Bridging two ports with netcat/socat - networking

I need to get data from a ModBus device (modbus slave) over TCP but this device has to be exposed as a TCP client (it eats much less from the battery in this case). It means that both machines have to connect to the third one as TCP clients and I have to build a bridge between two ports, something like this
[modbus slave] -> [4444:bridge:5555] <- [modbus master]
I did try it with the netcat on a bridge machine
$ /bin/netcat -lk 5555 | /bin/netcat -lk 4444
It works halfway: I can connect to 4444 with my slave and to 5555 with my master, and traffic flows from master to slave. However, I do not see any traffic in the opposite direction. How do I build a two-way bridge in this case?
Thanks a lot in advance!

You can run 2 netcat instances with a fifo like this:
# mkfifo fifo
# nc -l -p 4444 < fifo | nc -l -p 5555 > fifo
You can also do it using just socat.
# socat TCP4-LISTEN:4444 TCP4-LISTEN:5555
On a side note, I would imagine running a client consumes more power (which needs to keep on connecting) than a server (which only waits for an incoming connection). Maybe there is some other design consideration that I missed.
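A two-way relay doing what the socat command above does, as an added example that is not part of the original answer: the pipeline in the question only connects one netcat's output to the other's input, so this copies bytes in both directions. Because Modbus/TCP has no authentication of its own, the sketch binds to one address and only accepts peers from an allowlist; `accept_one`, `pump`, `bridge` and `allowed_ips` are hypothetical names.

```python
import socket
import threading

# Added illustration; function and parameter names are hypothetical.
def accept_one(bind_addr, port, allowed_ips):
    """Listen on bind_addr:port and return the first connection from an allowed peer."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind_addr, port))
        srv.listen(1)
        while True:
            conn, (peer_ip, _) = srv.accept()
            if peer_ip in allowed_ips:
                return conn
            conn.close()  # unknown peer: drop it and keep waiting

def pump(src, dst):
    """Copy bytes src -> dst until src closes, then half-close dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

def bridge(bind_addr, slave_port, master_port, allowed_ips):
    """Wait for one client on each port (slave first), then relay both ways."""
    slave = accept_one(bind_addr, slave_port, allowed_ips)
    master = accept_one(bind_addr, master_port, allowed_ips)
    threads = [threading.Thread(target=pump, args=(slave, master)),
               threading.Thread(target=pump, args=(master, slave))]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    slave.close()
    master.close()

if __name__ == "__main__":
    bridge("127.0.0.1", 4444, 5555, {"127.0.0.1"})
```

On a real bridge host, replace the loopback values with the interface address and the two device addresses.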

Related

How to simulate the exact same network traffic that was previously recorded?

On Unix, how to simulate the exact same network traffic that was previously recorded?
I have a LAN made of 2 machines:
A local PC with interface eth0 and IP 192.168.1.1. On this PC runs a code C that listens to eth0, grabs UDP packets and produces a result with them.
A remote hardware with IP 192.168.1.10. The hardware needs an initialization step (configuration, handshake, acknowledgment) and needs to be maintained active with a heartbeat. As long as the hardware is active, it sends data (grabbed by the local PC at the other end). All the different communications are done through different ports (see picture).
On the local PC, I plug the remote running HW, run tcpdump -i eth0 -w dump.pcap & (running in background), and just after that I run the code C that uses UDP packets received from HW (in parallel tcpdump is running). This produces a result R1 on the local PC: R1 is valid and can be post-processed.
Now, after the record dump.pcap is done, I let the remote HW running (otherwise eth0 dies - ip a no longer associates an IP to eth0), I run tcpreplay -K --intf1=eth0 dump.pcap & (running in background), and just after that I re-run the code C that uses UDP packets received from tcpreplay running in parallel (at least, that's my understanding of what should occur). The traces when C runs look correct (initialization OK, no error, running / receiving looks OK). Unfortunately, C produces another result R2... Which is different from R1: R2 is invalid and can not even be post-processed?! The size of R2 is about the size of R1 but seems to be filled with zero/uninitialized data.
Is it possible to simulate the exact same traffic as the one that was previously recorded? If yes, what did I miss or what do I do wrong?
Note: I use a bash script to run tcpdump and C just one after the other when recording, and run tcpreplay and C just one after the other when replaying (trying to do things the same ways with similar delays as much as possible).

Does OpenStack support jumbo frame internal networks over a physical network without jumbo frame support?

There are 2 VMs deployed in two different compute nodes in an Openstack environment.
Interfaces of the VMs [configured with 9K MTU] are connected via switch [configured with 9K MTU].
ping with jumbo frame [without fragment] is not working between these two VMs.
ping <IP Address> -I <Interface Name> -s 8972 -M do
No. If the physical switch between computes is not configured for jumbo frame support then the switch would simply drop these packets.
You need to configure all physical devices in between to have jumbo frame support (like switch and compute node NIC card).

How can I open a TCP port in Raspberry Pi

I have a Raspberry Pi and I would like to open a TCP port on it, for example port 11000.
I tried to find a command on the internet for doing this but I could not.
I would be thankful if somebody could help me in this matter.
Thanks!
I would suggest digging into the ins and outs of networking since there are many options and you will need to be aware of the security implications with opening up your ports to the world. IP addresses are scanned every minute of every hour of every day so be very careful.
This is a simple example using netcat (nc) on the Bash shell. Below are two (2) nodes: my Raspberry Pi 2 and one of my Ubuntu servers, which is on the same network. Both nodes don't have any open ports except for SSH.
However, you'll see how easy it is to pass information from the Ubuntu server to the Pi without authentication.
So... the Pi opens (listens) on port 11000 and sends incoming data into file capture.this. Then the Ubuntu server echoes a message to the Pi's LAN IP address at port 11000.
pi#raspberrypi:~ $ nc -lp 11000 > capture.this
david#ubuntuserver002:~$ echo "Hey, What's up Cuz!" | nc 10.100.71.141 11000
pi#raspberrypi:~ $ cat capture.this
Hey, What's up Cuz\!

Multiple programs on a machine should receive the network traffic arriving on one port

I have UDP network traffic arriving on my machine (OSC traffic from an iPad, to be exact) and I want two programs to be able to receive that traffic. The problem is that I can't bind to the same network port with two programs at once and I can't send to multiple ports with the iOS app I'm using. How can I solve this problem?
You can use the power of the command line for this. The following snippet uses socat (probably needs to be installed beforehand) and tee (should be preinstalled on any OS X or Linux).
socat -u UDP4-RECVFROM:8123,fork - | tee >(socat -u - UDP4-SENDTO:localhost:8223) | socat -u - UDP4-SENDTO:localhost:8323
Explanation: socat listens for traffic on UDP port 8123, pipes it to tee, which pipes it to two other instances of socat forwarding it to ports 8223 and 8323 on localhost respectively. With your two programs you need to listen to those ports on localhost.
While the answer using socat is elegant, it is not clear to me what you are trying to do:
both programs should receive all parts of the traffic and they will only receive and not reply. This can be done with the proposed socat way
both programs should receive all parts of the traffic and their replies will be mixed together (how?)
each of the programs should only receive parts of the traffic, e.g. the one which the other did not get. This should be possible if both of your programs use SO_REUSEADDR, SO_REUSEPORT. Replies will then be mixed together.
or do you actually want to communicate with each of the programs separately - then you would have to use either multiple sockets in the iOS app (which you don't want to do) or build your own protocol which does multiplexing, e.g. each message is prefixed with its target app and on the target machine a demultiplexer application will receive all packets and forward them to the appropriate application and wrap the replies back in the multiplexing protocol.
In summary: please describe the problem you are trying to solve, not only one small technical detail of it.
The problem is that I can't bind to the same network port with two programs at once
Yes you can. Just set SO_REUSEADDR and maybe SO_REUSEPORT on both of them before you bind.
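The fan-out from the socat and tee answer above, written as a single process (an added example, not code from any of the answers): each `recvfrom` yields exactly one datagram and each target gets exactly one `sendto`, so every OSC message stays in its own packet, which a byte-stream pipe does not guarantee. The function names and the optional `allowed_senders` filter are hypothetical additions; the port numbers are the ones used in the socat command.

```python
import socket

# Added illustration; function and parameter names are hypothetical.
def udp_socket(bind_addr="127.0.0.1", port=0):
    """Create a UDP socket bound to bind_addr:port (port 0 lets the OS choose)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    return sock


def fan_out_once(rx, targets, allowed_senders=None):
    """Receive one datagram on rx and send one identical datagram to each target.

    Returns the payload, or None if the sender is not in allowed_senders.
    """
    data, (sender_ip, _) = rx.recvfrom(65535)
    if allowed_senders is not None and sender_ip not in allowed_senders:
        return None  # ignore traffic from unexpected hosts
    for target in targets:
        rx.sendto(data, target)
    return data


def serve(listen_port=8123, target_ports=(8223, 8323), allowed_senders=None):
    """Loop forever, duplicating traffic from listen_port to the local target ports."""
    rx = udp_socket("0.0.0.0", listen_port)
    targets = [("127.0.0.1", p) for p in target_ports]
    while True:
        fan_out_once(rx, targets, allowed_senders)


if __name__ == "__main__":
    serve()
```

Passing the iPad's address in `allowed_senders` keeps other hosts on the network from injecting messages into both programs.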

Identify single communication

I have a problem with identifying communication established by TCP.
I have to identify the first completed communication, for example the first complete http communication.
I have a dump .pcap file with the capture. I know that communication should start with a three-way handshake (SYN, SYN-ACK, ACK) and then close with a double FIN flag from both sides.
But I have a lot of communication in that dump file.
So here is the question. Which things do I need to remember to match exactly one communication?
I thought about source IP, destination IP, protocol, maybe port but i am not sure.
Thank you for every advice.
And sorry for my English.
You stated that you need:
To identify a particular conversation
To identify the first completed conversation
You can identify a particular TCP or UDP conversation by filtering for the 5-tuple of the connection:
Source IP
Source Port
Destination IP
Destination Port
Transport (TCP or UDP)
As Shane mentioned, this is protocol dependent e.g. ICMP does not have the concept of ports like TCP and UDP do.
A libpcap filter like the following would work for TCP and UDP:
tcp and host 1.1.1.1 and port 53523 and dst host 1.1.1.2 and port 80
Apply it with tcpdump:
$ tcpdump -nnr myfile.pcap 'tcp and host 1.1.1.1 and port 53523 and dst host 1.1.1.2 and port 80'
To identify the first completed connection you will have to follow the timestamps.
Using a tool like Bro to read a PCAP would yield the answer as it will list each connection attempt seen (complete or incomplete):
$ bro -r myfile.pcap
$ bro-cut -d < conn.log | head -1
2014-03-14T10:00:09-0500 CPnl844qkZabYchIL7 1.1.1.1 57596 1.1.1.2 80 tcp http 0.271392 248 7775 SF F ShADadfF 14 1240 20 16606 (empty) US US
Use the flag data for TCP to judge whether there was a successful handshake and tear down.
For other protocols you can make judgements based on byte counts, sent and received.
Identifying the first completed communication is highly protocol specific. You are on the right track with your filters. If your protocol is a commonly used one there are plug ins called protocol analyzers and filters that can locate "conversations" for you from a pcap data stream. If you know approximate start time and end time that would help narrow it down too.
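The matching described in the first answer above, as an added example that is not part of either answer: packets are grouped by a direction-independent 5-tuple, and a flow counts as completed once SYN, SYN-ACK, ACK and a FIN from each side have been seen. The packet records are constructed sample data using the addresses from the answer; `Pkt`, `flow_key` and `first_completed` are hypothetical names, and "first" is taken to mean first to finish.

```python
from collections import namedtuple

# ts: capture time; src/dst: (ip, port); flags: frozenset of TCP flag names
Pkt = namedtuple("Pkt", "ts src dst flags")


def flow_key(p):
    """Direction-independent 5-tuple: both halves of a conversation map to one key."""
    return ("tcp",) + tuple(sorted((p.src, p.dst)))


def first_completed(packets):
    """Return (key, start_ts, end_ts) of the first flow with a full handshake and both FINs."""
    flows = {}
    for p in sorted(packets, key=lambda p: p.ts):
        key = flow_key(p)
        if p.flags == {"SYN"}:
            # A fresh SYN restarts tracking, so a reused port pair is a new conversation.
            flows[key] = {"client": p.src, "stage": "syn", "fins": set(), "start": p.ts}
            continue
        f = flows.get(key)
        if f is None:
            continue  # handshake not captured: cannot call this flow complete
        if "RST" in p.flags:
            del flows[key]  # aborted, not a clean teardown
            continue
        if f["stage"] == "syn" and p.flags == {"SYN", "ACK"} and p.src != f["client"]:
            f["stage"] = "synack"
        elif f["stage"] == "synack" and "ACK" in p.flags and p.src == f["client"]:
            f["stage"] = "established"
        if f["stage"] == "established" and "FIN" in p.flags:
            f["fins"].add(p.src)
            if len(f["fins"]) == 2:
                return key, f["start"], p.ts
    return None


# Constructed sample: flow A starts first but closes last; flow B starts later and closes first.
A, B, S = ("1.1.1.1", 53523), ("1.1.1.1", 57596), ("1.1.1.2", 80)
SAMPLE = [Pkt(ts, s, d, frozenset(fl.split("+"))) for ts, s, d, fl in [
    (1.0, A, S, "SYN"), (1.1, S, A, "SYN+ACK"), (1.2, A, S, "ACK"),
    (2.0, B, S, "SYN"), (2.1, S, B, "SYN+ACK"), (2.2, B, S, "ACK"),
    (3.0, B, S, "FIN+ACK"), (3.1, S, B, "FIN+ACK"), (3.2, B, S, "ACK"),
    (9.0, A, S, "FIN+ACK"), (9.1, S, A, "FIN+ACK"), (9.2, A, S, "ACK"),
]]

if __name__ == "__main__":
    print(first_completed(SAMPLE))
```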
