Well that's going to make debugging difficult, especially in a virtual environment where you can't put a network tap, etc. on the wire to take a look.

My off-hand guess is that either:

1. Because you're using tcpreplay, the target host is sending TCP Reset packets and killing the connection. Your appliance is stateful enough to know it can ignore the actual HTTP GET request.

2. The traffic isn't going through the appliance at all, because the MAC addresses in the ethernet frames are wrong and aren't being routed correctly by the hypervisor.

--
Aaron Turner
http://synfin.net/ Twitter: @synfinatic
Those who would give up essential Liberty, to purchase a little temporary
Safety, deserve neither Liberty nor Safety.
-- Benjamin Franklin

On Tue, Apr 14, 2015 at 11:02 AM, Randy Sanginario <[email protected]> wrote:
> No. The appliance is a hardened product and I am not able to run tcpdump on
> it.
>
> On Tue, Apr 14, 2015 at 1:43 PM, Aaron Turner <[email protected]> wrote:
>>
>> What I meant was: does the appliance see the traffic when replayed
>> with tcpreplay? Specifically, if you run tcpdump on the appliance, do
>> you see the HTTP traffic being sent by tcpreplay?
>> --
>> Aaron Turner
>> http://synfin.net/ Twitter: @synfinatic
>> Those who would give up essential Liberty, to purchase a little temporary
>> Safety, deserve neither Liberty nor Safety.
>> -- Benjamin Franklin
>>
>> On Tue, Apr 14, 2015 at 10:39 AM, Randy Sanginario <[email protected]> wrote:
>> > Thanks Aaron. I need to investigate how to trim the file. I opened the
>> > file in Wireshark but the "edit packet" option is grayed out. When you ask
>> > if I have confirmed that the virtual security server sees the traffic the
>> > answer is yes. Again, what I did was execute a manual test (with a policy
>> > in place on the virtual security server to block network viruses) from the
>> > Windows vm. The test was simple. I just opened a browser and went to
>> > eicar.org and clicked on the link to download the test file, eicar.com.txt
>> > (and this was the traffic that I tried to capture with eicar). This yielded
>> > a message on the Windows vm indicating that the virus had been blocked. I
>> > will attempt to use that tcpliveplay tool.
>> >
>> > Thanks.
>> >
>> > randy
>> >
>> > On Tue, Apr 14, 2015 at 12:53 PM, Aaron Turner <[email protected]> wrote:
>> >>
>> >> Hi Randy,
>> >>
>> >> So first, I'd recommend trimming your pcap to only include the
>> >> eicar.com request. You have over 2600 packets in that pcap and that
>> >> makes testing much more difficult since your actual test traffic is
>> >> less than 1% of that.
>> >>
>> >> Second, I'm not sure I fully understand your test bed. How does your
>> >> virtual security appliance "see" the eicar.com file? Have you
>> >> confirmed that this appliance sees all the traffic?
>> >>
>> >> Third, your statement about an "eicar server" is a red flag for me.
>> >> That sounds like you expect tcpreplay to make an HTTP connection to
>> >> your server. Tcpreplay cannot do that. It can only pretend to be
>> >> *both* the client and server. If you need to connect to a server,
>> >> then tcpliveplay is the correct tool.
>> >>
>> >> Regards,
>> >> Aaron
>> >>
>> >> --
>> >> Aaron Turner
>> >> http://synfin.net/ Twitter: @synfinatic
>> >> Those who would give up essential Liberty, to purchase a little temporary
>> >> Safety, deserve neither Liberty nor Safety.
>> >> -- Benjamin Franklin
>> >>
>> >> On Tue, Apr 14, 2015 at 7:03 AM, Randy Sanginario <[email protected]> wrote:
>> >> > Hi There,
>> >> >
>> >> > I am trying to replay the following pcap file in a private subnet of mine
>> >> > for testing purposes. The pcap was captured on a guest (call it Win7-a) in
>> >> > my vmWare cluster and replayed from another guest in the same cluster. All
>> >> > of my guest virtual machines in the cluster are Windows7 clones set up with
>> >> > one NIC (eth0). To replay the pcap I run "tcpreplay -i eth0 -K --loop 1
>> >> > mytestpcap.pcap". The pcap pretty much contains a GET to download an eicar
>> >> > virus file. I am trying to see that our security virtual appliance
>> >> > catches the virus but this does not seem to happen when I replay. It is my
>> >> > understanding that I don't have to run tcpreplay from the source machine
>> >> > itself (i.e. Win7-a). I've run tcpreplay and re-captured the traffic and all
>> >> > looks good there but again the traffic should flow from Win7-a through my
>> >> > security virtual appliance and to the eicar server. However the fact that
>> >> > the virus is not being detected tells me there is something that I am not
>> >> > understanding. When I execute this test by hand (i.e. accessing the
>> >> > eicar.com.txt virus) from Win7-a, the security virtual appliance does
>> >> > catch/block the threat. I should note that I did not do any tcpprep or
>> >> > tcprewrite work on this pcap.
>> >> >
>> >> > Any help on this matter would be greatly appreciated as I would love to use
>> >> > this tool to drive many pcaps through my cluster for the sake of persistence
>> >> > testing.
>> >> >
>> >> > Thanks much.
>> >> >
>> >> > randy

------------------------------------------------------------------------------
_______________________________________________
Tcpreplay-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/tcpreplay-users
Support Information: http://tcpreplay.synfin.net/trac/wiki/Support
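Added example (my own code, not Aaron's, Randy's or tcpreplay's): a pure-stdlib Python script that does the two things the thread points at, trimming the capture to the single TCP flow carrying the eicar.com request and rewriting the Ethernet MACs so every frame is addressed between the replaying client and the gateway the appliance sits in front of (the equivalent of tcprewrite's --enet-smac/--enet-dmac). It assumes a classic little-endian pcap (magic 0xa1b2c3d4) with Ethernet link type and IPv4/TCP; the MACs, IPs and packets in demo() are constructed sample values.

```python
import struct
PCAP_HDR = struct.Struct("<IHHiIII")  # magic, version maj/min, tz, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<IIII")      # ts_sec, ts_usec, incl_len, orig_len

def read_pcap(data):
    """Split a little-endian Ethernet pcap into (global header, [(record header, frame)])."""
    magic, *_, linktype = PCAP_HDR.unpack_from(data)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected little-endian pcap with LINKTYPE_ETHERNET")
    pos, recs = PCAP_HDR.size, []
    while pos + REC_HDR.size <= len(data):
        end = pos + REC_HDR.size + REC_HDR.unpack_from(data, pos)[2]  # header + incl_len
        recs.append((data[pos:pos + REC_HDR.size], data[pos + REC_HDR.size:end]))
        pos = end
    return data[:PCAP_HDR.size], recs

def tcp_tuple(frame):
    """((src_ip, sport), (dst_ip, dport)) for an Ethernet/IPv4/TCP frame, else None."""
    ihl = (frame[14] & 0x0F) * 4 if len(frame) > 14 else 0   # IPv4 header length
    if frame[12:14] != b"\x08\x00" or ihl < 20 or len(frame) < 18 + ihl or frame[23] != 6:
        return None
    sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
    return (frame[26:30], sport), (frame[30:34], dport)

def trim_flow(data, marker, client_mac, gateway_mac):
    """Keep only the TCP flow carrying `marker`; requests get src=client_mac/dst=gateway_mac, replies reversed."""
    ghdr, recs = read_pcap(data)
    hit = next((tcp_tuple(f) for _, f in recs if marker in f), None)  # (client, server)
    if hit is None: raise ValueError("marker not found in any IPv4/TCP packet")
    macs = {hit: gateway_mac + client_mac, hit[::-1]: client_mac + gateway_mac}  # dst MAC first
    keep = [rhdr + macs[tcp_tuple(f)] + f[12:] for rhdr, f in recs if tcp_tuple(f) in macs]
    return b"".join([ghdr] + keep)

def build_pcap(pkts):
    """Constructed sample input: pcap from (src_ip, sport, dst_ip, dport, payload) tuples."""
    out = [PCAP_HDR.pack(0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for src, sport, dst, dport, payload in pkts:
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0, src, dst)
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 8192, 0, 0)
        frame = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip + tcp + payload  # placeholder MACs
        out.append(REC_HDR.pack(0, 0, len(frame), len(frame)) + frame)
    return b"".join(out)

def demo():
    """Constructed sample: noise packets around the eicar GET (10.0.0.5 -> 192.0.2.1) and its reply."""
    noise = (bytes([10, 0, 0, 7]), 40001, bytes([10, 0, 0, 1]), 80, b"GET /index.html HTTP/1.1\r\n\r\n")
    get = (bytes([10, 0, 0, 5]), 50123, bytes([192, 0, 2, 1]), 80, b"GET /eicar.com.txt HTTP/1.1\r\n\r\n")
    reply = (bytes([192, 0, 2, 1]), 80, bytes([10, 0, 0, 5]), 50123, b"HTTP/1.1 200 OK\r\n\r\n")
    return trim_flow(build_pcap([noise, get, reply, noise]), b"eicar.com.txt",
                     bytes.fromhex("000c29112233"), bytes.fromhex("005056aabbcc"))
```

Write the bytes returned by trim_flow to a file and replay that instead of the 2600-packet capture; if the appliance still sees nothing, the RST hypothesis is what is left to check.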
