At network tap would be more appropriate then a SPAN port. I can't really recommend specific speed options- there's a lot of variables (network card, driver, switch) which will impact your results. As always, I suggest starting somewhere, see what happens and adjust as necessary- tcpreplay will tell you how fast it was sending packets.
Generally speaking though, it probably doesn't make sense to send 50% back ground traffic and 50% attack traffic unless you're replicating a DDoS. -- Aaron Turner https://synfin.net/ Twitter: @synfinatic Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. -- Benjamin Franklin On Mon, Jan 4, 2016 at 2:14 AM, Hashem Alaidaros <aidaros....@gmail.com> wrote: > Thanks Aaron for your kind recommendation. > > Your idea of using cross-over cable instead of port mirror is great idea to > ensure all packets are delivered. But in my research I'm requested to use > port-mirror to represent at least near real traffic production. > > For the second point, I will follow what you preferred of using two > concurrent tcpreplays instead of merging into single file. Here I have a > question, if the first tcpreplay run use -M 500, and the second tcpreplay > run use -M 500, and both go to the same interface, in this case can I say > the traffic output from the interface is 500 Mbps or 1000 Mbps? > Thanks for advance > > > On Wed, Dec 30, 2015 at 11:02 AM, Aaron Turner <synfina...@gmail.com> wrote: >> >> Well Port Mirroring (SPAN ports) don't guarantee 100% deliver of all >> packets or even the packet order. So I wouldn't use that, but instead >> use a cross-over cable between the two computers. >> >> I personally would use two copies of tcpreplay running at the same >> time because trying to merge the two pcaps into a single file in a >> useful way (actually merging, not concatenating one after the other) >> is relatively difficult. Much easier to just start generating the >> background traffic (telling tcpreplay to loop forever) and then start >> sending one or more malicous traffic pcap files. >> -- >> Aaron Turner >> https://synfin.net/ Twitter: @synfinatic >> Those who would give up essential Liberty, to purchase a little temporary >> Safety, deserve neither Liberty nor Safety. >> -- Benjamin Franklin >> >> >> On Tue, Dec 29, 2015 at 6:52 PM, Hashem Alaidaros <aidaros....@gmail.com> >> wrote: >> > Thanks Aaron for your reply. >> > Basically, these two files will further be inspected for intrusion >> > detection >> > evaluation. One file contain malicious traffic and other contain normal >> > traffic. BTW, My testbed is two computers and switch. The tcpreplay is >> > in >> > computer1 and intrusion detection in computer2 and gigabit switch in >> > between >> > to forward all packet (via port mirror) to computer2. My question, >> > Instead >> > of merging the two files into a single file, can I use two tcpreplay >> > terminals concurrently? Does the switch forward the packets the same way >> > when they are in a single merged file? >> > Thanks >> > >> > >> > On Tue, Dec 29, 2015 at 9:51 AM, Aaron Turner <synfina...@gmail.com> >> > wrote: >> >> >> >> What do you mean by "more accurate results"? What kind of performance >> >> are you hoping to achieve? >> >> -- >> >> Aaron Turner >> >> https://synfin.net/ Twitter: @synfinatic >> >> Those who would give up essential Liberty, to purchase a little >> >> temporary >> >> Safety, deserve neither Liberty nor Safety. >> >> -- Benjamin Franklin >> >> >> >> >> >> On Mon, Dec 28, 2015 at 7:18 PM, Hashem Alaidaros >> >> <aidaros....@gmail.com> >> >> wrote: >> >> > Hi, I'm Aid, >> >> > I want to replay two pcap files : Simultaneously, I just want to ask >> >> > what is >> >> > the difference between the two scenario: >> >> > 1) Merge the two files into one file, then replay only that file >> >> > using >> >> > single tcpreplay command. >> >> > 2) Run tcpreplay in two terminals: Simultaneously, one terminal >> >> > tcpreplay >> >> > the first pcap file, and the second terminal using tcpreplay the >> >> > second >> >> > pcap >> >> > file. I works for me without error. >> >> > >> >> > Which one gives more accurate results and performance? >> >> > Thanks in advance. >> >> > >> >> > Here is additional information: >> >> > Tcpreplay: >> >> > tcpreplay version: 4.1.0 (build git:v4.1.0) >> >> > Cache file supported: 04 >> >> > Not compiled with libdnet. >> >> > Compiled against libpcap: 1.1.1 >> >> > 64 bit packet counters: enabled >> >> > Packet editing: disabled >> >> > Fragroute engine: disabled >> >> > Injection method: PF_PACKET send() >> >> > Not compiled with netmap >> >> > -- >> >> > A friend in need Is a friend indeed >> >> > >> >> > >> >> > >> >> > ------------------------------------------------------------------------------ >> >> > >> >> > _______________________________________________ >> >> > Tcpreplay-users mailing list >> >> > Tcpreplay-users@lists.sourceforge.net >> >> > https://lists.sourceforge.net/lists/listinfo/tcpreplay-users >> >> > Support Information: http://tcpreplay.synfin.net/trac/wiki/Support >> >> >> >> >> >> >> >> ------------------------------------------------------------------------------ >> >> _______________________________________________ >> >> Tcpreplay-users mailing list >> >> Tcpreplay-users@lists.sourceforge.net >> >> https://lists.sourceforge.net/lists/listinfo/tcpreplay-users >> >> Support Information: http://tcpreplay.synfin.net/trac/wiki/Support >> > >> > >> > >> > >> > -- >> > A friend in need Is a friend indeed >> > >> > >> > ------------------------------------------------------------------------------ >> > >> > _______________________________________________ >> > Tcpreplay-users mailing list >> > Tcpreplay-users@lists.sourceforge.net >> > https://lists.sourceforge.net/lists/listinfo/tcpreplay-users >> > Support Information: http://tcpreplay.synfin.net/trac/wiki/Support >> >> >> ------------------------------------------------------------------------------ >> _______________________________________________ >> Tcpreplay-users mailing list >> Tcpreplay-users@lists.sourceforge.net >> https://lists.sourceforge.net/lists/listinfo/tcpreplay-users >> Support Information: http://tcpreplay.synfin.net/trac/wiki/Support > > > > > -- > A friend in need Is a friend indeed > > ------------------------------------------------------------------------------ > > _______________________________________________ > Tcpreplay-users mailing list > Tcpreplay-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/tcpreplay-users > Support Information: http://tcpreplay.synfin.net/trac/wiki/Support ------------------------------------------------------------------------------ _______________________________________________ Tcpreplay-users mailing list Tcpreplay-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/tcpreplay-users Support Information: http://tcpreplay.synfin.net/trac/wiki/Support
