Tcpreplay does not work for sniffing interface


Abdulvehhab Agin

Aug 25, 2016, 2:53:46 AM
to security-onion
Hi,

I installed the latest SO, with a server and a sensor.

The sensor has a management interface (eth0) and two sniffing interfaces (eth1, eth2).

When I want to run
tcpreplay -ieth1 -M10 /opt/samples/*

it throws an error: Invalid interface name/alias eth1

but "ifconfig -a" shows there are eth0, eth1, eth2


Thanks

Wes

Aug 25, 2016, 6:25:03 AM
to security-onion

Have you tried running it with "sudo"?

Ex. sudo tcpreplay -ieth1 -M10 /opt/samples/*

Thanks,
Wes

Abdulvehhab Agin

Aug 25, 2016, 8:17:01 AM
to security-onion
Yes, I tried, but it is not working.

When I type in bash:

$ ipconfig : it gives

eth0      Link encap:Ethernet HWaddr XX:XX:XX:XX:XX:XX
          inet addr:192.168.66.133 Bcast:192.168.66.255 Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe74:2ed2/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:90 errors:0 dropped:0 overruns:0 frame:0
          TX packets:253 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:21983 (21.9 KB) TX bytes:30701 (30.7 KB)
          Interrupt:19 Base address:0x2000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1 Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING MTU:65536 Metric:1
          RX packets:43 errors:0 dropped:0 overruns:0 frame:0
          TX packets:43 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:6143 (6.1 KB) TX bytes:6143 (6.1 KB)



--------------------------------


$ ifconfig -a -> gives
eth0      Link encap:Ethernet HWaddr XX:XX:XX:XX:XX:XX
          inet addr:192.168.66.133 Bcast:192.168.66.255 Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe74:2ed2/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:166 errors:0 dropped:0 overruns:0 frame:0
          TX packets:337 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:40531 (40.5 KB) TX bytes:44351 (44.3 KB)
          Interrupt:19 Base address:0x2000

eth1      Link encap:Ethernet HWaddr XX:XX:XX:XX:XX:XX
          BROADCAST PROMISC MULTICAST MTU:1500 Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
          Interrupt:19 Base address:0x2080

eth2      Link encap:Ethernet HWaddr XX:XX:XX:XX:XX:XX
          BROADCAST PROMISC MULTICAST MTU:1500 Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
          Interrupt:16 Base address:0x2400

lo        Link encap:Local Loopback
          inet addr:127.0.0.1 Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING MTU:65536 Metric:1
          RX packets:92 errors:0 dropped:0 overruns:0 frame:0
          TX packets:92 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:13621 (13.6 KB) TX bytes:13621 (13.6 KB)

********************************************************************


When I tried:

sudo tcpreplay -ieth0 -M10 /opt/samples/*

there was no problem, but


when I tried:

sudo tcpreplay -ieth1 -M10 /opt/samples/* OR
sudo tcpreplay -ieth2 -M10 /opt/samples/*

Fatal Error in tcpreplay.c:post_args() line 455:
Invalid interface name/alias: eth1






Abdulvehhab Agin

Aug 25, 2016, 9:31:12 AM
to security-onion
I solved the problem:

VMware blocked promiscuous mode by default.

When I change:

/etc/init.d/vmware

vmwareStartVmnet() {
    vmwareLoadModule $vnet
    "$BINDIR"/vmware-networks --start >> $VNETLIB_LOG 2>&1
    chmod a+rw /dev/vmnet*
}


It allows promiscuous mode:
http://xmodulo.com/how-to-use-virtual-ethernet-adapters-in-promiscuous-mode-on-vmware.html

And I will bring up eth1 and eth2 via

ifconfig eth1 up
ifconfig eth2 up

tcpreplay is working


Thanks
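
Added example, not part of the original thread: in the posted "ifconfig -a" output eth1 and eth2 carry PROMISC but not UP, and replay worked once they were brought up, so the sketch below checks that state before tcpreplay is started. It reads the Linux sysfs file /sys/class/net/<iface>/flags; the names iface_state, preflight and SYSFS_NET are hypothetical.

```shell
#!/bin/sh
# Pre-flight check for replaying pcaps onto sniffing interfaces (added example).
# SYSFS_NET (hypothetical override) lets the check run against a constructed tree.
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"

# Interface flag bits from <linux/if.h>
IFF_UP=1          # 0x1: administratively up (set by "ifconfig ethX up")
IFF_PROMISC=256   # 0x100: promiscuous mode enabled

# iface_state IFACE
# Prints "missing", "down", "up" or "up,promisc".
# Returns 0 only when the interface exists and has IFF_UP set.
iface_state() {
    _flags_file="$SYSFS_NET/$1/flags"
    if [ ! -r "$_flags_file" ]; then
        echo "missing"
        return 2
    fi
    _flags=$(cat "$_flags_file")      # hex string, e.g. 0x1102
    if [ $(( $_flags & $IFF_UP )) -eq 0 ]; then
        echo "down"
        return 1
    fi
    if [ $(( $_flags & $IFF_PROMISC )) -ne 0 ]; then
        echo "up,promisc"
    else
        echo "up"
    fi
    return 0
}

# preflight IFACE...
# Reports every interface; returns non-zero if any is missing or not UP.
preflight() {
    _rc=0
    for _if in "$@"; do
        _state=$(iface_state "$_if") || _rc=1
        case "$_state" in
            missing) echo "$_if: no such interface" ;;
            down)    echo "$_if: present but not UP; run: sudo ifconfig $_if up" ;;
            *)       echo "$_if: $_state" ;;
        esac
    done
    return "$_rc"
}

# Run with interface names as arguments to gate a replay, e.g. "sh check.sh eth1 eth2".
if [ "$#" -gt 0 ]; then
    preflight "$@" || exit 1
fi
```
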
