[ what’s tcpreplay ? ]
http://tcpreplay.synfin.net/
Tcpreplay replays a pcap file.
This tool is useful for testing a DUT (device under test) such as a firewall or an IDS.
[ how to install tcpreplay on Ubuntu 11.04 ]
You can install tcpreplay through apt-get.
    root@hat1:~# tail -1 /etc/lsb-release
    DISTRIB_DESCRIPTION="Ubuntu 11.04"
    root@hat1:~# apt-get install tcpreplay

    /usr/bin/tcpreplay
    /usr/bin/tcpprep
    /usr/bin/tcprewrite
    /usr/bin/tcpreplay-edit
    /usr/bin/tcpbridge
[ how to use : replay UDP packets ]
Let’s send DNS (UDP) packets.
client 192.168.11.100 -------- unbound 192.168.11.14
Prepare a capture file.

    root@hat1:~# dig @192.168.11.14 www.isc.org +dnssec +multiline

Captured data:

    root@hat1:~# tshark -r dns.pcap
    1 0.000000 192.168.11.100 -> 192.168.11.14 DNS Standard query A www.isc.org
    2 0.000693 192.168.11.14 -> 192.168.11.100 IP Fragmented IP protocol (proto=UDP 0x11, off=0, ID=20a8)

Extract the request packet (client -> server):

    root@hat1:~# tshark -R "ip.src==192.168.11.100" -r dns.pcap -w client_dns.pcap

    root@hat1:~# tshark -r client_dns.pcap
    Running as user "root" and group "root". This could be dangerous.
    1 0.000000 192.168.11.100 -> 192.168.11.14 DNS Standard query A www.isc.org
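The extraction step above (keeping only the client -> server packet), done directly on the pcap file format. This is an added example, not part of the original post: the function names and the two-packet sample capture are constructed, and it assumes a classic little-endian pcap with Ethernet link type.

```python
import socket
import struct

PCAP_GLOBAL = struct.Struct("<IHHiIII")  # magic, version major/minor, thiszone, sigfigs, snaplen, linktype
PCAP_REC = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len, orig_len

def records(pcap):
    """Yield (record_bytes, frame_bytes) for every complete packet record."""
    off = PCAP_GLOBAL.size
    while off + PCAP_REC.size <= len(pcap):
        incl_len = PCAP_REC.unpack_from(pcap, off)[2]
        end = off + PCAP_REC.size + incl_len
        if end > len(pcap):
            break  # truncated last record: drop it rather than emit a partial frame
        yield pcap[off:end], pcap[off + PCAP_REC.size:end]
        off = end

def filter_by_src(pcap, src_ip):
    """Return a new pcap holding only the Ethernet/IPv4 frames sent by src_ip."""
    magic, *_, linktype = PCAP_GLOBAL.unpack_from(pcap, 0)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected a little-endian classic pcap with Ethernet link type")
    want = socket.inet_aton(src_ip)
    # Ethernet II: EtherType at frame bytes 12-13, IPv4 source address at bytes 26-29
    kept = [rec for rec, frame in records(pcap)
            if frame[12:14] == b"\x08\x00" and frame[26:30] == want]
    return pcap[:PCAP_GLOBAL.size] + b"".join(kept)

def _frame(src, dst, payload):
    """Constructed Ethernet/IPv4/UDP frame; checksums are left at zero."""
    eth = b"\x02\x00\x00\x00\x00\x02" + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00"
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + udp

def sample_pcap():
    """Constructed two-packet capture shaped like dns.pcap (placeholder payloads)."""
    out = PCAP_GLOBAL.pack(0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    frames = [(0, _frame("192.168.11.100", "192.168.11.14", b"constructed-query")),
              (693, _frame("192.168.11.14", "192.168.11.100", b"constructed-reply"))]
    for usec, frame in frames:
        out += PCAP_REC.pack(0, usec, len(frame), len(frame)) + frame
    return out

if __name__ == "__main__":
    client_only = filter_by_src(sample_pcap(), "192.168.11.100")
    print(len(list(records(sample_pcap()))), "->", len(list(records(client_only))), "packet(s)")
```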
Let’s replay client_dns.pcap.

On the client:

    root@hat1:~# tcpreplay --pps=1 --intf1=eth0 client_dns.pcap
    sending out eth0
    processing file: client_dns.pcap
    Actual: 1 packets (82 bytes) sent in 0.07 seconds
    Rated: 1171.4 bps, 0.01 Mbps, 14.29 pps
    Statistics for network device: eth0
        Attempted packets: 1
        Successful packets: 1
        Failed packets: 0
        Retried packets (ENOBUFS): 0
        Retried packets (EAGAIN): 0

On the server:

    root@hat2:~# tshark -i eth0 port 53
    0.000000 192.168.11.100 -> 192.168.11.14 DNS Standard query A www.isc.org
    0.000120 192.168.11.14 -> 192.168.11.100 IP Fragmented IP protocol (proto=UDP 0x11, off=0, ID=20ab)
Useful options:
--loop=number : how many times to replay the pcap file
--topspeed : replay the pcap as quickly as possible
--mbps=10.0 : replay at the given bandwidth in Mbps
If the pcap file(s) you are looping are small enough to fit in available RAM, consider using the --enable-file-cache option. This option caches each packet in RAM so that subsequent reads don't have to hit the slower disk. It does have a slight performance hit for the first iteration of the loop since it has to call malloc() for each packet, but after that it seems to improve performance by around 5-10%. Of course if you don't have enough free RAM, then this will cause your system to swap which will dramatically decrease performance.
Another useful option is --quiet. This suppresses printing out to the screen each time tcpreplay starts a new iteration. This can have a dramatic performance boost for systems with slower consoles.
--loop=0 means replay forever until you enter Ctrl-Z.

    root@hat1:~# tcpreplay --loop=0 --enable-file-cache --quiet --intf1=eth0 client_dns.pcap

Output of dnstop on the server:

    Source         Query Name  Count     %
    -------------- ----------- --------- ------
    192.168.11.100 www.isc.org 152       100.0

The DNS request is a single packet, so --pps=50000 means sending 50,000 queries per second.

    root@hat1:~# tcpreplay --loop=0 --enable-file-cache --pps=50000 --quiet --intf1=eth0 client_dns.pcap

unbound log:

    hat2 unbound: [3644:0] notice: sendto failed: Resource temporarily unavailable