Network Packet sending tool in linux and network packet sending tool in linux

Network Packet sending tool in linux and network packet sending tool in linux
Chapter 2. Description

This document applies only to Tcpreplay3.x.

Chapter 2. Tcpreplay tools 2nd. Overview

First, we recommend a Website: movie. This article is based on the reference of this website and obtained through some experiments.

Tcpreplay is a general term for a series of tools, including tcpreplay, tcprewrite, and tcpprep. This is also the reason why the first letter of Tcpreplay is capitalized. It is used to replay network packets on Unix or Unix-like systems. These packages are captured by software such as tcpdump, ethereal, and wireshark, namely, pcap data packets.

Because Tcpreplay has the packet replay function, it is often used to simulate test environments such as IDS attacks and is widely used to test the security of firewalls and IDS tools.

2.2. Features

When installing the Tcpreplay package, these tools are installed by default, as shown in table 1. Table 1 also provides the functions of each tool.

Tools	Function
Tcpreplay	Resend the data packet in the pcap file.
Tcprewrite	Rewrite the header information of pcap data packets at Layer 2-4, that is, MAC address, IP address, and PORT.
Tcpprep	Differentiate the direction of pcap data packets, namely, the client and server.

Table 1 Functions of Tcpreplay tools

2.3. Combination of tools

From table 1, we can see that tcpreplay is responsible for sending data packets, tcprewrite is used to rewrite data packets, and tcpprep is used to differentiate between the client and the server.

1)Because the content in the data packet is bidirectional (client-> server, server-> client), tcprewrite rewrite the data, tcpreplay should differentiate the direction when sending the data packet (that is, distinguish between the client and the server ), therefore, these two tools generally work on the basis of tcpprep.

2)Tcpreplay can send any pcap data packet. if it wants to change the content to be sent, it must use tcprewrite to rewrite the data packet and then send the modified data packet.

2.4. Additional instructions

Tcpreplay in Tcpreplay2.x will distinguish between the client and the server, rewrite data packets, send data packets, and other functions are integrated. Tcpreplay3.x makes the above improvements for simplicity of design and ease of use.

Chapter 4. installation and configuration of Tcpreplay 3rd. Preparation

Tcpreplay uses other libraries to implement its functions.

1)Libpcap library. Libpcap library is recommended and almost required. Tcpreplay uses it to send data packets. Download and install libpcap0.7.2 or later.

2)Tcpdump. It is strongly recommended but not a required tool. Tcpreplay uses it to decode data packets, and we can also use its packet capture function to work with Tcpreplay. Of course, software such as ethereal can also implement such functions, but tcpdump is undoubtedly the most cost-effective.

3)Libnet library. A library is not recommended. Tcpreplay can also be used to send data packets. However, because libnet has many bugs and is no longer maintained, Tcpreplay may be removed in future versions.

For more information, see http://tcpreplay.synfin.net /.

3.2. Installation Steps

First, download the installation package. The source code installation package of Tcpreplay can be downloaded at http://tcpreplay.synfin.net.

Decompress the installation package. The false installation package name is tcpreplay-3.0.tar.gz, the directory is/urs/local/src, the operating system is redhat9, unzip the installation package can directly enter "tar-xzvf tcpreplay-3.3.0.tar.gz ".

Enter the decompressed folder. Enter the command cd tcpreplay-3.3.0 ".

Follow the general software installation steps as follows.

$./Configure

$ Make

$ Make install

The above is the most simplified installation. If you have other installation and configuration requirements, see INSTALL and README documents in the installation package.

Chapter 4. Use of Tcpreplay

This section describes how to use an instance. First, describe the running environment and test ideas of this instance. This instance uses a tcpreplay-3.3.0 that runs on a remote linux server to send http. content in pcap, and I use tcpdump on the server to capture the packets sent by tcpreplay; in local windows, I use wireshark (enhanced version of ethereal) to observe the various data packets downloaded from the server (that is, the packets captured by tcpdump and the modified tcprewrite packages downloaded through ftp or ssh ).

4.1. instruction style

The command styles of the Tcpreplay series tools are consistent, and they are concise. You can enter a command similar to "man tcpreplay" or "tcpreplay-h" to check the help information. The following uses tcpreplay as an example.

The options of the command are short and complete. For example, the short option for version query is "-V", and the complete form is "-- version ".

Some options have parameters, and the two options have different input parameters. Take the cached file option as an example. For short options, the form is "-c pathname"; for complete options, the form is "-- cachefile = pathname ". Pathname is the path of the cached file.

4.2. differentiate between clients and servers

Enter the following command.

$ Tcpprep -- port-cachefile = cache_test.cache -- pcap = http. pcap

For detailed use of tcpprep, see the relevant manual (such as man Manual ).

-- Port indicates that tcpprep uses the port-split mode to distinguish between the client and server. In this mode, all <1024 ports are considered as client-> server packages; otherwise, they are considered as server-> client packages. Tcppgrep has multiple modes, such as auto, cidr, regex, port, and mac. For details about various modes, see the relevant manual (such as man Manual ).

-- Pcap = http. pcap indicates that tcpprep processes the file http. pcap.

-- Cachefile = cache_test_cache indicates that the information processed by tcpgrep is stored in the cache_test_cahe file. This file will be used in tcprewrite and tcpreplay.

The entire command means to use the port-splitted mode to process the http. pcap file (differentiate the client and server in http. pcap), and then save the processing result to the cache_test_cache file.

4.3. Rewrite the data packet content

Enter the following command.

$ Tcprewrite -- endpoints = 192.168.0.1: 192.168.0.2 -- cachefile = cache_test.cache \

-- Infile = http. pcap -- outfile = http_rewrite.pcap

For detailed use of tcprewrite, see the relevant manual (such as the man Manual ).

-- Endpoints = 192.168.0.1: 192.168.0.2 means to change the Client ip address to 192.168.0.1 and the server ip address to 192.168.88.0.2. Note that Tcpreplay of 3.x automatically modifies the IP address checksum. You can use wireshark to view http_rewrite.pcap and get the Modification result.

-- Cachefile = cache_test_cache indicates that tcprewrite uses the processing result -- cache_test.cache in the previous step of tcpprep to differentiate the direction.

-- Infile = http. pcap indicates that the pcap file to be processed is http. pcap.

-- Outfile = http_rewrite_pcap indicates that the processing result is stored in the http_rewrite_pcap file. This file will be the source of the data packet sent by tcpreplay.

4.4. Send data packets

Enter the following command.

$ Tcpreplay-intf1 = eth0-intf2 = eth0-t-cachefile = cache_test.cache http_rewrite_pcap

For detailed use of tcpreplay, see the relevant manual (such as the man Manual ).

-- Intf1 = eth0 indicates that the main interface is eth0. The client-> server data packet is sent through this interface. The distinction between the server and the client is obtained from the processing result cache_test.cache of tcpprep.

-- Intf2 = eth0 indicates that the slave interface is eth0, and the server-> client data packets are sent through this interface.

-- Cachefile = cache_test_cache indicates that tcpreplay uses the processing result -- cache_test.cache in the previous step of tcpprep to differentiate the direction.

Http_rewrite.pcap indicates that tcpreplay sends data packets from the file http_rewrite.pcap.

4.5. Use tcpdump properly

We can reasonably use tcpdump to work with tcpreplay. Here are two examples.

4.5.1. packet capture

Use tcpdump to capture the tcp packets sent by tcpreplay on port eth0 and require the destination address of these packets to be 192.168.0.2. You can enter the following command.

Tcpdump-I eth0-w tcpdump. pcap-s 0' (tcp and (dst host 192.168.0.2 ))'

-W tcpdump. pcap stores captured packets to tcpdump. in the pcap file,-s 0 refers to capturing each packet as much as possible (as far as possible without truncation), and the content in the last single quotation marks is a filtering rule.

4.5.2. Select a package

Another example is to extract the tcp packet (http packet) whose port number is 80 from the test. pcap file and send it to tcpreplay.

$Tcpdump-r test. pcap-w http_only.pcap-s 0 tcp port 80

-R test. pcap refers to reading packets from test. pcap. This command reads packets from test. pcap, filters out the packets that meet the requirements according to the "tcp port 80" filter rule, and saves these packets to the http_only.pcap file.

Then we can use tcpreplay to send the http packet in http_only.pcap.

4.6. TCPReplay the main function of TCPReplay is to resend the PCAP package for performance or functional testing. However, in the test environment, the structure of the original subcontracting system is generally different. For example, the two-layer MAC address of the tested machine is different from the MAC address of the packet capture machine. Therefore, when the two-layer MAC address is not the target MAC address, the tested machine discards packet. Only when the protocol stack matches the target MAC with the MAC of the local machine can packet be handed over to the upper layer for processing. To implement the test, TCPReplay and TCPRewrite are required. You can use MAN to query the detailed usage of the two tools and TCPReplay. Here, we use a tested instance to introduce their usage. Shows the test topology.
The configuration of the TCPReplay machine is as follows:
OS: Ubuntu9.04
Kernel version: 2.6.28
TCPReplay version: 3.3.2 (commands of different versions may be slightly different. For more information, see MAN)
NIC: Intel e1000e dual Gigabit
PCAP file: test. tcpdump

Test Step 1: pre-process and generate Cache. The command is
Tcpprep-a client-I test. tcpdump-o test. cache

This command divides the PCAP file into the client and server. The default value is the client. Packet will be sent from the client and server respectively.

Step 2: rewrite the IP address and MAC address. The command is as follows:
Tcprewrite-e 192.85.1.2: 192.85.2.2 -- enet-dmac = 00: 15: 17: 2b: ca: 14,00: 15: 17: 2b: ca: 15 -- enet-smac = 00: 10: f3: 19: 79: 86,00: 10: f3: 19: 79: 87-c test. cache-I test. tcpdump-o 1. pcap

This command sets eth0 as the server interface, eth1 as the client interface, and overwrites the IP address and MAC. You can use tools such as wireshark to open 1. pcap and check whether the modification is successful.

Step 3: replay packet. First, you can put the file in the/dev/shm directory to get a higher sending speed. The maximum speed is about doubled. The replay command is:
Tcpreplay-I eth0-I eth1-l 1000-t-c/dev/shm/test. cache/dev/shm/1. pcap

This command sends the file 1000 times cyclically at the maximum rate.


The above steps pass the test to ensure that they can pass.