Monday, 7 December 2009

Juletip 7: We send send send packets packets packets


Sorry, it's Monday and everything has been acting up, so there will be no Juletip 7 today. If I feel inspired, the post may be updated later in the month with a tip :-(

Update, Wednesday 9 Dec: here, then, is Juletip 7, slightly delayed:

We have now looked at a few examples of packets you can build with PCS, but it is often a lot of hassle when you "just need some traffic". So today I will present a nice program that takes some existing traffic as input, in PCAP files of course, and puts it back out on the network.

The program ships with BackTrack, is called tcpreplay, and has quite a few options:

hlk@bt4-pre:~$ tcpreplay
ERROR:  The intf1 option is required
tcpreplay: Command line arguments required
tcpreplay (tcpreplay) - Replay network traffic stored in pcap files
USAGE:  tcpreplay [ -<flag> [<val>] | --<name>[{=| }<val>] ]... <pcap_file(s)>

   -q, --quiet                Quiet mode
   -T, --timer=str            Select packet timing mode: select, ioport, rdtsc, gtod, nano, abstime
       --sleep-accel=num      Reduce the amount of time to sleep by specified usec
       --rdtsc-clicks=num     Specify the RDTSC clicks/usec
   -v, --verbose              Print decoded packets via tcpdump to STDOUT
   -A, --decode=str           Arguments passed to tcpdump decoder
   -K, --enable-file-cache    Enable caching of packets to internal memory
   -c, --cachefile=str        Split traffic via a tcpprep cache file
   -i, --intf1=str            Server/primary traffic output interface
   -I, --intf2=str            Client/secondary traffic output interface
   -l, --loop=num             Loop through the capture file X times
       --pktlen               Override the snaplen and use the actual packet len
   -L, --limit=num            Limit the number of packets to send
   -x, --multiplier=str       Modify replay speed to a given multiple
   -p, --pps=num              Replay packets at a given packets/sec
   -M, --mbps=str             Replay packets at a given Mbps
   -t, --topspeed             Replay packets as fast as possible
   -o, --oneatatime           Replay one packet at a time for each user input
   -P, --pid                  Print the PID of tcpreplay at startup
   -V, --version              Print version information
   -h, --less-help            Display less usage information and exit
   -H, --help                 Display usage information and exit
   -!, --more-help            Extended usage information passed thru pager
       --save-opts[=arg]      Save the option state to a config file
       --load-opts=str        Load options from a config file

Options are specified by doubled hyphens and their name
or by a single hyphen and the flag character.

tcpreplay is a tool for replaying network traffic from files saved with
tcpdump or other tools which write pcap(3) files.

But fear not! First you create a capture file, for example with Wireshark or tcpdump - and REMEMBER the -s option so you get the whole packet, not just the default snaplen:

hlk@bt4-pre:~$ sudo tcpdump -w ping-pong.cap -s 1500 icmp and src 10.0.42.91 &
[1] 23396
hlk@bt4-pre:~$ tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 1500 bytes
ping -c 10 10.0.42.1
PING 10.0.42.1 (10.0.42.1) 56(84) bytes of data.
64 bytes from 10.0.42.1: icmp_seq=1 ttl=255 time=4.99 ms
64 bytes from 10.0.42.1: icmp_seq=2 ttl=255 time=3.35 ms
64 bytes from 10.0.42.1: icmp_seq=3 ttl=255 time=3.65 ms
64 bytes from 10.0.42.1: icmp_seq=4 ttl=255 time=3.24 ms
64 bytes from 10.0.42.1: icmp_seq=5 ttl=255 time=3.39 ms
64 bytes from 10.0.42.1: icmp_seq=6 ttl=255 time=3.20 ms
64 bytes from 10.0.42.1: icmp_seq=7 ttl=255 time=3.16 ms
64 bytes from 10.0.42.1: icmp_seq=8 ttl=255 time=3.22 ms
64 bytes from 10.0.42.1: icmp_seq=9 ttl=255 time=3.15 ms
64 bytes from 10.0.42.1: icmp_seq=10 ttl=255 time=3.36 ms

--- 10.0.42.1 ping statistics ---
10 packets transmitted, 10 received, 0% packet loss, time 9015ms
rtt min/avg/max/mdev = 3.151/3.474/4.991/0.525 ms
hlk@bt4-pre:~$ fg
sudo tcpdump -w ping-pong.cap -s 1500 icmp and src 10.0.42.91
^C10 packets captured
10 packets received by filter
0 packets dropped by kernel

We now have a file with 10 ICMP ECHO requests; the filter only kept ICMP from my source address:

[Screenshot: wireshark-ping-pong.png, the capture opened in Wireshark]

This file can then be replayed whenever needed with tcpreplay:

hlk@bt4-pre:~$ sudo tcpreplay -i eth0 ping-pong.cap 
sending out eth0 
processing file: ping-pong.cap
Actual: 10 packets (960 bytes) sent in 9.18 seconds
Rated: 106.4 bps, 0.00 Mbps/sec, 1.11 pps

Statistics for network device: eth0
	Attempted packets:         10
	Successful packets:        10
	Failed packets:            0
	Retried packets (ENOBUFS): 0
	Retried packets (EAGAIN):  0

Great, it seems to work :-) (and I checked with tcpdump on 10.0.42.1 that the packets arrived :-) )

The next thing you can do is play with the speed: set it to maximum with the -t option, or multiply the original timing with the -x option. You can also loop the file, so 1000 packets at maximum speed becomes:

hlk@bt4-pre:~$ sudo tcpreplay -i eth0 -t -l 100 ping-pong.cap 
sending out eth0 
processing file: ping-pong.cap
...
processing file: ping-pong.cap
processing file: ping-pong.cap
processing file: ping-pong.cap
processing file: ping-pong.cap
Actual: 1000 packets (98000 bytes) sent in 0.47 seconds
Rated: 2075479.7 bps, 15.83 Mbps/sec, 21178.36 pps

Statistics for network device: eth0
	Attempted packets:         1000
	Successful packets:        1000
	Failed packets:            0
	Retried packets (ENOBUFS): 0
	Retried packets (EAGAIN):  0
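Before replaying a capture it is worth checking two things that the steps above depend on: that no packet was cut short because -s was too small (tcpreplay would happily put the truncated frames on the wire), and roughly how long a run with -x and -l will take. The following Python script is an added example, not code from the post or from tcpreplay; it parses the classic pcap format itself and works on a constructed stand-in for ping-pong.cap (ten 98-byte ICMP echo requests about a second apart, MAC addresses made up), so it runs offline. Function names such as `truncated_packets` and `replay_estimate` are my own.

```python
"""Pre-flight checks on a pcap before handing it to tcpreplay (added example).

Parses the classic pcap format, reports packets captured shorter than their
wire length (snaplen too small), and estimates replay time for a given
speed multiplier (-x) and loop count (-l). The sample capture is constructed
inline as a stand-in for the post's ping-pong.cap.
"""
import struct

PCAP_MAGIC = 0xA1B2C3D4          # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1


def inet_checksum(data: bytes) -> int:
    """One's-complement checksum used by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def icmp_echo_frame(seq: int) -> bytes:
    """One Ethernet/IPv4/ICMP echo-request frame, 98 bytes on the wire.
    IP addresses are the ones from the post; the MACs are made up."""
    payload = bytes(range(56))                      # 56 data bytes, as ping sends
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), seq, 0x4000,
                     64, 1, 0, bytes([10, 0, 42, 91]), bytes([10, 0, 42, 1]))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    eth = bytes.fromhex("0011223344550066778899aa") + b"\x08\x00"
    return eth + ip + icmp


def build_pcap(frames, snaplen: int) -> bytes:
    """Write a little-endian classic pcap. `frames` is a list of (timestamp, bytes);
    frames longer than `snaplen` are cut, as a capture with too small an -s would be."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
    for ts, frame in frames:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        captured = frame[:snaplen]
        out += struct.pack("<IIII", sec, usec, len(captured), len(frame)) + captured
    return bytes(out)


def sample_capture(snaplen: int) -> bytes:
    """Constructed stand-in for ping-pong.cap: 10 echo requests 1.02 s apart."""
    return build_pcap([(1.02 * i, icmp_echo_frame(i + 1)) for i in range(10)], snaplen)


def parse_pcap(data: bytes):
    """Parse a classic pcap in either byte order. Returns (snaplen, linktype, records),
    each record being (timestamp_seconds, captured_len, wire_len, bytes)."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    _, _, _, _, snaplen, linktype = struct.unpack_from(end + "HHiIII", data, 4)
    records, offset = [], 24
    while offset < len(data):
        if offset + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % offset)
        sec, usec, incl_len, orig_len = struct.unpack_from(end + "IIII", data, offset)
        offset += 16
        payload = data[offset:offset + incl_len]
        if len(payload) != incl_len:
            raise ValueError("truncated packet data at offset %d" % offset)
        offset += incl_len
        records.append((sec + usec / 1_000_000, incl_len, orig_len, payload))
    return snaplen, linktype, records


def truncated_packets(records):
    """Indices of packets captured shorter than their wire length; tcpreplay would
    send these cut-down frames as-is (compare its --pktlen option)."""
    return [i for i, (_, incl, orig, _) in enumerate(records) if incl < orig]


def replay_estimate(records, multiplier: float = 1.0, loops: int = 1):
    """Rough (wall_seconds, pps) for replaying with the capture's own timing sped up
    by `multiplier` (-x) and repeated `loops` times (-l); ignores per-loop overhead."""
    if not records:
        return 0.0, 0.0
    span = records[-1][0] - records[0][0]
    total = span / multiplier * loops
    count = len(records) * loops
    return total, (count / total if total > 0 else float("inf"))


if __name__ == "__main__":
    for snap in (1500, 96):
        snaplen, _, recs = parse_pcap(sample_capture(snap))
        secs, pps = replay_estimate(recs, multiplier=1.0, loops=100)
        print("snaplen %4d: %d packets, %d truncated, -l 100 takes ~%.0f s at %.2f pps"
              % (snaplen, len(recs), len(truncated_packets(recs)), secs, pps))
```

Run it on a real file by replacing `sample_capture(...)` with the bytes of your capture; any index listed by `truncated_packets` means the capture should be redone with a larger -s before it is replayed.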

Today's conclusion is that you do not always have to build the packets yourself; you can choose to replay a captured data stream instead.

Posted by hlk at CET 15:12 07/12/2009 in Toolbox entries
