[unisog] network traffic simulations

Nathan W. Labadie ab0781 at wayne.edu
Thu Mar 9 16:51:31 GMT 2006


Getting the capture file shouldn't be a problem. We've already got a box 
set up as an IDS that watches our gig uplink with a fiber tap. Works 
quite nicely too :).

After digging around on the tcpreplay page it looks like we should be 
able to load up a box with two nics, copy over a (large) pcap file, and 
replay all of the traffic through a network device set inline with the 
two nics. Has anyone tried this particular setup?

Thanks,
Nate 

On Thursday 09 March 2006 11:39, Peter Van Epp wrote:
> On Thu, Mar 09, 2006 at 09:30:21AM -0500, Nathan W. Labadie wrote:
> > Quick question:
> >
> > We're currently looking into a platform for doing simulations of
> > network traffic. This would include creating a large number of
> > random flows, packets, src/dst ports, etc to mimic the typical
> > behavior of a university network. We're basically looking for a way
> > to "burn in" new network equipment before it's placed in
> > production. Does anyone have any experience or recommendations?
> >
> > Thanks much,
> > Nate
> >
> > --
> > Nathan W. Labadie
> > Sr. Security Specialist
> > Network Services
> > Wayne State University
> > http://security.wayne.edu
> >
> > "They that can give up essential liberty to obtain a little
> > temporary safety deserve neither liberty nor safety."
> > - Benjamin Franklin, 1759
> > _______________________________________________
> > unisog mailing list
> > unisog at lists.sans.org
> > http://www.dshield.org/mailman/listinfo/unisog
>
> 	As has been suggested, tcpreplay will do this for you. Input data
> can be conveniently (for some value of convenient :-)) collected
> with 2 tcpdump machines capturing the full duplex stream from a tap
> inserted at a suitably high traffic point in your network and then
> merged with tcpmerge (which I fixed to do exactly this with tcpreplay
> :-)) to get the single stream that tcpreplay wants. That will get the
> closest simulation to real traffic (because it is :-)) that you can
> get. You need to watch privacy issues around the tcpdump data though
> (I captured full packets which means that data is very sensitive and
> needs to be carefully secured so it doesn't leak out, or edited with
> something like netdude to make it less sensitive). Performance on all
> fronts on fast links is also an issue :-). A span port on a switch
> (which will give the required single stream) may be an even easier
> way of doing this (I have a multiport optical tap in my network
> already so the full duplex capture was easier for me).
>
> Peter Van Epp / Operations and Technical Support
> Simon Fraser University, Burnaby, B.C. Canada

-- 
Nathan W. Labadie
Sr. Security Specialist
Network Services
Wayne State University
http://security.wayne.edu

"They that can give up essential liberty to obtain a little temporary 
safety deserve neither liberty nor safety."
- Benjamin Franklin, 1759
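Peter's capture recipe above (two tcpdump captures, one per tap direction, merged into the single stream tcpreplay wants, then made less sensitive before it is stored or shared) carried out in code, added here as an example; it is not part of the thread and is not the code of tcpreplay, tcpmerge or netdude. It assumes classic little-endian, microsecond-resolution pcap files with Ethernet framing (tcpdump's default output); the two input captures are constructed inline. The "strip" step keeps only Ethernet, IPv4 and TCP/UDP headers and records the original frame length, the same way a short snaplen would, so the merged file contains no application payload.

```python
"""Merge two one-direction tap captures into one time-ordered pcap and cut
each frame back to its headers. Constructed example for the unisog thread;
not code from tcpreplay, tcpmerge or netdude."""
import heapq
import os
import socket
import struct
import tempfile
from typing import Dict, Iterable, Iterator, List, Tuple

PCAP_MAGIC = 0xA1B2C3D4          # little-endian, microsecond timestamps
LINKTYPE_ETHERNET = 1
GLOBAL_HDR = struct.Struct("<IHHiIII")   # magic, major, minor, zone, sigfigs, snaplen, linktype
RECORD_HDR = struct.Struct("<IIII")      # ts_sec, ts_usec, incl_len, orig_len

Packet = Tuple[int, int, int, bytes]     # (ts_sec, ts_usec, orig_len, captured bytes)


def write_pcap(path: str, packets: Iterable[Packet], snaplen: int = 65535) -> None:
    with open(path, "wb") as f:
        f.write(GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
        for sec, usec, orig_len, data in packets:
            f.write(RECORD_HDR.pack(sec, usec, len(data), orig_len))
            f.write(data)


def read_pcap(path: str) -> Iterator[Packet]:
    """Yield records in file order; tcpdump writes them in capture order."""
    with open(path, "rb") as f:
        magic = GLOBAL_HDR.unpack(f.read(GLOBAL_HDR.size))[0]
        if magic != PCAP_MAGIC:
            raise ValueError("only little-endian microsecond pcap is handled here")
        while True:
            rec = f.read(RECORD_HDR.size)
            if len(rec) < RECORD_HDR.size:
                return
            sec, usec, incl_len, orig_len = RECORD_HDR.unpack(rec)
            data = f.read(incl_len)
            if len(data) < incl_len:
                raise ValueError("truncated record in %s" % path)
            yield sec, usec, orig_len, data


def header_length(frame: bytes) -> int:
    """Bytes of Ethernet + IPv4 + TCP/UDP header to keep; the rest is payload.
    Anything that is not IPv4 is cut to the Ethernet header (conservative)."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return min(len(frame), 14)
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length
    proto = frame[23]                      # IPv4 protocol field
    l4 = 14 + ihl
    if proto == 6 and len(frame) >= l4 + 13:
        return min(len(frame), l4 + (frame[l4 + 12] >> 4) * 4)   # TCP data offset
    if proto == 17:
        return min(len(frame), l4 + 8)                            # fixed UDP header
    return min(len(frame), l4)


def merge_and_strip(out_path: str, in_paths: List[str], strip_payload: bool = True) -> int:
    """Merge time-ordered captures by timestamp (what tcpmerge/mergecap do)
    and optionally drop payload bytes. Returns the number of records written."""
    merged = heapq.merge(*(read_pcap(p) for p in in_paths), key=lambda p: (p[0], p[1]))
    written = 0

    def records() -> Iterator[Packet]:
        nonlocal written
        for sec, usec, orig_len, data in merged:
            if strip_payload:
                data = data[:header_length(data)]
            written += 1
            yield sec, usec, orig_len, data

    write_pcap(out_path, records())
    return written


def build_tcp_frame(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame for the demo (checksums left zero)."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload


def run_demo() -> Dict[str, object]:
    """Two constructed one-direction captures (one per tap fibre), merged and stripped."""
    req = build_tcp_frame("10.0.0.5", "10.0.1.9", 40000, 80, b"GET /secret HTTP/1.0\r\n")
    rsp = build_tcp_frame("10.0.1.9", "10.0.0.5", 80, 40000, b"HTTP/1.0 200 OK\r\n")
    with tempfile.TemporaryDirectory() as d:
        a, b, out = (os.path.join(d, n) for n in ("a_to_b.pcap", "b_to_a.pcap", "merged.pcap"))
        write_pcap(a, [(100, 0, len(req), req), (100, 500000, len(req), req), (101, 0, len(req), req)])
        write_pcap(b, [(100, 250000, len(rsp), rsp), (100, 750000, len(rsp), rsp)])
        count = merge_and_strip(out, [a, b])
        result = list(read_pcap(out))
    return {
        "count": count,
        "timestamps": [(p[0], p[1]) for p in result],
        "captured_lengths": [len(p[3]) for p in result],
        "orig_lengths": [p[2] for p in result],
    }


if __name__ == "__main__":
    print(run_demo())
```

The merged file keeps the original length of every frame in its record header, so anyone reading it can see it was truncated; the headers alone are enough for flow-level work, but a device under test fed truncated frames sees short packets, so keep an unstripped copy under the same access controls Peter describes if the goal is a faithful burn-in replay.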

