Thanks Aaron for your kind recommendation. Your idea of using cross-over cable instead of port mirror is great idea to ensure all packets are delivered. But in my research I'm requested to use port-mirror to represent at least near real traffic production.
For the second point, I will follow what you preferred of using two concurrent tcpreplays instead of merging into single file. Here I have a question, if the first tcpreplay run use -M 500, and the second tcpreplay run use -M 500, and both go to the same interface, in this case can I say the traffic output from the interface is 500 Mbps or 1000 Mbps? Thanks for advance On Wed, Dec 30, 2015 at 11:02 AM, Aaron Turner <[email protected]> wrote: > Well Port Mirroring (SPAN ports) don't guarantee 100% deliver of all > packets or even the packet order. So I wouldn't use that, but instead > use a cross-over cable between the two computers. > > I personally would use two copies of tcpreplay running at the same > time because trying to merge the two pcaps into a single file in a > useful way (actually merging, not concatenating one after the other) > is relatively difficult. Much easier to just start generating the > background traffic (telling tcpreplay to loop forever) and then start > sending one or more malicous traffic pcap files. > -- > Aaron Turner > https://synfin.net/ Twitter: @synfinatic > Those who would give up essential Liberty, to purchase a little temporary > Safety, deserve neither Liberty nor Safety. > -- Benjamin Franklin > > > On Tue, Dec 29, 2015 at 6:52 PM, Hashem Alaidaros <[email protected]> > wrote: > > Thanks Aaron for your reply. > > Basically, these two files will further be inspected for intrusion > detection > > evaluation. One file contain malicious traffic and other contain normal > > traffic. BTW, My testbed is two computers and switch. The tcpreplay is in > > computer1 and intrusion detection in computer2 and gigabit switch in > between > > to forward all packet (via port mirror) to computer2. My question, > Instead > > of merging the two files into a single file, can I use two tcpreplay > > terminals concurrently? Does the switch forward the packets the same way > > when they are in a single merged file? > > Thanks > > > > > > On Tue, Dec 29, 2015 at 9:51 AM, Aaron Turner <[email protected]> > wrote: > >> > >> What do you mean by "more accurate results"? What kind of performance > >> are you hoping to achieve? > >> -- > >> Aaron Turner > >> https://synfin.net/ Twitter: @synfinatic > >> Those who would give up essential Liberty, to purchase a little > temporary > >> Safety, deserve neither Liberty nor Safety. > >> -- Benjamin Franklin > >> > >> > >> On Mon, Dec 28, 2015 at 7:18 PM, Hashem Alaidaros < > [email protected]> > >> wrote: > >> > Hi, I'm Aid, > >> > I want to replay two pcap files : Simultaneously, I just want to ask > >> > what is > >> > the difference between the two scenario: > >> > 1) Merge the two files into one file, then replay only that file using > >> > single tcpreplay command. > >> > 2) Run tcpreplay in two terminals: Simultaneously, one terminal > >> > tcpreplay > >> > the first pcap file, and the second terminal using tcpreplay the > second > >> > pcap > >> > file. I works for me without error. > >> > > >> > Which one gives more accurate results and performance? > >> > Thanks in advance. > >> > > >> > Here is additional information: > >> > Tcpreplay: > >> > tcpreplay version: 4.1.0 (build git:v4.1.0) > >> > Cache file supported: 04 > >> > Not compiled with libdnet. > >> > Compiled against libpcap: 1.1.1 > >> > 64 bit packet counters: enabled > >> > Packet editing: disabled > >> > Fragroute engine: disabled > >> > Injection method: PF_PACKET send() > >> > Not compiled with netmap > >> > -- > >> > A friend in need Is a friend indeed > >> > > >> > > >> > > ------------------------------------------------------------------------------ > >> > > >> > _______________________________________________ > >> > Tcpreplay-users mailing list > >> > [email protected] > >> > https://lists.sourceforge.net/lists/listinfo/tcpreplay-users > >> > Support Information: http://tcpreplay.synfin.net/trac/wiki/Support > >> > >> > >> > ------------------------------------------------------------------------------ > >> _______________________________________________ > >> Tcpreplay-users mailing list > >> [email protected] > >> https://lists.sourceforge.net/lists/listinfo/tcpreplay-users > >> Support Information: http://tcpreplay.synfin.net/trac/wiki/Support > > > > > > > > > > -- > > A friend in need Is a friend indeed > > > > > ------------------------------------------------------------------------------ > > > > _______________________________________________ > > Tcpreplay-users mailing list > > [email protected] > > https://lists.sourceforge.net/lists/listinfo/tcpreplay-users > > Support Information: http://tcpreplay.synfin.net/trac/wiki/Support > > > ------------------------------------------------------------------------------ > _______________________________________________ > Tcpreplay-users mailing list > [email protected] > https://lists.sourceforge.net/lists/listinfo/tcpreplay-users > Support Information: http://tcpreplay.synfin.net/trac/wiki/Support > -- A friend in need Is a friend indeed
------------------------------------------------------------------------------
_______________________________________________ Tcpreplay-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/tcpreplay-users Support Information: http://tcpreplay.synfin.net/trac/wiki/Support
