On Tue, Jul 19, 2011 at 10:19 AM, Mike Komer <[email protected]> wrote:
> It might not be those specific ones, but I'm sure I can get you some
> capture(s) or another that do the same thing.

That would be great.

> There is one specific case I will try and find. It is a UDP packet, followed
> by two fragments (no valid layer 4 or up), followed by a response from the
> other side. tcpprep tries to send it all out secondary and if I recall it
> won't renumber the 4th packet's source.

Sounds like a repeat of the two packet example above. Fragments are
ignored for auto mode ratio calculations.

> I'll try and get you something for examples.
>
> I will see what happens with splitting with ports for these specific cases.
> But, many of the captures are not sent normal ports and some don't even have
> ports.

Assuming it's IPv4/v6 you can also split by IP blocks using --cidr.

Basically, when you use auto mode, tcpprep processes the pcap file
twice via a 3 step process:

1. Once to build a tree containing the conversations between end
points and the number of times each IP address behaved like a client
or server.

2. Then that tree is walked and for each node (IP address) it decides
if it behaved more like a client or server.

3. Then the pcap is processed a second time and for each packet the
source IP address is looked up in the tree and the direction is
written to the cache file.

--
Aaron Turner
http://synfin.net/ Twitter: @synfinatic
http://tcpreplay.synfin.net/ - Pcap editing and replay tools for Unix & Windows
Those who would give up essential Liberty, to purchase a little temporary
Safety, deserve neither Liberty nor Safety.
 -- Benjamin Franklin
"carpe diem quam minimum credula postero"

_______________________________________________
Tcpreplay-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/tcpreplay-users
Support Information: http://tcpreplay.synfin.net/trac/wiki/Support
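Added example (not part of the original message, and not tcpprep's source code): a simplified Python model of the three steps described above, run on constructed packets including the UDP-plus-fragments case from the thread. The packet kinds, the rule for what counts as client-like or server-like evidence, the primary/secondary naming and the unknown_as fallback are assumptions of this sketch.

```python
from collections import defaultdict

# Constructed sample packets as (src, dst, kind); not from any real capture.
WEB = [
    ("10.0.0.5", "192.0.2.10", "tcp_syn"),
    ("192.0.2.10", "10.0.0.5", "tcp_synack"),
    ("10.0.0.5", "192.0.2.10", "tcp_data"),
    ("192.0.2.10", "10.0.0.5", "tcp_data"),
]
# The case from the thread: a UDP packet, two fragments, then a response.
UDP_FRAGS = [
    ("10.0.0.7", "192.0.2.20", "udp"),
    ("10.0.0.7", "192.0.2.20", "fragment"),
    ("10.0.0.7", "192.0.2.20", "fragment"),
    ("192.0.2.20", "10.0.0.7", "udp"),
]

# Assumed heuristics for this sketch: packet kinds that count as evidence.
CLIENT_KINDS = {"tcp_syn", "dns_query"}
SERVER_KINDS = {"tcp_synack", "dns_reply"}

def build_tree(packets):
    """Step 1 (first pass): count client-like and server-like packets per IP."""
    tree = defaultdict(lambda: {"client": 0, "server": 0})
    for src, _dst, kind in packets:
        if kind == "fragment":
            continue  # fragments are ignored for the ratio calculation
        node = tree[src]  # every non-fragment source gets a node
        node["client"] += int(kind in CLIENT_KINDS)
        node["server"] += int(kind in SERVER_KINDS)
    return tree

def classify(tree):
    """Step 2: walk the tree; ties and nodes with no evidence stay unknown."""
    roles = {}
    for ip, n in tree.items():
        c, s = n["client"], n["server"]
        roles[ip] = "client" if c > s else "server" if s > c else "unknown"
    return roles

def auto_split(packets, unknown_as="server"):
    """Step 3 (second pass): look up each source IP and emit a direction."""
    roles = classify(build_tree(packets))
    out = []
    for src, _dst, _kind in packets:
        role = roles.get(src, "unknown")
        role = unknown_as if role == "unknown" else role  # assumed fallback
        out.append("primary" if role == "client" else "secondary")
    return out
```

In this model the UDP_FRAGS capture yields no client or server evidence for either address, so all four packets take the fallback direction, while the WEB capture splits cleanly on the SYN and SYN/ACK.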
