Download Latest Version tomahawk1.1.tar.gz (78.3 kB)
Name Modified Size
tomahawk1_1.tgz 2006-04-28 74.4 kB
packetutil.h 2004-11-01 4.6 kB
eventloop.h 2004-11-01 3.1 kB
alloc.h 2004-11-01 1.4 kB
tomahawk 2004-10-18 159.2 kB
index.html 2004-10-18 4.5 kB
tomahawk1.0.tgz 2004-10-15 54.0 kB
index.htm 2004-10-15 3.9 kB
TUTORIAL.txt 2004-10-15 13.1 kB
MAN.txt 2004-10-15 8.8 kB
tomahawk.c 2004-10-15 42.1 kB
tomahawk.1 2004-10-15 7.7 kB
test.pcap 2004-10-15 2.4 kB
packetutil.c 2004-10-15 13.1 kB
eventloop.c 2004-10-15 24.1 kB
TUTORIAL 2004-10-15 13.1 kB
REVISION 2004-10-15 29 Bytes
README 2004-10-15 2.9 kB
Makefile 2004-10-15 2.0 kB
LICENSE 2004-10-15 33.7 kB
INSTALL 2004-10-15 2.4 kB
ANNOUNCE 2004-10-15 3.7 kB
Totals: 22 Items   474.3 kB 0
			        Tomahawk
		      Version 1.0, Sept 30, 2004
		   Brian Smith, TippingPoint, Inc.

This directory contains a public domain software tool called Tomahawk
for testing network-based intrusion prevention systems (NIPS).

In order to detail the capabilities of modern NIPS and accelerate their
deployment, we are releasing Tomahawk into the public domain (see the
file LICENSE in this directory for the legal details).

To date, the tools for testing NIPS have been expensive and limited
in functionality.  They are typically designed for testing other products,
such as switches (e.g., SmartBits/IXIA), server infrastructure (e.g.,
WebAvalanche), or firewalls and intrusion detection systems (Firewall
Informer or IDS Informer).  None of these tools simulates the harsh
environment of real networks under attack.

Tomahawk is designed to fill this gap.  It can be used to test the
throughput and blocking capabilities of network-based intrusion prevention
systems (NIPS).

Throughput testing

   The throughput of many NIPSs is highly dependent on the protocol mix.
   A NIPS must reassemble and inspect application level data encapsulated 
   in network traffic.  It must decode network and application level 
   protocols.  Since some protocols are more computationally intensive to 
   decode than others, the effect a NIPS has on network performance can be 
   highly dependent on the protocol mix that must flow through the NIPS.

   Tomahawk can test the throughput of a NIPS using the most realistic 
   mix of protocols possible: one obtained by taking a sample of traffic 
   from the network and replaying it.  A single Tomahawk server can generate 
   200-450 Mbps of traffic.  By using multiple servers and aggregating 
   the traffic through a switch, 1 Gbps or more of traffic can be replayed 
   through the NIPS.

   Tomahawk can also test the connections/second rating of a NIPS.  By  
   capturing a packet trace that contains a simple connection setup and 
   teardown (6 packets: SYN, SYN_ACK, ACK, FIN_ACK, FIN_ACK, ACK) and replaying 
   the traffic using Tomahawk, a single PC can generate 25-50 thousand 
   connections/second of network traffic.  With 3 inexpensive PCs, about 90K
   connections/sec can be generated, enough to test the limits of any NIPS.
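
   A connections/second run is only meaningful if the trace holds exactly
   the six-packet setup and teardown listed above. The check below is an
   added example, not part of the Tomahawk distribution: it reads a classic
   Ethernet pcap and compares the TCP flag sequence against that list. The
   function names and the in-memory sample trace are constructed for
   illustration.

```python
import struct

EXPECTED = ["SYN", "SYN_ACK", "ACK", "FIN_ACK", "FIN_ACK", "ACK"]
FLAG_NAMES = {0x02: "SYN", 0x12: "SYN_ACK", 0x10: "ACK", 0x11: "FIN_ACK"}
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}  # byte order

def tcp_flag_sequence(pcap_bytes):
    """Return the TCP flag name of each IPv4/TCP packet in a classic pcap."""
    endian = MAGICS.get(pcap_bytes[:4])
    if endian is None or len(pcap_bytes) < 24:
        raise ValueError("not a classic (microsecond) pcap file")
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) is handled")
    seq, off = [], 24
    while off + 16 <= len(pcap_bytes):
        # Per-packet header: ts_sec, ts_usec, incl_len, orig_len
        incl_len = struct.unpack(endian + "I", pcap_bytes[off + 8:off + 12])[0]
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4 carrying TCP
        ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
        if len(frame) < 14 + ihl + 14:
            continue  # TCP header truncated before the flags byte
        flags = frame[14 + ihl + 13] & 0x3F   # ignore ECE/CWR bits
        seq.append(FLAG_NAMES.get(flags, hex(flags)))
    return seq

def is_minimal_connection(pcap_bytes):
    """True only for the six-packet setup/teardown trace."""
    return tcp_flag_sequence(pcap_bytes) == EXPECTED

def build_sample(flag_values):
    """Constructed sample: one payload-free Ethernet/IPv4/TCP frame per flag
    byte. Addresses are fixed and checksums are zero; only flags matter here."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, flags in enumerate(flag_values):
        eth = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00"
        ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 40, i, 0, 64, 6, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
        tcp = struct.pack(">HHIIBBHHH", 40000, 80, 0, 0, 0x50, flags, 8192, 0, 0)
        frame = eth + ip + tcp
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out

SAMPLE = build_sample([0x02, 0x12, 0x10, 0x11, 0x11, 0x10])
```

   A trace that ends in a reset, or that carries extra data packets, fails
   the check and should be recaptured or trimmed before a rate test.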

Security testing

   In addition to throughput testing, Tomahawk can test the blocking
   capabilities of a NIPS by replaying attacks embedded in packet traces.
   Tomahawk reports if an attack completes or is blocked, allowing
   independent verification of the attack blocking capabilities in a NIPS.

   By replaying the same attack hundreds of times, Tomahawk can also test
   how reliably a NIPS blocks an attack.  A NIPS that blocks an attack only
   9 in 10 times is not worth much in a worm outbreak.

For more information, please visit:

   http://tomahawk.sourceforge.net/
Source: README, updated 2004-10-15