1
votes

I have a server and I need to simulate real network traffic. I've been asked to do this using a CAIDA Dataset. I have downloaded the public Dataset which can be found here: CAIDA Public Dataset

I also need to rewrite the source IP address in the .pcap file to be the one of the server. I tried doing it the way it's described at the end of this page: tcprewrite wiki

I run:

tcprewrite --infile=oc48-mfn.dirA.20020814-160000.UTC.anon.pcap --outfile=oc48-mfn.dirA.20020814-160000.UTC.anon_rewrite.pcap --dstipmap=0.0.0.0/0:10.101.30.60 --enet-dmac=00:0c:29:00:b1:bd

And I get:

Warning: oc48-mfn.dirA.20020814-160000.UTC.anon.pcap was captured using a snaplen of 48 bytes. This may mean you have truncated packets.

Fatal Error: From ./plugins/dlt_hdlc/hdlc.c:dlt_hdlc_encode() line 255: Non-HDLC packet requires --hdlc-address

So after some tries like this I finally run these to get an error-free tcprewrite:

tcpprep --auto=bridge --pcap=oc48-mfn.dirA.20020814-160000.UTC.anon.pcap --cachefile=cache1.cache

Which gives:

Warning: oc48-mfn.dirA.20020814-160000.UTC.anon.pcap was captured using a snaplen of 48 bytes. This may mean you have truncated packets.

Warning: oc48-mfn.dirA.20020814-160000.UTC.anon.pcap was captured using a snaplen of 48 bytes. This may mean you have truncated packets.

And then I run:

tcprewrite --infile=oc48-mfn.dirA.20020814-160000.UTC.anon.pcap --outfile=oc48-mfn.dirA.20020814-160000.UTC.anon_rewrite.pcap --dstipmap=0.0.0.0/0:10.101.30.60 --enet-dmac=00:0c:29:00:b1:bd --cachefile=cache1.cache --hdlc-control=0 --hdlc-address=0xBF

And I get:

Warning: oc48-mfn.dirA.20020814-160000.UTC.anon.pcap was captured using a snaplen of 48 bytes. This may mean you have truncated packets.

So it seems like a success, except the warning that shows up in every command. I open the new .pcap file with tcpdump to check that the destination IP addresses have changed to the one of the server and it has been done.

So then I run tcpreplay:

tcpreplay -i ens160 --loop 5  --unique-ip oc48-mfn.dirA.20020814-160000.UTC.anon.pcap

And I run tcpdump on the server to see the traffic from the .pcap file, but the traffic looks like this:

13:30:50.194780 05:8c:55:6f:40:00 (oui Unknown) > 0f:00:08:00:45:00 (oui Unknown), ethertype Unknown (0x3406), length 60:
0x0000: ed11 f484 7785 f477 0d79 0050 0487 007c ....w..w.y.P...|
0x0010: e7d5 d203 c32b 5010 27f7 aa51 0000 4854 .....+P.'..Q..HT
0x0020: 5450 0000 0000 0000 0000 0000 0000 TP............

I have tried the smallFlow.pcap from the sample captures of tcpreplay: Sample Captures

and it worked just fine.

So any suggestions on how to properly use the CAIDA .pcap files?

1 Answer

0
votes

Your stated goal is "I need to simulate real network traffic", but you're using pcaps where "the payload has been removed from all packets" (per the CAIDA web page you linked to).

These two statements are in conflict with each other. All your packets are literally no larger than 48 bytes, which is merely enough for the TCP/IP header (and even so, may not be sufficient in all cases). This is what the warning is telling you. You can't put the data back.

You'll need to find a new source of pcaps.
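
The snaplen warning discussed above can be checked before any replay by reading the pcap headers directly: the global header carries the snaplen and link-layer type, and each record header says how many bytes were stored versus how many were on the wire. This is an added example, not part of the original question or answer; `inspect_pcap` and `build_sample` are hypothetical names, and the sample capture is constructed (snaplen 48, Cisco HDLC link type, frame bytes modelled on the tcpdump output in the question).

```python
import struct

# Subset of pcap link-layer type values (tcpdump.org registry)
LINKTYPES = {1: "EN10MB", 104: "C_HDLC"}

def inspect_pcap(data: bytes) -> dict:
    """Summarise snaplen, link type and truncated records of a classic pcap."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        end = "<"   # written on a little-endian host
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        end = ">"   # written on a big-endian host
    else:
        raise ValueError("not a classic (microsecond) pcap file")
    # Global header: version major/minor, thiszone, sigfigs, snaplen, network
    _, _, _, _, snaplen, linktype = struct.unpack(end + "HHiIII", data[4:24])
    packets = truncated = 0
    off = 24
    while off + 16 <= len(data):
        # Record header: ts_sec, ts_usec, incl_len (stored), orig_len (on the wire)
        _, _, incl_len, orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        packets += 1
        truncated += incl_len < orig_len   # bytes beyond the snaplen are gone for good
        off += 16 + incl_len
    return {"snaplen": snaplen, "linktype": LINKTYPES.get(linktype, str(linktype)),
            "packets": packets, "truncated": truncated}

def build_sample() -> bytes:
    """Constructed two-record capture: snaplen 48, link type C_HDLC."""
    frame = bytes.fromhex(
        "0f000800"                                   # Cisco HDLC: address, control, IPv4
        "4500058c556f40003406ed11f4847785f4770d79"   # IPv4 header, total length 1420
        "00500487007ce7d5d203c32b501027f7aa510000"   # TCP header
        "48545450")                                  # only 4 payload bytes survive
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 48, 104)
    rec1 = struct.pack("<IIII", 0, 0, 48, 1424) + frame      # cut at the snaplen
    rec2 = struct.pack("<IIII", 0, 1, 44, 44) + frame[:44]   # constructed, stored whole
    return header + rec1 + rec2

if __name__ == "__main__":
    print(inspect_pcap(build_sample()))
```

A non-zero `truncated` count means payload bytes are missing from the file, and a `linktype` other than `EN10MB` means the stored frames are not Ethernet frames.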