Modifying Packet Captures with tcprewrite
Recently I wanted to look at the structure of sFlow packets. Of course I can read the specs, but it’s often easier to look at some real packets. So I set up a simple network, configured sFlow, created some traffic across the network, and used tcpdump to capture the sFlow packets.
Unfortunately I had a bit of a brain fade, and configured sFlow to use port 2055, not port 6343. So it looked like this:
vagrant@ubuntu:~$ tcpdump -r sflow.cap
reading from file sflow.cap, link-type EN10MB (Ethernet)
13:48:37.812602 IP 10.254.4.125.44695 > 10.254.4.170.2055: UDP, length 148
13:48:57.813663 IP 10.254.4.125.44695 > 10.254.4.170.2055: UDP, length 148
13:48:59.061629 IP 10.254.4.125.44695 > 10.254.4.170.2055: UDP, length 232
13:49:17.806908 IP 10.254.4.125.44695 > 10.254.4.170.2055: UDP, length 148
13:49:37.804433 IP 10.254.4.125.44695 > 10.254.4.170.2055: UDP, length 148
13:49:57.806000 IP 10.254.4.125.44695 > 10.254.4.170.2055: UDP, length 148
13:50:17.808959 IP 10.254.4.125.44695 > 10.254.4.170.2055: UDP,
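The fix for a capture like this is to rewrite the UDP port inside every packet rather than re-capture, which is what tcprewrite's --portmap option (for example --portmap=2055:6343 with --infile and --outfile) is for. To show what such a rewrite has to do, here is an added Python example that is not part of the original post and not tcprewrite's own code: it builds a small pcap in memory with constructed sFlow-style datagrams to port 2055 (the addresses and ports mirror the tcpdump output above), maps 2055 to 6343 in both directions, and recomputes the UDP checksum so the rewritten file still decodes cleanly. It uses only the standard library and assumes Ethernet/IPv4/UDP frames with no options or trailers beyond what the IP length field declares.

```python
"""Rewrite UDP ports inside a pcap, the way a port map does (constructed example)."""
import struct

# Classic pcap global header: magic, v2.4, tz 0, sigfigs 0, snaplen 65535, linktype 1 (Ethernet)
PCAP_GLOBAL_HDR = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
ETH_LEN = 14


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words, returned complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def udp_checksum(src_ip: bytes, dst_ip: bytes, udp: bytes) -> int:
    """UDP checksum over the IPv4 pseudo-header plus the segment (checksum field zeroed)."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 17, len(udp))
    csum = internet_checksum(pseudo + udp)
    return csum or 0xFFFF  # UDP sends a computed zero as 0xFFFF (zero means "no checksum")


def build_udp_frame(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/UDP frame with valid IP and UDP checksums."""
    ip_src = bytes(int(o) for o in src.split("."))
    ip_dst = bytes(int(o) for o in dst.split("."))
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    udp = udp[:6] + struct.pack("!H", udp_checksum(ip_src, ip_dst, udp)) + udp[8:]
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0, ip_src, ip_dst)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", internet_checksum(ip_hdr)) + ip_hdr[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"  # constructed MACs
    return eth + ip_hdr + udp


def write_pcap(frames) -> bytes:
    out = bytearray(PCAP_GLOBAL_HDR)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return bytes(out)


def read_pcap(data: bytes):
    """Return the list of frames from a little-endian classic pcap."""
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("unsupported pcap magic")
    frames, off = [], 24
    while off < len(data):
        incl = struct.unpack("<I", data[off + 8:off + 12])[0]
        frames.append(data[off + 16:off + 16 + incl])
        off += 16 + incl
    return frames


def rewrite_udp_ports(frame: bytes, portmap: dict) -> bytes:
    """Apply portmap {old: new} to the source and destination ports of an IPv4/UDP frame."""
    if len(frame) < ETH_LEN + 20 or frame[12:14] != b"\x08\x00":
        return frame  # not IPv4: leave untouched
    ihl = (frame[ETH_LEN] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[ETH_LEN + 2:ETH_LEN + 4])[0]
    if frame[ETH_LEN + 9] != 17:
        return frame  # not UDP
    udp_start, udp_end = ETH_LEN + ihl, ETH_LEN + total_len
    sport, dport = struct.unpack("!HH", frame[udp_start:udp_start + 4])
    new_sport, new_dport = portmap.get(sport, sport), portmap.get(dport, dport)
    if (new_sport, new_dport) == (sport, dport):
        return frame
    udp = bytearray(frame[udp_start:udp_end])
    struct.pack_into("!HHxxH", udp, 0, new_sport, new_dport, 0)  # new ports, checksum zeroed
    src_ip, dst_ip = frame[ETH_LEN + 12:ETH_LEN + 16], frame[ETH_LEN + 16:ETH_LEN + 20]
    struct.pack_into("!H", udp, 6, udp_checksum(src_ip, dst_ip, bytes(udp)))
    return frame[:udp_start] + bytes(udp) + frame[udp_end:]


def rewrite_pcap(data: bytes, portmap: dict) -> bytes:
    """Port-map every record; lengths are unchanged so record headers stay valid."""
    out, off = bytearray(data[:24]), 24
    while off < len(data):
        rec_hdr = data[off:off + 16]
        incl = struct.unpack("<I", rec_hdr[8:12])[0]
        out += rec_hdr + rewrite_udp_ports(data[off + 16:off + 16 + incl], portmap)
        off += 16 + incl
    return bytes(out)


def udp_ports(frame: bytes):
    ihl = (frame[ETH_LEN] & 0x0F) * 4
    return struct.unpack("!HH", frame[ETH_LEN + ihl:ETH_LEN + ihl + 4])


def verify_udp_checksum(frame: bytes) -> bool:
    """True when the pseudo-header + segment (checksum included) sums to zero."""
    ihl = (frame[ETH_LEN] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[ETH_LEN + 2:ETH_LEN + 4])[0]
    udp = frame[ETH_LEN + ihl:ETH_LEN + total_len]
    pseudo = frame[ETH_LEN + 12:ETH_LEN + 20] + struct.pack("!BBH", 0, 17, len(udp))
    return internet_checksum(pseudo + udp) == 0


if __name__ == "__main__":
    original = write_pcap([
        build_udp_frame("10.254.4.125", "10.254.4.170", 44695, 2055, b"\x00" * 148),  # agent -> collector
        build_udp_frame("10.254.4.170", "10.254.4.125", 2055, 44695, b"\x00" * 20),   # reply direction
        build_udp_frame("10.254.4.125", "10.254.4.170", 5000, 53, b"\x00" * 12),      # unrelated, untouched
    ])
    for frame in read_pcap(rewrite_pcap(original, {2055: 6343})):
        print(udp_ports(frame), "checksum ok" if verify_udp_checksum(frame) else "checksum BAD")
```

Mapping both source and destination ports matters because the rewrite must also catch any traffic the collector sends back from 2055; and because the port fields are covered by the UDP checksum, a rewrite that changed only the port bytes would leave every packet flagged as corrupt in a decoder with checksum validation enabled, which is why the checksum is recomputed here.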