Effective Way to Replay Pcap Files?

asked 2020-09-28 18:14:58 +0000

curiousWireSharker

Hi All,

I'm new to this forum but I was curious if anybody has had any experience (or theories) on how to get pcap files replayed over a network?

I've tried using TCPReplay before but it doesn't work as I intended it to work. A good test for me is to replay a test email to myself, write those packets to a pcap file, and then try to replay them using TCPReplay. However, whenever I do that I don't see a copy of the email in my inbox. My theory is that there is an issue with the SYN and ACK flags of the recorded packets and the email client (or something) is picking it up as duplicate packets and won't resend them.

Does anybody have any advice or any software that can effectively resend an email if there is a pcap file of an email being sent?


1 Answer


answered 2020-09-29 12:40:02 +0000

Bob Jones

TCP is problematic to replay/inject due to the hosts maintaining connection state, as you have found.

Google has tools that may or may not solve this if you search for it. Within the tcpreplay suite, there is a utility for this:

https://tcpreplay.appneta.com/wiki/tcpliveplay-man.html

Another solution is to avoid replaying TCP altogether and develop a (maybe) simple client or server utility in the programming language of your choice to play the other side of your test.


Comments

Thank you for your reply! Unfortunately I've tried searching for other solutions but haven't come across any. Do you have any that come off the top of your head?

Can you explain your last paragraph? If I'm recording all traffic, are you saying have another client that generates new TCP packets to run alongside my other replayed packets?

curiousWireSharker (2020-09-29 13:00:25 +0000)

Google had some, such as

https://www.cs.ucdavis.edu/~wu/public...

And others. I don't know if any of them work or not.

What we usually do is write our own TCP client/servers for the protocol under review if a separate tester does not exist. For your example, SMTP (don't know if you are using that or not) could be used to deliver email so we might write a simple SMTP client to send data to the email server. This small app would then handle building the TCP session and handling everything you need from that standpoint. It might also be possible to integrate something like TLS or other security protocols which, if done right, you should never be able to replicate by some type of packet replay.

Bob Jones (2020-09-29 17:21:58 +0000)
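The approach in the comment above (do not replay the captured TCP segments; recover the SMTP exchange from the capture and hand it to a real client that negotiates its own session) as an added example. This is not code from the thread or from the tcpreplay project. It assumes a plaintext SMTP session captured as a classic libpcap file on Ethernet; the IP addresses, host names and the whole session in `_sample_session()` are constructed for the demo, and `resend()` uses Python's standard `smtplib` against whatever test mail server you point it at (it is not exercised offline). Reassembly orders segments by sequence number so out-of-order and retransmitted segments, the things that make a raw replay look like duplicates to the receiving stack, collapse into one stream; it ignores sequence-number wraparound and partial overlaps, which a production tool would need to handle.

```python
import smtplib
import struct

# ---- constructed sample capture (hypothetical hosts, not a real capture) ----
C_IP, S_IP = b"\x0a\x00\x00\x05", b"\x0a\x00\x00\x09"   # 10.0.0.5 -> 10.0.0.9
SYN, ACK, PSH = 0x02, 0x10, 0x08


def _frame(src, dst, sport, dport, seq, ack, flags, payload=b""):
    """Ethernet/IPv4/TCP frame; checksums left zero (fine for an offline parser)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, src, dst)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


def _pcap(frames):
    """Classic libpcap file: 24-byte global header, LINKTYPE_ETHERNET (1)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for ts, f in enumerate(frames):
        out.append(struct.pack("<IIII", ts, 0, len(f), len(f)) + f)
    return b"".join(out)


def _sample_session():
    """Handshake, SMTP dialogue, one out-of-order DATA segment and one retransmission."""
    cseq, sseq = 1001, 5001                       # ISNs 1000/5000 consumed by SYN/SYN-ACK
    pkts = [_frame(C_IP, S_IP, 40000, 25, 1000, 0, SYN),
            _frame(S_IP, C_IP, 25, 40000, 5000, 1001, SYN | ACK),
            _frame(C_IP, S_IP, 40000, 25, 1001, 5001, ACK)]
    dialogue = [("s", b"220 mail.example.test ESMTP\r\n"),
                ("c", b"EHLO client.example.test\r\n"), ("s", b"250 mail.example.test\r\n"),
                ("c", b"MAIL FROM:<alice@example.test>\r\n"), ("s", b"250 OK\r\n"),
                ("c", b"RCPT TO:<bob@example.test>\r\n"), ("s", b"250 OK\r\n"),
                ("c", b"DATA\r\n"), ("s", b"354 End data with <CR><LF>.<CR><LF>\r\n")]
    for who, data in dialogue:
        if who == "c":
            pkts.append(_frame(C_IP, S_IP, 40000, 25, cseq, sseq, PSH | ACK, data)); cseq += len(data)
        else:
            pkts.append(_frame(S_IP, C_IP, 25, 40000, sseq, cseq, PSH | ACK, data)); sseq += len(data)
    body = b"Subject: replay test\r\n\r\nhello\r\n..leading dot line\r\n.\r\n"
    a, b = body[:20], body[20:]
    seg_a = _frame(C_IP, S_IP, 40000, 25, cseq, sseq, PSH | ACK, a)
    seg_b = _frame(C_IP, S_IP, 40000, 25, cseq + len(a), sseq, PSH | ACK, b)
    pkts += [seg_b, seg_a, seg_a]                 # captured out of order, plus a retransmission
    cseq += len(body)
    pkts.append(_frame(S_IP, C_IP, 25, 40000, sseq, cseq, PSH | ACK, b"250 Queued\r\n"))
    pkts.append(_frame(C_IP, S_IP, 40000, 25, cseq, sseq + 13, PSH | ACK, b"QUIT\r\n"))
    return _pcap(pkts)


SAMPLE_PCAP = _sample_session()


# ---- pcap -> TCP segments -> per-flow client stream -> SMTP envelope ----
def tcp_segments(pcap):
    """Yield (src, sport, dst, dport, seq, payload) for every IPv4/TCP segment."""
    magic, = struct.unpack_from("<I", pcap, 0)
    e = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"   # usec or nsec magic, either byte order
    off = 24
    while off + 16 <= len(pcap):
        caplen = struct.unpack_from(e + "IIII", pcap, off)[2]
        frame = pcap[off + 16: off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00":                     # not IPv4
            continue
        ip = frame[14:]
        ihl, total = (ip[0] & 0x0F) * 4, struct.unpack_from("!H", ip, 2)[0]
        if ip[9] != 6:                                      # not TCP
            continue
        tcp = ip[ihl:total]
        sport, dport, seq, _ack, doff = struct.unpack_from("!HHIIB", tcp)
        yield ip[12:16], sport, ip[16:20], dport, seq, tcp[(doff >> 4) * 4:]


def client_streams(pcap, server_port=25):
    """Client->server bytes per flow. Keying on seq puts out-of-order segments in
    place and makes retransmissions collapse instead of duplicating data."""
    flows = {}
    for src, sport, dst, dport, seq, payload in tcp_segments(pcap):
        if dport == server_port and payload:
            flows.setdefault((src, sport, dst, dport), {}).setdefault(seq, payload)
    return {k: b"".join(v[s] for s in sorted(v)) for k, v in flows.items()}


def smtp_envelope(client_bytes):
    """Sender, recipients and message from the client side of a plaintext SMTP
    session; strips the <CRLF>.<CRLF> terminator and undoes dot-stuffing (RFC 5321 4.5.2)."""
    head, _, rest = client_bytes.partition(b"\r\nDATA\r\n")
    sender, rcpts = None, []
    for line in head.split(b"\r\n"):
        if line.upper().startswith(b"MAIL FROM:"):
            sender = line[10:].strip().strip(b"<>").decode()
        elif line.upper().startswith(b"RCPT TO:"):
            rcpts.append(line[8:].strip().strip(b"<>").decode())
    data = rest.partition(b"\r\n.\r\n")[0]
    msg = b"\r\n".join(l[1:] if l.startswith(b".") else l for l in data.split(b"\r\n"))
    return sender, rcpts, msg


def recover_emails(pcap, server_port=25):
    return [smtp_envelope(s) for s in client_streams(pcap, server_port).values()]


def resend(sender, rcpts, msg, host, port=25):
    """Deliver a recovered message over a fresh, properly negotiated TCP/SMTP
    session (what a packet replay cannot do). host is your own test server."""
    with smtplib.SMTP(host, port) as smtp:
        smtp.sendmail(sender, rcpts, msg)


if __name__ == "__main__":
    for sender, rcpts, msg in recover_emails(SAMPLE_PCAP):
        print(sender, rcpts, msg.decode())
```

Run it as-is to see the recovered envelope; to actually deliver, call `resend(sender, rcpts, msg, "your.test.server")` on the tuple it prints. The same pcap reader works on a file written by Wireshark or tcpdump (`recover_emails(open("mail.pcap", "rb").read())`) as long as the session was plaintext SMTP; as the comment notes, a TLS-protected session cannot be recovered or replayed this way, which is the point of TLS.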

Stats

Seen: 12,911 times

Last updated: Sep 29 '20