Jul 28, 2009

Get Creative with Capture and Recreate when Testing Network Equipment

by Kirby Kuehl

In my last blog post, I discussed several new Recreate features, some of which we just announced today. I am going to back things up a bit and explain some of Recreate's internals. With some insight into the inner workings of Recreate, you should be able to evaluate and test your networking equipment more creatively.

Recreate's primary purpose is to let the end user import libpcap-formatted network traffic files, obtained from tools such as tcpdump and Wireshark, and replay that traffic through a device under test (DUT).

When I was an IPS developer, I relied heavily on packet captures for various day-to-day tasks such as:

  • Testing the accuracy of protocol decoding engines against different operations within a protocol, and against different vendors' or implementations' dialects of that protocol.
  • Testing the detection capability of security signatures.
  • Testing the performance of the protocol decoding engines.
  • Looping complicated traffic continuously to test for memory leaks.
  • Fixing and validating bugs; a reproducible bug captured in a pcap was always a godsend.

Obviously, not all BreakingPoint users are IPS developers, but Recreate can perform valuable tasks that closely match the testing needs from my past life. The test criteria for DUTs such as routers, switches, firewalls, IDS/IPS, load balancers, etc. are similar.

These pcap files can be obtained from customers, developers, QA, field engineers, security signature writers, etc. They may contain varying amounts of real client/server traffic, or packets created and/or modified by tools such as scapy, netdude, tcprewrite, hping, and nemesis.

Importing Packet Capture Files

When a pcap is imported into Recreate, the original pcap file is saved for raw playback mode.

  • Recreate's Ramp Parameters control the number and rate of sessions and how they are started, maintained, and closed.
  • Session Parameters control the minimum and maximum number of simultaneous sessions and the test criteria target values.
  • The IPv4 and TCP Parameters can be altered to adjust the characteristics of the flows within the test.
  • The Data Rate parameters control minimum and maximum data rates.

Multiple Recreate Test components can be run simultaneously or mixed in with other test components and run simultaneously through the device under test (DUT) on different interfaces.

Since pcap-formatted files are familiar to everyone, while we store this information internally a little differently, I will discuss pcap files first.

TCPDUMP Captures and Replay Capture File without Modification Mode

Below is an example of a tcpdump capture. In raw playback mode this information is replayed exactly "as-is". Note that each packet's struct pcap_pkthdr carries a timestamp, which Recreate honors if the General Behavior parameter is set to Use Capture File settings. Recreate will also refuse to import a packet capture in which the number of bytes on the wire (len) exceeds the number of bytes captured (caplen), i.e. a capture taken with a snaplen smaller than the packets. If using tcpdump, set the snaplen to capture the whole packet by passing -s 0; tcpdump releases before 4.0 default to a 68-byte snaplen, which keeps the headers and drops most of the payload. To check an existing file before importing it, the Wireshark display filter frame.cap_len < frame.len lists every truncated packet.

The Modification Options affect how raw playback mode retransmits the pcap in its entirety. The BPF filter string lets you send only the traffic that matches the filter, without modifying the pcap on disk. The pcap can be replayed over and over again by setting the loop count to a number greater than 1. The Session Ramp, Session Configuration, IPv4, TCP, and Data Rate parameters are ignored in raw playback mode. While this mode cannot send packets nearly as fast as normal mode, it is valuable for testing L2, L3, and L4 header issues that cannot easily be tested in normal mode.

Examining a TCPDUMP packet capture file in detail

Let's examine the beginning of a single HTTP session in tcpdump.

Below we see the TCP three-way handshake and an HTTP GET request to www.google.com.

$ tcpdump -Xvvv -r bpt2.pcap "tcp port 80" | more
10:14:37.567201 IP (tos 0x0, ttl 64, id 39249, offset 0, flags [DF], proto TCP (6), length 60) 10.10.10.42.46340 > yx-in-f104.google.com.http: S, cksum 0xd303 (correct), 974896626:974896626(0) win 5840
   0x0000:  4500 003c 9951 4000 4006 1552 0a0a 0a2a  E..<.Q@.@..R...*
   0x0010:  4a7d 2d68 b504 0050 3a1b bdf2 0000 0000  J}-h...P:.......
   0x0020:  a002 16d0 d303 0000 0204 05b4 0402 080a  ................
   0x0030:  000f 24a3 0000 0000 0103 0306            ..$.........
10:14:37.600386 IP (tos 0x0, ttl 55, id 22877, offset 0, flags [none], proto TCP (6), length 60) yx-in-f104.google.com.http > 10.10.10.42.46340: S, cksum 0x3946 (correct), 1132689922:1132689922(0) ack 974896627 win 5672
   0x0000:  4500 003c 595d 0000 3706 9e46 4a7d 2d68  E..<Y]..7..FJ}-h
   (the remaining hex lines of this SYN/ACK and the start of the next packet's header line were lost when the page was captured; the surviving hex below is the client's ACK, IP id 39250, length 52)
   ... > yx-in-f104.google.com.http: ., cksum 0x7d9e (correct), 1:1(0) ack 1 win 92
   0x0000:  4500 0034 9952 4000 4006 1559 0a0a 0a2a  E..4.R@.@..Y...*
   0x0010:  4a7d 2d68 b504 0050 3a1b bdf3 4383 7a03  J}-h...P:...C.z.
   0x0020:  8010 005c 7d9e 0000 0101 080a 000f 24c4  ...\}.........$.
   0x0030:  b83c 24b0                                .<$.
10:14:37.600515 IP (tos 0x0, ttl 64, id 39251, offset 0, flags [DF], proto TCP (6), length 671) 10.10.10.42.46340 > yx-in-f104.google.com.http: P, cksum 0x5bc3 (correct), 1:620(619) ack 1 win 92
   0x0000:  4500 029f 9953 4000 4006 12ed 0a0a 0a2a  E....S@.@......*
   0x0010:  4a7d 2d68 b504 0050 3a1b bdf3 4383 7a03  J}-h...P:...C.z.
   0x0020:  8018 005c 5bc3 0000 0101 080a 000f 24c4  ...\[.........$.
   0x0030:  b83c 24b0 4745 5420 2f20 4854 5450 2f31  .<$.GET./.HTTP/1   
   0x0040:  2e31 0d0a 486f 7374 3a20 7777 772e 676f  .1..Host:.www.go   
   0x0050:  6f67 6c65 2e63 6f6d 0d0a 5573 6572 2d41  ogle.com..User-A   
   0x0060:  6765 6e74 3a20 4d6f 7a69 6c6c 612f 352e  gent:.Mozilla/5.   
   0x0070:  3020 2858 3131 3b20 553b 204c 696e 7578  0.(X11;.U;.Linux   
   0x0080:  2069 3638 363b 2065 6e2d 5553 3b20 7276  .i686;.en-US;.rv   
   0x0090:  3a31 2e39 2e31 2920 4765 636b 6f2f 3230  :1.9.1).Gecko/20   
   0x00a0:  3039 3036 3330 2046 6564 6f72 612f 332e  090630.Fedora/3.   
   0x00b0:  352d 312e 6663 3131 2046 6972 6566 6f78  5-1.fc11.Firefox   
   0x00c0:  2f33 2e35 0d0a 4163 6365 7074 3a20 7465  /3.5..Accept:.te   
   0x00d0:  7874 2f68 746d 6c2c 6170 706c 6963 6174  xt/html,applicat   
   0x00e0:  696f 6e2f 7868 746d 6c2b 786d 6c2c 6170  ion/xhtml+xml,ap   
   0x00f0:  706c 6963 6174 696f 6e2f 786d 6c3b 713d  plication/xml;q=   
   0x0100:  302e 392c 2a2f 2a3b 713d 302e 380d 0a41  0.9,*/*;q=0.8..A   
   0x0110:  6363 6570 742d 4c61 6e67 7561 6765 3a20  ccept-Language:.   
   0x0120:  656e 2d75 732c 656e 3b71 3d30 2e35 0d0a  en-us,en;q=0.5..   
   0x0130:  4163 6365 7074 2d45 6e63 6f64 696e 673a  Accept-Encoding:   
   0x0140:  2067 7a69 702c 6465 666c 6174 650d 0a41  .gzip,deflate..A   
   0x0150:  6363 6570 742d 4368 6172 7365 743a 2049  ccept-Charset:.I   
   0x0160:  534f 2d38 3835 392d 312c 7574 662d 383b  SO-8859-1,utf-8;   
   0x0170:  713d 302e 372c 2a3b 713d 302e 370d 0a4b  q=0.7,*;q=0.7..K   
   0x0180:  6565 702d 416c 6976 653a 2033 3030 0d0a  eep-Alive:.300..   
   0x0190:  436f 6e6e 6563 7469 6f6e 3a20 6b65 6570  Connection:.keep   
   0x01a0:  2d61 6c69 7665 0d0a 436f 6f6b 6965 3a20  -alive..Cookie:.   
   0x01b0:  5052 4546 3d49 443d 6461 6230 3736 3834  PREF=ID=dab07684   
   0x01c0:  3433 3630 3861 6530 3a55 3d32 3233 3565  43608ae0:U=2235e   
   0x01d0:  6434 3334 3338 3835 6464 653a 544d 3d31  d4343885dde:TM=1
   0x01e0:  3234 3736 3730 3236 383a 4c4d 3d31 3234  247670268:LM=124
   0x01f0:  3736 3730 3330 373a 533d 7032 7879 3235  7670307:S=p2xy25
   0x0200:  486c 6474 7871 4f76 7558 3b20 4e49 443d  HldtxqOvuX;.NID=
   0x0210:  3234 3d64 4170 5869 6574 7438 6837 3173  24=dApXiett8h71s
   0x0220:  4759 6448 3832 7861 4b50 5565 7534 5a44  GYdH82xaKPUeu4ZD
   0x0230:  6d2d 6b69 4e70 4b32 4467 4868 5275 356a  m-kiNpK2DgHhRu5j
   0x0240:  3169 484a 7945 4d67 5341 5635 3537 4173  1iHJyEMgSAV557As
   0x0250:  504d 735f 5979 4a65 4c57 4f7a 7032 4f53  PMs_YyJeLWOzp2OS
   0x0260:  6458 3562 4255 7353 494e 776b 626c 7663  dX5bBUsSINwkblvc
   0x0270:  5149 4566 614d 5949 5454 6d37 5347 3339  QIEfaMYITTm7SG39
   0x0280:  7a73 6c4e 7032 6445 7871 5a37 5751 2d46  zslNp2dExqZ7WQ-F
   0x0290:  724d 5a3b 2054 5a3d 3330 300d 0a0d 0a    rMZ;.TZ=300....

Import the above pcap file into Recreate


Examining a Recreate packet capture file in detail

Behind the scenes, two things happen. First, the original pcap file is copied to the BreakingPoint Elite. Second, a directory structure is created that sorts the capture file into protocols. Protocols are identified first by regular expressions; if there are no matches, the IANA well-known port assignments are used. Within each protocol directory we store files that describe a flow. A flow is defined by matching source and destination IPv4 or IPv6 addresses and matching source and destination TCP or UDP ports. Our network processor then uses the information contained within these files, together with the Recreate parameters and the Network Neighborhood settings, to recreate the network traffic for your tests.

Here is the identical flow from the example above, in our internal format. As you can see, we store only the minimum of Layer 3 information: the IP addresses and port numbers identify the individual flows and are rewritten according to the Network Neighborhood settings. The file also stores the Ethernet type (Layer 2 information), the IP protocol, the direction (client or server) and, where applicable, the TCP flags. Since the headers are regenerated when the traffic is replayed, header-level quirks present in the original capture only survive in raw playback mode.

flow 0: reqs: ***DP  flags: 0x08 eth_type: 0x0800, ip_p: 0x06 10.10.10.42 46340 > 74.125.45.104 80

flow 0: buffer: C->S 619 bytes, flags: 0x04 NoT
[0000] 47 45 54 20 2F 20 48 54 54 50 2F 31 2E 31 0D 0A GET...HT TP.1.1..
[0010] 48 6F 73 74 3A 20 77 77 77 2E 67 6F 6F 67 6C 65 Host..ww w.google
[0020] 2E 63 6F 6D 0D 0A 55 73 65 72 2D 41 67 65 6E 74 .com..Us er.Agent
[0030] 3A 20 4D 6F 7A 69 6C 6C 61 2F 35 2E 30 20 28 58 ..Mozill a.5.0..X
[0040] 31 31 3B 20 55 3B 20 4C 69 6E 75 78 20 69 36 38 11..U..L inux.i68
[0050] 36 3B 20 65 6E 2D 55 53 3B 20 72 76 3A 31 2E 39 6..en.US ..rv.1.9
[0060] 2E 31 29 20 47 65 63 6B 6F 2F 32 30 30 39 30 36 .1..Geck o.200906
[0070] 33 30 20 46 65 64 6F 72 61 2F 33 2E 35 2D 31 2E 30.Fedor a.3.5.1.
[0080] 66 63 31 31 20 46 69 72 65 66 6F 78 2F 33 2E 35 fc11.Fir efox.3.5
[0090] 0D 0A 41 63 63 65 70 74 3A 20 74 65 78 74 2F 68 ..Accept ..text.h
[00a0] 74 6D 6C 2C 61 70 70 6C 69 63 61 74 69 6F 6E 2F tml.appl ication.
[00b0] 78 68 74 6D 6C 2B 78 6D 6C 2C 61 70 70 6C 69 63 xhtml.xm l.applic
[00c0] 61 74 69 6F 6E 2F 78 6D 6C 3B 71 3D 30 2E 39 2C ation.xm l.q.0.9.
[00d0] 2A 2F 2A 3B 71 3D 30 2E 38 0D 0A 41 63 63 65 70 ....q.0. 8..Accep
[00e0] 74 2D 4C 61 6E 67 75 61 67 65 3A 20 65 6E 2D 75 t.Langua ge..en.u
[00f0] 73 2C 65 6E 3B 71 3D 30 2E 35 0D 0A 41 63 63 65 s.en.q.0 .5..Acce
[0100] 70 74 2D 45 6E 63 6F 64 69 6E 67 3A 20 67 7A 69 pt.Encod ing..gzi
[0110] 70 2C 64 65 66 6C 61 74 65 0D 0A 41 63 63 65 70 p.deflat e..Accep
[0120] 74 2D 43 68 61 72 73 65 74 3A 20 49 53 4F 2D 38 t.Charse t..ISO.8
[0130] 38 35 39 2D 31 2C 75 74 66 2D 38 3B 71 3D 30 2E 859.1.ut f.8.q.0.
[0140] 37 2C 2A 3B 71 3D 30 2E 37 0D 0A 4B 65 65 70 2D 7...q.0. 7..Keep.
[0150] 41 6C 69 76 65 3A 20 33 30 30 0D 0A 43 6F 6E 6E Alive..3 00..Conn
[0160] 65 63 74 69 6F 6E 3A 20 6B 65 65 70 2D 61 6C 69 ection.. keep.ali
[0170] 76 65 0D 0A 43 6F 6F 6B 69 65 3A 20 50 52 45 46 ve..Cook ie..PREF
[0180] 3D 49 44 3D 64 61 62 30 37 36 38 34 34 33 36 30 .ID.dab0 76844360
[0190] 38 61 65 30 3A 55 3D 32 32 33 35 65 64 34 33 34 8ae0.U.2 235ed434
[01a0] 33 38 38 35 64 64 65 3A 54 4D 3D 31 32 34 37 36 3885dde. TM.12476
[01b0] 37 30 32 36 38 3A 4C 4D 3D 31 32 34 37 36 37 30 70268.LM .1247670
[01c0] 33 30 37 3A 53 3D 70 32 78 79 32 35 48 6C 64 74 307.S.p2 xy25Hldt
[01d0] 78 71 4F 76 75 58 3B 20 4E 49 44 3D 32 34 3D 64 xqOvuX.. NID.24.d
[01e0] 41 70 58 69 65 74 74 38 68 37 31 73 47 59 64 48 ApXiett8 h71sGYdH
[01f0] 38 32 78 61 4B 50 55 65 75 34 5A 44 6D 2D 6B 69 82xaKPUe u4ZDm.ki
[0200] 4E 70 4B 32 44 67 48 68 52 75 35 6A 31 69 48 4A NpK2DgHh Ru5j1iHJ
[0210] 79 45 4D 67 53 41 56 35 35 37 41 73 50 4D 73 5F yEMgSAV5 57AsPMs.
[0220] 59 79 4A 65 4C 57 4F 7A 70 32 4F 53 64 58 35 62 YyJeLWOz p2OSdX5b
[0230] 42 55 73 53 49 4E 77 6B 62 6C 76 63 51 49 45 66 BUsSINwk blvcQIEf
[0240] 61 4D 59 49 54 54 6D 37 53 47 33 39 7A 73 6C 4E aMYITTm7 SG39zslN
[0250] 70 32 64 45 78 71 5A 37 57 51 2D 46 72 4D 5A 3B p2dExqZ7 WQ.FrMZ.
[0260] 20 54 5A 3D 33 30 30 0D 0A 0D 0A .TZ.300. ...
flow 0: delay 33 milliseconds
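The import check described earlier (refusing captures whose packets were cut short by the snaplen) and the flow-splitting step described above, as an added example that is not BreakingPoint's code or part of the original post: a small libpcap reader in Python that flags packets whose caplen is shorter than their wire length, and otherwise groups TCP segments into flows keyed by addresses and ports, recording the direction (C->S or S->C), the payload buffers and the delay between them, much like the per-flow file shown above. The payload regexes, the IANA port table, the 68-byte truncation and the sample capture (built in memory from constructed handshake, GET and reply frames that borrow the timestamps, addresses and sequence numbers of the session above) are assumptions; checksums in the constructed frames are left zero because nothing is transmitted.

```python
# Added example (not BreakingPoint's code): a minimal libpcap reader that rejects
# truncated packets, as Recreate does on import, and splits TCP traffic into per-flow
# buffers with direction and delay. Regexes, port table and sample capture are assumed.
import re
import struct
from collections import OrderedDict

PCAP_MAGIC = {0xA1B2C3D4: '<', 0xD4C3B2A1: '>'}  # microsecond pcap, either byte order
LINKTYPE_ETHERNET = 1
# Assumed detection rules: payload regex first, IANA well-known port as fallback.
PAYLOAD_REGEX = [('http', re.compile(rb'^(GET|POST|HEAD|PUT|DELETE) \S+ HTTP/1\.[01]\r\n')),
                 ('http', re.compile(rb'^HTTP/1\.[01] \d{3} '))]
IANA_PORTS = {22: 'ssh', 25: 'smtp', 53: 'dns', 80: 'http', 443: 'https'}

def parse_pcap(blob):
    """Return (linktype, records); each record is (ts_usec, caplen, wirelen, bytes)."""
    magic, = struct.unpack_from('<I', blob, 0)
    if magic not in PCAP_MAGIC:  # nanosecond pcap (0xA1B23C4D) and pcapng are not handled
        raise ValueError('not a libpcap file: magic 0x%08x' % magic)
    e = PCAP_MAGIC[magic]
    linktype = struct.unpack_from(e + 'IHHiIII', blob, 0)[6]
    records, off = [], 24
    while off + 16 <= len(blob):  # struct pcap_pkthdr: ts_sec, ts_usec, caplen, len
        ts_sec, ts_usec, caplen, wirelen = struct.unpack_from(e + 'IIII', blob, off)
        off += 16
        records.append((ts_sec * 1000000 + ts_usec, caplen, wirelen, blob[off:off + caplen]))
        off += caplen
    return linktype, records

def truncated_packets(records):
    """Indices of packets captured with a snaplen shorter than their wire length."""
    return [i for i, (_, caplen, wirelen, _) in enumerate(records) if caplen < wirelen]

def decode_tcp(frame):
    """Ethernet/IPv4/TCP only: (src, sport, dst, dport, flags, payload) or None."""
    if len(frame) < 54 or frame[12:14] != b'\x08\x00' or frame[23] != 6:
        return None
    ihl, total_len = (frame[14] & 0x0F) * 4, struct.unpack_from('!H', frame, 16)[0]
    src, dst = ('.'.join(str(b) for b in frame[i:i + 4]) for i in (26, 30))
    t = 14 + ihl
    sport, dport, _, _, off_flags = struct.unpack_from('!HHIIH', frame, t)
    payload = frame[t + (off_flags >> 12) * 4:14 + total_len]
    return src, sport, dst, dport, off_flags & 0x1FF, payload

def identify_protocol(payload, server_port):
    for name, rx in PAYLOAD_REGEX:
        if rx.match(payload):
            return name
    return IANA_PORTS.get(server_port, 'unknown')

def extract_flows(records):
    """Group TCP segments by 4-tuple; the first packet seen defines the client side."""
    flows = OrderedDict()
    for ts, _, _, frame in records:
        d = decode_tcp(frame)
        if d is None:
            continue
        src, sport, dst, dport, _flags, payload = d
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if rev in flows:
            key, direction = rev, 'S->C'
        else:
            key, direction = fwd, 'C->S'
            flows.setdefault(key, {'proto': None, 'buffers': [], 'last_ts': None})
        flow = flows[key]
        if payload:  # handshake segments and pure ACKs carry no data, hence no buffer
            if flow['proto'] is None:
                flow['proto'] = identify_protocol(payload, key[3])
            delay_ms = 0 if flow['last_ts'] is None else (ts - flow['last_ts']) / 1000
            flow['buffers'].append((direction, payload, delay_ms))
            flow['last_ts'] = ts
    return flows

def _segment(src, sport, dst, dport, seq, ack, flags, payload=b'', ttl=64):
    """Constructed Ethernet/IPv4/TCP frame; checksums stay zero as nothing is transmitted."""
    ip4 = lambda a: bytes(int(o) for o in a.split('.'))
    tcp = struct.pack('!HHIIHHHH', sport, dport, seq, ack, (5 << 12) | flags, 5840, 0, 0) + payload
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(tcp), 0, 0x4000, ttl, 6, 0, ip4(src), ip4(dst))
    return b'\x00' * 12 + b'\x08\x00' + ip + tcp

def build_sample_pcap(truncate_last=False):
    """Constructed capture shaped like the session above: handshake, GET, reply 33 ms later."""
    c, s = ('10.10.10.42', 46340), ('74.125.45.104', 80)
    get = b'GET / HTTP/1.1\r\nHost: www.google.com\r\n\r\n'
    reply = b'HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n'
    pkts = [(567201, _segment(*c, *s, 974896626, 0, 0x02)),                        # SYN
            (600386, _segment(*s, *c, 1132689922, 974896627, 0x12, ttl=55)),       # SYN/ACK
            (600413, _segment(*c, *s, 974896627, 1132689923, 0x10)),               # ACK
            (600515, _segment(*c, *s, 974896627, 1132689923, 0x18, get)),          # GET
            (633515, _segment(*s, *c, 1132689923, 974896627 + len(get), 0x18, reply))]
    out = struct.pack('<IHHiIII', 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, (usec, frame) in enumerate(pkts):
        caplen = 68 if truncate_last and i == len(pkts) - 1 else len(frame)  # emulate -s 68
        out += struct.pack('<IIII', 1247670877, usec, caplen, len(frame)) + frame[:caplen]
    return out

if __name__ == '__main__':
    _, records = parse_pcap(build_sample_pcap())
    assert not truncated_packets(records), 'truncated packets present: recapture with -s 0'
    for key, flow in extract_flows(records).items():
        print(key, flow['proto'], [(d, len(p), ms) for d, p, ms in flow['buffers']])
```

Run stand-alone, it prints a single flow labelled http with a 40-byte C->S buffer and a reply buffer that follows 33 ms later, the same shape as the per-flow dump above. Calling build_sample_pcap(truncate_last=True) emulates a capture taken with a 68-byte snaplen, and truncated_packets() then returns the offending packet index; that is the condition under which the import should be refused and the traffic recaptured with -s 0.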

Defining the Test Criteria for the imported pcap (bpt2.pcap)


Summary of Session Ramp Distribution Settings

The specified parameters tell Recreate to ramp up for 10 seconds, during which it performs a Full Open (complete the TCP three-way handshake, but send no data). The test then maintains each session for 10 seconds. During the 10-second ramp-down stage, Recreate closes all sessions.

After the test completed, I exported the packet buffer from my test interfaces. Opening this file in Wireshark, you can see the 10 TCP sessions being initiated to and from the IP address ranges defined within Network Neighborhood.

Examining Test Results

The following Wireshark display filter was used: (tcp.flags == 2 or tcp.flags == 18 or tcp.flags == 16) and tcp.port == 80. The numbers are exact matches on the TCP flags byte: 2 (0x02) is a bare SYN, 18 (0x12) is SYN/ACK, and 16 (0x10) is a bare ACK, so the filter shows the handshakes and pure acknowledgements while hiding the PSH/ACK (0x18) data segments.


Following any one of the above streams in Wireshark shows exactly the same contents as detailed in the flow description above.


This demonstrates some of the power, flexibility, and extensibility of the Recreate test component and explains how the individual parameters within Recreate and Network Neighborhood interact. Hopefully this will inspire you to use the Recreate component in other creative ways during your tests.
