How to tunnel multicast traffic

multicastnetcattcpdumptcpreplay

I am trying to receive multicast on 1 machine, forward it to another machine, and then replay it on that machine.

test_env: the machine which has access to the original multicast stream
mcast_sender: the machine which I'm trying to forward the multicast to and re-multicast from

What I've tried so far:

Combining tcpdump, netcat and tcpreplay I've attempted the following:

on test_env:

I have a python script which performs an IGMP join and just sits there forever, reading from the socket and discarding the data (just keeping the socket open)

$ ./mcast_sub INADDR_ANY 239.194.5.1 21001 &

Now the interface in question will be receiving multicast data, so I can run a tcp_dump:

$ sudo tcpdump -i eth5 host 239.194.5.1 > /tmp/capture.pcap

I can now run tail on the pcap file, and pipe it to netcat

$ tail -f /tmp/capture.pcap -n+1 | nc -l 12345

on mcast_sender:

On mcast_sender I can then receive this data from the netcat port, and dump it to a local file there:

$ nc test_env 12345 > /tmp/capture.pcap

Using tcpreplay I can then read the capture file on mcast_sender and replay it

$ sudo tcpreplay --intf1=eth8 /tmp/capture.pcap

My problem:

The tcpdump – netcat pipeline seems to be working. I've verified that I am writing a file on mcast_sender.

However, when I attempt to run tcpreplay on it, I get an error:

$ sudo tcpreplay --intf1=eth8 /tmp/capture.pcap
Failed: Error opening pcap file: unknown file format

Questions:

Is it possible to do what I'm trying here?
Why is the file written on mcast_sender invalid?
Is there a better way to achieve what I'm trying to do here?

Best Answer

This isn't working because you need to set tcpdump's stdout to be line buffered

From man tcpdump:

-l     Make stdout line buffered.  
         Useful if you want to see the data while capturing it.  

       E.g.
            tcpdump -l | tee dat 
            tcpdump -l > dat & tail -f dat

You can also do away with the intermediate file and netcat by piping the output of tcpdump directly into tcpreplay.

This is achieved by running the tcpdump over an ssh session, dumping the output to stdout, and piping that to stdin of tcpreplay:

Run a command over an ssh session:

$ ssh remote_server "command"

Run tcpdump and output to stdout, line buffered:

$ sudo tcpdump ... -l -w -

Run tcpreplay reading from stdin:

$ sudo tcpreplay ... -

Putting it all together:

$ ssh test_env "sudo tcpdump -i eth5 host 239.194.5.1 -l -w -" | 
    sudo tcpreplay --intf1=eth8 -

Related Solutions

Tcpreplaying using VMware

I haven't tried this in VMware Workstation lately, but typically this is a result of one of the following:

The VM you are trying to capture from isn't putting the NIC in promiscuous mode, so can't see packets that aren't destined for it. You can solve this by either running tcpdump as root in the VM or by changing your tcpreplay to use the MAC address of the VM as the destination for the packets it is sending (tcpreplay comes with tcprewrite, which makes this sort of change easy). Alternately, you could make the dest MAC address of the packets being replayed the broadcast address, ff:ff:ff:ff:ff:ff (WARNING: VERY DANGEROUS. Unless you really understand what you are doing, I recommend unplugging from the physical network before doing this).
The host isn't allowing the VM to put the interface into promiscuous mode. I'm not sure how to adjust this in VMware Workstation, but in ESX[i] there is an option on the vSwitch for "Allow Promiscuous Mode". You could also work around this by changing the destination MAC address of the tcpreplay stream as mentioned in 1.
The permissions on the vmnet in the host aren't correct to allow promiscuous mode to work (assuming you are using Linux as the host OS). There are a bunch of VMware KB articles on this, and solving it is inconsistent at best. You might be able to do it by chmodding the /dev/vmnetX interface to 777, but you are probably better off just making your replay traffic destined for the MAC of the VM if one of the other answers doesn't solve it first.

Good luck,

--jed

Tcpdump How to use it to capture all traffic headers

My best bet would be to use something like:

 tcpdump -ieth0 -s96 -w traffic.dump 'ip or icmp or tcp or udp'

Where the "tricky" part will be to chose a correct value for the "-s" (snaplen) parameter (snaplen is the maximum length of the packet tcpdump will capture).

From the tcpdump man pages:

Snarf snaplen bytes of data from each packet rather than the default of 68 (with NIT, the minimum is actually 96). 68 bytes is adequate for IP, ICMP, TCP and UDP but may truncate protocol information from name server and NFS packets (see below). Packets truncated because of a limited snapshot are indicated in the output with ``[|proto]'', where proto is the name of the protocol level at which the truncation has occurred. Note that taking larger snapshots both increases the amount of time it takes to process packets and, effectively, decreases the amount of packet buffering. This may cause packets to be lost. You should limit snaplen to the smallest number that will capture the protocol information you're interested in.

In this example i'm using 96 to be "almost" sure that I would capture 100% of ethernet+ip+(icmp || udp || tcp) header values.

In case your traffic have IP or TCP options (i.e. timestamps) and you want to also capture this info, then you will have to play with the snaplen parameter (i.e. increase/decrease it).

In case the length of the headers of your packet is less than snaplen, you may also capture part of the payload.

Finally, to read the traffic captured, I would use something like:

tcpdump -e -nn -vv -r traffic.dump

Where the important part is to use the "-e" option so you can get the ethernet headers printed.

This page gives you an idea about the size of the ethernet/tcp/udp headers under different circumstances and may help you to arrive to a "correct" value for the snaplen parameter.