lost and found ( for me ? )

tcpreplay

[ what’s tcpreplay ? ]

http://tcpreplay.synfin.net/
Tcpreplay replys a pcap file.
This tool is useful for testing DUT such as Firewall , IDS etc.

[ how to install tcpreplay on Ubuntu 11.04 ]

You can install tcpreplay through apt-get.
root@hat1:~# tail -1 /etc/lsb-release
DISTRIB_DESCRIPTION="Ubuntu 11.04"

root@hat1:~# apt-get install tcpreplay

/usr/bin/tcpreplay
/usr/bin/tcpprep  
/usr/bin/tcprewrite
/usr/bin/tcpreplay-edit
/usr/bin/tcpbridge

[ how to use : replay UDP packets ]

let’s send DNS ( DUP ) packets.

client 192.168.11.100  -------- unbound 192.168.11.14

prepare a capture file.
root@hat1:~# dig @192.168.11.14 www.isc.org +dnssec +multiline


capture data
root@hat1:~# tshark -r dns.pcap
 1   0.000000 192.168.11.100 -> 192.168.11.14 DNS Standard query A www.isc.org
 2   0.000693 192.168.11.14 -> 192.168.11.100 IP Fragmented IP protocol (proto=UDP 0x11, off=0, ID=20a8)

extract a request packet ( client -> server )
root@hat1:~# tshark -R "ip.src==192.168.11.100" -r dns.pcap -w client_dns.pcap

root@hat1:~# tshark -r client_dns.pcap
Running as user "root" and group "root". This could be dangerous.
 1   0.000000 192.168.11.100 -> 192.168.11.14 DNS Standard query A www.isc.org

Let’s replay client_dns.pcap

on client
root@hat1:~# tcpreplay --pps=1 --intf1=eth0 client_dns.pcap
sending out eth0
processing file: client_dns.pcap
Actual: 1 packets (82 bytes) sent in 0.07 seconds
Rated: 1171.4 bps, 0.01 Mbps, 14.29 pps
Statistics for network device: eth0
Attempted packets:         1
Successful packets:        1
Failed packets:            0
Retried packets (ENOBUFS): 0
Retried packets (EAGAIN):  0

on server
root@hat2:~# tshark -i eth0 port 53
 0.000000 192.168.11.100 -> 192.168.11.14 DNS Standard query A www.isc.org
 0.000120 192.168.11.14 -> 192.168.11.100 IP Fragmented IP protocol (proto=UDP 0x11, off=0, ID=20ab)

useful options :

--loop=number : how many times you replay pcap file
--topspeed : replay pcap as quickly as possible
--mbps=10.0 : bandwidth

If the pcap file(s) you are looping are small enough to fit in available RAM, consider using the --enable-file-cache option. This option caches each packet in RAM so that subsequent reads don't have to hit the slower disk. It does have a slight performance hit for the first iteration of the loop since it has to call malloc() for each packet, but after that it seems to improve performance by around 5-10%. Of course if you don't have enough free RAM, then this will cause your system to swap which will dramatically decrease performance.

Another useful option is --quiet. This suppresses printing out to the screen each time tcpreplay starts a new iteration. This can have a dramatic performance boost for systems with slower consoles.

--loop=0 menas replay forever untile you enter Ctrl-Z
root@hat1:~# tcpreplay --loop=0 --enable-file-cache --quiet --intf1=eth0 client_dns.pcap

an output of dnstop on server
Source         Query Name      Count      %
-------------- ----------- --------- ------
192.168.11.100 www.isc.org       152  100.0

DNS request is one packet. --pps=50000 means sending 50,000 queries per sec.
root@hat1:~# tcpreplay --loop=0 --enable-file-cache --pps=50000 --quiet --intf1=eth0 client_dns.pcap

unbound log
hat2 unbound: [3644:0] notice: sendto failed: Resource temporarily unavailable

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.