cbiedl
/
tcpreplay


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213
							<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

<!--Converted with LaTeX2HTML 2002-2 (1.70)
original version by:  Nikos Drakos, CBLU, University of Leeds
* revised and updated by:  Marcus Hennecke, Ross Moore, Herb Swan
* with significant contributions from:
  Jens Lippmann, Marek Rouchal, Martin Wilck and others -->
<HTML>
<HEAD>
<TITLE>3 Understanding tcpprep</TITLE>
<META NAME="description" CONTENT="3 Understanding tcpprep">
<META NAME="keywords" CONTENT="FAQ">
<META NAME="resource-type" CONTENT="document">
<META NAME="distribution" CONTENT="global">

<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META NAME="Generator" CONTENT="LaTeX2HTML v2002-2">
<META HTTP-EQUIV="Content-Style-Type" CONTENT="text/css">

<LINK REL="STYLESHEET" HREF="FAQ.css">

<LINK REL="next" HREF="node5.html">
<LINK REL="previous" HREF="node3.html">
<LINK REL="up" HREF="FAQ.html">
<LINK REL="next" HREF="node5.html">
</HEAD>

<BODY >

<DIV CLASS="navigation"><!--Navigation Panel-->
<A NAME="tex2html175"
  HREF="node5.html">
<IMG WIDTH="37" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="next" SRC="next.png"></A> 
<A NAME="tex2html171"
  HREF="FAQ.html">
<IMG WIDTH="26" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="up" SRC="up.png"></A> 
<A NAME="tex2html165"
  HREF="node3.html">
<IMG WIDTH="63" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="previous" SRC="prev.png"></A> 
<A NAME="tex2html173"
  HREF="node1.html">
<IMG WIDTH="65" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="contents" SRC="contents.png"></A>  
<BR>
<B> Next:</B> <A NAME="tex2html176"
  HREF="node5.html">4 Common Error and</A>
<B> Up:</B> <A NAME="tex2html172"
  HREF="FAQ.html">Tcpreplay 3.x FAQ</A>
<B> Previous:</B> <A NAME="tex2html166"
  HREF="node3.html">2 Bugs, Feature Requests,</A>
 &nbsp; <B>  <A NAME="tex2html174"
  HREF="node1.html">Contents</A></B> 
<BR>
<BR></DIV>
<!--End of Navigation Panel-->
<!--Table of Child-Links-->
<A NAME="CHILD_LINKS"><STRONG>Subsections</STRONG></A>

<UL CLASS="ChildLinks">
<LI><A NAME="tex2html177"
  HREF="node4.html#SECTION00041000000000000000"><SPAN CLASS="arabic">3</SPAN>.<SPAN CLASS="arabic">1</SPAN> What is tcpprep?</A>
<LI><A NAME="tex2html178"
  HREF="node4.html#SECTION00042000000000000000"><SPAN CLASS="arabic">3</SPAN>.<SPAN CLASS="arabic">2</SPAN> How does tcpprep work? </A>
<LI><A NAME="tex2html179"
  HREF="node4.html#SECTION00043000000000000000"><SPAN CLASS="arabic">3</SPAN>.<SPAN CLASS="arabic">3</SPAN> Does tcpprep modify my libpcap file?</A>
<LI><A NAME="tex2html180"
  HREF="node4.html#SECTION00044000000000000000"><SPAN CLASS="arabic">3</SPAN>.<SPAN CLASS="arabic">4</SPAN> Why use tcpprep?</A>
<LI><A NAME="tex2html181"
  HREF="node4.html#SECTION00045000000000000000"><SPAN CLASS="arabic">3</SPAN>.<SPAN CLASS="arabic">5</SPAN> Can a cache file be used for multiple (different) libpcap files? </A>
<LI><A NAME="tex2html182"
  HREF="node4.html#SECTION00046000000000000000"><SPAN CLASS="arabic">3</SPAN>.<SPAN CLASS="arabic">6</SPAN> Why would I want to use tcpreplay with two network cards? </A>
<LI><A NAME="tex2html183"
  HREF="node4.html#SECTION00047000000000000000"><SPAN CLASS="arabic">3</SPAN>.<SPAN CLASS="arabic">7</SPAN> How big are the cache files?</A>
</UL>
<!--End of Table of Child-Links-->
<HR>

<H1><A NAME="SECTION00040000000000000000">
<SPAN CLASS="arabic">3</SPAN> Understanding tcpprep</A>
</H1>

<P>

<H2><A NAME="SECTION00041000000000000000">
<SPAN CLASS="arabic">3</SPAN>.<SPAN CLASS="arabic">1</SPAN> What is tcpprep?</A>
</H2>

<P>
Tcpreplay can send traffic out two network cards, however it requires
the calculations be done in real-time. These calculations can be expensive
and can significantly reduce the throughput of tcpreplay.

<P>
Tcpprep is a libpcap pre-processor for tcpreplay which enables using
two network cards to send traffic without the performance hit of doing
the calculations in real-time.

<P>

<H2><A NAME="SECTION00042000000000000000">
<SPAN CLASS="arabic">3</SPAN>.<SPAN CLASS="arabic">2</SPAN> How does tcpprep work? </A>
</H2>

<P>
Tcpprep reads in a libpcap (tcpdump) formatted capture file and does
some processing to generate a tcpreplay cache file. This cache file
tells tcpreplay which interface a given packet should be sent out
of. 

<P>

<H2><A NAME="SECTION00043000000000000000">
<SPAN CLASS="arabic">3</SPAN>.<SPAN CLASS="arabic">3</SPAN> Does tcpprep modify my libpcap file?</A>
</H2>

<P>
No. 

<P>

<H2><A NAME="SECTION00044000000000000000">
<SPAN CLASS="arabic">3</SPAN>.<SPAN CLASS="arabic">4</SPAN> Why use tcpprep?</A>
</H2>

<P>
There are three major reasons to use tcpprep:

<P>

<OL>
<LI>Tcpprep can split traffic based upon more methods and criteria then
tcpreplay.
</LI>
<LI>By pre-processing the pcap, tcpreplay has a higher theoretical maximum
throughput.
</LI>
<LI>By pre-processing the pcap, tcpreplay can be more accurate in timing
when replaying traffic at normal speed.
</LI>
</OL>

<P>

<H2><A NAME="SECTION00045000000000000000">
<SPAN CLASS="arabic">3</SPAN>.<SPAN CLASS="arabic">5</SPAN> Can a cache file be used for multiple (different) libpcap files? </A>
</H2>

<P>
Cache files have nothing linking them to a given libpcap file, so
there is nothing to stop you from doing this. However running tcpreplay
with a cache file from a different libpcap source file is likely to
cause a lot of problems and is not supported. 

<P>

<H2><A NAME="SECTION00046000000000000000">
<SPAN CLASS="arabic">3</SPAN>.<SPAN CLASS="arabic">6</SPAN> Why would I want to use tcpreplay with two network cards? </A>
</H2>

<P>
Tcpreplay traditionally is good for putting traffic on a given network,
often used to test a network intrusion detection system (NIDS). However,
there are cases where putting traffic onto a subnet in this manner
is not good enough- you have to be able to send traffic *through*
a device such as a IPS, router, firewall, or bridge.

<P>
In these cases, being able to use a single source file (libpcap) for
both ends of the connection solves this problem.

<P>

<H2><A NAME="SECTION00047000000000000000">
<SPAN CLASS="arabic">3</SPAN>.<SPAN CLASS="arabic">7</SPAN> How big are the cache files?</A>
</H2>

<P>
Very small. Actual size depends on the number of packets in the dump
file. Two bits of data is stored for each packet. On a test using
a 900MB dump file containing over 500,000 packets, the cache file
was only 150K. 

<P>

<DIV CLASS="navigation"><HR>
<!--Navigation Panel-->
<A NAME="tex2html175"
  HREF="node5.html">
<IMG WIDTH="37" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="next" SRC="next.png"></A> 
<A NAME="tex2html171"
  HREF="FAQ.html">
<IMG WIDTH="26" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="up" SRC="up.png"></A> 
<A NAME="tex2html165"
  HREF="node3.html">
<IMG WIDTH="63" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="previous" SRC="prev.png"></A> 
<A NAME="tex2html173"
  HREF="node1.html">
<IMG WIDTH="65" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="contents" SRC="contents.png"></A>  
<BR>
<B> Next:</B> <A NAME="tex2html176"
  HREF="node5.html">4 Common Error and</A>
<B> Up:</B> <A NAME="tex2html172"
  HREF="FAQ.html">Tcpreplay 3.x FAQ</A>
<B> Previous:</B> <A NAME="tex2html166"
  HREF="node3.html">2 Bugs, Feature Requests,</A>
 &nbsp; <B>  <A NAME="tex2html174"
  HREF="node1.html">Contents</A></B> </DIV>
<!--End of Navigation Panel-->
<ADDRESS>
Aaron Turner
2006-07-17
</ADDRESS>
</BODY>
</HTML>