I'm going to have to take a step back and try to understand what you're trying to accomplish. I'm beginning to think you're making this more complicated than it needs to/should be.
Normally, when people use tcpreplay, they want to test something. If you're *just* trying to test your IPS- perhaps check that it detects certain attacks or whatever, then you don't need any of those routers or server/client.

As for the client/server, if you're using UDP/ICMP traffic exclusively, then generally it makes sense to have one or the other, but not both. In such cases, you're trying to test the client/server and not some inline device like an IPS, because tcpreplay can act like both the client & server when you split the traffic with tcpreplay/tcpprep. Again, you'd only use another computer playing the role of the client or server if you are testing it.

Now, if you want to make it more complicated, you can use the routers. Your first diagram with the laptop connected to two different routers probably was correct. You shouldn't need any other devices (client & server boxes) because the traffic you generate should have enough information in the packets for the routers to learn where the faked client and server are. You need to be really careful about the routing tables on those routers though- the network you designed has multiple paths between ROUTER2 & 3 and so you'll need to make sure traffic is taking the path you want.

Note: it's pretty important that the IP addresses in the packets generated by tcpreplay don't match the IP addresses of your laptop! Otherwise the laptop's operating system's TCP/IP stack will start replying to packets too and it will confuse your device under test.

To answer your other question, two tcpreplay interfaces is enough to act like devices on two different networks. From what you've said so far, I don't see any reason that won't be enough.
What you're going to want to run is what you said earlier:

    tcpprep --pcap=mini.pcap --cachefile=mini.cache --port
    tcprewrite --cachefile=mini.cache --infile=mini.pcap --outfile=mini_updated.pcap --enet-dmac=@MAC-ROUTER2,@MAC-ROUTER3 --endpoints=@IP-SERVER:@IP-CLIENT --enet-vlan=del
    tcpreplay --intf1=LAPTOP-eth0 --intf2=LAPTOP-eth1 --cachefile=mini.cache mini_updated.pcap

Where your laptop is connected to ROUTER2 & ROUTER3. The IPs of the server and client are IP addresses on the subnets that your laptop is connected to on ROUTER2 & ROUTER3. So if the subnet your laptop is connected to on ROUTER2 is 10.0.0.0/24 then you'd want to pick something like 10.0.0.1. Same idea for router3.

I'd also strongly suggest you test your routing/network by disconnecting your laptop from one router and plugging in another computer into that router and then make sure you can ping between the laptop and this other computer. You need to use two different computers for this test, because if you use only one computer it'll just ping itself without sending any traffic over the network. It's worth checking to make sure your IPS can see the traffic because your network diagram has multiple paths and the shortest path isn't through the IPS!

Hope that helps.

Aaron

On Sat, Apr 2, 2011 at 7:12 AM, DjamOlsky <djamol...@gmail.com> wrote:
> Aaron Turner wrote on 01/04/2011 18:19:
>
>>>              IPS
>>>              | |
>>>            router1
>>>            /     \
>>>   --router2---router3--
>>>    /      \   /      \
>>> SERVER   LAPTOP    CLIENT
>>
>> That's a lot different from the last diagram you gave me. Are the two
>> NIC interfaces from the laptop on the same or different broadcast
>> domains? Are they the same or different IP subnet?
>
> SERVER and CLIENT are here to receive the traffic from the injection laptop.
> is the LAPTOP doing the injection (with 2 NICS) enough?!
> I was changing the IP addresses (tcprewrite with endpoint parameters to
> redirect the traffic to the client/server machines). The IP subnets are
> different.
>
>> I thought you were just trying to replay traffic through the IPS, what
>> purpose is the server on router2? Is it supposed to process/reply to
>> any traffic?
>
> No, the "SERVER" is here only to have a destination/source machine on
> the network.
> When the traffic is sent from the LAPTOP injection, it has to go
> somewhere, hasn't it?
> Here is my misunderstanding I think. Do I have to consider the two NIC
> cards on the Injection laptop as destination/source (or server/client
> interface) ?
>
>> Destination MAC addresses are ALWAYS the MAC address of the local
>> router/gateway/next hop. Remember that ethernet is Layer2 and is not
>> routed. So that tcprewrite command of yours might work with the first
>> diagram, but it won't work with the most recent one.
>
> It means I have to suppress SERVER and CLIENT machines from my scenario
> (as in my first schema)
> and consider the destination/source, the two NIC cards of (the injection
> laptop)?
>
> Any idea of the tcprewrite command I have to do using the initial schema
> finally? (I am a bit lost now!)
>
> Thanks again for your time and your help. Cheers!
>
> ------------------------------------------------------------------------------
> Create and publish websites with WebMatrix
> Use the most popular FREE web apps or write code yourself;
> WebMatrix provides all the features you need to develop and
> publish your website. http://p.sf.net/sfu/ms-webmatrix-sf
> _______________________________________________
> Tcpreplay-users mailing list
> Tcpreplay-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/tcpreplay-users
> Support Information: http://tcpreplay.synfin.net/trac/wiki/Support
>

--
Aaron Turner
http://synfin.net/ Twitter: @synfinatic
http://tcpreplay.synfin.net/ - Pcap editing and replay tools for Unix & Windows
Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety.
-- Benjamin Franklin
"carpe diem quam minimum credula postero"
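
Added example, not part of the original message or of the tcpreplay project: a pre-flight check for the two fake endpoint addresses (each must sit on the subnet of the laptop NIC facing that router, and must not be one of the laptop's own addresses) that prints the three commands from the reply only when both pass. The MAC addresses, IP addresses and interface names `eth0`/`eth1` are constructed sample values.

```shell
#!/bin/sh
# Added example: validate fake endpoints before rewriting/replaying a pcap.

# Dotted-quad IPv4 -> 32-bit integer (runs in a subshell so IFS stays local).
ip2int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# check_endpoint ENDPOINT_IP NIC_CIDR OTHER_NIC_CIDR
# NIC_CIDR is the laptop's own address/prefix on the NIC facing that router.
# Prints a verdict; exit status is 0 only for "ok".
check_endpoint() (
    ep=$(ip2int "$1")
    own=$(ip2int "${2%/*}"); bits=${2#*/}
    other=$(ip2int "${3%/*}")
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    if [ "$ep" -eq "$own" ] || [ "$ep" -eq "$other" ]; then
        echo "collides-with-laptop"; exit 1   # laptop's TCP/IP stack would reply
    fi
    if [ $(( ep & mask )) -ne $(( own & mask )) ]; then
        echo "outside-subnet"; exit 1         # router has no route back to it
    fi
    echo "ok"
)

# plan_replay MAC_ROUTER2 MAC_ROUTER3 IP_SERVER IP_CLIENT NIC0_CIDR NIC1_CIDR
# Prints the tcpprep/tcprewrite/tcpreplay commands only if both endpoints pass.
plan_replay() {
    v=$(check_endpoint "$3" "$5" "$6") || { echo "server $3: $v" >&2; return 1; }
    v=$(check_endpoint "$4" "$6" "$5") || { echo "client $4: $v" >&2; return 1; }
    echo "tcpprep --pcap=mini.pcap --cachefile=mini.cache --port"
    echo "tcprewrite --cachefile=mini.cache --infile=mini.pcap" \
         "--outfile=mini_updated.pcap --enet-dmac=$1,$2" \
         "--endpoints=$3:$4 --enet-vlan=del"
    echo "tcpreplay --intf1=eth0 --intf2=eth1 --cachefile=mini.cache mini_updated.pcap"
}

# Constructed sample: eth0 = 10.0.0.5/24 (to ROUTER2), eth1 = 10.0.1.5/24 (to ROUTER3).
plan_replay 00:11:22:33:44:02 00:11:22:33:44:03 \
            10.0.0.1 10.0.1.50 10.0.0.5/24 10.0.1.5/24
```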