[Snort-users] [RGSPAM] Re: Semi-OT: Re-inject tcpdump captured traffic

Martin Roesch roesch at ...1935...
Thu Dec 6 13:03:38 EST 2007


I just tried this and it worked.

1) log some ping packets:

daemonlogger -i en0 -c 20 icmp

2) replay the packets

daemonlogger -R daemonlogger.pcap.1196963946 -o en0

3) run tcpdump to capture and compare the output

tcpdump -nvi en0 icmp

What kind of interface is vr0 (what link type)?


On Dec 6, 2007, at 12:22 PM, Jordi Espasa Clofent wrote:

>> You might want to check out DaemonLogger, it's got a replay mode as well
>> as a real-time tap mode as well as being a packet logger itself.
>> Basically, DaemonLogger can capture traffic off of one interface direct
>> to the disk (logger mode), retransmit it out another interface in
>> real-time (tap mode) or replay a pcap file (replay mode).
>>
>> You can get it at
>> http://www.snort.org/users/roesch/Site/Daemonlogger/Daemonlogger.html.
>
> Very great tool, Martin!
> I cannot understand exactly the way to do what I want. I've tried it on
> my own personal computer at home (with only 1 NIC, vr0).
>
> 1) Sniffing the traffic in very big chunks of time/data (1GB)
>
> $ daemonlogger -i vr0 -c 1000000000
>
> 2) Replay the traffic on the same NIC
>
> $ daemonlogger -R daemonlogger.pcap.1196961141 -o vr0
>
> To check the re-injection process I quit the ethernet wire and launch a
> tcpdump instance at the same time I launch step number 2; I think the
> tcpdump should show traffic, so it's completely localhost traffic.
>
> $ tcpdump -i vr0 -v
>
> ...but no traffic is shown.
>
> Does it mean that the re-injection process is incorrect?
> How do I do it?
>
> -- 
> Thanks
> Jordi Espasa Clofent
>

--
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source IDP - http://www.snort.org
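Step 3 above compares the logged packets with what tcpdump sees during the replay by eye. The following is an added example (my own Python, not daemonlogger's or Snort's code) that does the comparison mechanically: it parses two classic libpcap files, the one the logger wrote and one saved with `tcpdump -w` while the replay ran, and reports which ICMP frames came back byte for byte, which never appeared, and whether the two files record the same link type. The link type check speaks to the vr0 question, since the pcap global header stores the DLT of the capture interface. All frames and pcap files here are constructed inline; nothing is read from a real capture.

```python
import hashlib
import struct
from collections import Counter

# Classic libpcap file format: 24-byte global header, then a 16-byte record
# header before each captured frame. The "network" field of the global header
# records the link type (DLT value) of the capture interface.
PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1  # DLT_EN10MB


def parse_pcap(data):
    """Return (linktype, list_of_frames) from pcap bytes; raises on truncation."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"  # file was written by a big-endian host
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(endian + "HHiIII", data[4:24])[5]
    frames, off = [], 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        if off + incl_len > len(data):
            raise ValueError("truncated packet record at offset %d" % off)
        frames.append(data[off:off + incl_len])
        off += incl_len
    return linktype, frames


def is_icmp(frame):
    """True for Ethernet/IPv4 frames carrying ICMP (IP protocol 1)."""
    if len(frame) < 34:  # 14-byte Ethernet header + 20-byte IPv4 header
        return False
    ethertype = struct.unpack("!H", frame[12:14])[0]
    return ethertype == 0x0800 and frame[23] == 1


def compare_captures(original, replayed):
    """Compare the ICMP frames of a capture and its replay, byte for byte.

    Counts frames captured, frames seen again in the replay, frames that never
    showed up (missing) and unrelated ICMP frames in the replay (extra), and
    flags whether both files record the same link type.
    """
    lt_a, frames_a = parse_pcap(original)
    lt_b, frames_b = parse_pcap(replayed)
    seen_a = Counter(hashlib.sha256(f).digest() for f in frames_a if is_icmp(f))
    seen_b = Counter(hashlib.sha256(f).digest() for f in frames_b if is_icmp(f))
    return {
        "linktype_match": lt_a == lt_b,
        "captured": sum(seen_a.values()),
        "replayed": sum(seen_b.values()),
        "missing": sum((seen_a - seen_b).values()),
        "extra": sum((seen_b - seen_a).values()),
    }


# --- constructed sample data (not a real capture) --------------------------

def build_icmp_echo(seq, payload=b"daemonlogger"):
    """Constructed Ethernet/IPv4/ICMP echo request; checksums left at zero."""
    eth = bytes.fromhex("00112233445566778899aabb0800")
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, seq) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), seq, 0, 64, 1, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + icmp


def build_arp_frame():
    """Constructed non-ICMP frame (ethertype ARP) that the filter must ignore."""
    return bytes.fromhex("ffffffffffff0011223344550806") + bytes(28)


def build_pcap(frames, linktype=LINKTYPE_ETHERNET):
    """Write frames into an in-memory little-endian classic pcap file."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)
    records = b"".join(
        struct.pack("<IIII", 1196963946 + i, 0, len(f), len(f)) + f
        for i, f in enumerate(frames))
    return header + records


if __name__ == "__main__":
    logged = build_pcap([build_icmp_echo(s) for s in (1, 2, 3)])
    # The replay as tcpdump might record it: one echo lost, an ARP frame mixed in.
    seen = build_pcap([build_icmp_echo(1), build_arp_frame(), build_icmp_echo(3)])
    print(compare_captures(logged, seen))
```

Hashing whole frames is deliberate: a replay that rewrote MAC addresses or TTLs would show up as "missing" rather than passing silently, which is what you want when the point is to prove the wire sees exactly what was logged.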