Success has plauged my efforts!

Sat Jun 3 23:05:00 EDT 2000

	It is being a productive week. I think I have identified the source
of the traffic mismatch we have been seeing with argus (and it isn't argus!)
and I just succeeded in building tcpreplay on FreeBSD. Tcpreplay will take
a tcpdump file (captured with -w) and replay it back to the net (an isolated
net one certainly hopes!). It can vary the speed with which the traffic is
replayed allowing us to find out exactly how much traffic a given configuration
can stand without losing traffic. For anyone else interested here are diffs
to tcpreplay to get it to build (with an ugly kludge) on FreeBSD Release 4.0
(the current stable FreeBSD).

1) install FreeBSD 4.0 RELEASE (www.freebsd.org), you want "kernel developer"
   and the ports collection minimum (if you have space everything is fine).

2) edit the config file /sys/i386/config to set pseudo-device bpf 4  (by 
   default it is 0) and rebuild and install the kernel (there is good 
   documentation on how to do this on the web site).

3) do a make then make install in /usr/ports/net/libnet

4) get tcpreplay from http://www.anzen.com/research/nidsbench/ and untar it
   in to (for instance) /usr/local/src/

5) use patch to install the 3 diffs (Makefile.in.dif, configure.dif and
   tcpreplay.c.dif attached below by doing patch < xxx.dif in the tcpreplay 
   source directory.

6) do ./configure, make, make install in the tcpreplay source directory

7) capture and replay tcpdump files. Note that tcpreplay is in /usr/local/sbin
   which isn't in the standard path (or perhaps I forgot to rehash).

--- cut here --- Makefile.in.dif
*** Makefile.in.orig	Wed Apr 21 15:16:41 1999
--- Makefile.in	Sat Jun  3 17:36:45 2000
***************
*** 22,30 ****
  PCAPDEP		= $(PCAPDIR)/pcap.h $(PCAPDIR)/libpcap.a

  LNETDIR		= Libnet-0.99
! LNETINCS	= -I$(LNETDIR)/include
! LNETLIBS	= -L$(LNETDIR)/lib -lnet
! LNETDEP		= $(LNETDIR)/include/libnet.h $(LNETDIR)/libnet.a

  PROGRAMS	= tcpreplay

--- 22,31 ----
  PCAPDEP		= $(PCAPDIR)/pcap.h $(PCAPDIR)/libpcap.a

  LNETDIR		= Libnet-0.99
! LNETINCS	= -I/usr/local/include
! LNETLIBS	= -L/usr/local/lib -lnet
! LNETDEP		= /usr/local/include/libnet.h /usr/local/lib/libnet.a
! DEFINES		= `/usr/local/bin/libnet-config --defines` @DEFS@

  PROGRAMS	= tcpreplay

***************
*** 32,44 ****

  tcpreplay: $(PCAPDEP) $(LNETDEP) tcpreplay.c
  	-rm -f tcpreplay
! 	$(CC) $(CFLAGS) $(DEFS) $(INCS) -o $@ tcpreplay.c $(LDFLAGS) $(LIBS)

  $(PCAPDIR)/libpcap.a:
  	cd $(PCAPDIR) ; $(MAKE)
- 
- $(LNETDIR)/libnet.a:
- 	cd $(LNETDIR) ; $(MAKE)

  clean:
  	cd $(PCAPDIR) ; $(MAKE) clean
--- 33,42 ----

  tcpreplay: $(PCAPDEP) $(LNETDEP) tcpreplay.c
  	-rm -f tcpreplay
! 	$(CC) $(CFLAGS) $(DEFINES) $(INCS) -o $@ tcpreplay.c $(LDFLAGS) $(LIBS)

  $(PCAPDIR)/libpcap.a:
  	cd $(PCAPDIR) ; $(MAKE)

  clean:
  	cd $(PCAPDIR) ; $(MAKE) clean

--- cut here --- configure.dif  

*** configure.orig	Fri Jun  2 15:01:22 2000
--- configure	Fri Jun  2 15:03:13 2000
***************
*** 1194,1200 ****
  done

! subdirs="Libnet-0.99 libpcap-0.4"

--- 1194,1200 ----
  done

! subdirs="Libnet-1.0.1b libpcap-0.4"

***************
*** 1579,1585 ****
      esac
    done

!   for ac_config_dir in Libnet-0.99 libpcap-0.4; do

      # Do not complain, so a configure script can configure whichever
      # parts of a large source tree are present.
--- 1579,1585 ----
      esac
    done

!   for ac_config_dir in Libnet-1.0.1b libpcap-0.4; do

      # Do not complain, so a configure script can configure whichever
      # parts of a large source tree are present.

--- cut here --- tcpreplay.c.dif

*** tcpreplay.c.orig	Fri Jun  2 15:18:46 2000
--- tcpreplay.c	Fri Jun  2 15:38:50 2000
***************
*** 229,235 ****
    }

    while (write_status < 0) {
!     write_status = write_link_layer((struct link_int *)user, interface,
  				    data,pcap_hdr->caplen);
  #ifdef DEBUG
      if (debug > 1) {
--- 229,235 ----
    }

    while (write_status < 0) {
!     write_status = libnet_write_link_layer((struct libnet_link_int *)user, interface,
  				    data,pcap_hdr->caplen);
  #ifdef DEBUG
      if (debug > 1) {
***************
*** 255,261 ****
  int main(int argc, char * argv[])
  {
    pcap_t * in_file;
!   struct link_int * write_if;
    float Mrate = 0;
    double starttime_local, startusec;
    char ebuf[256];
--- 255,261 ----
  int main(int argc, char * argv[])
  {
    pcap_t * in_file;
!   struct libnet_link_int * write_if;
    float Mrate = 0;
    double starttime_local, startusec;
    char ebuf[256];
***************
*** 327,333 ****
    failed_writes  = 0;
    pkts_sent = 0;
    bytes_sent = 0;
!   write_if = open_link_interface(interface,ebuf);
    if (write_if <= 0) {
      fprintf(stderr, "output i/f: %s\n",ebuf);
      exit(1);
--- 327,333 ----
    failed_writes  = 0;
    pkts_sent = 0;
    bytes_sent = 0;
!   write_if = libnet_open_link_interface(interface,ebuf);
    if (write_if <= 0) {
      fprintf(stderr, "output i/f: %s\n",ebuf);
      exit(1);
--- cut here --- 

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada