How to capture and replay network traffic on Linux

Last updated on November 29, 2020 by Dan Nanni

When you are testing or debugging middlebox hardware such as routers, switches, or intrusion detection systems (Snort or Suricata), it is extremely useful to perform the testing with reproducible network traffic. Using repeatable traffic minimizes any kind of uncertainty in the testing environment, thereby making testing results easier to interpret and analyze.

In Linux, there is a suites of command-line utilities called tcpreplay which can replay captured network traffic.

In this tutorial, I will show you how to capture live network traffic and replay the captured network traffic elsewhere with tcpreplay.

Capture Live Network Traffic

First, install tcpreplay and tcpdump on your Linux system. To install tcpreplay, follow the instructions in this tutorial.

The next step is to capture live network traffic, and dump it to a pcap file. To do so, run tcpdump command as follows. I assume that eth0 is the sniffing interface which is set to promiscuous mode.

$ sudo tcpdump -w dump.pcap -i eth0

Rewrite Packets in Traffic Dump

Next, rewrite packets captured in a pcap file. The reason why rewriting step is necessary is because source/destination IP/MAC addresses in the original pcap file may be mismatched with those in the environment where you want to replay the pcap file. You can use the following set of commands to perform such packet rewriting. Replace IP/MAC addresses with your own.

1. Rewrite any destination IP address and MAC address in dump.pcap to and E0:DB:55:CC:13:F1, respectivelyi, and store the result to temp1.pcap:

$ tcprewrite --infile=dump.pcap --outfile=temp1.pcap --dstipmap= --enet-dmac=E0:DB:55:CC:13:F1

2. Rewrite any source IP address and MAC address in input traffic dump to and 84:A5:C8:BB:58:1A, respectively:

$ tcprewrite --infile=temp1.pcap --outfile=temp2.pcap --srcipmap= --enet-smac=84:A5:C8:BB:58:1A

3. Update the checksum of every packet:

$ tcprewrite --infile=temp2.pcap --outfile=final.pcap --fixcsum

The above command recomputes the IP checksum of every packet. This step is necessary if you have rewritten any source/destination IP addresses.

After you are done with packet rewriting, you can go ahead and replay the finalized packet dump as follows.

$ sudo tcpreplay --intf1=eth0 final.pcap

Customize Traffic Replay Settings

The tcpreplay command offers various options to customize replay settings (e.g., speed, duration, performance).

To loop through a pcap file 100 times:

$ sudo tcpreplay --loop=100 --intf1=eth0 final.pcap

To cache a pcap file in RAM after the first time, so that subsequent loops do not incur disk I/O latency:

$ sudo tcpreplay --loop=100 --enable-file-cache --intf1=eth0 final.pcap

To replay traffic five times as fast as the original traffic was captured:

$ sudo tcpreplay --multiplier=5.0 --intf1=eth0 final.pcap

To replay traffic at a rate of 10Mbps:

$ sudo tcpreplay --mbps=10.0 --intf1=eth0 final.pcap

To replay traffic at 100 packets per second:

$ sudo tcpreplay --pps=100 --intf1=eth0 final.pcap

To replay traffic in infinite loops or until Ctrl-c is pressed:

$ sudo tcpreplay --loop=0 --intf1=eth0 final.pcap

To replay traffic as quickly as possible:

$ sudo tcpreplay --topspeed --intf1=eth0 final.pcap


In this tutorial, I demonstrated how to modify packet traces in a systematic way using tcprewrite, and inject them on to the network with tcpreplay. Combined with other pcap manipulation tools, they will give you an effective means to do various network testing and troubleshooting in a more controlled environment.

Support Xmodulo

This website is made possible by minimal ads and your gracious donation via PayPal or credit card

Please note that this article is published by under a Creative Commons Attribution-ShareAlike 3.0 Unported License. If you would like to use the whole or any part of this article, you need to cite this web page at as the original source.

Xmodulo © 2021 ‒ AboutWrite for UsFeed ‒ Powered by DigitalOcean