Snort mailing list archives
Re: [RGSPAM] Re: Semi-OT: Re-inject tcpdump captured traffic
From: Martin Roesch <roesch () sourcefire com>
Date: Thu, 6 Dec 2007 13:03:38 -0500
I just tried this and it worked.

1) log some ping packets:
   daemonlogger -i en0 -c 20 icmp

2) replay the packets
   daemonlogger -R daemonlogger.pcap.1196963946 -o en0

3) run tcpdump to capture and compare the output
   tcpdump -nvi en0 icmp

What kind of interface is vr0 (what link type)?

On Dec 6, 2007, at 12:22 PM, Jordi Espasa Clofent wrote:
>> You might want to check out DaemonLogger, it's got a replay mode as well as a real-time tap mode as well as being a packet logger itself. Basically, DaemonLogger can capture traffic off of one interface direct to the disk (logger mode), retransmit it out another interface in real-time (tap mode) or replay a pcap file (replay mode). You can get it at http://www.snort.org/users/roesch/Site/Daemonlogger/Daemonlogger.html
>
> Very great tool Martin! I cannot understand exactly the way to do what I want. I've tried it on my own personal computer at home (with only 1 NIC, vr0).
>
> 1) Sniffing the traffic in very big chunks of time/data (1GB)
>    $ daemonlogger -i vr0 -c 1000000000
>
> 2) Replay the traffic on the same NIC
>    $ daemonlogger -R daemonlogger.pcap.1196961141 -o vr0
>
> To check the re-injection process I unplug the ethernet cable and launch a tcpdump instance at the same time I launch step number 2; I think the tcpdump should show traffic, as it's completely localhost traffic.
>
>    $ tcpdump -i vr0 -v
>
> ...but no traffic is shown. Does it mean that the re-injection process is incorrect? How do I do it?
>
> --
> Thanks
> Jordi Espasa Clofent
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source IDP - http://www.snort.org
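Martin's question about the link type of vr0 is the first thing to check before blaming the replay: a replay tool injects the link-layer frames stored in the pcap unchanged, so a capture whose global header says Ethernet (DLT_EN10MB) cannot be meaningfully written onto a loopback or raw-IP interface, and anything captured with a small snaplen will be replayed truncated. The following is an added example, not code from the thread or from DaemonLogger. It constructs a small capture of ICMP echo requests (the equivalent of Martin's `-c 20 icmp`), reads the pcap global header back to report link type, snaplen and packet count, decides whether the file is replayable onto an interface of a given link type, and performs the step-3 comparison between the original file and a capture of the replay. The MAC addresses, the 192.0.2.0/24 (TEST-NET-1) IP addresses and the frame payload are made up; the timestamp base is the epoch embedded in the file name quoted in the thread.

```python
"""Pre-replay checks for a classic pcap file (added example, not DaemonLogger code).

Answers "what link type is the capture / the interface?" and performs the
original-vs-replayed comparison from step 3 of the thread, entirely offline
on a constructed capture.
"""
import struct

# Link-layer header types from the tcpdump/libpcap registry (subset).
LINKTYPES = {
    0: "DLT_NULL (BSD loopback)",
    1: "DLT_EN10MB (Ethernet)",
    101: "DLT_RAW (raw IP)",
    105: "DLT_IEEE802_11",
    108: "DLT_LOOP (OpenBSD loopback)",
    113: "DLT_LINUX_SLL (Linux cooked)",
}

PCAP_MAGIC = 0xA1B2C3D4  # classic pcap, microsecond timestamps
TS_BASE = 1196963946     # epoch taken from the file name daemonlogger.pcap.1196963946


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by IPv4 and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def icmp_echo_frame(seq: int, payload: bytes = b"daemonlogger-test") -> bytes:
    """Constructed Ethernet/IPv4/ICMP echo request (made-up MACs, TEST-NET-1 IPs)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), seq, 0, 64, 1, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + icmp


def build_pcap(frames, linktype: int = 1, snaplen: int = 65535, order: str = "<") -> bytes:
    """Serialise frames as a classic pcap; `order` picks the header byte order."""
    out = struct.pack(order + "IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)
    for i, frame in enumerate(frames):
        captured = frame[:snaplen]  # snaplen cuts the stored copy, orig_len keeps the wire size
        out += struct.pack(order + "IIII", TS_BASE + i, 0, len(captured), len(frame)) + captured
    return out


def inspect_pcap(data: bytes) -> dict:
    """Parse the global header (detecting byte order from the magic) and walk the records."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    for order in ("<", ">"):
        if struct.unpack(order + "I", data[:4])[0] == PCAP_MAGIC:
            break
    else:
        raise ValueError("not a classic pcap (magic %s)" % data[:4].hex())
    _, vmaj, vmin, _, _, snaplen, linktype = struct.unpack(order + "IHHiIII", data[:24])
    records, off = [], 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        _, _, incl_len, orig_len = struct.unpack(order + "IIII", data[off:off + 16])
        if off + 16 + incl_len > len(data):
            raise ValueError("truncated packet data at offset %d" % off)
        records.append((incl_len, orig_len))
        off += 16 + incl_len
    return {"version": (vmaj, vmin), "snaplen": snaplen, "linktype": linktype,
            "linktype_name": LINKTYPES.get(linktype, "unknown"),
            "packets": len(records), "records": records,
            "truncated_packets": sum(1 for inc, orig in records if inc < orig)}


def replay_compatible(info: dict, iface_linktype: int):
    """(ok, reason): the stored frames go out unchanged, so link types must match
    and no record may have been cut short by the snaplen."""
    if info["linktype"] != iface_linktype:
        return False, "capture is %s but interface is %s" % (
            info["linktype_name"], LINKTYPES.get(iface_linktype, "unknown"))
    if info["truncated_packets"]:
        return False, "%d records cut by snaplen %d" % (info["truncated_packets"], info["snaplen"])
    return True, "ok"


def compare_captures(original: dict, replayed: dict):
    """Step 3 of the thread: the capture of the replay should carry the same
    sequence of on-the-wire lengths as the file that was replayed."""
    a = [orig for _, orig in original["records"]]
    b = [orig for _, orig in replayed["records"]]
    matched = sum(x == y for x, y in zip(a, b))
    return a == b, "%d/%d packets matched" % (matched, len(a))


if __name__ == "__main__":
    frames = [icmp_echo_frame(seq) for seq in range(1, 21)]  # mirrors "-c 20 icmp"
    info = inspect_pcap(build_pcap(frames))
    print("capture: %d packets, link type %d (%s), snaplen %d"
          % (info["packets"], info["linktype"], info["linktype_name"], info["snaplen"]))
    print("replay onto Ethernet:", replay_compatible(info, 1))
    print("replay onto BSD loopback:", replay_compatible(info, 0))
```

On a real file, pass `open("daemonlogger.pcap.1196961141", "rb").read()` to `inspect_pcap` and compare the reported link type with what `tcpdump -i vr0` prints in its "listening on vr0, link-type ..." line before replaying; if the two differ, no amount of re-running the replay will make tcpdump on that interface show the packets.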
Current thread:
- Semi-OT: Re-inject tcpdump captured traffic Jordi Espasa Clofent (Dec 06)
- <Possible follow-ups>
- Re: Semi-OT: Re-inject tcpdump captured traffic Nathaniel Richmond (Dec 06)
- Re: Semi-OT: Re-inject tcpdump captured traffic Jordi Espasa Clofent (Dec 06)
- Re: Semi-OT: Re-inject tcpdump captured traffic JJ Cummings (Dec 06)
- Re: Semi-OT: Re-inject tcpdump captured traffic JJ Cummings (Dec 06)
- Re: Semi-OT: Re-inject tcpdump captured traffic Jordi Espasa Clofent (Dec 06)
- Re: [RGSPAM] Re: Semi-OT: Re-inject tcpdump captured traffic Martin Roesch (Dec 06)
- Re: [RGSPAM] Re: Semi-OT: Re-inject tcpdump captured traffic Jordi Espasa Clofent (Dec 06)
- Re: [RGSPAM] Re: Semi-OT: Re-inject tcpdump captured traffic Martin Roesch (Dec 06)
- Re: [RGSPAM] Re: Semi-OT: Re-inject tcpdump captured traffic Jordi Espasa Clofent (Dec 06)
- Re: [RGSPAM] Re: Semi-OT: Re-inject tcpdump captured traffic Jon Hart (Dec 06)
- Re: [RGSPAM] Re: Semi-OT: Re-inject tcpdump captured traffic Jordi Espasa Clofent (Dec 06)
- Re: Semi-OT: Re-inject tcpdump captured traffic Jordi Espasa Clofent (Dec 06)