What I meant was: does the appliance see the traffic when replayed with tcpreplay? Specifically, if you run tcpdump on the appliance, do you see the HTTP traffic being sent by tcpreplay?

--
Aaron Turner
http://synfin.net/ Twitter: @synfinatic
Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety.
-- Benjamin Franklin

On Tue, Apr 14, 2015 at 10:39 AM, Randy Sanginario <randy.sangina...@gmail.com> wrote:
> Thanks Aaron. I need to investigate how to trim the file. I opened the file in Wireshark but the "edit packet" option is grayed out. When you ask if I have confirmed that the virtual security server sees the traffic, the answer is yes. Again, what I did was execute a manual test (with a policy in place on the virtual security server to block network viruses) from the Windows VM. The test was simple. I just opened a browser and went to eicar.org and clicked on the link to download the test file, eicar.com.txt (and this was the traffic that I tried to capture with eicar). This yielded a message on the Windows VM indicating that the virus had been blocked. I will attempt to use that tcpliveplay tool.
>
> Thanks.
>
> randy
>
> On Tue, Apr 14, 2015 at 12:53 PM, Aaron Turner <synfina...@gmail.com> wrote:
>> Hi Randy,
>>
>> So first, I'd recommend trimming your pcap to only include the eicar.com request. You have over 2600 packets in that pcap and that makes testing much more difficult since your actual test traffic is less than 1% of that.
>>
>> Second, I'm not sure I fully understand your test bed. How does your virtual security appliance "see" the eicar.com file? Have you confirmed that this appliance sees all the traffic?
>>
>> Third, your statement about an "eicar server" is a red flag for me. That sounds like you expect tcpreplay to make an HTTP connection to your server. Tcpreplay cannot do that. It can only pretend to be *both* the client and server. If you need to connect to a server, then tcpliveplay is the correct tool.
>>
>> Regards,
>> Aaron
>>
>> On Tue, Apr 14, 2015 at 7:03 AM, Randy Sanginario <randy.sangina...@gmail.com> wrote:
>>> Hi There,
>>>
>>> I am trying to replay the following pcap file in a private subnet of mine for testing purposes. The pcap was captured on a guest (call it Win7-a) in my vmWare cluster and replayed from another guest in the same cluster. All of my guest virtual machines in the cluster are Windows 7 clones set up with one NIC (eth0). To replay the pcap I run "tcpreplay -i eth0 -K --loop1 mytestpcap.pcap". The pcap pretty much contains a GET to download an eicar virus file. I am trying to see that our security virtual appliance catches the virus, but this does not seem to happen when I replay. It is my understanding that I don't have to run tcpreplay from the source machine itself (i.e. Win7-a). I've run tcpreplay and re-captured the traffic and all looks good there, but again the traffic should flow from Win7-a through my security virtual appliance and to the eicar server. However, the fact that the virus is not being detected tells me there is something that I am not understanding. When I execute this test by hand (i.e. accessing the eicar.com.txt virus) from Win7-a, the security virtual appliance does catch/block the threat. I should note that I did not do any tcpprep or tcprewrite work on this pcap.
>>>
>>> Any help on this matter would be greatly appreciated as I would love to use this tool to drive many pcaps through my cluster for the sake of persistence testing.
>>>
>>> Thanks much.
>>>
>>> randy

------------------------------------------------------------------------------
_______________________________________________
Tcpreplay-users mailing list
Tcpreplay-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tcpreplay-users
Support Information: http://tcpreplay.synfin.net/trac/wiki/Support
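As an added example (not code from the tcpreplay project or from either poster), here is the trimming step Aaron recommends, done in plain Python without scapy: keep only the TCP flow that carries the EICAR GET request, in both directions, because tcpreplay replays the client and the server packets from the file rather than talking to a real server, so a one-sided trim would leave it nothing to play back for the response. The pcap handling (classic libpcap format, Ethernet link type, IPv4 only), the request path `/download/eicar.com.txt`, the addresses and the six-packet sample capture are all constructed assumptions and are not taken from Randy's capture.

```python
"""Trim a pcap down to the TCP flow(s) carrying a given HTTP request line.

Added example, not from the tcpreplay project. Assumes a classic libpcap
file (little-endian magic 0xA1B2C3D4) with Ethernet link type and IPv4
packets; the sample capture at the bottom is constructed inline, with
zeroed checksums, purely so that the example runs offline.
"""
import struct

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
IPPROTO_UDP = 17


def read_pcap(data):
    """Yield (ts_sec, ts_usec, frame_bytes) for each record in a pcap buffer."""
    magic, _vmaj, _vmin, _zone, _sig, _snap, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("only little-endian Ethernet pcaps are handled here")
    off = 24  # global header is 24 bytes
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        yield ts_sec, ts_usec, data[off:off + incl_len]
        off += incl_len


def write_pcap(records):
    """Serialize (ts_sec, ts_usec, frame_bytes) records back into a pcap buffer."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts_sec, ts_usec, frame in records:
        out.append(struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def dissect(frame):
    """Return (flow_key, tcp_payload) for an IPv4/TCP frame, else (None, b"").

    The flow key is direction-agnostic, so the client->server request and the
    server->client response of one conversation map to the same key.
    """
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None, b""
    ihl = (frame[14] & 0x0F) * 4                    # IPv4 header length
    total_len = struct.unpack_from("!H", frame, 16)[0]
    proto, src, dst = frame[23], frame[26:30], frame[30:34]
    if proto != IPPROTO_TCP:
        return None, b""
    tcp = 14 + ihl
    sport, dport = struct.unpack_from("!HH", frame, tcp)
    doff = (frame[tcp + 12] >> 4) * 4               # TCP header length
    payload = frame[tcp + doff:14 + total_len]      # stop at IP total length, not frame end
    return frozenset({(src, sport), (dst, dport)}), payload


def trim_to_request(pcap_bytes, needle):
    """Keep only packets of TCP flows whose payload contains `needle`.

    Returns (trimmed_pcap_bytes, kept_count). Both directions of each matching
    flow are kept so that tcpreplay still has the server's packets to replay.
    """
    records = list(read_pcap(pcap_bytes))
    wanted = set()
    for _, _, frame in records:                     # pass 1: find flows carrying the request
        key, payload = dissect(frame)
        if key is not None and needle in payload:
            wanted.add(key)
    kept = [r for r in records if dissect(r[2])[0] in wanted]   # pass 2: keep whole flows
    return write_pcap(kept), len(kept)


def _frame(src, dst, proto, sport, dport, payload, tcp_flags=0x18):
    """Build a constructed Ethernet/IPv4/TCP-or-UDP frame; checksums are left zero."""
    if proto == IPPROTO_TCP:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, tcp_flags, 65535, 0, 0) + payload
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0, src, dst) + l4
    return b"\xaa" * 6 + b"\xbb" * 6 + struct.pack("!H", ETHERTYPE_IPV4) + ip


# Constructed sample capture: DNS noise, the EICAR HTTP flow, unrelated TCP noise.
CLIENT, WEB, DNS, OTHER = (bytes([10, 0, 0, 5]), bytes([203, 0, 113, 10]),
                           bytes([10, 0, 0, 1]), bytes([10, 0, 0, 9]))
REQUEST = b"GET /download/eicar.com.txt HTTP/1.1\r\nHost: www.eicar.org\r\n\r\n"  # assumed path
SAMPLE_PCAP = write_pcap([
    (1, 0, _frame(CLIENT, DNS, IPPROTO_UDP, 51000, 53, b"\x12\x34\x01\x00" + b"\x00" * 8)),
    (1, 100, _frame(CLIENT, WEB, IPPROTO_TCP, 49152, 80, b"", tcp_flags=0x02)),   # SYN
    (1, 200, _frame(WEB, CLIENT, IPPROTO_TCP, 80, 49152, b"", tcp_flags=0x12)),   # SYN/ACK
    (1, 300, _frame(CLIENT, WEB, IPPROTO_TCP, 49152, 80, REQUEST)),
    (1, 400, _frame(WEB, CLIENT, IPPROTO_TCP, 80, 49152, b"HTTP/1.1 200 OK\r\nContent-Length: 68\r\n\r\n")),
    (1, 500, _frame(CLIENT, OTHER, IPPROTO_TCP, 49153, 445, b"\xff" * 4)),
])


def demo():
    """Trim the sample and re-read the result; returns (kept, records_in_output)."""
    trimmed, kept = trim_to_request(SAMPLE_PCAP, b"GET /download/eicar.com.txt")
    return kept, len(list(read_pcap(trimmed)))


if __name__ == "__main__":
    print(demo())  # (4, 4): SYN, SYN/ACK, GET, 200 OK; the DNS and port-445 noise are dropped
```

On a real capture, read the file bytes, call trim_to_request with the request line you saw in Wireshark, and write the returned bytes to a new file for tcpreplay. The second check Aaron asks for, tcpdump on the appliance while the trimmed file is replayed, is still a separate step: a trimmed file only makes it obvious which four or five packets you are looking for in that capture.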