I forgot to mention that I didn't sort out test cases yet. The current test case (single zero length packet) is not ideal.

We might have a single test case, say a single TCP SYN packet. However, if there are distinct areas of functionality in passt (e.g. TCP connect, ARP, DNS, DHCP, ...), *and* if those are geometrically very far apart in the search space, then you could argue for having one test case per major feature. Capturing that into tap files will be a fun afternoon for someone.

More on this topic here:
https://aflplus.plus/docs/fuzzing_in_depth/#2-preparing-the-fuzzing-campaign

- - -

Also ... while we do have --fd functionality, even better would be to modify passt so it can read input from stdin and drop output. See:
https://aflplus.plus/docs/best_practices/#fuzzing-a-network-service

The socketpair / --fd approach is a bit cleaner.

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-top is 'top' for virtual machines. Tiny program with many
powerful monitoring features, net stats, disk stats, logging, etc.
http://people.redhat.com/~rjones/virt-top
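
An added illustration, not part of the original message or of passt's code: a sketch that builds the single TCP SYN seed suggested above, with valid IPv4 and TCP checksums so the fuzzer starts from a packet that gets past header validation. It assumes each packet in the input file is an Ethernet frame preceded by a 32-bit big-endian length (an assumption; the message does not describe the tap file layout), and the MAC and IP addresses, ports and the `seeds/` directory name are constructed.

```python
import os
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def tcp_syn_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, seq=1):
    """Ethernet + IPv4 + TCP SYN with no options and no payload (54 bytes)."""
    # TCP header: data offset 5 words, flags 0x02 (SYN), checksum zero for now.
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02, 65535, 0, 0)
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", inet_checksum(pseudo + tcp)) + tcp[18:]
    # IPv4 header: version 4, IHL 5, DF set, TTL 64, protocol 6 (TCP).
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000,
                     64, 6, 0, src_ip, dst_ip)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return dst_mac + src_mac + struct.pack("!H", 0x0800) + ip + tcp

def framed(frame: bytes) -> bytes:
    """Assumed input framing: 32-bit big-endian length, then the frame."""
    return struct.pack("!I", len(frame)) + frame

def build_seed() -> bytes:
    # Constructed sample values: locally administered MACs, TEST-NET-1 addresses.
    return framed(tcp_syn_frame(
        src_mac=bytes.fromhex("020000000001"),
        dst_mac=bytes.fromhex("020000000002"),
        src_ip=bytes([192, 0, 2, 1]),
        dst_ip=bytes([192, 0, 2, 2]),
        sport=40000, dport=80))

if __name__ == "__main__":
    os.makedirs("seeds", exist_ok=True)  # hypothetical corpus dir for afl-fuzz -i
    with open("seeds/tcp_syn.bin", "wb") as f:
        f.write(build_seed())
```

Seeds for other features (ARP, DNS, DHCP) would each go in their own file in the same directory, one small input per feature.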