Network Security Focus-IDS

Re: Testing IDS with tcpreplay

Subject: Re: Testing IDS with tcpreplay
Date: Wed, 15 Feb 2006 22:18:35 -0800
On 2/15/06, Prashant Khandelwal <prashant@juniper.net> wrote:

> <snip>
> Obviously the biggest limitation of tcpreplay is it doesn't come with
> a library of pcaps.  Maybe one of these days I can figure out the
> logistics to make that happen and encourage people to actually submit
> pcaps (which people tend to worry might have some kind of confidential
> IP in them) rather than just leech off everyone else.  If anyone has
> any bright ideas I'd love to hear them.
> </snip>
>
> Well, if it's a matter of hiding IP addresses and sensitive information, then
> I guess tests which are run with private IP addresses in labs can be
> captured and shared... just a thought...

Well, IP addresses are only a part of it. Rewriting a pcap stream to
change the IP addresses to be RFC1918 is actually pretty easy
(tcpreplay can do it for you if you'd like). But some protocols
embed the server FQDN/IP in the application layer (HTTP's Host header
for example). And things like usernames and passwords are probably a
bit more worrisome and tend to be more difficult to edit in a pcap
file.

Overall, unless you're capturing traffic in a dedicated lab
environment, most organizations (at least the ones I've talked to)
wouldn't be happy with wide distribution of traffic captures from
inside or at the perimeter of their network.

--
Aaron Turner
http://synfin.net/
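As an added example (not code from this thread or from tcpreplay itself), the following Python rewrites every IPv4 address in a small constructed pcap into 10.0.0.0/8 and then flags the application-layer headers Aaron mentions (Host, credentials) that survive such rewriting. The frame builder, the 10.0.0.N prefix and the list of sensitive headers are assumptions made for the demonstration.

```python
import struct
import ipaddress

# Constructed sample (not real traffic): Host and Authorization headers leak identity.
HTTP_REQUEST = (b"GET / HTTP/1.1\r\nHost: intranet.corp.example\r\n"
                b"Authorization: Basic dXNlcjpwYXNz\r\n\r\n")
SENSITIVE = (b"Host:", b"Authorization:", b"Cookie:", b"Proxy-Authorization:")

def ip_checksum(header: bytes) -> int:
    # RFC 791 one's-complement sum; returns 0 if a valid checksum is already in place
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total >> 16) + (total & 0xFFFF)
    return ~total & 0xFFFF

def build_frame(src: str, dst: str, payload: bytes) -> bytes:
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6,
                   0, ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed))
    struct.pack_into("!H", ip, 10, ip_checksum(bytes(ip)))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x50, 0x18, 65535, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + bytes(ip) + tcp + payload   # zero MACs, IPv4

def to_pcap(frames: list) -> bytes:   # classic libpcap: v2.4, snaplen 65535, LINKTYPE_ETHERNET=1
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out

def sanitize_pcap(data: bytes, prefix: str = "10.0.0.") -> tuple:
    # Rewrite IPv4 addresses consistently into RFC1918 space and fix the IP checksum
    # (the TCP checksum spans the pseudo-header and is left to a checksum fixer).
    mapping, findings, out, pos, n = {}, [], bytearray(data[:24]), 24, 0
    while pos < len(data):
        incl = struct.unpack("<IIII", data[pos:pos + 16])[2]
        frame = bytearray(data[pos + 16:pos + 16 + incl])
        if frame[12:14] == b"\x08\x00":
            ihl = (frame[14] & 0x0F) * 4
            for off in (26, 30):                                  # src, dst fields
                real = str(ipaddress.ip_address(bytes(frame[off:off + 4])))
                fake = mapping.setdefault(real, prefix + str(len(mapping) + 1))
                frame[off:off + 4] = ipaddress.ip_address(fake).packed
            frame[24:26] = b"\x00\x00"
            struct.pack_into("!H", frame, 24, ip_checksum(bytes(frame[14:14 + ihl])))
            if frame[23] == 6:   # TCP: scan payload (after data offset) for leaky headers
                for line in frame[14 + ihl + (frame[26 + ihl] >> 4) * 4:].split(b"\r\n"):
                    if line.startswith(SENSITIVE):
                        findings.append((n, line.split(b":")[0].decode()))
        out += data[pos:pos + 16] + frame
        pos, n = pos + 16 + incl, n + 1
    return bytes(out), mapping, findings
```

The returned findings list is the manual-review queue: the addresses are gone, but each listed header still has to be edited or the packet dropped before the capture is shared.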
