Hmmm.... that's a challenge then. To be fair, I'd usually use tcpdump for this purpose.
Anyways, the only way I can think of right now given the existing tcpreplay/tcpprep code to do what you want is this *ugly* hack: Run: tcpdump -i eth0 -s0 -w primary.pcap & tcpdump -i eth1 -s0 -w secondary.pcap & tcpreplay -c cache.prep -i eth0 -j eth1 some.pcap kill %1 ; kill %2 # kill the tcpdump processes Basically you're replaying the pcap file on two interfaces and using tcpdump to read those packets and save them into separate files. You'll want to make sure your computer isn't generating any traffic on eth0/eth1 or anything like that or you'll get extra packets. As I said, this is really ugly. A much better solution would require some coding. Basically you'd enhance the sendpacket.[ch] code and tcpreplay.c to allow it to open pcap files for writing like if it was a network interface. That would avoid having to run tcpdump to capture the packets, avoid any extra or dropped packets and would mean the pcap timestamps would be carried over perfectly. This wouldn't be too hard to do, but there's a bunch of #defines in sendpacket.c which can make for confusing reading. I really need to rewrite this in a plugin architecture someday like tcpedit's DLT plugins to make that sorta thing easier. Anyways, if you look at the changes in http://tcpreplay.synfin.net/ticket/505 you'll see how I added support for a new Linux kernel driver which exposes a pseudo interface via a chardev to sendpacket/tcpreplay. Anyways, I opened a feature request ticket for this: http://tcpreplay.synfin.net/ticket/510 On Fri, May 25, 2012 at 7:53 AM, Jaime Nebrera <jnebr...@eneotecnologia.com> wrote: > Actually I would prefer to some way usr the cache file already generated > > As the pcap files are from public repositories (for IPS testing) it would be > quite a job to gather all client and server IPs in order to split it this > way, specially since tcpprep already did the job > > Even more, I would love to keep too non IP traffic like those ARP and DHCP > > Enviado desde Xperia™ S > > ________________________________ > > > -------- Original Message -------- > Subject: Re: [Tcpreplay-users] Split pcap in 2 directions > From: Michael Schultz <mjschu...@gmail.com> > To: Main forum for tcpreplay <tcpreplay-users@lists.sourceforge.net> > CC: > > On Fri, May 25, 2012 at 8:23 AM, Jaime Nebrera <jnebr...@eneotecnologia.com> > wrote: >> >> Still, the pcaps are big, like 1 to 2 Gb. Might be a bit too much for WS >> >> Any way to do so from command line so I can automate it? > > > tcpdump should work. > > The format would be something like: > > $ tcpdump -r <master-file> -w <client-file> src <client-ip> > $ tcpdump -r <master-file> -w <server-file> src <server-ip> > > The -r and -w flags tell tcpdump to read from and write to the respective > files. > > If you have other packets you could extend the BPF expressions by specifying > the destination IP of the server or client. This will only filter out > packet with the client and server IPs (missing any ARP and some DHCP > packets), but that probably won't be a problem. > > --michael > > ------------------------------------------------------------------------------ > Live Security Virtual Conference > Exclusive live event will cover all the ways today's security and > threat landscape has changed and how IT managers can respond. Discussions > will include endpoint security, mobile security and the latest in malware > threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ > _______________________________________________ > Tcpreplay-users mailing list > Tcpreplay-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/tcpreplay-users > Support Information: http://tcpreplay.synfin.net/trac/wiki/Support -- Aaron Turner http://synfin.net/ Twitter: @synfinatic http://tcpreplay.synfin.net/ - Pcap editing and replay tools for Unix & Windows Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. -- Benjamin Franklin "carpe diem quam minimum credula postero" ------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ _______________________________________________ Tcpreplay-users mailing list Tcpreplay-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/tcpreplay-users Support Information: http://tcpreplay.synfin.net/trac/wiki/Support
