Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

How to use pcap file as input instead of interface #6

Closed
moolinet opened this issue Oct 15, 2019 · 3 comments
Closed

How to use pcap file as input instead of interface #6

moolinet opened this issue Oct 15, 2019 · 3 comments
Labels
question Further information is requested

Comments

@moolinet
Copy link

Hello,

I have a tcpdump capture of erspan traffic.
I would like to pass it through gulp to decapsulte the erspan headers
and output the result back into a pcap file for further analysis with wireshark.

How can I do that?

Thanks,
@jmakov
Copy link
Owner

jmakov commented Oct 15, 2019

I believe there's a -d flag for that - " -d decapsulate Cisco ERSPAN GRE packets (sets -f value)".

@jmakov jmakov added the question Further information is requested label Oct 15, 2019
@moolinet
Copy link
Author

Yes I plan on using the -d flag to decapsulate ERSPAN (GRE) packets
but I was looking for a way to use a pcap file as source instead of eth0

for example:
instead of gulp -i eth0 -d
something like gulp -i capture.pcap -d

according to usage() I should be able to read from stdin:

cat capture.pcap | gulp -i - -d -o .
gulp:	Sending raw pcap data to a terminal is not a good idea.
	If you really want to do that, pipe gulp through cat but you
	probably want to redirect stdout to a file or another program instead.
	Perhaps you meant to pipe into 'tcpdump -r-' or 'ngrep -I-' ?

I finally got it working. requires root and when reading from stdin we need to specify file output -o

$ cat capture.pcap | sudo gulp  -d -i - -o . -n out

9857 packets captured
ring buffer use: 1.3% of 100 MB

which creates file pcap000.pcap

unfortunately the result pcap file is filled with invalid L2 frames. as if payload has been truncated.

viewing the original capture.pcap file with wireshark correctly show the GRE packets with complete payload.

passing the same file through gulp without -d results in a new pcap file with the same encapsulated packets as the source.

@jmakov
Copy link
Owner

jmakov commented Oct 16, 2019

Thanks for the more verbose description of your situation - now I understand your problem. I don't have a good answer yet how to solve your problem - it would need further investigation and funding for the project.

If that's not an option for you, what I can suggest is trying to contact one of the original authors and copy-paste your question there - he seems to be still active on his blog: https://blog.crox.net/archives/72-gulp-tcpdump-alternative-for-lossless-capture-on-Linux.html. We can then update the docs or the code with his solution here (if he doesn't decide to maintain his own project on GitHub as it's currently the case).

@jmakov jmakov closed this as completed Dec 9, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
question Further information is requested
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@jmakov @moolinet