## Get a tcpdump capture of the traps arriving on port 162 using
tcpdump -s 8192 -w <file name> udp port 162
(run this on the production trap server, where the traps are delivered; -w writes the raw packets, so nothing is decoded yet)
## Run the rewrite script against this dump file to change the destination MAC and IP address
rewrite.sh <file name> <New file name>
You need to install the tcpreplay suite, which provides both tcprewrite (used by the script) and tcpreplay (used later to send the packets).
========================
## rewrite.sh
#!/bin/bash
# $1 is the captured file, $2 is the new capture file with the lab server's IP and MAC address
tcprewrite --pnat=216.83.186.66/32:216.203.1.131/32 --enet-dmac=08:00:20:d2:19:93 -C -i "$1" -o "$2"
Here I am changing the production trap server IP (216.83.186.66) to the lab server IP (216.203.1.131) and setting the destination MAC to the lab server's NIC address. The /32 on both sides of --pnat means only that one address is translated; the source addresses of the original senders are left alone. The destination MAC matters because tcpreplay injects the frames at layer 2: it must be the lab server's NIC (or the lab gateway's MAC if you replay from another segment), otherwise the frames are simply ignored. -C recalculates the IP and UDP checksums after the rewrite, so the new packets are not dropped as corrupt.
$1 is the captured file name and $2 is the new capture file with the lab server's IP and MAC address. The general form is:
tcprewrite --pnat=<OLDIP>/32:<NEWIP>/32 --enet-dmac=<NEW-MAC> -C -i <old-PCAP-File> -o <new-PCAP-File>
=======================
## Read this new file to confirm that the headers have changed
tcpdump -n -r <New file name> -vv (two Vs; -n keeps the addresses numeric instead of resolving them)
tcpdump -n -r <pcap-File> -vv > readable.out
To check which source IPs are sending data, read the file without -vv. In the default one-line-per-packet output the source is field 3 and the destination is field 5; with -v or -vv the addresses move to a second, indented line and $3 is no longer the source:
tcpdump -n -r <New file name> | awk '{print $3}' | sort | uniq -c (source ip.port, with a packet count per sender)
tcpdump -n -r <New file name> | awk '{print $5}' | sort | uniq -c (destination; every line should now be <NEWIP>.162:)
## Replay this file to generate the traps
tcpreplay -i eth0 <New file name>
Run this from a host on the same layer-2 segment as the lab server, not on the lab server itself: frames injected by tcpreplay go out on the wire and are not handed to the sending host's own IP stack. tcpreplay sends at the capture's original timing; add --pps=<n> to rate-limit a bursty capture.
This will send the traps to the mttrapd probe listening on port 162 on the lab server. Confirm on the lab server that they arrive:
tcpdump -n -vvv dst port 162
- I have seen the mttrapd probe not process these alarms because firewalld was running and blocking the traffic.
systemctl stop firewalld
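The whole procedure (rewrite, verify, replay) as one script, added here as an example; it is not the post's own rewrite.sh. It assumes the tcpreplay suite and tcpdump are installed, that NEW_MAC is the lab server's NIC MAC (or the lab gateway's if routed), and that it runs on a host other than the lab server, since frames injected by tcpreplay are not delivered to the sending host's own IP stack. The flow summary and destination check are pure functions over tcpdump's default one-line output, so they can be tried on saved output without any pcap tools; the sample lines in the usage are constructed.

```sh
#!/bin/sh
# replay_traps.sh: rewrite a production SNMP-trap capture for a lab server and
# replay it. Added example for this post, not the post's own rewrite.sh.
# Assumptions: the tcpreplay suite (tcprewrite, tcpreplay) and tcpdump are
# installed; NEW_MAC is the lab server's NIC MAC (or the lab gateway's MAC if
# the replay host sits on another segment); the script runs on a host other
# than the lab server, because frames injected by tcpreplay leave on the wire
# and are not handed to the sending host's own IP stack.

# Read default (non -v) "tcpdump -n" output on stdin and print one line per
# flow: "src_ip dst_ip dst_port count". The one-line format is
#   <time> IP <src>.<sport> > <dst>.<dport>: ...
# With -v/-vv the addresses move to a second line, so do not feed that here.
summarize_flows() {
    awk '$2 == "IP" && $4 == ">" {
        src = $3; sub(/\.[0-9]+$/, "", src)          # drop source port
        dst = $5; sub(/:$/, "", dst)                 # drop trailing colon
        dport = dst; sub(/.*\./, "", dport)          # keep only the port
        sub(/\.[0-9]+$/, "", dst)                    # drop destination port
        count[src " " dst " " dport]++
    }
    END { for (k in count) print k, count[k] }' | sort
}

# Succeed only if every flow on stdin is addressed to $1 on udp/162.
verify_destination() {
    summarize_flows | awk -v ip="$1" '
        $2 != ip || $3 != "162" { bad++; print "unexpected destination: " $0 > "/dev/stderr" }
        END { exit (bad > 0) }'
}

# Rewrite the destination IP (/32 to /32 so only that one address is touched)
# and destination MAC; -C recomputes IP/UDP checksums so the packets are valid.
rewrite_capture() {   # old_ip new_ip new_mac in.pcap out.pcap
    tcprewrite --pnat="$1/32:$2/32" --enet-dmac="$3" -C -i "$4" -o "$5"
}

# Replay at the capture's original timing; add --pps=<n> to rate-limit a burst.
replay_capture() {    # iface file.pcap
    tcpreplay -i "$1" "$2"
}

main() {
    old_ip=$1; new_ip=$2; new_mac=$3; iface=$4; in_pcap=$5; out_pcap=$6
    for tool in tcprewrite tcpreplay tcpdump; do
        command -v "$tool" >/dev/null 2>&1 || { echo "missing $tool" >&2; exit 2; }
    done
    rewrite_capture "$old_ip" "$new_ip" "$new_mac" "$in_pcap" "$out_pcap" || exit 1
    # Refuse to replay unless every packet now targets the lab server on udp/162.
    tcpdump -n -r "$out_pcap" 'udp port 162' 2>/dev/null | verify_destination "$new_ip" \
        || { echo "rewritten capture still has foreign destinations; not replaying" >&2; exit 1; }
    replay_capture "$iface" "$out_pcap"
}

# Usage: replay_traps.sh OLD_IP NEW_IP NEW_MAC IFACE in.pcap out.pcap
# e.g.   replay_traps.sh 216.83.186.66 216.203.1.131 08:00:20:d2:19:93 eth0 prod.pcap lab.pcap
if [ $# -eq 6 ]; then main "$@"; fi
```

The destination check is the guard the manual procedure lacks: if the --pnat address was mistyped, the script refuses to replay rather than blasting traps at whatever address is still in the capture. On the lab server side, opening only udp/162 (firewall-cmd --permanent --add-port=162/udp, then firewall-cmd --reload) is a narrower fix than stopping firewalld altogether.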