replay captured udp traffic


I am trying to send packets using tcpreplay. The file was captured in another network and contains UDP packets. In order to replay, I've changed the source and destination address, etc., using the following command:

tcprewrite --infile=original.cap --outfile=changed.cap --srcipmap=0.0.0.0/0:<MY HOST IP>/32 --dstipmap=0.0.0.0/0:<MY HOST IP>/32 --enet-dmac=<enp0s25 mac addr> --enet-smac=<enp0s25 mac addr> --fixcsum

After changing the packets, I've tried to replay using tcpreplay:

sudo tcpreplay --intf1=enp0s25  changed.cap

tcpdump shows that the packets were rewritten and apparently OK:

[root@localhost ~]# tcpdump -i enp0s25 udp port 6302 
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s25, link-type EN10MB (Ethernet), capture size 262144 bytes
09:31:56.758809 IP localhost.localdomain.qb-db-server > localhost.localdomain.6302: UDP, length 673
09:31:56.758836 IP localhost.localdomain.12608 > localhost.localdomain.6302: UDP, length 669
09:31:56.758845 IP localhost.localdomain.13024 > localhost.localdomain.6302: UDP, length 671
09:31:56.758967 IP localhost.localdomain.11584 > localhost.localdomain.6302: UDP, length 666
....

However, if I launch netcat to listen on port 0.0.0.0:6302, I can't see any traffic!

Any idea what's wrong?


There are 2 best solutions below

Answer (3 votes):

I see that you are replaying the file to interface enp0s25. However, your tcpdump output is showing that you are capturing on localhost. Try tcpdump -i enp0s25.

Answer (0 votes):

This is perfectly normal. The parameter --intf1 sets the output interface, not the input interface. So your packets will not be injected into the Linux network stack. In other words, the interface driver's output functions are used to send the packets, which is not what you want.

To fix this you need to either use a UDP socket from an application (like netcat) and send the UDP payload of your pcap or run tcpreplay on a different machine (it can also be a VM).

This way tcpreplay will use the interface (set by --intf1) to "output" the packets and your machine will use the driver's input functions to inject the packets to the Linux network stack.
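Concretely, the first option (an application-level UDP socket) looks like this. It is an added example, not the answerer's code and not part of tcpreplay: it parses a classic pcap file without any third-party library, pulls out the UDP payloads addressed to the port of interest (6302 from the question), and sends each one through a normal UDP socket so the local stack and a listener such as `nc -lu 6302` actually receive them. It assumes Ethernet-framed IPv4/UDP captures; the small capture it builds inline is constructed so the script runs offline, and the listener address is whatever you pass in.

```python
"""Replay the UDP payloads of a pcap through a real UDP socket.

Added example (not from the original question/answers or the tcpreplay
project). Assumes link type 1 (Ethernet) pcap files carrying IPv4/UDP.
"""
import socket
import struct
import time
from typing import Iterator, List, Tuple

# Magic as read with "<I": the value tells us the file's own byte order.
PCAP_MAGICS = {
    0xA1B2C3D4: "<",  # little-endian file, microsecond timestamps
    0xD4C3B2A1: ">",  # big-endian file, microsecond timestamps
    0xA1B23C4D: "<",  # nanosecond-timestamp variants
    0x4D3CB2A1: ">",
}


def pcap_records(pcap: bytes) -> Iterator[bytes]:
    """Yield the raw frame bytes of every record in a classic (non-pcapng) file."""
    (magic,) = struct.unpack("<I", pcap[:4])
    endian = PCAP_MAGICS.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file (unknown magic)")
    (linktype,) = struct.unpack(endian + "I", pcap[20:24])
    if linktype != 1:
        raise ValueError(f"unsupported link type {linktype}; expected 1 (Ethernet)")
    off = 24
    while off + 16 <= len(pcap):
        _sec, _frac, incl_len, _orig_len = struct.unpack(endian + "IIII", pcap[off:off + 16])
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def udp_payloads(pcap: bytes, dst_port: int) -> List[Tuple[str, int, bytes]]:
    """Return (src_ip, src_port, payload) for each IPv4/UDP frame sent to dst_port."""
    out = []
    for frame in pcap_records(pcap):
        if len(frame) < 14:
            continue
        (ethertype,) = struct.unpack("!H", frame[12:14])
        l3 = 14
        if ethertype == 0x8100 and len(frame) >= 18:  # strip a single 802.1Q tag
            (ethertype,) = struct.unpack("!H", frame[16:18])
            l3 = 18
        if ethertype != 0x0800:  # IPv4 only
            continue
        ip = frame[l3:]
        if len(ip) < 20:
            continue
        ihl = (ip[0] & 0x0F) * 4
        (total_len,) = struct.unpack("!H", ip[2:4])
        if ip[9] != 17:  # not UDP
            continue
        udp = ip[ihl:total_len]  # total_len drops any Ethernet trailer padding
        if len(udp) < 8:
            continue
        sport, dport, ulen = struct.unpack("!HHH", udp[:6])
        if dport != dst_port:
            continue
        out.append((socket.inet_ntoa(ip[12:16]), sport, udp[8:ulen]))
    return out


def replay_udp(payloads, host: str, port: int, pace_s: float = 0.0) -> int:
    """Send each payload as its own datagram to host:port; return the count sent."""
    sent = 0
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for _src_ip, _src_port, data in payloads:
            sock.sendto(data, (host, port))
            sent += 1
            if pace_s:
                time.sleep(pace_s)
    return sent


# --- constructed sample capture (not a real trace) ---------------------------
def build_udp_frame(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload  # UDP csum 0 = none
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))  # IP csum left 0
    return eth + ip + udp


def build_pcap(frames, endian: str = "<") -> bytes:
    header = struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    records = (struct.pack(endian + "IIII", 0, i, len(f), len(f)) + f for i, f in enumerate(frames))
    return header + b"".join(records)


SAMPLE_FRAMES = [
    build_udp_frame("10.0.0.5", "10.0.0.9", 12608, 6302, b"hello-6302-#1"),
    build_udp_frame("10.0.0.5", "10.0.0.9", 13024, 6302, b"hello-6302-#2"),
    build_udp_frame("10.0.0.5", "10.0.0.9", 40000, 53, b"not-for-us"),
    build_udp_frame("10.0.0.7", "10.0.0.9", 11584, 6302, b"hello-6302-#3"),
]
SAMPLE_PCAP = build_pcap(SAMPLE_FRAMES)

if __name__ == "__main__":
    # Loopback demo: a listener on an ephemeral port plays the role of `nc -lu 6302`.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        listener.bind(("127.0.0.1", 0))
        listener.settimeout(2)
        port = listener.getsockname()[1]
        n = replay_udp(udp_payloads(SAMPLE_PCAP, 6302), "127.0.0.1", port)
        for _ in range(n):
            data, peer = listener.recvfrom(65535)
            print(f"listener got {data!r} from {peer}")
```

Because the datagrams are sent from an ordinary socket, the kernel hands them to whatever is bound on the port, which is exactly what tcpreplay's driver-level injection on the same host does not do. The original source ports are not preserved (the socket uses an ephemeral port) and the IP and UDP checksums in the constructed sample are left at zero, which is fine for parsing but would be flagged by tools that verify checksums.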