From 4bf5a22afd511425c6071b0cbb03cfd0e0e857a5 Mon Sep 17 00:00:00 2001 From: medusa Date: Mon, 30 Jun 2025 05:01:37 +0000 Subject: [PATCH] Update tech_docs/linux/tap_interfaces.md --- tech_docs/linux/tap_interfaces.md | 396 +++++++++++++++++++++++++++++- 1 file changed, 395 insertions(+), 1 deletion(-) diff --git a/tech_docs/linux/tap_interfaces.md b/tech_docs/linux/tap_interfaces.md index 23ea402..29da08d 100644 --- a/tech_docs/linux/tap_interfaces.md +++ b/tech_docs/linux/tap_interfaces.md @@ -75,4 +75,398 @@ ping 192.168.2.1 -I 192.168.1.1 ### Conclusion -Using TAP interfaces in conjunction with Linux bridges provides a flexible, powerful way to simulate network setups, integrate with virtual machines, and manage network traffic flows within and between networks. This setup allows for detailed control over traffic, enabling advanced network management and testing capabilities. \ No newline at end of file +Using TAP interfaces in conjunction with Linux bridges provides a flexible, powerful way to simulate network setups, integrate with virtual machines, and manage network traffic flows within and between networks. This setup allows for detailed control over traffic, enabling advanced network management and testing capabilities. + +--- + +# TAP Interface Lab with Traffic Generation & Stress Testing + +Building on your existing TAP interface setup, this expanded lab includes comprehensive traffic generation capabilities for stress testing your network infrastructure. + +## Prerequisites & Enhanced Tool Installation + +```bash +# Basic tools (from your original setup) +sudo apt-get update +sudo apt-get install iproute2 openvpn bridge-utils + +# Additional tools for traffic generation and monitoring +sudo apt-get install -y \ + iperf3 \ + netperf \ + hping3 \ + tcpdump \ + wireshark-common \ + tshark \ + nmap \ + ettercap-text-only \ + scapy \ + mtr \ + fping \ + bmon \ + iftop \ + vnstat \ + stress-ng \ + apache2-utils +``` + +## Enhanced Lab Setup + +### Step 1: Create Multiple TAP Interfaces for Complex Testing + +```bash +# Create multiple TAP interfaces for different test scenarios +for i in {0..3}; do + sudo openvpn --mktun --dev tap$i + sudo ip link set tap$i up +done +``` + +### Step 2: Create Multiple Bridges with Different Configurations + +```bash +# Create bridges for different network segments +sudo ip link add name br-external type bridge +sudo ip link add name br-internal type bridge +sudo ip link add name br-dmz type bridge +sudo ip link add name br-test type bridge + +# Bring up all bridges +for br in br-external br-internal br-dmz br-test; do + sudo ip link set $br up +done +``` + +### Step 3: Assign TAP Interfaces to Bridges + +```bash +# Attach TAP interfaces to different bridges +sudo ip link set tap0 master br-external +sudo ip link set tap1 master br-internal +sudo ip link set tap2 master br-dmz +sudo ip link set tap3 master br-test +``` + +### Step 4: Configure IP Addressing for Test Networks + +```bash +# Assign IP addresses to bridges +sudo ip addr add 10.1.0.1/24 dev br-external # External network +sudo ip addr add 10.2.0.1/24 dev br-internal # Internal network +sudo ip addr add 10.3.0.1/24 dev br-dmz # DMZ network +sudo ip addr add 10.4.0.1/24 dev br-test # Test network + +# Enable IP forwarding +echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward + +# Add routing between networks +sudo ip route add 10.2.0.0/24 via 10.1.0.1 dev br-external +sudo ip route add 10.3.0.0/24 via 10.1.0.1 dev br-external +sudo ip route add 10.4.0.0/24 via 10.1.0.1 dev br-external +``` + +## Traffic Generation Methods + +### Method 1: Basic Throughput Testing with iperf3 + +```bash +# Start iperf3 server on one bridge +sudo ip netns add server-ns +sudo ip link set tap1 netns server-ns +sudo ip netns exec server-ns ip addr add 10.2.0.10/24 dev tap1 +sudo ip netns exec server-ns ip link set tap1 up +sudo ip netns exec server-ns iperf3 -s -p 5001 + +# Run client from another namespace +sudo ip netns add client-ns +sudo ip link set tap0 netns client-ns +sudo ip netns exec client-ns ip addr add 10.1.0.10/24 dev tap0 +sudo ip netns exec client-ns ip link set tap0 up + +# Generate traffic (various patterns) +sudo ip netns exec client-ns iperf3 -c 10.2.0.10 -p 5001 -t 60 -P 10 # 10 parallel streams +sudo ip netns exec client-ns iperf3 -c 10.2.0.10 -p 5001 -u -b 100M -t 60 # UDP traffic +``` + +### Method 2: Packet-Level Stress Testing with hping3 + +```bash +# High-rate SYN flood simulation +sudo hping3 -S -p 80 --flood 10.2.0.10 + +# ICMP flood +sudo hping3 -1 --flood 10.2.0.10 + +# UDP flood with random source ports +sudo hping3 -2 -p ++1 --flood 10.2.0.10 + +# TCP with specific patterns +sudo hping3 -S -p 443 -i u100 10.2.0.10 # 100 microsecond intervals +``` + +### Method 3: Advanced Traffic Patterns with Scapy + +Create a Python script for custom traffic generation: + +```python +#!/usr/bin/env python3 +from scapy.all import * +import threading +import time + +def generate_mixed_traffic(target_ip, duration=60): + """Generate mixed traffic patterns""" + end_time = time.time() + duration + + while time.time() < end_time: + # HTTP-like traffic + http_pkt = IP(dst=target_ip)/TCP(dport=80, flags="S") + send(http_pkt, verbose=0) + + # HTTPS traffic + https_pkt = IP(dst=target_ip)/TCP(dport=443, flags="S") + send(https_pkt, verbose=0) + + # DNS queries + dns_pkt = IP(dst=target_ip)/UDP(dport=53)/DNS(rd=1, qd=DNSQR(qname="example.com")) + send(dns_pkt, verbose=0) + + time.sleep(0.001) # 1ms between packets + +def generate_burst_traffic(target_ip, burst_size=1000, interval=5): + """Generate bursty traffic patterns""" + while True: + for _ in range(burst_size): + pkt = IP(dst=target_ip)/TCP(dport=RandShort(), flags="S") + send(pkt, verbose=0) + time.sleep(interval) + +# Usage +if __name__ == "__main__": + target = "10.2.0.10" + + # Start multiple traffic generators + t1 = threading.Thread(target=generate_mixed_traffic, args=(target, 300)) + t2 = threading.Thread(target=generate_burst_traffic, args=(target, 500, 10)) + + t1.start() + t2.start() +``` + +### Method 4: Application-Layer Stress Testing + +```bash +# HTTP load testing with Apache Bench +ab -n 10000 -c 100 http://10.2.0.10/ + +# More advanced HTTP testing +# First, set up a simple HTTP server in target namespace +sudo ip netns exec server-ns python3 -m http.server 8080 & + +# Then generate load +ab -n 50000 -c 200 -t 300 http://10.2.0.10:8080/ +``` + +## Monitoring and Analysis Tools + +### Real-time Network Monitoring + +```bash +# Monitor interface statistics +watch -n 1 'cat /proc/net/dev' + +# Monitor bridge traffic +sudo bmon -p br-external,br-internal,br-dmz,br-test + +# Real-time packet capture +sudo tcpdump -i br-external -w /tmp/traffic-external.pcap & +sudo tcpdump -i br-internal -w /tmp/traffic-internal.pcap & + +# Interface bandwidth monitoring +sudo iftop -i br-external +``` + +### Performance Monitoring Script + +```bash +#!/bin/bash +# monitor_lab.sh - Comprehensive lab monitoring + +LOG_FILE="/tmp/lab_performance.log" +INTERVAL=5 + +monitor_bridges() { + while true; do + echo "$(date): Bridge Statistics" >> $LOG_FILE + for bridge in br-external br-internal br-dmz br-test; do + if ip link show $bridge >/dev/null 2>&1; then + stats=$(cat /sys/class/net/$bridge/statistics/rx_bytes 2>/dev/null || echo "0") + echo "$bridge RX bytes: $stats" >> $LOG_FILE + stats=$(cat /sys/class/net/$bridge/statistics/tx_bytes 2>/dev/null || echo "0") + echo "$bridge TX bytes: $stats" >> $LOG_FILE + fi + done + echo "---" >> $LOG_FILE + sleep $INTERVAL + done +} + +monitor_system() { + while true; do + echo "$(date): System Performance" >> $LOG_FILE + echo "CPU: $(top -bn1 | grep "Cpu(s)" | awk '{print $2}' | cut -d'%' -f1)" >> $LOG_FILE + echo "Memory: $(free | grep Mem | awk '{printf "%.2f%%", $3/$2 * 100.0}')" >> $LOG_FILE + echo "Load: $(uptime | awk -F'load average:' '{print $2}')" >> $LOG_FILE + echo "---" >> $LOG_FILE + sleep $INTERVAL + done +} + +# Start monitoring in background +monitor_bridges & +monitor_system & + +echo "Monitoring started. Log file: $LOG_FILE" +echo "Stop with: pkill -f monitor_lab.sh" +``` + +## Stress Test Scenarios + +### Scenario 1: Bandwidth Saturation Test + +```bash +#!/bin/bash +# bandwidth_test.sh + +echo "Starting bandwidth saturation test..." + +# Multiple parallel iperf3 streams +for i in {1..10}; do + sudo ip netns exec client-ns iperf3 -c 10.2.0.10 -p $((5000+i)) -t 300 -P 4 & +done + +# Monitor for 5 minutes +sleep 300 + +# Kill all iperf3 processes +pkill iperf3 +echo "Bandwidth test completed" +``` + +### Scenario 2: Packet Rate Stress Test + +```bash +#!/bin/bash +# packet_rate_test.sh + +echo "Starting packet rate stress test..." + +# High packet rate with small packets +sudo hping3 -i u10 -S -p 80 10.2.0.10 & # 100,000 pps +sudo hping3 -i u10 -1 10.2.0.10 & # ICMP flood +sudo hping3 -i u10 -2 -p ++1 10.2.0.10 & # UDP flood + +# Let it run for 2 minutes +sleep 120 + +# Stop all hping3 processes +pkill hping3 +echo "Packet rate test completed" +``` + +### Scenario 3: Connection Exhaustion Test + +```bash +#!/bin/bash +# connection_test.sh + +echo "Starting connection exhaustion test..." + +# Generate many concurrent connections +for port in {8000..8100}; do + timeout 300 nc -l $port & +done + +# Generate connections to exhaust resources +for i in {1..1000}; do + timeout 10 nc 10.2.0.10 $((8000 + (i % 100))) & +done + +wait +echo "Connection test completed" +``` + +## Performance Tuning for High Load + +```bash +# Increase network buffer sizes +echo 'net.core.rmem_default = 262144' | sudo tee -a /etc/sysctl.conf +echo 'net.core.rmem_max = 16777216' | sudo tee -a /etc/sysctl.conf +echo 'net.core.wmem_default = 262144' | sudo tee -a /etc/sysctl.conf +echo 'net.core.wmem_max = 16777216' | sudo tee -a /etc/sysctl.conf + +# Increase connection tracking limits +echo 'net.netfilter.nf_conntrack_max = 1048576' | sudo tee -a /etc/sysctl.conf +echo 'net.netfilter.nf_conntrack_tcp_timeout_established = 1200' | sudo tee -a /etc/sysctl.conf + +# Optimize for high packet rates +echo 'net.core.netdev_max_backlog = 5000' | sudo tee -a /etc/sysctl.conf +echo 'net.core.netdev_budget = 600' | sudo tee -a /etc/sysctl.conf + +# Apply settings +sudo sysctl -p +``` + +## Cleanup Script + +```bash +#!/bin/bash +# cleanup_lab.sh + +echo "Cleaning up TAP interface lab..." + +# Kill all traffic generation processes +pkill iperf3 +pkill hping3 +pkill tcpdump +pkill nc + +# Remove network namespaces +sudo ip netns del server-ns 2>/dev/null || true +sudo ip netns del client-ns 2>/dev/null || true + +# Remove TAP interfaces +for i in {0..3}; do + sudo openvpn --rmtun --dev tap$i 2>/dev/null || true +done + +# Remove bridges +for br in br-external br-internal br-dmz br-test; do + sudo ip link set $br down 2>/dev/null || true + sudo ip link del $br 2>/dev/null || true +done + +echo "Lab cleanup completed" +``` + +## Usage Examples + +1. **Quick bandwidth test**: Run the bandwidth saturation scenario while monitoring with bmon +2. **Packet processing limits**: Use the packet rate test to find your system's packet processing ceiling +3. **Connection limits**: Test how many concurrent connections your setup can handle +4. **Mixed workload**: Combine different traffic types to simulate real-world conditions + +## Advanced Analysis + +Use the captured packet traces for detailed analysis: + +```bash +# Analyze captured traffic +tshark -r /tmp/traffic-external.pcap -q -z conv,ip +tshark -r /tmp/traffic-external.pcap -q -z io,phs + +# Generate performance reports +vnstat -i br-external --json > /tmp/vnstat-report.json +``` + +This expanded lab provides comprehensive stress testing capabilities while maintaining the flexibility of your original TAP interface setup. You can scale the tests based on your hardware capabilities and specific testing requirements. \ No newline at end of file