
I need to build a test environment with a very precise packet loss based on a specific TCP sequence number or, optionally, on payload content. I couldn't figure out how to do it with tc or iptables. What tool should I use?

Thanks.

jackhab
  • What exactly do you need? Do you need some iptables rules to match specific TCP sequence numbers?!? – dsmsk80 Sep 02 '13 at 09:31
  • Exactly. Iptables would be great but as I said I couldn't figure out how to do it with iptables. – jackhab Sep 02 '13 at 12:34

1 Answer


http://www.netfilter.org/documentation/HOWTO/netfilter-extensions-HOWTO-3.html

Moving on to the TCP header

Let's say I'd like to look at bytes 4-7 of the TCP header (the TCP sequence number)...

The final expression (check for TCP, check for unfragmented packet or first fragment, and jump over the IP header, checking that bytes 4-7 of the TCP header are equal to 41) is:

iptables -m u32 --u32 "6&0xFF=0x6 && 4&0x1FFF=0 && 0>>22&0x3C@4=0x29"
suprjami
  • The problem with binary byte match is that TCP sequences always start from some random number so if I want to always lose the first 1K bytes of the file I will not be able to tell which sequence to match. We need to follow the stream from the beginning to be able to figure it out. – jackhab Jan 09 '14 at 14:33
  • Ok, I think you need to take a step backwards and explain the problem you're actually trying to solve. We've gotten a bit ahead of that because you've decided that dropping traffic based on sequence number is the only way to solve it. Your customers aren't paying you to match arbitrary TCP sequence numbers, they are paying you to provide a network service. What about that network service isn't working? – suprjami Jan 17 '14 at 13:22
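As an added example (not part of the answer or of the netfilter HOWTO it quotes), a small Python interpreter for the u32 subset used above, run against a constructed IPv4/TCP packet, shows how the expression hops from the IP header to the sequence number and, extending the same hop through the TCP data offset, to the first payload bytes. Addresses, ports and the zeroed checksums in the packet builder are constructed placeholder values.

```python
import re
import struct

# Tokens of the u32 location grammar used in the answer: a number followed by
# any of  &mask  >>shift  <<shift  @offset  (hex or decimal numbers).
_TOKEN = re.compile(r"0x[0-9a-fA-F]+|\d+|>>|<<|&|@")

def _read32(pkt, off):
    """Big-endian 32-bit read at byte offset off; u32 fails on a short read."""
    if off < 0 or off + 4 > len(pkt):
        raise IndexError("u32 read beyond packet at offset %d" % off)
    return struct.unpack_from("!I", pkt, off)[0]

def u32_match(pkt, expr):
    """True if raw IPv4 packet pkt satisfies an iptables --u32 expression.
    Subset: tests joined by '&&', each 'location=value' or 'location=lo:hi'.
    & >> << act on the current value; '@' adds the current value to the base
    offset and reads 4 bytes at base + next number (IP header -> TCP header)."""
    for test in expr.split("&&"):
        loc, _, val = test.strip().partition("=")
        toks = _TOKEN.findall(loc)
        base, value = 0, _read32(pkt, int(toks[0], 0))
        for op, n in zip(toks[1::2], toks[2::2]):
            n = int(n, 0)
            if op == "&":
                value &= n
            elif op == ">>":
                value >>= n
            elif op == "<<":
                value = (value << n) & 0xFFFFFFFF
            elif op == "@":
                base += value
                value = _read32(pkt, base + n)
        lo, _, hi = val.partition(":")
        if not int(lo, 0) <= value <= int(hi or lo, 0):
            return False
    return True

def build_tcp_packet(seq, payload=b""):
    """Constructed IPv4/TCP packet for testing (20-byte headers, checksums zero)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0,
                     0x4000, 64, 6, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return ip + tcp + payload

# The HOWTO expression quoted above: TCP, first/unfragmented, sequence number 41.
SEQ_41 = "6&0xFF=0x6 && 4&0x1FFF=0 && 0>>22&0x3C@4=0x29"
# Hop once more, via the TCP data offset in byte 12 of the TCP header, to the
# first four payload bytes; this one matches a payload starting with "GET ".
PAYLOAD_GET = "0>>22&0x3C@12>>26&0x3C@0=0x47455420"
```

Because the match is on the absolute 32-bit field, it only ever selects one exact sequence value; the per-connection random initial sequence number raised in the comment above is not something a stateless u32 rule can account for.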