medusa/the_information_nexus
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update tech_docs/linux/tap_interfaces.md

Browse Source
This commit is contained in:
medusa
2025-06-30 05:01:37 +00:00
parent 7e1c7e71c8
commit 4bf5a22afd
1 changed files with 395 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

394
tech_docs/linux/tap_interfaces.md
View File

@@ -76,3 +76,397 @@ ping 192.168.2.1 -I 192.168.1.1
### Conclusion
Using TAP interfaces in conjunction with Linux bridges provides a flexible, powerful way to simulate network setups, integrate with virtual machines, and manage network traffic flows within and between networks. This setup allows for detailed control over traffic, enabling advanced network management and testing capabilities.
---
# TAP Interface Lab with Traffic Generation & Stress Testing
Building on your existing TAP interface setup, this expanded lab includes comprehensive traffic generation capabilities for stress testing your network infrastructure.
## Prerequisites & Enhanced Tool Installation
```bash
# Basic tools (from your original setup)
sudo apt-get update
sudo apt-get install iproute2 openvpn bridge-utils
# Additional tools for traffic generation and monitoring
sudo apt-get install -y \
iperf3 \
netperf \
hping3 \
tcpdump \
wireshark-common \
tshark \
nmap \
ettercap-text-only \
scapy \
mtr \
fping \
bmon \
iftop \
vnstat \
stress-ng \
apache2-utils
```
## Enhanced Lab Setup
### Step 1: Create Multiple TAP Interfaces for Complex Testing
```bash
# Create multiple TAP interfaces for different test scenarios
for i in {0..3}; do
sudo openvpn --mktun --dev tap$i
sudo ip link set tap$i up
done
```
### Step 2: Create Multiple Bridges with Different Configurations
```bash
# Create bridges for different network segments
sudo ip link add name br-external type bridge
sudo ip link add name br-internal type bridge
sudo ip link add name br-dmz type bridge
sudo ip link add name br-test type bridge
# Bring up all bridges
for br in br-external br-internal br-dmz br-test; do
sudo ip link set $br up
done
```
### Step 3: Assign TAP Interfaces to Bridges
```bash
# Attach TAP interfaces to different bridges
sudo ip link set tap0 master br-external
sudo ip link set tap1 master br-internal
sudo ip link set tap2 master br-dmz
sudo ip link set tap3 master br-test
```
### Step 4: Configure IP Addressing for Test Networks
```bash
# Assign IP addresses to bridges
sudo ip addr add 10.1.0.1/24 dev br-external # External network
sudo ip addr add 10.2.0.1/24 dev br-internal # Internal network
sudo ip addr add 10.3.0.1/24 dev br-dmz # DMZ network
sudo ip addr add 10.4.0.1/24 dev br-test # Test network
# Enable IP forwarding
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
# Add routing between networks
sudo ip route add 10.2.0.0/24 via 10.1.0.1 dev br-external
sudo ip route add 10.3.0.0/24 via 10.1.0.1 dev br-external
sudo ip route add 10.4.0.0/24 via 10.1.0.1 dev br-external
```
## Traffic Generation Methods
### Method 1: Basic Throughput Testing with iperf3
```bash
# Start iperf3 server on one bridge
sudo ip netns add server-ns
sudo ip link set tap1 netns server-ns
sudo ip netns exec server-ns ip addr add 10.2.0.10/24 dev tap1
sudo ip netns exec server-ns ip link set tap1 up
sudo ip netns exec server-ns iperf3 -s -p 5001
# Run client from another namespace
sudo ip netns add client-ns
sudo ip link set tap0 netns client-ns
sudo ip netns exec client-ns ip addr add 10.1.0.10/24 dev tap0
sudo ip netns exec client-ns ip link set tap0 up
# Generate traffic (various patterns)
sudo ip netns exec client-ns iperf3 -c 10.2.0.10 -p 5001 -t 60 -P 10 # 10 parallel streams
sudo ip netns exec client-ns iperf3 -c 10.2.0.10 -p 5001 -u -b 100M -t 60 # UDP traffic
```
### Method 2: Packet-Level Stress Testing with hping3
```bash
# High-rate SYN flood simulation
sudo hping3 -S -p 80 --flood 10.2.0.10
# ICMP flood
sudo hping3 -1 --flood 10.2.0.10
# UDP flood with random source ports
sudo hping3 -2 -p ++1 --flood 10.2.0.10
# TCP with specific patterns
sudo hping3 -S -p 443 -i u100 10.2.0.10 # 100 microsecond intervals
```
### Method 3: Advanced Traffic Patterns with Scapy
Create a Python script for custom traffic generation:
```python
#!/usr/bin/env python3
from scapy.all import *
import threading
import time
def generate_mixed_traffic(target_ip, duration=60):
"""Generate mixed traffic patterns"""
end_time = time.time() + duration
while time.time() < end_time:
# HTTP-like traffic
http_pkt = IP(dst=target_ip)/TCP(dport=80, flags="S")
send(http_pkt, verbose=0)
# HTTPS traffic
https_pkt = IP(dst=target_ip)/TCP(dport=443, flags="S")
send(https_pkt, verbose=0)
# DNS queries
dns_pkt = IP(dst=target_ip)/UDP(dport=53)/DNS(rd=1, qd=DNSQR(qname="example.com"))
send(dns_pkt, verbose=0)
time.sleep(0.001) # 1ms between packets
def generate_burst_traffic(target_ip, burst_size=1000, interval=5):
"""Generate bursty traffic patterns"""
while True:
for _ in range(burst_size):
pkt = IP(dst=target_ip)/TCP(dport=RandShort(), flags="S")
send(pkt, verbose=0)
time.sleep(interval)
# Usage
if __name__ == "__main__":
target = "10.2.0.10"
# Start multiple traffic generators
t1 = threading.Thread(target=generate_mixed_traffic, args=(target, 300))
t2 = threading.Thread(target=generate_burst_traffic, args=(target, 500, 10))
t1.start()
t2.start()
```
### Method 4: Application-Layer Stress Testing
```bash
# HTTP load testing with Apache Bench
ab -n 10000 -c 100 http://10.2.0.10/
# More advanced HTTP testing
# First, set up a simple HTTP server in target namespace
sudo ip netns exec server-ns python3 -m http.server 8080 &
# Then generate load
ab -n 50000 -c 200 -t 300 http://10.2.0.10:8080/
```
## Monitoring and Analysis Tools
### Real-time Network Monitoring
```bash
# Monitor interface statistics
watch -n 1 'cat /proc/net/dev'
# Monitor bridge traffic
sudo bmon -p br-external,br-internal,br-dmz,br-test
# Real-time packet capture
sudo tcpdump -i br-external -w /tmp/traffic-external.pcap &
sudo tcpdump -i br-internal -w /tmp/traffic-internal.pcap &
# Interface bandwidth monitoring
sudo iftop -i br-external
```
### Performance Monitoring Script
```bash
#!/bin/bash
# monitor_lab.sh - Comprehensive lab monitoring
LOG_FILE="/tmp/lab_performance.log"
INTERVAL=5
monitor_bridges() {
while true; do
echo "$(date): Bridge Statistics" >> $LOG_FILE
for bridge in br-external br-internal br-dmz br-test; do
if ip link show $bridge >/dev/null 2>&1; then
stats=$(cat /sys/class/net/$bridge/statistics/rx_bytes 2>/dev/null || echo "0")
echo "$bridge RX bytes: $stats" >> $LOG_FILE
stats=$(cat /sys/class/net/$bridge/statistics/tx_bytes 2>/dev/null || echo "0")
echo "$bridge TX bytes: $stats" >> $LOG_FILE
fi
done
echo "---" >> $LOG_FILE
sleep $INTERVAL
done
}
monitor_system() {
while true; do
echo "$(date): System Performance" >> $LOG_FILE
echo "CPU: $(top -bn1 | grep "Cpu(s)" | awk '{print $2}' | cut -d'%' -f1)" >> $LOG_FILE
echo "Memory: $(free | grep Mem | awk '{printf "%.2f%%", $3/$2 * 100.0}')" >> $LOG_FILE
echo "Load: $(uptime | awk -F'load average:' '{print $2}')" >> $LOG_FILE
echo "---" >> $LOG_FILE
sleep $INTERVAL
done
}
# Start monitoring in background
monitor_bridges &
monitor_system &
echo "Monitoring started. Log file: $LOG_FILE"
echo "Stop with: pkill -f monitor_lab.sh"
```
## Stress Test Scenarios
### Scenario 1: Bandwidth Saturation Test
```bash
#!/bin/bash
# bandwidth_test.sh
echo "Starting bandwidth saturation test..."
# Multiple parallel iperf3 streams
for i in {1..10}; do
sudo ip netns exec client-ns iperf3 -c 10.2.0.10 -p $((5000+i)) -t 300 -P 4 &
done
# Monitor for 5 minutes
sleep 300
# Kill all iperf3 processes
pkill iperf3
echo "Bandwidth test completed"
```
### Scenario 2: Packet Rate Stress Test
```bash
#!/bin/bash
# packet_rate_test.sh
echo "Starting packet rate stress test..."
# High packet rate with small packets
sudo hping3 -i u10 -S -p 80 10.2.0.10 & # 100,000 pps
sudo hping3 -i u10 -1 10.2.0.10 & # ICMP flood
sudo hping3 -i u10 -2 -p ++1 10.2.0.10 & # UDP flood
# Let it run for 2 minutes
sleep 120
# Stop all hping3 processes
pkill hping3
echo "Packet rate test completed"
```
### Scenario 3: Connection Exhaustion Test
```bash
#!/bin/bash
# connection_test.sh
echo "Starting connection exhaustion test..."
# Generate many concurrent connections
for port in {8000..8100}; do
timeout 300 nc -l $port &
done
# Generate connections to exhaust resources
for i in {1..1000}; do
timeout 10 nc 10.2.0.10 $((8000 + (i % 100))) &
done
wait
echo "Connection test completed"
```
## Performance Tuning for High Load
```bash
# Increase network buffer sizes
echo 'net.core.rmem_default = 262144' | sudo tee -a /etc/sysctl.conf
echo 'net.core.rmem_max = 16777216' | sudo tee -a /etc/sysctl.conf
echo 'net.core.wmem_default = 262144' | sudo tee -a /etc/sysctl.conf
echo 'net.core.wmem_max = 16777216' | sudo tee -a /etc/sysctl.conf
# Increase connection tracking limits
echo 'net.netfilter.nf_conntrack_max = 1048576' | sudo tee -a /etc/sysctl.conf
echo 'net.netfilter.nf_conntrack_tcp_timeout_established = 1200' | sudo tee -a /etc/sysctl.conf
# Optimize for high packet rates
echo 'net.core.netdev_max_backlog = 5000' | sudo tee -a /etc/sysctl.conf
echo 'net.core.netdev_budget = 600' | sudo tee -a /etc/sysctl.conf
# Apply settings
sudo sysctl -p
```
## Cleanup Script
```bash
#!/bin/bash
# cleanup_lab.sh
echo "Cleaning up TAP interface lab..."
# Kill all traffic generation processes
pkill iperf3
pkill hping3
pkill tcpdump
pkill nc
# Remove network namespaces
sudo ip netns del server-ns 2>/dev/null || true
sudo ip netns del client-ns 2>/dev/null || true
# Remove TAP interfaces
for i in {0..3}; do
sudo openvpn --rmtun --dev tap$i 2>/dev/null || true
done
# Remove bridges
for br in br-external br-internal br-dmz br-test; do
sudo ip link set $br down 2>/dev/null || true
sudo ip link del $br 2>/dev/null || true
done
echo "Lab cleanup completed"
```
## Usage Examples
1. **Quick bandwidth test**: Run the bandwidth saturation scenario while monitoring with bmon
2. **Packet processing limits**: Use the packet rate test to find your system's packet processing ceiling
3. **Connection limits**: Test how many concurrent connections your setup can handle
4. **Mixed workload**: Combine different traffic types to simulate real-world conditions
## Advanced Analysis
Use the captured packet traces for detailed analysis:
```bash
# Analyze captured traffic
tshark -r /tmp/traffic-external.pcap -q -z conv,ip
tshark -r /tmp/traffic-external.pcap -q -z io,phs
# Generate performance reports
vnstat -i br-external --json > /tmp/vnstat-report.json
```
This expanded lab provides comprehensive stress testing capabilities while maintaining the flexibility of your original TAP interface setup. You can scale the tests based on your hardware capabilities and specific testing requirements.