In my last blog post, I discussed several new Recreate features, some we just announced today. I am going to back things up a bit and explain some of Recreate's internals. Hopefully, armed with some insight into the inner workings of Recreate, it will help you to creatively evaluate and/or test your networking equipment.
Recreate's primary purpose is to allow the end user to import libpcap-formatted network traffic files obtained from tools such as tcpdump and Wireshark.
When I was an IPS developer, I relied heavily on packet captures for various day-to-day tasks such as:
Obviously, not all BreakingPoint users are IPS developers, but Recreate can perform valuable tasks that are similar to the testing needs from my past life. The test criteria for DUTs such as routers, switches, firewalls, IDS/IPS, load balancers, etc. should be similar.
These pcap files can be obtained from customers, developers, QA, field engineers, security signature writers, etc. They may contain varying amounts of actual client/server traffic or packets created and/or modified by tools such as scapy, netdude, tcprewrite, hping, and nemesis.
When a pcap is imported into Recreate, the original pcap file is saved for raw playback mode.
Multiple Recreate Test components can be run simultaneously or mixed in with other test components and run simultaneously through the device under test (DUT) on different interfaces.
Since pcap-formatted files are more familiar to everyone, and we store this information internally a little differently, I will discuss pcap files first.
Below is an example of a tcpdump capture. This information would be replayed exactly "as-is" in raw playback mode. It should be noted that the const struct pcap_pkthdr contains timing information that Recreate honors if the General Behavior Parameter Value is set to Use Capture File settings. Recreate will also refuse to import a packet capture if the number of bytes on the wire was greater than the number of bytes captured for any packet, i.e. if the snaplen truncated packets. If using tcpdump, set the snaplen to capture the whole packet by passing the parameter -s 0.
The Modification Options affect how the raw playback mode retransmits the pcap in its entirety. The BPF filter string allows you to only send traffic that matches your BPF filter without modifying the pcap on disk. The pcap can be replayed over and over again by setting loop count to a number greater than 1. The Session Ramp, Session Configuration, IPv4, TCP, and Data Rate parameters are ignored in raw playback mode. While this mode cannot send packets nearly as fast as normal mode, it is valuable for testing L2, L3, and L4 header issues that cannot be easily tested in normal mode.
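To make the import rule and the timing behaviour above concrete, here is an added example (mine, not Recreate's or BreakingPoint's code) that reads a libpcap file held in memory, rejects a capture in which any record's wire length exceeds its captured length, and turns the record timestamps into the inter-packet gaps a raw playback that follows the capture file would honor, repeated for the Loop Count. The pcap bytes are constructed inline: the frame contents are placeholders, and the two gaps are taken from the tcpdump timestamps shown further down. How Recreate spaces the loops is not stated on the page, so the zero gap between passes is this example's assumption.

```python
import struct
from typing import NamedTuple

# Added example, not Recreate's own code: a minimal libpcap reader that applies the two
# import-time rules discussed above. Every record must be fully captured (incl_len equal
# to orig_len, which is what tcpdump -s 0 guarantees), and the record timestamps become
# the inter-packet gaps a raw-playback replay honors.

PCAP_MAGIC_USEC = 0xA1B2C3D4      # microsecond-resolution pcap, as written by tcpdump
PCAP_MAGIC_SWAPPED = 0xD4C3B2A1   # the same magic read from a file of the other byte order
LINKTYPE_ETHERNET = 1


class Record(NamedTuple):
    ts_usec: int    # absolute timestamp in microseconds (ts_sec * 1e6 + ts_usec)
    incl_len: int   # bytes saved in the file (limited by snaplen)
    orig_len: int   # bytes that were on the wire
    data: bytes


class TruncatedCaptureError(ValueError):
    """A record's wire length exceeds its captured length."""


def read_pcap(blob):
    """Parse an in-memory libpcap file: a 24-byte global header, then 16-byte record
    headers (the on-disk layout of struct pcap_pkthdr) each followed by incl_len bytes."""
    if len(blob) < 24:
        raise ValueError("file too short for a pcap global header")
    magic = struct.unpack_from("<I", blob, 0)[0]
    if magic == PCAP_MAGIC_USEC:
        endian = "<"
    elif magic == PCAP_MAGIC_SWAPPED:
        endian = ">"
    else:
        raise ValueError(f"unsupported pcap magic 0x{magic:08x}")   # nanosecond pcap, pcapng, garbage
    _, _, _, _, _, snaplen, linktype = struct.unpack_from(endian + "IHHiIII", blob, 0)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    records, off = [], 24
    while off < len(blob):
        if off + 16 > len(blob):
            raise ValueError("trailing bytes shorter than a record header")
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from(endian + "IIII", blob, off)
        off += 16
        if incl_len > snaplen or off + incl_len > len(blob):
            raise ValueError(f"record at offset {off - 16} has an impossible incl_len {incl_len}")
        records.append(Record(ts_sec * 1_000_000 + ts_usec, incl_len, orig_len, blob[off:off + incl_len]))
        off += incl_len
    return records


def check_importable(records):
    """Reject the whole capture if any packet was cut short by the snaplen."""
    for i, r in enumerate(records):
        if r.orig_len > r.incl_len:
            raise TruncatedCaptureError(
                f"record {i}: {r.incl_len} of {r.orig_len} bytes captured; re-run tcpdump with -s 0")
    return len(records)


def replay_schedule(records, loop_count=1):
    """Microseconds to wait before each packet when replaying with the capture file's own
    timing. Assumption: each loop starts immediately after the previous one ends."""
    gaps = [0] + [b.ts_usec - a.ts_usec for a, b in zip(records, records[1:])]
    return gaps * loop_count


def build_pcap(entries, snaplen=65535):
    """Write a little-endian pcap from (timestamp_usec, frame_bytes, wire_len) tuples."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)]
    for ts, data, wire_len in entries:
        out.append(struct.pack("<IIII", ts // 1_000_000, ts % 1_000_000, len(data), wire_len))
        out.append(data)
    return b"".join(out)


# Constructed sample data. The gaps (33185 us, then 129 us) follow the tcpdump timestamps
# of the SYN, SYN/ACK and GET shown below; the frame bytes are placeholders, not real packets.
T0 = 1_247_670_877_567_201
GOOD = [(T0, b"\x00" * 60, 60), (T0 + 33185, b"\x00" * 60, 60), (T0 + 33185 + 129, b"\x00" * 671, 671)]
# The same traffic captured with -s 96: the 671-byte GET is cut off at 96 bytes.
TRUNCATED = [(T0, b"\x00" * 60, 60), (T0 + 33185 + 129, b"\x00" * 96, 671)]


def import_good(loop_count=1):
    records = read_pcap(build_pcap(GOOD))
    check_importable(records)
    return replay_schedule(records, loop_count)


def import_truncated():
    try:
        check_importable(read_pcap(build_pcap(TRUNCATED, snaplen=96)))
    except TruncatedCaptureError as exc:
        return str(exc)
    return "accepted"


if __name__ == "__main__":
    print("replay gaps (us), two loops:", import_good(2))
    print("truncated capture:", import_truncated())
```

The byte-order check matters in practice: a pcap written on a big-endian capture box carries the swapped magic, and a reader that assumes little-endian would misparse every length field and then "detect" truncation that never happened.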
Let's examine the beginning of a single HTTP session in tcpdump.
Below we see the TCP three-way handshake and an HTTP GET request to www.google.com.
$ tcpdump -Xvvv -r bpt2.pcap "tcp port 80" | more
10:14:37.567201 IP (tos 0x0, ttl 64, id 39249, offset 0, flags [DF], proto TCP (6), length 60) 10.10.10.42.46340 > yx-in-f104.google.com.http: S, cksum 0xd303 (correct), 974896626:974896626(0) win 5840
    0x0000:  4500 003c 9951 4000 4006 1552 0a0a 0a2a  E..<.Q@.@..R...*
    0x0010:  4a7d 2d68 b504 0050 3a1b bdf2 0000 0000  J}-h...P:.......
    0x0020:  a002 16d0 d303 0000 0204 05b4 0402 080a  ................
    0x0030:  000f 24a3 0000 0000 0103 0306            ..$.........
10:14:37.600386 IP (tos 0x0, ttl 55, id 22877, offset 0, flags [none], proto TCP (6), length 60) yx-in-f104.google.com.http > 10.10.10.42.46340: S, cksum 0x3946 (correct), 1132689922:1132689922(0) ack 974896627 win 5672
    0x0000:  4500 003c 595d 0000 3706 9e46 4a7d 2d68  E..
yx-in-f104.google.com.http: ., cksum 0x7d9e (correct), 1:1(0) ack 1 win 92
    0x0000:  4500 0034 9952 4000 4006 1559 0a0a 0a2a  E..4.R@.@..Y...*
    0x0010:  4a7d 2d68 b504 0050 3a1b bdf3 4383 7a03  J}-h...P:...C.z.
    0x0020:  8010 005c 7d9e 0000 0101 080a 000f 24c4  ...\}.........$.
    0x0030:  b83c 24b0                                .<$.
10:14:37.600515 IP (tos 0x0, ttl 64, id 39251, offset 0, flags [DF], proto TCP (6), length 671) 10.10.10.42.46340 > yx-in-f104.google.com.http: P, cksum 0x5bc3 (correct), 1:620(619) ack 1 win 92
    0x0000:  4500 029f 9953 4000 4006 12ed 0a0a 0a2a  E....S@.@......*
    0x0010:  4a7d 2d68 b504 0050 3a1b bdf3 4383 7a03  J}-h...P:...C.z.
    0x0020:  8018 005c 5bc3 0000 0101 080a 000f 24c4  ...\[.........$.
    0x0030:  b83c 24b0 4745 5420 2f20 4854 5450 2f31  .<$.GET./.HTTP/1
    0x0040:  2e31 0d0a 486f 7374 3a20 7777 772e 676f  .1..Host:.www.go
    0x0050:  6f67 6c65 2e63 6f6d 0d0a 5573 6572 2d41  ogle.com..User-A
    0x0060:  6765 6e74 3a20 4d6f 7a69 6c6c 612f 352e  gent:.Mozilla/5.
    0x0070:  3020 2858 3131 3b20 553b 204c 696e 7578  0.(X11;.U;.Linux
    0x0080:  2069 3638 363b 2065 6e2d 5553 3b20 7276  .i686;.en-US;.rv
    0x0090:  3a31 2e39 2e31 2920 4765 636b 6f2f 3230  :1.9.1).Gecko/20
    0x00a0:  3039 3036 3330 2046 6564 6f72 612f 332e  090630.Fedora/3.
    0x00b0:  352d 312e 6663 3131 2046 6972 6566 6f78  5-1.fc11.Firefox
    0x00c0:  2f33 2e35 0d0a 4163 6365 7074 3a20 7465  /3.5..Accept:.te
    0x00d0:  7874 2f68 746d 6c2c 6170 706c 6963 6174  xt/html,applicat
    0x00e0:  696f 6e2f 7868 746d 6c2b 786d 6c2c 6170  ion/xhtml+xml,ap
    0x00f0:  706c 6963 6174 696f 6e2f 786d 6c3b 713d  plication/xml;q=
    0x0100:  302e 392c 2a2f 2a3b 713d 302e 380d 0a41  0.9,*/*;q=0.8..A
    0x0110:  6363 6570 742d 4c61 6e67 7561 6765 3a20  ccept-Language:.
    0x0120:  656e 2d75 732c 656e 3b71 3d30 2e35 0d0a  en-us,en;q=0.5..
    0x0130:  4163 6365 7074 2d45 6e63 6f64 696e 673a  Accept-Encoding:
    0x0140:  2067 7a69 702c 6465 666c 6174 650d 0a41  .gzip,deflate..A
    0x0150:  6363 6570 742d 4368 6172 7365 743a 2049  ccept-Charset:.I
    0x0160:  534f 2d38 3835 392d 312c 7574 662d 383b  SO-8859-1,utf-8;
    0x0170:  713d 302e 372c 2a3b 713d 302e 370d 0a4b  q=0.7,*;q=0.7..K
    0x0180:  6565 702d 416c 6976 653a 2033 3030 0d0a  eep-Alive:.300..
    0x0190:  436f 6e6e 6563 7469 6f6e 3a20 6b65 6570  Connection:.keep
    0x01a0:  2d61 6c69 7665 0d0a 436f 6f6b 6965 3a20  -alive..Cookie:.
    0x01b0:  5052 4546 3d49 443d 6461 6230 3736 3834  PREF=ID=dab07684
    0x01c0:  3433 3630 3861 6530 3a55 3d32 3233 3565  43608ae0:U=2235e
    0x01d0:  6434 3334 3338 3835 6464 653a 544d 3d31  d4343885dde:TM=1
    0x01e0:  3234 3736 3730 3236 383a 4c4d 3d31 3234  247670268:LM=124
    0x01f0:  3736 3730 3330 373a 533d 7032 7879 3235  7670307:S=p2xy25
    0x0200:  486c 6474 7871 4f76 7558 3b20 4e49 443d  HldtxqOvuX;.NID=
    0x0210:  3234 3d64 4170 5869 6574 7438 6837 3173  24=dApXiett8h71s
    0x0220:  4759 6448 3832 7861 4b50 5565 7534 5a44  GYdH82xaKPUeu4ZD
    0x0230:  6d2d 6b69 4e70 4b32 4467 4868 5275 356a  m-kiNpK2DgHhRu5j
    0x0240:  3169 484a 7945 4d67 5341 5635 3537 4173  1iHJyEMgSAV557As
    0x0250:  504d 735f 5979 4a65 4c57 4f7a 7032 4f53  PMs_YyJeLWOzp2OS
    0x0260:  6458 3562 4255 7353 494e 776b 626c 7663  dX5bBUsSINwkblvc
    0x0270:  5149 4566 614d 5949 5454 6d37 5347 3339  QIEfaMYITTm7SG39
    0x0280:  7a73 6c4e 7032 6445 7871 5a37 5751 2d46  zslNp2dExqZ7WQ-F
    0x0290:  724d 5a3b 2054 5a3d 3330 300d 0a0d 0a    rMZ;.TZ=300....

Behind the scenes, two things happen. First, the original pcap file is copied to the BreakingPoint Elite. Second, a directory structure is created that sorts the capture file into protocols. Protocols are identified first via regular expressions; if nothing matches, IANA well-known port assignments are used. Within each protocol directory, we store files that contain information about a flow. A flow is defined as having matching source and destination IPv4 or IPv6 addresses and matching source and destination TCP or UDP ports. Our network processor then uses the information contained within these files, along with the Recreate Parameters and the Network Neighborhood settings, to recreate the network traffic for your tests.
Here is the identical flow from the example above, in our internal format. As you can see, we store only the minimum amount of Layer 3 information. The IP addresses and port numbers identify the individual flows and are rewritten according to the Network Neighborhood settings. The file also stores the Ethernet type (Layer 2 information), the IP protocol, the direction (client or server), and the TCP flags if applicable.
flow 0: reqs: ***DP flags: 0x08 eth_type: 0x0800, ip_p: 0x06 10.10.10.42 46340 > 74.125.45.104 80
flow 0: buffer: C->S 619 bytes, flags: 0x04 NoT
[0000] 47 45 54 20 2F 20 48 54 54 50 2F 31 2E 31 0D 0A GET...HT TP.1.1..
[0010] 48 6F 73 74 3A 20 77 77 77 2E 67 6F 6F 67 6C 65 Host..ww w.google
[0020] 2E 63 6F 6D 0D 0A 55 73 65 72 2D 41 67 65 6E 74 .com..Us er.Agent
[0030] 3A 20 4D 6F 7A 69 6C 6C 61 2F 35 2E 30 20 28 58 ..Mozill a.5.0..X
[0040] 31 31 3B 20 55 3B 20 4C 69 6E 75 78 20 69 36 38 11..U..L inux.i68
[0050] 36 3B 20 65 6E 2D 55 53 3B 20 72 76 3A 31 2E 39 6..en.US ..rv.1.9
[0060] 2E 31 29 20 47 65 63 6B 6F 2F 32 30 30 39 30 36 .1..Geck o.200906
[0070] 33 30 20 46 65 64 6F 72 61 2F 33 2E 35 2D 31 2E 30.Fedor a.3.5.1.
[0080] 66 63 31 31 20 46 69 72 65 66 6F 78 2F 33 2E 35 fc11.Fir efox.3.5
[0090] 0D 0A 41 63 63 65 70 74 3A 20 74 65 78 74 2F 68 ..Accept ..text.h
[00a0] 74 6D 6C 2C 61 70 70 6C 69 63 61 74 69 6F 6E 2F tml.appl ication.
[00b0] 78 68 74 6D 6C 2B 78 6D 6C 2C 61 70 70 6C 69 63 xhtml.xm l.applic
[00c0] 61 74 69 6F 6E 2F 78 6D 6C 3B 71 3D 30 2E 39 2C ation.xm l.q.0.9.
[00d0] 2A 2F 2A 3B 71 3D 30 2E 38 0D 0A 41 63 63 65 70 ....q.0. 8..Accep
[00e0] 74 2D 4C 61 6E 67 75 61 67 65 3A 20 65 6E 2D 75 t.Langua ge..en.u
[00f0] 73 2C 65 6E 3B 71 3D 30 2E 35 0D 0A 41 63 63 65 s.en.q.0 .5..Acce
[0100] 70 74 2D 45 6E 63 6F 64 69 6E 67 3A 20 67 7A 69 pt.Encod ing..gzi
[0110] 70 2C 64 65 66 6C 61 74 65 0D 0A 41 63 63 65 70 p.deflat e..Accep
[0120] 74 2D 43 68 61 72 73 65 74 3A 20 49 53 4F 2D 38 t.Charse t..ISO.8
[0130] 38 35 39 2D 31 2C 75 74 66 2D 38 3B 71 3D 30 2E 859.1.ut f.8.q.0.
[0140] 37 2C 2A 3B 71 3D 30 2E 37 0D 0A 4B 65 65 70 2D 7...q.0. 7..Keep.
[0150] 41 6C 69 76 65 3A 20 33 30 30 0D 0A 43 6F 6E 6E Alive..3 00..Conn
[0160] 65 63 74 69 6F 6E 3A 20 6B 65 65 70 2D 61 6C 69 ection.. keep.ali
[0170] 76 65 0D 0A 43 6F 6F 6B 69 65 3A 20 50 52 45 46 ve..Cook ie..PREF
[0180] 3D 49 44 3D 64 61 62 30 37 36 38 34 34 33 36 30 .ID.dab0 76844360
[0190] 38 61 65 30 3A 55 3D 32 32 33 35 65 64 34 33 34 8ae0.U.2 235ed434
[01a0] 33 38 38 35 64 64 65 3A 54 4D 3D 31 32 34 37 36 3885dde. TM.12476
[01b0] 37 30 32 36 38 3A 4C 4D 3D 31 32 34 37 36 37 30 70268.LM .1247670
[01c0] 33 30 37 3A 53 3D 70 32 78 79 32 35 48 6C 64 74 307.S.p2 xy25Hldt
[01d0] 78 71 4F 76 75 58 3B 20 4E 49 44 3D 32 34 3D 64 xqOvuX.. NID.24.d
[01e0] 41 70 58 69 65 74 74 38 68 37 31 73 47 59 64 48 ApXiett8 h71sGYdH
[01f0] 38 32 78 61 4B 50 55 65 75 34 5A 44 6D 2D 6B 69 82xaKPUe u4ZDm.ki
[0200] 4E 70 4B 32 44 67 48 68 52 75 35 6A 31 69 48 4A NpK2DgHh Ru5j1iHJ
[0210] 79 45 4D 67 53 41 56 35 35 37 41 73 50 4D 73 5F yEMgSAV5 57AsPMs.
[0220] 59 79 4A 65 4C 57 4F 7A 70 32 4F 53 64 58 35 62 YyJeLWOz p2OSdX5b
[0230] 42 55 73 53 49 4E 77 6B 62 6C 76 63 51 49 45 66 BUsSINwk blvcQIEf
[0240] 61 4D 59 49 54 54 6D 37 53 47 33 39 7A 73 6C 4E aMYITTm7 SG39zslN
[0250] 70 32 64 45 78 71 5A 37 57 51 2D 46 72 4D 5A 3B p2dExqZ7 WQ.FrMZ.
[0260] 20 54 5A 3D 33 30 30 0D 0A 0D 0A .TZ.300. ...
flow 0: delay 33 milliseconds
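The flow-sorting step described above, as an added example that is not Recreate's or BreakingPoint's code: it parses raw Ethernet frames, keys them by the pair of IPv4 addresses and TCP/UDP ports so that both directions land in one flow, identifies the protocol by a payload regex first and IANA port second, and records each data buffer with its direction and TCP flags, the same Layer 2, Layer 3 and Layer 4 facts the flow file above keeps. Everything not on the page is an assumption of the example: the frames are constructed inline (with the tcpdump timing of the HTTP session above and a made-up DNS exchange to show UDP handled the same way), the sender of a flow's first packet is taken as the client, the regex list and port table are illustrative, and `describe` only loosely imitates the flow-file line format.

```python
import re
import struct

# Added example, not Recreate's own code. It sorts raw Ethernet frames into flows as the
# import step above describes: packets sharing one pair of IPv4 addresses and TCP/UDP ports,
# in either direction, form a flow; the protocol is identified by a payload regex first and
# by IANA well-known port second. Treating whoever sent the flow's first packet as the
# client is this example's assumption, not a rule the blog post states.

ETH_IPV4 = 0x0800
IPPROTO_TCP, IPPROTO_UDP = 6, 17
TCP_SYN, TCP_PSH, TCP_ACK = 0x02, 0x08, 0x10
PAYLOAD_SIGNATURES = [("http", re.compile(rb"^(GET|POST|HEAD|PUT) \S+ HTTP/1\.[01]\r\n"))]
WELL_KNOWN_PORTS = {25: "smtp", 53: "dns", 80: "http", 443: "https"}   # illustrative subset


def ipv4(addr):
    return bytes(int(octet) for octet in addr.split("."))


def frame(src, sport, dst, dport, proto, payload=b"", flags=0):
    """Build an Ethernet/IPv4/TCP-or-UDP frame with zero checksums: constructed input for
    the parser below, not traffic meant for a wire."""
    if proto == IPPROTO_TCP:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 5840, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 0, 0x4000,
                     64, proto, 0, ipv4(src), ipv4(dst))
    eth = bytes.fromhex("001122334455 66778899aabb") + struct.pack("!H", ETH_IPV4)
    return eth + ip + l4 + payload


def parse(raw):
    """Layer 2-4 fields a flow record needs; None for anything but IPv4 TCP/UDP."""
    eth_type = struct.unpack_from("!H", raw, 12)[0]
    if eth_type != ETH_IPV4:
        return None
    ihl, total_len, proto = (raw[14] & 0x0F) * 4, struct.unpack_from("!H", raw, 16)[0], raw[23]
    src, dst = ".".join(map(str, raw[26:30])), ".".join(map(str, raw[30:34]))
    l4 = 14 + ihl
    sport, dport = struct.unpack_from("!HH", raw, l4)
    if proto == IPPROTO_TCP:
        hdr_len, flags = (raw[l4 + 12] >> 4) * 4, raw[l4 + 13]
    elif proto == IPPROTO_UDP:
        hdr_len, flags = 8, 0
    else:
        return None
    return eth_type, proto, src, sport, dst, dport, flags, raw[l4 + hdr_len:14 + total_len]


def identify(server_port, first_payload):
    """Regex on the first data buffer wins; otherwise fall back to the server's port."""
    for name, pattern in PAYLOAD_SIGNATURES:
        if pattern.match(first_payload):
            return name
    return WELL_KNOWN_PORTS.get(server_port, f"port-{server_port}")


def sort_into_flows(packets):
    """packets: iterable of (timestamp_usec, raw_frame). Returns flows in first-seen order."""
    flows = {}
    for ts, raw in packets:
        fields = parse(raw)
        if fields is None:
            continue
        eth_type, proto, src, sport, dst, dport, flags, payload = fields
        key = (proto,) + tuple(sorted([(src, sport), (dst, dport)]))   # same key in both directions
        flow = flows.get(key)
        if flow is None:
            flow = flows[key] = {"eth_type": eth_type, "ip_p": proto, "client": (src, sport),
                                 "server": (dst, dport), "first_ts": ts, "protocol": None,
                                 "buffers": [], "delay_ms": None}
        direction = "C->S" if (src, sport) == flow["client"] else "S->C"
        if payload:
            if flow["protocol"] is None:
                flow["protocol"] = identify(flow["server"][1], payload)
                flow["delay_ms"] = (ts - flow["first_ts"]) // 1000   # first packet to first data
            flow["buffers"].append((direction, len(payload), flags))
    return list(flows.values())


def describe(index, flow):
    """One-line summary loosely modeled on the flow file shown above."""
    (cip, cport), (sip, sport) = flow["client"], flow["server"]
    return (f"flow {index}: {flow['protocol']} eth_type: 0x{flow['eth_type']:04x}, ip_p: 0x{flow['ip_p']:02x} "
            f"{cip} {cport} > {sip} {sport}, {len(flow['buffers'])} buffer(s), delay {flow['delay_ms']} ms")


# Constructed sample: a DNS exchange, then the HTTP session from the tcpdump output above
# with its real gaps (SYN, +33185 us SYN/ACK, +129 us ACK and GET). Request text is shortened.
T0 = 1_247_670_877_567_201
GET = b"GET / HTTP/1.1\r\nHost: www.google.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n"
SAMPLE = [
    (T0 - 12000, frame("10.10.10.42", 51000, "10.10.10.1", 53, IPPROTO_UDP, b"\x12\x34\x01\x00" + b"\x00" * 8)),
    (T0 - 11000, frame("10.10.10.1", 53, "10.10.10.42", 51000, IPPROTO_UDP, b"\x12\x34\x81\x80" + b"\x00" * 24)),
    (T0, frame("10.10.10.42", 46340, "74.125.45.104", 80, IPPROTO_TCP, flags=TCP_SYN)),
    (T0 + 33185, frame("74.125.45.104", 80, "10.10.10.42", 46340, IPPROTO_TCP, flags=TCP_SYN | TCP_ACK)),
    (T0 + 33314, frame("10.10.10.42", 46340, "74.125.45.104", 80, IPPROTO_TCP, flags=TCP_ACK)),
    (T0 + 33314, frame("10.10.10.42", 46340, "74.125.45.104", 80, IPPROTO_TCP, GET, TCP_PSH | TCP_ACK)),
]

if __name__ == "__main__":
    for i, flow in enumerate(sort_into_flows(SAMPLE)):
        print(describe(i, flow))
```

Run stand-alone it prints two flows: the DNS exchange keyed on port 53, and the HTTP flow with one 65-byte client-to-server buffer carrying PSH/ACK and a 33 ms delay between the SYN and the first data, which is the same figure the flow file above records.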
The specified parameters tell Recreate to Ramp Up for 10 seconds, during which time it should perform a Full Open (perform the TCP three-way handshake, but don't send any data). The test then maintains each session for 10 seconds. During the 10-second Ramp Down stage, Recreate closes all sessions.
After the test was completed, I exported the packet buffer from my test interfaces. Opening this file in Wireshark, you can see the 10 TCP sessions being initiated to and from the IP address ranges defined within Network Neighborhood.
The following Wireshark filter was used: (tcp.flags == 2 or tcp.flags == 18 or tcp.flags == 16) and tcp.port == 80
Following any one of the above streams in Wireshark will show the exact same contents as detailed in the above flow description.
This demonstrates some of the power, flexibility, and extensibility of the Recreate test component and explains how the individual parameters within Recreate and Network Neighborhood interact. Hopefully this will inspire you to use the Recreate component in other creative ways during your tests.