Wireshark is a useful tool that we often use at Captain AI to monitor network traffic on a vessel. It can be useful to see at a very fine-grained level what packets are being sent, what's in them and to whom they were addressed. It's not even necessarily always packets meant for you, which is why it's also a tool sometimes employed by techies of a more, eh, dubious nature. Wireshark also has the ability to sniff out packets that you would not usually detect in code because they didn't manage to get past the firewall, the MAC address was incorrect, or for any other reason. Usually, Wireshark will still show them, which I find quite amazing, and very useful. It's kind of the final litmus test of networking: if Wireshark doesn't see it, it's probably really not there.

When you start a Wireshark session by clicking the shark-finned play button (see what they did there?!), it will collect all the data according to your filters. I am not going to dive into how all this works; there are plenty of good resources for that on the internet. What I did want to discuss quickly is how to replay this information.

Capturing is one thing, but it is often interesting to replay that data back into a network, often not quite the same network as before. This means the IP addresses and the MAC addresses need to be rewritten. TCPRewrite can be used to modify pcap files and is part of the tcpreplay suite. Install it on Ubuntu using apt-get install tcprewrite or on Mac using brew install tcpreplay.

For us, and I think for many folks, the use case is that you simply want to replay your pcap data back to yourself, so that regardless of the original target IP address it should now be set to your own IP. Usually you would want to use the loopback device for this, but I had trouble getting that to work (Wireshark would then show those packets as N/A), so I resorted to using my regular network interface. You can find your IP address with ifconfig on Mac and Linux. It will usually output quite a few interfaces: Docker might have one, as might your ethernet, wireless, VPN, etc. Just find the one you want to play back on, often the one that actually has an inet address set. After some toying around with ifconfig I found my IP address and issued a rewrite like this:

tcprewrite -infile file.pcap -outfile file-2.pcap -dstipmap '0.0.0.0/0:' -srcipmap '0.0.0.0/0:'

The interesting parameters here are the IP maps; these key-value pairs map old addresses to new ones. NOTE: Make sure you don't use the same outfile as the infile; it will not work and will corrupt your file!
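To make the IP-map semantics concrete, here is an added example (my own code, not from the original post and not part of the tcpreplay suite) that does for IPv4 what the --srcipmap/--dstipmap options do: it walks a classic pcap file, matches each packet's source and destination address against a CIDR-to-address map (0.0.0.0/0 matches everything, which is how "send it all to me" is expressed), rewrites them, and recomputes the IPv4 header checksum so Wireshark does not flag the replayed packets as corrupt. Everything is standard library; the two-packet capture is constructed inline, not recorded, and 172.16.0.9 is a hypothetical stand-in for whatever address ifconfig reports on your interface. It also shows the one thing the CLI hides: non-IPv4 frames (ARP here) pass through untouched.

```python
"""Minimal IPv4 pcap address rewriter: an added example, not the blog's or tcpreplay's code.
Mirrors tcprewrite's --srcipmap/--dstipmap for classic pcap files with Ethernet framing:
addresses inside a mapped CIDR block are replaced and the IPv4 header checksum is recomputed.
Standard library only; the sample capture is constructed here, not recorded from a network."""
import ipaddress
import struct

PCAP_MAGIC = 0xA1B2C3D4   # classic pcap with microsecond timestamps (pcapng is not handled)
ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800

def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 ones-complement sum; yields 0 when run over a header whose checksum field is correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_ipmap(spec: str):
    """Parse a tcprewrite-style 'old_cidr:new_ip[,old_cidr:new_ip...]' map into (network, address) pairs."""
    pairs = []
    for item in spec.split(","):
        old, new = item.split(":")
        pairs.append((ipaddress.ip_network(old, strict=False), ipaddress.ip_address(new)))
    return pairs

def map_address(packed: bytes, ipmap) -> bytes:
    """Replacement address for the first matching block, or the original address if none matches."""
    addr = ipaddress.ip_address(packed)
    for network, replacement in ipmap:
        if addr in network:
            return replacement.packed
    return packed

def is_ipv4_frame(frame: bytes) -> bool:
    # Ethernet II frame carrying at least a minimal (20-byte) IPv4 header
    return len(frame) >= ETH_HDR_LEN + 20 and struct.unpack("!H", frame[12:14])[0] == ETHERTYPE_IPV4

def rewrite_frame(frame: bytes, srcmap, dstmap) -> bytes:
    """Rewrite src/dst of one Ethernet/IPv4 frame; ARP, IPv6 and runt frames pass through untouched."""
    if not is_ipv4_frame(frame):
        return frame
    ihl = (frame[ETH_HDR_LEN] & 0x0F) * 4
    ip_hdr = bytearray(frame[ETH_HDR_LEN:ETH_HDR_LEN + ihl])
    ip_hdr[12:16] = map_address(bytes(ip_hdr[12:16]), srcmap)
    ip_hdr[16:20] = map_address(bytes(ip_hdr[16:20]), dstmap)
    ip_hdr[10:12] = b"\x00\x00"            # zero the checksum field, then recompute it
    ip_hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(ip_hdr)))
    return frame[:ETH_HDR_LEN] + bytes(ip_hdr) + frame[ETH_HDR_LEN + ihl:]

def iter_records(data: bytes):
    """Yield (endian, (ts_sec, ts_usec, incl_len, orig_len), frame) for each record in a classic pcap."""
    endian = next((e for e in ("<", ">") if struct.unpack(e + "I", data[:4])[0] == PCAP_MAGIC), None)
    if endian is None:
        raise ValueError("not a classic microsecond pcap file")
    pos = 24                                # skip the 24-byte global header
    while pos + 16 <= len(data):
        hdr = struct.unpack(endian + "IIII", data[pos:pos + 16])
        yield endian, hdr, data[pos + 16:pos + 16 + hdr[2]]
        pos += 16 + hdr[2]

def rewrite_pcap(data: bytes, srcmap_spec: str, dstmap_spec: str) -> bytes:
    """Return new pcap bytes with every IPv4 packet's addresses rewritten according to the two maps."""
    srcmap, dstmap = parse_ipmap(srcmap_spec), parse_ipmap(dstmap_spec)
    out = bytearray(data[:24])              # global header is copied unchanged
    for endian, (ts_sec, ts_usec, _incl, orig_len), frame in iter_records(data):
        new_frame = rewrite_frame(frame, srcmap, dstmap)
        out += struct.pack(endian + "IIII", ts_sec, ts_usec, len(new_frame), orig_len) + new_frame
    return bytes(out)

def ip_endpoints(data: bytes):
    """[(src, dst, checksum_ok), ...] for every IPv4 packet; handy for checking the result of a rewrite."""
    result = []
    for _, _, frame in iter_records(data):
        if is_ipv4_frame(frame):
            ip_hdr = frame[ETH_HDR_LEN:ETH_HDR_LEN + (frame[ETH_HDR_LEN] & 0x0F) * 4]
            result.append((str(ipaddress.ip_address(ip_hdr[12:16])),
                           str(ipaddress.ip_address(ip_hdr[16:20])), ipv4_checksum(ip_hdr) == 0))
    return result

def build_sample_pcap() -> bytes:
    """Constructed two-record capture: a UDP datagram 10.0.0.5 -> 192.168.1.20, then a zeroed ARP frame."""
    global_hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    eth = bytes.fromhex("001122334455 66778899aabb")                        # dst MAC, src MAC (made up)
    udp = struct.pack("!HHHH", 40000, 5000, 13, 0) + b"hello"
    ip_hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                                   ipaddress.ip_address("10.0.0.5").packed,
                                   ipaddress.ip_address("192.168.1.20").packed))
    ip_hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(ip_hdr)))
    frames = (eth + struct.pack("!H", ETHERTYPE_IPV4) + bytes(ip_hdr) + udp,
              eth + struct.pack("!H", 0x0806) + bytes(28))
    records = b"".join(struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
                       for i, f in enumerate(frames))
    return global_hdr + records

if __name__ == "__main__":
    original = build_sample_pcap()
    # Same effect as the post's command with your own address after each colon;
    # 172.16.0.9 is a hypothetical stand-in for whatever ifconfig reports on your interface.
    rewritten = rewrite_pcap(original, "0.0.0.0/0:172.16.0.9", "0.0.0.0/0:172.16.0.9")
    print("before:", ip_endpoints(original))
    print("after: ", ip_endpoints(rewritten))
```

Because the script builds the rewritten capture in memory and only then returns the bytes, it also sidesteps the same-file pitfall from the note above: writing the result over the file you are still reading is what corrupts it, so always write to a separate outfile. The maps accept comma-separated lists, so a selective rewrite such as 192.168.0.0/16:127.0.0.1 leaves addresses outside that block alone, which is what you want when only one side of a conversation should be pointed at your own host.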