9.3.7. replay
A - Introduction
`replay` command enables:List the available pcap files
Asking the detection engine to analyze this network traffic to rebuild the packets contained in this flow
Replaying it with the possibility of modifying the speed compared to that of the initial capture
Below are the configuration options:
List the available pcap files
`list`
Choose the name of the pcap file
`pcap`
Choose the replay speed
`speed`
Choose a loop replay
`forever`
Note
Adding pcap is only possible with supported versions of the GCenter software.Adding pcap is only possible via the command line with the root account, otherwise contact Gatewatcher support.
B - Prerequisites
User: setup, gviewadm
Dépendances :
The detection engine is started (
`UP`)The
`monvirt`interface is activatedAt least one pcap file must be present in the pcap directory
C - Command
`replay pcap name.pcap {speed FACTOR} {forever}`
`replay list`
Available commands:
`forever`: means to replay the pcap file until CTRL + C is pressed`speed x`: x is a number specifying the replay speed of the pcap file (X times the nominal speed)
D - Proceduire to display the list of available pcap files
The command prompt is displayed.
[Monitoring UP] GCap-lab (gcap-cli)
Enter the command
replay list
Validate
Available pcaps are: test-dga-v#.pcap test-malcore-v1.pcap test-powershell-v1.pcap test-shellcode-v1.pcap test-sigflow-v1.pcap
The list of the pcap files present is displayed.The files listed above were installed during a new installation or an update if no other pcap file is present on the GCap.Each of these files allows you to test a different engine.Note
For the testsigflowv1.pcap file, it is possible to replay this pcap file but:
If one of the following 2 signatures is present in the ruleset applied to the GCap then the alerts at the GCenter level are visible:
sid:2020716 => ET POLICY Possible External IP Lookup ipinfo.io
sid:2013028 ==> ET POLICY curl User-Agent Outbound
If none of these signatures is present in the ruleset then there is no GCenter alert so it will not be known if the Sigflow engine is working correctly
E - Procedure to replay a pcap file with the capture speed
The command prompt is displayed.
(gcap-cli)
Enter the command
replay pcap name.pcap speed 4
Validate
Test start: 2022-05-13 14:49:31.287043 ... Actual: 38024 packets (43981183 bytes) sent in 5.00 seconds Rated: 8795627.9 Bps, 70.36 Mbps, 7604.27 pps Actual: 58291 packets (66785902 bytes) sent in 10.00 seconds Rated: 6678332.4 Bps, 53.42 Mbps, 5828.87 pps Actual: 83666 packets (95744520 bytes) sent in 15.02 seconds Rated: 6374049.4 Bps, 50.99 Mbps, 5569.93 pps Actual: 110051 packets (125880214 bytes) sent in 20.02 seconds Rated: 6285776.9 Bps, 50.28 Mbps, 5495.35 pps Actual: 147566 packets (169410025 bytes) sent in 25.02 seconds Rated: 6769298.3 Bps, 54.15 Mbps, 5896.45 pps Actual: 169247 packets (193816539 bytes) sent in 30.03 seconds Rated: 6453918.8 Bps, 51.63 Mbps, 5635.77 pps Actual: 195575 packets (223882527 bytes) sent in 35.06 seconds Rated: 6385197.7 Bps, 51.08 Mbps, 5577.85 pps Actual: 221886 packets (253884171 bytes) sent in 40.09 seconds Rated: 6331801.8 Bps, 50.65 Mbps, 5533.77 pps Actual: 260874 packets (298969988 bytes) sent in 45.11 seconds Rated: 6627011.6 Bps, 53.01 Mbps, 5782.57 pps Actual: 280646 packets (321206175 bytes) sent in 50.19 seconds Rated: 6399274.4 Bps, 51.19 Mbps, 5591.20 pps Test complete: 2022-05-13 14:50:24.974433 Actual: 300745 packets (344377408 bytes) sent in 53.68 seconds Rated: 6414493.3 Bps, 51.31 Mbps, 5601.78 pps Flows: 3774 flows, 70.29 fps, 296049 flow packets, 4696 non-flow Statistics for network device: injectiface Successful packets: 300745 Failed packets: 0 Truncated packets: 0 Retried packets (ENOBUFS): 0 Retried packets (EAGAIN): 0
The system displays the counters approximately every five seconds:
Throughput in Bps
Throughput in Mbps
Throughput in pps (packets)
then the final counters.