Wireshark-users: [Wireshark-users] Playing trace/capture file in tcpreplay and reading out w/wire
From: "Richard Bejtlich" <taosecurity@xxxxxxxxx>
Date: Fri, 22 Sep 2006 10:33:23 -0400
Netfortius wrote:

> You're probably right - I do remember having been able to do something similar
> on Linux

Linux's loopback device has a link-layer type of Ethernet; the BSD one
doesn't.

> (not with wireshark

There's nothing Wireshark-specific about this; you'd probably see the
same problem if you used tcpdump rather than Wireshark.

>  - but originating in tcpreplay - which definitely
> points the problem to this one), so it is probably a kernel modification
> and/or libnet problem with the BSD *under* MacOSX' hood ... :(

What you need is a version of tcpreplay that will at least try to
translate Ethernet packet headers to BSD loopback packet headers; you're
unlikely ever to see a version of OS X (or any other BSD) with loopback
devices using a link-layer type other than BPF_NULL or BPF_LOOP.

You can use tap0 on FreeBSD to get loopback-like functionality.

http://taosecurity.blogspot.com/2006/09/using-tap0-with-tcpreplay.html

Sincerely,

Richard
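
The header translation discussed in this thread, sketched as an added example (not code from tcpreplay or from anyone in the thread): it rewrites a classic pcap file from libpcap's Ethernet link type (DLT_EN10MB, 1) to the BSD loopback type (DLT_NULL, 0) by replacing each 14-byte Ethernet header with the 4-byte address-family word. The function names and the AF_INET6 default (30, the macOS value) are assumptions, and the sample capture is constructed.

```python
import struct

DLT_EN10MB, DLT_NULL = 1, 0      # libpcap link-layer type values
AF_INET = 2                      # same value on BSD, macOS and Linux
AF_INET6_DARWIN = 30             # assumption: macOS; FreeBSD uses 28, OpenBSD 24
ETH_HLEN = 14                    # dst MAC + src MAC + EtherType

def eth_pcap_to_null(pcap: bytes, af_inet6: int = AF_INET6_DARWIN) -> bytes:
    """Rewrite a classic-pcap Ethernet capture as a DLT_NULL (BSD loopback) capture."""
    magic = pcap[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        e = "<"                  # file written little-endian
    elif magic == b"\xa1\xb2\xc3\xd4":
        e = ">"                  # file written big-endian
    else:
        raise ValueError("not a classic microsecond pcap file")
    vmaj, vmin, zone, sigfigs, snaplen, linktype = struct.unpack(e + "HHiIII", pcap[4:24])
    if linktype != DLT_EN10MB:
        raise ValueError(f"expected Ethernet (1), got link type {linktype}")
    out = [magic, struct.pack(e + "HHiIII", vmaj, vmin, zone, sigfigs, snaplen, DLT_NULL)]
    off = 24
    while off + 16 <= len(pcap):
        sec, usec, incl, orig = struct.unpack(e + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < incl:
            break                # file ends mid-record
        if incl < ETH_HLEN:
            continue             # runt frame, no complete Ethernet header
        ethertype = struct.unpack("!H", frame[12:14])[0]
        family = {0x0800: AF_INET, 0x86DD: af_inet6}.get(ethertype)
        if family is None:
            continue             # ARP, VLAN tags etc. have no loopback encoding
        # DLT_NULL carries the family in the writer's byte order; reuse the file's.
        body = struct.pack(e + "I", family) + frame[ETH_HLEN:]
        out.append(struct.pack(e + "IIII", sec, usec, len(body), orig - ETH_HLEN + 4))
        out.append(body)
    return b"".join(out)

def constructed_sample() -> bytes:
    """Constructed input: one IPv4 frame and one ARP frame in a little-endian pcap."""
    hdr = b"\xd4\xc3\xb2\xa1" + struct.pack("<HHiIII", 2, 4, 0, 0, 65535, DLT_EN10MB)
    macs = bytes(12)
    frames = [macs + b"\x08\x00" + b"\x45" + bytes(19), macs + b"\x08\x06" + bytes(28)]
    recs = b"".join(struct.pack("<IIII", 1, 0, len(f), len(f)) + f for f in frames)
    return hdr + recs
```

Frames that are not IPv4 or IPv6 are dropped because the loopback header has no way to describe them, so the output can contain fewer packets than the input.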