Mailing List Archive

Network chatter generator
Before I go to the trouble of making one myself, does anybody happen to
know of a pre-canned program to generate realistic and scalable amounts
of broadcast/broad-multicast network background "chatter" seen on
typical consumer and business networks? This would be things like lots
of ARP traffic to/from various sources/destinations within a subnet,
SSDP, MDNS-SD, SMB browser traffic, DHCP requests, etc.?

Ideally, said tool would have knobs to control the amount of traffic and
whether a given type of traffic is present.

This is mostly for torture testing "IoT" type devices by exposing them
to lots of diverse, essentially nonsense traffic that they're likely to
see in a real environment.

--
Brandon Martin
Re: Network chatter generator
scapy?

On 2024-02-23 10:33, Brandon Martin wrote:
> Before I go to the trouble of making one myself, does anybody happen
> to know of a pre-canned program to generate realistic and scalable
> amounts of broadcast/broad-multicast network background "chatter" seen
> on typical consumer and business networks?  This would be things like
> lots of ARP traffic to/from various sources/destinations within a
> subnet, SSDP, MDNS-SD, SMB browser traffic, DHCP requests, etc.?
>
> Ideally, said tool would have knobs to control the amount of traffic
> and whether a given type of traffic is present.
>
> This is mostly for torture testing "IoT" type devices by exposing them
> to lots of diverse, essentially nonsense traffic that they're likely
> to see in a real environment.
>
> --
> Brandon Martin
Re: Network chatter generator
On Fri, 23 Feb 2024 at 19:42, Brandon Martin <lists.nanog@monmotha.net> wrote:

> Before I go to the trouble of making one myself, does anybody happen to
> know of a pre-canned program to generate realistic and scalable amounts
> of broadcast/broad-multicast network background "chatter" seen on
> typical consumer and business networks? This would be things like lots
> of ARP traffic to/from various sources/destinations within a subnet,
> SSDP, MDNS-SD, SMB browser traffic, DHCP requests, etc.?

For protocol fuzzing I've used 'Codenomicon', which has since been
acquired by Synopsys: (this is about trying to offer various types of
bad PDUs to a protocol)
https://www.synopsys.com/software-integrity/security-testing/fuzz-testing.html

For volumetric protocol testing I've used 'Spirent Avalanche': (this
is more like https or imaps users etc)
https://www.spirent.com/products/avalanche-security-testing

There are other commercial options in this space and I'm not familiar
with recent developments.

Not sure if either really fit your bill. I guess you could ask someone
with a chatty LAN to record it, and play the pcap back.

--
++ytti
Re: Network chatter generator
I believe you can do most of what you want using a Mikrotik and its Traffic Generator. Packet templates can be crafted to mimic any of the popular protocols (L2, L3, L4), at least at the header level, with less flexibility on the payload legitimacy.

On 2/23/24 10:33 AM, Brandon Martin wrote:
> Before I go to the trouble of making one myself, does anybody happen to know of a pre-canned program to generate realistic and scalable amounts of broadcast/broad-multicast network background "chatter" seen on typical consumer and business networks?  This would be things like lots of ARP traffic to/from various sources/destinations within a subnet, SSDP, MDNS-SD, SMB browser traffic, DHCP requests, etc.?
>
> Ideally, said tool would have knobs to control the amount of traffic and whether a given type of traffic is present.
>
> This is mostly for torture testing "IoT" type devices by exposing them to lots of diverse, essentially nonsense traffic that they're likely to see in a real environment.
>
> --
> Brandon Martin
Re: Network chatter generator
Keysight’s Ixia line of traffic generators with concurrent monitoring are industrial grade tools for certification testing. I’ve used them to simulate thousands of WiFi users to validate a 400-node access point deployment at a major airport. Not cheap but has all the knobs and dials you’re looking for. You can also rent them.

-mel

On Feb 24, 2024, at 8:43 AM, Jesse DuPont <jesse.dupont@celeritycorp.net> wrote:

> I believe you can do most of what you want using a Mikrotik and its Traffic Generator. Packet templates can be crafted to mimic any of the popular protocols (L2, L3, L4), at least at the header level, with less flexibility on the payload legitimacy.
>
> On 2/23/24 10:33 AM, Brandon Martin wrote:
> > Before I go to the trouble of making one myself, does anybody happen to know of a pre-canned program to generate realistic and scalable amounts of broadcast/broad-multicast network background "chatter" seen on typical consumer and business networks? This would be things like lots of ARP traffic to/from various sources/destinations within a subnet, SSDP, MDNS-SD, SMB browser traffic, DHCP requests, etc.?
> >
> > Ideally, said tool would have knobs to control the amount of traffic and whether a given type of traffic is present.
> >
> > This is mostly for torture testing "IoT" type devices by exposing them to lots of diverse, essentially nonsense traffic that they're likely to see in a real environment.
> >
> > --
> > Brandon Martin
Re: Network chatter generator
Here are some tools that I've used to stress test gear over the years. You
may or may not find some of them useful for your use case:

(1) T50 - be *really* careful with this one:
    - Source: https://gitlab.com/fredericopissarra/t50
(2) Yersinia (can be used for DHCP stress testing)
    - Source: https://github.com/tomac/yersinia
    - Useful info for DHCP-specific stress testing:
      https://www.amirootyet.com/post/dhcp-dos-attack-with-yersinia-in-kali/
(3) wrk - L7 endpoint load testing - I typically use an Ansible playbook
    to generate artificial load from multiple source systems, which also
    allows you to consolidate the stdout reporting from each system
    - Source: https://github.com/wg/wrk

--

-G

On 2024-02-23 17:33, Brandon Martin wrote:
> Before I go to the trouble of making one myself, does anybody happen to
> know of a pre-canned program to generate realistic and scalable amounts
> of broadcast/broad-multicast network background "chatter" seen on
> typical consumer and business networks? This would be things like lots
> of ARP traffic to/from various sources/destinations within a subnet,
> SSDP, MDNS-SD, SMB browser traffic, DHCP requests, etc.?
>
> Ideally, said tool would have knobs to control the amount of traffic
> and whether a given type of traffic is present.
>
> This is mostly for torture testing "IoT" type devices by exposing them
> to lots of diverse, essentially nonsense traffic that they're likely to
> see in a real environment.
>
> --
> Brandon Martin
Re: Network chatter generator
I came to suggest this.




-----
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com

Midwest-IX
http://www.midwest-ix.com

----- Original Message -----

From: "Jesse DuPont" <jesse.dupont@celeritycorp.net>
To: "Brandon Martin" <lists.nanog@monmotha.net>, nanog@nanog.org
Sent: Friday, February 23, 2024 12:17:28 PM
Subject: Re: Network chatter generator

I believe you can do most of what you want using a Mikrotik and its Traffic Generator. Packet templates can be crafted to mimic any of the popular protocols (L2, L3, L4), at least at the header level, with less flexibility on the payload legitimacy.


On 2/23/24 10:33 AM, Brandon Martin wrote:


Before I go to the trouble of making one myself, does anybody happen to know of a pre-canned program to generate realistic and scalable amounts of broadcast/broad-multicast network background "chatter" seen on typical consumer and business networks? This would be things like lots of ARP traffic to/from various sources/destinations within a subnet, SSDP, MDNS-SD, SMB browser traffic, DHCP requests, etc.?

Ideally, said tool would have knobs to control the amount of traffic and whether a given type of traffic is present.

This is mostly for torture testing "IoT" type devices by exposing them to lots of diverse, essentially nonsense traffic that they're likely to see in a real environment.

--
Brandon Martin
Re: Network chatter generator
On 2024-02-23 17:33, Brandon Martin wrote:
> Before I go to the trouble of making one myself, does anybody happen to
> know of a pre-canned program to generate realistic and scalable amounts
> of broadcast/broad-multicast network background "chatter" seen on
> typical consumer and business networks?

You may want to check out TRex: https://trex-tgn.cisco.com

It's free and uses the DPDK framework, so even a 5-year-old Xeon box should be able to saturate 10g (14Mpps) which is usually enough to make most small things fall over.

IIRC, it uses PCAP files as a template for traffic generation, and replaces the header info (src/dst) with values you configure. So, if you have some captures with the background chatter you want, you can probably turn around and use those for testing. The tool includes some console programs that show throughput, drops, etc. You can scale the generation to any level you want (it just loops over the captures). You can also turn on multiple generators (each with its own capture) to simulate a mix of traffic at different sizes and rates. The distribution comes with several canned captures (imix, dns, large packets, small packets, etc).

The one thing I haven't tried with it is multicast, so that might need some extra work. Maybe you can specify a multicast MAC at L2 for the generated packets (normally you set this to the MAC of the DUT)?

Jason
Re: Network chatter generator
The replies I've gotten have been somewhat useful, but I think the
purpose of what I'm seeking may not have been apparent.

I'm not looking to perform volumetric or even known-vulnerability tests.
I have some decent ways to do both and even know that I can make the
device in question unhappy by flooding it with large volumes of nonsense
traffic so as to overwhelm its ability to process them as quickly as
they come in. This isn't surprising given its limited resources and
100Mb connection, and the device recovers once it works through the
backlog and has some free buffers again. Humongous IP datagrams broken
into numerous small fragments is a great way to annoy almost anything, FWIW.

What I'm really looking for is a somewhat pre-canned list of typical
network chatter that embedded devices would have to copy due to being
addressed to broadcast or large multicast groups but that said devices
are likely to consider garbage and the ability to generate traffic from
those lists with various timings and breadth of field values. There's a
LOT of this type of traffic on typical consumer and enterprise networks,
and the issue is that I'm constantly finding new examples of things I'd
never dream exist that tickle corner cases in network stacks, drivers,
or even sometimes hardware.

As an example, Cisco Meraki devices send SNAP framed packets for some
proprietary loop-avoidance protocol even on networks using Ethernet II
framing and even if STP is enabled. I found out the hard way that the
Ethernet MAC on some micros doesn't like these if you have certain
receive accelerator functions enabled - it locks up and won't receive
anything until you perform a fairly hard reset on it. The volume of traffic
here is tiny - just one packet every few seconds from the nearest Meraki
switch you're on - but can tickle processing bugs.

I can and have played back PCAPs from kind folks running Wireshark.
Combined with playing with the packet timing, this is useful, but it
limits me to things me and my kind friends have seen on their networks
before. The same would be true if I tried to make my own chatter
generator using something like scapy.

--
Brandon Martin
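
Added example, not part of the thread and not any poster's code: a minimal seeded chatter generator along the lines described above, which builds broadcast and multicast frames with per-type rate knobs and randomized field values and writes them to a pcap for replay on an isolated test bench. The function names, the 192.168.1.0/24 addresses and the SNAP OUI/PID are constructed placeholders (not Meraki's or any vendor's values); further protocols can be added to `KINDS` the same way.

```python
import random
import struct

SSDP = (b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
        b'MAN: "ssdp:discover"\r\nMX: 2\r\nST: ssdp:all\r\n\r\n')
MDNS = (b"\x00" * 5 + b"\x01" + b"\x00" * 6  # DNS header with QDCOUNT=1
        + b"\x09_services\x07_dns-sd\x04_udp\x05local\x00\x00\x0c\x00\x01")  # PTR, IN

def mac(rng):  # constructed, locally administered unicast source MAC
    return bytes([0x02] + [rng.randrange(256) for _ in range(5)])

def csum(b):  # RFC 1071 Internet checksum over an even-length header
    s = sum(struct.unpack("!%dH" % (len(b) // 2), b))
    s = (s & 0xFFFF) + (s >> 16)
    return ~(s + (s >> 16)) & 0xFFFF

def snap(rng, oui=b"\x02\x00\x00", pid=1):  # placeholder OUI/PID, no real protocol
    body = b"\xaa\xaa\x03" + oui + struct.pack("!H", pid)  # LLC + SNAP header
    body += bytes(rng.getrandbits(8) for _ in range(rng.randrange(8, 64)))
    # 802.3 framing: bytes 12-13 carry a length (<= 1500), not an EtherType
    return (b"\xff" * 6 + mac(rng) + struct.pack("!H", len(body)) + body).ljust(60, b"\x00")

def udp_mcast(rng, group, port, payload, ttl):
    dmac = b"\x01\x00\x5e" + bytes([group[1] & 0x7F]) + group[2:]  # RFC 1112 mapping
    udp = struct.pack("!HHHH", rng.randrange(1024, 65536), port, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), rng.randrange(65536), 0,
                     ttl, 17, 0, b"\xc0\xa8\x01" + bytes([rng.randrange(1, 255)]), group)
    ip = ip[:10] + struct.pack("!H", csum(ip)) + ip[12:]  # fill in header checksum
    return (dmac + mac(rng) + b"\x08\x00" + ip + udp).ljust(60, b"\x00")

KINDS = {"snap": snap,
         "ssdp": lambda r: udp_mcast(r, bytes([239, 255, 255, 250]), 1900, SSDP, 2),
         "mdns": lambda r: udp_mcast(r, bytes([224, 0, 0, 251]), 5353, MDNS, 255)}

def chatter(rates, seconds, seed=0):
    """rates maps kind -> mean frames/s (0 disables); returns time-sorted (t, frame)."""
    rng, out = random.Random(seed), []
    for kind, rate in rates.items():
        t = rng.expovariate(rate) if rate > 0 else seconds
        while t < seconds:  # Poisson arrivals: exponential gaps between frames
            out.append((t, KINDS[kind](rng)))
            t += rng.expovariate(rate)
    return sorted(out, key=lambda e: e[0])

def write_pcap(path, events):  # classic pcap, microsecond stamps, LINKTYPE_ETHERNET
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for t, fr in events:
            f.write(struct.pack("<IIII", int(t), int(t % 1 * 1e6), len(fr), len(fr)) + fr)
```

For instance, `write_pcap("chatter.pcap", chatter({"snap": 0.5, "ssdp": 2.0}, seconds=60))` yields a capture that can be replayed by whatever pcap player the bench already uses; the fixed seed makes a run that hangs the device reproducible.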
Re: Network chatter generator
I keep running into similar issues as far as stack validation goes. (And
by stack I mean all the way up not just L2/L3).

I know that my processor has an ethernet port it can't keep up with in all
circumstances. Flooding it with more packets than it can handle isn't
useful, other than to validate how it recovers from a packet flood.

So, I too would like a similar tool. I might add some "directed at me but
intended for someone else" traffic but even if it was broadcast only it
would be useful. Even if it was just a library of actual broadcast packet
traffic in networks with lots more than arp being tossed around.


On Sun, Feb 25, 2024, 6:39 PM Brandon Martin <lists.nanog@monmotha.net>
wrote:

> The replies I've gotten have been somewhat useful, but I think the
> purpose of what I'm seeking may not have been apparent.
>
> I'm not looking to perform volumetric or even known-vulnerability tests.
> I have some decent ways to do both and even know that I can make the
> device in question unhappy by flooding it with large volumes of nonsense
> traffic so as to overwhelm its ability to process them as quickly as
> they come in. This isn't surprising given its limited resources and
> 100Mb connection, and the device recovers once it works through the
> backlog and has some free buffers again. Humongous IP datagrams broken
> into numerous small fragments is a great way to annoy almost anything,
> FWIW.
>
> What I'm really looking for is a somewhat pre-canned list of typical
> network chatter that embedded devices would have to copy due to being
> addressed to broadcast or large multicast groups but that said devices
> are likely to consider garbage and the ability to generate traffic from
> those lists with various timings and breadth of field values. There's a
> LOT of this type of traffic on typical consumer and enterprise networks,
> and the issue is that I'm constantly finding new examples of things I'd
> never dream exist that tickle corner cases in network stacks, drivers,
> or even sometimes hardware.
>
> As an example, Cisco Meraki devices send SNAP framed packets for some
> proprietary loop-avoidance protocol even on networks using Ethernet II
> framing and even if STP is enabled. I found out the hard way that the
> Ethernet MAC on some micros doesn't like these if you have certain
> receive accelerator functions enabled - it locks up and won't receive
> anything until you perform a fairly hard reset on it. The volume of traffic
> here is tiny - just one packet every few seconds from the nearest Meraki
> switch you're on - but can tickle processing bugs.
>
> I can and have played back PCAPs from kind folks running Wireshark.
> Combined with playing with the packet timing, this is useful, but it
> limits me to things me and my kind friends have seen on their networks
> before. The same would be true if I tried to make my own chatter
> generator using something like scapy.
>
> --
> Brandon Martin
>