No. The appliance is a hardened product and I am not able to run tcpdump
on it.
On Tue, Apr 14, 2015 at 1:43 PM, Aaron Turner <synfina...@gmail.com> wrote:
> What I meant was: does the appliance see the traffic when replayed
> with tcpreplay? Specifically, if you run tcpdump on the appliance, do
> you see the HTTP traffic being sent by tcpreplay?
> --
> Aaron Turner
> http://synfin.net/ Twitter: @synfinatic
> Those who would give up essential Liberty, to purchase a little temporary
> Safety, deserve neither Liberty nor Safety.
> -- Benjamin Franklin
>
>
> On Tue, Apr 14, 2015 at 10:39 AM, Randy Sanginario
> <randy.sangina...@gmail.com> wrote:
> > Thanks Aaron. I need to investigate how to trim the file. I opened the
> > file in Wireshark but the "edit packet" option is grayed out. When you
> > ask if I have confirmed that the virtual security server sees the traffic
> > the answer is yes. Again, what I did was execute a manual test (with a
> > policy in place on the virtual security server to block network viruses)
> > from the Windows vm. The test was simple. I just opened a browser and went
> > to eicar.org and clicked on the link to download the test file,
> > eicar.com.txt (and this was the traffic that I tried to capture with
> > eicar). This yielded a message on the Windows vm indicating that the
> > virus had been blocked. I will attempt to use that tcpliveplay tool.
> >
> > Thanks.
> >
> > randy
> >
> > On Tue, Apr 14, 2015 at 12:53 PM, Aaron Turner <synfina...@gmail.com> wrote:
> >>
> >> Hi Randy,
> >>
> >> So first, I'd recommend trimming your pcap to only include the
> >> eicar.com request. You have over 2600 packets in that pcap and that
> >> makes testing much more difficult since your actual test traffic is
> >> less than 1% of that.
> >>
> >> Second, I'm not sure I fully understand your test bed. How does your
> >> virtual security appliance "see" the eicar.com file? Have you
> >> confirmed that this appliance sees all the traffic?
> >>
> >> Third, your statement about an "eicar server" is a red flag for me.
> >> That sounds like you expect tcpreplay to make a HTTP connection to
> >> your server. Tcpreplay can not do that. It can only pretend to be
> >> *both* the client and server. If you need to connect to a server,
> >> then tcpliveplay is the correct tool.
> >>
> >> Regards,
> >> Aaron
> >>
> >> --
> >> Aaron Turner
> >> http://synfin.net/ Twitter: @synfinatic
> >> Those who would give up essential Liberty, to purchase a little
> >> temporary Safety, deserve neither Liberty nor Safety.
> >> -- Benjamin Franklin
> >>
> >>
> >> On Tue, Apr 14, 2015 at 7:03 AM, Randy Sanginario
> >> <randy.sangina...@gmail.com> wrote:
> >> > Hi There,
> >> >
> >> > I am trying to replay the following pcap file in a private subnet of
> >> > mine for testing purposes. The pcap was captured on a guest (call it
> >> > Win7-a) in my VMware cluster and replayed from another guest in the same
> >> > cluster. All of my guest virtual machines in the cluster are Windows7
> >> > clones set up with one NIC (eth0). To replay the pcap I run "tcpreplay
> >> > -i eth0 -K --loop1 mytestpcap.pcap". The pcap pretty much contains a GET
> >> > to download an eicar virus file. I am trying to see whether our security
> >> > virtual appliance catches the virus but this does not seem to happen
> >> > when I replay. It is my understanding that I don't have to run tcpreplay
> >> > from the source machine itself (i.e. Win7-a). I've run tcpreplay and
> >> > re-captured the traffic and all looks good there but again the traffic
> >> > should flow from Win7-a through my security virtual appliance and to the
> >> > eicar server. However the fact that the virus is not being detected
> >> > tells me there is something that I am not understanding. When I execute
> >> > this test by hand (i.e. accessing the eicar.com.txt virus) from Win7-a,
> >> > the security virtual appliance does catch/block the threat. I should
> >> > note that I did not do any tcpprep or tcprewrite work on this pcap.
> >> >
> >> > Any help on this matter would be greatly appreciated as I would love
> >> > to use this tool to drive many pcaps through my cluster for the sake of
> >> > persistence testing.
> >> >
> >> > Thanks much.
> >> >
> >> > randy
> >> >
> ------------------------------------------------------------------------------
> >> > BPM Camp - Free Virtual Workshop May 6th at 10am PDT/1PM EDT
> >> > Develop your own process in accordance with the BPMN 2 standard
> >> > Learn Process modeling best practices with Bonita BPM through live
> >> > exercises
> >> > http://www.bonitasoft.com/be-part-of-it/events/bpm-camp-virtual-
> >> > event?utm_
> >> > source=Sourceforge_BPM_Camp_5_6_15&utm_medium=email&utm_campaign=VA_SF
> >> > _______________________________________________
> >> > Tcpreplay-users mailing list
> >> > Tcpreplay-users@lists.sourceforge.net
> >> > https://lists.sourceforge.net/lists/listinfo/tcpreplay-users
> >> > Support Information: http://tcpreplay.synfin.net/trac/wiki/Support
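Aaron's advice above is to trim the capture down to the eicar.com request and to remember that tcpreplay only replays both sides of a conversation that is already in the pcap. The following is an added example, not code from this thread or from the tcpreplay project: a stdlib-only Python script that keeps just the TCP conversation (both directions) whose payload contains a given request string, so the trimmed pcap still carries the client GET and the server's reply for the appliance to inspect. The capture, the TEST-NET addresses and the HTTP payloads are constructed here, and the parser assumes a classic little-endian pcap with Ethernet framing and IPv4/TCP headers without options.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic little-endian pcap; link type 1 = Ethernet

def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Minimal Ethernet/IPv4/TCP frame for constructed test data (checksums left zero)."""
    ip4 = lambda a: bytes(int(o) for o in a.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     ip4(src_ip), ip4(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload
def write_pcap(frames):
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):  # record header: ts_sec, ts_usec, incl_len, orig_len
        out += struct.pack("<IIII", 1, i, len(f), len(f)) + f
    return out
def iter_pcap(data):
    """Yield raw link-layer frames from a little-endian pcap."""
    if struct.unpack("<I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic")
    off = 24
    while off + 16 <= len(data):
        incl = struct.unpack("<IIII", data[off:off + 16])[2]
        yield data[off + 16:off + 16 + incl]
        off += 16 + incl
def tcp_tuple(frame):
    """(src, dst, sport, dport, payload) for IPv4/TCP frames, else None."""
    if frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    t = 14 + (frame[14] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", frame[t:t + 4])
    doff = (frame[t + 12] >> 4) * 4
    return frame[26:30], frame[30:34], sport, dport, frame[t + doff:]
def trim_to_flow(pcap, needle):
    """Keep only the TCP conversation (both directions) whose payload contains needle."""
    frames = list(iter_pcap(pcap))
    hit = next((t for f in frames if (t := tcp_tuple(f)) and needle in t[4]), None)
    if hit is None:
        return None, len(frames), 0
    flow = {hit[:4], (hit[1], hit[0], hit[3], hit[2])}  # forward and reverse 4-tuples
    kept = [f for f in frames if (t := tcp_tuple(f)) and t[:4] in flow]
    return write_pcap(kept), len(frames), len(kept)
def demo():
    c, s = "192.0.2.10", "198.51.100.20"  # constructed client/server (TEST-NET addresses)
    frames = [build_frame(c, s, 40001, 80, b"GET /index.html HTTP/1.1\r\nHost: h\r\n\r\n"),
              build_frame(s, c, 80, 40001, b"HTTP/1.1 200 OK\r\n\r\n<html></html>"),
              build_frame(c, s, 40002, 80, b"GET /download/eicar.com.txt HTTP/1.1\r\nHost: h\r\n\r\n"),
              build_frame(s, c, 80, 40002, b"HTTP/1.1 200 OK\r\n\r\n(test file body omitted)")]
    return trim_to_flow(write_pcap(frames), b"eicar.com.txt")
```

Run `trim_to_flow(open("mytestpcap.pcap", "rb").read(), b"eicar.com.txt")` on a real capture and write the returned bytes to a new file; the counts it returns tell you how much of the original 2600-packet capture was unrelated traffic.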