Introduction: Have you ever wanted to see how a device reacts, what it logs or displays, or how it handles attack traffic by pushing a set of PCAP (Packet Capture) files through a router or an Intrusion Detection and Prevention System (IDPS)? In this blog post we show an easy and free way to do it with the tcpreplay suite (tcpprep, tcprewrite and tcpreplay).

Step 1: Finding Suitable PCAP Files: To begin, you need some PCAP files to replay. A good starting point is the Netresec website, which maintains a curated index of publicly available captures for many scenarios. Put each capture you want to run in its own directory as test.pcap, since the scripts below expect that layout.

Step 2: The Main Script: Below is the driver script. It visits every subdirectory of the current directory and runs the script.sh it finds there:

#!/bin/bash
echo "Welcome to Thunderdome"
# Run script.sh in every scenario directory. The subshell means a failing
# run (or a failed cd) cannot leave the loop stranded in the wrong directory.
for dir in */; do
    ( cd "$dir" && ./script.sh )
done

Step 3: The Script to be Executed: This script (script.sh) is called by the main script in each directory and performs the PCAP rewriting and replay.

#!/bin/bash
set -e   # stop at the first failing step instead of replaying a stale file

# Classify every packet as client-side or server-side by its port numbers.
tcpprep --port --pcap=test.pcap --cachefile=in.cache

# Rewrite IPs: the client side becomes 10.0.66.100, the server side 10.0.77.100.
tcprewrite --cachefile=in.cache --endpoints 10.0.66.100:10.0.77.100 --infile=test.pcap --outfile=out.pcap

# Rewrite MACs: source = the NIC we send from, destination = the device under test.
tcprewrite --enet-smac=00:50:56:99:96:65 --enet-dmac=00:50:56:99:e8:71 --infile=out.pcap --outfile=out2.pcap

# Replay once at 6 Mbit/s; -K preloads the file into RAM before sending.
/usr/bin/tcpreplay -i eth0 -K --mbps 6 --loop 1 out2.pcap

Step 4: Explanation of the Script:

  • tcpprep reads test.pcap and writes in.cache, which records for every packet whether it belongs to the client or the server side of its flow; in --port mode that decision is made from the port numbers. The next step needs this cache to tell the two directions apart.
  • The first tcprewrite uses that cache together with --endpoints to rewrite every IP address in test.pcap and produce out.pcap: the client side of every flow becomes 10.0.66.100 and the server side 10.0.77.100. Choose 10.0.66.100 as an address on the segment you replay from and 10.0.77.100 as an address that sits behind the device under test, so a router actually forwards the traffic instead of dropping it.
  • The second tcprewrite reads out.pcap and writes out2.pcap with the Ethernet addresses rewritten: --enet-smac is set to the MAC of the interface you replay from (eth0 here) and --enet-dmac to the MAC of the router or IDPS port you want to push the traffic into. A router only processes frames addressed to its own MAC, so this is what gets the packets accepted; a sensor sniffing in promiscuous mode is less picky.
  • Finally tcpreplay sends out2.pcap once (--loop 1) out of eth0 at 6 Mbit/s, ignoring the original timing of the capture. Because it only transmits, both halves of every conversation go out of the same interface and nothing answers the device; that is fine for watching logs and alerts, but it is not a substitute for a live client and server. tcpreplay needs root privileges to write raw frames.
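Putting Steps 2 to 4 together, here is an added driver script (not the post's own scripts, and not part of the tcpreplay project) that replaces the main script and the per-directory script.sh pair: it validates the addresses, builds the same tcpprep/tcprewrite/tcpreplay pipeline for every capture under a root directory, names the intermediate files after the input so several captures in one directory do not clobber each other, and with DRY_RUN=1 prints the exact commands instead of sending anything. The interface, IP addresses, MAC addresses and rate are the placeholders from the post, assumed as defaults and overridable through environment variables; the path scenario/test.pcap used in the comments is made up.

```shell
#!/bin/sh
# Added example, not the original post's script. Every setting below is an
# assumed placeholder, overridden via environment variables, e.g.
#   IFACE=ens3 DST_MAC=aa:bb:cc:dd:ee:ff DRY_RUN=1 ./replay_all.sh ./pcaps
set -eu

IFACE="${IFACE:-eth0}"                    # interface tcpreplay transmits on
CLIENT_IP="${CLIENT_IP:-10.0.66.100}"     # rewritten client-side address
SERVER_IP="${SERVER_IP:-10.0.77.100}"     # rewritten server-side address
SRC_MAC="${SRC_MAC:-00:50:56:99:96:65}"   # MAC of $IFACE
DST_MAC="${DST_MAC:-00:50:56:99:e8:71}"   # MAC of the router / IDPS port
MBPS="${MBPS:-6}"                         # replay rate in Mbit/s
DRY_RUN="${DRY_RUN:-0}"                   # 1 = print commands, send nothing

# Dotted quad with every octet in 0..255.
is_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Six colon-separated hex bytes. tcprewrite would reject anything else,
# but failing here is cheaper than failing after tcpprep has already run.
is_mac() {
    printf '%s' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Run a command, or only show it when DRY_RUN=1 so the exact tcprewrite
# arguments can be reviewed before anything hits the wire.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "[dry-run] $*"
    else
        "$@"
    fi
}

# The post's Step 3 pipeline for one capture, e.g. scenario/test.pcap ->
# scenario/test.cache, scenario/test.ep.pcap, scenario/test.replay.pcap.
replay_one() {
    in=$1
    base=${in%.pcap}
    run tcpprep --port --pcap="$in" --cachefile="$base.cache"
    run tcprewrite --cachefile="$base.cache" --endpoints="$CLIENT_IP:$SERVER_IP" \
        --infile="$in" --outfile="$base.ep.pcap"
    run tcprewrite --enet-smac="$SRC_MAC" --enet-dmac="$DST_MAC" \
        --infile="$base.ep.pcap" --outfile="$base.replay.pcap"
    run tcpreplay -i "$IFACE" -K --mbps "$MBPS" --loop 1 "$base.replay.pcap"
}

main() {
    is_ipv4 "$CLIENT_IP" && is_ipv4 "$SERVER_IP" || { echo "bad endpoint IP" >&2; exit 1; }
    is_mac "$SRC_MAC" && is_mac "$DST_MAC" || { echo "bad MAC address" >&2; exit 1; }
    # One level of scenario directories under the given root, as in the post.
    for f in "$1"/*/*.pcap; do
        [ -f "$f" ] || continue                                  # unmatched glob
        case $f in *.ep.pcap|*.replay.pcap) continue ;; esac   # skip our own outputs
        replay_one "$f"
    done
}

# Run only when given a root directory, so the file can also be sourced.
[ "$#" -eq 0 ] || main "$1"
```

Do a DRY_RUN=1 pass first and read the printed tcprewrite lines; then, before the real run, open one of the generated *.replay.pcap files with tcpdump -e -n -r to confirm that every frame now carries the expected MAC pair and the two endpoint addresses. That catches a wrong MAC or a swapped client/server assignment before a single packet reaches the device.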

Conclusion: There are terser ways to chain these commands, but this version is easy to read and does the job. With these two scripts you can push any set of PCAP files through a router or IDPS and watch how the device logs, alerts on or drops the traffic. That makes the method a handy tool for network testing and security assessment, for example for checking that a sensor actually fires on a known attack capture.

Use this technique responsibly: the captures you replay may contain real attack traffic, so run them only on an isolated lab network, never on production systems or on networks you do not own. Happy testing!
