Feature #853 direct traffic to pcap #871

Merged
merged 5 commits into from
Jun 29, 2024


@fklassen fklassen commented Jun 5, 2024

No description provided.

@fklassen fklassen force-pushed the Feature_#853_direct_traffic_to_pcap branch from 5f99ac9 to b1e1ee8 Compare June 6, 2024 02:05
@fklassen
Member Author

I'm not quite ready to move this into 4.5.0. I am still struggling to see what value this has vs. tcprewrite. I don't want to shelve this yet, but I'll review for the following feature release.

@fklassen fklassen changed the base branch from 4.5.0-beta1 to 4.6.0 June 10, 2024 03:15
@fklassen fklassen marked this pull request as draft June 10, 2024 03:15
@fklassen fklassen changed the base branch from 4.6.0 to 4.6.0-alpha June 10, 2024 04:02
@jasonlue

The use scenario:

Suppose I have a seed pcap http.pcap with only a few packets. The goal is to generate a large http_many.pcap file. http_many.pcap file repeats http.pcap, but with different IP addresses.

Solution #1:
(1) write a bash to multiply http.pcap to http.more.of.the.same.pcap with wireshark's mergecap
(2) tcprewrite http.more.of.the.same.pcap, randomize the ip address, and output as http_many.pcap.

Solution #2:
tcpreplay --unique-ip -l1000 -w http.many.pcap http.pcap

Solution #2 is simple and straightforward. It doesn't require another program (mergecap) and bash file. (Or a simple app to do the same). We only deploy tcpreplay and enjoy the benefits.
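
The scenario in the comment above (repeat a small seed capture several times with different IP addresses on each pass), written out as an added Python example; it is not tcpreplay's code and does not claim to reproduce how `--unique-ip` chooses addresses. The names `unique_pair`, `multiply_pcap` and `header_ok`, the constructed sample frames, and the add/subtract rewriting rule are assumptions of this example, which handles only little-endian classic pcap with untagged Ethernet/IPv4.

```python
import struct

REC = struct.Struct("<IIII")  # pcap record header: ts_sec, ts_usec, incl_len, orig_len
# Constructed sample frames: zeroed MACs, 20-byte IPv4 header, 10.0.0.5 <-> 192.0.2.80.
REQ = bytes(12) + bytes.fromhex("0800" "45000014000000004006ae8f" "0a000005" "c0000250")
RSP = bytes(12) + bytes.fromhex("0800" "45000014000000004006ae8f" "c0000250" "0a000005")
SEED = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + \
    REC.pack(100, 0, 34, 34) + REQ + REC.pack(101, 0, 34, 34) + RSP


def header_ok(frame: bytes) -> bool:
    """True if the option-free IPv4 header checksum (RFC 1071) of a frame verifies."""
    total = sum(struct.unpack("!10H", frame[14:34]))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def unique_pair(frame: bytes, k: int) -> bytes:
    """Spread an Ethernet/IPv4 frame's addresses apart by k; other frames pass through."""
    if k == 0 or len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return frame
    src, dst = struct.unpack("!II", frame[26:34])
    hi, lo = max(src, dst) + k, min(src, dst) - k  # same choice in both flow directions
    if src == dst or hi > 0xFFFFFFFF or lo < 0:
        return frame  # a 32-bit wrap would break the checksum invariant below
    # +k on one address and -k on the other leaves the ones'-complement sums unchanged,
    # so the IPv4 header and TCP/UDP pseudo-header checksums stay valid as they are.
    pair = (hi, lo) if src > dst else (lo, hi)
    return frame[:26] + struct.pack("!II", *pair) + frame[34:]


def multiply_pcap(seed: bytes, loops: int) -> bytes:
    """Repeat a little-endian classic pcap `loops` times, unique addresses per loop."""
    if seed[:4] != b"\xd4\xc3\xb2\xa1":
        raise ValueError("only little-endian microsecond pcap is handled")
    records, pos = [], 24
    while pos + REC.size <= len(seed):
        sec, usec, incl, orig = REC.unpack_from(seed, pos)
        pos += REC.size
        records.append((sec, usec, orig, seed[pos:pos + incl]))
        pos += incl
    span = records[-1][0] - records[0][0] + 1 if records else 0  # keeps time monotonic
    out = bytearray(seed[:24])
    for k in range(loops):
        for sec, usec, orig, frame in records:
            out += REC.pack(sec + k * span, usec, len(frame), orig) + unique_pair(frame, k)
    return bytes(out)
```

Calling `multiply_pcap(SEED, 1000)` on the constructed seed yields 2000 records in which each pass carries its own address pair and the request and reply of a pass still match each other.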

@fklassen
Member Author

OK, I never thought of that scenario. I am wondering if it may be better to add -l and --unique-ip to tcprewrite, or maybe we can come up with a different solution. What are your thoughts?

Currently there is a clear distinction between tcpreplay and tcprewrite. The former writes to networks, the latter writes to files. I am inclined to keep it that way. Adding --unique-ip to tcpreplay caused some confusion, and some argued it should have only been in tcprewrite. But it was something I added because it suited a project we were working on.

@jasonlue

Adding -l --unique-ip looks like a good idea.

@fklassen
Member Author

I am reconsidering this in light of feature #884, tcpreplay is producing results that are hard to do with the combination of tcpprep and tcprewrite. Since -w is taken, maybe the -o option can be used.

@fklassen fklassen force-pushed the Feature_#853_direct_traffic_to_pcap branch from b1e1ee8 to 6a8dbd6 Compare June 29, 2024 16:17
@fklassen fklassen changed the base branch from 4.6.0-alpha to 4.5.0-beta3 June 29, 2024 17:53
@fklassen fklassen self-assigned this Jun 29, 2024
@fklassen fklassen marked this pull request as ready for review June 29, 2024 17:54
@fklassen fklassen force-pushed the Feature_#853_direct_traffic_to_pcap branch from 7bd92e2 to 2ed8008 Compare June 29, 2024 17:56
@fklassen fklassen merged commit 26e47da into 4.5.0-beta3 Jun 29, 2024
2 checks passed
@fklassen fklassen deleted the Feature_#853_direct_traffic_to_pcap branch June 29, 2024 17:57
Projects
Status: Done
3 participants