Thanks Aaron. I need to investigate how to trim the file. I opened the
file in Wireshark but the "edit packet" option is grayed out. When you ask
if I have confirmed that the virtual security server sees the traffic the
answer is yes. Again, what I did was execute a manual test (with a policy
in place on the virtual security server to block network viruses) from the
Windows vm. The test was simple. I just opened a browser and went to
eicar.org and clicked on the link to download the test file, eicar.com.txt
(and this was the traffic that I tried to capture with eicar). This
yielded a message on the Windows vm indicating that the virus had been
blocked. I will attempt to use that tcpliveplay tool.
Thanks.
randy
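As an added example (not code from this thread or from the tcpreplay project), the following Python script does the trimming step discussed above: it reads a classic pcap, finds the TCP flow that carried the HTTP request for a given Host header, and writes out only that flow's packets. It assumes an Ethernet-framed, little-endian pcap with plain IPv4/TCP (no VLAN tags, IP fragments or IPv6); the addresses, ports and payloads in sample_pcap() are constructed.

```python
import struct

CLIENT, EICAR, OTHER = bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20])  # constructed addresses

def _pkt(src, dst, sport, dport, payload):
    """Build a minimal Ethernet/IPv4/TCP frame (checksums left zero; fine for offline parsing)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0, src, dst)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload

def write_pcap(packets):
    """Serialise frames into a classic little-endian pcap (linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, p in enumerate(packets):
        out += struct.pack("<IIII", 1429000000 + i, 0, len(p), len(p)) + p
    return out

def read_pcap(data):
    """Yield raw frames from a classic little-endian pcap (24-byte global header, 16-byte record headers)."""
    off = 24
    while off + 16 <= len(data):
        caplen = struct.unpack("<IIII", data[off:off + 16])[2]
        yield data[off + 16:off + 16 + caplen]
        off += 16 + caplen

def tcp_flow(pkt):
    """Return (direction-independent flow key, TCP payload) for an IPv4/TCP frame, else None."""
    if len(pkt) < 54 or pkt[12:14] != b"\x08\x00" or pkt[23] != 6:
        return None
    tcp = 14 + (pkt[14] & 0x0F) * 4          # honour the IPv4 header length
    sport, dport = struct.unpack("!HH", pkt[tcp:tcp + 4])
    doff = (pkt[tcp + 12] >> 4) * 4          # honour TCP options
    return frozenset({(pkt[26:30], sport), (pkt[30:34], dport)}), pkt[tcp + doff:]

def trim_to_host(data, host):
    """Keep only the TCP flows that carried an HTTP request with the given Host header (both directions)."""
    pkts = list(read_pcap(data))
    keep = {ft[0] for p in pkts if (ft := tcp_flow(p)) and b"Host: " + host in ft[1]}
    return write_pcap([p for p in pkts if (ft := tcp_flow(p)) and ft[0] in keep])

def sample_pcap():
    """Constructed capture: an unrelated flow interleaved with the eicar.org download."""
    return write_pcap([
        _pkt(CLIENT, OTHER, 40000, 80, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
        _pkt(OTHER, CLIENT, 80, 40000, b"HTTP/1.1 200 OK\r\n\r\n<html>"),
        _pkt(CLIENT, EICAR, 40001, 80, b"GET /download/eicar.com.txt HTTP/1.1\r\nHost: www.eicar.org\r\n\r\n"),
        _pkt(EICAR, CLIENT, 80, 40001, b"HTTP/1.1 200 OK\r\n\r\n<placeholder for test file body>"),
        _pkt(OTHER, CLIENT, 80, 40000, b"</html>"),
    ])
```

Calling trim_to_host(sample_pcap(), b"www.eicar.org") returns a pcap holding only the two eicar.org packets; on a real capture, read the file's bytes in, pass them through trim_to_host, and write the result back out with open(..., "wb").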
On Tue, Apr 14, 2015 at 12:53 PM, Aaron Turner <synfina...@gmail.com> wrote:
> Hi Randy,
>
> So first, I'd recommend trimming your pcap to only include the
> eicar.com request. You have over 2600 packets in that pcap and that
> makes testing much more difficult since your actual test traffic is
> less than 1% of that.
>
> Second, I'm not sure I fully understand your test bed. How does your
> virtual security appliance "see" the eicar.com file? Have you
> confirmed that this appliance sees all the traffic?
>
> Third, your statement about an "eicar server" is a red flag for me.
> That sounds like you expect tcpreplay to make a HTTP connection to
> your server. Tcpreplay can not do that. It can only pretend to be
> *both* the client and server. If you need to connect to a server,
> then tcpliveplay is the correct tool.
>
> Regards,
> Aaron
>
> --
> Aaron Turner
> http://synfin.net/ Twitter: @synfinatic
> Those who would give up essential Liberty, to purchase a little temporary
> Safety, deserve neither Liberty nor Safety.
> -- Benjamin Franklin
>
>
> On Tue, Apr 14, 2015 at 7:03 AM, Randy Sanginario
> <randy.sangina...@gmail.com> wrote:
> > Hi There,
> >
> > I am trying to replay the following pcap file in a private subnet of mine
> > for testing purposes. The pcap was captured on a guest (call it Win7-a) in
> > my vmWare cluster and replayed from another guest in the same cluster. All
> > of my guest virtual machines in the cluster are Windows7 clones set up with
> > one NIC (eth0). To replay the pcap I run "tcpreplay -i eth0 -K --loop=1
> > mytestpcap.pcap". The pcap pretty much contains a GET to download an eicar
> > virus file. I am trying to see that our security virtual appliance
> > catches the virus but this does not seem to happen when I replay. It is my
> > understanding that I don't have to run tcpreplay from the source machine
> > itself (i.e. Win7-a). I've run tcpreplay and re-captured the traffic and all
> > looks good there but again the traffic should flow from Win7-a through my
> > security virtual appliance and to the eicar server. However the fact that
> > the virus is not being detected tells me there is something that I am not
> > understanding. When I execute this test by hand (i.e. accessing the
> > eicar.com.txt virus) from Win7-a, the security virtual appliance does
> > catch/block the threat. I should note that I did not do any tcpprep or
> > tcprewrite work on this pcap.
> >
> > Any help on this matter would be greatly appreciated as I would love to use
> > this tool to drive many pcaps through my cluster for the sake of persistence
> > testing.
> >
> > Thanks much.
> >
> > randy
> >
> ------------------------------------------------------------------------------
> > BPM Camp - Free Virtual Workshop May 6th at 10am PDT/1PM EDT
> > Develop your own process in accordance with the BPMN 2 standard
> > Learn Process modeling best practices with Bonita BPM through live
> exercises
> > http://www.bonitasoft.com/be-part-of-it/events/bpm-camp-virtual-
> event?utm_
> > source=Sourceforge_BPM_Camp_5_6_15&utm_medium=email&utm_campaign=VA_SF
> > _______________________________________________
> > Tcpreplay-users mailing list
> > Tcpreplay-users@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/tcpreplay-users
> > Support Information: http://tcpreplay.synfin.net/trac/wiki/Support