2

I'm replaying a PCAP file containing only UDP packets using tcpreplay, from one server to another (same IP subnet). The destination MAC address and IP address have been changed to those of the receiving server using tcprewrite. When I did a tcpdump on the receiving server, I was able to capture the replayed packets. However, when I tried to run Filebeat and listen on the (destination) IP and port, I didn't get any packets. Filebeat is set up correctly, because I was able to capture packets previously from another sender (not tcpreplay). It just doesn't seem to be able to see the replayed packets.

These are jumbo packets, and the MTU of the network interfaces on both servers has been changed to 9000, and the pcap was rewritten with --mtu=6000 (each packet was about 6000B or smaller).

How can tcpdump see the packets, but not Filebeat?

Rayne
  • 623

1 Answer

0

This could be a case of dealing with Martian packets. The kernel drops these packets if they fail the RPF check.

You can either disable the RPF or modify the source IP address to pass the RPF check.

There are a lot of details in replaying packets into the network, and this post here explains them in great detail.

PoJam
  • 101
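A way to check the answer's RPF theory on the receiving server, as an added example that is not part of the original post. It uses a simplified model of the kernel's reverse-path check; the interface name and source IP given on the command line are whatever applies to your capture.

```shell
#!/bin/sh
# Added example: diagnose reverse-path filtering (RPF) drops on the receiver.
# tcpdump sees frames before the IP stack validates them, so a packet can show
# up in a capture and still never reach a listening UDP socket.

# Effective rp_filter for an interface: the kernel uses the higher of
# conf/all/rp_filter and conf/<iface>/rp_filter (0=off, 1=strict, 2=loose).
effective_rp_filter() {
    if [ "$1" -gt "$2" ]; then echo "$1"; else echo "$2"; fi
}

# Simplified verdict for one packet.
#   $1 = effective rp_filter mode
#   $2 = interface the packet arrived on
#   $3 = interface this host would use to reach the packet's source IP
#        (empty if there is no route back to the source)
rpf_verdict() {
    case "$1" in
        0) echo pass ;;
        1) if [ -n "$3" ] && [ "$2" = "$3" ]; then echo pass; else echo drop; fi ;;
        2) if [ -n "$3" ]; then echo pass; else echo drop; fi ;;
        *) echo unknown ;;
    esac
}

# Live check: read the sysctls and routing table for one replayed source IP.
check_live() {
    iface=$1
    src=$2
    all=$(cat /proc/sys/net/ipv4/conf/all/rp_filter)
    per=$(cat "/proc/sys/net/ipv4/conf/$iface/rp_filter")
    mode=$(effective_rp_filter "$all" "$per")
    # "ip route get" prints the egress device after the word "dev".
    back=$(ip -4 route get "$src" 2>/dev/null |
           sed -n 's/.* dev \([^ ]*\).*/\1/p' | head -n 1)
    echo "rp_filter all=$all $iface=$per effective=$mode route-back-dev=${back:-none}"
    echo "verdict: $(rpf_verdict "$mode" "$iface" "$back")"
    # With log_martians=1 the kernel logs each dropped martian (see dmesg).
    echo "log_martians=$(cat "/proc/sys/net/ipv4/conf/$iface/log_martians")"
}

# Usage: sh this_script <receiving-iface> <source-ip-from-the-pcap>
if [ "$#" -eq 2 ]; then check_live "$1" "$2"; fi
```

A `drop` verdict matches the two fixes in the answer: lower `rp_filter` on the receiving interface (and on `all`, since the higher value wins), or rewrite the source addresses in the pcap so the route back to them leaves through the interface the packets arrive on.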