How to block a pcap pumped by tcpreplay from one server by iptables on the other?


I am new to Stack Exchange. What I am trying to do is this: I am pumping traffic from one server (server 1) with the following command: tcpreplay -i ens3 ~/daniel/sipdump.pcap

And I am capturing the traffic on server 2 with tcpdump -i ens3 -nn. I want to block all SIP traffic, which by default uses port 5060 as source or destination.

But the IP in the pcap is not the destination IP: my server 2 IP is different (192.168.101.5). As I am pumping a pcap, the IPs (source and destination) are different.

[root@serevr1]# tshark -r outbound_incoming1.pcap

  1          0 172.16.130.119 -> 172.16.130.119 SIP/SDP 561 Request: INVITE sip:sandeep@com:5060 | 
  2          0 172.16.130.119 -> 172.16.130.119 SIP 358 Status: 100 OK | 
  3          0 172.16.130.119 -> 172.16.130.119 SIP 358 Status: 183 OK | 
  4          0 172.16.130.119 -> 172.16.130.119 SIP 439 Request: PRACK sip:sandeep@com:5060 | 
  5          0 172.16.130.119 -> 172.16.130.119 SIP 364 Status: 200 OK | 
  6          0 172.16.130.119 -> 172.16.130.119 SIP 364 Status: 180 OK | 
  7          3 172.16.130.119 -> 172.16.130.119 SIP/SDP 529 Status: 200 OK | 
  8          3 172.16.130.119 -> 172.16.130.119 SIP 398 Request: ACK sip:sandeep@com:5060 | 
  9          6 172.16.130.119 -> 172.16.130.119 SIP 385 Request: BYE sip:kapil@com:5060 | 
 10          6 172.16.130.119 -> 172.16.130.119 SIP 346 Status: 200 OK | 

I want to drop/accept the SIP traffic, which consists of UDP packets, in iptables, but I am not able to do so.

Please help me out to do so.

Debiprasanna Mohanty

Posted 2019-01-23T13:10:47.833

Reputation: 1

Answers


Try using tcpreplay-edit to modify the destination MAC and destination IP to match your destination server. Or you can use tcprewrite (also part of the Tcpreplay suite) to modify the destination MAC/IP of your PCAP file. Either way, your server will reject all other traffic (except broadcast packets).

Note that if the target is a TCP application, simply changing the MAC and IP address is not sufficient. During the TCP handshake, random sequence numbers are negotiated by client and server, so just pushing a PCAP file will not suffice. In those cases you may be able to use tcpliveplay, but that will require a very specially crafted PCAP file.

fredk

Posted 2019-01-23T13:10:47.833

Reputation: 101

Changing the MAC won't help, as we are doing port mirroring and dumping the packets on the mirrored port where I am sniffing/filtering all SIP packets. – Debiprasanna Mohanty – 2019-01-31T05:02:05.717

HOST A--------->SWITCH-------->HOST B – Debiprasanna Mohanty – 2019-01-31T05:13:26.383

SWITCH-->Mirrored Port-->Sniffing application – Debiprasanna Mohanty – 2019-01-31T05:15:00.787
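To make the two mechanics in this thread concrete, here is an added example (not code from the question, the answer, or the Tcpreplay project) in pure Python. It builds a small pcap in memory modelled on the tshark listing, rewrites each frame's destination MAC and IP the way the answer's tcprewrite suggestion (its --enet-dmac and --dstipmap options) would, and applies the same packet predicate that an iptables rule such as iptables -A INPUT -p udp -m multiport --ports 5060 -j DROP uses. HOST_B_IP is server 2's address from the question; HOST_B_MAC is a placeholder for its NIC address; the pcap parser/builder and the sample frames are constructed for this example.

```python
# Added example, not code from the thread: an offline model of what
# tcprewrite --enet-dmac/--dstipmap change in a pcap, and of the packet
# predicate an `iptables -p udp -m multiport --ports 5060` rule applies.
import struct

SIP_PORT = 5060
HOST_B_IP = "192.168.101.5"       # server 2's address, from the question
HOST_B_MAC = "52:54:00:aa:bb:cc"  # placeholder for server 2's NIC address


def ip_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum over an IPv4 header (always even length);
    returns 0 when the embedded checksum field is already correct."""
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))

def ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))

def build_udp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Ethernet/IPv4/UDP frame; a UDP checksum of 0 means 'none' on IPv4."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17,
                         0, ip_bytes(src_ip), ip_bytes(dst_ip))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ip_checksum(ip_hdr)) + ip_hdr[12:]
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + b"\x08\x00" + ip_hdr + udp

def build_pcap(frames) -> bytes:
    """Classic libpcap file: 24-byte global header (linktype 1 = Ethernet),
    then a 16-byte record header before each frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in frames:
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

def iter_pcap(data: bytes):
    """Yield (timestamp, frame) per record, honouring either byte order."""
    endian = "<" if struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4 else ">"
    off = 24
    while off + 16 <= len(data):
        ts, _, incl, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        yield ts, data[off + 16:off + 16 + incl]
        off += 16 + incl

def parse_frame(frame: bytes):
    """(dst_mac, dst_ip, ip_proto, sport, dport) for an IPv4 frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
    sport = dport = None
    if proto == 17 and len(frame) >= 14 + ihl + 4:
        sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
    return (":".join("%02x" % b for b in frame[:6]),
            ".".join(str(b) for b in frame[30:34]), proto, sport, dport)

def matches_sip_rule(frame: bytes) -> bool:
    """Same predicate as `-p udp -m multiport --ports 5060` (source or destination)."""
    p = parse_frame(frame)
    return p is not None and p[2] == 17 and SIP_PORT in (p[3], p[4])

def rewrite_dst(frame: bytes, new_mac: str, new_ip: str) -> bytes:
    """Swap dst MAC and dst IP, refresh the IP checksum, and zero the UDP
    checksum (legal on IPv4) so the stale value cannot invalidate the datagram."""
    ihl = (frame[14] & 0x0F) * 4
    ip_hdr = bytearray(frame[14:14 + ihl])
    ip_hdr[16:20] = ip_bytes(new_ip)
    ip_hdr[10:12] = b"\x00\x00"
    ip_hdr[10:12] = struct.pack("!H", ip_checksum(bytes(ip_hdr)))
    rest = bytearray(frame[14 + ihl:])
    if frame[23] == 17 and len(rest) >= 8:
        rest[6:8] = b"\x00\x00"
    return mac_bytes(new_mac) + frame[6:14] + bytes(ip_hdr) + bytes(rest)

def rewrite_pcap(data: bytes, new_mac: str, new_ip: str) -> bytes:
    return build_pcap([(ts, rewrite_dst(f, new_mac, new_ip) if parse_frame(f) else f)
                       for ts, f in iter_pcap(data)])

def classify(data: bytes):
    """[(dst_mac, dst_ip, matched_by_5060_rule), ...] for every frame in the pcap."""
    rows = []
    for _, f in iter_pcap(data):
        p = parse_frame(f)
        rows.append((p[0], p[1], matches_sip_rule(f)) if p else (None, None, False))
    return rows

# Constructed sample modelled on the tshark listing: two SIP datagrams between
# 172.16.130.119 and itself, plus one DNS datagram the rule must leave alone.
_A, _B = "02:00:00:00:00:01", "02:00:00:00:00:02"
SAMPLE_PCAP = build_pcap([
    (0, build_udp_frame(_A, _B, "172.16.130.119", "172.16.130.119", 5060, 5060,
                        b"INVITE sip:sandeep@com:5060 SIP/2.0\r\n\r\n")),
    (0, build_udp_frame(_B, _A, "172.16.130.119", "172.16.130.119", 5060, 5060,
                        b"SIP/2.0 200 OK\r\n\r\n")),
    (1, build_udp_frame(_A, _B, "172.16.130.119", "192.0.2.53", 40000, 53, b"\x00\x01")),
])
```

Running classify(SAMPLE_PCAP) shows the two SIP frames matching the port-5060 predicate and the DNS frame not matching, while classify(rewrite_pcap(SAMPLE_PCAP, HOST_B_MAC, HOST_B_IP)) shows every frame now addressed to server 2 with a valid IP checksum. The rewrite matters for iptables because the Linux IP layer discards frames whose destination MAC is not the receiving interface's own (or broadcast/multicast) before any netfilter hook runs: traffic seen only on a mirror port is visible to tcpdump in promiscuous mode but never reaches the INPUT chain. In the port-mirroring setup from the comments, the port-5060 filter therefore has to live in the sniffing application itself (for instance a capture filter such as udp port 5060, which matches either source or destination port) rather than in iptables.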