well, that'll have to wait.
Currently i've wasted more time than I had on this issue because the
suggested fix doesn't seem to be working on my ubuntu 10.04 box. I can
however confirm it works on a fedora core 15 machine, maybe because of
a newer kernel (2.6.32-32 vs 2.6.38.6-26.rc1)

On Tue, Jul 5, 2011 at 7:24 PM, Aaron Turner <synfina...@gmail.com> wrote:
> On Tue, Jul 5, 2011 at 6:26 AM, Adam Katz <adamka...@gmail.com> wrote:
>> I've asked on netdev and thanks to Jamal, I now have a solution. You
>> can see the answer here:
>> http://marc.info/?l=linux-netdev&m=130987003108156
>>
>> but just in case (and to help future googlers of this issue) i'll
>> summarize the problem and solution here:
>>
>> tcpreplay opens its sending socket using the "ETH_P_ALL" option. This
>> means that tc filters that apply only to ip packets are skipped:
>>
>> sudo tc filter add dev eth0 protocol ip parent 1: prio 1 u32 match ip
>> dport 22 0xffff flowid 1:1
>>
>> but if the rule is changed to scan all traffic:
>>
>> sudo tc filter add dev eth0 protocol all parent 1: prio 1 u32 match ip
>> dport 22 0xffff flowid 1:1
>>
>> it should work, but it will slow down the filter.
>>
>> A somewhat cleaner (and more long-term) solution is to provide a user
>> level option in tcpreplay to open its socket using ETH_P_IP. This will
>> limit the socket to send only ip traffic but will allow such rules to
>> work.
>>
>> On that note, I think that my trouble with tc can also apply to
>> problems people have been having with iptables with tcpreplay/libpcap
>> injected traffic.
>
> Interesting!
>
> You could try editing src/common/sendpacket.c sendpacket_open_pf()
> around line 658 and change it to ETH_P_IP.  I'd be curious to hear if
> that actually fixes this problem.  If so, then maybe I can make that
> an option in a future version.
>
>
> --
> Aaron Turner
> http://synfin.net/         Twitter: @synfinatic
> http://tcpreplay.synfin.net/ - Pcap editing and replay tools for Unix & 
> Windows
> Those who would give up essential Liberty, to purchase a little temporary
> Safety, deserve neither Liberty nor Safety.
>     -- Benjamin Franklin
> "carpe diem quam minimum credula postero"
>
> ------------------------------------------------------------------------------
> All of the data generated in your IT infrastructure is seriously valuable.
> Why? It contains a definitive record of application performance, security
> threats, fraudulent activity, and more. Splunk takes this data and makes
> sense of it. IT sense. And common sense.
> http://p.sf.net/sfu/splunk-d2d-c2
> _______________________________________________
> Tcpreplay-users mailing list
> Tcpreplay-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/tcpreplay-users
> Support Information: http://tcpreplay.synfin.net/trac/wiki/Support
>

------------------------------------------------------------------------------
All of the data generated in your IT infrastructure is seriously valuable.
Why? It contains a definitive record of application performance, security 
threats, fraudulent activity, and more. Splunk takes this data and makes 
sense of it. IT sense. And common sense.
http://p.sf.net/sfu/splunk-d2d-c2
_______________________________________________
Tcpreplay-users mailing list
Tcpreplay-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tcpreplay-users
Support Information: http://tcpreplay.synfin.net/trac/wiki/Support

Reply via email to