How to block a pcap pumped by tcpreplay from one server by iptables on the other?












0















I am new to stack exchange.
What I am trying is:
I am pumping traffic from one server by the following command:
tcpreplay -i ens3 ~/daniel/sipdump.pcap from server 1



And I am capturing the traffic in the server 2 by tcpdump -i ens3 -nn
I want to block all SIP traffic which uses 5060 by default as source or destination.



But the ip in the pcap is not destination ip:
My server 2 ip is different(192.168.101.5). As I am pumping a pcap the ips are different(source and destination).



[root@serevr1]# tshark -r outbound_incoming1.pcap

1 0 172.16.130.119 -> 172.16.130.119 SIP/SDP 561 Request: INVITE sip:sandeep@com:5060 |
2 0 172.16.130.119 -> 172.16.130.119 SIP 358 Status: 100 OK |
3 0 172.16.130.119 -> 172.16.130.119 SIP 358 Status: 183 OK |
4 0 172.16.130.119 -> 172.16.130.119 SIP 439 Request: PRACK sip:sandeep@com:5060 |
5 0 172.16.130.119 -> 172.16.130.119 SIP 364 Status: 200 OK |
6 0 172.16.130.119 -> 172.16.130.119 SIP 364 Status: 180 OK |
7 3 172.16.130.119 -> 172.16.130.119 SIP/SDP 529 Status: 200 OK |
8 3 172.16.130.119 -> 172.16.130.119 SIP 398 Request: ACK sip:sandeep@com:5060 |
9 6 172.16.130.119 -> 172.16.130.119 SIP 385 Request: BYE sip:kapil@com:5060 |
10 6 172.16.130.119 -> 172.16.130.119 SIP 346 Status: 200 OK |


I want to drop/accept the sip traffic which are the udp packets in iptables which I am not able to do so.



Please help me out to do so.










share|improve this question





























    0















    I am new to stack exchange.
    What I am trying is:
    I am pumping traffic from one server by the following command:
    tcpreplay -i ens3 ~/daniel/sipdump.pcap from server 1



    And I am capturing the traffic in the server 2 by tcpdump -i ens3 -nn
    I want to block all SIP traffic which uses 5060 by default as source or destination.



    But the ip in the pcap is not destination ip:
    My server 2 ip is different(192.168.101.5). As I am pumping a pcap the ips are different(source and destination).



    [root@serevr1]# tshark -r outbound_incoming1.pcap

    1 0 172.16.130.119 -> 172.16.130.119 SIP/SDP 561 Request: INVITE sip:sandeep@com:5060 |
    2 0 172.16.130.119 -> 172.16.130.119 SIP 358 Status: 100 OK |
    3 0 172.16.130.119 -> 172.16.130.119 SIP 358 Status: 183 OK |
    4 0 172.16.130.119 -> 172.16.130.119 SIP 439 Request: PRACK sip:sandeep@com:5060 |
    5 0 172.16.130.119 -> 172.16.130.119 SIP 364 Status: 200 OK |
    6 0 172.16.130.119 -> 172.16.130.119 SIP 364 Status: 180 OK |
    7 3 172.16.130.119 -> 172.16.130.119 SIP/SDP 529 Status: 200 OK |
    8 3 172.16.130.119 -> 172.16.130.119 SIP 398 Request: ACK sip:sandeep@com:5060 |
    9 6 172.16.130.119 -> 172.16.130.119 SIP 385 Request: BYE sip:kapil@com:5060 |
    10 6 172.16.130.119 -> 172.16.130.119 SIP 346 Status: 200 OK |


    I want to drop/accept the sip traffic which are the udp packets in iptables which I am not able to do so.



    Please help me out to do so.










    share|improve this question



























      0












      0








      0








      I am new to stack exchange.
      What I am trying is:
      I am pumping traffic from one server by the following command:
      tcpreplay -i ens3 ~/daniel/sipdump.pcap from server 1



      And I am capturing the traffic in the server 2 by tcpdump -i ens3 -nn
      I want to block all SIP traffic which uses 5060 by default as source or destination.



      But the ip in the pcap is not destination ip:
      My server 2 ip is different(192.168.101.5). As I am pumping a pcap the ips are different(source and destination).



      [root@serevr1]# tshark -r outbound_incoming1.pcap

      1 0 172.16.130.119 -> 172.16.130.119 SIP/SDP 561 Request: INVITE sip:sandeep@com:5060 |
      2 0 172.16.130.119 -> 172.16.130.119 SIP 358 Status: 100 OK |
      3 0 172.16.130.119 -> 172.16.130.119 SIP 358 Status: 183 OK |
      4 0 172.16.130.119 -> 172.16.130.119 SIP 439 Request: PRACK sip:sandeep@com:5060 |
      5 0 172.16.130.119 -> 172.16.130.119 SIP 364 Status: 200 OK |
      6 0 172.16.130.119 -> 172.16.130.119 SIP 364 Status: 180 OK |
      7 3 172.16.130.119 -> 172.16.130.119 SIP/SDP 529 Status: 200 OK |
      8 3 172.16.130.119 -> 172.16.130.119 SIP 398 Request: ACK sip:sandeep@com:5060 |
      9 6 172.16.130.119 -> 172.16.130.119 SIP 385 Request: BYE sip:kapil@com:5060 |
      10 6 172.16.130.119 -> 172.16.130.119 SIP 346 Status: 200 OK |


      I want to drop/accept the sip traffic which are the udp packets in iptables which I am not able to do so.



      Please help me out to do so.










      share|improve this question
















      I am new to stack exchange.
      What I am trying is:
      I am pumping traffic from one server by the following command:
      tcpreplay -i ens3 ~/daniel/sipdump.pcap from server 1



      And I am capturing the traffic in the server 2 by tcpdump -i ens3 -nn
      I want to block all SIP traffic which uses 5060 by default as source or destination.



      But the ip in the pcap is not destination ip:
      My server 2 ip is different(192.168.101.5). As I am pumping a pcap the ips are different(source and destination).



      [root@serevr1]# tshark -r outbound_incoming1.pcap

      1 0 172.16.130.119 -> 172.16.130.119 SIP/SDP 561 Request: INVITE sip:sandeep@com:5060 |
      2 0 172.16.130.119 -> 172.16.130.119 SIP 358 Status: 100 OK |
      3 0 172.16.130.119 -> 172.16.130.119 SIP 358 Status: 183 OK |
      4 0 172.16.130.119 -> 172.16.130.119 SIP 439 Request: PRACK sip:sandeep@com:5060 |
      5 0 172.16.130.119 -> 172.16.130.119 SIP 364 Status: 200 OK |
      6 0 172.16.130.119 -> 172.16.130.119 SIP 364 Status: 180 OK |
      7 3 172.16.130.119 -> 172.16.130.119 SIP/SDP 529 Status: 200 OK |
      8 3 172.16.130.119 -> 172.16.130.119 SIP 398 Request: ACK sip:sandeep@com:5060 |
      9 6 172.16.130.119 -> 172.16.130.119 SIP 385 Request: BYE sip:kapil@com:5060 |
      10 6 172.16.130.119 -> 172.16.130.119 SIP 346 Status: 200 OK |


      I want to drop/accept the sip traffic which are the udp packets in iptables which I am not able to do so.



      Please help me out to do so.







      linux iptables tcpdump sip tcpreplay






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Jan 23 at 14:07









      Pimp Juice IT

      25k114177




      25k114177










      asked Jan 23 at 13:10









      Debiprasanna MohantyDebiprasanna Mohanty

      1




      1






















          1 Answer
          1






          active

          oldest

          votes


















          0














          Try using tcpreplay-edit to modify the destination MAC and destination IP to match your destination server. Or you can use tcprewrite (also part of Tcpreplay suite) to modify the destination MAC/IP of your PCAP file. Either way, your server will reject any traffic all other traffic (except broadcast packets).



          Note that if the target is a TCP application, simply changing the MAC and IP address is not sufficient. During TCP handshake, random sequence number are negotiated by client and server, so just pushing a PCAP file will not suffice. In those cases you may be able to use tcpliveplay, but that will require a very specially crafted PCAP file.






          share|improve this answer
























          • Changing the MAC wont help as we are doing a port mirroring and dumping the packets on mirrored port where I am sniffing/filtering all sip packets.

            – Debiprasanna Mohanty
            Jan 31 at 5:02











          • HOST A--------->SWITCH-------->HOST B

            – Debiprasanna Mohanty
            Jan 31 at 5:13











          • SWITCH-->Mirrored Port-->Sniffing application

            – Debiprasanna Mohanty
            Jan 31 at 5:15











          Your Answer








          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "3"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1397455%2fhow-to-block-a-pcap-pumped-by-tcpreplay-from-one-server-by-iptables-on-the-other%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes









          0














          Try using tcpreplay-edit to modify the destination MAC and destination IP to match your destination server. Or you can use tcprewrite (also part of Tcpreplay suite) to modify the destination MAC/IP of your PCAP file. Either way, your server will reject any traffic all other traffic (except broadcast packets).



          Note that if the target is a TCP application, simply changing the MAC and IP address is not sufficient. During TCP handshake, random sequence number are negotiated by client and server, so just pushing a PCAP file will not suffice. In those cases you may be able to use tcpliveplay, but that will require a very specially crafted PCAP file.






          share|improve this answer
























          • Changing the MAC wont help as we are doing a port mirroring and dumping the packets on mirrored port where I am sniffing/filtering all sip packets.

            – Debiprasanna Mohanty
            Jan 31 at 5:02











          • HOST A--------->SWITCH-------->HOST B

            – Debiprasanna Mohanty
            Jan 31 at 5:13











          • SWITCH-->Mirrored Port-->Sniffing application

            – Debiprasanna Mohanty
            Jan 31 at 5:15
















          0














          Try using tcpreplay-edit to modify the destination MAC and destination IP to match your destination server. Or you can use tcprewrite (also part of Tcpreplay suite) to modify the destination MAC/IP of your PCAP file. Either way, your server will reject any traffic all other traffic (except broadcast packets).



          Note that if the target is a TCP application, simply changing the MAC and IP address is not sufficient. During TCP handshake, random sequence number are negotiated by client and server, so just pushing a PCAP file will not suffice. In those cases you may be able to use tcpliveplay, but that will require a very specially crafted PCAP file.






          share|improve this answer
























          • Changing the MAC wont help as we are doing a port mirroring and dumping the packets on mirrored port where I am sniffing/filtering all sip packets.

            – Debiprasanna Mohanty
            Jan 31 at 5:02











          • HOST A--------->SWITCH-------->HOST B

            – Debiprasanna Mohanty
            Jan 31 at 5:13











          • SWITCH-->Mirrored Port-->Sniffing application

            – Debiprasanna Mohanty
            Jan 31 at 5:15














          0












          0








          0







          Try using tcpreplay-edit to modify the destination MAC and destination IP to match your destination server. Or you can use tcprewrite (also part of Tcpreplay suite) to modify the destination MAC/IP of your PCAP file. Either way, your server will reject any traffic all other traffic (except broadcast packets).



          Note that if the target is a TCP application, simply changing the MAC and IP address is not sufficient. During TCP handshake, random sequence number are negotiated by client and server, so just pushing a PCAP file will not suffice. In those cases you may be able to use tcpliveplay, but that will require a very specially crafted PCAP file.






          share|improve this answer













          Try using tcpreplay-edit to modify the destination MAC and destination IP to match your destination server. Or you can use tcprewrite (also part of Tcpreplay suite) to modify the destination MAC/IP of your PCAP file. Either way, your server will reject any traffic all other traffic (except broadcast packets).



          Note that if the target is a TCP application, simply changing the MAC and IP address is not sufficient. During TCP handshake, random sequence number are negotiated by client and server, so just pushing a PCAP file will not suffice. In those cases you may be able to use tcpliveplay, but that will require a very specially crafted PCAP file.







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered Jan 25 at 16:58









          fredkfredk

          1011




          1011













          • Changing the MAC wont help as we are doing a port mirroring and dumping the packets on mirrored port where I am sniffing/filtering all sip packets.

            – Debiprasanna Mohanty
            Jan 31 at 5:02











          • HOST A--------->SWITCH-------->HOST B

            – Debiprasanna Mohanty
            Jan 31 at 5:13











          • SWITCH-->Mirrored Port-->Sniffing application

            – Debiprasanna Mohanty
            Jan 31 at 5:15



















          • Changing the MAC wont help as we are doing a port mirroring and dumping the packets on mirrored port where I am sniffing/filtering all sip packets.

            – Debiprasanna Mohanty
            Jan 31 at 5:02











          • HOST A--------->SWITCH-------->HOST B

            – Debiprasanna Mohanty
            Jan 31 at 5:13











          • SWITCH-->Mirrored Port-->Sniffing application

            – Debiprasanna Mohanty
            Jan 31 at 5:15

















          Changing the MAC wont help as we are doing a port mirroring and dumping the packets on mirrored port where I am sniffing/filtering all sip packets.

          – Debiprasanna Mohanty
          Jan 31 at 5:02





          Changing the MAC wont help as we are doing a port mirroring and dumping the packets on mirrored port where I am sniffing/filtering all sip packets.

          – Debiprasanna Mohanty
          Jan 31 at 5:02













          HOST A--------->SWITCH-------->HOST B

          – Debiprasanna Mohanty
          Jan 31 at 5:13





          HOST A--------->SWITCH-------->HOST B

          – Debiprasanna Mohanty
          Jan 31 at 5:13













          SWITCH-->Mirrored Port-->Sniffing application

          – Debiprasanna Mohanty
          Jan 31 at 5:15





          SWITCH-->Mirrored Port-->Sniffing application

          – Debiprasanna Mohanty
          Jan 31 at 5:15


















          draft saved

          draft discarded




















































          Thanks for contributing an answer to Super User!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1397455%2fhow-to-block-a-pcap-pumped-by-tcpreplay-from-one-server-by-iptables-on-the-other%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          Popular posts from this blog

          Сан-Квентин

          8-я гвардейская общевойсковая армия

          Алькесар