path: root/docs-xml/manpages/traffic_learner.7.xml
blob: b921035e4bd865aaab44148971db19f32fe66f47 (plain)
<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
<refentry id="traffic_learner.7">

<refmeta>
	<refentrytitle>traffic_learner</refentrytitle>
	<manvolnum>7</manvolnum>
	<refmiscinfo class="source">Samba</refmiscinfo>
	<refmiscinfo class="manual">User Commands</refmiscinfo>
	<refmiscinfo class="version">&doc.version;</refmiscinfo>
</refmeta>


<refnamediv>
	<refname>traffic_learner</refname>
	<refpurpose>Samba tool to assist with traffic generation.
	</refpurpose>
</refnamediv>

<refsynopsisdiv>
	<cmdsynopsis>
		<command>traffic_learner</command>
		<arg choice="req">-o OUTPUT_FILE ...</arg>
		<arg choice="opt">-h</arg>
		<arg choice="opt">--dns-mode {inline|count}</arg>
		<arg choice="opt">SUMMARY_FILE</arg>
		<arg choice="opt">SUMMARY_FILE ...</arg>
	</cmdsynopsis>
</refsynopsisdiv>

<refsect1>
	<title>DESCRIPTION</title>
	<para>This tool is part of the <citerefentry><refentrytitle>samba</refentrytitle>
	<manvolnum>7</manvolnum></citerefentry> suite.</para>

	<para>This tool assists with generation of Samba traffic.
	It takes a traffic-summary file (produced by
	<command>traffic_summary.pl</command>) as input and produces a
	traffic-model file that can be used by <command>traffic_replay</command>
	for traffic generation.</para>

	<para>The model file summarizes the types of traffic ('conversations'
	between a host and a Samba DC) that occur on a network. The model file
	describes the traffic in a way that allows it to be scaled so that
	either more (or fewer) packets get sent, and the packets can be sent at
	a faster (or slower) rate than that seen in the network.</para>
</refsect1>

<refsect1>
	<title>OPTIONS</title>

	<variablelist>

	<varlistentry>
	<term>-h|--help</term>
	<listitem><para>
	Print a summary of command line options.
	</para></listitem>
	</varlistentry>

	<varlistentry>
	<term>SUMMARY_FILE</term>
	<listitem><para>
	File containing a network traffic-summary. The traffic-summary file
	should be generated by <command>traffic_summary.pl</command> from a
	packet capture of actual network traffic.
	More than one file can be specified, in which case the traffic will
	be combined into a single traffic-model. If no SUMMARY_FILE is
	specified, this tool will read the traffic-summary from STDIN, i.e.
	you can pipe the output from traffic_summary.pl directly to this tool.
	</para></listitem>
	</varlistentry>

	<varlistentry>
	<term>-o|--out OUTPUT_FILE</term>
	<listitem><para>
	The traffic-model that is produced will be written to this file. The
	OUTPUT_FILE can then be passed to <command>traffic_replay</command>
	to generate (and manipulate) Samba network traffic.
	</para></listitem>
	</varlistentry>

	<varlistentry>
	<term>--dns-mode {inline|count}</term>
	<listitem><para>
	How DNS traffic in the summary should be handled by the model. With
	<code>count</code>, DNS packets are left out of the conversation
	ngrams and only their overall rate is recorded in the model (the DNS
	traffic rate mentioned under OUTPUT FILE FORMAT). With
	<code>inline</code>, DNS packets stay in the conversations and are
	modelled like any other packet type.
	</para></listitem>
	</varlistentry>

	</variablelist>
</refsect1>

<refsect1>
	<title>EXAMPLES</title>

	<para>To take a traffic-summary file and produce a traffic-model
	file, use:</para>

	<para><command>traffic_learner traffic-summary.txt
	-o traffic-model.txt</command></para>

	<para>To generate a traffic-model from a packet capture, you can
	pipe the traffic summary to STDIN using:</para>

	<para><command>tshark -r capture.pcapng -T pdml |
	traffic_summary.pl | traffic_learner -o traffic-model.txt</command></para>
</refsect1>

<refsect1>
	<title>OUTPUT FILE FORMAT</title>

	<para>The output model file describes a Markov model estimating the
	probability of a packet occurring given the last two packets.</para>

	<para>The count of each continuation observed after a pair of
	successive packets is stored, and the ratios of these counts
	are used as the probabilities for the next packet.
	</para>

	<para>The model is stored in JSON format, and also contains
	information about the packet rate and DNS traffic rate.</para>


<refsect2>
	<title>Example ngram listing</title>
	<para>The following listing shows a contrived example of a single ngram entry.
        </para>

        <programlisting>
          "ngrams": {
             "ldap:0\tdcerpc:11": {
                 "lsarpc:77": 1,
                 "ldap:2": 370,
                 "ldap:3": 62,
                 "wait:3": 2,
                 "-": 1
             }, <lineannotation>[...]</lineannotation>
          }
        </programlisting>
        <para> This counts the observed continuations after an ldap
        packet with opcode 0 (a bind) followed by a dcerpc packet with
        opcode 11 (also a bind). The most common next packet is
        "<code>ldap:2</code>" which is an unbind, so this is the most
        likely packet type to be selected in replay. At the other
        extreme, lsarpc opcode 77 (lookup names) has been seen only
        once, and it is unlikely but possible that this will be
        selected in replay.
        </para>
        <para> There are two special packet types here.
        "<code>wait:3</code>" refers to a temporary pause in the
        conversation, where the "<code>3</code>" pseudo-opcode indicates
        the length of the wait on an exponential scale. That is, a
        "<code>wait:4</code>" pause would be about 2.7 times longer than
        a "<code>wait:3</code>", which in turn would be similarly longer
        than a "<code>wait:2</code>".
        </para>

	<para>The other special packet is "-", which represents the
	boundary of a conversation. In the example, this indicates that
	one observed conversation ended after this particular ngram.
	This special opcode is also used at the beginning of
	conversations, which are indicated by the ngram "<code>-\t-</code>".
	</para>
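	<para>The following program is an added example (not code from Samba or
	from the traffic_learner tool) that shows the two halves of the model
	described above: learning the continuation counts after each pair of
	packets, and walking the resulting chain from "<code>-\t-</code>" to
	"<code>-</code>" the way a replay would. It assumes, beyond what this
	page states, that packets are labelled "<code>protocol:opcode</code>",
	that the model order is 2, that only pauses of at least one second
	become "<code>wait:N</code>" pseudo-packets, and that the wait level is
	round(ln(seconds)), which reproduces the "about 2.7 times longer per
	level" scale. The four conversations are constructed input, not a real
	capture.</para>

<programlisting>
```python
"""Two-packet Markov ('ngram') traffic model: learn it from conversations and
sample new conversations from it, in the style of the traffic_learner model
described above.  Added example; not code from Samba or traffic_learner.

Assumptions not stated on the page: packets are labelled 'protocol:opcode',
the model order is 2, a pause is only recorded as a wait pseudo-packet when it
is at least WAIT_THRESHOLD seconds, and the wait level is round(ln(seconds)),
which gives the 'about 2.7 times longer per level' scale the text describes.
"""
import json
import math
import random
from collections import defaultdict

N = 2                 # ngram context: the previous two packets
END = "-"             # special opcode: start/end of a conversation
KEY_SEP = "\t"        # ngram keys join the context packets with a tab
WAIT_THRESHOLD = 1.0  # assumed: shorter pauses are not modelled


def wait_bucket(seconds):
    """Pseudo-packet for a pause; level k+1 is ~e times longer than level k."""
    return "wait:%d" % max(0, int(round(math.log(seconds))))


def label_conversation(timed_packets):
    """[(seconds, 'proto:opcode'), ...] -> packet labels with waits inserted."""
    labels, prev_t = [], None
    for t, label in timed_packets:
        if prev_t is not None and t - prev_t >= WAIT_THRESHOLD:
            labels.append(wait_bucket(t - prev_t))
        labels.append(label)
        prev_t = t
    return labels


def learn(conversations):
    """Count every continuation seen after each pair of successive packets.
    Each conversation is padded with N end markers in front (so the first
    context is '-\\t-') and terminated with one end marker."""
    ngrams = defaultdict(lambda: defaultdict(int))
    for conv in conversations:
        seq = [END] * N + list(conv) + [END]
        for i in range(N, len(seq)):
            key = KEY_SEP.join(seq[i - N:i])
            ngrams[key][seq[i]] += 1
    return {"n": N, "ngrams": {k: dict(v) for k, v in ngrams.items()}}


def probabilities(model, context):
    """Ratios of the stored counts for one context (the replay probabilities)."""
    counts = model["ngrams"][KEY_SEP.join(context)]
    total = sum(counts.values())
    return {pkt: c / total for pkt, c in counts.items()}


def sample_conversation(model, rng, max_packets=1000):
    """Walk the chain from '-\\t-', drawing each next packet in proportion to
    its count, until the end marker is drawn or the context is unseen."""
    history, out = [END] * N, []
    while len(out) < max_packets:
        counts = model["ngrams"].get(KEY_SEP.join(history))
        if not counts:
            break
        pkts, weights = zip(*counts.items())
        nxt = rng.choices(pkts, weights=weights)[0]
        if nxt == END:
            break
        out.append(nxt)
        history = history[1:] + [nxt]
    return out


def sample_many(model, seed, count):
    """Distinct conversations drawn with a seeded generator (repeatable)."""
    rng = random.Random(seed)
    return {tuple(sample_conversation(model, rng)) for _ in range(count)}


def roundtrip(model):
    """The model file is JSON; tabs in keys survive as '\\t' escapes."""
    return json.loads(json.dumps(model))


# Constructed sample input (not a real capture): four client-to-DC
# conversations as (seconds since conversation start, 'protocol:opcode').
SAMPLE = [
    [(0.0, "ldap:0"), (0.1, "dcerpc:11"), (0.2, "ldap:2")],
    [(0.0, "ldap:0"), (0.1, "dcerpc:11"), (0.2, "ldap:3"), (0.3, "ldap:2")],
    [(0.0, "ldap:0"), (0.1, "dcerpc:11"), (20.0, "lsarpc:77"), (20.1, "ldap:2")],
    [(0.0, "ldap:0"), (0.1, "dcerpc:11")],
]

MODEL = learn(label_conversation(c) for c in SAMPLE)

if __name__ == "__main__":
    print(json.dumps(MODEL, indent=2, sort_keys=True))
    print(probabilities(MODEL, ["ldap:0", "dcerpc:11"]))
    for _ in range(5):
        print(sample_conversation(MODEL, random.Random()))
```
</programlisting>

	<para>Run as a script, it prints the learned model (the
	"<code>ldap:0\tdcerpc:11</code>" entry has one count each for
	"<code>ldap:2</code>", "<code>ldap:3</code>", "<code>wait:3</code>"
	and "<code>-</code>", mirroring the listing above), the probabilities
	for that context, and five sampled conversations. The 19.9 second gap
	in the third conversation lands in "<code>wait:3</code>" because
	ln(19.9) rounds to 3; a gap of about 54 seconds would land in
	"<code>wait:4</code>".</para>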


</refsect2>
</refsect1>

<refsect1>
	<title>VERSION</title>

	<para>This man page is complete for version &doc.version; of the Samba
	suite.</para>
</refsect1>

<refsect1>
	<title>SEE ALSO</title>
	<para>
	<citerefentry>
	<refentrytitle>traffic_replay</refentrytitle><manvolnum>7</manvolnum>
	</citerefentry>.
	</para>
</refsect1>

<refsect1>
	<title>AUTHOR</title>

	<para>The original Samba software and related utilities
	were created by Andrew Tridgell. Samba is now developed
	by the Samba Team as an Open Source project similar
	to the way the Linux kernel is developed.</para>

	<para>The traffic_learner tool was developed by the Samba team at
	Catalyst IT Ltd.</para>

	<para>The traffic_learner manpage was written by Tim Beale.</para>
</refsect1>

</refentry>