This question already has answers here:
Sending packets captured with Wireshark [closed]
(3 answers)
Closed 2 years ago.
I have some network traffic captured pcap file and want to send its packets on NIC; is it possible? Is there any application to do this?
You should be able to use some kind of replay application like tcpreplay.
bit-twist can do this.
Just install it and inject your packets like this:
# bittwist -i eth0 pcap-file.pcap
Yes, there is a way: sending a packet to a NIC means injecting it on an interface.
You can do this with the help of the libnet package on Linux. I myself am working on the same thing these days. Try Googling this term; you'll surely get some good stuff to share.
I use tcpreplay on Linux/FreeBSD, e.g.:
# tcpreplay -l 0 -i eth1 path-to-your-captured-file.pcap
-l: how many times to loop, 0 for infinite
-i: the interface you want to send out on
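The replay these answers describe, done by hand as an added example (not part of any answer above): it parses the classic pcap format that tcpreplay and bittwist read and writes each frame to a Linux AF_PACKET socket. Parsing needs no privileges; sending needs root and a lab interface. The loop semantics copied from `-l`, the interface name, and the two-frame sample capture are assumptions/constructed.

```python
import socket
import struct
import time

# file magic as read little-endian -> (struct byte-order prefix, ticks per second)
PCAP_MAGIC = {0xA1B2C3D4: ("<", 1_000_000), 0xD4C3B2A1: (">", 1_000_000),
              0xA1B23C4D: ("<", 1_000_000_000), 0x4D3CB2A1: (">", 1_000_000_000)}

def read_pcap(data: bytes):
    """Yield (timestamp_seconds, frame_bytes) for each record of a classic pcap blob."""
    if len(data) < 24 or struct.unpack("<I", data[:4])[0] not in PCAP_MAGIC:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    endian, ticks = PCAP_MAGIC[struct.unpack("<I", data[:4])[0]]
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != 1:  # DLT_EN10MB: only Ethernet frames can go straight onto a NIC
        raise ValueError(f"unsupported link type {linktype}")
    off = 24
    while off + 16 <= len(data):
        sec, sub, incl, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl]
        if len(frame) < incl:
            raise ValueError("truncated record")
        off += incl
        yield sec + sub / ticks, frame

def replay(data: bytes, iface: str, loops: int = 1, keep_timing: bool = True) -> int:
    """Send every frame onto iface; loops=0 repeats forever like `tcpreplay -l 0`."""
    frames = list(read_pcap(data))
    sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW)  # Linux, needs CAP_NET_RAW
    sock.bind((iface, 0))
    sent, done = 0, 0
    while loops == 0 or done < loops:
        prev = None
        for ts, frame in frames:
            if keep_timing and prev is not None:
                time.sleep(max(0.0, ts - prev))  # reproduce the captured inter-packet gaps
            prev = ts
            sock.send(frame)
            sent += 1
        done += 1
    return sent

def build_sample_pcap() -> bytes:
    """Constructed two-frame capture (not a real trace) so the parser can run offline."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    frames = [(1, 0, b"\xff" * 6 + b"\x02" * 6 + b"\x08\x06" + b"\x00" * 28),   # ARP-sized
              (1, 500000, b"\xff" * 6 + b"\x02" * 6 + b"\x08\x00" + b"\x00" * 20)]  # IPv4-sized
    return hdr + b"".join(struct.pack("<IIII", s, u, len(f), len(f)) + f for s, u, f in frames)
```

Replaying into an IDS or honeynet segment, e.g. `replay(open("trace.pcap", "rb").read(), "eth1", loops=1)`, is the usual defender's use: it lets a detection rule be exercised against a recorded session without the original hosts.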
Related
I have an iOS application that remotely connects to 3 sockets (of some hardware). Each socket has its own priority. One channel is only used for transferring messages between the iPad app & the hardware, one for Tx/Rx images, another one for Tx/Rx videos. I had implemented all three sockets using the GCDAsyncSocket API & things worked fine while using MSGSocket/ImageSocket (OR) MSGSocket/VideoSocket, but when I start using VideoSocket/ImageSocket/MSGSocket simultaneously, this is where things go a little haywire. I lose packets of data. {Actually a chunk of the file goes missing :-(} I went through the API & found a bug in the API: Unable to complete Read Stream, which I assumed could be a cause of the problem. Hence I switched to threads & implemented the same using the NSThreads/CFSocket API.
I changed only the implementation for the ImageSocket/VideoSocket code using the NSThreads/CFSocket API & here is the implementation of the same, dropbox-ed. I'm just unable to understand where things are going wrong, whether it is at the iOS app end or at the server side. In my understanding there shall be no loss of packets in TCP communication.
Is there a way to debug this issue? Also I request you to go through the code & let me know if anything is wrong (I know this can be too much that I'm asking for, but I need some assurance as to whether the code implementation is correct). Any help to resolve this issue will be highly appreciated.
EDIT 1: After #JoeMcMahon Comment, I referred to this Technical Q&A & got a TCP Dump - trace.pcap file. I opened this tcp dump with Wireshark & it does show me the bytes transferred between the ports of hardware & iPad.
Also in the terminal when I stopped the tcp dump capture I saw these messages:
12463 packets captured
36469 packets received by filter
0 packets dropped by kernel
Can someone point out the difference between packets captured & packets received by filter?
Note - The TCP dump attached is not for a failed scenario.
EDIT 1.1: Found the answer to the difference between packets captured & packets received by filter here.
TCP communication is not guaranteed to be reliable. The basic ACK/SYN paradigm can break; that is why you have a re-transmission mechanism, etc. Wireshark reports such problems in your packet capture session.
When using Wireshark/tcpdump, you generally want to provide a filter, since the amount of traffic going through the wire is overwhelming (ping, NTP, etc.); you want to filter the capture with some basic filter to see only the packets that are relevant to you. The packets that are filtered out are not captured, hence the numerical difference.
If it is a chunk of a file that went missing, I doubt the issue is at the TCP level. Most likely something at a higher level went wrong. I would run a fixed-size file repeatedly through the channel until I can reliably reproduce the loss.
I have a packet capture and I'm trying to find out which program a download was made with, where would I go in the packet to find this information?
Thanks all!
Instead of looking for answers within the packet, you may want to look at which port the download was done through. That could give you more information, and faster.
I assume you know the destination IP address from which the file is downloaded. If it's something that you can catch while it's happening, or that you can trigger, then you could use netstat to determine the PID of the program that is handling that socket, after filtering the netstat output by the destination IP address.
Then you could use ps on Linux or Task Manager on Windows to know which program has that PID.
On Windows: How to determine which program uses or blocks specific transmission control protocol ports in Windows
Alternatively, if the packet capture is all you've got and it's not a recurring event, then if the download was done via HTTP you could check the headers of the HTTP request for info about the client in the User-Agent header.
Hope it helps.
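The netstat/ps step of this answer done by hand, as an added example that is not part of the answer: it walks /proc/net/tcp and /proc/<pid>/fd the way `netstat -p` does, tying the remote endpoint seen in the capture to the process that owns the socket. Linux-only, other users' processes need root; the sample /proc/net/tcp text is constructed and a little-endian host is assumed for the hex address decoding.

```python
import os
import socket
import struct

def _parse_hex_addr(field: str):
    """'0100007F:0050' -> ('127.0.0.1', 80). The kernel prints the IPv4 address as a
    native-order integer, so on x86/ARM (little-endian) the bytes come out reversed."""
    ip_hex, port_hex = field.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)

def sockets_to(lines, remote_ip: str, remote_port=None):
    """Inodes of ESTABLISHED sockets in /proc/net/tcp text whose peer matches."""
    inodes = []
    for line in lines[1:]:  # first line is the column header
        cols = line.split()
        if len(cols) < 10 or cols[3] != "01":  # st column: 01 == TCP_ESTABLISHED
            continue
        ip, port = _parse_hex_addr(cols[2])  # rem_address column
        if ip == remote_ip and (remote_port is None or port == remote_port):
            inodes.append(int(cols[9]))  # inode column
    return inodes

def pids_owning(inodes):
    """Scan /proc/<pid>/fd for 'socket:[inode]' links; returns {pid: comm}."""
    wanted = {f"socket:[{i}]" for i in inodes}
    owners = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            for fd in os.listdir(f"/proc/{pid}/fd"):
                if os.readlink(f"/proc/{pid}/fd/{fd}") in wanted:
                    with open(f"/proc/{pid}/comm") as f:
                        owners[int(pid)] = f.read().strip()
        except OSError:  # process exited, or not readable without root
            continue
    return owners

def find_downloader(remote_ip: str, remote_port=None):
    """Live lookup: which running program holds a TCP connection to remote_ip[:port]."""
    with open("/proc/net/tcp") as f:
        return pids_owning(sockets_to(f.read().splitlines(), remote_ip, remote_port))

# Constructed sample (not from a real host): one LISTEN socket and one ESTABLISHED
# connection from 10.0.2.15:54321 to 192.168.0.14:443 owned by inode 67890.
SAMPLE_PROC_NET_TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:D431 0E00A8C0:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 20 4 30 10 -1
""".splitlines()
```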
I would like to capture the "incoming" interface and "outgoing" interface for packets transiting through a software switch (assume it has 10 ports and I want to know which of those 10 interfaces a particular packet came from). I can't seem to find any way to get "tcpdump -i any" to output the arriving or outgoing interfaces. It only gives fields of the packet. Is there any other derivative of tcpdump (like tshark perhaps?) which will enable extracting the port information? The intention is tracing a packet flow path through a network. Regards.
tcpdump 4.10 should include this feature (hasn't been released as of today).
Meanwhile you can use Sebastian Haas's script.
Just curious to see if there is a Lua way to ping a server without using os.execute. The purpose is to see if a server is up.
I checked the Lua sockets library, but I don't think ICMP is supported? Any idea?
You can use io.popen() to execute ping commands.
e.g.,
local handler = io.popen("ping -c 3 -i 0.5 10.10.10.10")  -- run ping, 3 probes 0.5 s apart
local response = handler:read("*a")                        -- read all of its output
handler:close()
print(response)
To the best of my knowledge, no, you can't send ICMP raw packets without root access. That's not a Lua limitation, it's an OS restriction.
To get root access, the best way is to have a small well tested program that's SUID root rather than changing your entire application with Lua to be SUID root. This means you'll end up using os.execute(). And rather than writing your own program, the OS provided ping seems to be a nice command for solving your issue.
I agree it's not ideal (especially since this creates OS specific code to handle the various ping commands). But without a SUID function call, I don't think there's any better way.
I'm working on an embedded Linux system in C. I'm looking for the source code to the equivalent of SendARP in Windows. Any pointers?
Take a look at arping. The quick and dirty way of sending an arp would be to do:
foo = system("/somepath/arping somehost");
But a look through the arping source should be able to give you a better solution.
For the all-out solution though, you can construct your own by hand and use either a raw socket or libpcap to send it.
BTW, if all you're trying to do is force an ARP to be sent (but necessarily from you), you could achieve that by deleting any ARP entry that you already have for your host. The next access to that address will require an ARP to be sent.
e.g. /usr/sbin/arp -d destination_host_ip
This may be of interest: http://cvs.linux-ha.org/viewcvs/viewcvs.cgi/linux-ha/resources/heartbeat/SendArp.in?rev=1.4
It is an implementation in a Bourne shell script.
I've never seen anything specifically for ARP, but I think you can send any kind of packet you want using libpcap and the appropriate RFCs.
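An added example, not from any answer here, of the "construct it by hand and use a raw socket" route: it lays out the Ethernet/ARP request from RFC 826 with struct, parses the reply, and sends it through a Linux AF_PACKET socket (root or CAP_NET_RAW needed). It is in Python rather than C for brevity; a C program does the same byte layout with packed structs. The MAC and IP addresses used are constructed placeholders.

```python
import socket
import struct

ETH_P_ARP = 0x0806

def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))

def build_arp_request(src_mac: str, src_ip: str, target_ip: str) -> bytes:
    """Broadcast Ethernet frame carrying a who-has ARP request (opcode 1)."""
    eth = struct.pack("!6s6sH", b"\xff" * 6, mac_bytes(src_mac), ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s",
                      1,        # HTYPE: Ethernet
                      0x0800,   # PTYPE: IPv4
                      6, 4,     # hardware / protocol address lengths
                      1,        # OPER: request
                      mac_bytes(src_mac), socket.inet_aton(src_ip),   # sender
                      b"\x00" * 6, socket.inet_aton(target_ip))       # target MAC unknown
    return eth + arp

def parse_arp_reply(frame: bytes):
    """(sender_mac, sender_ip) from an ARP reply frame, or None if it is not one."""
    if len(frame) < 42 or frame[12:14] != struct.pack("!H", ETH_P_ARP):
        return None
    if struct.unpack("!H", frame[20:22])[0] != 2:  # OPER: reply
        return None
    sha, spa = frame[22:28], frame[28:32]
    return ":".join(f"{b:02x}" for b in sha), socket.inet_ntoa(spa)

def send_arp(iface: str, src_mac: str, src_ip: str, target_ip: str, timeout=1.0):
    """Send the request on iface and return the target's MAC, or None on timeout."""
    sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ARP))
    sock.bind((iface, 0))  # Linux only
    sock.settimeout(timeout)
    sock.send(build_arp_request(src_mac, src_ip, target_ip))
    try:
        while True:
            reply = parse_arp_reply(sock.recv(2048))
            if reply and reply[1] == target_ip:  # ignore unrelated ARP traffic
                return reply[0]
    except socket.timeout:
        return None
```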