[Click] tcpdump file link type header format - in detail

Beyers Cronje bcronje at gmail.com
Mon Jun 25 04:49:22 EDT 2012


Hi,

You need to give the offset of where the IP header starts. You also can't
just assume that all packets are indeed IP or TCP. So I would suggest
something along the lines of the following example (note this example is for
Ethernet; change it to your layer 2 protocol specs accordingly):

FromDump(dump.pcap) -> Classifier(12/0800) -> MarkIPHeader(14) ->
IPClassifier(tcp) ->  CheckTCPHeader -> your other elements

Beyers
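As an added example (not code from this thread or from Click itself), the same chain, Classifier(12/0800) -> MarkIPHeader(14) -> IPClassifier(tcp) -> CheckTCPHeader, re-done in Python over an EN10MB pcap, so that each rejection maps onto the drop reasons CheckTCPHeader reports. The capture is constructed inline (zeroed MACs, private addresses); the "raw IP for any other linktype" rule is a simplification of this example, not Click's behaviour.

```python
# Added example, not code from this thread or from Click: the chain
# Classifier(12/0800) -> MarkIPHeader(14) -> IPClassifier(tcp) -> CheckTCPHeader
# re-done over an EN10MB pcap so each rejection maps to a Click drop reason.
import struct
from collections import Counter
LINKTYPE_ETHERNET = 1

def pcap_frames(data):
    """Yield (linktype, frame) from a little-endian pcap blob."""
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", data[:24])
    assert magic == 0xA1B2C3D4, "not a tcpdump/pcap file"
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack("<I", data[off + 8:off + 12])[0]
        yield linktype, data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def classify(frame, linktype):
    ip_off = 0                  # simplification: any other linktype is raw IP
    if linktype == LINKTYPE_ETHERNET:                 # Classifier(12/0800)
        if len(frame) < 14 or frame[12:14] != b"\x08\x00":
            return "not ip"
        ip_off = 14                                   # MarkIPHeader(14)
    ip = frame[ip_off:]
    if len(ip) < 20 or ip[0] >> 4 != 4 or (ip[0] & 0xF) < 5:
        return "bad ip header"                        # CheckIPHeader drop
    ihl, tot = (ip[0] & 0xF) * 4, struct.unpack("!H", ip[2:4])[0]
    if tot < ihl or len(ip) < tot:
        return "bad ip header"
    if ip[9] != 6:                                    # IPClassifier(tcp)
        return "not tcp"
    tcp = ip[ihl:tot]                                 # CheckTCPHeader
    if len(tcp) < 20 or (tcp[12] >> 4) < 5 or (tcp[12] >> 4) * 4 > len(tcp):
        return "bad packet length"
    return "tcp"

def summarize(pcap):  # same tallies as ctcp.drop_details in the thread
    return Counter(classify(f, lt) for lt, f in pcap_frames(pcap))

# Constructed capture: zeroed MACs, private addresses, four synthetic frames.
def ipv4(proto, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + payload
TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 2, 8192, 0, 0)
FRAMES = [b"\0" * 12 + b"\x08\x00" + ipv4(6, TCP_SYN),       # tcp
          b"\0" * 12 + b"\x08\x06" + b"\0" * 28,             # ARP -> not ip
          b"\0" * 12 + b"\x08\x00" + ipv4(17, b"\0" * 8),    # UDP -> not tcp
          b"\0" * 12 + b"\x08\x00" + ipv4(6, TCP_SYN[:12])]  # cut -> bad packet length
PCAP = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
        + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in FRAMES))
```

Calling classify(frame, 101) on one of these Ethernet frames, i.e. treating the EN10MB dump as if it were raw IP (LINKTYPE_RAW), parses the MAC addresses as the IP header and rejects every packet, which is the "Bad Ip header" outcome described further down the thread.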

On Sun, Jun 24, 2012 at 10:11 PM, Vaithiyanathan Sundaram <s.vaithiyanathan at knights.ucf.edu> wrote:

> Thank you so much for your response Beyers.
>
> This is what I did:
>
> 1. TCPDUMP capture commands I tried so far: (I am running linux in Virtual
> Box). I tried the same in standalone linux too.
> tcpdump -i p2p1 -w final.dump
> tcpdump -i p2p1 -f tcp -w final.dump
> tcpdump -i p2p1 ip -w final.dump
> tcpdump -i p2p1 tcp -w final.dump
> tcpdump -i p2p1 -A -w final.dump
> tcpdump -i p2p1 -x -A -w final.dump
> tcpdump -i p2p1 -x -A -nn -vvv -w final.dump
> All the commands produced different dumps indeed.
>
> 2. My different versions of the .click config files
> FromDump(/home/Vaidsu/ClickGUD/click-2.0.1/click-tutorial1/gud.dump, STOP
> true)
> -> cip  :: MarkIPHeader
> -> ctcp :: CheckTCPHeader(DETAILS true)
> -> Discard
> DriverManager(pause, print >>details.drops ctcp.drops,
>                print >>details.drops ctcp.drop_details)
> I used MarkIPHeader, CheckIPHeader and even Align(2/4/8,0) offset.
> I also tried to use FromDump -> ToDump to convert from EN10MB trace to RAW
> IP trace.
>
> 3. In addition to all these I tried to generate the same dump files in
> tshark, even WinDump and tried using it here. Also tried converting pcap
> wireshark dump and using it.
>
> 4. I tried FromTcpdump too.
>
> The errors I got so far:
> 1. Bad Ip header
> 2. warning: first line suspicious; is this a tcpdump output file?
> 3. packet parse error - while using FromTcpdump
> 4. Importantly when I get no error, I found that the details.drops
> reported that all packets are not TCP. I bet there are lots of TCP flows in
> the trace. Wireshark could detect it.
> 9420
> 9420    not TCP
> 0       bad packet length
> 0       bad TCP checksum
>
> Sorry for the long mail. wanted to completely explain my attempts to get
> your help. I am stuck here.
> 1. Do I need to create a file that capture RAW IP by avoiding link level
> headers? Or
> 2. Do I need to create my own parser to parse the dump files?
>
> Thanks in advance.
>
>
> ________________________________________
> From: click-bounces at pdos.csail.mit.edu [click-bounces at pdos.csail.mit.edu]
> on behalf of click-request at pdos.csail.mit.edu [
> click-request at pdos.csail.mit.edu]
> Sent: Sunday, June 24, 2012 12:00 PM
> To: click at pdos.csail.mit.edu
> Subject: click Digest, Vol 108, Issue 9
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sat, 23 Jun 2012 19:44:53 +0000
> From: Vaithiyanathan Sundaram <s.vaithiyanathan at knights.ucf.edu>
> Subject: [Click] tcpdump file link type header format
> To: "click at amsterdam.lcs.mit.edu" <click at pdos.csail.mit.edu>
> Message-ID: <2F4314DB472A5B4387DBE195EF7F79F4500AFD at BY2PRD0710MB365.namprd07.prod.outlook.com>
>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hello,
>
> My first requirement is to generate TCP traffic with respect to the input
> in the form of tcpdump.
> I tried using
> FromDump(...)
> -> CheckTCPHeader
> -> My parser
> -> TCPIPSend (according to the parser).
>
> I am working on a shared buffer research. I need a tcp traffic generator
> as per the dump. My only problem is the tcpdump type. I could only collect
> a TCP dump with EN01B (ethernet) link type header. I think click elements
> requires RAW IP header format. How do I generate that? Is there any other
> way.
>
> Please help. Thanks a lot.
>
> Vaithiyanathan
> Mailing list: s.vaithiyanathan at knights.ucf.edu
>
>
> ------------------------------
>
> Message: 2
> Date: Sat, 23 Jun 2012 22:46:28 +0200
> From: Beyers Cronje <bcronje at gmail.com>
> Subject: Re: [Click] tcpdump file link type header format
> To: "click at amsterdam.lcs.mit.edu" <click at pdos.csail.mit.edu>
> Message-ID: <CAOO3n8WgdAE36QSv9R=74Fhx69sWcZT-_MPfZFiSTFo=OGRjig at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Have you actually tried running FromDump with that capture file? What error
> are you getting?
>
> Note you should include a MarkIPHeader or CheckIPHeader element before
> CheckTCPHeader as it requires the IP header annotation to be set already.
>
> Beyers
>