11

I have some data packets captured using tcpdump in a pcap file. Now I want to send those packets to another destination. How can I achieve this?

Lakal Malimage

2 Answers

17

I wanted to capture some SNMP traps and keep them to test my application later. So I don't want to generate traps each time I wanted to test my application. I would like to post how I have done this. Hope this may help someone.

1) Capturing one packet with destination host 192.168.159.149 and port 1620 and saving it to a file

```
tcpdump -n -c 1 -s 0 -i eth0 -w snmp.pcap dst host 192.168.159.149 and port 1620
```

2) Reading captured packet

```
tcpdump -r snmp.pcap -X
```

3) Changing destination IP, MAC and checksum

```
tcprewrite --infile=snmp.pcap --outfile=snmp2.pcap --dstipmap=192.168.159.149:192.168.159.150 --enet-dmac=00:0c:29:d6:0f:61 --fixcsum
```

4) Replaying

```
tcpreplay --intf1=eth0 snmp2.pcap
```

Lakal Malimage
  • 1
    This was great; I wanted to replay some IPFIX data from a production device into Logstash in a development VM. I did find I needed to rewrite the source address as well, otherwise I ended up with martians in the environment I was trying to replay into. (`echo 1 > /proc/sys/net/ipv4/conf/enp0s8/log_martians` will enable log_martians, which can be a useful troubleshooting tool.) Also, if using VirtualBox, ensure you connect via 'Internal Network' and not 'Host Only Networking'. Also worth noting, you must send from a different machine than the one you capture on, due to limitations in packet injection. – Cameron Kerr Apr 23 '17 at 21:06
  • But how do you do that to the nth packet though? – Hi-Angel Dec 22 '19 at 16:59
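
What step 3 of the answer above (`tcprewrite ... --dstipmap ... --enet-dmac ... --fixcsum`) has to do to each packet, as an added Python example that is not part of the original answer and is not tcprewrite's code: it sets a new destination MAC and IP on an Ethernet/IPv4/UDP frame and recomputes the IPv4 header and UDP checksums. The frame, its source address 192.168.159.1, source port 40000 and payload are constructed, and the function names are hypothetical.

```python
import socket, struct

def csum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def split(frame: bytes):
    """Return (IPv4 header, UDP datagram) of an untagged Ethernet/IPv4/UDP frame."""
    if frame[12:14] != b"\x08\x00" or frame[23] != 17:
        raise ValueError("only untagged Ethernet/IPv4/UDP frames are handled")
    ihl = (frame[14] & 0x0F) * 4
    end = 14 + struct.unpack("!H", frame[16:18])[0]   # IP total length; excludes padding
    return bytearray(frame[14:14 + ihl]), bytearray(frame[14 + ihl:end])

def pseudo(ip, udp) -> bytes:
    """IPv4 pseudo-header (src, dst, 0, proto 17, UDP length) followed by the datagram."""
    return bytes(ip[12:20]) + struct.pack("!BBH", 0, 17, len(udp)) + bytes(udp)

def rewrite(frame: bytes, dst_ip: str, dst_mac: str) -> bytes:
    """Set a new destination IP and MAC, then recompute both checksums."""
    ip, udp = split(frame)
    ip[16:20] = socket.inet_aton(dst_ip)
    ip[10:12] = b"\x00\x00"                           # checksum field is zero while summing
    ip[10:12] = struct.pack("!H", csum(bytes(ip)))
    udp[6:8] = b"\x00\x00"
    udp[6:8] = struct.pack("!H", csum(pseudo(ip, udp)) or 0xFFFF)  # 0 would mean "none"
    return bytes.fromhex(dst_mac.replace(":", "")) + frame[6:14] + bytes(ip) + bytes(udp)

def checksums_ok(frame: bytes) -> bool:
    """Receiver-side check: each checksum verifies to 0 over the bytes it covers."""
    ip, udp = split(frame)
    return csum(bytes(ip)) == 0 and csum(pseudo(ip, udp)) == 0

def sample_frame() -> bytes:
    """Constructed frame (not from a real capture): UDP to 192.168.159.149:1620."""
    udp = struct.pack("!HHHH", 40000, 1620, 24, 0) + b"constructed-trap"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                     socket.inet_aton("192.168.159.1"), socket.inet_aton("192.168.159.149"))
    return rewrite(bytes(12) + b"\x08\x00" + ip + udp, "192.168.159.149", "00:0c:29:aa:bb:cc")

if __name__ == "__main__":
    old = sample_frame()
    naive = old[:30] + socket.inet_aton("192.168.159.150") + old[34:]  # IP changed, no fix
    fixed = rewrite(old, "192.168.159.150", "00:0c:29:d6:0f:61")
    print(checksums_ok(old), checksums_ok(naive), checksums_ok(fixed))
```

The `naive` frame shows why `--fixcsum` is in the command: changing only the address bytes leaves checksums that no longer verify, so the receiving stack discards the packet.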
1

You'll need to use a tool that's capable of replaying pcap files. No special trick to it. An example would be tcpreplay. A simple search for "replay pcap file" will turn up even more tools gloriously up to date within the very second that you hit enter in your search engine of choice.

Wesley