Re: [Snort-users] [RGSPAM] Re: Semi-OT: Re-inject tcpdump captured (Snort forums, System Security and Security Related category)
I just tried this and it worked.

1) log some ping packets:

    daemonlogger -i en0 -c 20 icmp

2) replay the packets:

    daemonlogger -R daemonlogger.pcap.1196963946 -o en0

3) run tcpdump to capture and compare the output:

    tcpdump -nvi en0 icmp

What kind of interface is vr0 (what link type)?

On Dec 6, 2007, at 12:22 PM, Jordi Espasa Clofent wrote:

>> You might want to check out DaemonLogger, it's got a replay mode as well
>> as a real-time tap mode as well as being a packet logger itself.
>> Basically, DaemonLogger can capture traffic off of one interface direct
>> to the disk (logger mode), retransmit it out another interface in
>> real-time (tap mode) or replay a pcap file (replay mode).
>>
>> You can get it at
>> http://www.snort.org/users/roesch/Site/Daemonlogger/Daemonlogger.html.
>
> Very great tool Martin!
> I cannot understand exactly the way to do what I want. I've tried it in
> my own personal computer at home (with only 1 NIC, vr0).
>
> 1) Sniffing the traffic in very big chunks of time/data (1GB)
>
> $ daemonlogger -i vr0 -c 1000000000
>
> 2) Replay the traffic on the same NIC
>
> $ daemonlogger -R daemonlogger.pcap.1196961141 -o vr0
>
> To check the re-injection process I unplug the ethernet wire and launch a
> tcpdump instance at the same time I launch step number 2; I think the
> tcpdump should show traffic, so it's completely localhost traffic.
>
> $ tcpdump -i vr0 -v
>
> ...but no traffic is shown.
>
> ¿Does it mean that the re-injection process is incorrect?
> ¿How to do it?
>
> --
> Thanks
> Jordi Espasa Clofent

--
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source IDP - http://www.snort.org
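Step 3 of Martin's procedure (capture the replayed packets and compare them with the original) is easy to eyeball for 20 pings but not for a 1 GB capture. The script below is an added example for this thread, not code from the list posts or from Daemonlogger itself: it reads two classic libpcap files (the daemonlogger output and a `tcpdump -w` capture of the replay), matches packets on their raw bytes while ignoring timestamps (a replay never reproduces the original timing), and reports how many original packets reappeared, how many are missing, how many unrelated frames the replay capture picked up, and whether the two files share a link type (a capture is only meaningful to replay on an interface of the same link type, which is why the question about vr0 matters). The ICMP echo frames it builds for the demo are constructed sample data, and the file names are placeholders.

```python
"""Compare a daemonlogger capture against a tcpdump capture of its replay.

Added example (not part of the original thread). Assumes both files are
classic libpcap format; pcapng is not handled. Sample packets are constructed.
"""
import os
import struct
import tempfile
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4   # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1     # DLT_EN10MB, what an Ethernet NIC capture carries


def write_pcap(path, packets, linktype=LINKTYPE_ETHERNET):
    """Write a classic (v2.4) pcap file; each packet gets a dummy timestamp."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype))
        for i, pkt in enumerate(packets):
            # ts_sec, ts_usec, incl_len, orig_len
            f.write(struct.pack("<IIII", i, 0, len(pkt), len(pkt)))
            f.write(pkt)


def read_pcap(path):
    """Return (linktype, [packet bytes, ...]) from a classic pcap file."""
    with open(path, "rb") as f:
        hdr = f.read(24)
        magic = struct.unpack("<I", hdr[:4])[0]
        if magic == PCAP_MAGIC:
            endian = "<"
        elif magic == 0xD4C3B2A1:       # same magic written big-endian
            endian = ">"
        else:
            raise ValueError("not a classic pcap file (pcapng is not handled here)")
        linktype = struct.unpack(endian + "I", hdr[20:24])[0]
        packets = []
        while True:
            rec = f.read(16)
            if len(rec) < 16:
                break
            _, _, incl_len, _ = struct.unpack(endian + "IIII", rec)
            packets.append(f.read(incl_len))
        return linktype, packets


def _checksum(data):
    """RFC 1071 ones-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(seq, payload=b"daemonlogger-replay-check"):
    """Construct an Ethernet/IPv4/ICMP echo request (sample data, not a real capture)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", _checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), seq, 0, 64, 1, 0,
                     bytes([192, 168, 1, 10]), bytes([192, 168, 1, 1]))
    ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + icmp


def compare_captures(original_path, replay_path):
    """Multiset comparison of packet contents; timestamps and order are ignored."""
    orig_lt, original = read_pcap(original_path)
    replay_lt, replayed = read_pcap(replay_path)
    matched = sum((Counter(original) & Counter(replayed)).values())
    return {
        "same_linktype": orig_lt == replay_lt,
        "original": len(original),
        "replayed": len(replayed),
        "matched": matched,
        "missing": len(original) - matched,   # never seen on the wire again
        "extra": len(replayed) - matched,     # traffic that is not from the replay
    }


def demo(tmpdir=None):
    """Simulate a 20-packet capture whose replay lost two frames and caught one stray."""
    tmpdir = tmpdir or tempfile.mkdtemp()
    original = [build_icmp_echo(i) for i in range(20)]
    stray_arp = b"\xff" * 6 + b"\x00" * 6 + b"\x08\x06" + b"\x00" * 28  # constructed
    replayed = original[:18] + [stray_arp]
    orig_path = os.path.join(tmpdir, "daemonlogger.pcap.sample")
    replay_path = os.path.join(tmpdir, "replay.pcap")
    write_pcap(orig_path, original)
    write_pcap(replay_path, replayed)
    return compare_captures(orig_path, replay_path)


if __name__ == "__main__":
    print(demo())
```

In practice you would capture the replay with a filter that matches the traffic you logged (for the ping test, something like `tcpdump -ni vr0 -w replay.pcap icmp` started before step 2) and then call `compare_captures("daemonlogger.pcap.1196961141", "replay.pcap")`; a high `missing` count with `same_linktype` false points at the link-type question Martin raised, while a high `extra` count means the capture filter was too loose.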