How to block a pcap pumped by tcpreplay from one server by iptables on the other?












0















I am new to stack exchange.
What I am trying is:
I am pumping traffic from one server by the following command:
tcpreplay -i ens3 ~/daniel/sipdump.pcap from server 1



And I am capturing the traffic in the server 2 by tcpdump -i ens3 -nn
I want to block all SIP traffic which uses 5060 by default as source or destination.



But the ip in the pcap is not destination ip:
My server 2 ip is different(192.168.101.5). As I am pumping a pcap the ips are different(source and destination).



[root@serevr1]# tshark -r outbound_incoming1.pcap



  1          0 172.16.130.119 -> 172.16.130.119 SIP/SDP 561 Request: INVITE sip:sandeep@com:5060 | 

  2          0 172.16.130.119 -> 172.16.130.119 SIP 358 Status: 100 OK | 

  3          0 172.16.130.119 -> 172.16.130.119 SIP 358 Status: 183 OK | 

  4          0 172.16.130.119 -> 172.16.130.119 SIP 439 Request: PRACK sip:sandeep@com:5060 | 

  5          0 172.16.130.119 -> 172.16.130.119 SIP 364 Status: 200 OK | 

  6          0 172.16.130.119 -> 172.16.130.119 SIP 364 Status: 180 OK | 

  7          3 172.16.130.119 -> 172.16.130.119 SIP/SDP 529 Status: 200 OK | 

  8          3 172.16.130.119 -> 172.16.130.119 SIP 398 Request: ACK sip:sandeep@com:5060 | 

  9          6 172.16.130.119 -> 172.16.130.119 SIP 385 Request: BYE sip:kapil@com:5060 | 

 10          6 172.16.130.119 -> 172.16.130.119 SIP 346 Status: 200 OK |


I want to drop/accept the sip traffic which are the udp packets in iptables which I am not able to do so.



Please help me out to do so.






linux iptables tcpdump sip tcpreplay







share|improve this question





























    0















    I am new to stack exchange.
    What I am trying is:
    I am pumping traffic from one server by the following command:
    tcpreplay -i ens3 ~/daniel/sipdump.pcap from server 1



    And I am capturing the traffic in the server 2 by tcpdump -i ens3 -nn
    I want to block all SIP traffic which uses 5060 by default as source or destination.



    But the ip in the pcap is not destination ip:
    My server 2 ip is different(192.168.101.5). As I am pumping a pcap the ips are different(source and destination).



    [root@serevr1]# tshark -r outbound_incoming1.pcap
    

    
  1          0 172.16.130.119 -> 172.16.130.119 SIP/SDP 561 Request: INVITE sip:sandeep@com:5060 | 
    
  2          0 172.16.130.119 -> 172.16.130.119 SIP 358 Status: 100 OK | 
    
  3          0 172.16.130.119 -> 172.16.130.119 SIP 358 Status: 183 OK | 
    
  4          0 172.16.130.119 -> 172.16.130.119 SIP 439 Request: PRACK sip:sandeep@com:5060 | 
    
  5          0 172.16.130.119 -> 172.16.130.119 SIP 364 Status: 200 OK | 
    
  6          0 172.16.130.119 -> 172.16.130.119 SIP 364 Status: 180 OK | 
    
  7          3 172.16.130.119 -> 172.16.130.119 SIP/SDP 529 Status: 200 OK | 
    
  8          3 172.16.130.119 -> 172.16.130.119 SIP 398 Request: ACK sip:sandeep@com:5060 | 
    
  9          6 172.16.130.119 -> 172.16.130.119 SIP 385 Request: BYE sip:kapil@com:5060 | 
    
 10          6 172.16.130.119 -> 172.16.130.119 SIP 346 Status: 200 OK |


    I want to drop/accept the sip traffic which are the udp packets in iptables which I am not able to do so.



    Please help me out to do so.






    linux iptables tcpdump sip tcpreplay







    share|improve this question



























      0












      0








      0








      I am new to stack exchange.
      What I am trying is:
      I am pumping traffic from one server by the following command:
      tcpreplay -i ens3 ~/daniel/sipdump.pcap from server 1



      And I am capturing the traffic in the server 2 by tcpdump -i ens3 -nn
      I want to block all SIP traffic which uses 5060 by default as source or destination.



      But the ip in the pcap is not destination ip:
      My server 2 ip is different(192.168.101.5). As I am pumping a pcap the ips are different(source and destination).



      [root@serevr1]# tshark -r outbound_incoming1.pcap
      

      
  1          0 172.16.130.119 -> 172.16.130.119 SIP/SDP 561 Request: INVITE sip:sandeep@com:5060 | 
      
  2          0 172.16.130.119 -> 172.16.130.119 SIP 358 Status: 100 OK | 
      
  3          0 172.16.130.119 -> 172.16.130.119 SIP 358 Status: 183 OK | 
      
  4          0 172.16.130.119 -> 172.16.130.119 SIP 439 Request: PRACK sip:sandeep@com:5060 | 
      
  5          0 172.16.130.119 -> 172.16.130.119 SIP 364 Status: 200 OK | 
      
  6          0 172.16.130.119 -> 172.16.130.119 SIP 364 Status: 180 OK | 
      
  7          3 172.16.130.119 -> 172.16.130.119 SIP/SDP 529 Status: 200 OK | 
      
  8          3 172.16.130.119 -> 172.16.130.119 SIP 398 Request: ACK sip:sandeep@com:5060 | 
      
  9          6 172.16.130.119 -> 172.16.130.119 SIP 385 Request: BYE sip:kapil@com:5060 | 
      
 10          6 172.16.130.119 -> 172.16.130.119 SIP 346 Status: 200 OK |


      I want to drop/accept the sip traffic which are the udp packets in iptables which I am not able to do so.



      Please help me out to do so.






      linux iptables tcpdump sip tcpreplay







      share|improve this question
















      I am new to stack exchange.
      What I am trying is:
      I am pumping traffic from one server by the following command:
      tcpreplay -i ens3 ~/daniel/sipdump.pcap from server 1



      And I am capturing the traffic in the server 2 by tcpdump -i ens3 -nn
      I want to block all SIP traffic which uses 5060 by default as source or destination.



      But the ip in the pcap is not destination ip:
      My server 2 ip is different(192.168.101.5). As I am pumping a pcap the ips are different(source and destination).



      [root@serevr1]# tshark -r outbound_incoming1.pcap
      

      
  1          0 172.16.130.119 -> 172.16.130.119 SIP/SDP 561 Request: INVITE sip:sandeep@com:5060 | 
      
  2          0 172.16.130.119 -> 172.16.130.119 SIP 358 Status: 100 OK | 
      
  3          0 172.16.130.119 -> 172.16.130.119 SIP 358 Status: 183 OK | 
      
  4          0 172.16.130.119 -> 172.16.130.119 SIP 439 Request: PRACK sip:sandeep@com:5060 | 
      
  5          0 172.16.130.119 -> 172.16.130.119 SIP 364 Status: 200 OK | 
      
  6          0 172.16.130.119 -> 172.16.130.119 SIP 364 Status: 180 OK | 
      
  7          3 172.16.130.119 -> 172.16.130.119 SIP/SDP 529 Status: 200 OK | 
      
  8          3 172.16.130.119 -> 172.16.130.119 SIP 398 Request: ACK sip:sandeep@com:5060 | 
      
  9          6 172.16.130.119 -> 172.16.130.119 SIP 385 Request: BYE sip:kapil@com:5060 | 
      
 10          6 172.16.130.119 -> 172.16.130.119 SIP 346 Status: 200 OK |


      I want to drop/accept the sip traffic which are the udp packets in iptables which I am not able to do so.



      Please help me out to do so.






      linux iptables tcpdump sip tcpreplay




      linux iptables tcpdump sip tcpreplay






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Jan 23 at 14:07









      Pimp Juice IT

      25k114177




      25k114177










      asked Jan 23 at 13:10









      Debiprasanna MohantyDebiprasanna Mohanty

      1




      1






















          1 Answer
          1






          active

          oldest

          votes


















          0














          Try using tcpreplay-edit to modify the destination MAC and destination IP to match your destination server. Or you can use tcprewrite (also part of Tcpreplay suite) to modify the destination MAC/IP of your PCAP file. Either way, your server will reject any traffic all other traffic (except broadcast packets).



          Note that if the target is a TCP application, simply changing the MAC and IP address is not sufficient. During TCP handshake, random sequence number are negotiated by client and server, so just pushing a PCAP file will not suffice. In those cases you may be able to use tcpliveplay, but that will require a very specially crafted PCAP file.






          share|improve this answer
























          • Changing the MAC wont help as we are doing a port mirroring and dumping the packets on mirrored port where I am sniffing/filtering all sip packets.

            – Debiprasanna Mohanty
            Jan 31 at 5:02











          • HOST A--------->SWITCH-------->HOST B

            – Debiprasanna Mohanty
            Jan 31 at 5:13











          • SWITCH-->Mirrored Port-->Sniffing application

            – Debiprasanna Mohanty
            Jan 31 at 5:15











          Your Answer








          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "3"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1397455%2fhow-to-block-a-pcap-pumped-by-tcpreplay-from-one-server-by-iptables-on-the-other%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes









          0














          Try using tcpreplay-edit to modify the destination MAC and destination IP to match your destination server. Or you can use tcprewrite (also part of Tcpreplay suite) to modify the destination MAC/IP of your PCAP file. Either way, your server will reject any traffic all other traffic (except broadcast packets).



          Note that if the target is a TCP application, simply changing the MAC and IP address is not sufficient. During TCP handshake, random sequence number are negotiated by client and server, so just pushing a PCAP file will not suffice. In those cases you may be able to use tcpliveplay, but that will require a very specially crafted PCAP file.






          share|improve this answer
























          • Changing the MAC wont help as we are doing a port mirroring and dumping the packets on mirrored port where I am sniffing/filtering all sip packets.

            – Debiprasanna Mohanty
            Jan 31 at 5:02











          • HOST A--------->SWITCH-------->HOST B

            – Debiprasanna Mohanty
            Jan 31 at 5:13











          • SWITCH-->Mirrored Port-->Sniffing application

            – Debiprasanna Mohanty
            Jan 31 at 5:15
















          0














          Try using tcpreplay-edit to modify the destination MAC and destination IP to match your destination server. Or you can use tcprewrite (also part of Tcpreplay suite) to modify the destination MAC/IP of your PCAP file. Either way, your server will reject any traffic all other traffic (except broadcast packets).



          Note that if the target is a TCP application, simply changing the MAC and IP address is not sufficient. During TCP handshake, random sequence number are negotiated by client and server, so just pushing a PCAP file will not suffice. In those cases you may be able to use tcpliveplay, but that will require a very specially crafted PCAP file.






          share|improve this answer
























          • Changing the MAC wont help as we are doing a port mirroring and dumping the packets on mirrored port where I am sniffing/filtering all sip packets.

            – Debiprasanna Mohanty
            Jan 31 at 5:02











          • HOST A--------->SWITCH-------->HOST B

            – Debiprasanna Mohanty
            Jan 31 at 5:13











          • SWITCH-->Mirrored Port-->Sniffing application

            – Debiprasanna Mohanty
            Jan 31 at 5:15














          0












          0








          0







          Try using tcpreplay-edit to modify the destination MAC and destination IP to match your destination server. Or you can use tcprewrite (also part of Tcpreplay suite) to modify the destination MAC/IP of your PCAP file. Either way, your server will reject any traffic all other traffic (except broadcast packets).



          Note that if the target is a TCP application, simply changing the MAC and IP address is not sufficient. During TCP handshake, random sequence number are negotiated by client and server, so just pushing a PCAP file will not suffice. In those cases you may be able to use tcpliveplay, but that will require a very specially crafted PCAP file.






          share|improve this answer













          Try using tcpreplay-edit to modify the destination MAC and destination IP to match your destination server. Or you can use tcprewrite (also part of Tcpreplay suite) to modify the destination MAC/IP of your PCAP file. Either way, your server will reject any traffic all other traffic (except broadcast packets).



          Note that if the target is a TCP application, simply changing the MAC and IP address is not sufficient. During TCP handshake, random sequence number are negotiated by client and server, so just pushing a PCAP file will not suffice. In those cases you may be able to use tcpliveplay, but that will require a very specially crafted PCAP file.







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered Jan 25 at 16:58









          fredkfredk

          1011




          1011













          • Changing the MAC wont help as we are doing a port mirroring and dumping the packets on mirrored port where I am sniffing/filtering all sip packets.

            – Debiprasanna Mohanty
            Jan 31 at 5:02











          • HOST A--------->SWITCH-------->HOST B

            – Debiprasanna Mohanty
            Jan 31 at 5:13











          • SWITCH-->Mirrored Port-->Sniffing application

            – Debiprasanna Mohanty
            Jan 31 at 5:15



















          • Changing the MAC wont help as we are doing a port mirroring and dumping the packets on mirrored port where I am sniffing/filtering all sip packets.

            – Debiprasanna Mohanty
            Jan 31 at 5:02











          • HOST A--------->SWITCH-------->HOST B

            – Debiprasanna Mohanty
            Jan 31 at 5:13











          • SWITCH-->Mirrored Port-->Sniffing application

            – Debiprasanna Mohanty
            Jan 31 at 5:15

















          Changing the MAC wont help as we are doing a port mirroring and dumping the packets on mirrored port where I am sniffing/filtering all sip packets.

          – Debiprasanna Mohanty
          Jan 31 at 5:02





          Changing the MAC wont help as we are doing a port mirroring and dumping the packets on mirrored port where I am sniffing/filtering all sip packets.

          – Debiprasanna Mohanty
          Jan 31 at 5:02













          HOST A--------->SWITCH-------->HOST B

          – Debiprasanna Mohanty
          Jan 31 at 5:13





          HOST A--------->SWITCH-------->HOST B

          – Debiprasanna Mohanty
          Jan 31 at 5:13













          SWITCH-->Mirrored Port-->Sniffing application

          – Debiprasanna Mohanty
          Jan 31 at 5:15





          SWITCH-->Mirrored Port-->Sniffing application

          – Debiprasanna Mohanty
          Jan 31 at 5:15


















          draft saved

          draft discarded




















































          Thanks for contributing an answer to Super User!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1397455%2fhow-to-block-a-pcap-pumped-by-tcpreplay-from-one-server-by-iptables-on-the-other%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          -

          Popular posts from this blog

          Список кардиналов, возведённых папой римским Каликстом III

          Image
          Папа Каликст III Кардиналы, возведённые Папой римским Каликстом III  — 9 прелатов и мирян были возведены в сан кардинала на двух Консисториях за трёхлетний понтификат Каликста III. Самой крупной консисторией были Консистория от 17 декабря 1456 года, на которой было возведено шесть кардиналов. Папа Каллист III хотел назвать отца Жан Сорета, O.Carm., епископом или кардиналом, но он отказался, потому что хотел посвятить себя своему ордену и продвижению религиозного рвения и соблюдения устава монашеского ордена. Консистория от 17 сентября 1456 года | Луис Хуан дель Мила, племянник Его Святейшества, епископ Сегорбе (королевство Арагон); Жайме Португальский, администратор архиепархии Лиссабона (королевство Португалия); Родриго де Борха-и-Борха, племянник Его Святейшества, ризничий Валенсии (Папская область). Консистория от 17 декабря 1456 года | Ринальдо Пишичелло, архиепископ Неаполя (Неаполитанское королевство); Хуан де Мелья, епископ Саморы (королевство Ка
          Read more

          Deduzione

          Image
          .mw-parser-output .nota-disambigua{clear:both;margin-bottom:.5em;border:1px solid #CCC;padding-left:4px}.mw-parser-output .nota-disambigua i{vertical-align:middle} Disambiguazione – Se stai cercando il teorema, vedi Teorema di deduzione . Disambiguazione – Se stai cercando il concetto di deduzione in economia, vedi deduzione fiscale . Il ragionamento deduttivo umano assimilato a un meccanismo Il metodo deduttivo o deduzione è il procedimento razionale che fa derivare una certa conclusione da premesse più generiche, dentro cui quella conclusione è implicita. Il termine significa letteralmente «condurre da», perché proviene dal latino "de" (traducibile con da , preposizione indicante provenienza, o moto di discesa dall'alto verso il basso) e "ducere" ( condurre ). Questo metodo parte da postulati e princìpi primi e, attraverso una serie di rigorose concatenazioni logiche, procede verso determinazioni più particolari attinenti alla realtà tangi
          Read more

          Mysql.sock missing - “Can't connect to local MySQL server through socket”

          Image
          .everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ height:90px;width:728px;box-sizing:border-box; } 0 Operating System - OSX 10.11.2 MAMP version - 3.5 I'm following along with this guide, setting up wordpress with Xammp on PC and MAMP on Mac, where I'm in step "Mac - 4" is asked to input: "In the Terminal run: /Applications/MAMP/Library/bin/mysqladmin -u root -p password {Your Windows MySQL password here}" However, this (with out bracket text) results in error message: error: 'Can't connect to local MySQL server through socket '/Applications/MAMP/tmp/mysql/mysql.sock' (2)' Check that mysqld is running and that the socket: '/Applications/MAMP/tmp/mysql/mysql.sock'
          Read more