
Replaying Traffic


6 replies to this topic

#1 2point0

    Will I break 10 posts?

  • Members
  • 9 posts

Posted 24 September 2008 - 04:57 PM

Hi Everyone,

I currently need a way to play a 500 meg .cap file against another host (not the one it originated from). I am not terribly familiar with this process so please try and follow what may be a confusing description.

I need to work on a custom snort rule set and eliminate some of the more common/frequent false positives or alerts that are of no concern. I have 2 servers at my disposal for doing so. One is high traffic and cannot have snort installed on it (we'll call it web1). The other has less traffic but can have snort installed on it (server2).

What I am trying to do is capture traffic from web1 and rewrite the destination IP addresses so that they match the IPs on server2 so that I can copy it over to server2 and use BASE to help me monitor alerts. Once the traffic from web1 has been captured, I have moved it to server2 via scp.

The first problem was discovering that I couldn't simply rewrite the IP addresses without screwing up the checksum. The command I am currently using to replay the traffic is:

tcpreplay --fixcsum --dstipmap=x.x.x.x/29:y.y.y.y/29 --mbps=3.0 --intf1=eth0 snortcapture.cap (web1 = x, server2 = y)

I am out of ideas as to how I can replay this traffic and have snort listen for it appropriately as it is not logging any alerts that may exist within the .cap file. I also added the appropriate IPs to HOME_NET in my snort.conf for server2.

Thanks in advance for any suggestions!

#2 LUCKY_FUCKIN_CHARMS

    TCP/IP....PI/MP

  • Members
  • 1,493 posts
  • Gender:Male
  • Location:Las Vegas

Posted 24 September 2008 - 05:19 PM

Well, on Windows this wouldn't be hard to do at all with CommView for WiFi.

#3 2point0

    Will I break 10 posts?

  • Members
  • 9 posts

Posted 24 September 2008 - 06:19 PM

> Well, on Windows this wouldn't be hard to do at all with CommView for WiFi.

I am not sure if I missed what you were saying, but it needs to be played back locally rather than remotely (against the machine from another) which is why I am trying to rewrite the destination IPs.

#4 n1njastr1k3forc3

    The phorce is with me!

  • Members
  • 71 posts
  • Location:N1nja town

Posted 27 September 2008 - 09:09 PM

As lucky fucking charms said, it would work fine on Windows. I have however had the same problem that you are having with Ubuntu. So Windows would be your best bet. :ninja:

#5 duper

    Dangerous free thinker

  • Members
  • 816 posts
  • Location:NYC

Posted 27 September 2008 - 09:38 PM

You could write a C program with libpcap.h that rewrites the destination address and recalculates the checksum.
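
As an added example of what duper describes (not code from this thread), here is the same idea in Python with no external library: rewrite the IPv4 destination of each frame from one /29 into the other, then recompute the IPv4 header checksum and the TCP/UDP checksum over the pseudo-header, walking a libpcap-format .cap held in memory. The subnet strings, the Ethernet-only link type, the equal prefix lengths and the sample frame are assumptions constructed for this example.

```python
import struct, ipaddress

def csum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"                     # odd trailing byte is zero-padded
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:                          # fold carries back into 16 bits
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF                    # 0 when data already carries a valid checksum

def rewrite_dst(frame: bytes, old_net: str, new_net: str) -> bytes:
    """Move an Ethernet/IPv4 frame's destination from old_net to the same host in new_net and fix checksums."""
    old, new = ipaddress.ip_network(old_net), ipaddress.ip_network(new_net)  # assumed equal prefix length
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":       # not plain Ethernet/IPv4 (VLAN, IPv6, ARP): untouched
        return frame
    ip = 14                                                   # IPv4 header offset after the Ethernet header
    ihl = (frame[ip] & 0x0F) * 4
    dst = ipaddress.ip_address(frame[ip + 16:ip + 20])
    if dst not in old:
        return frame
    new_dst = int(new.network_address) + (int(dst) - int(old.network_address))   # keep the host bits
    buf = bytearray(frame)
    buf[ip + 16:ip + 20] = new_dst.to_bytes(4, "big")
    buf[ip + 10:ip + 12] = b"\x00\x00"                        # zero, then recompute the header checksum
    buf[ip + 10:ip + 12] = csum(bytes(buf[ip:ip + ihl])).to_bytes(2, "big")
    proto, l4, l4_end = buf[ip + 9], ip + ihl, ip + int.from_bytes(buf[ip + 2:ip + 4], "big")
    cs_off = {6: 16, 17: 6}.get(proto)                        # checksum field offset inside TCP / UDP
    if cs_off is not None and l4_end <= len(buf) and l4 + cs_off + 2 <= l4_end:
        buf[l4 + cs_off:l4 + cs_off + 2] = b"\x00\x00"
        pseudo = bytes(buf[ip + 12:ip + 20]) + struct.pack("!BBH", 0, proto, l4_end - l4)   # src, dst, 0, proto, len
        c = csum(pseudo + bytes(buf[l4:l4_end]))
        if proto == 17 and c == 0:                            # UDP: 0 means "no checksum", so send 0xFFFF instead
            c = 0xFFFF
        buf[l4 + cs_off:l4 + cs_off + 2] = c.to_bytes(2, "big")
    return bytes(buf)

def rewrite_pcap(data: bytes, old_net: str, new_net: str) -> bytes:
    """Apply rewrite_dst to every record of an in-memory libpcap (.cap) file; record lengths never change."""
    little = data[:4] in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1")   # magic number gives record-header byte order
    out, pos = bytearray(data[:24]), 24                       # global header is copied unchanged
    while pos + 16 <= len(data):
        incl_len = int.from_bytes(data[pos + 8:pos + 12], "little" if little else "big")
        out += data[pos:pos + 16] + rewrite_dst(data[pos + 16:pos + 16 + incl_len], old_net, new_net)
        pos += 16 + incl_len
    return bytes(out)

# Constructed sample: Ethernet + IPv4 + TCP SYN from 10.0.0.5 to 192.0.2.10:80; both checksums are
# left at zero, which is what a capture taken on a host with checksum offload looks like.
SAMPLE_FRAME = bytes.fromhex("00112233445566778899aabb0800" "4500002800010000400600000a000005c000020a"
                             "9c40005000000001000000005002ffff00000000")
```

For a real file, read it into `data`, call `rewrite_pcap(data, "x.x.x.x/29", "y.y.y.y/29")` and write the result out before handing it to tcpreplay.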

#6 superkippah

    HACK THE PLANET!

  • Members
  • 58 posts

Posted 27 September 2008 - 10:00 PM

Could you please give a little more information?

And have you taken a look at netcat?

#7 Spyril

    Hakker addict

  • Members
  • 588 posts
  • Location:North Dakota

Posted 27 September 2008 - 10:14 PM

tcprewrite can do this with the -C switch; check out the man page:

http://linux.die.net/man/1/tcprewrite

> And have you taken a look at netcat?

netcat can't re-broadcast .cap files.

EDIT: It looks like you're using the wrong program for the job. Apparently Tcpreplay is unable to change sequence numbers, ACK numbers, etc. in real-time to match the state of the conversation. I've found a similar project called Flowreplay, but it's dead. I can't imagine it's easy to make software like this (because of the trouble of replaying packets containing stateful protocols, as mentioned in the article), but I wonder if there have been any other attempts at creating similar software.

Is there any protocol, or even OSI layer, that you're looking at in particular? Your best bet may be to hack together some scripts that read just the body data of whatever protocol you're using, and then send that data using a socket of some type.

Edited by Spyril, 27 September 2008 - 11:33 PM.





BinRev is hosted by the great people at Lunarpages!