[Tcpreplay-users] tcpprep

Mike Komer Wed, 07 Jun 2017 18:23:24 -0700

tcpreplay version: 4.1.0 (build git:v4.1.0)



This is from the tcpprep man page

-x string, --include=string
      Include only packets matching rule. This option may appear up to 1 times. 
This option must not appear in combination with any of the following options: 
exclude.

      Override default of processing all packets stored in the capture file and 
only send/edit packets which match the provided rule. Rules can be one of:
      S:<CIDR1>,... - Source IP must match specified IPv4/v6 CIDR(s)
      D:<CIDR1>,... - Destination IP must match specified IPv4/v6 CIDR(s)
      B:<CIDR1>,... - Both source and destination IP must match specified 
IPv4/v6 CIDR(s)
      E:<CIDR1>,... - Either IP must match specified IPv4/v6 CIDR(s)
      P:<LIST> - Must be one of the listed packets where the list corresponds 
to the packet number in the capture file.
      -x P:1-5,9,15,72-
      would process packets 1 thru 5, the 9th and 15th packet, and packets 72 
until the end of the file

Emphasis mine.

After doing all this, to the attached capture:

tcprewrite --enet-vlan=del 
--pnat=10.48.144.240/32:1.0.1.5/32,10.48.144.248/32:1.0.1.6/32,172.21.61.25/32:4.0.1.12/32
 -b --infile='tmp/LINK.pcap' --outfile='tmp/IP.pcap'
tcprewrite --dlt=enet --enet-vlan=del 
--enet-dmac=02:00:00:bb:bb:00,02:00:00:cc:cc:00 
--enet-smac=02:00:00:aa:aa:00,02:00:00:dd:dd:00 --cachefile=tmp/INPUT.cache 
--infile='tmp/IP.pcap' --outfile='tmp/REPLAY.pcap'
tcpprep --cidr=1.0.0.0/8 --include=P:4-16,21-33 --cachefile='tmp/INPUT.cache' 
--pcap='tmp/IP.pcap'

I would expect only packets 4-16,21-33 to be modified and/or given a direction 
in the cache. But they all have and there is nothing indicating that it will 
not replay everything.
And, indeed, the entire capture is replayed. This makes no difference: 
--include='P:4-16,21-33' vs --include=P:4-16,21-33

This also does not stop anything:
tcpprep --cidr=1.0.0.0/8 --include=E:1.0.0.0/8 --cachefile='tmp/INPUT.cache' 
--pcap='tmp/IP.pcap'

This does:
tcpprep --cidr=1.0.0.0/8 --include=S:1.0.0.0/8 --cachefile='tmp/INPUT.cache' 
--pcap='tmp/IP.pcap'

I cannot find where this was recently discussed or fixed in the archives. Seems 
like a bug.

-Mike

two-gets.pcap
Description: two-gets.pcap

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot

_______________________________________________
Tcpreplay-users mailing list
Tcpreplay-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tcpreplay-users
Support Information: http://tcpreplay.synfin.net/trac/wiki/Support

[Tcpreplay-users] tcpprep

Reply via email to