mirror of
https://github.com/samba-team/samba.git
synced 2024-12-22 13:34:15 +03:00
201 lines
6.3 KiB
XML
<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
<refentry id="traffic_learner.7">

<refmeta>
	<refentrytitle>traffic_learner</refentrytitle>
	<manvolnum>7</manvolnum>
	<refmiscinfo class="source">Samba</refmiscinfo>
	<refmiscinfo class="manual">User Commands</refmiscinfo>
	<refmiscinfo class="version">4.7</refmiscinfo>
</refmeta>


<refnamediv>
	<refname>traffic_learner</refname>
	<refpurpose>Samba tool to assist with traffic generation.</refpurpose>
</refnamediv>

<refsynopsisdiv>
	<cmdsynopsis>
		<command>traffic_learner</command>
		<arg choice="req">-o OUTPUT_FILE ...</arg>
		<arg choice="opt">-h</arg>
		<arg choice="opt">--dns-mode {inline|count}</arg>
		<arg choice="opt">SUMMARY_FILE</arg>
		<arg choice="opt">SUMMARY_FILE ...</arg>
	</cmdsynopsis>
</refsynopsisdiv>

<refsect1>
	<title>DESCRIPTION</title>
	<para>This tool is part of the <citerefentry><refentrytitle>samba</refentrytitle>
	<manvolnum>7</manvolnum></citerefentry> suite.</para>

	<para>This tool assists with generation of Samba traffic.
	It takes a traffic-summary file (produced by
	<command>traffic_summary.pl</command>) as input and produces a
	traffic-model file that can be used by <command>traffic_replay</command>
	for traffic generation.</para>

	<para>The model file summarizes the types of traffic ('conversations'
	between a host and a Samba DC) that occur on a network. The model file
	describes the traffic in a way that allows it to be scaled, so that
	either more (or fewer) packets get sent, and the packets can be sent at
	a faster (or slower) rate than that seen on the network.</para>
</refsect1>

<refsect1>
	<title>OPTIONS</title>

	<variablelist>

		<varlistentry>
		<term>-h|--help</term>
		<listitem><para>
		Print a summary of command line options.
		</para></listitem>
		</varlistentry>

		<varlistentry>
		<term>SUMMARY_FILE</term>
		<listitem><para>
		File containing a network traffic-summary. The traffic-summary file
		should be generated by <command>traffic_summary.pl</command> from a
		packet capture of actual network traffic.
		More than one file can be specified, in which case the traffic will
		be combined into a single traffic-model. If no SUMMARY_FILE is
		specified, this tool will read the traffic-summary from STDIN, i.e.
		you can pipe the output from traffic_summary.pl directly to this tool.
		</para></listitem>
		</varlistentry>

		<varlistentry>
		<term>-o|--out OUTPUT_FILE</term>
		<listitem><para>
		The traffic-model that is produced will be written to this file. The
		OUTPUT_FILE can then be passed to <command>traffic_replay</command>
		to generate (and manipulate) Samba network traffic.
		</para></listitem>
		</varlistentry>

		<varlistentry>
		<term>--dns-mode [inline|count]</term>
		<listitem><para>
		How DNS traffic should be handled by the model.
		</para></listitem>
		</varlistentry>

	</variablelist>
</refsect1>

<refsect1>
	<title>EXAMPLES</title>

	<para>To take a traffic-summary file and produce a traffic-model
	file, use:</para>

	<para><command>traffic_learner traffic-summary.txt
	-o traffic-model.txt</command></para>

	<para>To generate a traffic-model from a packet capture, you can
	pipe the traffic summary to STDIN using:</para>

	<para><command>tshark -r capture.pcapng -T pdml |
	traffic_summary.pl | traffic_learner -o traffic-model.txt</command></para>
</refsect1>

<refsect1>
	<title>OUTPUT FILE FORMAT</title>

	<para>The output model file describes a Markov model estimating the
	probability of a packet occurring given the last two packets.</para>

	<para>The count of each continuation after a pair of
	successive packets is stored, and the ratios of these counts
	are used to calculate probabilities for the next packet.
	</para>

	<para>The model is stored in JSON format, and also contains
	information about the conversation rate and DNS traffic
	rate.</para>


	<refsect2>
	<title>Example ngram listing</title>
	<para>The following listing shows a contrived example of a single ngram entry.
	</para>

	<programlisting>
"ngrams": {
    "ldap:0\tdcerpc:11": {
        "lsarpc:77": 1,
        "ldap:2": 370,
        "ldap:3": 62,
        "wait:3": 2,
        "-": 1
    }, <lineannotation>[...]</lineannotation>
}
	</programlisting>

	<para>This counts the observed continuations after an ldap
	packet with opcode 0 (a bind) followed by a dcerpc packet with
	opcode 11 (also a bind). The most common next packet is
	"<code>ldap:2</code>", which is an unbind, so this is the most
	likely packet type to be selected in replay. At the other
	extreme, lsarpc opcode 77 (lookup names) has been seen only
	once, and it is unlikely but possible that this will be
	selected in replay.
	</para>

	<para>There are two special packet types here.
	"<code>wait:3</code>" refers to a temporary pause in the
	conversation, where the "<code>3</code>" pseudo-opcode indicates
	the length of the wait on an exponential scale. That is, a
	"<code>wait:4</code>" pause would be about 2.7 times longer than
	a "<code>wait:3</code>", which in turn would be similarly longer
	than a "<code>wait:2</code>".
	</para>

	<para>The other special packet is "-", which represents the
	limit of the conversation. In the example, this indicates that
	one observed conversation ended after this particular ngram.
	This special opcode is also used at the beginning of
	conversations, which are indicated by the ngram "<code>-\t-</code>".
	</para>

	</refsect2>
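<para>The following Python block is an added worked example, not code from the Samba project or from this man page. It generalises the listing above: it builds ngram counts of the same shape from a few constructed sample conversations (including the "-\t-" start ngram and the "-" end marker), turns one ngram's counts into next-packet probabilities, serialises and reloads them as JSON, and computes the exponential wait ratio. The sample packet sequences and the function names are assumptions made for illustration.</para>

```python
import json
import math
from collections import defaultdict

END = "-"  # pseudo-packet marking both the start ("-\t-") and the end of a conversation

# Constructed sample conversations (hypothetical, not from a real capture): each is the
# ordered list of "protocol:opcode" packets exchanged between one host and the DC.
SAMPLE_CONVERSATIONS = [
    ["ldap:0", "dcerpc:11", "ldap:2"],
    ["ldap:0", "dcerpc:11", "ldap:3", "ldap:2"],
    ["ldap:0", "dcerpc:11", "wait:3", "ldap:2"],
    ["ldap:0", "dcerpc:11"],
]


def learn_ngrams(conversations):
    """Count, for every pair of successive packets, each observed continuation.
    Keys use the tab-joined form of the model file ("ldap:0\tdcerpc:11")."""
    ngrams = defaultdict(lambda: defaultdict(int))
    for conv in conversations:
        seq = [END, END] + list(conv) + [END]
        for i in range(len(seq) - 2):
            ngrams[seq[i] + "\t" + seq[i + 1]][seq[i + 2]] += 1
    return {key: dict(counts) for key, counts in ngrams.items()}


def next_packet_probabilities(ngrams, prev2, prev1):
    """Turn the raw counts behind one ngram into replay probabilities (ratios of counts)."""
    counts = ngrams.get(prev2 + "\t" + prev1, {})
    total = sum(counts.values())
    return {pkt: n / total for pkt, n in counts.items()} if total else {}


def wait_ratio(higher, lower):
    """Relative length of two wait pseudo-opcodes on the exponential scale:
    wait:4 is about e (2.7x) longer than wait:3."""
    return math.exp(higher - lower)


def model_to_json(ngrams):
    """Serialise the counts the way the model file stores them (JSON, tab inside the key)."""
    return json.dumps({"ngrams": ngrams}, indent=4)


def load_probabilities(model_json, prev2, prev1):
    """Read a model file's JSON text back and compute the probabilities for one ngram."""
    return next_packet_probabilities(json.loads(model_json)["ngrams"], prev2, prev1)
```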
</refsect1>

<refsect1>
	<title>VERSION</title>

	<para>This man page is complete for version 4 of the Samba
	suite.</para>
</refsect1>

<refsect1>
	<title>SEE ALSO</title>
	<para>
	<citerefentry>
	<refentrytitle>traffic_replay</refentrytitle><manvolnum>7</manvolnum>
	</citerefentry>.
	</para>
</refsect1>

<refsect1>
	<title>AUTHOR</title>

	<para>The original Samba software and related utilities
	were created by Andrew Tridgell. Samba is now developed
	by the Samba Team as an Open Source project similar
	to the way the Linux kernel is developed.</para>

	<para>The traffic_learner tool was developed by the Samba team at
	Catalyst IT Ltd.</para>

	<para>The traffic_learner manpage was written by Tim Beale.</para>
</refsect1>

</refentry>