Last updated on November 29, 2020 by Dan Nanni
When you are testing or debugging middlebox hardware such as routers, switches, or intrusion detection systems (Snort or Suricata), it is extremely useful to perform the testing with reproducible network traffic. Using repeatable traffic minimizes any kind of uncertainty in the testing environment, thereby making testing results easier to interpret and analyze.
In Linux, there is a suite of command-line utilities called tcpreplay which can replay captured network traffic.
In this tutorial, I will show you how to capture live network traffic with tcpdump and replay the captured traffic elsewhere with tcpreplay on your Linux system. To install tcpreplay, follow the instructions in this tutorial.
The next step is to capture live network traffic and dump it to a pcap file. To do so, run the tcpdump command as follows. I assume that eth0 is the sniffing interface, which is set to
$ sudo tcpdump -w dump.pcap -i eth0
Next, rewrite the packets captured in the pcap file. This rewriting step is necessary because the source/destination IP/MAC addresses in the original pcap file may not match those in the environment where you want to replay it. You can use the following set of commands to perform such packet rewriting. Replace the IP/MAC addresses with your own.
1. Rewrite any destination IP address and MAC address in the input traffic dump to 192.168.1.20 and E0:DB:55:CC:13:F1, respectively, and store the result in temp1.pcap:
$ tcprewrite --infile=dump.pcap --outfile=temp1.pcap --dstipmap=0.0.0.0/0:192.168.1.20 --enet-dmac=E0:DB:55:CC:13:F1
2. Rewrite any source IP address and MAC address in the input traffic dump to 192.168.1.10 and 84:A5:C8:BB:58:1A, respectively, and store the result in temp2.pcap:
$ tcprewrite --infile=temp1.pcap --outfile=temp2.pcap --srcipmap=0.0.0.0/0:192.168.1.10 --enet-smac=84:A5:C8:BB:58:1A
3. Update the checksum of every packet:
$ tcprewrite --infile=temp2.pcap --outfile=final.pcap --fixcsum
The above command recomputes the IP checksum of every packet. This step is necessary if you have rewritten any source/destination IP addresses.
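To show what these three tcprewrite steps do to the bytes of a capture, here is an added Python example; it is not part of the original tutorial and not code from the tcpreplay project. It parses a small pcap constructed inline (standing in for dump.pcap), rewrites the Ethernet MAC and IPv4 addresses the way --enet-dmac/--enet-smac and --dstipmap/--srcipmap do, and recomputes the IPv4 header checksum as --fixcsum does. The fix_csum=False path shows the stale checksum a rewritten-but-unfixed packet carries, which is why step 3 is needed. Only the IPv4 header checksum is handled here; tcprewrite also recomputes TCP/UDP checksums, which this example leaves untouched. The function names and the sample packet are my own assumptions.

```python
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4   # little-endian pcap with microsecond timestamps
ETHERTYPE_IPV4 = 0x0800


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(part) for part in ip.split("."))


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum. Pass the header with its checksum field zeroed
    to compute the checksum, or with the field filled in to verify it (valid -> 0)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_sample_pcap() -> bytes:
    """Constructed one-packet capture (Ethernet/IPv4/UDP); not a real dump.pcap."""
    payload = b"hello"
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0x4000, 64, 17,
                     0, ip_bytes("10.0.0.1"), ip_bytes("10.0.0.2"))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    frame = (mac_bytes("00:11:22:33:44:55") + mac_bytes("66:77:88:99:AA:BB")
             + struct.pack("!H", ETHERTYPE_IPV4) + ip + udp)
    global_hdr = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)
    record_hdr = struct.pack("<IIII", 1606608000, 0, len(frame), len(frame))
    return global_hdr + record_hdr + frame


def rewrite_pcap(data, *, dst_ip=None, dst_mac=None, src_ip=None, src_mac=None, fix_csum=True):
    """Rewrite addresses in every Ethernet/IPv4 frame of a pcap (like the tcprewrite steps
    above) and, if fix_csum, recompute the IPv4 header checksum (like --fixcsum)."""
    if struct.unpack("<I", data[:4])[0] != PCAP_MAGIC_LE:
        raise ValueError("only little-endian microsecond pcap files are handled here")
    out = bytearray(data[:24])          # global header is copied unchanged
    offset = 24
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack("<IIII", data[offset:offset + 16])
        frame = bytearray(data[offset + 16:offset + 16 + incl_len])
        offset += 16 + incl_len
        if len(frame) >= 34 and struct.unpack("!H", frame[12:14])[0] == ETHERTYPE_IPV4:
            if dst_mac:
                frame[0:6] = mac_bytes(dst_mac)
            if src_mac:
                frame[6:12] = mac_bytes(src_mac)
            # IPv4 header starts at byte 14; addresses sit at fixed offsets before any options
            if src_ip:
                frame[26:30] = ip_bytes(src_ip)
            if dst_ip:
                frame[30:34] = ip_bytes(dst_ip)
            if fix_csum:
                ihl = (frame[14] & 0x0F) * 4
                frame[24:26] = b"\x00\x00"   # zero the field, then sum the whole header
                frame[24:26] = struct.pack("!H", ipv4_checksum(bytes(frame[14:14 + ihl])))
        out += struct.pack("<IIII", ts_sec, ts_usec, len(frame), orig_len) + frame
    return bytes(out)


def first_packet_fields(data: bytes) -> dict:
    """Decode the first frame (Ethernet/IPv4) so a rewrite can be checked."""
    frame = data[40:]                    # 24-byte global header + 16-byte record header
    ihl = (frame[14] & 0x0F) * 4
    return {
        "dst_mac": ":".join("%02X" % b for b in frame[0:6]),
        "src_mac": ":".join("%02X" % b for b in frame[6:12]),
        "src_ip": ".".join(str(b) for b in frame[26:30]),
        "dst_ip": ".".join(str(b) for b in frame[30:34]),
        "csum_ok": ipv4_checksum(bytes(frame[14:14 + ihl])) == 0,
    }


if __name__ == "__main__":
    final = rewrite_pcap(build_sample_pcap(), dst_ip="192.168.1.20", dst_mac="E0:DB:55:CC:13:F1",
                         src_ip="192.168.1.10", src_mac="84:A5:C8:BB:58:1A")
    print(first_packet_fields(final))
```

Running the script rewrites the constructed packet to the same addresses used in the commands above and prints the decoded fields with csum_ok True; calling rewrite_pcap with fix_csum=False and only dst_ip set produces a frame whose header no longer sums to zero, which is the state a real replay target would drop or flag.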
After you are done with packet rewriting, you can go ahead and replay the finalized packet dump as follows.
$ sudo tcpreplay --intf1=eth0 final.pcap
The tcpreplay command offers various options to customize replay settings (e.g., speed, duration, performance).
To loop through a pcap file 100 times:
$ sudo tcpreplay --loop=100 --intf1=eth0 final.pcap
To cache a pcap file in RAM after the first pass, so that subsequent loops do not incur disk I/O latency:
$ sudo tcpreplay --loop=100 --enable-file-cache --intf1=eth0 final.pcap
To replay traffic five times as fast as the original traffic was captured:
$ sudo tcpreplay --multiplier=5.0 --intf1=eth0 final.pcap
To replay traffic at a rate of 10Mbps:
$ sudo tcpreplay --mbps=10.0 --intf1=eth0 final.pcap
To replay traffic at 100 packets per second:
$ sudo tcpreplay --pps=100 --intf1=eth0 final.pcap
To replay traffic in an infinite loop, until Ctrl-c is pressed:
$ sudo tcpreplay --loop=0 --intf1=eth0 final.pcap
To replay traffic as quickly as possible:
$ sudo tcpreplay --topspeed --intf1=eth0 final.pcap
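As an added illustration of how these timing options differ (example code, not from the tutorial and not tcpreplay's own scheduler), the following Python computes when each packet of a small constructed trace would be sent under --multiplier, --pps, --mbps and --topspeed. It is a simplified model meant to make the options comparable, not a reimplementation of tcpreplay; the function names and the trace values are assumptions.

```python
from typing import List, Tuple

# Constructed trace of (capture timestamp in seconds, frame length in bytes),
# standing in for the packets and timestamps tcpdump stored in final.pcap.
SAMPLE_TRACE: List[Tuple[float, int]] = [(0.000, 60), (0.010, 1500), (0.030, 1500), (0.035, 60)]


def send_offsets(trace, *, multiplier=None, pps=None, mbps=None, topspeed=False) -> List[float]:
    """Seconds after replay start at which each packet goes out, under exactly one mode:
    multiplier scales the captured inter-packet gaps, pps fixes a packet rate, mbps fixes
    a bit rate, topspeed sends with no delay. Simplified model of the options above."""
    chosen = sum(v is not None for v in (multiplier, pps, mbps)) + int(topspeed)
    if chosen != 1:
        raise ValueError("pick exactly one of multiplier, pps, mbps, topspeed")
    offsets, clock = [], 0.0
    for i, (ts, _length) in enumerate(trace):
        if i > 0:
            prev_ts, prev_len = trace[i - 1]
            if multiplier is not None:
                clock += (ts - prev_ts) / multiplier          # 5.0 squeezes gaps to a fifth
            elif pps is not None:
                clock += 1.0 / pps                            # one packet every 1/pps seconds
            elif mbps is not None:
                clock += prev_len * 8 / (mbps * 1_000_000)    # wire time of the previous frame
            # topspeed: no delay at all, so clock stays at 0.0
        offsets.append(round(clock, 9))
    return offsets


def achieved_rates(trace, offsets) -> Tuple[float, float]:
    """Approximate (packets/s, Mbit/s) realised over one pass, for comparing the modes;
    the duration runs from the first send to the last, so it slightly overstates rates."""
    duration = offsets[-1] - offsets[0]
    if duration <= 0:
        return float("inf"), float("inf")
    bits = sum(length * 8 for _, length in trace)
    return round(len(trace) / duration, 3), round(bits / duration / 1_000_000, 3)


if __name__ == "__main__":
    for label, mode in (("--multiplier=5.0", dict(multiplier=5.0)), ("--pps=100", dict(pps=100)),
                        ("--mbps=10.0", dict(mbps=10.0)), ("--topspeed", dict(topspeed=True))):
        offs = send_offsets(SAMPLE_TRACE, **mode)
        print(label, offs, achieved_rates(SAMPLE_TRACE, offs))
```

The point the numbers make is that --multiplier preserves the shape of the original timing (bursts stay bursts), while --pps and --mbps replace it with a constant rate, so a detection test that depends on burst behaviour should use --multiplier rather than a fixed rate.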
In this tutorial, I demonstrated how to modify packet traces in a systematic way using tcprewrite, and how to inject them onto the network with tcpreplay. Combined with other pcap manipulation tools, they give you an effective means of doing various kinds of network testing and troubleshooting in a more controlled environment.