Control and replay network traffic with tcpreplay
February 14, 2011. Posted by Tournas Dimitrios in Linux admin tools.
Tcpreplay is a suite of utilities for UNIX-like systems for editing and replaying network traffic that was previously captured by tools such as tcpdump and Wireshark (formerly Ethereal). The goal of tcpreplay is to provide reliable and repeatable traffic for testing a variety of network devices such as switches, routers, firewalls, and network intrusion detection and prevention systems (IDS and IPS). It is important to note that tcpreplay is completely stateless and cannot update TCP sequence and acknowledgement numbers, so it does not support replaying traffic to a live server. If you are interested in that kind of functionality, check out flowreplay instead.
Tcpreplay provides the tools to classify traffic as client or server, edit packets at layers 2, 3 and 4 of the OSI model, and replay the traffic at arbitrary speeds onto a network for sniffing or through a device. I hope this introduction gave you a picture of the capabilities of this suite, and that you understand that in the wrong hands this tool can put your network security in real trouble. The tools contained in the package are:
- tcpbridge —> allows you to connect two network segments and bridge them.
- tcpprep —> characterizes packets as client->server or server->client
- tcpreplay —> send packets: takes a pcap file and replays it as is. If you have 1 flow between two IP addresses, it will replay that. If you have 100,000 flows between 10,000 clients/servers it’ll do that too. It doesn’t decode the packets at any level, so it doesn’t really care how many IP addresses are in the pcap. It doesn’t even need to be IP traffic. If you want to send traffic on two interfaces (to send traffic through a device), tcpreplay needs to be told which packets go out which interface using a tcpprep cache file.
- tcpreplay-edit —> tcpreplay now comes in two flavors: tcpreplay and tcpreplay-edit. The only difference between the two is that tcpreplay-edit embeds all the packet editing functionality found in tcprewrite. This is nice because you can edit and send all in one step, but it does have a performance hit.
- tcprewrite —> edit packets (mostly at L2-L4)
The tcpreplay package for CentOS 5.x is available ready-made from the EPEL repository. It depends on the libpcap library, but your package manager (yum) will usually resolve the dependency automatically.
| Command | Description |
|---|---|
| `# tcpreplay -i eth0 sample.pcap` | Replay a given pcap as it was captured |

You can also replay the traffic at different speeds than it was originally captured.

| Command | Description |
|---|---|
| `# tcpreplay --loop=10 -i eth0 sample.pcap` | Replay the sample.pcap file 10 times |
| `# tcpreplay --loop=0 -i eth0 sample.pcap` | Replay sample.pcap forever, or until CTRL-C is pressed |
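The two-interface case mentioned under tcpreplay above (replaying a capture through a device under test, with a tcpprep cache file deciding which packets leave which interface) and the rate-controlled replay shown in the table, as an added example that is not part of the original post. It assumes a capture named sample.pcap, eth0 facing the client side of the device and eth1 the server side, and lab addresses and MACs that are placeholders; by default it only prints the commands (DRY_RUN=1), since actually sending requires root and the tcpreplay suite installed.

```shell
#!/bin/sh
# Added example: tcpprep -> tcprewrite -> tcpreplay workflow for pushing a
# capture through a device under test (e.g. an IDS sensor). Values below are
# assumed lab placeholders; set DRY_RUN=0 to really execute the commands.
DRY_RUN="${DRY_RUN:-1}"
PCAP="${PCAP:-sample.pcap}"
CACHE="${PCAP%.pcap}.cache"
REWRITTEN="${PCAP%.pcap}.rewritten.pcap"
CLIENT_IF="${CLIENT_IF:-eth0}"
SERVER_IF="${SERVER_IF:-eth1}"

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Step 1: classify every packet as client->server or server->client.
# --auto=bridge decides who is the client from who opened the conversation;
# the result is a per-packet cache file, the pcap itself is untouched.
prep_cache() {
    run tcpprep --auto=bridge --pcap="$PCAP" --cachefile="$CACHE"
}

# Step 2: rewrite the capture to fit the lab. --endpoints forces all traffic
# to appear between two lab IPs (needs the cache file to know directions);
# --enet-dmac takes one destination MAC for server->client packets and one
# for client->server packets; --fixcsum recomputes the checksums afterwards.
rewrite_for_lab() {
    run tcprewrite --cachefile="$CACHE" --infile="$PCAP" --outfile="$REWRITTEN" \
        --endpoints=10.10.1.10:10.10.2.20 \
        --enet-dmac=00:11:22:33:44:01,00:11:22:33:44:02 \
        --fixcsum
}

# Step 3: replay. The cache file tells tcpreplay which packets leave --intf1
# (client side) and which leave --intf2 (server side), so the device in the
# middle sees both halves of each conversation from the right direction.
# --mbps caps the rate so the sensor is tested, not simply flooded.
replay_through_device() {
    run tcpreplay --intf1="$CLIENT_IF" --intf2="$SERVER_IF" \
        --cachefile="$CACHE" --mbps=10 --loop=1 "$REWRITTEN"
}

prep_cache && rewrite_for_lab && replay_through_device
```

Run the script once in dry-run mode to review the three command lines, then rerun with DRY_RUN=0 from the replay host once both interfaces are cabled to the device.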