[Snort-users] tcpreplay

Edin Dizdarevic edin.dizdarevic at ...7509...
Tue May 6 14:21:17 EDT 2003

Hi Matt,

AFAIK tcpreplay is using a special socket/libnet to put the packets on
the wire. No kernel influence there. There is indeed a kind of
"preprocessor" for tcpreplay, which I, however, never got to work.



Matt Kettler wrote:

> At 02:20 PM 5/6/2003 -0500, Hanumantha R. Manchala wrote:
>> I want to use tcpreplay to stress test snort.
>> But I am unable to send the traffic to a destination MAC address
>> given by the -I switch of tcpreplay. Does anyone know how to send
>> traffic to a particular MAC on the LAN? Or is it possible to send
>> traffic to a specific IP? Thanks guys for your help.
>> good day!
> tcpreplay plays back a packet capture file... those packet captures
> dictate what IPs the packets are going to.
> Now, a unix station will use ARP to resolve what MAC to send those
> packets to. If you look through the dump files, you can add static ARP
> entries into the arp table of the machine running tcpreplay to force it
> to send those packets to the machine you want.
> So you can use a command like this:
> arp -s 00:00:00:00:00
> To force any packets sent to to go to a MAC address of all
> zeros, regardless of whether or not the adapter at that MAC is configured
> for that IP address.
> You might need to configure your system to have a subnet as well
> in order to keep your tcpreplay machine from trying to use a gateway,
> but this will break your ability to talk to the internet until you put
> it back (since it won't talk to the gateway).

Edin Dizdarevic
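
Added example, not part of the original post and not tcpreplay's own code: because the replay tool writes captured frames to the wire without the kernel's ARP table being consulted, the frames go out with the Ethernet header stored in the capture unless it is rewritten. This Python rewrites the destination MAC in a classic libpcap Ethernet capture before replay; the function names and the two sample frames are constructed for illustration.

```python
import struct

PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<",  # little-endian, microsecond timestamps
    b"\xa1\xb2\xc3\xd4": ">",  # big-endian, microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<",  # little-endian, nanosecond timestamps
    b"\xa1\xb2\x3c\x4d": ">",  # big-endian, nanosecond timestamps
}
LINKTYPE_ETHERNET = 1


def rewrite_dst_mac(pcap: bytes, new_mac: str) -> bytes:
    """Return a copy of a classic pcap with every frame's destination MAC replaced."""
    mac = bytes.fromhex(new_mac.replace(":", ""))
    if len(mac) != 6:
        raise ValueError("MAC address must be six octets")
    if len(pcap) < 24 or pcap[:4] not in PCAP_MAGICS:
        raise ValueError("not a classic pcap file")
    endian = PCAP_MAGICS[pcap[:4]]
    (linktype,) = struct.unpack_from(endian + "I", pcap, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("capture is not Ethernet; no MAC header to rewrite")
    out = bytearray(pcap)
    offset = 24                      # first record follows the 24-byte global header
    while offset + 16 <= len(pcap):
        incl_len = struct.unpack_from(endian + "I", pcap, offset + 8)[0]
        data = offset + 16           # frame bytes follow the 16-byte record header
        if data + incl_len > len(pcap):
            raise ValueError("truncated packet record")
        if incl_len >= 6:            # destination MAC is the first 6 bytes of the frame
            out[data:data + 6] = mac
        offset = data + incl_len
    return bytes(out)


def sample_pcap() -> bytes:
    """Constructed two-frame capture (not real traffic)."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    frames = [
        bytes.fromhex("aaaaaaaaaaaa" "020000000001" "0800") + b"\x45" + b"\x00" * 19,
        bytes.fromhex("bbbbbbbbbbbb" "020000000002" "0800") + b"\x45" + b"\x00" * 19,
    ]
    recs = b"".join(struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frames))
    return hdr + recs


if __name__ == "__main__":
    rewritten = rewrite_dst_mac(sample_pcap(), "02:00:00:00:00:99")
    print(rewritten[40:46].hex(":"))
```

Only the first six bytes of each frame change, so source MACs, IP addresses and checksums in the capture are left as recorded.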

