Well, Port Mirroring (SPAN ports) don't guarantee 100% delivery of all packets or even the packet order. So I wouldn't use that, but instead use a cross-over cable between the two computers.

I personally would use two copies of tcpreplay running at the same time because trying to merge the two pcaps into a single file in a useful way (actually merging, not concatenating one after the other) is relatively difficult. Much easier to just start generating the background traffic (telling tcpreplay to loop forever) and then start sending one or more malicious traffic pcap files.

--
Aaron Turner
https://synfin.net/ Twitter: @synfinatic
Those who would give up essential Liberty, to purchase a little temporary
Safety, deserve neither Liberty nor Safety.
-- Benjamin Franklin

On Tue, Dec 29, 2015 at 6:52 PM, Hashem Alaidaros <[email protected]> wrote:
> Thanks Aaron for your reply.
> Basically, these two files will further be inspected for intrusion detection
> evaluation. One file contains malicious traffic and the other contains normal
> traffic. BTW, my testbed is two computers and a switch. The tcpreplay is in
> computer1 and intrusion detection in computer2 and a gigabit switch in between
> to forward all packets (via port mirror) to computer2. My question: instead
> of merging the two files into a single file, can I use two tcpreplay
> terminals concurrently? Does the switch forward the packets the same way
> as when they are in a single merged file?
> Thanks
>
> On Tue, Dec 29, 2015 at 9:51 AM, Aaron Turner <[email protected]> wrote:
>>
>> What do you mean by "more accurate results"? What kind of performance
>> are you hoping to achieve?
>> --
>> Aaron Turner
>> https://synfin.net/ Twitter: @synfinatic
>> Those who would give up essential Liberty, to purchase a little temporary
>> Safety, deserve neither Liberty nor Safety.
>> -- Benjamin Franklin
>>
>> On Mon, Dec 28, 2015 at 7:18 PM, Hashem Alaidaros <[email protected]>
>> wrote:
>> > Hi, I'm Aid,
>> > I want to replay two pcap files simultaneously. I just want to ask what
>> > is the difference between the two scenarios:
>> > 1) Merge the two files into one file, then replay only that file using
>> > a single tcpreplay command.
>> > 2) Run tcpreplay in two terminals simultaneously: one terminal runs
>> > tcpreplay on the first pcap file, and the second terminal runs tcpreplay
>> > on the second pcap file. It works for me without error.
>> >
>> > Which one gives more accurate results and performance?
>> > Thanks in advance.
>> >
>> > Here is additional information:
>> > Tcpreplay:
>> > tcpreplay version: 4.1.0 (build git:v4.1.0)
>> > Cache file supported: 04
>> > Not compiled with libdnet.
>> > Compiled against libpcap: 1.1.1
>> > 64 bit packet counters: enabled
>> > Packet editing: disabled
>> > Fragroute engine: disabled
>> > Injection method: PF_PACKET send()
>> > Not compiled with netmap
>> > --
>> > A friend in need Is a friend indeed
>> >
>> > ------------------------------------------------------------------------------
>> > _______________________________________________
>> > Tcpreplay-users mailing list
>> > [email protected]
>> > https://lists.sourceforge.net/lists/listinfo/tcpreplay-users
>> > Support Information: http://tcpreplay.synfin.net/trac/wiki/Support
>
> --
> A friend in need Is a friend indeed
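
Added example, not part of the original thread or of the tcpreplay project: a shell function for the two-instance approach described in the reply above, with background traffic looping via `--loop=0` while each attack capture is sent once. The function name, the warm-up delay, and the interface and file names in the usage comment are assumptions for an isolated testbed link.

```sh
#!/bin/sh
# Added example: two concurrent tcpreplay instances on one testbed interface.
# Usage (all values are assumptions, not from the thread):
#   replay_concurrently eth1 normal.pcap 10 attack1.pcap attack2.pcap

replay_concurrently() {
    if [ "$#" -lt 4 ]; then
        echo "usage: replay_concurrently IFACE BACKGROUND_PCAP WARMUP_SECS ATTACK_PCAP..." >&2
        return 2
    fi
    iface=$1 background=$2 warmup=$3
    shift 3

    # Background traffic: --loop=0 repeats the capture until the process is killed.
    tcpreplay --intf1="$iface" --loop=0 "$background" &
    bg_pid=$!
    # Never leave the looping replay running if the run is interrupted.
    trap 'kill "$bg_pid" 2>/dev/null' INT TERM

    # Give the IDS a baseline of normal traffic before the first attack capture.
    sleep "$warmup"

    status=0
    for pcap in "$@"; do
        # Attack traffic without background would skew the evaluation, so
        # stop if the background replay has died (bad file, wrong interface).
        if ! kill -0 "$bg_pid" 2>/dev/null; then
            echo "background replay exited early" >&2
            status=1
            break
        fi
        # Each attack capture is sent once, on the same interface.
        tcpreplay --intf1="$iface" "$pcap" || { status=1; break; }
    done

    # Stop and reap the background replay; its "killed" exit status is expected.
    kill "$bg_pid" 2>/dev/null || true
    wait "$bg_pid" 2>/dev/null || true
    trap - INT TERM
    return "$status"
}
```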
