On Wed, Nov 28, 2012 at 11:54:04AM +0000, Matej Kosik wrote: > Hi, > > I am experiencing some deterministic packet drop: > - when I tcpreplay on "lo" some pcap (0.pcap) file, > that traffic does not reach listening applications > - when I change source IP address from whatever it was to, e.g., > 10.0.10.6, 10.0.10.7 etc, > then when I try to replay the modified pcap file (1.pcap), > that traffic does reache applications. > > I would like to find out the cause of this. > The only thing which could be causing thing I was aware of was > "iptables". However, when I apt-get removed it, nothing changed. > > What else should I check?
Have a look at the TCP sequence numbers and the TCP Handshake. To establish a connection: * The client sends a SYN packet to the server with a random sequence number (A). * The server replies with a SYN-ACK packet with an acknowledgement number set to one more than the client's sequence number (A + 1) and its own random sequence number (B). * The client sends an ACK packet to the server with an acknowledgement number set to one more than the servers sequence number (B + 1) and a sequence number of the received acknowlegement number (A + 1). So, when you replay the traffic, that third stage goes wrong (basically, you send the wrong B+1 value). Have a look at "http://tcpreplay.synfin.net/wiki/FAQ#Doestcpreplaysupportsendingtraffictoaserver"
signature.asc
Description: Digital signature