What I did:
- Got a Wireshark capture of web traffic.
- Edited the capture file to remove one GET request. (removed that line using editcap)
- Saved the edited file (from step 2)
- Did a tcpreplay of this file.
When I do this, I get an error: Fatal Error: Error opening pcap file: bad dump file format.
Any inputs on what could be wrong? Am I doing something wrong in the way I have edited my Wireshark pcap file?
Thanks, Andy
The default editcap capture file output type is pcapng.
A quick look at the tcpreplay docs shows mentions only of libpcap format (and not pcapng).
So: Maybe the solution is to specify the '-F pcap' option to editcap to specify the capture file output format as libpcap format.
Update:
From the tcpreplay FAQ:
"Does Tcpreplay support Pcap-Ng/NTAR files?
Yes. The Tcpreplay suite uses libpcap for reading & writing pcap files. If you have libpcap 1.1.0 or higher, then tcpreplay, tcprewrite, etc can read pcap-ng files. If you have an older version of libpcap, you should upgrade to the latest version as earlier versions of libpcap have bugs with pcap-ng files. "
So: (assuming that you're using a version of libpcap >= 1.1.0) I'm not sure what the problem is. You might still want to try specifying pcap output format to see if that makes a difference.
Also: Are you able to read the original capture file (before editing) with tcpreplay? What is the format of the original file? (Use 'capinfos filename' to determine the file type.)
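Added example, not part of the original question or answer: a Python check that reads a capture file's leading bytes and reports whether it is classic libpcap or pcapng, the distinction the answer raises. The function name `identify_capture` and the two sample headers are constructed for this illustration.

```python
import struct
import sys

# Leading magic bytes of classic libpcap files: (struct byte order, timestamp unit).
PCAP_MAGICS = {
    b"\xa1\xb2\xc3\xd4": (">", "microseconds"),
    b"\xd4\xc3\xb2\xa1": ("<", "microseconds"),
    b"\xa1\xb2\x3c\x4d": (">", "nanoseconds"),
    b"\x4d\x3c\xb2\xa1": ("<", "nanoseconds"),
}
PCAPNG_SHB = b"\x0a\x0d\x0d\x0a"  # Section Header Block type, same in both byte orders
PCAPNG_BOM = 0x1A2B3C4D           # byte-order magic at offset 8 of the block


def identify_capture(header: bytes) -> dict:
    """Classify a capture file from its first 24 bytes."""
    magic = header[:4]
    if magic in PCAP_MAGICS and len(header) >= 24:
        order, ts_unit = PCAP_MAGICS[magic]
        # version major/minor, thiszone, sigfigs, snaplen, link-layer type
        major, minor, _, _, snaplen, linktype = struct.unpack(order + "HHiIII", header[4:24])
        return {"format": "pcap", "version": f"{major}.{minor}", "timestamps": ts_unit,
                "snaplen": snaplen, "linktype": linktype}
    if magic == PCAPNG_SHB and len(header) >= 16:
        for order, name in (("<", "little"), (">", "big")):
            bom, major, minor = struct.unpack(order + "IHH", header[8:16])
            if bom == PCAPNG_BOM:
                return {"format": "pcapng", "version": f"{major}.{minor}", "byte_order": name}
    # Truncated headers and unrecognised magic both end up here.
    return {"format": "unknown"}


# Constructed sample headers (not taken from a real capture).
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
SAMPLE_PCAPNG = struct.pack("<IIIHHq", 0x0A0D0D0A, 28, PCAPNG_BOM, 1, 0, -1)

if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:
        print("pcap sample  :", identify_capture(SAMPLE_PCAP))
        print("pcapng sample:", identify_capture(SAMPLE_PCAPNG))
    for path in paths:
        with open(path, "rb") as fh:
            print(path, identify_capture(fh.read(24)))
```

If the edited file reports as pcapng and tcpreplay still rejects it, rewriting it with editcap's '-F pcap' option, as suggested above, is the thing to try.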