Snort mailing list archives

Re: tcpreplay


From: Edin Dizdarevic <edin.dizdarevic () interActive-Systems de>
Date: Tue, 06 May 2003 23:18:05 +0200


Hi Matt,

AFAIK tcpreplay is using a special socket/libnet to put the packets on
the wire. No kernel influence there. There is indeed a kind of
"preprocessor" for tcpreplay, which I, however, never got to work.

Regards,

Edin

Matt Kettler wrote:

At 02:20 PM 5/6/2003 -0500, Hanumantha R. Manchala wrote:

I want to use tcpreplay to stress test snort.
But I am unable to send the traffic to a destination MAC address
given by the -I switch of tcpreplay. Does anyone know how to send
traffic to a particular MAC on the LAN? Or is it possible to send
traffic to a specific IP? Thanks guys for your help.
good day!


tcpreplay plays back a packet capture file... those packet captures
dictate what IPs the packets are going to.

Now, a unix station will use ARP to resolve what MAC to send those
packets to. If you look through the dump files, you can add static ARP
entries into the arp table of the machine running tcpreplay to force it
to send those packets to the machine you want.

So you can use a command like this:
arp -s 192.168.1.1 00:00:00:00:00:00

To force any packets sent to 192.168.1.1 to go to a MAC address of all
zeros, regardless of whether or not the adapter at that MAC is configured
for that IP address.

You might need to configure your system to have a 0.0.0.0 subnet as well
in order to keep your tcpreplay machine from trying to use a gateway,
but this will break your ability to talk to the internet until you put
it back (since it won't talk to the gateway).

-- 
Edin Dizdarevic
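
Added example, not part of the original messages: if the frames go onto the wire exactly as stored in the capture, as the reply above suggests, one way to steer them at a sensor under test is to rewrite the destination MAC inside the capture file before replaying it. The Python below does this for a classic libpcap file with Ethernet link type; the function names and the sample capture are constructed for illustration.

```python
import struct

# Classic (microsecond) pcap magic as it appears on disk -> struct byte-order prefix
PCAP_MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}
LINKTYPE_ETHERNET = 1

def parse_mac(text):
    """Turn 'aa:bb:cc:dd:ee:ff' into 6 raw bytes, rejecting malformed input."""
    parts = text.split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError("MAC needs six two-digit hex octets: %r" % text)
    return bytes(int(p, 16) for p in parts)

def rewrite_dst_mac(pcap, new_mac):
    """Return a copy of a pcap byte string with each frame's destination MAC replaced."""
    mac = parse_mac(new_mac)
    endian = PCAP_MAGICS.get(pcap[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", pcap[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled")
    out = bytearray(pcap[:24])          # global header is copied unchanged
    pos = 24
    while pos < len(pcap):
        header = pcap[pos:pos + 16]     # ts_sec, ts_usec, incl_len, orig_len
        if len(header) < 16:
            raise ValueError("truncated record header")
        incl_len = struct.unpack(endian + "I", header[8:12])[0]
        frame = pcap[pos + 16:pos + 16 + incl_len]
        if len(frame) < incl_len:
            raise ValueError("truncated packet data")
        if incl_len >= 6:
            frame = mac + frame[6:]     # bytes 0-5 of an Ethernet frame: destination MAC
        out += header + frame
        pos += 16 + incl_len
    return bytes(out)

def build_sample():
    """Constructed one-packet capture: broadcast frame with a dummy 4-byte payload."""
    frame = bytes.fromhex("ffffffffffff" "020000000001" "0800") + b"test"
    ghdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    rec = struct.pack("<IIII", 0, 0, len(frame), len(frame))
    return ghdr + rec + frame

if __name__ == "__main__":
    rewritten = rewrite_dst_mac(build_sample(), "02:00:00:00:00:02")
    print("new destination MAC:", rewritten[40:46].hex())
```

Only the destination MAC changes; source MAC, IP addresses and checksums are left as captured, so the IDS sees the original layer 3 traffic.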


