Using tcprewrite with the seed argument is not working for me right now.  I
am rewriting a 2.5G pcap that is about 7 seconds long with tcprewrite
--seed=$(($RANDOM*$RANDOM)).  After rewriting, my pcap goes from having
75835 flows down to 43811 because tcprewrite seems to be giving different
IP addresses the same IP, which puts some of the connections in the same
tuple.

I picked out what should be 2 small flows for an example of what is
happening throughout the rewrite multiple times.  Looking at packet 4, you
can see that rewrite has given the packet the same IP as the first 3
packets.  Is there a reason this is happening?  I tried using the same
command on the original_sample.pcap and the rewrite worked perfectly.  So
the problem only exists when the file is 2.5 GB.



My original_sample.pcap:
1   0.000000  103.0.2.140 -> 103.0.6.140  TCP edtools > http [SYN] Seq=0
Win=2048 Len=0 WS=9

  2   0.005000  103.0.6.140 -> 103.0.2.140  TCP http > edtools [SYN, ACK]
Seq=0 Ack=1 Win=2048 Len=0 WS=9

  3   0.023000  103.0.2.140 -> 103.0.6.140  TCP edtools > http [ACK] Seq=1
Ack=1 Win=1048576 Len=0

  4   0.174000  103.0.2.143 -> 103.0.6.143  TCP edtools > http [SYN] Seq=0
Win=2048 Len=0 WS=9

  5   0.179000  103.0.6.143 -> 103.0.2.143  TCP http > edtools [SYN, ACK]
Seq=0 Ack=1 Win=2048 Len=0 WS=9

  6   0.208000  103.0.2.143 -> 103.0.6.143  TCP edtools > http [ACK] Seq=1
Ack=1 Win=1048576 Len=0

  7   0.403000  103.0.2.140 -> 103.0.6.140  HTTP GET
/services/auth/?api_key=610346c7619bc6bd51afbbd2739f8d1f&api_sig=b993de5486706c18a08757948c04963e&perms=write&frob=72157627531937949-7b4cf50cc91b7232-326096
HTTP/1.1

  8   0.475000  103.0.6.140 -> 103.0.2.140  TCP http > edtools [ACK] Seq=1
Ack=500 Win=1048576 Len=0

  9   0.522000  103.0.2.143 -> 103.0.6.143  HTTP GET
/services/auth/?api_key=610346c7619bc6bd51afbbd2739f8d1f&api_sig=b993de5486706c18a08757948c04963e&perms=write&frob=72157627531937949-7b4cf50cc91b7232-326096
HTTP/1.1

10   0.528000  103.0.6.143 -> 103.0.2.143  TCP http > edtools [ACK] Seq=1
Ack=500 Win=1048576 Len=0



The rewrite_sample:
1   0.000000 39.66.178.173 -> 39.66.182.173 TCP edtools > http [SYN] Seq=0
Win=2048 Len=0 WS=9

  2   0.005000 39.66.182.173 -> 39.66.178.173 TCP http > edtools [SYN, ACK]
Seq=0 Ack=1 Win=2048 Len=0 WS=9

  3   0.023000 39.66.178.173 -> 39.66.182.173 TCP edtools > http [ACK]
Seq=1 Ack=1 Win=1048576 Len=0

  4   0.174000 39.66.178.173 -> 39.66.182.173 TCP [TCP Port numbers reused]
edtools > http [SYN] Seq=0 Win=2048 Len=0 WS=9

  5   0.179000 39.66.182.173 -> 39.66.178.173 TCP http > edtools [SYN, ACK]
Seq=0 Ack=1 Win=2048 Len=0 WS=9

  6   0.208000 39.66.178.173 -> 39.66.182.173 TCP edtools > http [ACK]
Seq=1 Ack=1 Win=1048576 Len=0

  7   0.403000 39.66.178.173 -> 39.66.182.173 HTTP [TCP ACKed lost segment]
[TCP Retransmission] GET
/services/auth/?api_key=610346c7619bc6bd51afbbd2739f8d1f&api_sig=b993de5486706c18a08757948c04963e&perms=write&frob=72157627531937949-7b4cf50cc91b7232-326096
HTTP/1.1

  8   0.475000 39.66.182.173 -> 39.66.178.173 TCP http > edtools [ACK]
Seq=285549713 Ack=2574765636 Win=1048576 Len=0

  9   0.522000 39.66.178.173 -> 39.66.182.173 HTTP GET
/services/auth/?api_key=610346c7619bc6bd51afbbd2739f8d1f&api_sig=b993de5486706c18a08757948c04963e&perms=write&frob=72157627531937949-7b4cf50cc91b7232-326096
HTTP/1.1

10   0.528000 39.66.182.173 -> 39.66.178.173 TCP http > edtools [ACK] Seq=1
Ack=500 Win=1048576 Len=0



Thanks,

Eric
_______________________________________________
Tcpreplay-users mailing list
Tcpreplay-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tcpreplay-users
Support Information: http://tcpreplay.synfin.net/trac/wiki/Support
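
A way to confirm the collision described in this message, as an added example that is not part of the original post or of tcpreplay: pair each packet in the original listing with the same-numbered packet in the rewritten listing and report every rewritten address that stands in for more than one original address. The sample data is the first six packets of each listing quoted above with the wrapped lines rejoined; the function names are hypothetical.

```python
import re
from collections import defaultdict

# First six packets of each listing quoted in the message (wrapped lines rejoined).
ORIGINAL = """\
1 0.000000 103.0.2.140 -> 103.0.6.140 TCP edtools > http [SYN] Seq=0 Win=2048 Len=0 WS=9
2 0.005000 103.0.6.140 -> 103.0.2.140 TCP http > edtools [SYN, ACK] Seq=0 Ack=1 Win=2048 Len=0 WS=9
3 0.023000 103.0.2.140 -> 103.0.6.140 TCP edtools > http [ACK] Seq=1 Ack=1 Win=1048576 Len=0
4 0.174000 103.0.2.143 -> 103.0.6.143 TCP edtools > http [SYN] Seq=0 Win=2048 Len=0 WS=9
5 0.179000 103.0.6.143 -> 103.0.2.143 TCP http > edtools [SYN, ACK] Seq=0 Ack=1 Win=2048 Len=0 WS=9
6 0.208000 103.0.2.143 -> 103.0.6.143 TCP edtools > http [ACK] Seq=1 Ack=1 Win=1048576 Len=0
"""
REWRITTEN = """\
1 0.000000 39.66.178.173 -> 39.66.182.173 TCP edtools > http [SYN] Seq=0 Win=2048 Len=0 WS=9
2 0.005000 39.66.182.173 -> 39.66.178.173 TCP http > edtools [SYN, ACK] Seq=0 Ack=1 Win=2048 Len=0 WS=9
3 0.023000 39.66.178.173 -> 39.66.182.173 TCP edtools > http [ACK] Seq=1 Ack=1 Win=1048576 Len=0
4 0.174000 39.66.178.173 -> 39.66.182.173 TCP [TCP Port numbers reused] edtools > http [SYN] Seq=0 Win=2048 Len=0 WS=9
5 0.179000 39.66.182.173 -> 39.66.178.173 TCP http > edtools [SYN, ACK] Seq=0 Ack=1 Win=2048 Len=0 WS=9
6 0.208000 39.66.178.173 -> 39.66.182.173 TCP edtools > http [ACK] Seq=1 Ack=1 Win=1048576 Len=0
"""

# packet number, timestamp, source IPv4, "->", destination IPv4
PKT = re.compile(r"^\s*(\d+)\s+[\d.]+\s+(\d+\.\d+\.\d+\.\d+)\s+->\s+(\d+\.\d+\.\d+\.\d+)\s", re.M)

def endpoints(listing):
    """Map packet number -> (src, dst) from tshark-style summary lines."""
    return {int(n): (s, d) for n, s, d in PKT.findall(listing)}

def address_collisions(original, rewritten):
    """Return {rewritten_ip: [original IPs]} for every rewritten IP with more than one source."""
    before, after = endpoints(original), endpoints(rewritten)
    seen = defaultdict(set)
    for num in before.keys() & after.keys():      # rewriting keeps packet order, so pair by number
        for old, new in zip(before[num], after[num]):
            seen[new].add(old)
    return {new: sorted(olds) for new, olds in seen.items() if len(olds) > 1}

def flow_count(listing):
    """Count distinct bidirectional address pairs (the text summary carries no numeric ports)."""
    return len({frozenset(pair) for pair in endpoints(listing).values()})

if __name__ == "__main__":
    for new, olds in sorted(address_collisions(ORIGINAL, REWRITTEN).items()):
        print(f"{new} <- {', '.join(olds)}")
    print("address pairs:", flow_count(ORIGINAL), "->", flow_count(REWRITTEN))
```

On these six packets the check reports both rewritten addresses as shared by two original hosts, and the address-pair count drops from 2 to 1, matching the merged flows reported for the full capture.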
