Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Bug]: TCPReplay: SLL Link Layer PCAP is not being replayed properly #906

Open
iago-silva-unvoid opened this issue Nov 4, 2024 · 3 comments

Comments

@iago-silva-unvoid
Copy link

iago-silva-unvoid commented Nov 4, 2024

Describe the bug
When replaying a PCAP file with a Linux SLL (Linux cooked capture) link layer using tcpreplay (command: tcpreplay -i $interface 2411_SEL_Protocol_AutoConfig.pcap), the result observed in Wireshark does not display the expected telnet data that the file contains (see screenshot 1). However, opening the same file directly in Wireshark displays the expected Telnet data (see screenshot 2).

Screenshots

  • Screenshot 1: Output observed in Wireshark after replaying the file.
    Screenshot from 2024-11-04 09-14-53

  • Screenshot 2: Expected output: Opening the file directly in Wireshark.
    Screenshot from 2024-11-04 09-15-13

To Reproduce
Steps to reproduce the behavior:

  1. Use a PCAP file with a Linux SLL link layer (e.g., 2411_SEL_Protocol_AutoConfig.zip).
  2. Run tcpreplay on the file with the command tcpreplay -i $interface 2411_SEL_Protocol_AutoConfig.pcap.
  3. Observe the output in Wireshark.
  4. Compare with the output of directly opening the file in Wireshark.

Expected behavior
The replayed packets should contain the Telnet data as expected when viewing in Wireshark, similar to the output seen in opening the file directly in Wireshark.

System

  • OS: Ubuntu
  • OS version: 24.04
  • Tcpreplay Version: Tested on versions 4.4.4 and 4.5.1

Additional context
Kernel version: 6.8.0-48-generic. Both tested versions of tcpreplay show the same behavior with no Telnet data in the replayed traffic on Wireshark, despite the file displaying correctly when opening the file directly in Wireshark.

@GabrielGanne
Copy link
Contributor

Hi @iago-silva-unvoid

tcpreplay is assuming Ethernet, but the pcap is written with Linux Cooked Capture (SLL). Since this is the link layer it's causing issues.
For example you can notice that SLL has a source mac address but no destination.
Captures with SLL are usually made when capturing with tcpdump -i any. Capturing when specifying an interface will default to capturing with Ethernet (enet).

You can list the available link types of an interface with the command

tcpdump --list-data-link-types -i <iface>

You can rewrite your pcap to use enet link layer using tcprewrite with a command like this

# optionally add option --enet-dmac if you also wish to add a custom mac addr.
# Otherwise it'll be null.
tcprewrite --dlt=enet -i <pcap-in> -o <pcap-out>

If you replay the resulting pcap (same as you did) you should see Telnet the way you expect it.

IMHO tcpreplay should not have an option to combine the two commands above, but maybe tcpreplay-edit should. I'm not sure.

Hope it helps.
Best regards

@iago-silva-unvoid
Copy link
Author

Hey @GabrielGanne, thanks for the quick response!

I followed your suggestion, and while I can see the Telnet data, the IP packet still seems to be missing.

Here’s a screenshot of the file contents:
Screenshot from 2024-11-07 16-53-14
And here’s the result of replaying the modified pcap:
Screenshot from 2024-11-07 16-51-28
If I have an application that expects both the IP of the packet and the data, it would end up skipping these packets due to the missing IP information.

Any ideas on how to include the IP packet or troubleshoot this further?

@GabrielGanne
Copy link
Contributor

I'm sorry, there' something about your answer that doesn't make sense to me: if your IP layer is missing, then you should not be able to decode and see Telnet.

I cannot reproduce your issue with tcpreplay 4.5.1.
I assume the 1st screenshot is the result of the tcprewrite command, and the second the result of the tcpdump command while replaying the modified pcap.
The screenshot you posted hints at you replaying the original SLL file instead of the one re-written to be based on Ethernet. Could you double check please ?

If I'm mistaken, please post your intermediary files and I'll have a look.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants