Tcpdump is a very useful tool for capturing network packets.
For example, to capture TCP packets on interface lo0 going to or from port 9999:

```bash
sudo tcpdump -i lo0 port 9999 -XX -v
```
Here we demonstrate sending some UDP packets, capturing them with tcpdump, and playing them back with tcpreplay:
- Send some UDP packets to port 9999
- Listen for UDP packets on port 9999
- Capture the UDP packets with tcpdump and save them to a file
- Play back the captured packets
- Listen for UDP packets again to verify the replay
Let's have more fun! Assume we have captured some UDP packets using the command below:

```bash
sudo tcpdump -i en0 udp port 3333 -XX -v -w li.pcap
```
Then we use the tcprewrite command to reverse the source and destination addresses.
If we double-check the modified .pcap file, it shows what we want.
I also wrote a shell script to rewrite the captured packets automatically.
```bash
#!/bin/bash
# Rewrite a captured .pcap so it can be replayed from this host to a chosen destination:
# the destination IP/MAC come from the command line, the source IP/MAC are read from this machine.
usage()
{
    printf "\n"
    printf "Usage: %s [-h] -f FILE -i DST_IP -m DST_MAC\n" "$0"
    printf "  -h : Display this help.\n"
    printf "  -f : INPUT FILE name.\n"
    printf "  -i : Destination IP address.\n"
    printf "  -m : Destination MAC address.\n"
    printf "\n"
    printf "Example:\n"
    printf "%s -f filename.pcap -i 192.168.0.16 -m 68:01:A7:B2:13:0A\n" "$0"
}

if [ $# -eq 0 ]
then
    echo "No arguments supplied"
    usage
    exit 1
fi

while getopts ':f:i:m:h' option
do
    case "${option}" in
        f) FILE=${OPTARG};;
        i) DST_IP=${OPTARG};;
        m) DST_MAC=${OPTARG};;
        h) usage
           exit 0
           ;;
        \?) echo "Invalid option: -$OPTARG" >&2
            usage
            exit 1
            ;;
        :) echo "Option -$OPTARG requires an argument." >&2
           usage
           exit 1
           ;;
    esac
done

# usage() does not exit on its own, so these error paths really do exit with status 1.
[ -z "$FILE" ] && echo "INPUT FILE should not be empty!" && usage && exit 1
[ -z "$DST_IP" ] && echo "DEST IP should not be empty!" && usage && exit 1
[ -z "$DST_MAC" ] && echo "DEST MAC should not be empty!" && usage && exit 1

# Source addresses: the first MAC and the first non-loopback IPv4 address that ifconfig reports
# (newer Linux ifconfig prints "ether", older versions print "HWaddr"; both are matched).
unameOut="$(uname -s)"
case "${unameOut}" in
    Linux*)  SRC_MAC=$(ifconfig | grep -Eo '(HWaddr|ether) ([[:xdigit:]]{1,2}:){5}[[:xdigit:]]{1,2}' | awk '{print $2}' | head -n 1);;
    Darwin*) SRC_MAC=$(ifconfig en0 | grep -Eo '([[:xdigit:]]{1,2}:){5}[[:xdigit:]]{1,2}' | head -n 1);;
esac
SRC_IP=$(ifconfig | grep -Eo 'inet (addr:)?([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*' | grep -v '^127\.' | head -n 1)

# Step 1: point every packet at the new destination (IP and MAC).
tcprewrite --infile="$FILE" --outfile=temp1.pcap --dstipmap=0.0.0.0/0:"$DST_IP" --enet-dmac="$DST_MAC" || exit 1
# Step 2: make this host the source (IP and MAC).
tcprewrite --infile=temp1.pcap --outfile=temp2.pcap --srcipmap=0.0.0.0/0:"$SRC_IP" --enet-smac="$SRC_MAC" || exit 1
# Step 3: recompute the IP/TCP/UDP checksums that the address changes invalidated.
tcprewrite --infile=temp2.pcap --outfile=final.pcap --fixcsum || exit 1
rm temp1.pcap temp2.pcap
echo "New file is generated!"
echo "Now run the command below to replay the data."
echo "sudo tcpreplay --intf1=en0 final.pcap"
echo "Interface (intf1) could be eth0, eth1, en0 or others; run ifconfig to check what you have on your machine."
```
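To show what the tcprewrite steps above (the source/destination reversal and the script's address rewrite plus --fixcsum) actually do to the bytes of a capture, here is an added Python example; it is not part of the original post and not tcprewrite's own code. It walks the classic pcap record format, rewrites the Ethernet MACs and IPv4 addresses of each frame, and recomputes the IP and UDP checksums; it assumes Ethernet frames carrying IPv4 without IP options, and the capture it processes is a constructed one-datagram pcap with made-up addresses standing in for li.pcap.

```python
import socket
import struct
def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; odd length is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF
def rewrite_frame(frame, dst_mac=None, src_mac=None, dst_ip=None, src_ip=None):
    """One frame through the script's chain: --enet-dmac/-smac, --dstipmap/--srcipmap, --fixcsum."""
    buf = bytearray(frame)
    if dst_mac: buf[0:6] = bytes.fromhex(dst_mac.replace(":", ""))
    if src_mac: buf[6:12] = bytes.fromhex(src_mac.replace(":", ""))
    if buf[12:14] != b"\x08\x00": return bytes(buf)   # not IPv4: only the MACs change
    thl = 14 + (buf[14] & 0x0F) * 4          # offset of the transport header
    if src_ip: buf[26:30] = socket.inet_aton(src_ip)
    if dst_ip: buf[30:34] = socket.inet_aton(dst_ip)
    buf[24:26] = b"\x00\x00"                 # IPv4 header checksum, recomputed from scratch
    buf[24:26] = struct.pack("!H", ip_checksum(bytes(buf[14:thl])))
    if buf[23] == 17:                        # UDP: checksum covers pseudo-header + header + data
        buf[thl + 6:thl + 8] = b"\x00\x00"
        pseudo = bytes(buf[26:34]) + b"\x00\x11" + struct.pack("!H", len(buf) - thl)
        buf[thl + 6:thl + 8] = struct.pack("!H", ip_checksum(pseudo + bytes(buf[thl:])) or 0xFFFF)
    return bytes(buf)
def reverse_frame(frame: bytes) -> bytes:
    """The post's 'reverse source and destination' step for one IPv4 frame without IP options."""
    d_mac, s_mac = frame[0:6].hex(":"), frame[6:12].hex(":")
    s_ip, d_ip = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    return rewrite_frame(frame, dst_mac=s_mac, src_mac=d_mac, dst_ip=s_ip, src_ip=d_ip)
def rewrite_pcap(pcap: bytes, fn) -> bytes:
    """Apply fn to every record of a classic pcap, either byte order (other magics raise KeyError)."""
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}[struct.unpack("<I", pcap[:4])[0]]
    out, off = bytearray(pcap[:24]), 24
    while off < len(pcap):
        sec, usec, caplen, origlen = struct.unpack(end + "IIII", pcap[off:off + 16])
        frame = fn(pcap[off + 16:off + 16 + caplen])
        out += struct.pack(end + "IIII", sec, usec, len(frame), origlen) + frame
        off += 16 + caplen
    return bytes(out)
def build_udp_pcap(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload: bytes) -> bytes:
    """Constructed one-datagram capture standing in for li.pcap (linktype 1 = Ethernet)."""
    eth = bytes.fromhex((dst_mac + src_mac).replace(":", "")) + b"\x08\x00"
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    frame = rewrite_frame(eth + ip + udp)    # fills in the IP and UDP checksums
    return (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
            + struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame)
```

Writing the output of `rewrite_pcap(..., reverse_frame)` to a file gives a capture that tcpdump -r and tcpreplay read like the one tcprewrite produces; applying the reversal twice returns the original bytes.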