How to block a pcap pumped by tcpreplay from one server by iptables on the other?












0















I am new to stack exchange.
What I am trying is:
I am pumping traffic from one server by the following command:
tcpreplay -i ens3 ~/daniel/sipdump.pcap from server 1



And I am capturing the traffic in the server 2 by tcpdump -i ens3 -nn
I want to block all SIP traffic which uses 5060 by default as source or destination.



But the ip in the pcap is not destination ip:
My server 2 ip is different(192.168.101.5). As I am pumping a pcap the ips are different(source and destination).



[root@serevr1]# tshark -r outbound_incoming1.pcap



  1          0 172.16.130.119 -> 172.16.130.119 SIP/SDP 561 Request: INVITE sip:sandeep@com:5060 | 

  2          0 172.16.130.119 -> 172.16.130.119 SIP 358 Status: 100 OK | 

  3          0 172.16.130.119 -> 172.16.130.119 SIP 358 Status: 183 OK | 

  4          0 172.16.130.119 -> 172.16.130.119 SIP 439 Request: PRACK sip:sandeep@com:5060 | 

  5          0 172.16.130.119 -> 172.16.130.119 SIP 364 Status: 200 OK | 

  6          0 172.16.130.119 -> 172.16.130.119 SIP 364 Status: 180 OK | 

  7          3 172.16.130.119 -> 172.16.130.119 SIP/SDP 529 Status: 200 OK | 

  8          3 172.16.130.119 -> 172.16.130.119 SIP 398 Request: ACK sip:sandeep@com:5060 | 

  9          6 172.16.130.119 -> 172.16.130.119 SIP 385 Request: BYE sip:kapil@com:5060 | 

 10          6 172.16.130.119 -> 172.16.130.119 SIP 346 Status: 200 OK |


I want to drop/accept the sip traffic which are the udp packets in iptables which I am not able to do so.



Please help me out to do so.






linux iptables tcpdump sip tcpreplay







share|improve this question





























    0















    I am new to stack exchange.
    What I am trying is:
    I am pumping traffic from one server by the following command:
    tcpreplay -i ens3 ~/daniel/sipdump.pcap from server 1



    And I am capturing the traffic in the server 2 by tcpdump -i ens3 -nn
    I want to block all SIP traffic which uses 5060 by default as source or destination.



    But the ip in the pcap is not destination ip:
    My server 2 ip is different(192.168.101.5). As I am pumping a pcap the ips are different(source and destination).



    [root@serevr1]# tshark -r outbound_incoming1.pcap
    

    
  1          0 172.16.130.119 -> 172.16.130.119 SIP/SDP 561 Request: INVITE sip:sandeep@com:5060 | 
    
  2          0 172.16.130.119 -> 172.16.130.119 SIP 358 Status: 100 OK | 
    
  3          0 172.16.130.119 -> 172.16.130.119 SIP 358 Status: 183 OK | 
    
  4          0 172.16.130.119 -> 172.16.130.119 SIP 439 Request: PRACK sip:sandeep@com:5060 | 
    
  5          0 172.16.130.119 -> 172.16.130.119 SIP 364 Status: 200 OK | 
    
  6          0 172.16.130.119 -> 172.16.130.119 SIP 364 Status: 180 OK | 
    
  7          3 172.16.130.119 -> 172.16.130.119 SIP/SDP 529 Status: 200 OK | 
    
  8          3 172.16.130.119 -> 172.16.130.119 SIP 398 Request: ACK sip:sandeep@com:5060 | 
    
  9          6 172.16.130.119 -> 172.16.130.119 SIP 385 Request: BYE sip:kapil@com:5060 | 
    
 10          6 172.16.130.119 -> 172.16.130.119 SIP 346 Status: 200 OK |


    I want to drop/accept the sip traffic which are the udp packets in iptables which I am not able to do so.



    Please help me out to do so.






    linux iptables tcpdump sip tcpreplay







    share|improve this question



























      0












      0








      0








      I am new to stack exchange.
      What I am trying is:
      I am pumping traffic from one server by the following command:
      tcpreplay -i ens3 ~/daniel/sipdump.pcap from server 1



      And I am capturing the traffic in the server 2 by tcpdump -i ens3 -nn
      I want to block all SIP traffic which uses 5060 by default as source or destination.



      But the ip in the pcap is not destination ip:
      My server 2 ip is different(192.168.101.5). As I am pumping a pcap the ips are different(source and destination).



      [root@serevr1]# tshark -r outbound_incoming1.pcap
      

      
  1          0 172.16.130.119 -> 172.16.130.119 SIP/SDP 561 Request: INVITE sip:sandeep@com:5060 | 
      
  2          0 172.16.130.119 -> 172.16.130.119 SIP 358 Status: 100 OK | 
      
  3          0 172.16.130.119 -> 172.16.130.119 SIP 358 Status: 183 OK | 
      
  4          0 172.16.130.119 -> 172.16.130.119 SIP 439 Request: PRACK sip:sandeep@com:5060 | 
      
  5          0 172.16.130.119 -> 172.16.130.119 SIP 364 Status: 200 OK | 
      
  6          0 172.16.130.119 -> 172.16.130.119 SIP 364 Status: 180 OK | 
      
  7          3 172.16.130.119 -> 172.16.130.119 SIP/SDP 529 Status: 200 OK | 
      
  8          3 172.16.130.119 -> 172.16.130.119 SIP 398 Request: ACK sip:sandeep@com:5060 | 
      
  9          6 172.16.130.119 -> 172.16.130.119 SIP 385 Request: BYE sip:kapil@com:5060 | 
      
 10          6 172.16.130.119 -> 172.16.130.119 SIP 346 Status: 200 OK |


      I want to drop/accept the sip traffic which are the udp packets in iptables which I am not able to do so.



      Please help me out to do so.






      linux iptables tcpdump sip tcpreplay







      share|improve this question
















      I am new to stack exchange.
      What I am trying is:
      I am pumping traffic from one server by the following command:
      tcpreplay -i ens3 ~/daniel/sipdump.pcap from server 1



      And I am capturing the traffic in the server 2 by tcpdump -i ens3 -nn
      I want to block all SIP traffic which uses 5060 by default as source or destination.



      But the ip in the pcap is not destination ip:
      My server 2 ip is different(192.168.101.5). As I am pumping a pcap the ips are different(source and destination).



      [root@serevr1]# tshark -r outbound_incoming1.pcap
      

      
  1          0 172.16.130.119 -> 172.16.130.119 SIP/SDP 561 Request: INVITE sip:sandeep@com:5060 | 
      
  2          0 172.16.130.119 -> 172.16.130.119 SIP 358 Status: 100 OK | 
      
  3          0 172.16.130.119 -> 172.16.130.119 SIP 358 Status: 183 OK | 
      
  4          0 172.16.130.119 -> 172.16.130.119 SIP 439 Request: PRACK sip:sandeep@com:5060 | 
      
  5          0 172.16.130.119 -> 172.16.130.119 SIP 364 Status: 200 OK | 
      
  6          0 172.16.130.119 -> 172.16.130.119 SIP 364 Status: 180 OK | 
      
  7          3 172.16.130.119 -> 172.16.130.119 SIP/SDP 529 Status: 200 OK | 
      
  8          3 172.16.130.119 -> 172.16.130.119 SIP 398 Request: ACK sip:sandeep@com:5060 | 
      
  9          6 172.16.130.119 -> 172.16.130.119 SIP 385 Request: BYE sip:kapil@com:5060 | 
      
 10          6 172.16.130.119 -> 172.16.130.119 SIP 346 Status: 200 OK |


      I want to drop/accept the sip traffic which are the udp packets in iptables which I am not able to do so.



      Please help me out to do so.






      linux iptables tcpdump sip tcpreplay




      linux iptables tcpdump sip tcpreplay






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Jan 23 at 14:07









      Pimp Juice IT

      25k114177




      25k114177










      asked Jan 23 at 13:10









      Debiprasanna MohantyDebiprasanna Mohanty

      1




      1






















          1 Answer
          1






          active

          oldest

          votes


















          0














          Try using tcpreplay-edit to modify the destination MAC and destination IP to match your destination server. Or you can use tcprewrite (also part of Tcpreplay suite) to modify the destination MAC/IP of your PCAP file. Either way, your server will reject any traffic all other traffic (except broadcast packets).



          Note that if the target is a TCP application, simply changing the MAC and IP address is not sufficient. During TCP handshake, random sequence number are negotiated by client and server, so just pushing a PCAP file will not suffice. In those cases you may be able to use tcpliveplay, but that will require a very specially crafted PCAP file.






          share|improve this answer
























          • Changing the MAC wont help as we are doing a port mirroring and dumping the packets on mirrored port where I am sniffing/filtering all sip packets.

            – Debiprasanna Mohanty
            Jan 31 at 5:02











          • HOST A--------->SWITCH-------->HOST B

            – Debiprasanna Mohanty
            Jan 31 at 5:13











          • SWITCH-->Mirrored Port-->Sniffing application

            – Debiprasanna Mohanty
            Jan 31 at 5:15











          Your Answer








          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "3"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1397455%2fhow-to-block-a-pcap-pumped-by-tcpreplay-from-one-server-by-iptables-on-the-other%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes









          0














          Try using tcpreplay-edit to modify the destination MAC and destination IP to match your destination server. Or you can use tcprewrite (also part of Tcpreplay suite) to modify the destination MAC/IP of your PCAP file. Either way, your server will reject any traffic all other traffic (except broadcast packets).



          Note that if the target is a TCP application, simply changing the MAC and IP address is not sufficient. During TCP handshake, random sequence number are negotiated by client and server, so just pushing a PCAP file will not suffice. In those cases you may be able to use tcpliveplay, but that will require a very specially crafted PCAP file.






          share|improve this answer
























          • Changing the MAC wont help as we are doing a port mirroring and dumping the packets on mirrored port where I am sniffing/filtering all sip packets.

            – Debiprasanna Mohanty
            Jan 31 at 5:02











          • HOST A--------->SWITCH-------->HOST B

            – Debiprasanna Mohanty
            Jan 31 at 5:13











          • SWITCH-->Mirrored Port-->Sniffing application

            – Debiprasanna Mohanty
            Jan 31 at 5:15
















          0














          Try using tcpreplay-edit to modify the destination MAC and destination IP to match your destination server. Or you can use tcprewrite (also part of Tcpreplay suite) to modify the destination MAC/IP of your PCAP file. Either way, your server will reject any traffic all other traffic (except broadcast packets).



          Note that if the target is a TCP application, simply changing the MAC and IP address is not sufficient. During TCP handshake, random sequence number are negotiated by client and server, so just pushing a PCAP file will not suffice. In those cases you may be able to use tcpliveplay, but that will require a very specially crafted PCAP file.






          share|improve this answer
























          • Changing the MAC wont help as we are doing a port mirroring and dumping the packets on mirrored port where I am sniffing/filtering all sip packets.

            – Debiprasanna Mohanty
            Jan 31 at 5:02











          • HOST A--------->SWITCH-------->HOST B

            – Debiprasanna Mohanty
            Jan 31 at 5:13











          • SWITCH-->Mirrored Port-->Sniffing application

            – Debiprasanna Mohanty
            Jan 31 at 5:15














          0












          0








          0







          Try using tcpreplay-edit to modify the destination MAC and destination IP to match your destination server. Or you can use tcprewrite (also part of Tcpreplay suite) to modify the destination MAC/IP of your PCAP file. Either way, your server will reject any traffic all other traffic (except broadcast packets).



          Note that if the target is a TCP application, simply changing the MAC and IP address is not sufficient. During TCP handshake, random sequence number are negotiated by client and server, so just pushing a PCAP file will not suffice. In those cases you may be able to use tcpliveplay, but that will require a very specially crafted PCAP file.






          share|improve this answer













          Try using tcpreplay-edit to modify the destination MAC and destination IP to match your destination server. Or you can use tcprewrite (also part of Tcpreplay suite) to modify the destination MAC/IP of your PCAP file. Either way, your server will reject any traffic all other traffic (except broadcast packets).



          Note that if the target is a TCP application, simply changing the MAC and IP address is not sufficient. During TCP handshake, random sequence number are negotiated by client and server, so just pushing a PCAP file will not suffice. In those cases you may be able to use tcpliveplay, but that will require a very specially crafted PCAP file.







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered Jan 25 at 16:58









          fredkfredk

          1011




          1011













          • Changing the MAC wont help as we are doing a port mirroring and dumping the packets on mirrored port where I am sniffing/filtering all sip packets.

            – Debiprasanna Mohanty
            Jan 31 at 5:02











          • HOST A--------->SWITCH-------->HOST B

            – Debiprasanna Mohanty
            Jan 31 at 5:13











          • SWITCH-->Mirrored Port-->Sniffing application

            – Debiprasanna Mohanty
            Jan 31 at 5:15



















          • Changing the MAC wont help as we are doing a port mirroring and dumping the packets on mirrored port where I am sniffing/filtering all sip packets.

            – Debiprasanna Mohanty
            Jan 31 at 5:02











          • HOST A--------->SWITCH-------->HOST B

            – Debiprasanna Mohanty
            Jan 31 at 5:13











          • SWITCH-->Mirrored Port-->Sniffing application

            – Debiprasanna Mohanty
            Jan 31 at 5:15

















          Changing the MAC wont help as we are doing a port mirroring and dumping the packets on mirrored port where I am sniffing/filtering all sip packets.

          – Debiprasanna Mohanty
          Jan 31 at 5:02





          Changing the MAC wont help as we are doing a port mirroring and dumping the packets on mirrored port where I am sniffing/filtering all sip packets.

          – Debiprasanna Mohanty
          Jan 31 at 5:02













          HOST A--------->SWITCH-------->HOST B

          – Debiprasanna Mohanty
          Jan 31 at 5:13





          HOST A--------->SWITCH-------->HOST B

          – Debiprasanna Mohanty
          Jan 31 at 5:13













          SWITCH-->Mirrored Port-->Sniffing application

          – Debiprasanna Mohanty
          Jan 31 at 5:15





          SWITCH-->Mirrored Port-->Sniffing application

          – Debiprasanna Mohanty
          Jan 31 at 5:15


















          draft saved

          draft discarded




















































          Thanks for contributing an answer to Super User!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1397455%2fhow-to-block-a-pcap-pumped-by-tcpreplay-from-one-server-by-iptables-on-the-other%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          -

          Popular posts from this blog

          Сан-Квентин

          Image
          Сан-Квентин Местоположение Сан-Квентин, Калифорния Координаты 37°56′13″ с. ш. 122°29′20″ з. д. H G Я O L Текущий статус Действует Режим безопасности минимальный и максимальный Количество мест 3 302 Открытие Июнь 1852 Находится в ведомстве California Department of Corrections and Rehabilitation Начальник Mike Martel, начальник  Сан-Квентин на Викискладе Сан-Квентин (англ.  San Quentin ) — тюрьма, располагающаяся на 432 акрах (около 1,7 км²), на мысе Сан-Квентин, в округе Марин, штат Калифорния, США. Тюрьма штата Калифорния Сан-Квентин была открыта в июле 1852 года и является старейшей в штате. Она была построена заключёнными, которые проживали в течение строительства на тюремном судне Вабан. В Сан-Квентине отбывали наказание и мужчины, и женщины до 1934 года, когда построили женскую тюрьму в Техачапи и туда перевели всех заключённых женщин. В Сан-Квентине приводятся в исполнение смертные казни, для этого имеется газовая камера, но
          Read more

          Алькесар

          Image
          Муниципалитет Алькесар Alquézar Герб 42°10′16″ с. ш. 0°01′27″ в. д. H G Я O L Страна Испания   Испания Автономное сообщество Арагон Провинция Уэска Комарка Сомонтано-де-Барбастро Алькальд Хосе Марияно Альтемир Ласкорс (ИСРП) История и география Площадь 32,36 км² Высота НУМ 660 м Часовой пояс UTC+1, летом UTC+2 Население Население 313 человек ( 2010 ) Плотность 9,92 чел./км² Этнохороним alquezarano/-a Цифровые идентификаторы Телефонный код +34 974 Почтовые индексы 22112 Автомобильный код HU alquezar.org   (исп.) Показать/скрыть карты Алькесар Алькесар Алькесар  Аудио, фото и видео на Викискладе Алькесар (исп.  Alquézar ) — муниципалитет в Испании, входит в провинцию Уэска, в составе автономного сообщества Арагон. Муниципалитет находится в составе района (комарки) Сомонтано-де-Барбастро. Занимает площадь 32,36 км². Население — 321 челове
          Read more

          Josef Freinademetz

          Image
          San Ujöp (Giuseppe/Josef) Freinademetz Josef Freinademetz in abiti cinesi   Religioso e missionario   Nascita 15 aprile 1852 Morte 28 gennaio 1908 Venerato da Chiesa cattolica Beatificazione 1975 Canonizzazione 5 ottobre 2003 Ricorrenza 28 gennaio Manuale Ujöp Freinademetz noto anche come Giuseppe o Josef Freinademetz (Oies, 15 aprile 1852 – Taikia, 28 gennaio 1908) è stato un presbitero austriaco, membro della Società del Verbo Divino, fu missionario in Cina; è venerato come santo dalla Chiesa cattolica. .mw-parser-output .citazione-table{margin-bottom:.5em;font-size:95%}.mw-parser-output .citazione-table td{padding:0 1.2em 0 2.4em}.mw-parser-output .citazione-lang{vertical-align:top}.mw-parser-output .citazione-lang td{width:50%}.mw-parser-output .citazione-lang td:first-child{padding:0 0 0 2.4em}.mw-parser-output .citazione-lang td:nth-child(2){padding:0 1.2em} «Io amo la Cina e i cinesi; voglio morire in mezzo a loro, e tra loro
          Read more