Re: Retransmissions while blocking TCP Stack's RST?

[Jared Stanbrough <jareds () pdx edu>]

On Wed, 30 Oct 2002, Brad Arlt wrote:

> On Wed, Oct 30, 2002 at 06:33:38AM -0800, Cynic wrote:
> > Hi,
> >
> > I am looking for an application for *NIX, that can replay captured
> > packets, while dropping, the TCP Stacks responses.  Let's assume I
> > replay a SYN, and receive a SYN-ACK, my host's TCP Stack immediatley
> > replies with a RST since it was not aware a connection was to be
> > opened.  So I am looking for some low-level retransmission
> > application for *nix such as Network monitor for NT. (I believe it
> > does this.)
>
> http://tcpreplay.sourceforge.net/
>
> TCP Replay resends a libpcap or snoop capture file.  As far as I know
> it doesn't listen to a darn thing, so you are good to go.

This doesn't address the issue of keeping the originating machine from
trying to take part in the replayed TCP session. The question isn't how to
replay the data, it's how to keep the originating host from screwing it up
by tearing down the illigitimate connection.

One easy way to do this would be to setup iptables to block outbound TCP
packets that have the RST flag set (of course, this would mess up replayed
data which contains RSTs..but I'm sure you can think of creative solutions
for that :)

--jared

> You can trim the capture file however you like using the tools that
> come with it, Snoop, or tcpdump.
> -----------------------------------------------------------------------
>    __o                Bradley Arlt                    Security Team Lead
>  _ \<_                arlt () cpsc ucalgary ca                University Of Calgary
> (_)/(_)       I should be biking right now.   Computer Science