1TRAFFIC_LEARNER(7) User Commands TRAFFIC_LEARNER(7)
2
3
4
6 traffic_learner - Samba tool to assist with traffic generation.
7
9 traffic_learner {-o OUTPUT_FILE ...} [-h] [--dns-mode {inline|count}]
10 [SUMMARY_FILE] [SUMMARY_FILE ...]
11
13 This tool is part of the samba(7) suite.
14
15 This tool assists with generation of Samba traffic. It takes a
16 traffic-summary file (produced by traffic_summary.pl) as input and
17 produces a traffic-model file that can be used by traffic_replay for
18 traffic generation.
19
20 The model file summarizes the types of traffic ('conversations' between
21 a host and a Samba DC) that occur on a network. The model file
22 describes the traffic in a way that allows it to be scaled so that
23 either more (or fewer) packets get sent, and the packets can be sent at
24 a faster (or slower) rate than that seen in the network.
25
27 -h|--help
28 Print a summary of command line options.
29
30 SUMMARY_FILE
31 File containing a network traffic-summary. The traffic-summary file
32 should be generated by traffic_summary.pl from a packet capture of
33 actual network traffic. More than one file can be specified, in
34 which case the traffic will be combined into a single
35 traffic-model. If no SUMMARY_FILE is specified, this tool will read
36 the traffic-summary from STDIN, i.e. you can pipe the output from
37 traffic_summary.pl directly to this tool.
38
39 -o|--out OUTPUT_FILE
40 The traffic-model that is produced will be written to this file.
41 The OUTPUT_FILE can then be passed to traffic_replay to generate
42 (and manipulate) Samba network traffic.
43
44 --dns-mode [inline|count]
45 How DNS traffic should be handled by the model.
46
48 To take a traffic-summary file and produce a traffic-model file, use:
49
50 traffic_learner traffic-summary.txt -o traffic-model.txt
51
52 To generate a traffic-model from a packet capture, you can pipe the
53 traffic summary to STDIN using:
54
55 tshark -r capture.pcapng -T pdml | traffic_summary.pl | traffic_learner
56 -o traffic-model.txt
57
59 The output model file describes a Markov model estimating the
60 probability of a packet occurring given the last two packets.
61
62 The count of each continuation after a pair of successive packets is
63 stored, and the ratios of these counts is used to calculate
64 probabilities for the next packet.
65
66 The model is stored in JSON format, and also contains information about
67 the packet rate and DNS traffic rate.
68
69 Example ngram listing
70 The following listing shows a contrived example of a single ngram
71 entry.
72
73 "ngrams": {
74 "ldap:0\tdcerpc:11": {
75 "lsarpc:77": 1,
76 "ldap:2": 370,
77 "ldap:3": 62,
78 "wait:3": 2,
79 "-": 1
80 }, [...]
81 }
82
83
84 This counts the observed continuations after an ldap packet with opcode
85 0 (a bind) followed by a dcerpc packet with opcode 11 (also a bind).
86 The most common next packet is "ldap:2" which is an unbind, so this is
87 the most likely packet type to be selected in replay. At the other
88 extreme, lsarpc opcode 77 (lookup names) has been seen only once, and
89 it is unlikely but possible that this will be selected in replay.
90
91 There are two special packet types here. "wait:3" refers to a temporary
92 pause in the conversation, where the "3" pseudo-opcode indicates the
93 length of the wait on an exponential scale. That is, a "wait:4" pause
94 would be about 2.7 times longer that a "wait:3", which in turn would be
95 similarly longer than a "wait:2".
96
97 The other special packet is "-", which represents the limit of the
98 conversation. In the example, this indicates that one observed
99 conversation ended after this particular ngram. This special opcode is
100 also used at the beginning of conversations, which are indicated by the
101 ngram "-\t-".
102
104 This man page is complete for version 4.12.2 of the Samba suite.
105
107 traffic_replay(7).
108
110 The original Samba software and related utilities were created by
111 Andrew Tridgell. Samba is now developed by the Samba Team as an Open
112 Source project similar to the way the Linux kernel is developed.
113
114 The traffic_learner tool was developed by the Samba team at Catalyst IT
115 Ltd.
116
117 The traffic_learner manpage was written by Tim Beale.
118
119
120
121Samba 4.12.2 04/28/2020 TRAFFIC_LEARNER(7)