6.2.7. replay
6.2.7.1. Introduction
A file with the pcap extension is one in which raw network traffic has been captured.
The replay command enables:
Listing the available pcap files
Asking the detection engine to analyse this network traffic to rebuild the packets contained in this flow
Replaying it with the possibility of modifying the speed compared to that of the initial capture.
Below are the configuration options:
List the available pcap files
list
Choose the name of the pcap file
pcap
Choose the replay speed
speed
Choose a loop replay
forever
Note
Adding pcap is only possible with supported versions of the GCenter software.
Adding pcap is only possible via the command line with the root account, otherwise contact Gatewatcher support.
6.2.7.2. Prerequisites
Users: setup, gviewadm
Dependencies:
The detection engine is started (
UP)The
monvirtinterface is activatedAt least one pcap file must be present in the pcap directory
6.2.7.3. Command
replay pcap name.pcap {speed FACTOR} {forever}
replay list
Available commands:
forever: means to replay the pcap file until CTRL + C is pressedspeed x: x is a number specifying the replay speed of the pcap file (X times the nominal speed)
6.2.7.4. Example of displaying the list of available pcap files
Enter the following command.
[Monitoring UP] GCap-lab (gcap-cli) replay list
Validate.
Available pcaps are: test-dga-v1.pcap test-malcore-v1.pcap test-powershell-v1.pcap test-shellcode-v1.pcap test-sigflow-v1.pcap
The list of the pcap files present is displayed.
The files listed above were installed during a new installation or an update if no other pcap file is present on the GCap.
Each of these files allows you to test a different engine.Note
For the test-sigflow-v1.pcap file, it is possible to replay this pcap file but:
If one of the following 2 signatures is present in the ruleset applied to the Gcap then the alerts at the Gcenter level are visible:
sid:2020716 => ET POLICY Possible External IP Lookup ipinfo.io
sid:2013028 ==> ET POLICY curl User-Agent Outbound
If none of these signatures is present in the ruleset then there is no GCenter alert so it will not be known if the sigflow engine is working correctly
6.2.7.5. Example of replaying a pcap file with the capture speed
Enter the following command.
(gcap-cli) replay pcap name.pcap speed 4
Validate.
Test start: 2022-05-13 14:49:31.287043 ... Actual: 38024 packets (43981183 bytes) sent in 5.00 seconds Rated: 8795627.9 Bps, 70.36 Mbps, 7604.27 pps Actual: 58291 packets (66785902 bytes) sent in 10.00 seconds Rated: 6678332.4 Bps, 53.42 Mbps, 5828.87 pps Actual: 83666 packets (95744520 bytes) sent in 15.02 seconds Rated: 6374049.4 Bps, 50.99 Mbps, 5569.93 pps Actual: 110051 packets (125880214 bytes) sent in 20.02 seconds Rated: 6285776.9 Bps, 50.28 Mbps, 5495.35 pps Actual: 147566 packets (169410025 bytes) sent in 25.02 seconds Rated: 6769298.3 Bps, 54.15 Mbps, 5896.45 pps Actual: 169247 packets (193816539 bytes) sent in 30.03 seconds Rated: 6453918.8 Bps, 51.63 Mbps, 5635.77 pps Actual: 195575 packets (223882527 bytes) sent in 35.06 seconds Rated: 6385197.7 Bps, 51.08 Mbps, 5577.85 pps Actual: 221886 packets (253884171 bytes) sent in 40.09 seconds Rated: 6331801.8 Bps, 50.65 Mbps, 5533.77 pps Actual: 260874 packets (298969988 bytes) sent in 45.11 seconds Rated: 6627011.6 Bps, 53.01 Mbps, 5782.57 pps Actual: 280646 packets (321206175 bytes) sent in 50.19 seconds Rated: 6399274.4 Bps, 51.19 Mbps, 5591.20 pps Test complete: 2022-05-13 14:50:24.974433 Actual: 300745 packets (344377408 bytes) sent in 53.68 seconds Rated: 6414493.3 Bps, 51.31 Mbps, 5601.78 pps Flows: 3774 flows, 70.29 fps, 296049 flow packets, 4696 non-flow Statistics for network device: injectiface Successful packets: 300745 Failed packets: 0 Truncated packets: 0 Retried packets (ENOBUFS): 0 Retried packets (EAGAIN): 0
The system displays the counters approximately every five seconds:
Throughput in Bps
Throughput in Mbps
Throughput in pps (packets)
then the final counters.