
Indeed, UCA/MMS/ICCP can be replayed

When thinking about protocol security, one of the common threats to consider is a “replay attack.” However, in most cases the discussion is largely academic.

tcpreplay does not actually replay application-layer traffic, only PCAP files (basically link-layer frames with a small header), and when I looked at flowreplay last summer it didn’t seem fully baked and was overkill…

So I wrote a few quick Python scripts that do the following:

  1. parse the “C arrays” file you get when you save the “Follow TCP Stream” output in Ethereal - this actually saves you a lot of work reassembling traffic at multiple layers, especially in the OSI protocols, where there *is* fragmentation!
  2. save the client requests and server responses to a Python “pickle” file
  3. send the client messages back to the server

    mdfranz@franz-d610:~/dev$ ./clientplay.py 172.16.126.132 102 followtcp.raw.pickle
    Sending:22 bytes
    Received: 14 bytes
    Sending:191 bytes
    Received: 147 bytes
    Sending:36 bytes
    Received: 32 bytes
    Sending:36 bytes
    Received: 32 bytes
    Sending:36 bytes
    Received: 39 bytes
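Steps 1 and 2 above (reading the Ethereal “C arrays” export and splitting it into per-direction messages) as an added example; this is not the author’s clientplay.py. The sample export and its bytes are constructed for the example, and the TPKT/COTP checks are a sanity pass over what was reassembled before anything is saved.

```python
import re

# Constructed sample of an Ethereal/Wireshark "Follow TCP Stream" export saved
# as C arrays: peer0 is the client side, peer1 the server side. The bytes are a
# plausible TPKT+COTP CR/CC pair (made up for this example, not from the post).
SAMPLE_C_ARRAYS = """\
char peer0_0[] = { /* Packet 4 */
0x03, 0x00, 0x00, 0x16, 0x11, 0xe0, 0x00, 0x00,
0x00, 0x04, 0x00, 0xc1, 0x02, 0x01, 0x00, 0xc2,
0x02, 0x01, 0x02, 0xc0, 0x01, 0x0a };
char peer1_0[] = { /* Packet 5 */
0x03, 0x00, 0x00, 0x0e, 0x09, 0xd0, 0x00, 0x04,
0x00, 0x04, 0x00, 0xc0, 0x01, 0x0a };
"""

# One C array per direction change: "char peerN_M[] = { ... };"
ARRAY_RE = re.compile(r"char\s+peer(\d+)_(\d+)\[\]\s*=\s*\{(.*?)\};", re.S)
HEX_RE = re.compile(r"0x([0-9a-fA-F]{2})")


def parse_c_arrays(text):
    """Return [(peer, index, payload_bytes), ...] in stream order."""
    messages = []
    for peer, idx, body in ARRAY_RE.findall(text):
        body = re.sub(r"/\*.*?\*/", "", body, flags=re.S)  # drop /* Packet N */
        payload = bytes(int(h, 16) for h in HEX_RE.findall(body))
        messages.append((int(peer), int(idx), payload))
    return messages


def tpkt_ok(payload):
    """RFC 1006 TPKT sanity check: version byte 3 and declared length matches."""
    return (len(payload) >= 4 and payload[0] == 3
            and int.from_bytes(payload[2:4], "big") == len(payload))


def cotp_tpdu_code(payload):
    """Return the COTP TPDU code nibble (0xE = CR, 0xD = CC, 0xF = DT)."""
    return payload[5] >> 4 if len(payload) > 5 else None


def summarize(messages):
    """One line per message with its size, in the same style as the script output."""
    lines = []
    for peer, _, payload in messages:
        label = "Sending:" if peer == 0 else "Received: "
        lines.append(f"{label}{len(payload)} bytes")
    return lines
```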

Not rocket science, but it works, and I hadn’t found another tool that does this easily.

    root@franz-d610:~/dev# tethereal -ni vmnet8
    Capturing on vmnet8
      1   0.000000 172.16.126.1 -> 172.16.126.132 TCP 33328 > 102 [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460 TSV=75373055 TSER=0 WS=2
      2   0.001739 172.16.126.132 -> 172.16.126.1 TCP 102 > 33328 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0 MSS=1460 WS=0 TSV=0 TSER=0
      3   0.002973 172.16.126.1 -> 172.16.126.132 TCP 33328 > 102 [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSV=75373059 TSER=0
      4   0.008279 172.16.126.1 -> 172.16.126.132 COTP CR TPDU src-ref: 0x0004 dst-ref: 0x0000
      5   0.008549 172.16.126.132 -> 172.16.126.1 COTP CC TPDU src-ref: 0x0004 dst-ref: 0x0004
      6   0.019053 172.16.126.1 -> 172.16.126.132 TCP 33328 > 102 [ACK] Seq=23 Ack=15 Win=5840 Len=0 TSV=75373075 TSER=4093
      7   1.020154 172.16.126.1 -> 172.16.126.132 MMS
      8   1.020806 172.16.126.132 -> 172.16.126.1 MMS
      9   1.021077 172.16.126.1 -> 172.16.126.132 TCP 33328 > 102 [ACK] Seq=214 Ack=162 Win=6912 Len=0 TSV=75374078 TSER=4094
     10   2.020956 172.16.126.1 -> 172.16.126.132 MMS
     11   2.021477 172.16.126.132 -> 172.16.126.1 MMS
     12   2.021709 172.16.126.1 -> 172.16.126.132 TCP 33328 > 102 [ACK] Seq=250 Ack=194 Win=6912 Len=0 TSV=75375078 TSER=4094
     13   3.021803 172.16.126.1 -> 172.16.126.132 MMS
     14   3.022398 172.16.126.132 -> 172.16.126.1 MMS
     15   3.022638 172.16.126.1 -> 172.16.126.132 TCP 33328 > 102 [ACK] Seq=286 Ack=226 Win=6912 Len=0 TSV=75376079 TSER=4094
     16   4.024513 172.16.126.1 -> 172.16.126.132 MMS
     17   4.029218 172.16.126.132 -> 172.16.126.1 MMS
     18   4.029253 172.16.126.1 -> 172.16.126.132 TCP 33328 > 102 [ACK] Seq=322 Ack=265 Win=6912 Len=0 TSV=75377086 TSER=4095

Of course there is no strong authentication, so this is trivial — much easier than remembering regular expression syntax!
