Tomahawk is a utility to bidirectionally replay saved tcpdump(8) dumpfiles at arbitrary speeds. It can be used to test the throughput and blocking capabilities of network-based intrusion prevention systems (NIPS).
Tomahawk is available from http://tomahawk.sourceforge.net. It compiles using RedHat 7.x, 8.0, and 9.0. If you port it to another platform, or make enhancements, please contribute the changes back to the open source repository. Instructions for contributing to Tomahawk are available at the Web site.
Key Attributes:
Network Testing: Background Traffic
- Collect trace from target network, replay with Tomahawk
- Bottlenecks will show up as performance problem
- Trace with 1000 full TCP connection setup and teardown
- Six (6)64 byte packet connections
- Trace has 6000 packets
- Replay 250 copies of trace in parallel
- 31,000 connections/sec test capability
- Collect trace with attack traffic, replay with Tomahawk
- If trace completes, attack was not blocked
- Replay attacks simultaneously: e.g. 20 PCAPs replayed 10x each for a total of 200 attacks
- IPS should consistently block or miss all of them