Ticket #128 (closed defect: duplicate)
tcprewrite fails to rewrite the ip addresses of the input pcap file
| Reported by: | anonymous | Owned by: | aturner |
|---|---|---|---|
| Priority: | high | Milestone: | Future Release |
| Component: | tcprewrite | Version: | 3.0.beta12 |
| Keywords: | Cc: | gcc version 3.4.4 20050721 (Red Hat 3.4.4-2) | |
| Operating System: | Add to FAQ?: | ||
| Hardware: | Intel | ||
| Output of tcpreplay -V: | |||
Description
Replayed pcap file: wei.pcap (contains an FTP session). BTW, I can't find the option to upload this pcap file.
Commands:

    src/tcpprep --port --pcap=wei.pcap --cachefile=wei.cache
    src/tcpprep --print-stats=wei.cache
    src/tcprewrite --endpoints=192.168.0.11:192.168.0.12 --cachefile=wei.cache --infile=wei.pcap --outfile=wei_o.pcap

The problem happens when tcprewrite is called: the IP addresses inside the outfile didn't get rewritten.

I re-compiled tcpreplay with the debug option turned on, and tcprewrite returns the following error message:

    DEBUG3 in tcpedit.c:tcpedit_packet() line 131: Packet isn't IPv4...

gdb shows that the l2proto returned by tcpedit_dlt_proto contains the value 8:

    l2proto = tcpedit_dlt_proto(tcpedit->dlt_ctx, dlt, *pktdata, (*pkthdr)->caplen);

while ETHERTYPE_IP is defined as 0x0800. Therefore, the following condition is not true:

    if (l2proto == ETHERTYPE_IP) {}

I added two lines in file src/tcpedit/plugins/dlt_en10mb/en10mb.c:

    line 320: ctx->proto = ntohs(eth->ether_type);
    line 437: eth->ether_type = htons(ctx->proto);

After that, the code works as expected:

    DEBUG3 in tcpedit.c:tcpedit_packet() line 131: Packet has an IPv4 header...
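
The byte-order mismatch described in this ticket, shown as an added example that is not part of the original report and is not tcpreplay code. The function names, offsets macros and the sample frame are constructed for illustration; only the `ETHERTYPE_IP` value 0x0800 and the use of `ntohs()` come from the ticket.

```c
#include <arpa/inet.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifndef ETHERTYPE_IP
#define ETHERTYPE_IP 0x0800   /* value quoted in the ticket */
#endif
#define ETH_HDR_LEN  14       /* dst MAC + src MAC + type */
#define ETH_TYPE_OFF 12       /* offset of the 2-byte type field */

/* Constructed sample: an Ethernet header whose type field is 08 00 on the wire. */
static const uint8_t sample_frame[ETH_HDR_LEN] = {
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55,   /* destination MAC */
    0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb,   /* source MAC */
    0x08, 0x00                            /* EtherType, network byte order */
};

/* Type field exactly as stored in the packet: no byte-order conversion.
 * On a little-endian host the bytes 08 00 read back as 0x0008 (decimal 8). */
uint16_t ethertype_raw(const uint8_t *pkt, size_t caplen)
{
    uint16_t t;
    if (caplen < ETH_HDR_LEN)
        return 0;                         /* truncated capture: no type field */
    memcpy(&t, pkt + ETH_TYPE_OFF, sizeof t);
    return t;
}

/* Type field converted to host order, as the ntohs() line in the ticket does. */
uint16_t ethertype_host(const uint8_t *pkt, size_t caplen)
{
    return ntohs(ethertype_raw(pkt, caplen));
}

/* The IPv4 test only holds on every host when the converted value is compared. */
int is_ipv4(const uint8_t *pkt, size_t caplen)
{
    return ethertype_host(pkt, caplen) == ETHERTYPE_IP;
}

int main(void)
{
    printf("raw=0x%04x host=0x%04x ipv4=%d\n",
           ethertype_raw(sample_frame, sizeof sample_frame),
           ethertype_host(sample_frame, sizeof sample_frame),
           is_ipv4(sample_frame, sizeof sample_frame));
    return 0;
}
```

On a little-endian Intel host, as in the ticket, the raw value prints as 0x0008 and the converted value as 0x0800.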

