If you're using TCP, the sequence numbers in the ACKs are going to be
totally wrong, and just won't work. For example:

    > SYN (seq Sc)                  (from the replay)
    < SYN ACK (seq Ss, ack Sc)      (from your stack)
    > SYN (seq Sc+1, ack Ss_old)    (from the replay)
    < stack-dependent freak-out

You somehow have to either make your stack's sequence number be the same
from the replay, or have your replay ACK the correct sequence number. A
similar issue arises if the number of bytes your stack sends doesn't
match the number of bytes from the replay.

-Bryan

On Wednesday, October 30, 2002, at 12:30 PM, Jared Stanbrough wrote:

> On Wed, 30 Oct 2002, Brad Arlt wrote:
>
>> On Wed, Oct 30, 2002 at 06:33:38AM -0800, Cynic wrote:
>>> Hi,
>>>
>>> I am looking for an application for *NIX, that can replay captured
>>> packets, while dropping, the TCP Stack's responses. Let's assume I
>>> replay a SYN, and receive a SYN-ACK, my host's TCP Stack immediately
>>> replies with a RST since it was not aware a connection was to be
>>> opened. So I am looking for some low-level retransmission
>>> application for *nix such as Network monitor for NT. (I believe it
>>> does this.)
>>
>> http://tcpreplay.sourceforge.net/
>>
>> TCP Replay resends a libpcap or snoop capture file. As far as I know
>> it doesn't listen to a darn thing, so you are good to go.
>
> This doesn't address the issue of keeping the originating machine from
> trying to take part in the replayed TCP session. The question isn't
> how to replay the data, it's how to keep the originating host from
> screwing it up by tearing down the illegitimate connection.
>
> One easy way to do this would be to set up iptables to block outbound
> TCP packets that have the RST flag set (of course, this would mess up
> replayed data which contains RSTs..but I'm sure you can think of
> creative solutions for that :)
>
> --jared
>
>>
>> You can trim the capture file however you like using the tools that
>> come with it, Snoop, or tcpdump.
>> -----------------------------------------------------------------------
>>    __o          Bradley Arlt                    Security Team Lead
>>  _ \<_          arltat_private                  University Of Calgary
>> (_)/(_)         I should be biking right now.   Computer Science
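Added example, not part of the original thread: one way to do the second option in the reply above, shifting the ACK numbers of the recorded client segments from the old server ISN (Ss_old) to the ISN the live stack chose, and finding the point where the live stack's byte counts stop matching the recording. The Segment record, the function names and the sample capture are constructed for illustration.

```python
from dataclasses import dataclass, replace

MOD = 1 << 32  # TCP sequence numbers are 32 bits wide and wrap around

@dataclass(frozen=True)
class Segment:
    direction: str   # "c2s" = recorded client segment, "s2c" = recorded server segment
    flags: str       # "S", "SA", "A", "PA", "FA", ...
    seq: int
    ack: int
    length: int = 0  # payload bytes

def seq_space(seg):
    """Sequence space a segment consumes: payload plus one each for SYN and FIN."""
    return seg.length + ("S" in seg.flags) + ("F" in seg.flags)

def rebase_acks(capture, live_isn):
    """Client segments with every ACK moved from the recorded server ISN to live_isn."""
    old_isn = next(s.seq for s in capture if s.direction == "s2c" and "S" in s.flags)
    delta = (live_isn - old_isn) % MOD
    rebased = []
    for seg in capture:
        if seg.direction != "c2s":
            continue                      # only the replayed side is rewritten
        if "A" in seg.flags:              # the initial SYN carries no ACK to fix
            seg = replace(seg, ack=(seg.ack + delta) % MOD)
        rebased.append(seg)
    return rebased

def first_divergence(capture, live_sizes):
    """Index of the first server segment whose live size differs from the recording.

    From that segment on a constant offset no longer gives valid ACKs (the
    byte-count issue mentioned in the reply). Returns None if all sizes match.
    """
    recorded = [seq_space(s) for s in capture if s.direction == "s2c"]
    for i, (old, new) in enumerate(zip(recorded, live_sizes)):
        if old != new:
            return i
    return None

# Constructed capture; the recorded server ISN sits just below the 32-bit wrap.
CAPTURE = [
    Segment("c2s", "S", 1000, 0),
    Segment("s2c", "SA", 4294967290, 1001),
    Segment("c2s", "A", 1001, 4294967291),
    Segment("c2s", "PA", 1001, 4294967291, 20),
    Segment("s2c", "PA", 4294967291, 1021, 10),
    Segment("c2s", "A", 1021, 5),
]

if __name__ == "__main__":
    for seg in rebase_acks(CAPTURE, live_isn=500):
        print(seg)
```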
This archive was generated by hypermail 2b30 : Wed Oct 30 2002 - 13:42:01 PST