Subject: Re: IDS: packet capture and replay
From: Robert Graham (robert_david_graham@yahoo.com)
Date: Fri Mar 24 2000 - 16:06:13 CST


Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
-----------------------------------------------------------------------------
--- "Mila, Brian D" <brian.d.mila@lmco.com> wrote:
> Does anyone know of a packet capture utility that can capture packets
> and then replay them onto the network at a later time? I'm not sure if
> this is even possible, I think the sequence numbers would need to change
> along with timestamps perhaps. But I'd like to be able to capture a stream
> of packets and then replay them later to determine if they are the cause
> of a problem to a particular machine. Any ideas appreciated.

You are indeed correct. 90% of the protocols for which you'd like to replay
against a machine have embedded sequence numbers that will prevent you from
doing what you want.

Therefore, anything based upon TCP will not work with such a replay. Protocols
in this class are HTTP, FTP, SMB (Windows file sharing), etc.

Some protocols use "client-chosen sequence numbers". This means that you can
replay them as many times as you would like and get the same result. This
includes SNMP, ICMP pings, TFTP, and so on.

A large number of RPC protocols can be replayed. NFS is a peculiar case, because
file handles are often persistent across connections. YMMV.

If all you want to do is flood a machine with captured pings, then replaying
will work.

There are lots of utilities that will capture/replay. TCPDUMP will capture,
which you can then replay with Anzen's 'tcpreplay' utility. Also, most protocol
analyzers can capture, then replay.

Robert Graham

PS: replay does work well for testing IDS
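The point about embedded sequence numbers, as an added example that is not part of the original thread: a toy server-side TCP state machine is fed the same recorded client segments twice. On the second run the server picks a different initial sequence number (both ISNs are constructed), so the replayed ACK and data segments no longer match and are dropped, while a request that carries a client-chosen id (SNMP/ping style) answers the same way every time.

```python
# Added example, not code from the original post. Toy TCP receiver used to
# show why a recorded TCP session fails on replay; ISN values are constructed.
SYN, ACK = 0x02, 0x10


class ToyListener:
    """One-connection TCP receiver; the ISN is chosen per connection."""

    def __init__(self, isn):
        self.isn = isn            # server's initial sequence number
        self.client_next = None   # next client byte we expect
        self.data = b""
        self.dropped = 0

    def receive(self, seg):
        flags, seq, ack, payload = seg
        if flags == SYN:
            self.client_next = seq + 1
            return ("SYN-ACK", self.isn, self.client_next)
        # After the SYN a segment must ack our ISN+1 and arrive in order; a
        # replayed segment still acks the ISN of the *recorded* connection.
        if ack != self.isn + 1 or seq != self.client_next:
            self.dropped += 1
            return None
        self.data += payload
        self.client_next += len(payload)
        return ("ACK", self.isn + 1, self.client_next)


def capture_session(server_isn, client_isn=1000, payload=b"GET / HTTP/1.0\r\n\r\n"):
    """Client-side segments of one session as a sniffer would record them."""
    return [
        (SYN, client_isn, 0, b""),
        (ACK, client_isn + 1, server_isn + 1, b""),
        (ACK, client_isn + 1, server_isn + 1, payload),
    ]


def replay(segments, listener):
    for seg in segments:
        listener.receive(seg)
    return listener


def stateless_reply(datagram):
    """SNMP/ICMP-echo style: the request id is client-chosen, so a replayed
    datagram gets exactly the reply that was recorded."""
    req_id, payload = datagram
    return (req_id, payload.upper())


def demo(original_isn=0x1A2B3C4D, replay_isn=0x5E6F7081):
    capture = capture_session(original_isn)
    live = replay(capture, ToyListener(original_isn))     # the recorded run
    later = replay(capture, ToyListener(replay_isn))      # replayed later
    return live.data, later.data, later.dropped
```

Running `demo()` delivers the request on the recorded run and drops both post-SYN segments on the replay, which is the failure mode a TCP-based replay hits against any real host.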
