Replaying PCAP Dumps

Thu, 11 Mar 2010 08:35:40 -0500

Step 1) Collect data.

tcpdump -w logPackets.pcap tcp port 53

Step 2) Start up the virtual machine.

Step 3) Copy logPackets.pcap to VM.

Step 4) tcpreplay-edit -i eth0 --enet-dmac <your mac address on physical node> logPackets.pcap

 

If you're using an older copy of tcpreplay or do not have tcpreplay-edit installed, you can either use tcpprep to write a cache file that separates the client and server instances ... this will also be able to modify the destination MAC address. Alternatively, you can use macchanger and just change the MAC address on your physical Ethernet device. Either way works.
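The destination-MAC rewrite that --enet-dmac performs in step 4, applied offline to the capture file as an added Python example (not from the original post and not tcpreplay's own code). It handles classic pcap files with Ethernet frames only; sample_pcap(), its addresses and the 02:00:00:00:00:01 MAC are constructed for illustration.

```python
import re
import struct

# Classic pcap magic numbers (microsecond and nanosecond), mapped to byte order.
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",
          b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}

def parse_mac(text):
    """Convert 'aa:bb:cc:dd:ee:ff' to 6 raw bytes; reject anything else."""
    if not re.fullmatch(r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}", text):
        raise ValueError("bad MAC address: %r" % text)
    return bytes.fromhex(text.replace(":", ""))

def rewrite_dmac(pcap, dmac):
    """Return (new_pcap_bytes, frame_count) with each frame's destination MAC replaced."""
    order = MAGICS.get(pcap[:4])
    if order is None or len(pcap) < 24:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack(order + "I", pcap[20:24])[0] != 1:  # 1 = LINKTYPE_ETHERNET
        raise ValueError("capture is not Ethernet")
    out, pos, count = bytearray(pcap[:24]), 24, 0
    while pos < len(pcap):
        header = pcap[pos:pos + 16]  # ts_sec, ts_usec, incl_len, orig_len
        if len(header) < 16:
            raise ValueError("truncated record header")
        incl_len = struct.unpack(order + "I", header[8:12])[0]
        frame = pcap[pos + 16:pos + 16 + incl_len]
        if len(frame) < incl_len:
            raise ValueError("truncated frame")
        # The destination MAC is the first 6 bytes of an Ethernet frame.
        out += header + (dmac + frame[6:] if incl_len >= 6 else frame)
        pos += 16 + incl_len
        count += 1
    return bytes(out), count

def sample_pcap():
    """Constructed two-frame capture (made-up addresses and payloads)."""
    data = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for payload in (b"\x00\x01\x02\x03", b"\x04\x05\x06\x07"):
        frame = bytes.fromhex("aabbccddeeff" "001122334455" "0800") + payload
        data += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return data

if __name__ == "__main__":
    new, n = rewrite_dmac(sample_pcap(), parse_mac("02:00:00:00:00:01"))
    print(n, "frames rewritten; first dmac is now", new[40:46].hex(":"))
```

Rewriting only the Ethernet destination leaves the IP and TCP headers, and therefore their checksums, untouched.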


  • About The Author
  • This is the definitive blog for the musings of Brian Smith. I've been a programmer / sys admin for most of my life. I don't have much to say, I work, I enjoy my family, and every once in awhile I'll dump a little something I want to keep track of here.
