Just released: tcpreplay 3.0 Beta 1

From: ADT (synfinatic_at_gmail.com)
Date: 02/28/05

    Date: Sun, 27 Feb 2005 16:06:04 -0800
    To: focus-ids@securityfocus.com

    Well, things have stabilized enough, I think, to start getting other
    people's feedback on the new 3.0 branch, so I'm releasing 3.0 Beta 1.

    For those of you not familiar with it, tcpreplay is a suite of BSD
    licensed tools for *NIX operating systems (although there is a Win32 port)
    which gives you the ability to use previously captured traffic in libpcap
    format to test a variety of network devices. It allows you to classify traffic
    as client or server, rewrite Layer 2, 3 and 4 headers and finally replay
    the traffic back onto the network and through other devices such as
    switches, routers, firewalls, NIDS and IPSs.

    What's new you ask? Well plenty...

    The biggest change is that all the packet editing code has been moved to a
    new application called tcprewrite. This should hopefully make things
    simpler and easier to use, but it will definitely improve replay speed. As
    a matter of fact, even if you're not editing packets, 3.0 should be
    faster than 2.3.3.

    The other big change is using GNU Autogen/Autoopts for processing the
    command line and config files. Also, since the man pages are built
    directly from the code, they should always be accurate and up to date.
    Note: flowreplay does not currently use Autoopts, so the man page is
    inaccurate. But since flowreplay is still in alpha and doesn't really
    work, I'm not worrying about it too much. :)

    Anyways, most of the features from 2.3.3 should be working in this
    Beta, but a few, like bridge mode, have been pulled for now. If your
    favorite feature isn't in Beta 1, drop me a line and I'll make sure it's
    back in Beta 2.

    I've worked on updating the FAQ and have started a real manual, but both
    still need work to be complete and accurate. The man pages are pretty
    good though. If you've got questions, please email the list. If you
    want to take a peek, it's all posted on the website.

    Lastly, I'm asking for comments on whether or not tcpreplay should ship
    with libnet and libpcap. A lot of people, it seems, have problems linking
    tcpreplay with libnet and libpcap (often because they have multiple
    versions installed) or have problems with running an older version, which
    is less than ideal for tcpreplay.

    The advantage, of course, is that these problems go away. The
    disadvantage is that the tarball will be bigger and compile time will be
    longer too. I'd rather not do this since it's just more work for me,
    but I get enough questions about it that I'm open to the idea.

    As always, get it here:

