Wireshark · Wireshark-users: [Wireshark-users] Playing trace/capture file in tcpreplay and reading out w/wireshark, using lo0

Wireshark-users: [Wireshark-users] Playing trace/capture file in tcpreplay and reading out w/wire

From: "Richard Bejtlich" <taosecurity@xxxxxxxxx>

Date: Fri, 22 Sep 2006 10:33:23 -0400

Netfortius wrote:

You're probably right - I do remember having been able to do something similar
on Linux

Linux's loopback device has a link-layer type of Ethernet; the BSD one
doesn't.

(not with wireshark

There's nothing Wireshark-specific about this; you'd probably see the
same problem if you used tcpdump rather than Wireshark.

 - but originating in tcpreplay - which defintely
points the problem to this one), so it is probably a kernel modification
and/or libnet problem with the BSD *under* MacOSX' hood ... :(

What you need is a version of tcpreplay that will at least try to
translate Ethernet packet headers to BSD loopback packet headers; you're
unlikely ever to see a version of OS X (or any other BSD) with loopback
devices using a link-layer type other than BPF_NULL or BPF_LOOP.

You can use tap0 on FreeBSD to get loopback-like functionality.

http://taosecurity.blogspot.com/2006/09/using-tap0-with-tcpreplay.html

Sincerely,

Richard

Follow-Ups:
- Re: [Wireshark-users] Playing trace/capture file in tcpreplay and reading out w/wireshark, using lo0
  - From: Netfortius

Prev by Date: Re: [Wireshark-users] IEC 60870-5-104 Plugin?
Next by Date: [Wireshark-users] How to replace IP addresses in a trace file?
Previous by thread: Re: [Wireshark-users] Playing trace/capture file in tcpreplay and reading out w/wireshark, using lo0
Next by thread: Re: [Wireshark-users] Playing trace/capture file in tcpreplay and reading out w/wireshark, using lo0
Index(es):
- Date
- Thread