Saturday, February 2, 2013

Backtrack Forensics: tcpreplay suite

Menu: Forensics -> Network Forensics
Directory: /pentest/sniffers/tcpreplay
Official Website: http://tcpreplay.synfin.net/
License: GNU GLP v3

From the website: "Tcpreplay is a suite of tools written by  Aaron Turner for UNIX (and Win32 under Cygwin) operating systems which gives you the ability to use previously captured traffic in libpcap format to test a variety of network devices. It allows you to classify traffic as client or server, rewrite Layer 2, 3 and 4 headers and finally replay the traffic back onto the network and through other devices such as switches, routers, firewalls, NIDS and IPS's. Tcpreplay supports both single and dual NIC modes for testing both sniffing and inline devices."

The suite consists of the following tools:
tcpbridge - bridge two networks with tcprewrite
tcpprep - tool to use preprocess pcap files, and will create cache files, which will be used by tcpreplay or tcprewrite. It will classify packets as client -> server or server -> client.
tcprewrite - pcap editor to rewrite layer 2, 3 or 4 details
tcpreplay - replays packets to network
tcpreplay-edit - replays and edits pcap files to the network

not found in Backtract 5 R3:
"tcpliveplay - Replays network traffic stored in a pcap file on live networks using new TCP connections
tcpcapinfo - raw pcap file decoder and debugger"

Basically we can capture a traffic between a client and server, and replay it anywhere in the network. For actually testing a network, we will need to run tcpreplay in two locations, in the server and in the client side, where the client side will replay packets of the original client, and the server the other part. The MAC address, IP addresses and port numbers can be changed, thus this way we can create the same flow anywhere in the network, and check how the different locations behave.

To simply replay all packets from a capture:
./tcpreplay --intf1=eth0 test.pcap


A good article about testing Cisco WAAS with tcpreplay:

No comments: