Thanks for the pcaps.  Real quick:

The issue with the UDP is because the traffic is using non-standard
ports and all the current auto methods rely on a known server port to
determine who is client & server since there isn't a 3 way handshake
to rely on like in TCP.  Not sure if the 4.0-alpha (trunk) branch of
code compiles at this moment, but it adds a "first" auto-mode which
just assumes the first packet it sees is the client which appears to
work for this pcap.

Anyways, refreshing my memory by looking at the tcpprep/UDP code and
all I can say is it sucks.  Basically all it does is look at DNS
traffic - everything else is just 'client'.  If you're dealing with UDP
traffic and you have a little scripting skill, I'd highly recommend
parsing the output of tcpdump and building a custom /etc/services file
and using that with --port & --services flags.

It probably should be using the first logic in the 4.0 branch, but I'm
not making any real strides on that right now.

As for the bug with not rewriting certain IP addresses, I tracked it
down to an issue with the --skipbroadcast flag.  Either don't specify
it (for the examples you've given, there's no need really) or apply
this change:

http://tcpreplay.synfin.net/changeset/2543

Hopefully the above at least points you in the right direction.  Let
me know if you need anything clarified or I missed anything.

-Aaron

On Tue, Jul 19, 2011 at 11:10 AM, Aaron Turner <synfina...@gmail.com> wrote:
> On Tue, Jul 19, 2011 at 10:19 AM, Mike Komer <mko...@juniper.net> wrote:
>> It might not be those specific ones, but I'm sure I can get you some 
>> capture(s) or another that do the same thing.
>
> That would be great.
>
>
>> There is one specific case I will try and find. It is a UDP packet, followed 
>> by two fragments (no valid layer 4 or up), followed by a response from the 
>> other side. tcpprep tries to send it all out secondary and if I recall it 
>> won't renumber the 4th packet's source.
>
> Sounds like a repeat of the two packet example above.  Fragments are
> ignored for auto mode ratio calculations.
>
>> I'll try and get you something for examples.
>>
>> I will see what happens with splitting with ports for these specific cases. 
>> But, many of the captures are not sent on normal ports and some don't even have 
>> ports.
>
> Assuming it's IPv4/v6 you can also split by IP blocks using --cidr.
>
> Basically, when you use auto mode, tcpprep processes the pcap file
> twice via a 3 step process:
>
> 1.  Once to build a tree containing the conversations between end
> points and the number of times each IP address behaved like a client
> or server.
>
> 2. Then that tree is walked and for each node (IP address) it decides
> if it behaved more like a client or server.
>
> 3. Then the pcap is processed a second time and for each packet the
> source IP address is looked up in the tree and the direction is
> written to the cache file.
>
>
> --
> Aaron Turner
> http://synfin.net/         Twitter: @synfinatic
> http://tcpreplay.synfin.net/ - Pcap editing and replay tools for Unix & 
> Windows
> Those who would give up essential Liberty, to purchase a little temporary
> Safety, deserve neither Liberty nor Safety.
>     -- Benjamin Franklin
> "carpe diem quam minimum credula postero"
>

-- 
Aaron Turner
http://synfin.net/         Twitter: @synfinatic
http://tcpreplay.synfin.net/ - Pcap editing and replay tools for Unix & Windows
Those who would give up essential Liberty, to purchase a little temporary
Safety, deserve neither Liberty nor Safety.
    -- Benjamin Franklin
"carpe diem quam minimum credula postero"
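Aaron's three-step description of auto mode, together with his suggestion to build a custom services table from tcpdump output, as an added Python sketch. This is not tcpprep's own code: the packet tuples, the tcpdump lines and the "first destination port between two hosts is the server port" heuristic are constructed here to show why non-standard UDP ports defeat the stock services table and how a custom one fixes the direction of the reply.

```python
import re
from collections import defaultdict
# Constructed sample, not the poster's pcaps: a DNS exchange, then a UDP application on
# non-standard ports 6000 -> 7000 with a fragment in between.
# Layout: (src_ip, dst_ip, proto, sport, dport); None = fragment without an L4 header.
PACKETS = [
    ("10.0.0.5", "10.0.0.53", "udp", 40000, 53),
    ("10.0.0.53", "10.0.0.5", "udp", 53, 40000),
    ("10.0.0.7", "10.0.0.9", "udp", 6000, 7000),
    ("10.0.0.7", "10.0.0.9", "udp", None, None),
    ("10.0.0.9", "10.0.0.7", "udp", 7000, 6000),
]
DEFAULT_SERVICES = {("udp", 53)}  # stands in for a stock /etc/services: DNS is the only UDP service

def build_tree(packets, services):
    """Step 1: tally client/server behaviour per IP; fragments have no ports and are skipped."""
    tree = defaultdict(lambda: {"client": 0, "server": 0})
    for src, dst, proto, sport, dport in packets:
        if sport is None:
            continue
        if (proto, dport) in services:    # sent to a known service port: src is the client
            tree[src]["client"] += 1
            tree[dst]["server"] += 1
        elif (proto, sport) in services:  # sent from a known service port: src is the server
            tree[src]["server"] += 1
            tree[dst]["client"] += 1
        else:                             # unknown ports: the UDP fallback, sender is just 'client'
            tree[src]["client"] += 1
    return tree

def decide_roles(tree):
    """Step 2: walk the tree; an IP is a server only if it acted like one more often."""
    return {ip: "server" if n["server"] > n["client"] else "client" for ip, n in tree.items()}

def write_cache(packets, roles):
    """Step 3: second pass; each packet's direction follows its source IP's role."""
    return ["s2c" if roles.get(src) == "server" else "c2s" for src, *_ in packets]

TCPDUMP_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): (UDP|TCP)")

def services_from_tcpdump(lines, base=frozenset()):
    """Services table for --services, built from tcpdump output. Heuristic (mine, not
    tcpprep's): the destination port of the first packet between two hosts is the server port."""
    seen, services = set(), set(base)
    for m in filter(None, map(TCPDUMP_RE.search, lines)):
        src, _, dst, dport, proto = m.groups()
        if frozenset((src, dst)) not in seen:
            seen.add(frozenset((src, dst)))
            services.add((proto.lower(), int(dport)))
    return services
```

With the stock table every packet of the 6000/7000 conversation is tagged client-to-server, which is the symptom in the thread; adding (udp, 7000) to the services set flips the reply to server-to-client.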

_______________________________________________
Tcpreplay-users mailing list
Tcpreplay-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tcpreplay-users
Support Information: http://tcpreplay.synfin.net/trac/wiki/Support