path: root/upstream/mageia-cauldron/man7/traffic_learner.7
'\" t
.\"     Title: traffic_learner
.\"    Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/>
.\"      Date: 02/25/2024
.\"    Manual: User Commands
.\"    Source: Samba 4.19.5
.\"  Language: English
.\"
.TH "TRAFFIC_LEARNER" "7" "02/25/2024" "Samba 4\&.19\&.5" "User Commands"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
traffic_learner \- Samba tool to assist with traffic generation\&.
.SH "SYNOPSIS"
.HP \w'\ 'u
traffic_learner {\-o\ OUTPUT_FILE\ \&.\&.\&.} [\-h] [\-\-dns\-mode\ {inline|count}] [SUMMARY_FILE] [SUMMARY_FILE\ \&.\&.\&.]
.SH "DESCRIPTION"
.PP
This tool is part of the
\fBsamba\fR(7)
suite\&.
.PP
This tool assists with generation of Samba traffic\&. It takes a traffic\-summary file (produced by
traffic_summary\&.pl) as input and produces a traffic\-model file that can be used by
traffic_replay
for traffic generation\&.
.PP
The model file summarizes the types of traffic (\*(Aqconversations\*(Aq between a host and a Samba DC) that occur on a network\&. The model file describes the traffic in a way that allows it to be scaled so that either more (or fewer) packets get sent, and the packets can be sent at a faster (or slower) rate than that seen in the network\&.
.SH "OPTIONS"
.PP
\-h|\-\-help
.RS 4
Print a summary of command line options\&.
.RE
.PP
SUMMARY_FILE
.RS 4
File containing a network traffic\-summary\&. The traffic\-summary file should be generated by
traffic_summary\&.pl
from a packet capture of actual network traffic\&. More than one file can be specified, in which case the traffic will be combined into a single traffic\-model\&. If no SUMMARY_FILE is specified, this tool will read the traffic\-summary from STDIN, i\&.e\&. you can pipe the output from traffic_summary\&.pl directly to this tool\&.
.RE
.PP
\-o|\-\-out OUTPUT_FILE
.RS 4
The traffic\-model that is produced will be written to this file\&. The OUTPUT_FILE can then be passed to
traffic_replay
to generate (and manipulate) Samba network traffic\&.
.RE
.PP
\-\-dns\-mode [inline|count]
.RS 4
How DNS traffic should be handled by the model\&.
.RE
.SH "EXAMPLES"
.PP
To take a traffic\-summary file and produce a traffic\-model file, use:
.PP
traffic_learner traffic\-summary\&.txt \-o traffic\-model\&.txt
.PP
To generate a traffic\-model from a packet capture, you can pipe the traffic summary to STDIN using:
.PP
tshark \-r capture\&.pcapng \-T pdml | traffic_summary\&.pl | traffic_learner \-o traffic\-model\&.txt
.SH "OUTPUT FILE FORMAT"
.PP
The output model file describes a Markov model estimating the probability of a packet occurring given the last two packets\&.
.PP
The count of each continuation after a pair of successive packets is stored, and the ratios of these counts are used to calculate probabilities for the next packet\&.
.PP
The model is stored in JSON format, and also contains information about the packet rate and DNS traffic rate\&.
.SS "Example ngram listing"
.PP
The following listing shows a contrived example of a single ngram entry\&.
.sp
.if n \{\
.RS 4
.\}
.nf
          "ngrams": {
             "ldap:0\etdcerpc:11": {
                 "lsarpc:77": 1,
                 "ldap:2": 370,
                 "ldap:3": 62,
                 "wait:3": 2,
                 "\-": 1
             }, [\&.\&.\&.]
          }
        
.fi
.if n \{\
.RE
.\}
.PP
This counts the observed continuations after an ldap packet with opcode 0 (a bind) followed by a dcerpc packet with opcode 11 (also a bind)\&. The most common next packet is "ldap:2" which is an unbind, so this is the most likely packet type to be selected in replay\&. At the other extreme, lsarpc opcode 77 (lookup names) has been seen only once, and it is unlikely but possible that this will be selected in replay\&.
.PP
There are two special packet types here\&. "wait:3" refers to a temporary pause in the conversation, where the "3" pseudo\-opcode indicates the length of the wait on an exponential scale\&. That is, a "wait:4" pause would be about 2\&.7 times longer than a "wait:3", which in turn would be similarly longer than a "wait:2"\&.
.PP
The other special packet is "\-", which represents the limit of the conversation\&. In the example, this indicates that one observed conversation ended after this particular ngram\&. This special opcode is also used at the beginning of conversations, which are indicated by the ngram "\-\et\-"\&.
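.PP
The probabilities implied by the listing above can be checked before a model is passed to traffic_replay\&. The following Python sketch is an added example, not part of the Samba tools: the function names are hypothetical, the sample data is constructed from the listing, and base e for the wait scale is an assumption drawn from the "about 2\&.7 times" figure\&.
.sp
.nf
```python
import json
import math

SEP = chr(9)  # tab character joining the two packets in an ngram key

# Constructed sample: the single ngram entry from the listing above.
SAMPLE_MODEL = json.dumps({"ngrams": {
    "ldap:0" + SEP + "dcerpc:11": {
        "lsarpc:77": 1, "ldap:2": 370, "ldap:3": 62, "wait:3": 2, "-": 1,
    },
}})


def continuation_probabilities(model_text, prev2, prev1):
    """Return {next_packet: probability} after the pair (prev2, prev1)."""
    ngrams = json.loads(model_text).get("ngrams", {})
    counts = ngrams.get(prev2 + SEP + prev1)
    if not counts:
        return {}  # this pair was never observed in the summary
    total = sum(counts.values())
    return {packet: n / total for packet, n in counts.items()}


def wait_ratio(longer, shorter):
    """Relative length of two wait pseudo-opcodes (assumes a base-e scale)."""
    return math.exp(longer - shorter)


def ranked(probabilities):
    """Sort continuations from most to least likely."""
    return sorted(probabilities.items(), key=lambda kv: kv[1], reverse=True)


def label(packet):
    """Name the special packet types; other packets are protocol:opcode."""
    if packet == "-":
        return "conversation limit"
    proto, _, opcode = packet.partition(":")
    if proto == "wait":
        return "pause (wait scale %s)" % opcode
    return "%s opcode %s" % (proto, opcode)


if __name__ == "__main__":
    probs = continuation_probabilities(SAMPLE_MODEL, "ldap:0", "dcerpc:11")
    for packet, p in ranked(probs):
        print("%-10s %6.2f%%  %s" % (packet, 100 * p, label(packet)))
    print("wait:4 vs wait:3: x%.2f" % wait_ratio(4, 3))
```
.fi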
.SH "VERSION"
.PP
This man page is complete for version 4\&.19\&.5 of the Samba suite\&.
.SH "SEE ALSO"
.PP
\fBtraffic_replay\fR(7)\&.
.SH "AUTHOR"
.PP
The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
.PP
The traffic_learner tool was developed by the Samba team at Catalyst IT Ltd\&.
.PP
The traffic_learner manpage was written by Tim Beale\&.