On Fri, Jun 12, 2009 at 8:52 AM, Darien Kindlund<dar...@kindlund.com> wrote: [snip excellent problem description]
Since you've reduced the problem set a great deal, yes, something like that is reasonable. Forcing the client to behave in a deterministic fashion is a big help, as is a single request/reply per socket connection. Limiting yourself further to only a single use case is huge. Of course, the more limits you place, the less useful this is to a wide audience.

> So, my questions are:
> 1) Based on the simple solution I've described, are there any other
> factors my original assumptions did not take into account? In other
> words, could it work, given the original assumptions?

The other issue is pretending to be multiple network devices (the DNS server, default gateway, yahoo & google servers in your example). So there are two ways to solve this problem:

1) your pcap-to-server application opens up TCP/UDP sockets in order to answer responses. Since you're using DNS in your example, you could make sure yahoo & google resolve to yourself.

2) your pcap-to-server application uses raw frame injection and promiscuous mode on the network interface to read & write packets onto the network. This allows you to pretend to be hosts on other networks.

#1 is simpler in that now you don't have to write your own TCP/IP stack or worry about ARPs as much (your OS will handle that for you).

#2 is simpler because you don't have to worry about protocols which embed IP address information in the packets which later cause problems (DNS, FTP, SIP all have this problem, as can others), since you'll be able to spoof the original IP address of the server(s) in the pcap. You'll probably have to write a simple ARP responder too.

> 2) Could any of the tcpreplay code be used to accomplish a fraction of
> this goal? (Such as identifying and extracting the application layer
> content for each request to build the corresponding array entries?)

There are probably other tools I'd look at as the starting point; tcpreplay isn't really designed to work at the flow/session level.
I probably would look at libnids and tcpflow. Both have issues though: libnids has a horrible API IMHO, and tcpflow only works with live networks (not pcaps). But both are flow/session aware.

Honestly, if you only wanted to do that single test case, the simplest thing would be to install Bind & Apache, configure bind to resolve yahoo & google to your local box, and have Apache serve up the appropriate pages via vhosts. That would take an experienced sysadmin an hour or less.

-- 
Aaron Turner
http://synfin.net/
http://tcpreplay.synfin.net/ - Pcap editing and replay tools for Unix & Windows
Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. -- Benjamin Franklin

_______________________________________________
Tcpreplay-users mailing list
Tcpreplay-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tcpreplay-users
Support Information: http://tcpreplay.synfin.net/trac/wiki/Support
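A concrete instance of the "IP address embedded in the payload" problem Aaron raises for approach #1, as an added example that is not from the thread or from tcpreplay: a captured DNS reply for www.yahoo.com still carries the real server's address, so a socket-based replay harness has to rewrite the A-record rdata to its own address before handing the reply back to the client. The sample packet is constructed inline and REPLAY_HOST is an assumed lab address; the walker handles name compression pointers, which is where naive rewrites usually break.

```python
import struct

# Assumption: the box that will answer the replayed HTTP requests (documentation range).
REPLAY_HOST = "192.0.2.10"

# Constructed DNS response: ID 0x1234, flags 0x8180, QD=1 AN=1, question
# "www.yahoo.com A IN", answer via compression pointer (0xc00c) with rdata 1.2.3.4.
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"               # header
    b"\x03www\x05yahoo\x03com\x00\x00\x01\x00\x01"                    # question
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04\x01\x02\x03\x04"  # answer
)


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past the DNS name at `off` (labels or a 2-byte pointer)."""
    while True:
        length = msg[off]
        if length == 0:                      # root label terminates an uncompressed name
            return off + 1
        if (length & 0xC0) == 0xC0:          # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def _a_record_offsets(msg: bytes):
    """Yield the rdata offset of every A/IN record in the answer, authority and additional sections."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4       # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            yield off
        off += rdlen


def a_records(msg: bytes) -> list:
    """Dotted-quad addresses of all A records in the message, in wire order."""
    return [".".join(str(b) for b in msg[o:o + 4]) for o in _a_record_offsets(msg)]


def rewrite_a_records(msg: bytes, new_ip: str) -> bytes:
    """Copy of `msg` with every A-record address replaced by `new_ip`; length and IDs unchanged."""
    out = bytearray(msg)
    new_rdata = bytes(int(octet) for octet in new_ip.split("."))
    for o in _a_record_offsets(msg):
        out[o:o + 4] = new_rdata
    return bytes(out)


if __name__ == "__main__":
    print(a_records(SAMPLE_RESPONSE), "->", a_records(rewrite_a_records(SAMPLE_RESPONSE, REPLAY_HOST)))
```

The same walker is the place to add CNAME or AAAA handling if the capture contains them; anything that is not an A record is passed through untouched.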