Wireshark-users: Re: [Wireshark-users] Playing trace/capture file in tcpreplay and reading out w/

From: Netfortius <netfortius@xxxxxxxxx>
Date: Sat, 23 Sep 2006 10:57:02 -0500
On Friday 22 September 2006 09:33, Richard Bejtlich wrote:
> Netfortius wrote:
> > You're probably right - I do remember having been able to do something
> > similar on Linux
>
> Linux's loopback device has a link-layer type of Ethernet; the BSD one
> doesn't.
>
> > (not with wireshark
>
> There's nothing Wireshark-specific about this; you'd probably see the
> same problem if you used tcpdump rather than Wireshark.
>
> >  - but originating in tcpreplay - which definitely
> > points the problem to this one), so it is probably a kernel modification
> > and/or libnet problem with the BSD *under* MacOSX' hood ... :(
>
> What you need is a version of tcpreplay that will at least try to
> translate Ethernet packet headers to BSD loopback packet headers; you're
> unlikely ever to see a version of OS X (or any other BSD) with loopback
> devices using a link-layer type other than BPF_NULL or BPF_LOOP.
>
> You can use tap0 on FreeBSD to get loopback-like functionality.
>
> http://taosecurity.blogspot.com/2006/09/using-tap0-with-tcpreplay.html
>
> Sincerely,
>
> Richard

Thanks to Richard I got a direction to follow. As my question pertained to 
MacOSX - which does not provide a tap0 by default - I had to resort to:

http://www-user.rhrk.uni-kl.de/~nissler/tuntap/

The problem is that my initial attempts have not been fully successful, but 
this is a matter way off-topic for the wireshark mailing list. I wanted to 
provide the link above just for completeness and closure of this thread.

Thanks again to both Guy and Richard for their help.

Stefan
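
The header translation described in the quoted reply, as an added example that is not part of the original thread and is not tcpreplay code: it rewrites an Ethernet capture file so each IPv4 packet carries the 4-byte address-family header used on BSD loopback devices (libpcap's DLT_NULL). The function names and the sample capture are constructed for illustration; it assumes a classic pcap file, IPv4 only, and that the family field uses the same byte order as the file.

```python
import struct

DLT_NULL, DLT_EN10MB = 0, 1   # libpcap link-layer type values
ETH_HLEN, ETHERTYPE_IPV4 = 14, 0x0800
AF_INET = 2                   # IPv4 family value on Linux, the BSDs and Mac OS X

def ethernet_to_null(pcap: bytes):
    """Rewrite a classic pcap from Ethernet to DLT_NULL framing (hypothetical helper).

    Returns (new_pcap, skipped); skipped counts dropped non-IPv4 or short frames."""
    magic = pcap[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        e = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        e = ">"
    else:
        raise ValueError("not a classic microsecond-resolution pcap file")
    vmaj, vmin, zone, sigfigs, snaplen, linktype = struct.unpack_from(e + "HHiIII", pcap, 4)
    if linktype != DLT_EN10MB:
        raise ValueError("input capture is not Ethernet")
    out = [magic + struct.pack(e + "HHiIII", vmaj, vmin, zone, sigfigs, snaplen, DLT_NULL)]
    off, skipped = 24, 0
    while off + 16 <= len(pcap):
        sec, usec, caplen, origlen = struct.unpack_from(e + "IIII", pcap, off)
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < ETH_HLEN or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
            skipped += 1      # ARP, IPv6, VLAN-tagged or truncated: not translated here
            continue
        # DLT_NULL header: 4-byte address family in the capturing host's byte
        # order. Assumption: that matches the byte order of the pcap file.
        body = struct.pack(e + "I", AF_INET) + frame[ETH_HLEN:]
        out.append(struct.pack(e + "IIII", sec, usec, len(body),
                               origlen - ETH_HLEN + 4) + body)
    return b"".join(out), skipped

def sample_pcap() -> bytes:
    """Constructed input: one IPv4-in-Ethernet frame followed by one ARP frame."""
    macs = bytes(12)                       # zeroed dst/src MACs
    frames = [macs + b"\x08\x00" + b"\x45" + bytes(19),   # bare 20-byte IPv4 header
              macs + b"\x08\x06" + bytes(28)]             # ARP, gets skipped
    pcap = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_EN10MB)
    for f in frames:
        pcap += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return pcap

if __name__ == "__main__":
    converted, skipped = ethernet_to_null(sample_pcap())
    print(len(converted), "bytes written,", skipped, "frame(s) skipped")
```

Frames that are not plain IPv4 are dropped rather than guessed at, so check the skipped count before relying on the converted file.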