From: ADT (synfinatic@gmail.com)
Date: Sat Sep 04 2004 - 21:16:05 EDT
If you're using tcpreplay for performance testing, there are a few
things you should be aware of:
1) Read the FAQ and learn how to tune your OS network stack for best
replay performance. There is also a listing of common error/warning
messages and detailed meanings.
2) tcpreplay will detect a failure to send a packet (i.e. your hardware
can't keep up) and will continue trying to resend the packet until the
hardware catches up.
3) tcpreplay makes a "best effort" in terms of replaying traffic at
the speed you request. There are a number of things which can make
things difficult:
a) your pcap only has a few packets
b) your OS doesn't have a very granular nanosleep() implementation
c) and probably others I'm forgetting
Generally speaking I do not recommend using tcpdump to validate unless
you are testing an inline device and you want to know about
packet loss.
-Aaron
--
synfin.net

On Thu, 2 Sep 2004 21:59:05 -0700, Peter Van Epp <vanepp@sfu.ca> wrote:
> On Wed, Sep 01, 2004 at 01:54:35PM -0700, John Madden wrote:
> > I've gotten a lot of suggestions to test the
> > signatures, I've got some to test the load but they
> > were $$$, anything out there for free ?
> >
> > With a software and not an appliance how does one test
> > the load to know when the IDS can no longer verify
> > packets and they are being dropped ? Is this included
> > in the software ?
> >
> > Thanks again everyone :)
> >
>
> As several people have mentioned tcpreplay from sourceforge.net is
> open source and thus free (at least of capital cost).
> You test to destruction by starting slowly and assume or check that
> the IDS catches everything. You then replay the same tcpdump file at ever
> increasing speeds until the IDS output changes (usually by failing to detect
> one or more signatures). At that point something in the loop is losing packets.
> Now you need to verify that it is the IDS and not somewhere else in your
> test setup (hint: if tcpdump or better, a wire speed sniffer in parallel with
> the IDS network interface sees all the packets you think you sent, then
> probably the failure is in the IDS). At any given speed you probably want to
> make multiple runs and make sure the IDS reports identically on all of them
> since the packet loss will be random and may not occur during a signature
> (isn't performance testing fun? :-) )
>
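The test-to-destruction procedure Peter describes in the quoted reply, written out as decision logic in an added example that is not part of this thread. It assumes you record, per run, the packet count tcpreplay reports as sent, the count a parallel wire-speed sniffer captured, and the set of signatures the IDS fired; the tcpreplay flags and all numbers are assumed/constructed.

```python
"""Added example (not from the thread): decide, per replay speed, whether
the IDS or the test setup is losing packets. The 'expected' signature set
comes from the slowest speed, where all runs must agree. Data is constructed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Run:
    multiplier: float        # tcpreplay -x speed multiplier used for this run
    sent: int                # packets tcpreplay reports it put on the wire
    sniffed: int             # packets a parallel wire-speed sniffer captured
    signatures: frozenset    # signature names the IDS reported for this run

def replay_command(iface, multiplier, pcap):
    """argv for one run; -i/-x are tcpreplay's interface/multiplier flags (assumed present)."""
    return ["tcpreplay", "-i", iface, "-x", str(multiplier), pcap]

def classify(runs, expected):
    """Verdict for all runs made at one speed."""
    if any(r.sniffed < r.sent for r in runs):
        return "setup"     # the sniffer missed packets too: loss is outside (or not only in) the IDS
    if any(r.signatures != expected for r in runs):
        return "ids"       # wire was complete, but IDS output changed or differs between runs
    return "ok"

def find_breaking_point(runs_by_speed):
    """First speed whose verdict is not 'ok' as (speed, verdict); (None, 'ok') if none."""
    speeds = sorted(runs_by_speed)
    baseline = runs_by_speed[speeds[0]]
    expected = baseline[0].signatures
    if any(r.signatures != expected for r in baseline):
        raise ValueError("baseline runs disagree; start from a slower speed")
    for speed in speeds[1:]:
        verdict = classify(runs_by_speed[speed], expected)
        if verdict != "ok":
            return speed, verdict
    return None, "ok"

# Constructed data: a 10,000-packet pcap, three runs per speed.
FULL = frozenset({"sig-A", "sig-B", "sig-C"})
SAMPLE = {
    1.0: [Run(1.0, 10000, 10000, FULL)] * 3,
    5.0: [Run(5.0, 10000, 10000, FULL)] * 3,
    10.0: [Run(10.0, 10000, 10000, FULL),                   # random loss: only one
           Run(10.0, 10000, 10000, FULL - {"sig-B"}),       # of three runs missed
           Run(10.0, 10000, 10000, FULL)],                  # a signature
    20.0: [Run(20.0, 10000, 9600, FULL - {"sig-B"})] * 3,   # sniffer lost packets as well
}

if __name__ == "__main__":
    print(find_breaking_point(SAMPLE))   # (10.0, 'ids')
```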
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:04 EDT