WireShark is not capturing my PCAP file I replayed using Tcpreplay?

asked 2019-11-19 02:32:37 +0000

sarah gravatar image

updated 2019-11-19 15:39:54 +0000

One of my metrics is to test out Wireshark's accuracy of packet captures. I want to replay the pcap file I have with the images I know I have inside it on my eth0 network. I set up Ettercap, Wireshark and sleeted my targeted hosts. however wireshark cannot even track the attempt of pcap files

please advise what I have missed here

edit retag flag offensive close merge delete


  • Does Wireshark capture anything on the interface, not just with TCPreplay?
  • I assume you use a non-Windows platform? Which one? What Wireshark version are we talking about?
  • Do other tools detect the traffic on the interface?
  • How do you replay the capture file on the interface?
Jaap gravatar imageJaap ( 2019-11-19 05:37:44 +0000 )edit

Yes, Wireshark can capture other packets such at http and ftp sessions without Tcpreplay. i set up a virtual box on my MacBook Pro. I am accessing wireshark through kali as its preloaded. version 2.6.8. by other tools do you mean like tool as in Xplico. on the terminal I run tcpreplay --intf1=eth0 pcap.pcap

the packet states its sent, but not been detected on wireshark.

sarah gravatar imagesarah ( 2019-11-19 15:23:26 +0000 )edit

do you think I may need to set an IP address in the pcap files or can I set an IP address on command line when typing up the tcpreplay?

sarah gravatar imagesarah ( 2019-11-19 15:27:12 +0000 )edit

Take a closer look at what tcpreplay is sending:

tcpreplay -v -A e -i eth0 pcap.pcap

Exclude Wireshark from the initial testing. Use tcpdump on the same machine running tcpreplay (excluding port 22 if you are connected with ssh)

tcpdump -i eth0 -p  -Q out -e  not port 22

Once it's working with tcpdump then try the capture with Wireshark.
Verify that the capture interface is running in promiscuous mode.
If Wireshark is not running on the same machine as tcpreplay then check here:
for information on setting up a SPAN port if needed.

Chuckc gravatar imageChuckc ( 2019-11-19 16:52:39 +0000 )edit

thank you. I reinstalled kali and tested tcpdump to capture pcap.pcap with and it worked. afterwards I tested it with wireshark and it captured all imaged and files within my pcap file.

sarah gravatar imagesarah ( 2019-11-23 23:44:03 +0000 )edit