Wireshark-users: Re: [Wireshark-users] Playing trace/capture file in tcpreplay and reading out w/

From: Netfortius <netfortius@xxxxxxxxx>
Date: Wed, 20 Sep 2006 23:03:03 -0500
On Wednesday 20 September 2006 21:53, Guy Harris wrote:
> Netfortius wrote:
> > On a MacOSX, using the latest (0.99.3a) version of wireshark, I am
> > attempting to run in one terminal a:
> >
> > $sudo tcpreplay -i lo0 capture-file.cap (or even -R to speed up the
> > process)
> >
> > while in a wireshark *session* reading out of the same lo0 (local
> > interface on a MacOSX), but I am getting for all traffic IP header length
> > = 0 (should be at least 20), thus nothing interpreted.
> >
> > The capture-file.cap was previously obtained via a wireshark capture
> > session of a real TCP session, produced with *against* a real network
> > interface (en0 in the case of this specific MacOSX system I am working
> > with).
>
> Does tcpreplay support reading from a capture file on an Ethernet
> interface (with a link-layer type of DLT_EN10MB) and sending it on a BSD
> loopback interface (with a link-layer type of DLT_NULL)?
>
> If not, that's the problem.

You're probably right - I do remember having been able to do something similar 
on Linux (not with wireshark - but originating in tcpreplay - which defintely 
points the problem to this one), so it is probably a kernel modification 
and/or libnet problem with the BSD *under* MacOSX' hood ... :(

Thanks a bunch,
Stefan