posted 31 May 2013, 02:36 by Flip Pipe [updated 31 May 2013, 02:38]
This week I had a new problem: analyzing QinQ (stacked VLAN) traffic with tcptrace. I had a capture of some hundreds of megabytes, and all of the traffic was encapsulated in QinQ.
tcptrace did not recognize this traffic, so I could not analyze the file as it was. And out of the bunch of VLANs in the capture I only needed to analyze one of them, in my case 1901.
After Googling for a while I did not find an answer, so I needed to create a workaround.
Since libpcap 1.2.1 it is possible to filter QinQ traffic with a BPF expression (stacked "vlan" keywords, outer tag first). So I just needed to replay the capture and, with tcpdump or tshark, capture only the VLAN I need.
But replaying the capture through my real NIC would put it on the wire, the results would not be good, and I did not try it.
Fortunately, Linux can create a dummy interface (thank you Kenyan Geek for your post).
So that is what I did: a new dummy0 interface on my machine, with no risk of messing with real traffic.
On one side I replayed the capture file I had:
# tcpreplay --intf1=dummy0 capture-001-20130529-125129-eth1_2.cap
And on the other side, I just needed to capture with the right filter (the first "vlan" matches the outer tag, the second the inner one):
# tshark -i dummy0 -w /tmp/test_03_tshark.pcap "vlan 313 && vlan 1901"
In the end I have a capture with only the VLAN I need.
Of course, tcptrace still does not recognize the QinQ tags, but now we just need to remove the VLAN information with tcprewrite:
# tcprewrite --enet-vlan=del -i test_03_tshark.pcap -o capture_clean_vlans.pcap
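The filter-and-strip step above can also be done without tcpreplay, tshark or tcprewrite, which is handy for checking that the selection "vlan 313 && vlan 1901" picked what you expected. The following is an added example, not code from the post or from the tcpreplay project: a small pure-Python tool that walks a classic pcap (Ethernet link type), keeps only frames whose outer tag is VLAN 313 and inner tag VLAN 1901, strips every stacked tag, and writes the result as a new pcap that tcptrace can read. The sample frames, MAC addresses, VLAN IDs and timestamps are constructed for the demo; it recognises 0x8100, 0x88A8 and 0x9100 as tag TPIDs.

```python
import struct
import sys

# TPIDs that mark a VLAN tag: 0x8100 (802.1Q), 0x88A8 (802.1ad service tag)
# and 0x9100 (pre-standard QinQ TPID still seen on old gear).
VLAN_TPIDS = (0x8100, 0x88A8, 0x9100)
DLT_EN10MB = 1


def vlan_tags(frame):
    """Return ([(tpid, vid), ...], offset of the ethertype after the tags)."""
    tags, off = [], 12                         # dst MAC + src MAC
    while off + 4 <= len(frame):
        tpid = struct.unpack_from("!H", frame, off)[0]
        if tpid not in VLAN_TPIDS:
            break
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        tags.append((tpid, tci & 0x0FFF))      # low 12 bits of TCI = VID
        off += 4
    return tags, off


def strip_vlan_tags(frame):
    """MACs followed by whatever came after the last tag; drops every stacked tag."""
    _, off = vlan_tags(frame)
    return frame[:12] + frame[off:]


def read_pcap(data):
    """Parse classic pcap bytes into [(ts_sec, ts_usec, frame), ...]."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack_from(endian + "I", data, 20)[0] != DLT_EN10MB:
        raise ValueError("expected Ethernet link type")
    records, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        records.append((ts_sec, ts_usec, data[off:off + incl_len]))
        off += incl_len
    return records


def write_pcap(records):
    """Serialise [(ts_sec, ts_usec, frame), ...] as a little-endian pcap."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_EN10MB))
    for ts_sec, ts_usec, frame in records:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame))
        out += frame
    return bytes(out)


def filter_qinq(pcap_bytes, outer_vid, inner_vid):
    """Keep frames whose first two tags are outer_vid/inner_vid, with tags removed.

    Same selection as the BPF expression "vlan OUTER && vlan INNER": the first
    "vlan" matches the outermost tag, the second the next one inwards.
    """
    kept = []
    for ts_sec, ts_usec, frame in read_pcap(pcap_bytes):
        vids = [vid for _, vid in vlan_tags(frame)[0]]
        if len(vids) >= 2 and vids[0] == outer_vid and vids[1] == inner_vid:
            kept.append((ts_sec, ts_usec, strip_vlan_tags(frame)))
    return write_pcap(kept)


def tagged_frame(vids):
    """Constructed Ethernet frame carrying the given VLAN stack (outer first)."""
    frame = bytes.fromhex("020000000001" "020000000002")    # constructed MACs
    for i, vid in enumerate(vids):
        tpid = 0x88A8 if (i == 0 and len(vids) > 1) else 0x8100
        frame += struct.pack("!HH", tpid, vid & 0x0FFF)
    return frame + struct.pack("!H", 0x0800) + bytes(range(20))  # fake IPv4 payload


# Constructed sample capture: only the first frame is VLAN 1901 inside VLAN 313.
SAMPLE_FRAMES = [
    tagged_frame([313, 1901]),
    tagged_frame([313, 1902]),
    tagged_frame([200, 1901]),
    tagged_frame([1901]),
    tagged_frame([]),
]


def demo():
    """Run the filter over the sample capture; returns the surviving records."""
    src = write_pcap([(1369832000 + i, 0, f) for i, f in enumerate(SAMPLE_FRAMES)])
    return read_pcap(filter_qinq(src, 313, 1901))


if __name__ == "__main__":
    if len(sys.argv) == 5:                     # usage: in.pcap out.pcap OUTER INNER
        with open(sys.argv[1], "rb") as fh:
            result = filter_qinq(fh.read(), int(sys.argv[3]), int(sys.argv[4]))
        with open(sys.argv[2], "wb") as fh:
            fh.write(result)
    else:
        for ts_sec, _, frame in demo():
            print(ts_sec, frame.hex())
```

Run it as "python3 qinq_filter.py test_03_tshark.pcap capture_clean_vlans.pcap 313 1901" and compare the packet count with what tcprewrite produced; with no arguments it runs on the constructed sample and prints the one surviving frame. Two caveats worth knowing: the script only understands the classic pcap format, so save with tshark -F pcap (or tcpdump) rather than pcapng, and tcpdump -r applies the same BPF expression directly to a capture file, which avoids the replay through dummy0 altogether when all you need is the filtered file.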
If you need tcpreplay and friends (tcprewrite), you can find them at http://tcpreplay.synfin.net/, and tcptrace is at http://www.tcptrace.org/.