Installing Tomahawk IPS test tool on Debian 7
For a current IPS/IDS project I was looking for a test system to benchmark various IDS/IPS engines. The idea was to record network captures carrying malware samples in HTTP, SMTP or other protocols, and replaying them against the various detection engines. Problem with that is that tools like tcpreplay, bittwist or Ostinato all replay the trace on a single network card, which means that both “client” and “server” side of the communication are injected into the same NIC of the detection engine.
What I want is a packet replay engine that uses two NICs to replay the packet capture into the detection engine from both sides, simulating a “real” conversation.That engine does exist, and it is called Tomahawk Test Tool created by TippingPoint. Unfortunately, it doesn’t seem to be updated anymore, with the last change being from 2006. And, to make things a bit more complicated, it doesn’t easily compile on current Debian systems (in my case, this is Debian 7, or “Wheezy”) because the libraries it uses have been changed in the meantime. I guess it will be the same with later versions.
So here is my tutorial of how to setup Tomahawk on Wheezy from scratch (Update: this only seems to work on 32 bit Debian, not 64 bit – see comments by Sebastian below):
- Install the Debian base system, with no optional packages at all (maybe the SSH service, but no Desktop, DNS server, etc.). I usually deselect all of them, including SSH.
- After that being done, add a couple of packages that are necessary for compiling Tomahawk:
apt-get install ssh gcc flex bison make
- Go to /usr/src and get the Tomahawk source:
cd /usr/src wget http://prdownloads.sourceforge.net/tomahawk/tomahawk1.1.tar.gz
- Get old LibPCAP and LibNet libraries. Since they are outdated I put them on my own server for easier access, but you can search for them yourself in other places if you prefer that, of course.
wget http://www.packet-foo.com/tomahawk/libnet-1.0.2a.tar.gz wget http://www.packet-foo.com/tomahawk/libpcap-0.8.1.tar.gz
- Unpack everything:
tar xzf tomahawk1.1.tar.gz tar xzf libnet-1.0.2a.tar.gz tar xzf libpcap-0.8.1.tar.gz rm *.gz
- Compile LibPCAP:
cd /usr/src/tomahawk/libpcap-0.8.1 ./configure make make install
- Compile LibNet
cd /usr/src/tomahawk/Libnet-1.0.2a ./configure make make install
- Compile Tomahawk:
cd /usr/src/tomahawk/tomahawk1.1 make make install
./tomahawk -l 1 -f test.pcap
On the box I installed Tomahawk I have 3 interfaces. I use eth0 as management interface, while eth1 and eth2 are my replay interfaces. A typical replay command would look like this:
tomahawk -l 1 -f ipstest1.pcap -i eth1 -j eth2
I can recommend the following Whitepaper published by the ICSA labs about the inner workings of Tomahawk.
I just wanted to take a moment and thank you for this. I’m building a specialized Tomahawk appliance for HP TippingPoint, and wanted to use Linux Mint. This tutorial made it easy.
thank you, and you’re welcome!
what is the max traffic that can be sent out. I seen that the limit is 500Mbps can that be increased like tcpreplay.
I have no idea. I doubt Tomahawk is a tool to test maximum traffic, it is to test if certain patterns are detected. The max Mbps probably depends on the hardware you run Tomahawk on.
After use command in tomahawk make I have got many errors similiar too:
error: ‘struct udphdr’ has no member named ‘uh_sum’
Could You tell me how to fix it?
Sorry, I have no idea – I was happy when it worked for me and wrote down how I managed to get Tomahawk running.
I was able to fix this – there is a line that is referenced in the first error message when you run make. It is meant to be some sort of message, but for some reason it is split into multiple lines. Move the entire message that is in quotes on to one line seems to fix it.
What version of Debian 7 has You used, 32 or 64 bits?
It was 32 bits if I remember correctly. Maybe it doesn’t work with 64 bit, but I didn’t check.
Thanks for information
I will check it on version Debian 7.8 32 bit because I do not have version 7
For Debian 7 32 bit it works. Have You got maybe any database of pcap? Could You share it?
Thanks, that’s good to know!
I have a couple of pcaps, but I can’t share them unfortunately since they contain sensitive information (and sanitizing them would essentially make them useless by having to cut away too much stuff)
Chris Sanders has a couple of pcaps that might be of interest to you at http://chrissanders.org/packet-captures/
Thanks for this information.
Hi, I have managed to install it on ubuntu 15.04. The problem is when replaying a pcap, I have the output saying the packets have been sent, but I don’t see them on the network or when I run tcpdump. (And I have 4 interfaces on the box)
Does it require to configure the interfaces or does it automaticaly rewrite the ip addresses to fit the interfaces on my network?
If I remember correctly (haven’t used Tomahawk for a while now) it generates arbitrary IPs for the PCAP you’re replaying – I doubt that they’ll match your network. The idea is to send packets through an inspection device from both sides, so IPs shouldn’t matter.
If you try to generate packets that are valid on your network, Tomahawk isn’t the tool for you. You should look at Ostinato in that case.