Error on importing pcap files


mois...@gmail.com

Apr 28, 2017, 7:40:36 AM
to ostinato
Hi,

I'm new to using Ostinato and want to import some pcap files in order to replay them, but I want to use Ostinato instead of another software (tcpreplay,...) as I would like to be able to craft some packets as well. However, I get some errors when doing so:
_ timestamps are not respected, and not even metrics
_ when there is an IPv4 frame, the fields IP version and header length are not the same: I get x04 whereas it is x45 in Wireshark. And this error looks automatic: it is present on most of the streams created after imports.

May I have some help? Thanks.

D.

Srivats P

Apr 28, 2017, 11:21:55 AM
to mois...@gmail.com, ostinato
> _ timestamps are not respected, and not even metrics

Yes, I think timestamps may be a problem. I wrote this code a very long time back and vaguely recall there was a problem with respecting timestamps. I will suggest you raise an issue for this on GitHub and I will try to read/review the code when I get some time. Which other "metrics" are you referring to?

> _ when there is an IPv4 frame, the fields IP version and header length are not the same: I get x04 whereas it is x45 in Wireshark. And this error looks automatic: it is present on most of the streams created after imports.

That shouldn't happen definitely. Can you post a PCAP containing just a single packet which exhibits that problem on import?

btw what version of Ostinato are you running?

Srivats
 

mois...@gmail.com

May 2, 2017, 3:16:37 AM
to ostinato, mois...@gmail.com
Hello,

Here is what you asked for:
- pcap file with a single packet (testErrImport.pcap)
- screen capture of the diff shown by Ostinato on import (DiffOnImport.png)
- The Wireshark captures (Captures.png): on left: the actual file and packet, on right: the packet as received on the other computer.

For information (maybe it will help you?), I am running Ostinato 0.8 on a VM and the receiver on another VM (both Ubuntu 16.04). The packet is from an internet pcap file, so the IPs are not the actual IPs of my machines. I parameterized the receiver as the sender's gateway so that I should receive all the traffic. Moreover, sometimes some packets are not even received; I wonder if this is a consequence of the IP version/header length problem.

Thanks in advance.

D.
Captures.png
DiffOnImport.png
testErrImport.pcap

Srivats P

May 2, 2017, 9:29:13 AM
to mois...@gmail.com, ostinato
I'm able to import the pcap file correctly. 

I believe the problem is likely because of Wireshark/Tshark version being different. 

1. Let me know the wireshark/tshark version you have -

tshark -v

2. Run the following command on the test PCAP file, redirect output to a file and attach here for analysis -

tshark -r testErrImport.pcap -otcp.desegment_tcp_streams:FALSE -Tpdml

Srivats


--
Get Ostinato News and Updates on Twitter - Follow @ostinato (http://twitter.com/ostinato)
---
You received this message because you are subscribed to the Google Groups "ostinato" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ostinato+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.




mois...@gmail.com

May 2, 2017, 11:34:42 AM
to ostinato, mois...@gmail.com

Concerning Wireshark/tshark versions, I've just upgraded it to v2.2.6 but I'm still getting the error.
The file with the output of the command is enclosed.

Thanks in advance.
CmdReply.txt

Srivats P

May 2, 2017, 12:16:13 PM
to mois...@gmail.com, ostinato
Thank you for the command output. Based on that I can confirm that
this is due to wireshark version difference.

In the version you are using, tshark XML output has -

<field name="ip.version" showname="0100 .... = Version: 4" size="1" pos="14" show="4" value="4" unmaskedvalue="45"/>
<field name="ip.hdr_len" showname=".... 0101 = Header Length: 20 bytes (5)" size="1" pos="14" show="20" value="45"/>

In the version that I am using - 1.10.4 (admittedly an old version),
the XML is -

<field name="ip.version" showname="Version: 4" size="1" pos="14" show="4" value="45"/>
<field name="ip.hdr_len" showname="Header length: 20 bytes" size="1" pos="14" show="20" value="45"/>

Ostinato uses the "value" attribute of the "ip.version" field to
populate the first byte of the IP header. Since this seems to have
changed with 2.x, we now see this bug in Ostinato.

Please file a bug on GitHub to have this fixed - may need some time to
figure out the best way to fix this in a backward compatible fashion.

Till then as a workaround you can install an old 1.x version of tshark
and in Ostinato Preferences, set the tshark path to point to that.

Thanks,
Srivats
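
Added example, not part of the thread and not Ostinato's code: a PDML reader run over the two XML fragments quoted in the message above, showing how trusting "value" alone yields x04 on the 2.x output and how preferring "unmaskedvalue" recovers x45 on both. The function names and the <proto> wrapper are assumptions made for this sketch.

```python
import xml.etree.ElementTree as ET

# The two PDML fragments quoted in the message above. The <proto> wrapper is
# constructed here so that each fragment parses on its own.
PDML_TSHARK_2X = """<proto name="ip">
<field name="ip.version" showname="0100 .... = Version: 4" size="1" pos="14" show="4" value="4" unmaskedvalue="45"/>
<field name="ip.hdr_len" showname=".... 0101 = Header Length: 20 bytes (5)" size="1" pos="14" show="20" value="45"/>
</proto>"""

PDML_TSHARK_1X = """<proto name="ip">
<field name="ip.version" showname="Version: 4" size="1" pos="14" show="4" value="45"/>
<field name="ip.hdr_len" showname="Header length: 20 bytes" size="1" pos="14" show="20" value="45"/>
</proto>"""


def naive_field_bytes(field):
    """Hypothetical reader that trusts 'value' alone, padded to 'size' bytes."""
    size = int(field.get("size"))
    return bytes.fromhex(field.get("value").zfill(2 * size))


def raw_field_bytes(field):
    """Return the on-the-wire bytes a PDML <field> covers.

    Prefers 'unmaskedvalue' (present on the bitfield in the 2.x output above)
    and falls back to 'value'. Hex that does not fill 'size' bytes is rejected
    instead of being padded, so a masked value cannot pass as a raw byte.
    """
    size = int(field.get("size"))
    hexstr = field.get("unmaskedvalue") or field.get("value")
    if hexstr is None or len(hexstr) != 2 * size:
        raise ValueError(f"{field.get('name')}: no {size}-byte raw value")
    return bytes.fromhex(hexstr)


def first_ip_byte(pdml, reader):
    """Parse a PDML fragment and return the first IP header byte via reader."""
    root = ET.fromstring(pdml)
    field = root.find("./field[@name='ip.version']")
    return reader(field)[0]


if __name__ == "__main__":
    for label, pdml in (("1.x", PDML_TSHARK_1X), ("2.x", PDML_TSHARK_2X)):
        naive = first_ip_byte(pdml, naive_field_bytes)
        raw = first_ip_byte(pdml, raw_field_bytes)
        print(f"tshark {label}: naive=0x{naive:02x} raw=0x{raw:02x}")
```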

mois...@gmail.com

May 3, 2017, 8:25:17 AM
to ostinato, mois...@gmail.com
Downloaded v1.10.6
It works.

Thanks a lot.