Packet Capture Replay (no Tap)


#1

Can RockNSM conduct/ingest offline replay of packet captures? I have a customer that would like side by side analysis of their network. However, they do not want us to connect to their network. They will syphon off raw pcap data and hand it off to us for analysis. I have considered using tcpreplay to play back the traffic. I didn’t want to assume, but will RockNSM have any issue with this type of scenario?


#2

tcpreplay will work just fine.


#3

You can use tcpreplay, or you can tell Bro and/or Suricata to process the PCAPs directly (which will preserve timestamps).

Read in PCAP with Bro:

mkdir /tmp/pcap
# Put PCAP in there ^^
cd /tmp/pcap
# Create a temporary working dir for bro (bro writes its logs to the cwd)
mkdir logs; chmod 777 logs; cd logs
for item in ../*.pcap; do
  [ -e "${item}" ] || continue   # skip the literal '../*.pcap' when the dir is empty
  # Read in PCAP as the bro user and send to Kafka
  # -C: ignore checksums, -r: read from file, local: load the local.bro policy
  sudo -u bro -g bro /usr/bin/bro -C -r "${item}" local
done

Reading in the PCAP with Suricata is similar:

mkdir /tmp/pcap
# Put PCAP in there ^^
cd /tmp/pcap
# Create a temporary working dir for suricata
mkdir logs; chmod 777 logs; cd logs
for item in ../*.pcap; do
  [ -e "${item}" ] || continue   # skip the literal '../*.pcap' when the dir is empty
  # Read in PCAP as the suricata user and append to normal eve.json
  # -k none: disable checksum checks (the flag takes all|none), -r: read from file
  sudo -u suricata -g suricata /usr/bin/suricata -k none -r "${item}"
done

NOTE: The -C and the -k flags of Bro and Suricata respectively will disable checksum validation, which is often needed for processing PCAP if not captured perfectly.

EDIT: Added chmod 777 to fix permissions warnings/errors
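The two loops above run whatever matches `*.pcap`, so a stray or truncated file handed over by the customer is fed straight to the sensors. The script below is an added example, not code from the thread or from the RockNSM project: it checks each file's libpcap/pcapng magic number before running the same Bro and Suricata commands as the post, counts what was ingested and skipped, and has a DRY_RUN switch so the commands can be reviewed first. BRO_BIN, SURICATA_BIN, DRY_RUN, INGESTED and SKIPPED are this script's own names, not RockNSM settings.

```shell
#!/bin/sh
# Added example: validate and batch-ingest offline PCAPs with the same flags the
# post above uses. Hypothetical knobs: BRO_BIN, SURICATA_BIN, DRY_RUN.
BRO_BIN="${BRO_BIN:-/usr/bin/bro}"
SURICATA_BIN="${SURICATA_BIN:-/usr/bin/suricata}"
DRY_RUN="${DRY_RUN:-0}"   # 1 = print the commands instead of running them

# Print the first four bytes of a file as lowercase hex, byte order preserved.
pcap_magic() {
  od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n'
}

# Return 0 if the file starts with a libpcap or pcapng magic number.
is_pcap_file() {
  case "$(pcap_magic "$1")" in
    a1b2c3d4|d4c3b2a1) return 0 ;;   # libpcap, microsecond timestamps (BE/LE)
    a1b23c4d|4d3cb2a1) return 0 ;;   # libpcap, nanosecond timestamps (BE/LE)
    0a0d0d0a)          return 0 ;;   # pcapng section header block
    *)                 return 1 ;;
  esac
}

# Run a command, or just echo it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# ingest_dir DIR: feed every *.pcap in DIR to Bro and Suricata, skipping files
# that fail the magic check. Sets INGESTED and SKIPPED; returns non-zero if
# anything was skipped so a wrapper script can notice bad input.
ingest_dir() {
  ingest_dir_path="$1"
  INGESTED=0
  SKIPPED=0
  for ingest_f in "$ingest_dir_path"/*.pcap; do
    [ -e "$ingest_f" ] || continue   # no matches: glob stays literal
    if ! is_pcap_file "$ingest_f"; then
      echo "skip: $ingest_f is not a pcap/pcapng file" >&2
      SKIPPED=$((SKIPPED + 1))
      continue
    fi
    # -C: ignore checksums, -r: read from file, local: load local.bro policy
    run sudo -u bro -g bro "$BRO_BIN" -C -r "$ingest_f" local
    # -k none: disable checksum checks, -r: read from file
    run sudo -u suricata -g suricata "$SURICATA_BIN" -k none -r "$ingest_f"
    INGESTED=$((INGESTED + 1))
  done
  echo "ingested=$INGESTED skipped=$SKIPPED" >&2
  [ "$SKIPPED" -eq 0 ]
}
```

Run it from the temporary `logs` directory the post creates (Bro writes its logs to the current directory), e.g. `DRY_RUN=1 sh ingest.sh` first, then `ingest_dir /tmp/pcap` for real. The magic check only proves the file header is a capture; a file truncated mid-packet still passes and is reported by the sensor itself.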