flooding an embedded device with isic and tcpreplay causing different results



Hi everybody,

I'm trying to force a reload of an embedded SOHO router/NAT Gateway.
This is what I've done so far:
I flodded the device with isic and captured the packet flow. About 60s
later the device rebooted (obviosly because of a memory overload). I
stopped the packet capture, rebooted the SOHO and fired the pcap with
tcpdump again to the SOHO.
This behavior is reproducible - I did that scenario alt least 5 times.

So, now I wondering why the tcpreplay attack don't f*** up the SOHO.
I've 2 theories:
1. The tcpdump isn't complete because of "dropped by kernel" packets -
and these are the packets which are forcing the reload
2. tcpreplays performance is weaker than that of isic - this causes less
networkload and that is not enough to grill SOHOs mem.

these are the statistics of isic:
root@machine:/root# isic -s rand -d 192.168.1.1 -r 1337 -F 100 -I -V

..
..
284000 @ 5109.4 pkts/sec and 3321.4 k/s

^C

Caught signal 2

Used random seed 1337

Wrote 284003 packets in 69.00s @ 4116.05 pkts/s

and these are the captured packets from tcpdump:
root@machine:/root# tcpdump -i eth0 -n -s0 -w /root/crash.pcap
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size
65535 bytes
^C
268004 packets captured

283995 packets received by filter

15991 packets dropped by kernel

there is the output of tcpreplay (replaying the captured *.pcap)
root@machine:/root# tcpreplay -i eth0 crash.pcap
sending out eth0


processing file: crash.pcap


Actual: 268004 packets (180061091 bytes) sent in 74.45 seconds


Rated: 2418422.2 bps, 18.45 Mbps/sec, 3599.59 pps





Statistics for network device: eth0


Attempted packets: 268004


Successful packets: 268004


Failed packets: 0


Retried packets (ENOBUFS): 0


Retried packets (EAGAIN): 0



As you can see at the statistic of tcpreplay and isic, that tcpreplay
sends out about 500pkt/s less than isic.

Do you have an idea why my SOHO do not break down while pounding it with
tcpreplay?

cu

wlet

------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

Tired of using other people's tools? Why not learn how to write your own exploits? InfoSec Institute's Advanced Ethical Hacking class teaches you how to write stack and heap buffer overflow exploits for Windows and Linux. Gain your Certified Expert Penetration Tester (CEPT) cert as well.

http://www.infosecinstitute.com/courses/advanced_ethical_hacking_training.html
------------------------------------------------------------------------



Relevant Pages

  • Re: flooding an embedded device with isic and tcpreplay causing different results
    ... You can try use -nn option at tcpdump too, ... now I wondering why the tcpreplay attack don't f*** up the SOHO. ... The tcpdump isn't complete because of "dropped by kernel" packets - ... listening on eth0, link-type EN10MB, capture size ...
    (Pen-Test)
  • Re: flooding an embedded device with isic and tcpreplay causing different results
    ... I'm trying to force a reload of an embedded SOHO router/NAT Gateway. ... now I wondering why the tcpreplay attack don't f*** up the SOHO. ... The tcpdump isn't complete because of "dropped by kernel" packets - ...
    (Pen-Test)
  • Re: Update: UDP 770 Potential Worm
    ... > were no packets indicating some form of replication. ... > my capture was limited due to the switched ... to see if the problem occurs on the test network, ... The proxy had already been isolated from the ...
    (Incidents)
  • Re: Continuous internet activity
    ... IP address out of the exercise (dest address for the packets). ... starts the capture. ... Wireshark is not running, and then it is "safe" to transmit ... There is a small probability of a networking problem, ...
    (alt.comp.hardware.pc-homebuilt)
  • Re: Auditing / Logging
    ... to explicitly set these values and capture the text output seperately. ... The key is that dumping anything to console or making tcpdump generate ... wants in order to capture full packets, save them to disk, and go ...
    (Pen-Test)