Basically what that means is that tcpprep has classified BOTH
192.168.1.221 and 134.253.181.25 in the same category.  Tcpprep
actually looks at the entire pcap and does some basic analysis to
classify IPs as "clients" or "servers", but sometimes the traffic
contains both client & server functionality for the same IP.  A common
example would be an SMTP server which is both accepting mail and
relaying mail out.  In such a case, tcpprep will look at the ratio to
decide.

You can also get situations where the traffic for a given IP doesn't
show an obvious client/server relationship.  In those cases, tcpprep
looks at the IPs nearby to see if it can figure it out.  The theory
being that servers tend to be on their own subnets, so any IP on the
same subnet as another server is more likely to be a server too.

In these cases, tcpprep's --ratio and --minmask/--maxmask can help
tune how things are categorized.

--
Aaron Turner
http://synfin.net/         Twitter: @synfinatic
Those who would give up essential Liberty, to purchase a little temporary
Safety, deserve neither Liberty nor Safety.
    -- Benjamin Franklin

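To make the ratio-then-subnet logic above concrete, here is a small Python model of it written for this thread. It is an added illustration, not tcpprep's source code: the evidence rules (TCP SYN / SYN-ACK, UDP well-known port), the 2.0 ratio, the /30 to /24 mask range and all sample traffic are assumptions made for the example, and reading "Primary" as "source sent as a client" and "Secondary" as "source sent as a server" is taken from the output posted in the question rather than verified against tcpprep. It also turns the per-packet Primary/Secondary lines back into per-IP roles and flags flows like LINE A / LINE B where both ends landed in the same category.

```python
"""Toy model of tcpprep-style client/server classification (added example).

Written for this thread as an illustration; it is NOT tcpprep's source.
It models per-IP client vs. server evidence, a --ratio style cutoff and a
--minmask/--maxmask style subnet fallback.  All rules are assumptions.
"""
import ipaddress
from collections import defaultdict

# Constructed sample traffic, not from the thread's pcap:
# (src, sport, dst, dport, proto, tcp_flags)
PACKETS = [
    ("192.168.1.36", 57090, "134.253.26.250", 80, "tcp", "S"),   # web client
    ("134.253.26.250", 80, "192.168.1.36", 57090, "tcp", "SA"),
    ("10.0.0.9", 40001, "10.0.0.5", 25, "tcp", "S"),             # relay 10.0.0.5
    ("10.0.0.5", 25, "10.0.0.9", 40001, "tcp", "SA"),            # accepts 2 mails
    ("10.0.0.9", 40002, "10.0.0.5", 25, "tcp", "S"),
    ("10.0.0.5", 25, "10.0.0.9", 40002, "tcp", "SA"),
    ("10.0.0.5", 50000, "198.51.100.7", 25, "tcp", "S"),         # and relays 1 out
    ("198.51.100.7", 25, "10.0.0.5", 50000, "tcp", "SA"),
    ("10.0.0.9", 40003, "10.0.0.6", 25, "tcp", "S"),             # 10.0.0.6: 1 in,
    ("10.0.0.6", 25, "10.0.0.9", 40003, "tcp", "SA"),            # 1 out, so no
    ("10.0.0.6", 50001, "198.51.100.7", 25, "tcp", "S"),         # clear role alone
    ("198.51.100.7", 25, "10.0.0.6", 50001, "tcp", "SA"),
    ("192.168.1.221", 53344, "134.253.181.25", 53, "udp", ""),   # DNS over UDP
    ("134.253.181.25", 53, "192.168.1.221", 53344, "udp", ""),
]

def evidence(packets):
    """Per-IP client/server counts.  Assumed rules: TCP SYN -> src client,
    dst server; SYN-ACK -> the reverse; UDP -> the <1024 port side is the server."""
    client, server = defaultdict(int), defaultdict(int)
    for src, sport, dst, dport, proto, flags in packets:
        if proto == "tcp" and flags == "S":
            client[src] += 1
            server[dst] += 1
        elif proto == "tcp" and flags == "SA":
            server[src] += 1
            client[dst] += 1
        elif proto == "udp" and (sport < 1024) != (dport < 1024):
            srv, cli = (src, dst) if sport < 1024 else (dst, src)
            server[srv] += 1
            client[cli] += 1
    return client, server

def classify_by_ratio(client, server, ratio=2.0):
    """Decide a role only when one count is >= ratio times the other
    (the --ratio idea); everything else stays 'unknown'."""
    roles = {}
    for ip in set(client) | set(server):
        c, s = client[ip], server[ip]
        if s and s >= ratio * c:
            roles[ip] = "server"
        elif c and c >= ratio * s:
            roles[ip] = "client"
        else:
            roles[ip] = "unknown"
    return roles

def subnet_fallback(ip, roles, minmask=30, maxmask=24):
    """Walk from the most specific mask (minmask) to the broadest (maxmask) and
    adopt the majority role of decided neighbours.  Mask defaults are assumed."""
    for prefix in range(minmask, maxmask - 1, -1):
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        votes = defaultdict(int)
        for other, role in roles.items():
            if other != ip and role != "unknown" and ipaddress.ip_address(other) in net:
                votes[role] += 1
        if votes:
            return max(votes, key=votes.get)
    return "unknown"

def classify(packets, ratio=2.0, minmask=30, maxmask=24):
    """Full pipeline: evidence -> ratio cutoff -> subnet fallback."""
    roles = classify_by_ratio(*evidence(packets), ratio=ratio)
    for ip, role in list(roles.items()):
        if role == "unknown":
            roles[ip] = subnet_fallback(ip, roles, minmask, maxmask)
    return roles

# Lines in the both.txt format from the question (copied, not regenerated):
CACHE_LINES = [
    "134.253.26.250 80 192.168.1.36 57090 Packet 139991 -> Secondary",
    "192.168.1.36 57090 134.253.26.250 80 Packet 139992 -> Primary",
    "192.168.1.221 53344 134.253.181.25 53 Packet 14067 -> Secondary",
    "134.253.181.25 53 192.168.1.221 53344 Packet 14068 -> Secondary",
]

def roles_from_cache_lines(lines):
    """Per-IP roles from per-packet cache decisions.  Assumed from the posted
    output: Primary = source sent as client, Secondary = source sent as server."""
    roles = defaultdict(set)
    for line in lines:
        f = line.split()
        if len(f) == 8 and f[4] == "Packet" and f[6] == "->":
            roles[f[0]].add("client" if f[7] == "Primary" else "server")
    return dict(roles)

def same_role_flows(lines):
    """Flows whose two endpoints both landed in the same category (LINE A/B)."""
    roles = roles_from_cache_lines(lines)
    hits = set()
    for line in lines:
        f = line.split()
        if roles.get(f[0]) and roles.get(f[0]) == roles.get(f[2]):
            hits.add(tuple(sorted((f[0], f[2]))))
    return hits
```

With the sample traffic, 10.0.0.5 is decided "server" by the ratio alone (4 server hits against 2 client hits), 10.0.0.6 is "unknown" after the ratio step and only becomes "server" because 10.0.0.5 shares its /30, and the two DNS lines from the question come back as a same-role pair, which is the situation Aaron describes. Lowering the ratio or widening the mask range changes which IPs fall through to the subnet vote, which is what --ratio and --minmask/--maxmask tune.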

On Wed, Apr 30, 2014 at 1:18 PM, Bradley, Jon <[email protected]> wrote:
> Hi all,
>
> We're attempting to use tcpprep to partition nodes on a network into clients 
> and servers, but are getting some unexpected results.
>
>  We are not using tcpreplay to replay the traffic, we would only like to 
> leverage the tcpprep's algorithms for distinguishing servers and clients.
>
> We are using a command like:
>
> tcpprep --auto=bridge --pcap=100meg.pcap --cachefile=100meg.cache
> tcpprep --print-info=100meg.cache > dirs.txt
>
> We then combine it with a dump of the IP addresses like this:
>
> tshark -n -o 
> "column.format:srcaddr,\"%s\",srcport,\"%uS\",dstaddr,\"%d\",dstport,\"%uD\"" 
> -r  100meg.pcap > ips.txt
> paste -d' == ' ips.txt dirs.txt > both.txt
>
> Now I have a file like this:
> ....
> 134.253.26.250 80 192.168.1.36 57090 Packet 139991 -> Secondary
> 192.168.1.36 57090 134.253.26.250 80 Packet 139992 -> Primary
> 134.253.26.250 80 192.168.1.36 57090 Packet 139993 -> Secondary
> 134.253.26.250 80 192.168.1.36 57090 Packet 139994 -> Secondary
> 192.168.1.36 57090 134.253.26.250 80 Packet 139995 -> Primary
> ....
>
> I think this is telling me whether the first (if primary) or second (if 
> secondary) ip address is the client.
>
> However, I run into situations like this:
>
> 192.168.1.221 53344 134.253.181.25 53 Packet 14067 -> Secondary [LINE A]
> 134.253.181.25 53 192.168.1.221 53344 Packet 14068 -> Secondary [LINE B]
>
> Where we can see that 192.168.1.221 is classified as a client of 
> 134.253.181.25 in LINE A,
> But the roles are reversed on LINE B.
>
> I was under the impression from the documentation that an IP address would be 
> classified as either a "server" or a "client" for the entire life of the pcap 
> file, but here the roles are reversed *even with respect to each other*.
>
> We have tried using the different modes of --auto, with no luck.
>
> Am I mis-using the tool?  Is there a better way to get at a clean 
> partitioning of servers/clients?  Am I missing something conceptually?
>
> ---OUTPUT OF tcpprep -V -----
> tcpprep version: 4.0.4 (build git:v4.0.4)
> Copyright 2013-2014 by Fred Klassen <tcpreplay at appneta dot com> - AppNeta 
> Inc.
> Copyright 2000-2012 by Aaron Turner <aturner at synfin dot net>
> The entire Tcpreplay Suite is licensed under the GPLv3
> Cache file supported: 04
> Not compiled with libdnet.
> Compiled against libpcap: 1.1.1
> 64 bit packet counters: enabled
> Verbose printing via tcpdump: enabled
> ------------------------------------------
>
>
> Thanks for any help /suggestions.
>
> ------------------------------------------------------------------------------
> "Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE
> Instantly run your Selenium tests across 300+ browser/OS combos.  Get
> unparalleled scalability from the best Selenium testing platform available.
> Simple to use. Nothing to install. Get started now for free."
> http://p.sf.net/sfu/SauceLabs
> _______________________________________________
> Tcpreplay-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/tcpreplay-users
> Support Information: http://tcpreplay.synfin.net/trac/wiki/Support
