I can guess. The randomization feature isn't that smart... just a simple algorithm and doesn't check for uniqueness. I never bothered to check that it was a good implementation for large data sets.
http://tcpreplay.synfin.net/browser/branches/3.4/src/tcpedit/edit_packet.c#L125

If you have enough packets with enough IP addresses, sooner or later you'll end up with a collision (IP1 and IP2 => NewIP). I guess I could come up with a better algorithm which avoids duplicate results. Probably be a while before that happens though.

On Tue, Sep 25, 2012 at 10:04 PM, Eric Formo <e...@vineyardnetworks.com> wrote:
> Using tcprewrite with the seed argument is not working for me right now. I am rewriting a 2.5G pcap that is about 7 seconds long with tcprewrite --seed=$(($RANDOM*$RANDOM)). After rewriting, my pcap goes from having 75835 flows down to 43811 because tcprewrite seems to be giving different IP addresses the same IP which puts some of the connections in the same tuple.
>
> I picked out what should be 2 small flows for an example of what is happening throughout the rewrite multiple times. Looking at packet 4, you can see that rewrite has given the packet the same IP as the first 3 packets. Is there a reason this is happening? I tried using the same command on the original_sample.pcap and the rewrite worked perfectly. So the problem only exists when the file is 2.5 GB.
>
> My original_sample.pcap:
> 1 0.000000 103.0.2.140 -> 103.0.6.140 TCP edtools > http [SYN] Seq=0 Win=2048 Len=0 WS=9
> 2 0.005000 103.0.6.140 -> 103.0.2.140 TCP http > edtools [SYN, ACK] Seq=0 Ack=1 Win=2048 Len=0 WS=9
> 3 0.023000 103.0.2.140 -> 103.0.6.140 TCP edtools > http [ACK] Seq=1 Ack=1 Win=1048576 Len=0
> 4 0.174000 103.0.2.143 -> 103.0.6.143 TCP edtools > http [SYN] Seq=0 Win=2048 Len=0 WS=9
> 5 0.179000 103.0.6.143 -> 103.0.2.143 TCP http > edtools [SYN, ACK] Seq=0 Ack=1 Win=2048 Len=0 WS=9
> 6 0.208000 103.0.2.143 -> 103.0.6.143 TCP edtools > http [ACK] Seq=1 Ack=1 Win=1048576 Len=0
> 7 0.403000 103.0.2.140 -> 103.0.6.140 HTTP GET /services/auth/?api_key=610346c7619bc6bd51afbbd2739f8d1f&api_sig=b993de5486706c18a08757948c04963e&perms=write&frob=72157627531937949-7b4cf50cc91b7232-326096 HTTP/1.1
> 8 0.475000 103.0.6.140 -> 103.0.2.140 TCP http > edtools [ACK] Seq=1 Ack=500 Win=1048576 Len=0
> 9 0.522000 103.0.2.143 -> 103.0.6.143 HTTP GET /services/auth/?api_key=610346c7619bc6bd51afbbd2739f8d1f&api_sig=b993de5486706c18a08757948c04963e&perms=write&frob=72157627531937949-7b4cf50cc91b7232-326096 HTTP/1.1
> 10 0.528000 103.0.6.143 -> 103.0.2.143 TCP http > edtools [ACK] Seq=1 Ack=500 Win=1048576 Len=0
>
> The rewrite_sample:
> 1 0.000000 39.66.178.173 -> 39.66.182.173 TCP edtools > http [SYN] Seq=0 Win=2048 Len=0 WS=9
> 2 0.005000 39.66.182.173 -> 39.66.178.173 TCP http > edtools [SYN, ACK] Seq=0 Ack=1 Win=2048 Len=0 WS=9
> 3 0.023000 39.66.178.173 -> 39.66.182.173 TCP edtools > http [ACK] Seq=1 Ack=1 Win=1048576 Len=0
> 4 0.174000 39.66.178.173 -> 39.66.182.173 TCP [TCP Port numbers reused] edtools > http [SYN] Seq=0 Win=2048 Len=0 WS=9
> 5 0.179000 39.66.182.173 -> 39.66.178.173 TCP http > edtools [SYN, ACK] Seq=0 Ack=1 Win=2048 Len=0 WS=9
> 6 0.208000 39.66.178.173 -> 39.66.182.173 TCP edtools > http [ACK] Seq=1 Ack=1 Win=1048576 Len=0
> 7 0.403000 39.66.178.173 -> 39.66.182.173 HTTP [TCP ACKed lost segment] [TCP Retransmission] GET /services/auth/?api_key=610346c7619bc6bd51afbbd2739f8d1f&api_sig=b993de5486706c18a08757948c04963e&perms=write&frob=72157627531937949-7b4cf50cc91b7232-326096 HTTP/1.1
> 8 0.475000 39.66.182.173 -> 39.66.178.173 TCP http > edtools [ACK] Seq=285549713 Ack=2574765636 Win=1048576 Len=0
> 9 0.522000 39.66.178.173 -> 39.66.182.173 HTTP GET /services/auth/?api_key=610346c7619bc6bd51afbbd2739f8d1f&api_sig=b993de5486706c18a08757948c04963e&perms=write&frob=72157627531937949-7b4cf50cc91b7232-326096 HTTP/1.1
> 10 0.528000 39.66.182.173 -> 39.66.178.173 TCP http > edtools [ACK] Seq=1 Ack=500 Win=1048576 Len=0
>
> Thanks,
>
> Eric
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Tcpreplay-users mailing list
> Tcpreplay-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/tcpreplay-users
> Support Information: http://tcpreplay.synfin.net/trac/wiki/Support

--
Aaron Turner
http://synfin.net/ Twitter: @synfinatic
http://tcpreplay.synfin.net/ - Pcap editing and replay tools for Unix & Windows
Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety.
    -- Benjamin Franklin
"carpe diem quam minimum credula postero"
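
The collision discussed in this thread, as an added example that is not part of the original messages and is not tcpreplay's code: it assumes a stateless seed mix of the form `(ip ^ seed) - (ip & seed)`, shows 103.0.2.140 and 103.0.2.143 collapsing to one address under a constructed seed, and contrasts that with a hypothetical Feistel-based mapping that is a bijection and so cannot merge flows. `mix_lossy`, `mix_bijective`, `round_fn`, `distinct_outputs` and `SAMPLE_SEED` are illustrative names; addresses are treated as plain host-order integers.

```c
#include <stdint.h>
#include <stdio.h>

#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((b) << 16) | ((c) << 8) | (d))
#define SAMPLE_SEED 0x2A6F31D5u /* constructed seed; its low two bits are 01 */

typedef uint32_t (*mix_fn)(uint32_t ip, uint32_t seed);

/* Assumed stateless mix (hypothetical form). Not injective: wherever the seed
 * has bits ..01, inputs ending in ..00 and ..11 produce the same output. */
static uint32_t mix_lossy(uint32_t ip, uint32_t seed)
{
    return (ip ^ seed) - (ip & seed);
}

/* Hypothetical round function; any function works, the Feistel structure
 * below is what guarantees invertibility. */
static uint16_t round_fn(uint16_t half, uint32_t seed, int round)
{
    uint32_t x = (half + seed + (uint32_t)round * 0x9E3779B9u) * 0x85EBCA6Bu;
    return (uint16_t)(x >> 16);
}

/* 4-round Feistel network over the 32-bit address: a permutation for every
 * seed, so two different source addresses never share a rewritten address. */
static uint32_t mix_bijective(uint32_t ip, uint32_t seed)
{
    uint16_t l = (uint16_t)(ip >> 16), r = (uint16_t)ip;
    for (int i = 0; i < 4; i++) {
        uint16_t t = (uint16_t)(l ^ round_fn(r, seed, i));
        l = r;
        r = t;
    }
    return ((uint32_t)l << 16) | r;
}

/* Distinct rewritten addresses for the n consecutive inputs starting at base. */
static int distinct_outputs(mix_fn f, uint32_t base, int n, uint32_t seed)
{
    int distinct = 0;
    for (int i = 0; i < n; i++) {
        int seen = 0;
        for (int j = 0; j < i && !seen; j++)
            seen = f(base + j, seed) == f(base + i, seed);
        distinct += !seen;
    }
    return distinct;
}

int main(void)
{
    uint32_t net = IP4(103, 0, 2, 0);
    printf("distinct outputs for 256 inputs: lossy=%d bijective=%d\n",
           distinct_outputs(mix_lossy, net, 256, SAMPLE_SEED),
           distinct_outputs(mix_bijective, net, 256, SAMPLE_SEED));
    return 0;
}
```

A quick check for this symptom on a rewritten capture is to compare the count of distinct addresses (or flows) before and after the rewrite; any drop means the mapping merged endpoints.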