Re: Traffic Mirroring

To: debian-firewall@lists.debian.org
Subject: Re: Traffic Mirroring
From: Paolo <oopla@users.sf.net>
Date: Tue, 2 Sep 2008 12:06:47 +0200
Message-id: <[🔎] 20080902100646.GA17314@localhost>
Mail-followup-to: oopla@liszt.debian.org, debian-firewall@lists.debian.org
In-reply-to: <8763psb5wu.fsf@alamut.mobiliz.com.tr>
References: <87fxoxuo70.fsf@alamut.mobiliz.com.tr> <20080822151207.GA1090@localhost> <87vdxt9hgn.fsf@alamut.mobiliz.com.tr> <20080822174941.GB1090@localhost> <8763psb5wu.fsf@alamut.mobiliz.com.tr>

[sorry for late replay]
On Sat, Aug 23, 2008 at 09:29:37AM +0300, Volkan YAZICI wrote:
...
> That's a really good idea. But I even couldn't manage to direct a
> incoming connection to a single machine via DNAT. OTOH, while replaying

see posting from other

> tcpdump data, will I be able to change the source/destination address of
> the packages?

sure, those are stored in a file hence you can transform them the way you 
want, of course provided that you know how to parse TCP packets (eg
using libpcap-based apps - tshark/wireshark are the common tools to
_inspect_ TCP and much more).
You can replay through an interface (eg tun/tap) and change on the fly 
by iptables, or filter the raw dump .
Sorry, don't have a recipe handy, as in my case the culprit was the daemon 
state machine, and having the src it was more handy to tweak the code and 
read the tcpdump data instead from a socket, but you can look at tcpreplay,
either on sf.net or likely already packaged in your distro. Main info URL:
  http://tcpreplay.synfin.net/trac/wiki/manual

HTH
-- 
paolo

Reply to:

Prev by Date: Re: New User
Next by Date: REPLY ME URGENT.
Previous by thread: Re: New User
Next by thread: REPLY ME URGENT.
Index(es):
- Date
- Thread