Inline... On Thu, Jul 30, 2009 at 9:23 AM, Sydney Puente<sydneypue...@yahoo.com> wrote: > Hello, > > I have tcpreplay-3.4.3 on centos 3.8 that compiled no problem. > So what I want to do is to snarf loadsa SNMP traps on a very busy interface > ie 100 000s of trap per hour. > with tcpdump > /usr/sbin/tcpdump -nnvvXSs 1514 -i eth0 udp and port 162 -w > /var/tmp/snmp.cap
Just a small note, I recommend using "-s 0" over "-s 1514". It deals with jumbo frames, vlan tags, etc better. > find few traps I am interested in with wireshark, and save those few traps. > rewrite the destination UDP port from 162 to 163 > and fire the traps at this port. The idea being that I can create some code > that processes these traps by listening on this port. > So: > tcprewrite --infile=/var/tmp/pcap/BGP_opensent_28Jul09.pcap > --outfile=new.pcap --portmap=162:163 Looks good so far... > and: > tcpreplay-3.4.3]# tcpreplay --intf1=eth0 new.pcap > sending out eth0 > processing file: new.pcap > Actual: 4 packets (776 bytes) sent in 915.45 seconds > Rated: 0.8 bps, 0.00 Mbps, 0.00 pps > Statistics for network device: eth0 > Attempted packets: 4 > Successful packets: 4 > Failed packets: 0 > Retried packets (ENOBUFS): 0 > Retried packets (EAGAIN): 0 > > Something has already gone a bit wrong cos a packet every 2-3 mins is below > expectation. What was the expectation? How many packets are in the pcap file? What are their timestamps? By default, tcpreplay sends traffic at the original speed. If you want to go faster, look at the --pps option or --topspeed. > And also on the target box I dont think the packets arrive, cos the > /var/tmp/snmp163.cap stays empty. > > /usr/sbin/tcpdump -nnvvXSs 1514 -i eth0 udp and port 163 -w > /var/tmp/snmp163.cap Have you looked at the new.pcap in Wireshark? I'm not aware of any bugs in --portmap, but doesn't mean they don't exist. Are you running tcpdump on the target box or the system running tcpreplay? If your pcap is relatively small, emailing it to me would help me recreate your issue. -- Aaron Turner http://synfin.net/ http://tcpreplay.synfin.net/ - Pcap editing and replay tools for Unix & Windows Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. -- Benjamin Franklin ------------------------------------------------------------------------------ Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day trial. Simplify your report design, integration and deployment - and focus on what you do best, core application coding. Discover what's new with Crystal Reports now. http://p.sf.net/sfu/bobj-july _______________________________________________ Tcpreplay-users mailing list Tcpreplay-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/tcpreplay-users Support Information: http://tcpreplay.synfin.net/trac/wiki/Support
