
Ethereal-users: Re: [Ethereal-users] Loading and analyzing multiple capture files

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date: Thu, 17 Mar 2005 23:04:23 +0100
> So, to summarize, I've found tcptrace to be of some use in analyzing
> multiple copies of the same traffic (for both tcp & udp), but would
> appreciate any insight others may have in how to handle these problems.

MATE (http://wiki.ethereal.com/Mate) can help you to correlate
identical udp packets.

- Capture on all span ports of all involved switches (as the volume
is huge you might want to use tcpdump instead of tethereal).

- Merge the files with mergecap.

The config for MATE would be the following:

# udpdups.mate --- a minimal MATE config to group duplicate udp packets

# first we create a pdu for every udp packet
# adding src and dst addr and port, plus the udp checksum
# we do it on more lines to avoid wrapping
Action=PduDef; Name=udp_packet; Proto=udp; Transport=ip; src=ip.src; dst=ip.dst;
Action=PduExtra; For=udp_packet; spt=udp.src; dpt=udp.dst; chk=udp.checksum;

# then we group all pdus with identical data.
Action=GopDef; Name=udp_flow; On=udp_packet; src; dst; spt; dpt; chk;

# the group will start at the first occurrence (an ip packet always
# has a source address)
Action=GopStart; For=udp_flow; src;

# and will never finish (as there's no "never" defined)
Action=GopStop; For=udp_flow; never;

# --- That's it

At this point let's say that you expect to see every packet 4 times.

Launch ethereal -o 'mate.config: config.mate' -r merged.cap,
then apply the filter "mate.udp_flow.NumOfPdus < 4".

Unfortunately the next example won't work.

tethereal -r merged.cap -w loss.cap \
     -o 'mate.config: config.mate' -R 'mate.udp_flow.NumOfPdus < 4'

MATE cannot see into the future, so at the first occurrence of a
packet NumOfPdus==1, at the second NumOfPdus==2 and at the third
NumOfPdus==3; just the fourth packet won't be seen.

In ethereal the same holds true for the first scan. But after that MATE
would have created its view of the capture and, since the Gop (group of
pdus) is unique for all pdus in a group, its counter would be the total
number.
  
I hope this helps.
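As an added illustration (not part of the original message and not MATE or Ethereal code), the following Python script reproduces the two behaviours the reply describes on a small constructed packet list: a single-pass read filter that evaluates NumOfPdus as each copy is read, and a two-pass count that knows every group's final size before filtering. The packet tuples, addresses and checksums are constructed sample data, and the helper functions are hypothetical; the grouping key is the same set of fields the GopDef above uses (src, dst, spt, dpt, chk).

```python
"""Single-pass vs two-pass duplicate counting for merged span-port captures.

Every UDP packet is expected N times (once per span port). A flow whose
final copy count is below N points at a copy that one capture missed.
Constructed example; not MATE/Ethereal code.
"""
from collections import Counter
from typing import Dict, List, Tuple

# (frame, src, dst, spt, dpt, chk): the fields the MATE GopDef groups on.
Packet = Tuple[int, str, str, int, int, int]
FlowKey = Tuple[str, str, int, int, int]

# Constructed merged capture: flows A and C were seen on all four span
# ports, flow B only on three (its fourth copy is the "loss").
SAMPLE_MERGED: List[Packet] = [
    (1, "10.0.0.1", "10.0.0.2", 40000, 53, 0x1A2B),  # A, copy 1
    (2, "10.0.0.1", "10.0.0.2", 40000, 53, 0x1A2B),  # A, copy 2
    (3, "10.0.0.3", "10.0.0.2", 40001, 53, 0x3C4D),  # B, copy 1
    (4, "10.0.0.1", "10.0.0.2", 40000, 53, 0x1A2B),  # A, copy 3
    (5, "10.0.0.3", "10.0.0.2", 40001, 53, 0x3C4D),  # B, copy 2
    (6, "10.0.0.1", "10.0.0.2", 40000, 53, 0x1A2B),  # A, copy 4
    (7, "10.0.0.3", "10.0.0.2", 40001, 53, 0x3C4D),  # B, copy 3 (no 4th)
    (8, "10.0.0.5", "10.0.0.2", 40002, 53, 0x5E6F),  # C, copy 1
    (9, "10.0.0.5", "10.0.0.2", 40002, 53, 0x5E6F),  # C, copy 2
    (10, "10.0.0.5", "10.0.0.2", 40002, 53, 0x5E6F),  # C, copy 3
    (11, "10.0.0.5", "10.0.0.2", 40002, 53, 0x5E6F),  # C, copy 4
]


def flow_key(pkt: Packet) -> FlowKey:
    """The AVPs the udp_flow Gop is keyed on: src; dst; spt; dpt; chk."""
    _frame, src, dst, spt, dpt, chk = pkt
    return (src, dst, spt, dpt, chk)


def single_pass_filter(packets: List[Packet], expected: int) -> List[int]:
    """Frames a streaming read filter 'NumOfPdus < expected' would keep.

    The counter only reflects copies read so far, so the first
    expected-1 copies of EVERY flow match, whether or not the flow is
    actually short. This is why the tethereal -R variant cannot work.
    """
    seen: Counter = Counter()
    selected: List[int] = []
    for pkt in packets:
        key = flow_key(pkt)
        seen[key] += 1
        if seen[key] < expected:
            selected.append(pkt[0])
    return selected


def two_pass_filter(packets: List[Packet], expected: int) -> List[int]:
    """Frames kept once each group's final count is known.

    First pass counts every copy; second pass keeps frames whose flow
    total is below expected. This matches the GUI after MATE's first scan.
    """
    totals = Counter(flow_key(p) for p in packets)
    return [p[0] for p in packets if totals[flow_key(p)] < expected]


def short_flows(packets: List[Packet], expected: int) -> Dict[FlowKey, int]:
    """Flows with fewer copies than expected, with their observed count."""
    totals = Counter(flow_key(p) for p in packets)
    return {key: n for key, n in totals.items() if n < expected}


if __name__ == "__main__":
    print("single pass keeps:", single_pass_filter(SAMPLE_MERGED, 4))
    print("two pass keeps:   ", two_pass_filter(SAMPLE_MERGED, 4))
    print("short flows:      ", short_flows(SAMPLE_MERGED, 4))
```

Against the sample, the single-pass filter keeps nine frames (three copies of every flow, short or not), while the two-pass filter keeps only frames 3, 5 and 7, the flow that really lost a copy. The same logic applies to a real merged capture once the tuples are read from it with a pcap library.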