
Control and replay network traffic with tcpreplay February 14, 2011

Posted by Tournas Dimitrios in Linux admin tools.

Tcpreplay is a suite of utilities for UNIX-like systems for editing and replaying network traffic that was previously captured by tools like tcpdump and Wireshark (formerly Ethereal). The goal of tcpreplay is to provide reliable and repeatable traffic for testing a variety of network devices such as switches, routers, firewalls, and network intrusion detection and prevention systems (IDS and IPS). It is important to note that tcpreplay is completely stateless and is unable to update TCP sequence and acknowledgement numbers, so it does not support replaying traffic to a server. If you are interested in this kind of functionality, check out flowreplay instead.

Tcpreplay provides the tools to classify traffic as client or server, edit packets at layers 2-3-4 of the OSI model, and replay the traffic at arbitrary speeds onto a network for sniffing or through a device. I hope that this introduction gave you a picture of the capabilities of this suite of tools, and that you understand that this tool in the wrong hands can put your network security in real trouble. The tools contained in the package are:

  • tcpbridge: allows you to connect two network segments and bridge them.
  • tcpprep: characterizes packets as client->server or server->client.
  • tcpreplay: sends packets. It takes a pcap file and replays it as is. If you have 1 flow between two IP addresses, it will replay that. If you have 100,000 flows between 10,000 clients/servers it’ll do that too. It doesn’t decode the packets at any level, so it doesn’t really care how many IP addresses are in the pcap. It doesn’t even need to be IP traffic. If you want to send traffic on two interfaces (to send traffic through a device), tcpreplay needs to be told which packets go out which interface using a tcpprep cache file.
  • tcpreplay-edit: tcpreplay now comes in two flavors, tcpreplay and tcpreplay-edit. The only difference between the two is that tcpreplay-edit embeds all the packet editing functionality found in tcprewrite. This is nice because you can edit and send all in one step, but it does have a performance hit.
  • tcprewrite: edits packets (mostly at L2-L4).

The tcpreplay package for CentOS 5.x is available for download from the EPEL repository. It depends on the libpcap library, but your package manager (yum) will usually handle the dependencies automatically.

tcpreplay examples

To replay a given pcap as it was captured:
# tcpreplay -i eth0 sample.pcap

You can also replay the traffic at different speeds than it was originally captured:

  1. To replay traffic as quickly as possible:
     # tcpreplay --topspeed -i eth0 sample.pcap
  2. To replay traffic at a rate of 10Mbps:
     # tcpreplay --mbps=10.0 -i eth0 sample.pcap
  3. To replay traffic 7.3 times as fast as it was captured:
     # tcpreplay --multiplier=7.3 -i eth0 sample.pcap
  4. To replay at 25 packets per second:
     # tcpreplay --pps=25 -i eth0 sample.pcap
  5. To replay packets one at a time while decoding them (useful for debugging purposes):
     # tcpreplay --oneatatime --verbose -i eth0 sample.pcap

To replay the sample.pcap file 10 times:
# tcpreplay --loop=10 -i eth0 sample.pcap

To replay the sample.pcap file forever, or until CTRL-C is pressed:
# tcpreplay --loop=0 -i eth0 sample.pcap
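
Before putting a capture onto a test segment it helps to know how long each of the speed options above will keep the link busy. The following is an added example, not part of the original post or of the tcpreplay project: it parses a classic libpcap file and estimates the send time for --mbps, --multiplier, --pps and --loop. The function names, the constructed sample capture, and the assumptions that 1 Mbps means 10**6 bit/s and that the captured bytes of each record are what gets sent are mine.

```python
import struct

# pcap magic number -> timestamp fraction units per second (micro / nano)
MAGICS = {0xA1B2C3D4: 1_000_000, 0xA1B23C4D: 1_000_000_000}

def pcap_stats(data):
    """Return (packets, captured_bytes, capture_seconds) for a classic libpcap file."""
    for endian in "<>":  # the magic number tells us the file's byte order
        if len(data) >= 24 and struct.unpack_from(endian + "I", data)[0] in MAGICS:
            break
    else:
        raise ValueError("not a classic libpcap file")
    frac_per_sec = MAGICS[struct.unpack_from(endian + "I", data)[0]]
    off, count, nbytes, first, last = 24, 0, 0, None, None  # 24-byte global header
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header")
        sec, frac, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16 + incl_len
        if off > len(data):
            raise ValueError("truncated packet data")
        last = sec + frac / frac_per_sec
        first = last if first is None else first
        count, nbytes = count + 1, nbytes + incl_len
    return count, nbytes, (last - first) if count else 0.0

def replay_seconds(stats, mbps=None, multiplier=None, pps=None, loop=1):
    """Estimate send time; --topspeed is hardware-bound and not modelled."""
    count, nbytes, duration = stats
    if loop == 0:                     # --loop=0 replays until interrupted
        return float("inf")
    if mbps is not None:              # --mbps (assumption: 1 Mbps = 10**6 bit/s)
        once = nbytes * 8 / (mbps * 1e6)
    elif multiplier is not None:      # --multiplier: original timing, scaled
        once = duration / multiplier
    elif pps is not None:             # --pps: fixed packet rate
        once = count / pps
    else:                             # no speed option: as captured
        once = duration
    return once * loop

def sample_pcap():
    """Constructed input: 5 packets of 1250 zero bytes, one per second."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i in range(5):
        out += struct.pack("<IIII", 1000 + i, 0, 1250, 1250) + bytes(1250)
    return out
```

The estimates ignore Ethernet framing overhead and sender scheduling jitter, so treat them as a lower bound when sizing a test window.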


1. Araz - May 8, 2014

Do you replay the traffic on the same machine? I need to send the captured traffic to another machine with its IP address in the same LAN as my sender machine. Please help.

Araz - May 8, 2014

I mean I have a sender and a receiver node; so I need to first, Generate, and second, receive the traffic, in order to process it and log the performance.

tournasdimitrios1 - May 8, 2014

“tcpreplay” gives you the ability to replay previously captured traffic. That captured traffic has the libpcap format (can’t be read with “cat”). Traffic is usually captured with tools like tcpdump or Wireshark. Tcpreplay lets you define the speed, times of replay and filter a few parameters of the packets. The man page is a good reference to get you started, and the online man page also has detailed examples.
A basic example: tcpreplay --intf1=eth0 sample.pcap (double dash intf1=eth0)

2. Araz - May 8, 2014

Thank you very much for your answer dear tournasdimitrios1.
I am trying to change all “destination IPs” in my pcap file to only one IP, using tcprewrite. And then when I have saved/rewrote the pcap file with new destination IPs, I can use tcpreplay to send it to my desired dest.
Can you please help me on this?

I see the command needs to be like:
$ tcprewrite --pnat=, --infile=input.pcap --outfile=output.pcap

How in this command can I say that change all destination IPs to ?

3. Araz - May 8, 2014

Oh, I managed it.
tcprewrite --infile=smallFlows.pcap --outfile=new.pcap --dstipmap= --enet-dmac=destMAC

and now I use tcpreplay to send the traffic and it works.
Now I need to use an application to process received data and measure the performance. Any suggestion?

tournasdimitrios1 - May 8, 2014
Araz - May 8, 2014

Actually no.

In order to prove that virtualization makes better use of the same hardware, I need to first measure the performance of “an application like iptables”.
And then use the same application on VMs running on the same hardware and now measure the performance of all set.

The result I am hoping to get through this scenario is that “more volume” of traffic can be processed using multiple instances of an application on the same hardware.

Now I am a sucker for your suggestions to choose a better application than iptables, since iptables does not give me statistics easily and because it is written in the kernel of Linux, it works awesome and has very high performance already. I need an application that at one point will raise hands up and say I can’t go further.

4. hayet - May 20, 2014

tcpreplay how to use a fixed value of traffic (0.1/0.2/0.3/35 ……)
