On 2/15/06, Prashant Khandelwal <[EMAIL PROTECTED]> wrote:
> <snip>
> Obviously the biggest limitation of tcpreplay is it doesn't come with
> a library of pcaps. Maybe one of these days I can figure out the
> logistics to make that happen and encourage people to actually submit
> pcaps (which people tend to worry might have some kind of confidential
> IP in them) rather than just leech off everyone else. If anyone has
> any bright ideas I'd love to hear them.
> </snip>
>
> Well if it's a matter of hiding IP addresses and sensitive information then,
> I guess tests which are run with private IP addresses in labs can be
> captured and shared... just a thought...

Well, IP addresses are only a part of it. Rewriting a pcap stream to change the IP addresses to be RFC1918 is actually pretty easy (tcpreplay can do it for you if you'd like). But some protocols embed the server FQDN/IP in the application layer (HTTP's Host header for example). And things like usernames and passwords are probably a bit more worrisome and tend to be more difficult to edit in a pcap file.

Overall, unless you're capturing traffic in a dedicated lab environment, most organizations (at least the ones I've talked to) wouldn't be happy with wide distribution of traffic captures from inside or at the perimeter of their network.

--
Aaron Turner
http://synfin.net/
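
An added example, not part of the original post and not tcpreplay code: a pre-sharing audit in Python that walks a classic pcap and reports what an IP-header rewrite leaves behind, namely non-RFC1918 header addresses, HTTP Host values and Authorization/Cookie headers. The function names, the header list and the one-packet sample capture are constructed for illustration.

```python
import ipaddress
import re
import struct

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Application-layer fields that an IP-header rewrite leaves untouched (illustrative list).
LEAKS = {
    "host": re.compile(rb"^Host:[ \t]*([^\r\n]+)", re.I | re.M),
    "credentials": re.compile(rb"^(?:Authorization|Cookie):[ \t]*([^\r\n]+)", re.I | re.M),
}

def frames(pcap: bytes):
    """Yield raw frames from a classic little-endian pcap file."""
    if struct.unpack_from("<I", pcap, 0)[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap")
    off = 24  # skip the global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from("<I", pcap, off + 8)[0]
        yield pcap[off + 16 : off + 16 + incl_len]
        off += 16 + incl_len

def audit(pcap: bytes):
    """Return (packet_no, kind, value) findings that should block sharing."""
    findings = []
    for n, f in enumerate(frames(pcap), 1):
        if len(f) < 34 or f[12:14] != b"\x08\x00":  # Ethernet + IPv4 only
            continue
        for raw in (f[26:30], f[30:34]):  # source, destination
            ip = ipaddress.IPv4Address(raw)
            if not any(ip in net for net in RFC1918):
                findings.append((n, "public_ip_header", str(ip)))
        tcp = 14 + (f[14] & 0x0F) * 4
        if f[23] != 6 or len(f) < tcp + 20:  # TCP only
            continue
        payload = f[tcp + (f[tcp + 12] >> 4) * 4 :]
        for kind, rx in LEAKS.items():
            findings += [(n, kind, m.group(1).decode("latin-1")) for m in rx.finditer(payload)]
    return findings

def sample_pcap(src: bytes = bytes([10, 0, 0, 5])) -> bytes:
    """Constructed one-packet capture (checksums left at 0, not validated here)."""
    payload = (b"GET / HTTP/1.1\r\nHost: intranet.example.com\r\n"
               b"Authorization: Basic dXNlcjpwYXNz\r\n\r\n")
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     src, bytes([10, 0, 0, 80]))
    frame = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip + tcp + payload
    return (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
            + struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame)
```

Calling `audit(sample_pcap())` on the sample, whose header addresses are already RFC1918, still returns the Host and Authorization findings.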
