tcpreplay-1.3.2-1mdk.ppc.rpm


			tcpprep FAQ v1.4

What is tcpprep?
	tcpreplay with patches can send traffic out two network cards, however
	it requires the calculations be done in real-time.  These calculations
	can be expensive and can significantly reduce the throughput of 
	tcpreplay.

	tcpprep is a libpcap pre-processor for tcpreplay which enables this 
	feature in tcpreplay, and significantly increases throughput through 
	the use of a cache file.

How does tcpprep work?
	tcpprep reads in a libpcap (tcpdump) formatted capture file and
	does some processing to generate a tcpreplay cache file.  This cache
	file tells tcpreplay which interface a given packet should be sent 
	out of.

Does tcpprep modify my libpcap file?
	No.

Can a cache file be used for multiple (different) libpcap files?
	Cache files have nothing linking them to a given libpcap file, so
	there is nothing to stop you from doing this.  However running 
	tcpreplay with a cache file from a different libpcap source
	file is likely to cause a lot of problems and is not supported.

Why would I want to use tcpreplay with two network cards?
	tcpreplay traditionally is good for putting traffic on a given network,
	often used to test a network intrusion detection system (NIDS). 
	However, there are cases where putting traffic onto a subnet in this
	manner is not good enough: you have to be able to send traffic
	*through* a device such as a router, firewall, or bridge.

	In these cases, being able to use a single source file (libpcap) for 
	both ends of the connection solves this problem.

How big are the cache files?
	Very small.  Actual size depends on the number of packets in the dump
	file.  One bit of data is stored for each packet.  On a test using a
	900MB dump file containing over 500,000 packets, the cache file was 
	only 74K.
	
What are these 'modes' tcpprep has?
	tcpprep has four modes:
		- CIDR (-c)
		- Regex (-r)
		- Auto/Bridge (-a -n bridge)
		- Auto/Router (-a -n router)

	CIDR mode requires the user to provide a list of networks.  Any IP
	in one of these networks gets sent out the primary interface.

	Regex mode requires the user to provide a regular expression.  Any IP
	matching the regex gets sent out the primary interface.

	Auto modes:
		Auto modes are useful for when you don't know much about 
		the contents of the dump file in question and you want to 
		split traffic up based upon servers and clients.

		Systems are classified into three types:
			- Clients
			- Servers
			- Unknown

	Auto/Router mode tries to find the largest network(s) that contain
	all the servers and no clients.  Any unknown is automatically 
	re-classified as a server if it's inside the network(s) or as a
	client if it's outside.

	Auto/Bridge mode makes the assumption that the clients and servers
	are horribly intermixed on the network and there's no way to subnet
	them.  While this takes less processing time to create the cache file
	it is unable to deal with unknown systems.

How does Auto/Bridge mode work?
	tcpprep does an initial pass over the libpcap file to build a binary
	tree (one node per IP).  For each IP, it keeps track of how many times
	it was a client or server.  It then does a second pass of the file 
	using the data in the tree and the ratio to determine if an IP is 
	a client or server.
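The two-pass Auto/Bridge scheme described above, as an added illustration that is not tcpprep's own code: pass one tallies per-IP client/server behaviour, the ratio classifies each host, and pass two emits one bit per packet (the "one bit of data is stored for each packet" cache size claimed earlier). The packet sample, the SYN-based client/server heuristic, the 2:1 ratio threshold and the bit packing are all assumptions made for the example; tcpprep's real cache-file format is not documented on this page.

```python
from collections import defaultdict
# Constructed sample of (src_ip, dst_ip, syn, ack) packets. A SYN without ACK
# is taken as "sender is a client, receiver is a server", as in a TCP handshake.
PACKETS = [
    ("10.0.0.5", "192.168.1.10", True, False),   # client -> server SYN
    ("192.168.1.10", "10.0.0.5", True, True),    # SYN/ACK back
    ("10.0.0.5", "192.168.1.10", False, True),   # ACK
    ("10.0.0.6", "192.168.1.10", True, False),
    ("192.168.1.10", "10.0.0.6", True, True),
    ("10.0.0.7", "192.168.1.10", True, False),
]

def first_pass(packets):
    """Pass 1: tally how often each IP acted as client or server (tcpprep's per-IP tree)."""
    counts = defaultdict(lambda: {"client": 0, "server": 0})
    for src, dst, syn, ack in packets:
        if syn and not ack:          # connection attempt: src=client, dst=server
            counts[src]["client"] += 1
            counts[dst]["server"] += 1
    return counts

def classify(counts, ratio=2.0):
    """Label each IP by its server:client ratio (assumed 2:1); in between is 'unknown'."""
    roles = {}
    for ip, c in counts.items():
        if c["server"] > ratio * c["client"]:
            roles[ip] = "server"
        elif c["client"] > ratio * c["server"]:
            roles[ip] = "client"
        else:
            roles[ip] = "unknown"
    return roles

def second_pass(packets, roles):
    """Pass 2: one bit per packet, 1 = primary interface (sent by a server), 0 = secondary."""
    bits = []
    for src, _dst, _syn, _ack in packets:
        role = roles.get(src, "unknown")   # never-seen hosts are unknown too
        if role == "unknown":
            # Bridge mode has no rule for unknown hosts, as the FAQ notes.
            raise ValueError(f"bridge mode cannot place packets from {src}")
        bits.append(1 if role == "server" else 0)
    return bits

def pack_cache(bits):
    """Pack the bits MSB-first into bytes: roughly 1/8 byte of cache per packet."""
    out = bytearray((len(bits) + 7) // 8)
    for i, b in enumerate(bits):
        out[i // 8] |= b << (7 - i % 8)
    return bytes(out)
```

Adding a packet in which 10.0.0.5 also receives a SYN makes it 1:1 and therefore unknown, and the second pass then refuses to build the cache, which is the case Auto/Router mode exists to resolve.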

How does Auto/Router mode work?
	tcpprep does the same first pass as Auto/Bridge mode.  It then tries
	to convert the binary tree into a list of networks.  Finally it uses
	the CIDR mode in a second pass of the libpcap file.

What operating systems has tcpprep been tested on?
	- Linux 2.4.x
	- Solaris 7
	- FreeBSD 4.4
	- OpenBSD 2.9

What additional requirements does tcpprep have?
	tcpprep requires the libredblack library which is available from:
	http://libredblack.sourceforge.net/

	tcpprep and the patched version of tcpreplay also require a more
	recent version of Libnet than is shipped with tcpreplay 1.0.1.
	Libnet 1.0.2a is available from: 
	http://www.packetfactory.net/projects/libnet/

	I also highly recommend installing a more recent version of libpcap:
	http://www.tcpdump.org/  (0.6.2 is the latest as of this writing)

When I run tcpprep or tcpreplay I get the following error:
	error while loading shared libraries: libredblack.so.1: 
	cannot open shared object file: No such file or directory

	You most likely didn't install libredblack separately and forgot to
	update your system's library cache.  On some systems this can be fixed
	by running 'ldconfig'.  You may also need to update your library cache
	config file (/etc/ld.so.conf or the equivalent on your system).

Who wrote tcpprep?
	Aaron Turner <aturner@pobox.com> wrote it as well as the patch
	allowing tcpreplay to use multiple interfaces.

What is the latest version of tcpprep?
	Now that tcpprep is shipped with tcpreplay, the versioning has been
	sync'd.  Hence the latest version of tcpprep as of this writing 
	(8/21/2002) is 1.2a.  If your copy of tcpprep is not the same version
	as tcpreplay it is older than 1.2a even if its version is greater
	than 1.2a.  Yes, it's confusing, deal with it.

EOF