tomahawk is a tool for replaying network traffic from files saved with tcpdump(8).
The basic operation of tomahawk is to resend all packets from input file(s) from two network interfaces as fast as possible, ensuring that the packets arrive at an intermediate device (any layer-2 bridging device, but typically a network-based intrusion prevention system) in exactly the same order they appeared on the network at the time of capture.
While loading a file, Tomahawk automatically partitions the traffic between two interfaces. Tomahawk then replays a window of packets out one interface and waits for one or more packets to be received at the other interface. When a packet is received, the window moves forward, allowing new packets (from either interface) to be sent.
As part of its replay, Tomahawk modifies the IP addresses on the packets. This allows many copies of a single trace to be replayed in parallel, each stream with its block of IP addresses. This feature is useful for "scaling up" a packet trace from a comparatively low speed network. For example, suppose you have a trace of traffic from a 100 Mbps network with 500 hosts. By using the maxActive to 10, you can simulate a network with 5000 hosts on a gigabit backbone.
If a packet is dropped in the intermediate network for any reason, tomahawk will retransmit the lost packet up to maxRetrans times. This feature differentiates between a NIPS dropping a packet due to congestion versus deliberately dropping it because it contains an attack.
Tomahawk accepts two types of options: global and stream options. The global options include the following:
The following options applying to individual streams. Each option is
collected and applied to a stream specified in the file parameter.
For example, to play
file1 2 times,
file2 2 times, and
file3 3 times, you would use the flags
-l 2 -f file1 -f file2 -l 3 -f file3
The following command plays the file outlook.pcap once:
To play this pcap five times in succession, you would use:
tomahawk -l 5 -f outlook.pcap
The "-l" parameter controls the number of loops.
If the trace contains an attack and is replayed through an IPS, the IPS should block the attack. Because an IPS often blocks a stream (identified by a host/port quadruple), Tomahawk gives each replay of the attack its own unique host/port quadruple. Assuming that the pcap contains 2 addresses, Tomahawk rewrites the packets so that the first replay of the attack is from 10.0.0.1 to 10.0.0.2, the second replay is from 10.0.0.3 to 10.0.0.4, and so on.
You can control the start address with the "-a" flag. For example:
tomahawk -l 5 -f outlook.pcap -a 18.104.22.168
starts replay attacks at 22.214.171.124.
The example above plays 5 copies of outlook.pcap sequentially; Tomahawk waits for the first replay to complete before sending the second. You can use the "-n" flag to set Tomahawk to send the replay packets in parallel. For example:
tomahawk -n 3 -l 5 -f outlook.pcap
replays outlook.pcap 5 times, with up to 3 versions running simultaneously.
You can also use Tomahawk to play multiple attacks simultaneously. For example:
tomahawk -n 3 -l 5 -f outlook.pcap -f slammer.pcap
This command plays up to 3 copies of Outlook, 3 copies of Slammer, and 3 copies of CodeRed simultaneously. In terms of the tool, it plays 9 simultaneous replays in all, 6 of which (Slammer and CodeRed) are attacks.
The flags that control looping (-l) and parallel replay (-n) apply to subsequent packet traces as they are loaded (-f). For example, consider the following:
tomahawk -n 3 -l 5 -f outlook.pcap -n 2 -l 4 -f slammer.pcap -f codered.pcap
This command line tells tomahawk:
o to play outlook 5 times, with up to 3 copies running simultaneously
o to play slammer 4 times, with up to 2 copies running simultaneously
o to play codered 4 times, with up to 2 copies running simultaneously
Up to 7 pcaps and 4 attacks are running simultaneously, and a total of 8 attacks are run.
tomahawk -l 1 -r 5 -t 1000 -f outlook.pcap
sets Tomahawk to wait (at least) 1000 milliseconds before declaring a packet lost ("-t 1000") and to retransmit the packet 5 times ("-r 5") before giving up and printing a timeout message.
To limit the data rate generated by Tomahawk, use the "-R" flag. For example, to generate 100 Mbps of clean traffic, use the following:
tomahawk -n 50 -l 10000 -f http.pcap -R 100
The value of "-R" is a floating point number. To generate 100 Kbps of traffic, use the following:
tomahawk -n 50 -l 10000 -f http.pcap -R 0.1
The current version is available via HTTP: