
List:       tcpreplay-users
Subject:    Re: [Tcpreplay-users] Error using tcprewrite to change IP address
From:       Aaron Turner <synfinatic () gmail ! com>
Date:       2009-11-16 17:28:27
Message-ID: 1ca1c1410911160928v1329e0f3l3e3d509ebf182aff () mail ! gmail ! com

On Mon, Nov 16, 2009 at 7:23 AM, VU, KENNY (ATTSI) <kv007p@att.com> wrote:
> I use editcap to extract RTP packets from a Wireshark file. The packets are
> renamed "UDP" under the Protocol column instead of staying as "RTP".
>
>
>
> How can I change the protocol marking back to RTP?

This is a wireshark issue, but basically you removed packets which
allowed Wireshark to know the UDP packets in question were RTP
packets.  Wireshark often uses data from one flow to know how to
decode another flow, especially for media protocols.

> I use the following command to change IP 12.120.198.12 to 12.120.198.138 in
> a Wireshark pcap file
>
>
>
> tcprewrite --infile=in.pcap --outfile=out.pcap -S 12.120.198.12
> --srcipmap=12.120.198.138
>
> The OS is Linux 2.6.9-5, and version of the tcprewrite is 3.4.0, build 2145.
>
>
>
> The following error was returned:
>
> Only one srcipmap option allowed. Options are specified by doubled hyphens
> and their name or by a single hyphen and the flag character.
>
>
>
> I tried to change the command using different combinations of "-- or -", "=
> or a blank", "= or #", but to no avail.
>
>
>
> What is the right format to use? Concrete examples in the manual would be
> helpful.

As the man page says, the --srcipmap option uses the same format as
--pnat, so you use a colon between the old/new IP:
--srcipmap=12.120.198.12:12.120.198.138

> Also I need to change the time stamps of the packets. What tool can I use,
> and how?

Netdude would work.  Without knowing how you want to change the
timestamps it's hard to give you a better solution.

Good luck!


-- 
Aaron Turner
http://synfin.net/
http://tcpreplay.synfin.net/ - Pcap editing and replay tools for Unix & Windows
Those who would give up essential Liberty, to purchase a little temporary
Safety, deserve neither Liberty nor Safety.
    -- Benjamin Franklin
"carpe diem quam minimum credula postero"

_______________________________________________
Tcpreplay-users mailing list
Tcpreplay-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tcpreplay-users
Support Information: http://tcpreplay.synfin.net/trac/wiki/Support
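
An added example, not part of the original message and not tcprewrite's code: a Python sketch of what an old:new source map like the one above implies for each packet, since the IPv4 header checksum and the TCP/UDP checksum (through its pseudo-header) both cover the source address. It assumes untagged Ethernet frames in a classic little-endian pcap; the function names and the sample frame are constructed for illustration.

```python
import socket
import struct

L4_CSUM = {6: 16, 17: 6}  # IP protocol -> checksum offset in the TCP/UDP header
# Constructed sample: Ethernet/IPv4/UDP frame from 12.120.198.12, valid checksums.
SAMPLE_FRAME = bytes.fromhex(
    "020000000002020000000001080045000020000100004011e63d"
    "0c78c60cc000020a0fa00fa2000ccc0380000001")

def update(csum: int, old: bytes, new: bytes) -> int:
    """RFC 1624 incremental update: HC' = ~(~HC + ~m + m'), folded to 16 bits."""
    total = ~csum & 0xFFFF
    for (m,), (m2,) in zip(struct.iter_unpack("!H", old), struct.iter_unpack("!H", new)):
        total += (~m & 0xFFFF) + m2
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def rewrite_src(frame: bytes, ipmap: str) -> bytes:
    """Apply an 'old:new' source map to one untagged Ethernet/IPv4 frame."""
    old, new = (socket.inet_aton(a) for a in ipmap.split(":"))
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[26:30] != old:
        return frame                          # not IPv4, or source not mapped
    pkt = bytearray(frame)
    pkt[26:30] = new
    (ip_csum,) = struct.unpack_from("!H", pkt, 24)
    struct.pack_into("!H", pkt, 24, update(ip_csum, old, new))
    (frag,) = struct.unpack_from("!H", pkt, 20)
    off = 14 + (pkt[14] & 0x0F) * 4 + L4_CSUM.get(pkt[23], 0)
    # TCP/UDP checksums cover a pseudo-header holding the source address;
    # only the first fragment carries the L4 header, and a capture may be cut short.
    if pkt[23] in L4_CSUM and (frag & 0x1FFF) == 0 and off + 2 <= len(pkt):
        (c,) = struct.unpack_from("!H", pkt, off)
        if pkt[23] == 6 or c != 0:            # UDP checksum 0 means "not used"
            c = update(c, old, new)
            struct.pack_into("!H", pkt, off, 0xFFFF if pkt[23] == 17 and c == 0 else c)
    return bytes(pkt)

def rewrite_pcap(pcap: bytes, ipmap: str) -> bytes:
    """Rewrite each record of a classic little-endian Ethernet pcap buffer."""
    out, pos = bytearray(pcap[:24]), 24
    while pos + 16 <= len(pcap):
        caplen = struct.unpack_from("<I", pcap, pos + 8)[0]
        out += pcap[pos:pos + 16] + rewrite_src(pcap[pos + 16:pos + 16 + caplen], ipmap)
        pos += 16 + caplen
    return bytes(out)

if __name__ == "__main__":
    print(rewrite_src(SAMPLE_FRAME, "12.120.198.12:12.120.198.138").hex())
```

Because the checksums are updated incrementally from the changed address words, the result stays correct for records truncated by a snaplen, where a full recomputation over the payload is not possible.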