Tags: ethernet, pcap, tcpdump, tcpreplay

tcpdump of tcpreplay output does not match input


I am having an issue in which on certain machines the number of bytes that tcpdump reports tcpreplay has output does not match tcpreplay's input.

Specifically, tcpdump always reports 14 bytes more than the pcap given to tcpreplay.

To replicate, I've created a simple packet in scapy using the commands:

    from scapy.all import Ether, IP, TCP, Raw, wrpcap
    packet = Ether()/IP(dst='1.2.3.4')/TCP()/Raw(load='S:' + ('-' * 64) + ':E')
    wrpcap("tcp.pcap", packet)

I set up virtual interfaces with:

    ip link add front1 type veth peer name back1
    ifconfig back1 up
    ifconfig front1 up

Monitor the input to the interface with:

    sudo tcpdump -XX -Q out -i front1

Then send the generated packet with:

    sudo tcpreplay -i front1 tcp.pcap

The tcpdump monitor produces:

    0x0000:  d4ae 52c1 2005 2c59 e547 2ca4 0800 4500  ..R...,Y.G,...E.
    0x0010:  006c 0001 0000 4006 d31c 9e82 04e7 0102  .l....@.........
    0x0020:  0304 0014 0050 0000 0000 0000 0000 5002  .....P........P.
    0x0030:  2000 b4a6 0000 533a 2d2d 2d2d 2d2d 2d2d  ......S:--------
    0x0040:  2d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d2d  ----------------
    0x0050:  2d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d2d  ----------------
    0x0060:  2d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d2d  ----------------
    0x0070:  2d2d 2d2d 2d2d 2d2d 3a45 0000 0000 5400  --------:E....T.
    0x0080:  0000 0000 0000 0000                      ........

Whereas a tcpdump of the original file produces:

    0x0000:  d4ae 52c1 2005 2c59 e547 2ca4 0800 4500  ..R...,Y.G,...E.
    0x0010:  006c 0001 0000 4006 d31c 9e82 04e7 0102  .l....@.........
    0x0020:  0304 0014 0050 0000 0000 0000 0000 5002  .....P........P.
    0x0030:  2000 b4a6 0000 533a 2d2d 2d2d 2d2d 2d2d  ......S:--------
    0x0040:  2d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d2d  ----------------
    0x0050:  2d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d2d  ----------------
    0x0060:  2d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d2d  ----------------
    0x0070:  2d2d 2d2d 2d2d 2d2d 3a45                 --------:E

That is, the monitor produces content identical to the file with 14 extra bytes appended.

This appears to be happening regardless of the size of the input.

I've verified that this problem does not occur on other machines, but cannot identify the settings that cause it to occur.

Some version information:

    $ tcpreplay -V
    tcpreplay version: 3.4.4 (build 2450) (debug)
    Copyright 2000-2010 by Aaron Turner <aturner at synfin dot net>
    Cache file supported: 04
    Not compiled with libdnet.
    Compiled against libpcap: 1.7.4
    64 bit packet counters: enabled
    Verbose printing via tcpdump: enabled
    Packet editing: disabled
    Fragroute engine: disabled
    Injection method: PF_PACKET send()

    $ tcpdump --version
    tcpdump version 4.9.2
    libpcap version 1.7.4
    OpenSSL 1.0.2g  1 Mar 2016

Running on Ubuntu 16.04.5
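The comparison described in the question (capture the replayed frames, then check them against the input pcap) can be done without eyeballing hexdumps. The script below is an added example, not code from the question or the answer: it is a stdlib-only pcap parser plus a per-frame diff that reports how many bytes were appended (or whether the content itself changed) and the frame counts on both sides. The sample frame and the 14-byte tail are rebuilt inline from the hexdumps in the question; the file names tcp.pcap and captured.pcap and the tcpdump -w capture step are assumptions about how one would gather the input.

```python
"""Compare the frames tcpreplay sent with what tcpdump captured.

Assumed usage (file names are not from the original page):
    sudo tcpdump -Q out -i front1 -w captured.pcap &
    sudo tcpreplay -i front1 tcp.pcap
    python3 pcapdiff.py tcp.pcap captured.pcap
Run with no arguments to replay the question's case from constructed sample data.
"""
import struct
import sys

PCAP_MAGIC_USEC = 0xa1b2c3d4
PCAP_MAGIC_NSEC = 0xa1b23c4d
LINKTYPE_ETHERNET = 1


def build_pcap(frames, linktype=LINKTYPE_ETHERNET):
    """Write a minimal little-endian libpcap file; used to construct sample input offline."""
    data = struct.pack('<IHHiIII', PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, linktype)
    for i, frame in enumerate(frames):
        # record header: ts_sec, ts_usec, incl_len, orig_len
        data += struct.pack('<IIII', i, 0, len(frame), len(frame)) + frame
    return data


def read_pcap(data):
    """Parse a classic libpcap file in either byte order and return the list of raw frames."""
    magic = struct.unpack('<I', data[:4])[0]
    if magic in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
        end = '<'
    elif magic in (0xd4c3b2a1, 0x4d3cb2a1):  # the same two magics seen byte-swapped
        end = '>'
    else:
        raise ValueError('not a libpcap file (magic 0x%08x)' % magic)
    frames, off = [], 24
    while off + 16 <= len(data):
        _sec, _frac, incl_len, _orig_len = struct.unpack(end + 'IIII', data[off:off + 16])
        off += 16
        frames.append(data[off:off + incl_len])
        off += incl_len
    return frames


def compare_frames(sent, captured):
    """Pair frames by position and report (index, sent_len, captured_len, extra_tail).

    extra_tail is whatever the capture holds beyond the sent frame (b'' when identical);
    None marks a frame whose shared prefix differs, i.e. a real content change."""
    results = []
    for i, (s, c) in enumerate(zip(sent, captured)):
        n = min(len(s), len(c))
        if s[:n] != c[:n]:
            results.append((i, len(s), len(c), None))
        else:
            results.append((i, len(s), len(c), c[len(s):]))
    return results


def diff_pcaps(sent_pcap, captured_pcap):
    """Compare two pcap files given as bytes; frame counts are included so drops show up."""
    sent, captured = read_pcap(sent_pcap), read_pcap(captured_pcap)
    return {'sent': len(sent), 'captured': len(captured),
            'frames': compare_frames(sent, captured)}


# Sample frame rebuilt from the hexdump in the question: Ethernet + IPv4 + TCP + 68-byte payload.
ETH_HDR = bytes.fromhex('d4ae52c120052c59e5472ca40800')
IP_HDR = bytes.fromhex('4500006c000100004006d31c9e8204e701020304')
TCP_HDR = bytes.fromhex('00140050000000000000000050022000b4a60000')
PAYLOAD = b'S:' + b'-' * 64 + b':E'
FRAME = ETH_HDR + IP_HDR + TCP_HDR + PAYLOAD  # 122 bytes, matching the original pcap
# The 14 trailing bytes the affected machine's tcpdump showed after ':E' (from the question).
TAIL = bytes.fromhex('0000000054000000000000000000')

if __name__ == '__main__':
    if len(sys.argv) == 3:
        with open(sys.argv[1], 'rb') as f1, open(sys.argv[2], 'rb') as f2:
            report = diff_pcaps(f1.read(), f2.read())
    else:
        report = diff_pcaps(build_pcap([FRAME]), build_pcap([FRAME + TAIL]))
    print('frames sent=%d captured=%d' % (report['sent'], report['captured']))
    for idx, sent_len, cap_len, tail in report['frames']:
        if tail is None:
            print('#%d: CONTENT DIFFERS (sent %d bytes, captured %d)' % (idx, sent_len, cap_len))
        elif tail:
            print('#%d: %d extra bytes appended: %s' % (idx, len(tail), tail.hex()))
        else:
            print('#%d: identical (%d bytes)' % (idx, sent_len))
```

The diff distinguishes trailing garbage from a changed prefix on purpose: appended bytes point at the capture or injection path (the case in the question), while a differing prefix means the frame itself was altered before it left the interface, which is a different bug to chase.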


Solution

  • This wound up being due to a bug in the Linux kernel 4.15.0 as reported in the following bug report:

    https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1782544