[Bug]: TCPReplay: SLL Link Layer PCAP is not being replayed properly #906
Comments
tcpreplay is assuming Ethernet, but the pcap is written with Linux Cooked Capture (SLL). Since this is the link layer it's causing issues. You can list the available link types of an interface with the command

You can rewrite your pcap to use enet link layer using

```
# optionally add option --enet-dmac if you also wish to add a custom mac addr.
# Otherwise it'll be null.
tcprewrite --dlt=enet -i <pcap-in> -o <pcap-out>
```

If you replay the resulting pcap (same as you did) you should see Telnet the way you expect it. IMHO

Hope it helps.
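To make the link-layer mismatch described in the comment above concrete, here is an added example (not part of the thread and not tcpreplay's code) that reads the link type from a pcap global header and swaps each 16-byte SLL header for a 14-byte Ethernet header. It assumes a classic pcap file (not pcapng), SLL version 1, and a protocol field holding an EtherType; taking the source MAC from the SLL address field and the helper names are choices made for this sketch.

```python
import struct

LINKTYPE_ETHERNET, LINKTYPE_LINUX_SLL = 1, 113   # pcap link-layer header types
SLL_LEN, ETH_LEN = 16, 14                         # header sizes in bytes

def _order(pcap: bytes) -> str:
    """Return the struct byte-order prefix from the pcap magic number."""
    magic = pcap[:4]
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
        return "<"
    if magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        return ">"
    raise ValueError("not a classic pcap file")

def linktype(pcap: bytes) -> int:
    """Link type from the 24-byte global header (what the replayer must honour)."""
    return struct.unpack(_order(pcap) + "I", pcap[20:24])[0]

def sll_to_ethernet(pcap: bytes, dmac: bytes = bytes(6)) -> bytes:
    """Swap each 16-byte SLL header for a 14-byte Ethernet header."""
    e = _order(pcap)
    if linktype(pcap) != LINKTYPE_LINUX_SLL:
        raise ValueError("input is not a Linux cooked capture")
    out = bytearray(pcap[:20] + struct.pack(e + "I", LINKTYPE_ETHERNET))
    off = 24
    while off + 16 <= len(pcap):
        sec, frac, incl, orig = struct.unpack(e + "4I", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < SLL_LEN:
            continue                       # truncated record, nothing to convert
        # SLL v1: packet type, ARPHRD type, addr length, 8-byte addr, protocol
        _ptype, _hw, alen, addr, proto = struct.unpack("!HHH8sH", frame[:SLL_LEN])
        smac = addr[:6] if alen == 6 else bytes(6)   # assumption: reuse SLL address
        eth = dmac + smac + struct.pack("!H", proto) + frame[SLL_LEN:]
        out += struct.pack(e + "4I", sec, frac, len(eth), orig - (SLL_LEN - ETH_LEN)) + eth
    return bytes(out)

def sample_sll_pcap() -> bytes:
    """Constructed one-packet SLL capture; the payload is a stand-in IPv4 header."""
    ip = bytes.fromhex("4500001400000000400600000a0000010a000002")
    sll = struct.pack("!HHH8sH", 0, 1, 6, bytes.fromhex("0200000000010000"), 0x0800)
    rec = struct.pack("<4I", 1, 0, len(sll + ip), len(sll + ip)) + sll + ip
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_LINUX_SLL) + rec

if __name__ == "__main__":
    fixed = sll_to_ethernet(sample_sll_pcap())
    print(linktype(sample_sll_pcap()), "->", linktype(fixed))
```

The destination MAC defaults to all zeros here, matching the comment's note that it is null unless one is supplied.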
Hey @GabrielGanne, thanks for the quick response! I followed your suggestion, and while I can see the Telnet data, the IP packet still seems to be missing. Here’s a screenshot of the file contents: Any ideas on how to include the IP packet or troubleshoot this further?
I'm sorry, there's something about your answer that doesn't make sense to me: if your IP layer is missing, then you should not be able to decode and see Telnet. I cannot reproduce your issue with tcpreplay 4.5.1. If I'm mistaken, please post your intermediary files and I'll have a look.
Describe the bug

When replaying a PCAP file with a Linux SLL (Linux cooked capture) link layer using `tcpreplay` (command: `tcpreplay -i $interface 2411_SEL_Protocol_AutoConfig.pcap`), the result observed in Wireshark does not display the expected telnet data that the file contains (see screenshot 1). However, opening the same file directly in Wireshark displays the expected Telnet data (see screenshot 2).

Screenshots

Screenshot 1: Output observed in Wireshark after replaying the file.

Screenshot 2: Expected output: Opening the file directly in Wireshark.

To Reproduce

Steps to reproduce the behavior:

`tcpreplay` on the file with the command `tcpreplay -i $interface 2411_SEL_Protocol_AutoConfig.pcap`.

Expected behavior

The replayed packets should contain the Telnet data as expected when viewing in Wireshark, similar to the output seen in opening the file directly in Wireshark.
System

Additional context

Kernel version: 6.8.0-48-generic. Both tested versions of `tcpreplay` show the same behavior with no Telnet data in the replayed traffic on Wireshark, despite the file displaying correctly when opening the file directly in Wireshark.