/burst-replay/, as the current logic reads the packets into mbuf memory and sends from the cache. You can either modify DPDK-PKTGEN or BURST-REPLAY to accept a pcap folder and read multiple pcap files to achieve the same.
Related
I need to archive and share some PCAP files with people who don't know what the various IP addresses in the pcap refer to.
So I want to find a way to edit the PCAP files and change IP addresses so they appear as the FQDN or a random string in Wireshark, e.g. "server.a.some.domain" or "serverA" instead of 192.168.x.x. That way people will understand the traffic flow without having to ask what each IP is.
I can achieve this in Wireshark manually with the Name Resolution function, but I want to automate changing the PCAP files before I share them.
I tried bittwiste and tcprewrite, but they seem to only support changing an IP address to another IP address, not a string.
e.g. this works
$ bittwiste -I a.pcap.file.pcap -O test.pcap -T ip -s 192.168.0.0,192.168.0.2
input file: a.pcap.file.pcap
output file: test.pcap
1771 packets (665162 bytes) written
but this doesn't
$ bittwiste -I a.pcap.file.pcap -O test.pcap -T ip -s 192.168.0.0,serverA
bittwiste: invalid source IP address
Anyone know if this is possible and how to do it?
thanks
This is not as trivial as it seems. The names you want to replace are only inside the application data, i.e. typically in DNS requests and responses, as part of the TLS handshake (SNI in ClientHello, CN/SAN in server certificate), in the Host field of an HTTP request header ...
While you might try to simply string-replace all such names with something else, this would break the sequence numbers in the TCP connections unless you replace it with something of exactly the same length. Even then it would make the TCP checksums invalid, would make signatures on the certificates invalid, ... and in the case of DNS a simple string replace would not even find all the names, since they might be encoded in DNS and are not just inside the DNS packets as a plain string.
To change the displayed IP address for source and destination addresses in Wireshark, right-click on the packet trace -> "Edit Resolved names" and then add a string to the resolved name for the source address, and repeat the above step for the destination address.
To ensure that the packet trace is stored with the resolved names, store the file as .pcapng. If the file is stored as .pcap the name resolution is lost, so when you open the file again the resolved names do not appear. My Wireshark version is 4.0.1.
So the capture with IP# went from:
to capture with resolved names:
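The following Python is an added example, not code from the original posts: it automates the .pcapng approach described above by converting a classic pcap to pcapng and embedding a Name Resolution Block, so the names travel with the file while the packet bytes stay untouched. It goes beyond the answer's manual steps; the function names, the sample packet and the 192.168.0.2 to serverA mapping are constructed for illustration, and only little-endian microsecond pcap input with IPv4 names is handled.

```python
import io
import socket
import struct

def _block(btype, body):
    """Wrap a body as a pcapng block: type, total length, body, total length."""
    body += b"\x00" * (-len(body) % 4)            # pad to a 32-bit boundary
    total = len(body) + 12
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)

def _nrb(names):
    """Name Resolution Block (type 4) with one IPv4 record per address."""
    recs = b""
    for ip, name in names.items():
        val = socket.inet_aton(ip) + name.encode("ascii") + b"\x00"
        recs += struct.pack("<HH", 1, len(val)) + val + b"\x00" * (-len(val) % 4)
    return _block(4, recs + struct.pack("<HH", 0, 0))    # end-of-records marker

def pcap_to_pcapng(pcap_bytes, names):
    """Convert a classic pcap to pcapng and embed the ip -> name mapping."""
    src = io.BytesIO(pcap_bytes)
    magic, _, _, _, _, snaplen, linktype = struct.unpack("<IHHiIII", src.read(24))
    if magic != 0xA1B2C3D4:
        raise ValueError("only little-endian microsecond pcap is handled here")
    out = _block(0x0A0D0D0A, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))  # SHB
    out += _block(1, struct.pack("<HHI", linktype, 0, snaplen))           # IDB
    out += _nrb(names)
    while True:
        hdr = src.read(16)
        if len(hdr) < 16:
            break
        sec, usec, caplen, origlen = struct.unpack("<IIII", hdr)
        data = src.read(caplen)
        if len(data) < caplen:                    # truncated final record
            break
        ts = sec * 1_000_000 + usec               # pcapng default unit is 1 us
        out += _block(6, struct.pack("<IIIII", 0, ts >> 32, ts & 0xFFFFFFFF,
                                     caplen, origlen) + data)             # EPB
    return out

# Constructed sample: a classic pcap holding one 14-byte dummy Ethernet frame.
SAMPLE_PCAP = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
               + struct.pack("<IIII", 1700000000, 5, 14, 14) + b"\x00" * 14)

if __name__ == "__main__":
    ng = pcap_to_pcapng(SAMPLE_PCAP, {"192.168.0.2": "serverA"})
    print(len(ng), "bytes of pcapng produced")
```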
I have a PCAP file from a system with SIP setup/teardown and RTP. Can I use the PCAP file to test the compatibility of that switch with mine, by firing the packets into my switch?
If yes, how?
I have seen TCP replay, but I'm not used to it. Can I use Star Trinity?
You could use the SIPp tool for testing the switch. Add the pcap file to the XML file and trigger it.
http://sipp.sourceforge.net/doc/reference.html#UAC+with+media
I'm training myself on network scanning and I'm focusing on how to identify a sniffer on my network.
Searching on the web, I found that a possible way is the ARP method: I must send an ARP request to a suspect non-broadcast IP to check if it's in promiscuous mode.
My doubt is: if my PC is a Windows 7 machine, is there a way to manually send an ARP request? Possibly from the command line?
You can use tools like nmap.
nmap -sP -PR <IP address/subnet>
For Windows you can use the GUI version of nmap, Zenmap.
You can use this version of arping for Windows. If you want an already compiled executable you can find it here (under the "examples" folder).
Usage:
Arping.exe -i <IP_ADDRESS_OF_YOUR_INTERFACE> -T <TARGET_IP_ADDRESS>
Another simple way:
ping TARGET_IP_ADDRESS
then
arp -a
The TARGET_IP_ADDRESS shall be shown as type dynamic.
Hi, I'm trying to use SCP to upload files to a remote server from Perl code.
The server on which the code is being run has multiple Ethernet interfaces (eth0, eth1, eth2).
eth0 is the default interface.
The server to which I'm trying to upload the files can only be reached via the eth2 interface.
Is there something I need to modify in the code to use that particular interface (eth2) for the uploads?
I'm using:
use Expect; #for scp
You can't. Routing doesn't work in 'user space'; it's handled by the kernel. There is nothing you can do with a Perl script that will deal with that.
You need to look at your routing table, or how to configure your network interfaces on appropriate subnets.
Is there a way to convert Wireshark .pcap files to a format that Fiddler understands?
Every so often we get network traces generated from Wireshark in .pcap files. Most of the time the traces contain mostly HTTP traffic, which I find much easier to analyze using Fiddler.
Fiddler 2 and Fiddler 4 now include import support for PCAP, PCAPNG, and NetMon files. Click File > Import > Packet Capture.
Note that only HTTP traffic will be imported (HTTPS traffic is encrypted, and FTP traffic wasn't a priority).
You can use ColaSoft Packet Player, which lets you play captured .pcap files, and open Fiddler capturing all processes to receive all data as it was captured.
Fiddler 4 supports pcap files.