Snort mailing list archives
RE: tcpreplay
From: "Matt Foster" <matt.foster () blade-software com>
Date: Wed, 7 May 2003 18:57:43 +0100
Hi Matt,

You may be interested to find out that IDS Informer, an application Blade has developed to allow users to test network-based intrusion detection systems, allows control over both the source and destination IP addresses; you can also define the source MAC address. IDS Informer has a database of over 700 attacks which can be replayed. There is an eval version on our website, www.blade-software.com, which you can download and play with. The eval is perpetual and will not expire, so it should provide you with some definite value.

Regards
Matt

_____________________________________
Matt Foster
Blade-Software Inc.
www.blade-software.com
Security Verification Management Solutions
______________________________________

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net]On Behalf Of Matt Kettler
Sent: 06 May 2003 21:16
To: Hanumantha R. Manchala
Cc: 'snort-users () lists sourceforge net'
Subject: Re: [Snort-users] tcpreplay

At 02:20 PM 5/6/2003 -0500, Hanumantha R. Manchala wrote:
I want to use tcpreplay to stress test snort. But I am unable to send the traffic to a destination MAC address given by the -I switch of tcpreplay. Does anyone know how to send traffic to a particular MAC on the LAN? Or is it possible to send traffic to a specific IP? Thanks guys for your help. Good day!

tcpreplay plays back a packet capture file... those packet captures dictate what IPs the packets are going to.

Now, a unix station will use ARP to resolve what MAC to send those packets to. If you look through the dump files, you can add static ARP entries into the arp table of the machine running tcpreplay to force it to send those packets to the machine you want.

So you can use a command like this:

    arp -s 192.168.1.1 00:00:00:00:00:00

to force any packets sent to 192.168.1.1 to go to a MAC address of all zeros, regardless of whether or not the adapter at that MAC is configured for that IP address.

You might need to configure your system to have a 0.0.0.0 subnet as well in order to keep your tcpreplay machine from trying to use a gateway, but this will break your ability to talk to the internet until you put it back (since it won't talk to the gateway).

-------------------------------------------------------
Enterprise Linux Forum Conference & Expo, June 4-6, 2003, Santa Clara
The only event dedicated to issues related to Linux enterprise solutions
www.enterpriselinuxforum.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
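
Added example, not part of the original thread: a classic pcap file stores each packet as a complete Ethernet frame, so the destination MAC of IDS test traffic can also be set by rewriting the capture before it is replayed to the sensor. The function names, MAC values and two-frame sample capture below are constructed for illustration.

```python
import struct

MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",   # microsecond pcap
          b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}   # nanosecond pcap

def records(pcap):
    """Yield (record_header, frame) for each packet in a classic Ethernet pcap."""
    endian = MAGICS.get(pcap[:4])
    if endian is None or len(pcap) < 24:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:   # 1 = DLT_EN10MB
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off < len(pcap):
        hdr = pcap[off:off + 16]
        if len(hdr) < 16:
            raise ValueError("truncated record header")
        incl_len = struct.unpack(endian + "IIII", hdr)[2]
        frame = pcap[off + 16:off + 16 + incl_len]
        if len(frame) < incl_len:
            raise ValueError("truncated packet data")
        yield hdr, frame
        off += 16 + incl_len

def rewrite_dst_mac(pcap, new_mac):
    """Return a copy of the capture with every frame's destination MAC replaced."""
    mac = bytes.fromhex(new_mac.replace(":", ""))
    if len(mac) != 6:
        raise ValueError("a MAC address has six octets")
    out = bytearray(pcap[:24])              # global header is copied unchanged
    for hdr, frame in records(pcap):
        # Bytes 0-5 of an Ethernet frame are the destination MAC.
        out += hdr + (mac + frame[6:] if len(frame) >= 6 else frame)
    return bytes(out)

def dst_macs(pcap):
    """List the destination MAC of each frame, formatted aa:bb:cc:dd:ee:ff."""
    return [f[:6].hex(":") for _, f in records(pcap)]

def sample_pcap():
    """Constructed two-frame little-endian capture (not taken from the thread)."""
    frames = [bytes.fromhex("001122334455" "0a0b0c0d0e0f" "0800") + b"\x00" * 46,
              bytes.fromhex("ffffffffffff" "0a0b0c0d0e0f" "0806") + b"\x00" * 46]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1052330263 + i, 0, len(f), len(f)) + f
    return out
```

Only the link-layer header is changed, so IP and TCP checksums in the capture stay valid.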
