Re: [SLUG] Network Traffic Capture / replay

From: Robert Foxworth (rfoxwor1@tampabay.rr.com)
Date: Tue May 24 2005 - 00:07:33 EDT


> Hello,
>
> I have a question about capturing / replaying network traffic.
>
> Is there an Open Source utility that will allow you to capture network
> traffic (complete with source and destination IP as well as type of
> traffic and port) and then play it back (not just log it) later for
> review?
>
> Is this something Snort or Ethereal will allow you to do?
>
> Dave

Hi Dave,

It's not completely clear if by "play it back" you are
referring to the ability to decode the captured file
to allow later analysis of the contents, or if you
mean to actually re-create the traffic stream and
reinject it back onto the network.

To add to what Steve wrote, you can use tcpdump
with the -w option to write the capture to a binary file
(instead of reading to stdout) and then later, use
tcpdump with the -r [read] option to read from the
file and then show the data on stdout i.e. the screen.
Or use ethereal to read the file, for a more user-friendly
decode. Be sure to use a valid -s (snaplen) of 1518
and not the default.

If you actually want to send traffic back onto the network,
look at tcpreplay. While some of the commercially
available capture programs allow transmitting an
arbitrary frame (and the better ones allow specifying
an arbitrary ethertype, instead of being fixed at 0x0800
which is the ethertype for the IP protocol) only a few
let you actually re-send a captured file. One of these is,
surprisingly, an old, inexpensive DOS-based program
called PacketView which worked with 16-bit ISA NICs
and with packet drivers. I am able to re-play capture
files I created in 1994-95, full of DecNET, Apollo Domain,
LanTastic, old Novell, stuff that has disappeared from
modern networks, and decode them with the
contemporary dissectors in Ethereal (the old DOS
programs would read back the hex but not interpret it).
I could select a single frame or range of frames and re-transmit
it, n times, at n speed. (10 MB only).

It's sort of spooky to see all the telnet that was floating around then,
and the near-absence of http traffic on these old captures.
Fortunately I saved quite a few floppies of this stuff,
and a working instance of the software and an SMC 8416 NIC.
Ethereal won't read the files off of disc but I can retransmit
them into a running capture with full source MAC
replacement (this is important).

Hypothetically speaking, you can seriously confuse things
on the net that surreptitiously collect information
about your system, once you capture an instance of
it. For example, a very well-known laptop manufacturer
doing usage stats (? maybe) via UDP on ports 370 and 371
every three hours, when polled, which appears to be
OS-independent (factory install retaining the "hidden"
partition). You can also confuse things like bridges
using spanning-tree if you re-transmit an old topology
change frame that is no longer relevant. Sort of
like a slow-speed-DoS. This is probably why these
programs don't often provide this ability, as a defence
against nitwits who would arbitrarily feed stuff back onto
the net over and over without knowing the consequences.

It is often useful to not lose your backward compatibility.
Never know when it can prove useful. IOW, DOS Lives!

Enough rambling it is getting late. Hope this is helpful.

- Bob Foxworth sent at 2005-05-24 0007
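The tcpdump -w / -r round trip, the snaplen point, and the source-MAC replacement Bob mentions, as an added example that is not part of the original post or of any of the tools named in it: it writes and reads back the classic libpcap file format that tcpdump -w produces, shows what a short snaplen loses compared with -s 1518, and rewrites the source MAC of each frame the way a replay tool does before reinjecting. Every MAC, IP address, port, payload and timestamp below is constructed for the example; 68 bytes stands in as the small snaplen because that was tcpdump's default in releases of that era, and the UDP checksum is left at zero for brevity.

```python
# Added example (not from the original post): write a libpcap file the way
# "tcpdump -w" does, read it back the way "tcpdump -r" does, and rewrite the
# source MAC before replay. All addresses, ports and payloads are constructed.
import struct

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
FULL_SNAPLEN = 1518       # covers a maximum-size Ethernet frame, as the post recommends
SMALL_SNAPLEN = 68        # tcpdump's old default; enough for headers, not payload


def write_pcap(frames, snaplen):
    """Serialize Ethernet frames into a classic pcap file, truncating each to snaplen."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
    for i, frame in enumerate(frames):
        captured = frame[:snaplen]
        # per-record header: ts_sec, ts_usec, bytes captured, bytes on the wire
        out += struct.pack("<IIII", 1_116_907_653 + i, 0, len(captured), len(frame))  # constructed timestamp
        out += captured
    return bytes(out)


def read_pcap(data):
    """Parse a classic (little-endian) pcap file; returns (snaplen, records)."""
    magic, _vmaj, _vmin, _tz, _sig, snaplen, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("not a little-endian Ethernet pcap file")
    off, records = 24, []
    while off < len(data):
        ts_sec, ts_usec, caplen, origlen = struct.unpack_from("<IIII", data, off)
        off += 16
        frame = data[off:off + caplen]
        if len(frame) != caplen:
            raise ValueError("record runs past end of file")
        off += caplen
        records.append({"ts": ts_sec + ts_usec / 1e6, "caplen": caplen,
                        "len": origlen, "frame": frame})
    return snaplen, records


def ipv4_checksum(header):
    """RFC 791 header checksum; returns 0 when run over a header that already carries a valid one."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_udp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Ethernet II / IPv4 / UDP frame with a valid IP checksum (UDP checksum left 0)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, src_ip, dst_ip)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return dst_mac + src_mac + struct.pack("!H", 0x0800) + ip + udp


def decode_frame(rec):
    """Decode only what the capture actually holds, flagging what a short snaplen cut off."""
    f = rec["frame"]
    info = {"truncated": rec["caplen"] < rec["len"]}
    if len(f) < 14:
        return info
    info["dst_mac"], info["src_mac"] = f[0:6].hex(":"), f[6:12].hex(":")
    info["ethertype"] = struct.unpack("!H", f[12:14])[0]
    if info["ethertype"] != 0x0800 or len(f) < 34:
        return info
    ihl = (f[14] & 0x0F) * 4
    info["proto"] = f[23]
    info["src_ip"] = ".".join(map(str, f[26:30]))
    info["dst_ip"] = ".".join(map(str, f[30:34]))
    l4 = 14 + ihl
    if info["proto"] == 17 and len(f) >= l4 + 8:
        info["sport"], info["dport"] = struct.unpack("!HH", f[l4:l4 + 4])
        info["payload"] = f[l4 + 8:]
    return info


def rewrite_src_mac(records, new_src_mac):
    """What a replay tool does before reinjecting: substitute the sending NIC's MAC."""
    return [r["frame"][:6] + new_src_mac + r["frame"][12:] for r in records if len(r["frame"]) >= 14]


# Constructed sample: one maximum-size UDP frame (1514 bytes without FCS).
SRC_MAC, DST_MAC = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
REPLAY_MAC = bytes.fromhex("0200deadbeef")   # locally administered, constructed
FRAME = build_udp_frame(SRC_MAC, DST_MAC, bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1]),
                        370, 371, b"\x00" * 1472)


def demo(snaplen):
    """Round-trip FRAME through a pcap file at the given snaplen."""
    snap, recs = read_pcap(write_pcap([FRAME], snaplen))
    info = decode_frame(recs[0])
    return snap, recs[0]["caplen"], recs[0]["len"], info["truncated"], len(info.get("payload", b""))


if __name__ == "__main__":
    for s in (SMALL_SNAPLEN, FULL_SNAPLEN):
        print("snaplen %4d -> caplen, wire len, truncated, payload bytes:" % s, demo(s)[1:])
    replayed = rewrite_src_mac(read_pcap(write_pcap([FRAME], FULL_SNAPLEN))[1], REPLAY_MAC)
    print("replay frame source MAC:", replayed[0][6:12].hex(":"))
```

With the 68-byte snaplen the record still decodes to addresses and ports (headers fit in 42 bytes), but only 26 bytes of payload survive and the record's wire length disagrees with its captured length, which is exactly what a later content review would stumble over; at 1518 the whole frame is there. The MAC rewrite is the minimum a replay needs so the switch learns the replaying host's port rather than a long-gone 1994 station.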

-----------------------------------------------------------------------
This list is provided as an unmoderated internet service by Networked
Knowledge Systems (NKS). Views and opinions expressed in messages
posted are those of the author and do not necessarily reflect the
official policy or position of NKS or any of its employees.
This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 19:06:30 EDT