Tools

This page contains a collection of tools that are helpful in experiment development, running and control. These tools are either developed by DETER/EMIST participants or are third-party tools we link to. If you find some of these tools particularly helpful or problematic, please let us know. Also, if you have tools that you have developed and would like to share, email us.

SEER is our premier tool for experiment development and control. It includes a Python backend that runs on experimental nodes (many OS flavors are supported) and a Java GUI that runs on a user's machine. Using SEER one can easily generate legitimate and attack traffic, and collect and visualize statistics. It is fully supported by DETER.

Legend:
Tool developed and maintained by DETER/EMIST participants
Tool developed but no longer maintained by DETER/EMIST participants
A third party tool, may or may not be maintained

Click on links below (each line is a link) to jump to a short description of a given tool or to a group of tools in a given category.

All-In-One Experiment Development and Control Kits
SEER
ESVT
Experiment Automation/Visualization Utilities
Purdue Tool Suite
Legitimate Traffic Generators
SEER
Tcpreplay
Performance Testing Tools
Webstone
NTGC
TCP Opera
Harpoon
Attack Traffic Generators
DoS and DDoS Traffic
SEER
Trinoo
TFN2K
Stacheldraht
Mstream
Custom Traffic
Packit
Worm Traffic Simulators
KMSim
PAWS
Traffic Forensic Tools
NTD
Topology Generators and Converters
Rocketfuel-to-ns (lots of AS topologies!)
Inet
Brite
GT-ITM
Benchmarks
DDoS Defense Benchmarks

All-In-One Experiment Development and Control Kits

The Security Experimentation EnviRonment (SEER), developed by SPARTA, Inc., is an experimenter's workbench that provides an integrated environment for network security experiment design and control. It includes agents for traffic generation, attack generation, traffic collection and analysis. There is also a GUI to help run the experiment from your desktop and visualize traffic on the nodes. It is fairly easy to learn how to use SEER. The GUI is a great entry point for novice users: experiments can be set up, run and their effect visualized using an intuitive point-and-click interface. SEER's scripting language, based on Perl, is a powerful tool for repetitive, large-scale, flexible experimentation. SEER traffic generators currently support various legitimate traffic types and a variety of DoS attacks. SPARTA is in the process of adding controls for other types of security experiments (e.g., worms, DNS attacks, routing attacks) to SEER.
Runs on: all platforms, written in Java
Best for: legitimate traffic generation, DoS traffic generation, visualization of traffic levels in topology
For questions contact: Brett Willson at SPARTA

ESVT (Experiment Specification and Visualization Tools), developed by Penn State University, is an experimenter's workbench that provides an integrated environment to interact with the DETER or EMULAB testbeds and to conduct network security emulation/simulation experiments. ESVT provides a modular, component-based topology editor, a TCL script generator, a worm experiment designer, and a visualization tool for experimental results. The GUI offers a topology editor toolbar to draw network topologies and then generate a TCL script from the designed topology in several formats. ESVT version 2.0 has an offline tcpdump-to-NetFlow converter, can read the output of the GT-ITM topology generator, and has more advanced visualization and data mining features to process (tcpdump) experimental output. ESVT is well suited for worm experiments.
Runs on: Windows XP and Windows 2000, written in C++
Best for: worm experiment generation and visualization
For questions contact: Lunquan Li at PSU

Experiment Automation/Visualization Utilities

The Purdue Tool Suite includes a Scriptable Event System (SES), measurement utilities, and a collection of scripts that can be used to process and visualize the measured data. SES helps experimenters control all test machines from a central location so that large-scale experiments can be orchestrated, synchronized and executed in a repeatable manner. The measurement tool tmeas records a number of system-level statistics: packets, bytes and TCP connections seen on host interfaces, and CPU and memory usage. The tool cwnd_track tracks the congestion window of TCP connections. The data analysis scripts help analyze data from BGP log files and from the tmeas tool, preparing it for plotting programs.
Runs on: UNIX
Best for: experiment scripting, TCP/CPU/memory statistics collection
For questions contact: Roman Chertov at Purdue University

Legitimate Traffic Generators

SEER, see above, generates legitimate traffic using Harpoon or custom-made Web, DNS, Ping, IRC, FTP and VoIP agents.

Tcpreplay is a suite of BSD-licensed tools that gives you the ability to inject previously captured traffic in libpcap format to test a variety of network devices. It allows you to classify traffic as client or server, rewrite Layer 2, 3 and 4 headers, and finally replay the traffic back onto the network and through other devices such as switches, routers, firewalls, NIDS and IPSs. Tcpreplay supports both single- and dual-NIC modes for testing both sniffing and inline devices.
Runs on: UNIX-flavored OSes and Win32 with Cygwin
Best for: replaying traces to regenerate same or similar traffic
For questions contact: Tcpreplay support

Performance testing tools (ttcp, nttcp, nuttcp and iperf) generate a volume of traffic with given characteristics to test network performance. This traffic is generally not "well-formed" in the application sense, but it follows transport protocol semantics.
Runs on: UNIX-flavored OSes
Best for: bulk volume traffic generation

Webstone, a benchmark owned by Mindcraft Inc., measures the performance of web server software and hardware products. Webstone consists of a program called the webmaster, which can be installed on a client in the network or on a separate computer. The webmaster distributes web client software, as well as configuration files for testing, to the client computers, which contact the web server to retrieve web pages or files in order to test web server performance. Webstone also tests operating system software, CPU and network speeds. While it was developed to measure the performance of web servers, it can be used to generate background traffic in a network: the multiple clients keep contacting the server over a period of time, thereby simulating web traffic in the network.
Runs on: UNIX-flavored OSes and Windows NT
Best for: Web traffic generation

NTGC - Network Traffic Compiler Generator, developed at UC Davis, can generate a traffic stream that statistically represents real network traffic. It was designed for DDoS and worm defense experiments. It extracts traffic attributes from pre-captured traffic traces in tcpdump (pcap) format and converts these attributes into configuration files driving low-level traffic generators such as ttcp or D-ITG.
Runs on: UNIX-flavored OSes
Best for: generating traffic similar to a collected trace
For questions contact: Allen Ting at UC Davis

TCPopera - Interactive Internet Traffic Replay, developed at UC Davis, is an interactive Internet traffic replay tool. The primary goals of TCPopera are (1) replaying TCP connections in a stateful manner, and (2) supporting traffic models for trace manipulation. TCPopera emulates the TCP protocol stack to replay traces interactively, taking TCP-level connection parameters and IP-level flow parameters into account to dynamically decide when to play each packet.
Runs on: UNIX-flavored OSes
Best for: generating traffic similar to a collected trace

Harpoon, developed at the University of Wisconsin, is a flow-level traffic generator. It uses a set of distributional parameters that can be automatically extracted from NetFlow traces to generate flows that exhibit the same statistical qualities present in measured Internet traces, including temporal and spatial characteristics. Harpoon can be used to generate representative background traffic for application or protocol testing, or for testing network switching hardware. Note, however, that while the traffic dynamics will resemble those found in the traces, Harpoon traffic runs over HTTP, so the application behavior may differ from the real one.
Runs on: UNIX-flavored OSes
Best for: generating traffic from traces or from high-level specifications.

Attack Traffic Generators

DoS and DDoS Traffic

SEER, see above, generates attack traffic using the Flooder tool, developed by SPARTA, and the Cleo tool, developed by UCLA. Look at SEER's Web page for a more detailed description of these tools. For security reasons we are not releasing their source code, but the tools are very versatile and we are open to adding new features, should you need them.

The following collection of real DDoS tools has little new to offer with regard to attack traffic generation when compared to SEER's capabilities. In general, SEER can generate the same traffic variations as these tools, and more, and is easier to control and customize. If, however, you are testing a defense that looks at the control traffic of DoS networks, these tools may be useful to you. They are all downloadable from third-party Web sites and are not maintained.

    Trinoo uses a master/slave architecture, where an attacker sends commands to the master via TCP and masters and slaves communicate via UDP. Both master and slaves are password protected to prevent them from being taken over by another attacker. Trinoo generates UDP packets of a given size to random ports on one or multiple target addresses, during a specified attack interval.

    TFN2K is an improved version of the TFN attack tool. It includes several features designed specifically to make TFN2K traffic difficult to recognize and filter, to remotely execute commands, to obfuscate the true source of the traffic, to transport TFN2K traffic over multiple transport protocols including UDP, TCP, and ICMP, and to confuse attempts to locate other nodes in a TFN2K network by sending decoy packets. TFN2K obfuscates the true traffic source by spoofing source addresses. Attackers can choose between random spoofing and spoofing within a specified range of addresses (to defeat ingress filtering). In addition to flooding, TFN2K can also perform some vulnerability attacks by sending malformed or invalid packets.

    Stacheldraht combines features of the Trinoo and TFN tools and adds encrypted communication between the attacker and the masters. Stacheldraht uses TCP for encrypted communication between the attacker and the masters, and TCP or ICMP for communication between masters and agents. Another added feature is the ability to perform automatic updates of agent code. Available attacks are UDP flood, TCP SYN flood, ICMP ECHO flood and Smurf attacks.

    Mstream generates a flood of TCP packets with the ACK bit set. Masters can be controlled remotely by one or more attackers using a password-protected interactive login. The communications between attacker and masters, and between a master and agents, are configurable at compile time and have varied significantly from incident to incident. Source addresses in attack packets are spoofed at random. The TCP ACK attack exhausts network resources and will likely cause a TCP RST to be sent to the spoofed source address (potentially also creating outgoing bandwidth consumption at the victim).

Custom Traffic at Network and Link Level

Packit (Packet Toolkit) is a network auditing tool. Its value is derived from its ability to customize, inject, monitor, and manipulate IP traffic. By allowing you to define (spoof) nearly all TCP, UDP, ICMP, IP, ARP, RARP, and Ethernet header options, Packit can be useful in testing firewalls, intrusion detection/prevention systems, port scanning, simulating network traffic, and general TCP/IP auditing. Packit is also an excellent tool for learning TCP/IP.

Worm Traffic Simulators

KMSim, developed by Penn State University, is simulation code that solves coupled Kermack-McKendrick epidemic equations to model the spread of a bandwidth-limited, randomly scanning Internet worm.
Runs on: UNIX
Best for: simulating simple worms
For questions contact: Lunquan Li at Penn State University.

PAWS, developed by the University of Delaware, is a discrete-time packet-level simulator. Compared with other worm models and simulations, PAWS replicates more details of the Internet environment and makes fewer simplifying assumptions about worm characteristics and the behavior of vulnerable hosts. PAWS simulates a realistic Internet model and the background traffic load, enabling investigation of possible congestion effects and the degradation suffered by legitimate traffic during worm spread. PAWS further supports various user-customizable parameters that enable testing of different worm characteristics and host and network diversity models.
Runs on: UNIX
Best for: simulating various worms, replicating details of the Internet environment
For questions contact: Songjie Wei at University of Delaware

Traffic Forensic Tools

Network Traffic Digesting (NTD) Tool, developed by Penn State University, is an off-line network traffic analysis tool capable of analyzing both TCPDUMP and Cisco NetFlow export format traces in Windows. The NTD tool can detect significant clusters, i.e., clusters whose traffic exceeds a user-specified threshold (either in terms of packet count or bytes). The thresholds can be specified in a unidimensional fashion (for source IP, destination IP, source port, destination port or protocol) and also in a multidimensional fashion for the five-tuple.
Runs on: UNIX
Best for: traffic analysis to detect large clusters of similar packets
For questions contact: Jishen Wang at Penn State University

Topology Generators and Converters

Rocketfuel-to-ns, developed by Purdue University, is a utility to convert RocketFuel-format data files into a set of configuration files runnable on an emulation testbed like the DETER testbed. Experiment configurations generated with this tool have the advantage of not being totally synthetic representations of the Internet; they provide a router-level topology based on real measurement data. This distribution also contains many sample NS files that represent real AS topologies.
Runs on: UNIX
Best for: collecting real AS topologies and importing them into DETER.

Inet, developed by the University of Michigan, is a generator of representative Autonomous System (AS) level Internet topologies.
Runs on: FreeBSD, Linux, Mac OS and Solaris
Best for: synthetic topology generation, following a power law.

Brite, developed by Boston University, is a generator of flat AS, flat router and hierarchical topologies, interoperable with various topology generators and simulators.
Best for: synthetic topology generation using different models and a GUI.

GT-ITM: Georgia Tech Internetwork Topology Models, developed by Georgia Tech, generates graphs that model the topological structure of internetworks.
Runs on: SunOS and Linux
Best for: synthetic topology generation for small size topologies.

Benchmarks

DDoS Defense Benchmarks, developed by the University of Delaware, contain:

  1. A benchmark suite with a set of scenarios to be used for defense evaluation, integrated with SEER,
  2. A set of performance metrics that characterize an attack's impact and a defense's performance, and
  3. A set of tools used for benchmark development, integration of benchmarks with the DETER testbed and calculation of performance metrics from tcpdump traces collected during DDoS experimentation.

Runs on: any platform
Best for: testing DDoS defenses
For questions contact: Jelena Mirkovic at ISI