3

I've been trying to get tcpreplay to work to replay a network capture I have on my system. Unfortunately, (from the FAQ):

Can I send packets on the same computer running tcpreplay?

Generally speaking no. When tcpreplay sends packets, it injects them between the TCP/IP stack of the system and the device driver of the network card. The result is the TCP/IP stack system running tcpreplay never sees the packets.

The FAQ proposes running a virtual machine, but I'd like to avoid that. Is there another tool that could allow me to send the info to the same machine?

Giacomo1968
  • 58,727
rtpg
  • 195

1 Answer

0

It's never too late...

On Linux, you can use a network namespace for this.
Here are the instructions (run everything as root):

  • Set up names:
    ns_name=testTcpreplay
    nic_host=testtcpreplay_1
    nic_guest=testtcpreplay_2

  • Create the network namespace and add a veth pair:
    # Add network namespace:
    ip netns add $ns_name
    ip -netns $ns_name link set lo up

    # Add veth pair:
    ip link add $nic_host type veth peer name $nic_guest netns $ns_name
    ip -netns $ns_name link set $nic_guest up
    ip link set $nic_host up

    # Check veth links:
    echo "Host:"; ip -br a show dev $nic_host; echo "Net ns:"; ip -netns $ns_name -br a

  • Start tcpreplay inside created network namespace:
    ip netns exec $ns_name tcpreplay -l 0 -i $nic_guest /HOST/PATH/TO/dump.pcap
    
  • Now you should see the packets on the host in the testtcpreplay_1 veth interface;
  • Release:
    ip netns del $ns_name
    

Common notes on receiving replayed traffic (mostly UDP) on regular sockets. You need to check the following:

  • To receive IPv4 traffic, you need to install an IPv4 address on the host's veth interface. For example:
    ip a add 192.0.2.1 dev $nic_host
    
    To receive unicasts you should set the appropriate address. An IPv6 address should already be set automatically on the interface (link-local address).
  • The RP filter may need to be loosened or turned off (available variants):
    # Switch to loose mode, if you have default route on the host:
    echo 2 >/proc/sys/net/ipv4/conf/$nic_host/rp_filter
    

    # Or turn it off:
    echo 0 >/proc/sys/net/ipv4/conf/$nic_host/rp_filter
    echo 0 >/proc/sys/net/ipv4/conf/all/rp_filter

  • Add firewall rules or turn it off;
  • Are the checksums in IP and UDP/TCP correct in the pcap file? Wireshark can validate this;
  • And other things I don't know about. In this case pwru is a great tool to investigate the problem.
SergA
  • 348
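
The checksum item in the checklist above can also be checked offline. The following Python is an added example, not part of the original answer: it reads a classic pcap and verifies the IPv4 header checksum and the UDP checksum of each packet. It assumes Ethernet link type and untruncated packets; `check_pcap`, `build_frame`, `build_pcap` and the sample frames are constructed for illustration.

```python
import struct

def csum(data: bytes) -> int:
    """RFC 1071 Internet checksum; 0 means the embedded checksum verifies."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def check_pcap(blob: bytes) -> list:
    """(packet_no, ip_ok, udp_ok) per Ethernet/IPv4/UDP packet of a classic pcap."""
    little = blob[:4] in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1")
    fmt, results, off, no = ("<I" if little else ">I"), [], 24, 0
    while off + 16 <= len(blob):
        incl_len = struct.unpack(fmt, blob[off + 8:off + 12])[0]
        frame = blob[off + 16:off + 16 + incl_len]
        off, no = off + 16 + incl_len, no + 1
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue  # not IPv4 carrying UDP
        ihl, total_len = (frame[14] & 0x0F) * 4, struct.unpack("!H", frame[16:18])[0]
        ip, udp = frame[14:14 + ihl], frame[14 + ihl:14 + total_len]
        pseudo = ip[12:20] + struct.pack("!BBH", 0, 17, len(udp))
        # Over IPv4 a UDP checksum of 0 means "not computed" and is accepted.
        udp_ok = udp[6:8] == b"\x00\x00" or csum(pseudo + udp) == 0
        results.append((no, csum(ip) == 0, udp_ok))
    return results

def build_frame(payload: bytes, corrupt: bool = False) -> bytes:
    """Constructed sample frame: UDP 192.0.2.10:40000 -> 192.0.2.1:9999."""
    src, dst = bytes([192, 0, 2, 10]), bytes([192, 0, 2, 1])
    udp_len = 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 1, 0, 64, 17, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", csum(ip)) + ip[12:]
    udp = struct.pack("!HHHH", 40000, 9999, udp_len, 0) + payload
    good = csum(src + dst + struct.pack("!BBH", 0, 17, udp_len) + udp)
    udp = udp[:6] + struct.pack("!H", 0xBEEF if corrupt else good) + udp[8:]
    return bytes(12) + b"\x08\x00" + ip + udp

def build_pcap(frames) -> bytes:
    """Constructed little-endian pcap, linktype 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

SAMPLE = build_pcap([build_frame(b"hello"), build_frame(b"hello", corrupt=True)])
if __name__ == "__main__":
    print(check_pcap(SAMPLE))
```

To check a real capture, pass the file's bytes to `check_pcap`, for example `check_pcap(open(path, "rb").read())`.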