Installing Tomahawk IPS test tool on Debian 7

For a current IPS/IDS project I was looking for a test system to benchmark various IDS/IPS engines. The idea was to record network captures carrying malware samples in HTTP, SMTP or other protocols, and replaying them against the various detection engines. Problem with that is that tools like tcpreplay, bittwist or Ostinato all replay the trace on a single network card, which means that both “client” and “server” side of the communication are injected into the same NIC of the detection engine.

What I want is a packet replay engine that uses two NICs to replay the packet capture into the detection engine from both sides, simulating a “real” conversation.That engine does exist, and it is called Tomahawk Test Tool created by TippingPoint. Unfortunately, it doesn’t seem to be updated anymore, with the last change being from 2006. And, to make things a bit more complicated, it doesn’t easily compile on current Debian systems (in my case, this is Debian 7, or “Wheezy”) because the libraries it uses have been changed in the meantime. I guess it will be the same with later versions.

So here is my tutorial of how to setup Tomahawk on Wheezy from scratch (Update: this only seems to work on 32 bit Debian, not 64 bit – see comments by Sebastian below):

  1. Install the Debian base system, with no optional packages at all (maybe the SSH service, but no Desktop, DNS server, etc.). I usually deselect all of them, including SSH.
  2. After that being done, add a couple of packages that are necessary for compiling Tomahawk:
    apt-get install ssh gcc flex bison make
  3. Go to /usr/src and get the Tomahawk source:
    cd /usr/src
  4. Get old LibPCAP and LibNet libraries. Since they are outdated I put them on my own server for easier access, but you can search for them yourself in other places if you prefer that, of course.
  5. Unpack everything:
    tar xzf tomahawk1.1.tar.gz
    tar xzf libnet-1.0.2a.tar.gz
    tar xzf libpcap-0.8.1.tar.gz
    rm *.gz
  6. Compile LibPCAP:
    cd /usr/src/tomahawk/libpcap-0.8.1
    make install
  7. Compile LibNet
    cd /usr/src/tomahawk/Libnet-1.0.2a
    make install
  8. Compile Tomahawk:
    cd /usr/src/tomahawk/tomahawk1.1
    make install
  9. Test:
    ./tomahawk -l 1 -f test.pcap

On the box I installed Tomahawk I have 3 interfaces. I use eth0 as management interface, while eth1 and eth2 are my replay interfaces. A typical replay command would look like this:

tomahawk -l 1 -f ipstest1.pcap -i eth1 -j eth2

I can recommend the following Whitepaper published by the ICSA labs about the inner workings of Tomahawk.

Have fun.

Discussions — 16 Responses

  • Geary February 11, 2014 on 1:50 pm

    I just wanted to take a moment and thank you for this. I’m building a specialized Tomahawk appliance for HP TippingPoint, and wanted to use Linux Mint. This tutorial made it easy.



    • Jasper Bongertz Geary February 11, 2014 on 2:02 pm

      Hi Geary,

      thank you, and you’re welcome!


  • Palvarado December 31, 2014 on 6:24 pm

    what is the max traffic that can be sent out. I seen that the limit is 500Mbps can that be increased like tcpreplay.

    • Jasper Bongertz Palvarado January 2, 2015 on 12:05 am

      I have no idea. I doubt Tomahawk is a tool to test maximum traffic, it is to test if certain patterns are detected. The max Mbps probably depends on the hardware you run Tomahawk on.

  • Sebastian February 5, 2015 on 4:13 pm

    After use command in tomahawk make I have got many errors similiar too:
    error: ‘struct udphdr’ has no member named ‘uh_sum’

    Could You tell me how to fix it?

    • Jasper Bongertz Sebastian February 7, 2015 on 5:04 pm

      Sorry, I have no idea – I was happy when it worked for me and wrote down how I managed to get Tomahawk running.

    • aun Sebastian October 4, 2016 on 11:17 am

      I was able to fix this – there is a line that is referenced in the first error message when you run make. It is meant to be some sort of message, but for some reason it is split into multiple lines. Move the entire message that is in quotes on to one line seems to fix it.

      • Jasper Bongertz aun October 4, 2016 on 12:51 pm

        Thanks, aun!

  • Sebastian February 9, 2015 on 12:05 pm

    What version of Debian 7 has You used, 32 or 64 bits?

    • Jasper Bongertz Sebastian February 9, 2015 on 12:06 pm

      It was 32 bits if I remember correctly. Maybe it doesn’t work with 64 bit, but I didn’t check.

  • Sebastian February 9, 2015 on 12:13 pm

    Thanks for information
    I will check it on version Debian 7.8 32 bit because I do not have version 7

  • Sebastian February 9, 2015 on 5:22 pm

    For Debian 7 32 bit it works. Have You got maybe any database of pcap? Could You share it?

    • Jasper Bongertz Sebastian February 9, 2015 on 5:57 pm

      Thanks, that’s good to know!

      I have a couple of pcaps, but I can’t share them unfortunately since they contain sensitive information (and sanitizing them would essentially make them useless by having to cut away too much stuff)

      Chris Sanders has a couple of pcaps that might be of interest to you at

  • Sebastian February 10, 2015 on 11:11 am

    Thanks for this information.


  • sven August 29, 2017 on 4:51 pm

    Hi, I have managed to install it on ubuntu 15.04. The problem is when replaying a pcap, I have the output saying the packets have been sent, but I don’t see them on the network or when I run tcpdump. (And I have 4 interfaces on the box)

    Does it require to configure the interfaces or does it automaticaly rewrite the ip addresses to fit the interfaces on my network?


    • Jasper sven August 29, 2017 on 4:57 pm

      If I remember correctly (haven’t used Tomahawk for a while now) it generates arbitrary IPs for the PCAP you’re replaying – I doubt that they’ll match your network. The idea is to send packets through an inspection device from both sides, so IPs shouldn’t matter.

      If you try to generate packets that are valid on your network, Tomahawk isn’t the tool for you. You should look at Ostinato in that case.