tcpreplay version: 4.1.0 (build git:v4.1.0)
This is from the tcpprep man page
-x string, --include=string
Include only packets matching rule. This option may appear up to 1 times.
This option must not appear in combination with any of the following options:
exclude.
Override default of processing all packets stored in the capture file and
only send/edit packets which match the provided rule. Rules can be one of:
S:<CIDR1>,... - Source IP must match specified IPv4/v6 CIDR(s)
D:<CIDR1>,... - Destination IP must match specified IPv4/v6 CIDR(s)
B:<CIDR1>,... - Both source and destination IP must match specified
IPv4/v6 CIDR(s)
E:<CIDR1>,... - Either IP must match specified IPv4/v6 CIDR(s)
P:<LIST> - Must be one of the listed packets where the list corresponds
to the packet number in the capture file.
-x P:1-5,9,15,72-
would process packets 1 thru 5, the 9th and 15th packet, and packets 72
until the end of the file
Emphasis mine.
After doing all this, to the attached capture:
tcprewrite --enet-vlan=del
--pnat=10.48.144.240/32:1.0.1.5/32,10.48.144.248/32:1.0.1.6/32,172.21.61.25/32:4.0.1.12/32
-b --infile='tmp/LINK.pcap' --outfile='tmp/IP.pcap'
tcprewrite --dlt=enet --enet-vlan=del
--enet-dmac=02:00:00:bb:bb:00,02:00:00:cc:cc:00
--enet-smac=02:00:00:aa:aa:00,02:00:00:dd:dd:00 --cachefile=tmp/INPUT.cache
--infile='tmp/IP.pcap' --outfile='tmp/REPLAY.pcap'
tcpprep --cidr=1.0.0.0/8 --include=P:4-16,21-33 --cachefile='tmp/INPUT.cache'
--pcap='tmp/IP.pcap'
I would expect only packets 4-16,21-33 to be modified and/or given a direction
in the cache. But they all have and there is nothing indicating that it will
not replay everything.
And, indeed, the entire capture is replayed. This makes no difference:
--include='P:4-16,21-33' vs --include=P:4-16,21-33
This also does not stop anything:
tcpprep --cidr=1.0.0.0/8 --include=E:1.0.0.0/8 --cachefile='tmp/INPUT.cache'
--pcap='tmp/IP.pcap'
This does:
tcpprep --cidr=1.0.0.0/8 --include=S:1.0.0.0/8 --cachefile='tmp/INPUT.cache'
--pcap='tmp/IP.pcap'
I cannot find where this was recently discussed or fixed in the archives. Seems
like a bug.
-Mike
two-gets.pcap
Description: two-gets.pcap
------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________ Tcpreplay-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/tcpreplay-users Support Information: http://tcpreplay.synfin.net/trac/wiki/Support
