RE: [Tomahawk-users] traffic generation at layer3
From: Brian S. <bs...@ti...> - 2005-09-08 19:22:22
This is a current limitation of tomahawk. Tomahawk rewrites the IP addresses from a pool and then sets the MAC addresses based on the two NICs. For example, suppose you have a pcap that has a TCP conversation between computers A and B. If you give tomahawk command line parameters to send from eth1 and eth2, starting at IP 10.0.0.1, then the first packet out eth1 will be a SYN from 10.0.0.1 to 10.0.0.2; the source/dest MACs will be that of eth1 and eth2, respectively. The SYN-ACK will come out eth2, source/dest IP = 10.0.0.2->10.0.0.1, and the source/dest MACs will be that of eth2 and eth1, respectively. The idea is that the layer-2 network just switches packets based on MAC, ignoring the IP layer, so I can rewrite IP addrs all I want and not break anything.

I've thought about how to modify this for a layer-3 network, but haven't gotten around to it. Basically, you'd need to add command line parameters to specify two pools of addresses, one for the subnet associated with eth1 and another for the subnet associated with eth2. Suppose they were 10.0.0.0/24 and 11.0.0.0/24. You'd also need the MACs of the default gateway associated with each subnet, which would presumably be that of the DUT. Then you'd need tomahawk to either respond to ARPs from the DUT, or set the next hop route for the DUT to the IPs of eth1/eth2 (depending on the dest IP addr) and let the OS handle the ARP response. Then you'd need to modify tomahawk to set the IP addrs and MACs based on all this data. A little complicated, but not too bad.

Any takers out there to try this?

Brian

________________________________

From: tom...@li... [mailto:tom...@li...] On Behalf Of Nelson, Roger
Sent: Wednesday, September 07, 2005 1:20 PM
To: tom...@li...
Cc: Brian Smith
Subject: [Tomahawk-users] traffic generation at layer3

Greetings... hopefully a straight-forward question...

Given the caveat:

NOTE: The network connecting the two testing NICs must be a layer-2 network.

Has anyone come up with a use-case where Tomahawk was utilized in a test environment where in addition to IPS testing, routing through one or more firewalls was required?

I have attempted same but the traffic generated is apparently not routable; or I am missing something.

Any advice welcome.

Best.

Roger

Roger Nelson
ISTG FPS - Network & Enclave Services
Internet & Network Security Engineering
rn...@in...
408.765.1724

Win and have fun!
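The addressing described in the reply above, modelled side by side with the proposed layer-3 variant. This is an added example, not Tomahawk's code and not part of the original thread. The function names, the pool start addresses in the 10.0.0.0/24 and 11.0.0.0/24 subnets, the placeholder MACs and the sample packets are assumptions, and the ARP handling mentioned in the reply is not modelled.

```python
from ipaddress import ip_address

# Constructed sample: (src, dst) of a SYN, SYN-ACK, ACK between hosts A and B.
PCAP = [("192.168.1.5", "172.16.0.9"),
        ("172.16.0.9", "192.168.1.5"),
        ("192.168.1.5", "172.16.0.9")]
ETH1, ETH2 = "00:00:5e:00:53:01", "00:00:5e:00:53:02"   # placeholder NIC MACs
GW1, GW2 = "00:00:5e:00:53:a1", "00:00:5e:00:53:a2"     # placeholder DUT MACs


def _replay(packets, alloc, dmac_for):
    """Rewrite each packet; the first packet's sender is replayed out eth1."""
    client, mapping, out = packets[0][0], {}, []
    for src, dst in packets:
        for ip in (src, dst):
            if ip not in mapping:
                mapping[ip] = alloc(ip == client)
        nic, smac = ("eth1", ETH1) if src == client else ("eth2", ETH2)
        out.append((nic, smac, dmac_for(nic), mapping[src], mapping[dst]))
    return out


def rewrite_l2(packets, first_ip):
    """Behaviour described in the message: one pool, MACs are the two NICs."""
    nxt = [ip_address(first_ip)]

    def alloc(_is_client):
        ip, nxt[0] = nxt[0], nxt[0] + 1
        return str(ip)

    return _replay(packets, alloc, lambda nic: ETH2 if nic == "eth1" else ETH1)


def rewrite_l3(packets, pool1_start, pool2_start):
    """Proposed layer-3 variant: one pool per subnet, next hop is the gateway."""
    nxt = {True: ip_address(pool1_start), False: ip_address(pool2_start)}

    def alloc(is_client):
        ip, nxt[is_client] = nxt[is_client], nxt[is_client] + 1
        return str(ip)

    return _replay(packets, alloc, lambda nic: GW1 if nic == "eth1" else GW2)
```

In the layer-2 output both rewritten addresses share one subnet, so a router or firewall between the NICs has nothing to route; in the layer-3 output each frame is addressed to the gateway MAC on its own side with a destination IP in the other subnet.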