I've asked on netdev and thanks to Jamal, I now have a solution. You can see the answer here: http://marc.info/?l=linux-netdev&m=130987003108156
but just in case (and to help future googlers of this issue) I'll summarize the problem and solution here:

tcpreplay opens its sending socket using the "ETH_P_ALL" option. This means that tc filters that apply only to IP packets are skipped:

    sudo tc filter add dev eth0 protocol ip parent 1: prio 1 u32 match ip dport 22 0xffff flowid 1:1

but if the rule is changed to scan all traffic:

    sudo tc filter add dev eth0 protocol all parent 1: prio 1 u32 match ip dport 22 0xffff flowid 1:1

it should work, but it will slow down the filter.

A somewhat cleaner (and more long-term) solution is to provide a user level option in tcpreplay to open its socket using ETH_P_IP. This will limit the socket to send only IP traffic but will allow such rules to work.

On that note, I think that my trouble with tc can also apply to problems people have been having with iptables with tcpreplay/libpcap injected traffic.

On Mon, Jul 4, 2011 at 10:11 PM, Aaron Turner <synfina...@gmail.com> wrote:
> On Mon, Jul 4, 2011 at 11:38 AM, Bennett Todd <b...@rahul.net> wrote:
>> Might it be possible to run the replay and the traffic shaping in separate
>> virtual machines?
>
> No idea if that would change the results. Please give it a try and report
> back!
>
> --
> Aaron Turner
> http://synfin.net/ Twitter: @synfinatic
> http://tcpreplay.synfin.net/ - Pcap editing and replay tools for Unix &
> Windows
> Those who would give up essential Liberty, to purchase a little temporary
> Safety, deserve neither Liberty nor Safety.
> -- Benjamin Franklin
> "carpe diem quam minimum credula postero"
>
> _______________________________________________
> Tcpreplay-users mailing list
> Tcpreplay-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/tcpreplay-users
> Support Information: http://tcpreplay.synfin.net/trac/wiki/Support
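
Added example, not part of the original message and not tcpreplay's code: a minimal C sender for reproducing the behaviour summarized above. It opens an AF_PACKET socket with either ETH_P_ALL or ETH_P_IP and sends one constructed frame addressed to TCP port 22, so the statistics of the two tc rules can be compared with "tc -s filter show dev eth0". The function names, the sample frame and its 192.0.2.x addresses are assumptions made for the example.

```c
#include <arpa/inet.h>
#include <linux/if_ether.h>
#include <linux/if_packet.h>
#include <net/if.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Constructed frame (not captured traffic); checksums and payload are zero. */
static const unsigned char sample_frame[60] = {
    0x02,0,0,0,0,0x02,  0x02,0,0,0,0,0x01,  0x08,0x00, /* dst MAC, src MAC, IPv4 */
    0x45,0,0,0x2e,  0,0,0,0,  0x40,0x06,0,0,           /* IHL 5, len 46, TTL 64, TCP */
    192,0,2,1,  192,0,2,2,  0xc0,0x00,  0x00,0x16      /* addrs, sport 49152, dport 22 */
};

/* Address for bind(): interface index plus the protocol the socket sends as. */
struct sockaddr_ll tx_addr(int ifindex, unsigned short ethertype)
{
    struct sockaddr_ll sll = { .sll_family = AF_PACKET, .sll_ifindex = ifindex,
                               .sll_protocol = htons(ethertype) };
    return sll;
}

/* Open and bind the sending socket; needs CAP_NET_RAW. Returns fd or -1. */
int open_tx_socket(const char *ifname, unsigned short ethertype)
{
    unsigned int ifindex = if_nametoindex(ifname);
    if (ifindex == 0) return -1;
    int fd = socket(AF_PACKET, SOCK_RAW, htons(ethertype));
    if (fd < 0) return -1;
    struct sockaddr_ll sll = tx_addr((int)ifindex, ethertype);
    if (bind(fd, (struct sockaddr *)&sll, sizeof(sll)) == 0) return fd;
    close(fd);
    return -1;
}

/* Usage: ./txproto <ifname> ip|all  (run once per mode, then read the tc stats) */
int main(int argc, char **argv)
{
    if (argc != 3) { fprintf(stderr, "usage: %s <ifname> ip|all\n", argv[0]); return 2; }
    unsigned short proto = strcmp(argv[2], "ip") == 0 ? ETH_P_IP : ETH_P_ALL;
    int fd = open_tx_socket(argv[1], proto);
    if (fd < 0) { perror("open_tx_socket"); return 1; }
    ssize_t n = send(fd, sample_frame, sizeof(sample_frame), 0);
    printf("sent %zd bytes, socket protocol 0x%04x\n", n, proto);
    close(fd);
    return n < 0;
}
```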