[Snort-users] tcpreplay

Edin Dizdarevic edin.dizdarevic at ...7509...
Tue May 6 13:49:06 EDT 2003


Hi,

"Record" the traffic between two hosts with tcpdump. Remember to use
"-s 1514", because tcpdump will only capture 68 bytes of a packet
otherwise. Use a hub to connect the "client" and the "server". Then
disconnect one of them (say server or client) and use tcpreplay to put the
packets on the wire with one machine. Remember: you can't use the same
packets twice, since the sequence numbers and other parameters won't fit
and the machines will permanently send reset packets to each other.

tcpreplay is using a special socket and will put the recorded packets
(both the requests and the answers) on the wire no matter if someone is
"listening" or not. You can even connect your stealth (do not forget the
-arp switch) sensor and the replay machine with a crossover cable. In
that case you may be able to replay the packets even faster than using a
hub.

MAC addresses do not really matter in that case.

Regards,

Edin


Hanumantha R. Manchala wrote:
> Hello all,
> 
> I want to use tcpreplay to stress test snort.
> But I am unable to send the traffic to a destination MAC address
> given by the -I switch of tcpreplay. Does anyone know how to send traffic
> to a particular MAC on the LAN? Or is it possible to send traffic to a
> specific IP? Thanks guys for your help.
> good day!
> 
> Thanks,
> Manchala.
> 
> 

-- 
Edin Dizdarevic
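
Added example (not part of the original post): a Python check for the snaplen caveat in the reply above. It reads a classic libpcap file and counts packets whose captured length is shorter than their on-wire length, so a capture taken with the 68-byte default is caught before it is replayed at a sensor. The function names and the sample frames built in memory are constructed for illustration.

```python
import struct

# Classic libpcap magic numbers as they appear on disk, mapped to struct byte order.
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",  # microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">",  # nanosecond timestamps
}

def check_capture(data: bytes) -> dict:
    """Return the file's snaplen and how many packet records were truncated."""
    if len(data) < 24 or data[:4] not in PCAP_MAGICS:
        raise ValueError("not a classic libpcap file")
    endian = PCAP_MAGICS[data[:4]]
    # Global header after the magic: version, timezone, sigfigs, snaplen, link type.
    _maj, _min, _zone, _sig, snaplen, _link = struct.unpack(endian + "HHiIII", data[4:24])
    total = truncated = 0
    offset = 24
    while offset + 16 <= len(data):
        # Record header: timestamp (2 fields), captured length, original length.
        _sec, _frac, incl_len, orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        if offset + incl_len > len(data):
            raise ValueError("file ends in the middle of a packet record")
        total += 1
        if incl_len < orig_len:  # payload was cut off at capture time
            truncated += 1
        offset += incl_len
    return {"snaplen": snaplen, "packets": total, "truncated": truncated}

def build_pcap(snaplen: int, frame_sizes: list) -> bytes:
    """Build a little-endian Ethernet pcap in memory (constructed sample, zero-filled frames)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for i, size in enumerate(frame_sizes):
        caplen = min(size, snaplen)
        out += struct.pack("<IIII", i, 0, caplen, size) + bytes(caplen)
    return out

if __name__ == "__main__":
    sizes = [60, 590, 1514]  # constructed on-wire frame lengths
    for snaplen in (68, 1514):
        print(snaplen, check_capture(build_pcap(snaplen, sizes)))
```

To check a real capture, pass the file's bytes, for example `check_capture(open("capture.pcap", "rb").read())`, where the file name is a placeholder.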




