Snort mailing list archives

Re: [RGSPAM] Re: Semi-OT: Re-inject tcpdump captured traffic


From: Martin Roesch <roesch () sourcefire com>
Date: Thu, 6 Dec 2007 13:03:38 -0500

I just tried this and it worked.

1) log some ping packets:

daemonlogger -i en0 -c 20 icmp

2) replay the packets

daemonlogger -R daemonlogger.pcap.1196963946 -o en0

3) run tcpdump to capture and compare the output

tcpdump -nvi en0 icmp

What kind of interface is vr0 (what link type)?


On Dec 6, 2007, at 12:22 PM, Jordi Espasa Clofent wrote:

You might want to check out DaemonLogger, it's got a replay mode as well as a real-time tap mode as well as being a packet logger itself. Basically, DaemonLogger can capture traffic off of one interface direct to the disk (logger mode), retransmit it out another interface in real-time (tap mode) or replay a pcap file (replay mode).

You can get it at http://www.snort.org/users/roesch/Site/Daemonlogger/Daemonlogger.html.

Great tool, Martin!
I cannot understand exactly how to do what I want. I've tried it on my own personal computer at home (with only 1 NIC, vr0).

1) Sniffing the traffic in very big chunks of time/data (1GB)

$ daemonlogger -i vr0 -c 1000000000

2) Replay the traffic on the same NIC

$ daemonlogger -R daemonlogger.pcap.1196961141 -o vr0

To check the re-injection process I unplug the ethernet wire and launch a tcpdump instance at the same time I launch step number 2; I think the tcpdump should show traffic, since it's completely localhost traffic.

$ tcpdump -i vr0 -v

...but no traffic is shown.

Does that mean the re-injection process is incorrect?
How should I do it?

-- 
Thanks
Jordi Espasa Clofent


-------------------------------------------------------------------------
SF.Net email is sponsored by: The Future of Linux Business White Paper
from Novell.  From the desktop to the data center, Linux is going
mainstream.  Let it simplify your IT future.
http://altfarm.mediaplex.com/ad/ck/8857-50307-18918-4
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


--
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source IDP - http://www.snort.org
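One way to do the comparison in step 3 without eyeballing tcpdump output, as an added example that is not from this thread or from DaemonLogger itself: a small Python script that parses both pcap files (the one daemonlogger logged and one captured from the output interface while the replay ran), reports each file's link-layer type, which is the question raised above about vr0, and checks that the number of ICMP packets in the replayed capture matches the original. The sample captures are constructed inline so the script runs offline; the MAC and IP addresses, the file layout of the samples and the `compare_captures` helper are assumptions for the example (the DLT constants are the values from libpcap's pcap/dlt.h).

```python
"""Verify a daemonlogger replay by comparing the logged pcap with a
capture taken on the output interface. Added example, not daemonlogger code.
Parses the classic libpcap format directly, so it needs no extra modules."""
import struct
from collections import Counter

# Link-layer types from libpcap's pcap/dlt.h.
DLT_NULL, DLT_EN10MB, DLT_LINUX_SLL = 0, 1, 113
DLT_NAMES = {DLT_NULL: "DLT_NULL (BSD loopback)",
             DLT_EN10MB: "DLT_EN10MB (Ethernet)",
             DLT_LINUX_SLL: "DLT_LINUX_SLL (Linux cooked)"}

def parse_pcap(data):
    """Parse a classic pcap file. Returns (linktype, [packet bytes, ...])."""
    if len(data) < 24:
        raise ValueError("too short for a pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        e = "<"            # written by a little-endian host
    elif magic == 0xD4C3B2A1:
        e = ">"            # written by a big-endian host
    else:
        raise ValueError("not a classic pcap file (magic 0x%08x)" % magic)
    *_unused, linktype = struct.unpack(e + "IHHiIII", data[:24])
    packets, off = [], 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        _sec, _usec, incl_len, _orig_len = struct.unpack(e + "IIII", data[off:off + 16])
        off += 16
        pkt = data[off:off + incl_len]
        if len(pkt) != incl_len:
            raise ValueError("truncated packet at offset %d" % off)
        packets.append(pkt)
        off += incl_len
    return linktype, packets

def classify(linktype, pkt):
    """Return 'icmp', 'tcp', 'udp', 'ip-other' or 'non-ip' for one packet."""
    if linktype == DLT_EN10MB:
        if len(pkt) < 14 or pkt[12:14] != b"\x08\x00":   # EtherType IPv4
            return "non-ip"
        ip = pkt[14:]
    elif linktype == DLT_NULL:
        # 4-byte address family in host byte order; AF_INET == 2 on every OS.
        if pkt[:4] not in (b"\x02\x00\x00\x00", b"\x00\x00\x00\x02"):
            return "non-ip"
        ip = pkt[4:]
    else:
        return "non-ip"
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return "non-ip"
    return {1: "icmp", 6: "tcp", 17: "udp"}.get(ip[9], "ip-other")

def summarize(data):
    linktype, packets = parse_pcap(data)
    return linktype, Counter(classify(linktype, p) for p in packets)

def compare_captures(logged, replayed, proto="icmp"):
    """Same link type on both sides and the same number of `proto` packets.
    A link-type mismatch is reported on its own: a capture taken on one
    link type cannot be replayed unchanged onto an interface of another."""
    lt1, c1 = summarize(logged)
    lt2, c2 = summarize(replayed)
    return {"logged_linktype": DLT_NAMES.get(lt1, str(lt1)),
            "replayed_linktype": DLT_NAMES.get(lt2, str(lt2)),
            "same_linktype": lt1 == lt2,
            "logged": c1[proto], "replayed": c2[proto],
            "ok": lt1 == lt2 and c1[proto] > 0 and c1[proto] == c2[proto]}

# ---- constructed sample captures (not real traffic) ----
def build_pcap(linktype, packets):
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    return hdr + b"".join(struct.pack("<IIII", 1196963946 + i, 0, len(p), len(p)) + p
                          for i, p in enumerate(packets))

def icmp_echo_frame(seq):
    """Ethernet + IPv4 + ICMP echo request; checksums left zero, nothing here checks them."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, seq) + b"daemonlogger"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), seq, 0, 64, 1, 0,
                     bytes([192, 168, 1, 10]), bytes([192, 168, 1, 1]))
    return eth + ip + icmp

ARP_FRAME = b"\xff" * 6 + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x06" + b"\x00" * 28

LOGGED = build_pcap(DLT_EN10MB, [icmp_echo_frame(i) for i in range(20)])
# What tcpdump on the output interface might see: the 20 pings plus an unrelated ARP.
REPLAYED = build_pcap(DLT_EN10MB, [icmp_echo_frame(i) for i in range(20)] + [ARP_FRAME])
# The same ping seen on a loopback-type interface: link types differ, so the check fails.
LOOPBACK = build_pcap(DLT_NULL, [b"\x02\x00\x00\x00" + icmp_echo_frame(0)[14:]])

if __name__ == "__main__":
    print(compare_captures(LOGGED, REPLAYED))   # ok: True, 20 == 20
    print(compare_captures(LOGGED, LOOPBACK))   # same_linktype: False
```

Against real files, capture the replay side with `tcpdump -ni en0 -w replayed.pcap icmp` while step 2 runs, then call `compare_captures(open("daemonlogger.pcap.1196963946", "rb").read(), open("replayed.pcap", "rb").read())`. The first thing to look at in the result is the two link types: if the logged file is not Ethernet (DLT_EN10MB) but the output interface is, or the reverse, that is the mismatch asked about above and counts will not agree no matter how the replay is run.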


