Hi all, We're attempting to use tcpprep to partition nodes on a network into clients and servers, but are getting some unexpected results.
We are not using tcpreplay to replay the traffic, we would only like to leverage tcpprep's algorithms for distinguishing servers and clients. We are using a command like:

    tcpprep --auto=bridge --pcap=100meg.pcap --cachefile=100meg.cache
    tcpprep --print-info=100meg.cache > dirs.txt

We then combine it with a dump of the IP addresses like this:

    tshark -n -o "column.format:srcaddr,\"%s\",srcport,\"%uS\",dstaddr,\"%d\",dstport,\"%uD\"" -r 100meg.pcap > ips.txt
    paste -d' == ' ips.txt dirs.txt > both.txt

Now I have a file like this:

    ....
    134.253.26.250 80 192.168.1.36 57090 Packet 139991 -> Secondary
    192.168.1.36 57090 134.253.26.250 80 Packet 139992 -> Primary
    134.253.26.250 80 192.168.1.36 57090 Packet 139993 -> Secondary
    134.253.26.250 80 192.168.1.36 57090 Packet 139994 -> Secondary
    192.168.1.36 57090 134.253.26.250 80 Packet 139995 -> Primary
    ....

I think this is telling me whether the first (if Primary) or second (if Secondary) IP address is the client. However, I run into situations like this:

    192.168.1.221 53344 134.253.181.25 53 Packet 14067 -> Secondary   [LINE A]
    134.253.181.25 53 192.168.1.221 53344 Packet 14068 -> Secondary   [LINE B]

Here we can see that 192.168.1.221 is classified as a client of 134.253.181.25 in LINE A, but the roles are reversed on LINE B. I was under the impression from the documentation that an IP address would be classified as either a "server" or a "client" for the entire life of the pcap file, but here the roles are reversed *even with respect to each other*.

We have tried using the different modes of --auto, with no luck. Am I misusing the tool? Is there a better way to get at a clean partitioning of servers/clients? Am I missing something conceptually?

--- OUTPUT OF tcpprep -V ---
tcpprep version: 4.0.4 (build git:v4.0.4)
Copyright 2013-2014 by Fred Klassen <tcpreplay at appneta dot com> - AppNeta Inc.
Copyright 2000-2012 by Aaron Turner <aturner at synfin dot net>
The entire Tcpreplay Suite is licensed under the GPLv3
Cache file supported: 04
Not compiled with libdnet.
Compiled against libpcap: 1.1.1
64 bit packet counters: enabled
Verbose printing via tcpdump: enabled
------------------------------------------

Thanks for any help/suggestions.

_______________________________________________
Tcpreplay-users mailing list
https://lists.sourceforge.net/lists/listinfo/tcpreplay-users
Support Information: http://tcpreplay.synfin.net/trac/wiki/Support
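As an added illustration (not part of the original post and not tcpprep's own code), the following Python script reads lines in the both.txt layout quoted above and cross-checks the labels against a "one role per IP" model. It takes the post's own reading as an assumption, namely that Primary means the source address was classified as the client and Secondary that it was classified as the server, and then lists every IP that is not labelled the same way on every packet it sends, plus every flow seen in both directions whose two endpoints carry the same label (the LINE A / LINE B case). The sample input is the set of lines quoted in the post; the function and variable names are the example's own.

```python
"""Cross-check tcpprep Primary/Secondary labels against packet endpoints.

Added example, not part of the original post or of tcpreplay.  It reads the
'both.txt' layout from the post (src sport dst dport, then the text that
tcpprep --print-info emits for that packet) and reports where the labels
disagree with a simple 'one role per IP' model.

Assumption (taken from the post, not verified against tcpprep's source):
Primary means the source IP was classified as the client, Secondary that it
was classified as the server.
"""
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(
    r"^\s*(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s+Packet\s+(\d+)\s+->\s+(Primary|Secondary)\s*$"
)

# Sample input: the lines quoted in the post (separator lines are skipped).
SAMPLE_LINES = """
....
134.253.26.250 80 192.168.1.36 57090 Packet 139991 -> Secondary
192.168.1.36 57090 134.253.26.250 80 Packet 139992 -> Primary
134.253.26.250 80 192.168.1.36 57090 Packet 139993 -> Secondary
134.253.26.250 80 192.168.1.36 57090 Packet 139994 -> Secondary
192.168.1.36 57090 134.253.26.250 80 Packet 139995 -> Primary
....
192.168.1.221 53344 134.253.181.25 53 Packet 14067 -> Secondary
134.253.181.25 53 192.168.1.221 53344 Packet 14068 -> Secondary
""".splitlines()


def parse_lines(lines):
    """Turn both.txt lines into dicts; lines that do not fit the layout are skipped."""
    records = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        src, sport, dst, dport, pkt, label = m.groups()
        records.append({
            "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport),
            "pkt": int(pkt),
            # Role tcpprep assigned to the *sender* of this packet (assumption above).
            "role_of_src": "client" if label == "Primary" else "server",
        })
    return records


def role_counts(records):
    """Per source IP: how many packets it sent while labelled client vs server."""
    counts = defaultdict(Counter)
    for r in records:
        counts[r["src"]][r["role_of_src"]] += 1
    return {ip: dict(c) for ip, c in counts.items()}


def inconsistent_ips(records):
    """IPs that are labelled client on some packets and server on others."""
    return sorted(ip for ip, c in role_counts(records).items() if len(c) > 1)


def same_label_flows(records):
    """Flows seen in both directions where both endpoints carry the same label.

    This is the LINE A / LINE B situation from the post: neither side is the
    'client' relative to the other.  Returns sorted ((ip, port), (ip, port)) pairs.
    """
    ends_by_flow = defaultdict(set)
    for r in records:
        flow = frozenset({(r["src"], r["sport"]), (r["dst"], r["dport"])})
        ends_by_flow[flow].add((r["src"], r["role_of_src"]))
    result = []
    for flow, ends in ends_by_flow.items():
        roles = {role for _, role in ends}
        if len(ends) == 2 and len(roles) == 1:
            result.append(tuple(sorted(flow)))
    return sorted(result)


def report(lines):
    """Human-readable summary; returns the text so callers can check it."""
    recs = parse_lines(lines)
    out = [f"{len(recs)} packets parsed"]
    for ip, c in sorted(role_counts(recs).items()):
        out.append(f"  {ip:16} client={c.get('client', 0):4d} server={c.get('server', 0):4d}")
    out.append(f"IPs with mixed roles: {inconsistent_ips(recs) or 'none'}")
    for a, b in same_label_flows(recs):
        out.append(f"both ends same label: {a[0]}:{a[1]} <-> {b[0]}:{b[1]}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LINES))
```

Run against the post's lines, no IP changes role between packets; instead the DNS flow is the one where both senders are labelled Secondary, which is a different symptom from a per-IP flip and worth separating before concluding that the tool is misclassifying. To run it on a real both.txt, pass `open("both.txt").read().splitlines()` to `report()` in place of `SAMPLE_LINES`.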
