
I have a server and I need to simulate real network traffic. I've been asked to do this using a CAIDA Dataset. I have downloaded the public Dataset which can be found here: CAIDA Public Dataset

I also need to rewrite the source ip address in the .pcap file to be the one of the server. I tried doing it the way it's described at the end of this page: tcprewrite wiki

I run:

tcprewrite --infile=oc48-mfn.dirA.20020814-160000.UTC.anon.pcap --outfile=oc48-mfn.dirA.20020814-160000.UTC.anon_rewrite.pcap --dstipmap=0.0.0.0/0:10.101.30.60 --enet-dmac=00:0c:29:00:b1:bd

And I get:

Warning: oc48-mfn.dirA.20020814-160000.UTC.anon.pcap was captured using a snaplen of 48 bytes. This may mean you have truncated packets.

Fatal Error: From ./plugins/dlt_hdlc/hdlc.c:dlt_hdlc_encode() line 255: Non-HDLC packet requires --hdlc-address

So after some tries like this I finally run these to get an error-free tcprewrite:

tcpprep --auto=bridge --pcap=oc48-mfn.dirA.20020814-160000.UTC.anon.pcap --cachefile=cache1.cache

Which gives:

Warning: oc48-mfn.dirA.20020814-160000.UTC.anon.pcap was captured using a snaplen of 48 bytes. This may mean you have truncated packets.

Warning: oc48-mfn.dirA.20020814-160000.UTC.anon.pcap was captured using a snaplen of 48 bytes. This may mean you have truncated packets.

And then I run:

tcprewrite --infile=oc48-mfn.dirA.20020814-160000.UTC.anon.pcap --outfile=oc48-mfn.dirA.20020814-160000.UTC.anon_rewrite.pcap --dstipmap=0.0.0.0/0:10.101.30.60 --enet-dmac=00:0c:29:00:b1:bd --cachefile=cache1.cache --hdlc-control=0 --hdlc-address=0xBF

And I get:

Warning: oc48-mfn.dirA.20020814-160000.UTC.anon.pcap was captured using a snaplen of 48 bytes. This may mean you have truncated packets.

So it seems like a success, except the warning that shows up in every command. I open the new .pcap file with tcpdump to check that the destination IP addresses have changed to the one of the server and it has been done.

So then I run tcpreplay:

tcpreplay -i ens160 --loop 5  --unique-ip oc48-mfn.dirA.20020814-160000.UTC.anon.pcap

And I run tcpdump on the server to see the traffic from the .pcap file, but the traffic looks like this:

13:30:50.194780 05:8c:55:6f:40:00 (oui Unknown) > 0f:00:08:00:45:00 (oui Unknown), ethertype Unknown (0x3406), length 60:
    0x0000: ed11 f484 7785 f477 0d79 0050 0487 007c ....w..w.y.P...|
    0x0010: e7d5 d203 c32b 5010 27f7 aa51 0000 4854 .....+P.'..Q..HT
    0x0020: 5450 0000 0000 0000 0000 0000 0000 TP............

I have tried the smallFlow.pcap from the sample captures of tcpreplay (Sample Captures) and it worked just fine.

So any suggestions on how to properly use the CAIDA .pcap files?

1 Answer


Your stated goal is "I need to simulate real network traffic", but you're using pcaps where "the payload has been removed from all packets" (per the CAIDA web page you linked to).

These two statements are in conflict with each other. All your packets are literally no larger than 48 bytes, which is merely enough for the TCP/IP header (and even then it may not be sufficient in all cases). This is what the warning is telling you. You can't put the data back.

You'll need to find a new source of pcaps.

Aaron Turner
  • Ok, apparently I was misinformed. The reason we need to simulate real network traffic is that we have set up [Apache Spot](http://spot.incubator.apache.org/) and we need the traffic to flow through the network while we attack it, to evaluate Apache Spot's performance for research purposes. Given this, could you suggest a new source of pcaps? – Giannis Pappas Nov 13 '17 at 22:33
  • Run tcpdump on your own network? Your own network traffic is the most realistic network traffic. Most of the public pcaps are neutered in some manner for privacy reasons or won't be large/diverse enough to be useful IMHO. – Aaron Turner Nov 14 '17 at 23:21
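The answer's point is that the snaplen warning means the capture itself is missing the data, so no rewrite step can recover it. The following added example (not part of the question or answer, and not tcpreplay's code) parses the classic pcap global and record headers to report the snaplen, the link-layer type, and how many packets were cut short, and builds a small constructed pcap in memory with the same 48-byte snaplen and Cisco HDLC link type as the trace in the question, so it runs offline.

```python
import struct

# Classic pcap magic numbers -> struct byte-order prefix (usec and nsec variants).
MAGICS = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">", 0xA1B23C4D: "<", 0x4D3CB2A1: ">"}
# Link-layer types that matter here: Ethernet, and Cisco HDLC (the type the
# dlt_hdlc plugin of tcprewrite complained about in the question).
LINKTYPES = {1: "EN10MB", 104: "C_HDLC"}

def inspect_pcap(data):
    """Parse a classic pcap byte string and return snaplen/truncation stats."""
    endian = MAGICS.get(struct.unpack("<I", data[:4])[0])
    if endian is None:
        raise ValueError("not a classic pcap file")
    # Global header: magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype
    _, _, _, _, _, snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    off, packets, truncated, largest = 24, 0, 0, 0
    while off + 16 <= len(data):
        # Record header: ts_sec, ts_usec, incl_len (bytes saved), orig_len (bytes on the wire)
        _, _, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16 + incl_len
        packets += 1
        if incl_len < orig_len:
            truncated += 1
        largest = max(largest, incl_len)
    return {"snaplen": snaplen, "linktype": LINKTYPES.get(linktype, str(linktype)),
            "packets": packets, "truncated": truncated, "largest_saved": largest}

def replay_issues(report):
    """Translate the stats into the problems a tcpreplay user would run into."""
    issues = []
    if report["truncated"]:
        issues.append("%d of %d packets are cut at %d bytes: payload is gone and cannot be restored"
                      % (report["truncated"], report["packets"], report["snaplen"]))
    if report["linktype"] != "EN10MB":
        issues.append("link type is %s, not Ethernet: tcprewrite needs its DLT options (e.g. --hdlc-address)"
                      % report["linktype"])
    return issues

def build_sample(snaplen, linktype, lengths):
    """Construct a little-endian pcap in memory (constructed test data, not a CAIDA trace)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)
    for orig_len in lengths:
        incl_len = min(orig_len, snaplen)  # a 48-byte snaplen keeps only the first 48 bytes
        out += struct.pack("<IIII", 0, 0, incl_len, orig_len) + b"\x00" * incl_len
    return out

if __name__ == "__main__":
    # Mimic the question's trace: snaplen 48 over Cisco HDLC, one bare ACK and two full segments.
    stats = inspect_pcap(build_sample(48, 104, [40, 1500, 576]))
    print(stats)
    for issue in replay_issues(stats):
        print("-", issue)
```

Running it against a real file is a matter of passing `open(path, "rb").read()` to `inspect_pcap`; a capture that reports zero truncated packets and link type EN10MB is the kind tcpreplay can put on an Ethernet interface as-is.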