Thanks Aaron, I'm going to ask Dev if there's any way to get a build that
will allow me to look at the traffic. I appreciate your help and quick
replies.
-randy
On Tue, Apr 14, 2015 at 2:21 PM, Aaron Turner <synfina...@gmail.com> wrote:
> Well that's going to make debugging difficult, especially in a virtual
> environment where you can't put a network tap, etc on the wire to take
> a look.
> My off hand guess is that either:
> 1. Because you're using tcpreplay, the target host is sending TCP
> Reset packets and killing the connection. Your appliance is stateful
> enough to know it can ignore the actual HTTP GET request.
>
> 2. The traffic isn't going through the appliance at all, because the
> MAC addresses in the ethernet frames are wrong and aren't being routed
> correctly by the hypervisor.
>
>
> --
> Aaron Turner
> http://synfin.net/ Twitter: @synfinatic
> Those who would give up essential Liberty, to purchase a little temporary
> Safety, deserve neither Liberty nor Safety.
> -- Benjamin Franklin
>
>
> On Tue, Apr 14, 2015 at 11:02 AM, Randy Sanginario
> <randy.sangina...@gmail.com> wrote:
> > No. The appliance is a hardened product and I am not able to run
> > tcpdump on it.
> >
> > On Tue, Apr 14, 2015 at 1:43 PM, Aaron Turner <synfina...@gmail.com>
> > wrote:
> >>
> >> What I meant was: does the appliance see the traffic when replayed
> >> with tcpreplay? Specifically, if you run tcpdump on the appliance, do
> >> you see the HTTP traffic being sent by tcpreplay?
> >> --
> >> Aaron Turner
> >> http://synfin.net/ Twitter: @synfinatic
> >> Those who would give up essential Liberty, to purchase a little
> >> temporary Safety, deserve neither Liberty nor Safety.
> >> -- Benjamin Franklin
> >>
> >>
> >> On Tue, Apr 14, 2015 at 10:39 AM, Randy Sanginario
> >> <randy.sangina...@gmail.com> wrote:
> >> > Thanks Aaron. I need to investigate how to trim the file. I opened the
> >> > file in Wireshark but the "edit packet" option is grayed out. When you
> >> > ask if I have confirmed that the virtual security server sees the
> >> > traffic the answer is yes. Again, what I did was execute a manual test
> >> > (with a policy in place on the virtual security server to block network
> >> > viruses) from the Windows vm. The test was simple. I just opened a
> >> > browser and went to eicar.org and clicked on the link to download the
> >> > test file, eicar.com.txt (and this was the traffic that I tried to
> >> > capture with eicar). This yielded a message on the Windows vm indicating
> >> > that the virus had been blocked. I will attempt to use that tcpliveplay
> >> > tool.
> >> >
> >> > Thanks.
> >> >
> >> > randy
> >> >
> >> > On Tue, Apr 14, 2015 at 12:53 PM, Aaron Turner <synfina...@gmail.com>
> >> > wrote:
> >> >>
> >> >> Hi Randy,
> >> >>
> >> >> So first, I'd recommend trimming your pcap to only include the
> >> >> eicar.com request. You have over 2600 packets in that pcap and that
> >> >> makes testing much more difficult since your actual test traffic is
> >> >> less than 1% of that.
> >> >>
> >> >> Second, I'm not sure I fully understand your test bed. How does your
> >> >> virtual security appliance "see" the eicar.com file? Have you
> >> >> confirmed that this appliance sees all the traffic?
> >> >>
> >> >> Third, your statement about an "eicar server" is a red flag for me.
> >> >> That sounds like you expect tcpreplay to make an HTTP connection to
> >> >> your server. Tcpreplay cannot do that. It can only pretend to be
> >> >> *both* the client and server. If you need to connect to a server,
> >> >> then tcpliveplay is the correct tool.
> >> >>
> >> >> Regards,
> >> >> Aaron
> >> >>
> >> >> --
> >> >> Aaron Turner
> >> >> http://synfin.net/ Twitter: @synfinatic
> >> >> Those who would give up essential Liberty, to purchase a little
> >> >> temporary
> >> >> Safety, deserve neither Liberty nor Safety.
> >> >> -- Benjamin Franklin
> >> >>
> >> >>
> >> >> On Tue, Apr 14, 2015 at 7:03 AM, Randy Sanginario
> >> >> <randy.sangina...@gmail.com> wrote:
> >> >> > Hi There,
> >> >> >
> >> >> > I am trying to replay the following pcap file in a private subnet
> >> >> > of mine for testing purposes. The pcap was captured on a guest
> >> >> > (call it Win7-a) in my VMware cluster and replayed from another guest
> >> >> > in the same cluster. All of my guest virtual machines in the cluster
> >> >> > are Windows7 clones set up with one NIC (eth0). To replay the pcap I
> >> >> > run "tcpreplay -i eth0 -K --loop1 mytestpcap.pcap". The pcap pretty
> >> >> > much contains a GET to download an eicar virus file. I am trying to
> >> >> > see that our security virtual appliance catches the virus but this
> >> >> > does not seem to happen when I replay. It is my understanding that I
> >> >> > don't have to run tcpreplay from the source machine itself (i.e.
> >> >> > Win7-a). I've run tcpreplay and re-captured the traffic and all looks
> >> >> > good there but again the traffic should flow from Win7-a through my
> >> >> > security virtual appliance and to the eicar server. However the fact
> >> >> > that the virus is not being detected tells me there is something that
> >> >> > I am not understanding. When I execute this test by hand (i.e.
> >> >> > accessing the eicar.com.txt virus) from Win7-a, the security virtual
> >> >> > appliance does catch/block the threat. I should note that I did not
> >> >> > do any tcpprep or tcprewrite work on this pcap.
> >> >> >
> >> >> > Any help on this matter would be greatly appreciated as I would love
> >> >> > to use this tool to drive many pcaps through my cluster for the sake
> >> >> > of persistence testing.
> >> >> >
> >> >> > Thanks much.
> >> >> >
> >> >> > randy
> >> >> >
> >> >> > ------------------------------------------------------------------------------
> >> >> > BPM Camp - Free Virtual Workshop May 6th at 10am PDT/1PM EDT
> >> >> > Develop your own process in accordance with the BPMN 2 standard
> >> >> > Learn Process modeling best practices with Bonita BPM through live
> >> >> > exercises
> >> >> > http://www.bonitasoft.com/be-part-of-it/events/bpm-camp-virtual-event?utm_source=Sourceforge_BPM_Camp_5_6_15&utm_medium=email&utm_campaign=VA_SF
> >> >> > _______________________________________________
> >> >> > Tcpreplay-users mailing list
> >> >> > Tcpreplay-users@lists.sourceforge.net
> >> >> > https://lists.sourceforge.net/lists/listinfo/tcpreplay-users
> >> >> > Support Information: http://tcpreplay.synfin.net/trac/wiki/Support
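An added example, not code from this thread or from the tcpreplay project, covering the two checks Aaron asks for: trim the capture down to just the eicar.com.txt flow (both directions, since that is what tcpreplay will put on the wire), and list the Ethernet source/destination pairs the frames carry so they can be compared with the virtual NICs the hypervisor actually switches between. It is standard-library Python only (classic libpcap format, Ethernet link type; pcapng is not handled). The MAC addresses, IPs, ports and the embedded sample capture are constructed placeholders, not values from the thread.

```python
"""Trim a classic pcap to one TCP flow and report the MAC pairs it uses."""
import struct
from typing import Iterator, List, Optional, Set, Tuple

LINKTYPE_ETHERNET = 1
Record = Tuple[Tuple[int, int, int], bytes]   # ((ts_sec, ts_usec, orig_len), frame)


def iter_records(data: bytes) -> Iterator[Record]:
    """Walk the packet records of a classic pcap file in either byte order."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == 0xA1B2C3D4:
        e = "<"
    elif magic == 0xD4C3B2A1:
        e = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack_from(e + "I", data, 20)[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}; Ethernet expected")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from(e + "IIII", data, off)
        off += 16
        yield (ts_sec, ts_usec, orig_len), data[off:off + incl_len]
        off += incl_len


def write_pcap(records: List[Record]) -> bytes:
    """Serialise records back into a little-endian classic pcap file."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for (ts_sec, ts_usec, orig_len), frame in records:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(frame), orig_len) + frame
    return bytes(out)


def parse_tcp(frame: bytes) -> Optional[Tuple[str, str, str, int, str, int]]:
    """(src_mac, dst_mac, src_ip, sport, dst_ip, dport) for IPv4/TCP frames, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None                      # not IPv4 over Ethernet II (ARP, IPv6, VLAN tag, ...)
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 6 or len(frame) < 14 + ihl + 4:
        return None                      # not TCP, or truncated before the port numbers
    fmt_mac = lambda b: ":".join(f"{x:02x}" for x in b)
    fmt_ip = lambda b: ".".join(str(x) for x in b)
    sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
    return (fmt_mac(frame[6:12]), fmt_mac(frame[0:6]),
            fmt_ip(frame[26:30]), sport, fmt_ip(frame[30:34]), dport)


def trim_to_flow(data: bytes, server_ip: str, server_port: int) -> List[Record]:
    """Keep both directions of every TCP flow that touches server_ip:server_port."""
    kept = []
    for hdr, frame in iter_records(data):
        t = parse_tcp(frame)
        if t is None:
            continue
        _, _, sip, sp, dip, dp = t
        if (dip, dp) == (server_ip, server_port) or (sip, sp) == (server_ip, server_port):
            kept.append((hdr, frame))
    return kept


def mac_pairs(records: List[Record]) -> Set[Tuple[str, str]]:
    """Distinct (src_mac, dst_mac) pairs: compare with the vNICs the hypervisor switches."""
    return {(t[0], t[1]) for _, f in records for t in [parse_tcp(f)] if t is not None}


# --- constructed sample capture (placeholder addresses, not from the thread) ---
def _tcp_frame(src_mac, dst_mac, src_ip, sport, dst_ip, dport, payload=b"") -> bytes:
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(o) for o in s.split("."))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                       ip(src_ip), ip(dst_ip))   # checksums left at zero: parsing only
    return mac(dst_mac) + mac(src_mac) + b"\x08\x00" + ipv4 + tcp


def _rec(ts_sec: int, ts_usec: int, frame: bytes) -> Record:
    return (ts_sec, ts_usec, len(frame)), frame


CLIENT_MAC, GW_MAC = "02:00:00:00:00:01", "02:00:00:00:00:02"
SAMPLE_PCAP = write_pcap([
    _rec(1429000000, 0, _tcp_frame(CLIENT_MAC, GW_MAC, "192.0.2.10", 49152, "203.0.113.10", 80,
                                   b"GET /download/eicar.com.txt HTTP/1.1\r\nHost: example.test\r\n\r\n")),
    _rec(1429000000, 500, _tcp_frame(GW_MAC, CLIENT_MAC, "203.0.113.10", 80, "192.0.2.10", 49152,
                                     b"HTTP/1.1 200 OK\r\n\r\n")),
    _rec(1429000001, 0, _tcp_frame(CLIENT_MAC, GW_MAC, "192.0.2.10", 49153, "198.51.100.5", 443)),
])

if __name__ == "__main__":
    flow = trim_to_flow(SAMPLE_PCAP, "203.0.113.10", 80)
    print(f"kept {len(flow)} of {sum(1 for _ in iter_records(SAMPLE_PCAP))} packets")
    for pair in sorted(mac_pairs(flow)):
        print("src %s -> dst %s" % pair)
    with open("trimmed.pcap", "wb") as fh:        # the file to hand to tcpreplay
        fh.write(write_pcap(flow))
```

Replace the sample with `open("mytestpcap.pcap", "rb").read()` and the real server address to trim a capture of the size mentioned above. The MAC-pair report is the quick way to test Aaron's second guess: if the destination MAC on the client-side frames is not the appliance's (or the gateway's) virtual NIC, the hypervisor switch has no reason to deliver them through the appliance, and nothing will be inspected.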