On Thu, Nov 10, 2011 at 10:41 AM, John Lumby <johnlu...@hotmail.com> wrote:
> I have a question regarding how to split a pcap based on direction in order
> to replay only one of the directions.
>
> I am running tcpreplay version: 3.4.3 (build 2375). Not sure how to find
> out tcpdump version.
>
> My workload is a client-server workload in which one windows client is
> sending UDP bootpc protocols to the server who is replying whatever. I
> captured the traffic on the server by specifying the eth0 interface so it
> has all the traffic as seen at that interface.
>
> Now I want to tcpreplay all the client-> server requests to the same server,
> without the (real) clients. I can run the tcpreplay on the server
> itself or somewhere else. I thought I would run it on a different
> machine, call it pseudo-client, on which I would set up a virtual
> bridge interface e.g. virbr0, giving that interface the exact same MAC addr
> and IP addr as the (real) windows client, and sending the client traffic
> outbound via virbr0.
>
> I see the description of tcpprep to create a cache file representing the
> split, so I did that, specifying
>     --mac=<client_mac> --reverse --pcap=tcpdumpfile
>     --cachefile=client1.cache
> which seemed to work
>
> and then tried this tcpreplay
>     tcpreplay --intf2=virbr0 --cachefile=client1.cache ###
> since I want only client traffic, which is --intf2
> but it didn't like it : ERROR: The intf1 option is required
>
> So I set up another virbr1 to take the server traffic with an iptable rule
> to drop all traffic from virbr1, and then it seems to work, but no
> traffic reaches the server, although tcpreplay reports it has sent the
> traffic out.
>
> Am I doing this the right way? Or is this something tcpreplay is not
> really intended for?

There are two quick ways to do this:

1. specify another interface which isn't being used for the test for --intf1
2. when you run tcpprep, use the --exclude option to "drop" all traffic
   from the server and specify the same interface twice. Something like

       tcpprep --exclude=S:5.4.3.2/32

   would drop all traffic from 5.4.3.2 and then use

       tcpreplay --intf1=virbr0 --intf2=virbr0 ...

-- 
Aaron Turner
http://synfin.net/         Twitter: @synfinatic
http://tcpreplay.synfin.net/ - Pcap editing and replay tools for Unix & Windows
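
As an added illustration that is not part of the original thread or of tcpreplay itself: the capture can also be reduced to the client's frames before replay, so the file holds one direction only and no cache split is needed. The function names, MAC addresses and sample capture below are constructed for the example; only classic pcap files with Ethernet link type are handled.

```python
import struct

def _mac(text):
    """Parse aa:bb:cc:dd:ee:ff (or dash-separated) into 6 raw bytes."""
    raw = bytes.fromhex(text.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC address must be 6 bytes")
    return raw

def records(data):
    """Yield (record_header, frame) pairs from a classic Ethernet pcap byte string."""
    magic = data[:4]
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
        endian = "<"   # written on a little-endian host (usec / nsec variants)
    elif magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if len(data) < 24 or struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        end = off + 16 + incl_len
        if end > len(data):
            break  # truncated last record: stop rather than emit a short frame
        yield data[off:off + 16], data[off + 16:end]
        off = end

def keep_from_mac(data, src_mac):
    """Return a pcap holding only frames whose Ethernet source address is src_mac."""
    want = _mac(src_mac)
    out = bytearray(data[:24])           # reuse the original global header
    for header, frame in records(data):
        if frame[6:12] == want:          # bytes 0-5 destination, 6-11 source
            out += header + frame
    return bytes(out)

# Constructed sample capture: two client frames and one server reply.
CLIENT, SERVER = "00:11:22:33:44:55", "66:77:88:99:aa:bb"

def sample_pcap():
    pcap = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for n, (dst, src) in enumerate([(SERVER, CLIENT), (CLIENT, SERVER), (SERVER, CLIENT)]):
        frame = _mac(dst) + _mac(src) + b"\x08\x00" + bytes([n]) * 46
        pcap += struct.pack("<IIII", 1320950460 + n, 0, len(frame), len(frame)) + frame
    return pcap

if __name__ == "__main__":
    client_only = keep_from_mac(sample_pcap(), CLIENT)
    print(len(list(records(client_only))), "client frames kept")
```

Record headers are copied unchanged, so the original timestamps and inter-packet gaps are preserved in the filtered file.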