[Snort-users] tcpreplay

Matt Kettler mkettler at ...4108...
Tue May 6 13:17:07 EDT 2003


At 02:20 PM 5/6/2003 -0500, Hanumantha R. Manchala wrote:
>I want to use tcpreplay to stress test snort.
>But I am unable to send the traffic to a destination MAC address
>given by the -I switch of tcpreplay. Does any one know how to send traffic
>to a particular MAC on the LAN? Or is it possible to send traffic to a
>specific IP? Thanks guys for ur help.
>good day!

tcpreplay plays back a packet capture file... those packet captures dictate 
what IPs the packets are going to.

Now, a unix station will use ARP to resolve what MAC to send those packets 
to. If you look through the dump files, you can add static ARP entries into 
the arp table of the machine running tcpreplay to force it to send those 
packets to the machine you want.

So you can use a command like this:
arp -s 192.168.1.1 00:00:00:00:00

To force any packets sent to 192.168.1.1 to go to a MAC address of all 
zeros, regardless of wether or not the adapter at that MAC is configured 
for that IP address.

You might need to configure your system to have a 0.0.0.0 subnet as well in 
order to keep your tcpreplay machine from trying to use a gateway, but this 
will break your ability to talk to the internet until you put it back 
(since it won't talk to the gateway). 





More information about the Snort-users mailing list