headers
Jaime Nebrera | 25 May 2012 10:26
Gravatar

Split pcap in 2 directions

   Hi all,

   This is my first post to the list so please be gentle :D

   I have a pcap file including both directions traffic from a bunch of 
servers and clients. Im aware I can create a cache file of such pcap in 
order to "split" it in multiple ways. Actually I have already done so.

   The problem is, the final result is still a pcap file and a cache 
file, that yes, tcpreplay fully understands but maybe not other tools.

   From this pcap + cache combo I would like to "create" two distinct 
pcap files, one with all client -> server packets, the other with all 
server -> client packets

   How can I do this? Is it possible?

   Very thankful in advance. Regards

--

-- 
Jaime Nebrera - jnebrera <at> eneotecnologia.com
Consultor TI - ENEO Tecnologia SL
C/ Manufactura 2, Edificio Euro, Oficina 3N
Mairena del Aljarafe - 41927 - Sevilla	
Telf.- 955 60 11 60 / 619 04 55 18

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions
(Continue reading)

Permalink | Reply |
headers
James Bergeron | 25 May 2012 15:05
Favicon

Re: Split pcap in 2 directions

I would be easier to accomplish this using wireshark.  Simply open the 
pcap, filter on one direction save the displayed packets and repeat for 
the other side.

On 05/25/2012 04:26 AM, Jaime Nebrera wrote:
>     Hi all,
>
>     This is my first post to the list so please be gentle :D
>
>     I have a pcap file including both directions traffic from a bunch of
> servers and clients. Im aware I can create a cache file of such pcap in
> order to "split" it in multiple ways. Actually I have already done so.
>
>     The problem is, the final result is still a pcap file and a cache
> file, that yes, tcpreplay fully understands but maybe not other tools.
>
>     From this pcap + cache combo I would like to "create" two distinct
> pcap files, one with all client ->  server packets, the other with all
> server ->  client packets
>
>     How can I do this? Is it possible?
>
>     Very thankful in advance. Regards
>

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware
(Continue reading)

Permalink | Reply |
headers
Jaime Nebrera | 25 May 2012 15:23
Gravatar

Re: Split pcap in 2 directions

Interesting I didn't consider that

Still, the pcaps are big, like 1 to 2 Gb. Might be a bit too much for WS

Any way to do so from command line so I can automate it?

Enviado desde Xperia™ S

-------- Original Message --------
Subject: Re: [Tcpreplay-users] Split pcap in 2 directions
From: James Bergeron <james.bergeron <at> alcatel-lucent.com>
To: tcpreplay-users <at> lists.sourceforge.net
CC: 

I would be easier to accomplish this using wireshark.  Simply open the 
pcap, filter on one direction save the displayed packets and repeat for 
the other side.

On 05/25/2012 04:26 AM, Jaime Nebrera wrote:
>     Hi all,
>
>     This is my first post to the list so please be gentle :D
>
>     I have a pcap file including both directions traffic from a bunch of
> servers and clients. Im aware I can create a cache file of such pcap in
> order to "split" it in multiple ways. Actually I have already done so.
>
>     The problem is, the final result is still a pcap file and a cache
> file, that yes, tcpreplay fully understands but maybe not other tools.
>
(Continue reading)

Permalink | Reply |
headers
Ali Gouta | 25 May 2012 15:53
Picon

Re: Split pcap in 2 directions

Yeap you can Use tshark instead of Wireshark...

On Fri, May 25, 2012 at 3:23 PM, Jaime Nebrera <jnebrera <at> eneotecnologia.com> wrote:
Interesting I didn't consider that

Still, the pcaps are big, like 1 to 2 Gb. Might be a bit too much for WS

Any way to do so from command line so I can automate it?

Enviado desde Xperia™ S

-------- Original Message --------
Subject: Re: [Tcpreplay-users] Split pcap in 2 directions
From: James Bergeron <james.bergeron <at> alcatel-lucent.com>
To: tcpreplay-users <at> lists.sourceforge.net
CC:

I would be easier to accomplish this using wireshark.  Simply open the
pcap, filter on one direction save the displayed packets and repeat for
the other side.

On 05/25/2012 04:26 AM, Jaime Nebrera wrote:
>     Hi all,
>
>     This is my first post to the list so please be gentle :D
>
>     I have a pcap file including both directions traffic from a bunch of
> servers and clients. Im aware I can create a cache file of such pcap in
> order to "split" it in multiple ways. Actually I have already done so.
>
>     The problem is, the final result is still a pcap file and a cache
> file, that yes, tcpreplay fully understands but maybe not other tools.
>
>     From this pcap + cache combo I would like to "create" two distinct
> pcap files, one with all client ->  server packets, the other with all
> server ->  client packets
>
>     How can I do this? Is it possible?
>
>     Very thankful in advance. Regards
>

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Tcpreplay-users mailing list
Tcpreplay-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tcpreplay-users
Support Information: http://tcpreplay.synfin.net/trac/wiki/Support
------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Tcpreplay-users mailing list
Tcpreplay-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tcpreplay-users
Support Information: http://tcpreplay.synfin.net/trac/wiki/Support 

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Tcpreplay-users mailing list
Tcpreplay-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tcpreplay-users
Support Information: http://tcpreplay.synfin.net/trac/wiki/Support
Permalink | Reply |
headers
Michael Schultz | 25 May 2012 16:25
Picon
Gravatar

Re: Split pcap in 2 directions

On Fri, May 25, 2012 at 8:23 AM, Jaime Nebrera <jnebrera <at> eneotecnologia.com> wrote:

Still, the pcaps are big, like 1 to 2 Gb. Might be a bit too much for WS

Any way to do so from command line so I can automate it?

tcpdump should work.

The format would be something like:

    $ tcpdump -r <master-file> -w <client-file> src <client-ip>
    $ tcpdump -r <master-file> -w <server-file> src <server-ip>

The -r and -w flags tell tcpdump to read from and write to the respective files.

If you have other packets you could extend the BPF expressions by specifying the destination IP of the server or client.  This will only filter out packet with the client and server IPs (missing any ARP and some DHCP packets), but that probably won't be a problem.

--michael
------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Tcpreplay-users mailing list
Tcpreplay-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tcpreplay-users
Support Information: http://tcpreplay.synfin.net/trac/wiki/Support
Permalink | Reply |
headers
Jaime Nebrera | 25 May 2012 16:53
Gravatar

Re: Split pcap in 2 directions

Actually I would prefer to some way usr the cache file already generated

As the pcap files are from public repositories (for IPS testing) it would be quite a job to gather all client and server IPs in order to split it this way, specially since tcpprep already did the job

Even more, I would love to keep too non IP traffic like those ARP and DHCP

Enviado desde Xperia™ S



-------- Original Message --------
Subject: Re: [Tcpreplay-users] Split pcap in 2 directions
From: Michael Schultz <mjschultz <at> gmail.com>
To: Main forum for tcpreplay <tcpreplay-users <at> lists.sourceforge.net>
CC:

On Fri, May 25, 2012 at 8:23 AM, Jaime Nebrera <jnebrera <at> eneotecnologia.com> wrote:
Still, the pcaps are big, like 1 to 2 Gb. Might be a bit too much for WS

Any way to do so from command line so I can automate it?

tcpdump should work.

The format would be something like:

    $ tcpdump -r <master-file> -w <client-file> src <client-ip>
    $ tcpdump -r <master-file> -w <server-file> src <server-ip>

The -r and -w flags tell tcpdump to read from and write to the respective files.

If you have other packets you could extend the BPF expressions by specifying the destination IP of the server or client.  This will only filter out packet with the client and server IPs (missing any ARP and some DHCP packets), but that probably won't be a problem.

--michael
------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Tcpreplay-users mailing list
Tcpreplay-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tcpreplay-users
Support Information: http://tcpreplay.synfin.net/trac/wiki/Support
Permalink | Reply |
headers
Aaron Turner | 25 May 2012 18:33
Picon

Re: Split pcap in 2 directions

Hmmm.... that's a challenge then.  To be fair, I'd usually use tcpdump
for this purpose.

Anyways, the only way I can think of right now given the existing
tcpreplay/tcpprep code to do what you want is this *ugly* hack:

Run:
tcpdump -i eth0 -s0 -w primary.pcap &
tcpdump -i eth1 -s0 -w secondary.pcap &
tcpreplay -c cache.prep -i eth0 -j eth1 some.pcap
kill %1 ; kill %2  # kill the tcpdump processes

Basically you're replaying the pcap file on two interfaces and using
tcpdump to read those packets and save them into separate files.
You'll want to make sure your computer isn't generating any traffic on
eth0/eth1 or anything like that or you'll get extra packets.  As I
said, this is really ugly.

A much better solution would require some coding.  Basically you'd
enhance the sendpacket.[ch] code and tcpreplay.c to allow it to open
pcap files for writing like if it was a network interface.  That would
avoid having to run tcpdump to capture the packets, avoid any extra or
dropped packets and would mean the pcap timestamps would be carried
over perfectly.

This wouldn't be too hard to do, but there's a bunch of #defines in
sendpacket.c which can make for confusing reading.  I really need to
rewrite this in a plugin architecture someday like tcpedit's DLT
plugins to make that sorta thing easier.   Anyways, if you look at the
changes in http://tcpreplay.synfin.net/ticket/505 you'll see how I
added support for a new Linux kernel driver which exposes a pseudo
interface via a chardev to sendpacket/tcpreplay.

Anyways, I opened a feature request ticket for this:
http://tcpreplay.synfin.net/ticket/510

On Fri, May 25, 2012 at 7:53 AM, Jaime Nebrera
<jnebrera <at> eneotecnologia.com> wrote:
> Actually I would prefer to some way usr the cache file already generated
>
> As the pcap files are from public repositories (for IPS testing) it would be
> quite a job to gather all client and server IPs in order to split it this
> way, specially since tcpprep already did the job
>
> Even more, I would love to keep too non IP traffic like those ARP and DHCP
>
> Enviado desde Xperia™ S
>
> ________________________________
>
>
> -------- Original Message --------
> Subject: Re: [Tcpreplay-users] Split pcap in 2 directions
> From: Michael Schultz <mjschultz <at> gmail.com>
> To: Main forum for tcpreplay <tcpreplay-users <at> lists.sourceforge.net>
> CC:
>
> On Fri, May 25, 2012 at 8:23 AM, Jaime Nebrera <jnebrera <at> eneotecnologia.com>
> wrote:
>>
>> Still, the pcaps are big, like 1 to 2 Gb. Might be a bit too much for WS
>>
>> Any way to do so from command line so I can automate it?
>
>
> tcpdump should work.
>
> The format would be something like:
>
>     $ tcpdump -r <master-file> -w <client-file> src <client-ip>
>     $ tcpdump -r <master-file> -w <server-file> src <server-ip>
>
> The -r and -w flags tell tcpdump to read from and write to the respective
> files.
>
> If you have other packets you could extend the BPF expressions by specifying
> the destination IP of the server or client.  This will only filter out
> packet with the client and server IPs (missing any ARP and some DHCP
> packets), but that probably won't be a problem.
>
> --michael
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Tcpreplay-users mailing list
> Tcpreplay-users <at> lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/tcpreplay-users
> Support Information: http://tcpreplay.synfin.net/trac/wiki/Support

-- 
Aaron Turner
http://synfin.net/         Twitter:  <at> synfinatic
http://tcpreplay.synfin.net/ - Pcap editing and replay tools for Unix & Windows
Those who would give up essential Liberty, to purchase a little temporary
Safety, deserve neither Liberty nor Safety.
    -- Benjamin Franklin
"carpe diem quam minimum credula postero"

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Tcpreplay-users mailing list
Tcpreplay-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tcpreplay-users
Support Information: http://tcpreplay.synfin.net/trac/wiki/Support
Permalink | Reply |

Gmane