2point0

Replaying Traffic

6 posts in this topic

Hi Everyone,

I currently need a way to play a 500 meg .cap file against another host (not the one it originated from). I am not terribly familiar with this process, so please try to follow what may be a confusing description.

I need to work on a custom Snort rule set and eliminate some of the more common/frequent false positives or alerts that are of no concern. I have 2 servers at my disposal for doing so. One is high traffic and cannot have Snort installed on it (we'll call it web1). The other has less traffic but can have Snort installed on it (server2).

What I am trying to do is capture traffic from web1 and rewrite the destination IP addresses so that they match the IPs on server2, so that I can copy it over to server2 and use BASE to help me monitor alerts. Once the traffic from web1 has been captured, I move it to server2 via scp.

The first problem was discovering that I couldn't simply rewrite the IP addresses without screwing up the checksum. The command I am currently using to replay the traffic is:

tcpreplay --fixcsum --dstipmap=x.x.x.x/29:y.y.y.y/29 --mbps=3.0 --intf1=eth0 snortcapture.cap (web1 = x, server2 = y)

I am out of ideas as to how I can replay this traffic and have Snort listen for it appropriately, as it is not logging any alerts that may exist within the .cap file. I also added the appropriate IPs to HOME_NET in my snort.conf for server2.

Thanks in advance for any suggestions!

Well, on Windows this wouldn't be hard to do at all with CommView for WiFi.

I am not sure if I missed what you were saying, but it needs to be played back locally rather than remotely (against the machine from another), which is why I am trying to rewrite the destination IPs.


As lucky fucking charms said, it would work fine on Windows. I have, however, had the same problem you are having with Ubuntu. So Windows would be your best bet. :ninja:


You could write a C program with libpcap.h that rewrites the destination address and recalculates the checksum.


Could you please give a little more information?

And have you taken a look at netcat?


tcprewrite can do this with the -C switch; check out the man page:

http://linux.die.net/man/1/tcprewrite

And have you taken a look at netcat?

netcat can't re-broadcast .cap files.

EDIT: It looks like you're using the wrong program for the job. Apparently Tcpreplay is unable to change sequence numbers, ACK numbers, etc. in real-time to match the state of the conversation. I've found a similar project called Flowreplay, but it's dead. I can't imagine it's easy to make software like this (because of the trouble of replaying packets containing stateful protocols, as mentioned in the article), but I wonder if there have been any other attempts at creating similar software.

Is there any protocol, or even OSI layer, that you're looking at in particular? Your best bet may be to hack together some scripts that read just the body data of whatever protocol you're using, and then send that data using a socket of some type.

Edited by Spyril
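An added example, not code from this thread or from tcpreplay/tcprewrite, of the rewrite-and-fix-checksums step the first post needs and the later reply proposes writing in C: it walks a classic little-endian pcap, remaps IPv4 destination addresses through an assumed one-to-one dictionary (the thread's /29-to-/29 map is the same idea over a range), and recomputes the IPv4 header checksum plus the TCP/UDP checksum, which also covers the destination through the pseudo-header.

```python
# Added example (not tcpreplay's or the thread's code): remap IPv4 destinations in a
# classic LE pcap and recompute IPv4 + TCP/UDP checksums. dstmap is an assumed {old: new} dict.
import socket
import struct

def inet_checksum(data: bytes) -> int:
    # RFC 1071 one's-complement sum; returns 0 for a correctly checksummed buffer
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def rewrite_frame(frame: bytes, dstmap: dict) -> bytes:
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return frame                      # not plain IPv4-over-Ethernet: left untouched
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    ip = bytearray(frame[14:14 + ihl])
    old_dst = socket.inet_ntoa(bytes(ip[16:20]))
    if old_dst not in dstmap:
        return frame
    ip[16:20] = socket.inet_aton(dstmap[old_dst])
    ip[10:12] = b"\x00\x00"               # checksum field is zero while summing
    ip[10:12] = struct.pack("!H", inet_checksum(bytes(ip)))
    proto = ip[9]
    payload = bytearray(frame[14 + ihl:14 + total_len])
    trailer = frame[14 + total_len:]      # Ethernet padding stays as-is
    # TCP (6) / UDP (17) checksums cover a pseudo-header holding the new destination, so they
    # are recomputed too; a frame cut short by the capture snaplen keeps its stale checksum.
    off = {6: 16, 17: 6}.get(proto)
    if off is not None and len(payload) == total_len - ihl and len(payload) >= off + 2:
        payload[off:off + 2] = b"\x00\x00"
        pseudo = bytes(ip[12:20]) + struct.pack("!BBH", 0, proto, len(payload))
        csum = inet_checksum(pseudo + bytes(payload))
        payload[off:off + 2] = struct.pack("!H", csum or (0xFFFF if proto == 17 else 0))
    return frame[:14] + bytes(ip) + bytes(payload) + trailer

def rewrite_pcap(data: bytes, dstmap: dict) -> bytes:
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("expected a little-endian classic pcap file")
    out, pos = bytearray(data[:24]), 24   # 24-byte global header, then 16-byte record headers
    while pos + 16 <= len(data):
        hdr = data[pos:pos + 16]
        incl_len = struct.unpack("<IIII", hdr)[2]
        out += hdr + rewrite_frame(data[pos + 16:pos + 16 + incl_len], dstmap)
        pos += 16 + incl_len
    return bytes(out)
```

Snort 2's default checksum_mode (all) does not run detection on packets whose checksums are wrong, so stale checksums after an address rewrite are one direct cause of a replayed capture producing no alerts.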