[Snort-users] [RGSPAM] Re: Semi-OT: Re-inject tcpdump captured traffic

Jordi Espasa Clofent jordi.espasa at ...14257...
Thu Dec 6 12:22:41 EST 2007

> You might want to check out DaemonLogger, it's got a replay mode as well 
> as a real-time tap mode as well as being a packet logger itself.  
> Basically, DaemonLogger can capture traffic off of one interface direct 
> to the disk (logger mode), retransmit it out another interface in 
> real-time (tap mode) or replay a pcap file (replay mode).
> You can get it at 
> http://www.snort.org/users/roesch/Site/Daemonlogger/Daemonlogger.html.

Very great tool, Martin!
I cannot understand exactly the way to do what I want. I've tried it on
my own personal computer at home (with only 1 NIC, vr0).

1) Sniffing the traffic in very big chunks of time/data (1GB)

$ daemonlogger -i vr0 -c 1000000000

2) Replay the traffic on the same NIC

$ daemonlogger -R daemonlogger.pcap.1196961141 -o vr0

To check the re-injection process I remove the Ethernet cable and launch a
tcpdump instance at the same time I launch step number 2; I think the
tcpdump should show traffic, so it's completely localhost traffic.

$ tcpdump -i vr0 -v

...but no traffic is shown.

Does it mean that the re-injection process is incorrect?
How can I do it?

Jordi Espasa Clofent
