Intrusion Detection Systems mailing list archives

Re: packet capture and replay


From: robert_david_graham () yahoo com (Robert Graham)
Date: Fri, 24 Mar 2000 14:06:13 -0800 (PST)


Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au
--- "Mila, Brian D" <brian.d.mila () lmco com> wrote:
Does anyone know of a packet capture utility that can capture packets
and then replay them onto the network at a later time?  I'm not sure if
this is even possible, I think the sequence numbers would need to change
along with timestamps perhaps.  But I'd like to be able to capture a stream
of packets and then replay them later to determine if they are the cause
of a problem to a particular machine.  Any ideas appreciated.

You are indeed correct. 90% of the protocols for which you'd like to replay
against a machine have embedded sequence numbers that will prevent you from
doing what you want.

Therefore, anything based upon TCP will not work with such a replay. Protocols
in this class are HTTP, FTP, SMB (Windows file sharing), etc.

Some protocols use "client-chosen sequence numbers". This means that you can
replay them as many times as you would like and get the same result. This
includes SNMP, ICMP pings, TFTP, and so on.

A large number of RPC protocols can be replayed. NFS is a peculiar case, because
file handles are often persistent across connections. YMMV.

If all you want to do is flood a machine with captured pings, then replaying
will work.

There are lots of utilities that will capture/replay. TCPDUMP will capture,
which you can then replay with Anzen's 'tcpreplay' utility. Also, most protocol
analyzers can capture, then replay.

Robert Graham

PS: replay does work well for testing IDS
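The distinction Robert draws above (server-chosen TCP sequence numbers versus client-chosen identifiers in protocols like ICMP echo or SNMP) can be shown with a toy model. The following is an added example, not code from the original thread or from tcpdump/tcpreplay: it models a minimal server-side TCP endpoint that picks its own initial sequence number (ISN) per connection and drops any segment that does not acknowledge that ISN, next to a stateless echo responder whose reply depends only on the request. Segment layout, the `TcpResponder`/`ping_responder` names and the sample payloads are all constructed for the illustration; a real stack has windows, retransmission and many more checks.

```python
"""Toy model: why captured TCP traffic cannot be replayed verbatim, while a
stateless request/response protocol (ICMP echo, SNMP GET, ...) can."""
import random
from dataclasses import dataclass

MASK32 = 0xFFFFFFFF  # sequence numbers are 32-bit, wrap-around


@dataclass(frozen=True)
class Segment:
    """Constructed stand-in for a TCP segment: just the fields that matter here."""
    seq: int
    ack: int
    flags: str  # "SYN", "SYN-ACK", "ACK" or "DATA"
    payload: bytes = b""


class TcpResponder:
    """Minimal server-side TCP state: answers SYN with its own ISN, then accepts
    only segments that acknowledge that ISN and carry the expected peer seq.
    `isn` is injectable so the demonstration is deterministic; a real stack
    randomizes it for every connection (pass None to get that behaviour)."""

    def __init__(self, isn=None):
        self.fixed_isn = isn
        self.isn = None
        self.peer_next = None
        self.established = False
        self.received = []  # payloads the server actually accepted

    def handle(self, seg):
        if seg.flags == "SYN":
            self.isn = self.fixed_isn if self.fixed_isn is not None else random.getrandbits(32)
            self.peer_next = (seg.seq + 1) & MASK32
            self.established = False
            return Segment(seq=self.isn, ack=self.peer_next, flags="SYN-ACK")
        # Every later segment must ACK exactly ISN+1 and carry the seq we expect.
        if (self.isn is None
                or seg.ack != (self.isn + 1) & MASK32
                or seg.seq != self.peer_next):
            return None  # dropped: belongs to some other connection's sequence space
        if seg.flags == "ACK":
            self.established = True
            return None
        if seg.flags == "DATA" and self.established:
            self.received.append(seg.payload)
            self.peer_next = (self.peer_next + len(seg.payload)) & MASK32
            return Segment(seq=(self.isn + 1) & MASK32, ack=self.peer_next, flags="ACK")
        return None


def live_tcp_session(server, client_isn, payload):
    """Run a real handshake plus one data segment against `server` and return
    the client-side segments, i.e. what a sniffer on the wire would capture."""
    syn = Segment(seq=client_isn, ack=0, flags="SYN")
    synack = server.handle(syn)
    ack = Segment(seq=(client_isn + 1) & MASK32, ack=(synack.seq + 1) & MASK32, flags="ACK")
    server.handle(ack)
    data = Segment(seq=(client_isn + 1) & MASK32, ack=(synack.seq + 1) & MASK32,
                   flags="DATA", payload=payload)
    server.handle(data)
    return [syn, ack, data]


def replay_tcp(server, captured):
    """Feed captured client segments to a fresh server; return how many
    payloads it accepted. The captured ACK numbers refer to the ISN of the
    original connection, so they only match if the new ISN happens to be equal."""
    for seg in captured:
        server.handle(seg)
    return len(server.received)


def ping_responder(request):
    """Stateless responder (think ICMP echo): identifier and sequence number are
    chosen by the client and simply echoed back, so the same request always
    produces the same reply no matter when it is sent."""
    return {"id": request["id"], "seq": request["seq"], "data": request["data"]}


def replay_stateless(captured_requests):
    return [ping_responder(r) for r in captured_requests]


if __name__ == "__main__":
    original = TcpResponder(isn=0x1000)
    capture = live_tcp_session(original, client_isn=0x5000, payload=b"GET / HTTP/1.0")
    print("live session accepted:", original.received)
    print("replayed against new ISN accepted:", replay_tcp(TcpResponder(isn=0x2000), capture))
    print("replayed against same ISN accepted:", replay_tcp(TcpResponder(isn=0x1000), capture))
    pings = [{"id": 7, "seq": n, "data": b"abc"} for n in range(3)]
    print("stateless replay identical:", replay_stateless(pings) == replay_stateless(pings))
```

Running it shows the live session delivering its payload, the same capture delivering nothing to a server that chose a different ISN, and the echo requests producing identical replies on every replay. That is also why replay against an IDS works regardless: the sensor only observes the bytes and does not hold the endpoint's sequence state.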


