Re: Remote IDS Testing



fragrouter + tcpreplay would do the trick. I don't think fragroute
(no r) will work properly with tcpreplay on the same box, but you
might give it a try.

You can get fragrouter (unsupported afaik) here:
http://packetstorm.widexs.nl/UNIX/IDS/nidsbench/nidsbench.html

Newer (and supported) versions of tcpreplay from here:
http://tcpreplay.sourceforge.net/

Fragroute (supported):
http://www.monkey.org/~dugsong/fragroute/

Of course none of these tools really make it easy to determine what
packet(s) actually cause the problem, but you can step through the
pcap file manually using tcpreplay.

-Aaron


On 12/13/05, Schupp, Hank <Hank.Schupp@xxxxxxxxxxxxxxx> wrote:
> Am trying to determine a method to transmit PCAP files with (measurable?)
> fragmentation.
>
> I have sets of captures now for various protocols (IM, EMAIL, HTTP, etc)
> and wish to transmit them in a fragmented format to test the ability of an
> analysis tool to properly defragment and rebuild the sessions. Optimally,
> I'd like to be able to set a fragmentation percentage and replay a set of
> pcap files to gauge the failure point. Out-of-order packet generation
> in the same tool would just be a big plus!
>
> Any thoughts? Your input will be greatly appreciated.
>
> Whether possible solutions are open source, commercial, or a mix - I'd love
> to hear about it. Thanks much
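
The fragmentation percentage and out-of-order replay asked about above, sketched in memory as an added example that is not part of the original thread or of fragrouter, fragroute or tcpreplay. It goes one step further and includes a reference reassembler, so the analysis tool's rebuilt sessions can be compared against a known-good result and the failing datagram identified. Assumptions: all function names are hypothetical, packets are raw IPv4 datagrams without options (link-layer header already stripped), and overlapping fragments are not modelled.

```python
import random, struct

def checksum(hdr):  # RFC 791 ones' complement header checksum
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def build(hdr, payload, flags_off):  # fill total length, flags/offset, checksum
    struct.pack_into("!H", hdr, 2, len(hdr) + len(payload))
    struct.pack_into("!H", hdr, 6, flags_off)
    hdr[10:12] = struct.pack("!H", checksum(hdr[:10] + hdr[12:]))
    return bytes(hdr) + payload

def sample_packet(ident, payload):  # constructed test datagram (proto 6, DF set)
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, ident, 0, 64, 6, 0,
                                b"\xc0\x00\x02\x01", b"\xc6\x33\x64\x02"))
    return build(hdr, payload, 0x4000)

def fragment(pkt, units=1):  # units: payload bytes per fragment, in 8-byte units
    ihl, size = (pkt[0] & 0x0F) * 4, units * 8
    payload = pkt[ihl:]
    if len(payload) <= size:
        return [pkt]
    return [build(bytearray(pkt[:ihl]), payload[o:o + size],
                  (0x2000 if o + size < len(payload) else 0) | o // 8)  # MF | offset, DF cleared
            for o in range(0, len(payload), size)]

def fragment_stream(pkts, percent, units=1, shuffle=False, seed=0):
    rng, out = random.Random(seed), []  # seeded so a failing run can be repeated
    for p in pkts:
        frags = fragment(p, units) if rng.random() * 100 < percent else [p]
        if shuffle:
            rng.shuffle(frags)  # out-of-order delivery within one datagram
        out.extend(frags)
    return out

def reassemble(frags):
    """Reference result: one payload per datagram, None where fragments are missing."""
    parts, total = {}, {}
    for f in frags:
        ihl, key = (f[0] & 0x0F) * 4, (f[12:20], f[9], f[4:6])  # src+dst, proto, id
        fo = struct.unpack("!H", f[6:8])[0]
        off = (fo & 0x1FFF) * 8
        parts.setdefault(key, {})[off] = f[ihl:]
        if not fo & 0x2000:  # last fragment fixes the datagram length
            total[key] = off + len(f) - ihl
    joined = {k: b"".join(c[o] for o in sorted(c)) for k, c in parts.items()}
    return [d if len(d) == total.get(k) else None for k, d in joined.items()]
```

Raising `percent` in steps with a fixed `seed` keeps each run repeatable, which narrows down which datagram the tool under test fails to rebuild.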
