
I'm curious if anybody out there familiar with virtualization knows of any options for recording an emulated machine (QEMU, KVM, VMware) so that when I boot up a machine, I record myself using the terminal to send an email using the postfix package (Linux). I've tried the following options with no success:

TcpReplay & flowreplay: Can't get past the ACK & SYN handshakes needed when communicating to the mail server to successfully replay.

PANDA.re: Unfortunately this software does not virtualize a network card, and thus cannot replay anything that communicates outside the machine

rr project: only records non-deterministic processes, and would not be able to replay the test I described above.

I've heard of software such as ReVirt and ReTrace, but I do not believe that software is available to the average user.

a_polo
  • This is an [XY problem](https://en.wikipedia.org/wiki/XY_problem). Replaying sending an email is not your goal - it's your idea of a solution to some problem, which you haven't disclosed. It's not unlikely that this problem actually has a better solution that you didn't think of, but we're figuring out problems with this solution. What's your real goal? – gronostaj Jul 22 '21 at 15:04
  • Sure thing, my goal is to find a network replaying tool that can make server handshakes (SYN, ACK) in order to successfully replay previously recorded pcaps. I thought replaying a sending of an email would be a sufficient test to see if a software meets that requirement or not. – a_polo Jul 22 '21 at 15:37
  • This won't work with encrypted connections anyway. – Daniel B Jul 22 '21 at 19:06

1 Answer


To replay a pcap file, all you need to do is search replay pcap.

This would find you Tcpreplay and GopherCap and others.

Wireshark itself is quite skeptical about replay, in the post Effective Way to Replay Pcap Files?

TCP is problematic to replay/inject due to the hosts maintaining connection state, as you have found.

Another solution is to avoid replaying TCP altogether and develop a (maybe) simple client or server utility in the programming language of your choice to play the other side of your test.

Try out the utilities that you find and see how well they do the job.

harrymc
  • Thanks for the answer but unfortunately tcpReplay does not serve my needs. I can try gopherCap but I'm afraid it may be the same result, where it will replay the pcap verbatim without changing the SYN and ACK packets and the server rejects the handshake, resulting in a bad replay. – a_polo Jul 22 '21 at 15:52
  • Another tool from the list: [tshark.dev > Edit Pcap](https://tshark.dev/edit). – harrymc Jul 22 '21 at 16:04
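
The approach suggested in the answer (skip packet-level TCP replay and write a small utility that plays one side), as an added example that is not part of the original thread: the client payloads of a recorded plaintext SMTP session are re-sent over a new socket, so the operating system performs a fresh handshake with valid sequence numbers. The payloads, the `SmtpSink` server and all function names are constructed for illustration, and both sides are included so the example runs offline.

```python
import socket, socketserver, threading
# Constructed sample: client-side payloads of one plaintext SMTP session, as
# they would be extracted from the TCP stream of a capture.
CLIENT_PAYLOADS = [
    b"EHLO client.example\r\n",
    b"MAIL FROM:<alice@example.com>\r\n",
    b"RCPT TO:<bob@example.com>\r\n",
    b"DATA\r\n",
    b"Subject: replay test\r\n\r\nhello\r\n.\r\n",
    b"QUIT\r\n",
]

class SmtpSink(socketserver.StreamRequestHandler):
    """Hypothetical minimal SMTP server that plays the other side of the test."""
    def handle(self):
        self.wfile.write(b"220 sink ready\r\n")
        in_data, body = False, []
        for line in self.rfile:
            if in_data:
                if line == b".\r\n":              # end-of-message marker
                    self.server.messages.append(b"".join(body))
                    in_data, body = False, []
                    self.wfile.write(b"250 queued\r\n")
                else:
                    body.append(line)
            elif line.upper().startswith(b"DATA"):
                in_data = True
                self.wfile.write(b"354 end with .\r\n")
            elif line.upper().startswith(b"QUIT"):
                self.wfile.write(b"221 bye\r\n")
                return
            else:
                self.wfile.write(b"250 ok\r\n")   # single-line reply to everything else

def replay(host, port, payloads):
    """Re-send recorded payloads over a new connection (fresh SYN/ACK by the OS)."""
    with socket.create_connection((host, port), timeout=5) as s:
        f = s.makefile("rb")
        replies = [f.readline()]                  # server greeting
        for p in payloads:
            s.sendall(p)
            replies.append(f.readline())          # assumes one reply line per payload
    return [r[:3].decode() for r in replies]

def run_demo():
    with socketserver.TCPServer(("127.0.0.1", 0), SmtpSink) as srv:
        srv.messages = []
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        codes = replay(*srv.server_address, CLIENT_PAYLOADS)
        srv.shutdown()
        return codes, srv.messages
```

Against a real mail server, multi-line replies (such as the EHLO response) would need to be read until the final line, and a session negotiated over TLS cannot be replayed this way.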