
Published on April 10th, 2017

Edit and Replay Network Traffic: tcpreplay

Tcpreplay is a suite of GPLv3 licensed utilities for UNIX (and Win32 under Cygwin) operating systems for editing and replaying network traffic which was previously captured by tools like tcpdump and Ethereal/Wireshark. It allows you to classify traffic as client or server, rewrite Layer 2, 3 and 4 packets and finally replay the traffic back onto the network and through other devices such as switches, routers, firewalls, NIDS and IPS’s. Tcpreplay supports both single and dual NIC modes for testing both sniffing and in-line devices.

Tcpreplay is used by numerous firewall, IDS, IPS, NetFlow and other networking vendors, enterprises, universities, labs and open source projects. Tcpreplay is designed to work with network hardware and normally does not penetrate deeper than Layer 2. Yazan Siam with sponsorship from Cisco developed tcpliveplay to replay TCP pcap files directly to servers. Use this utility if you want to test the entire network stack and into the application.



As of version 4.0, Tcpreplay has been enhanced to address the complexities of testing and tuning IP Flow/NetFlow hardware. Enhancements include:

  • Support for netmap modified network drivers for 10GigE wire-speed performance
  • Increased accuracy for playback speed
  • Increased accuracy of results reporting
  • Flow statistics including Flows Per Second (fps)
  • Flow analysis for fine tuning of flow expiry timeouts
  • Hundreds of thousands of flows per second (dependent on the flow sizes in the pcap file)


The Tcpreplay suite includes the following tools:

Network playback products:
  • tcpreplay – replays pcap files at arbitrary speeds onto the network with an option to replay with random IP addresses
  • tcpreplay-edit – replays pcap files at arbitrary speeds onto the network with numerous options to modify packets on the fly
  • tcpliveplay – replays TCP network traffic stored in a pcap file on live networks in a manner that a remote server will respond to
Pcap file editors and utilities:
  • tcpprep – multi-pass pcap file pre-processor which classifies packets as client or server and splits them into output files for use by tcpreplay and tcprewrite
  • tcprewrite – pcap file editor which rewrites TCP/IP and Layer 2 packet headers
  • tcpbridge – bridge two network segments with the power of tcprewrite
  • tcpcapinfo – raw pcap file decoder and debugger
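The three-stage workflow the tool list describes (classify with tcpprep, rewrite headers with tcprewrite, replay in dual-NIC mode with tcpreplay) as an added example script; it is not part of the tcpreplay project or the original post. The capture name, the interface names eth0/eth1, the rate cap and the two device-under-test MAC addresses are assumptions and placeholders.

```shell
#!/bin/sh
# Added example (not tcpreplay project code): test an in-line device such as
# a firewall or IPS in dual-NIC mode. Assumed: capture.pcap was recorded
# elsewhere, eth0/eth1 are the test NICs cabled to the device under test
# (DUT), and the two MACs are placeholders for the DUT's ports.
PCAP=${PCAP:-capture.pcap}
CACHE=${CACHE:-capture.cache}
OUT=${OUT:-rewritten.pcap}
CLIENT_IF=${CLIENT_IF:-eth0}    # --intf1: client-side packets are sent here
SERVER_IF=${SERVER_IF:-eth1}    # --intf2: server-side packets are sent here
DUT_MAC_CLIENT=${DUT_MAC_CLIENT:-00:00:5e:00:53:01}  # placeholder: DUT port facing eth0
DUT_MAC_SERVER=${DUT_MAC_SERVER:-00:00:5e:00:53:02}  # placeholder: DUT port facing eth1
MBPS=${MBPS:-100}               # rate cap; --topspeed would replay as fast as possible

# Step 1: tcpprep decides per packet whether it came from the client or the
# server ('bridge' mode infers this from who opened each connection) and
# stores the verdicts in a cache file that the next two tools consult.
prep_cmd() {
    printf 'tcpprep --auto=bridge --pcap=%s --cachefile=%s\n' "$PCAP" "$CACHE"
}

# Step 2: tcprewrite fixes the Layer 2 headers so every frame is addressed to
# the DUT port it will arrive on. --enet-dmac takes two MACs: the first is
# applied to server-to-client packets, the second to client-to-server packets
# (direction taken from the cache file). --fixcsum recomputes checksums.
rewrite_cmd() {
    printf 'tcprewrite --cachefile=%s --infile=%s --outfile=%s --enet-dmac=%s,%s --fixcsum\n' \
        "$CACHE" "$PCAP" "$OUT" "$DUT_MAC_SERVER" "$DUT_MAC_CLIENT"
}

# Step 3: tcpreplay splits the edited capture across the two NICs using the
# same cache file, so the DUT sees each half arriving from the correct side.
replay_cmd() {
    printf 'tcpreplay --cachefile=%s --intf1=%s --intf2=%s --mbps=%s %s\n' \
        "$CACHE" "$CLIENT_IF" "$SERVER_IF" "$MBPS" "$OUT"
}

# Runs the three stages in order; returns 1 if a tool is missing. Writing to
# the interfaces needs root (or CAP_NET_RAW).
run_pipeline() {
    for t in tcpprep tcprewrite tcpreplay; do
        command -v "$t" >/dev/null 2>&1 || { echo "missing: $t" >&2; return 1; }
    done
    sh -c "$(prep_cmd)" && sh -c "$(rewrite_cmd)" && sh -c "$(replay_cmd)"
}

# Default is a dry run that only prints the plan; run it with DRY_RUN=0.
prep_cmd; rewrite_cmd; replay_cmd
if [ "${DRY_RUN:-1}" = 0 ]; then run_pipeline; fi
```

Do not point the test NICs at a production segment: the replayed frames carry the original capture's Layer 3 and 4 contents unchanged unless you add tcprewrite options such as --endpoints or --srcipmap to remap the addresses.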


Install package


More detailed instructions can be found on the project wiki.

Simple directions for Unix users:

	./configure
	make
	sudo make install


Build Quick TX feature

Quick TX allows Tcpreplay to bypass the kernel network stack and write directly to the network driver. Doing so allows up to wire-rate transmissions (tested up to 10Gbps). This feature is still experimental and may not work with every kernel version or with every network driver.

If you would like to have Quick TX installed, do the following:

	./configure --enable-quick-tx
	make
	sudo make install

To use the Quick TX module, run tcpreplay with interface names prefixed with ‘qtx:’, e.g.

	tcpreplay -i qtx:eth0


Build netmap feature

This feature will detect netmap capable network drivers on Linux and BSD systems. If detected, the network driver is bypassed for the execution duration of tcpreplay and tcpreplay-edit, and network buffers will be written to directly. This will allow you to achieve full line rates on commodity network adapters, similar to rates achieved by commercial network traffic generators.

Note that bypassing the network driver will disrupt other applications connected through the test interface. Don’t test on the same interface you ssh’ed into.

Download the latest netmap from http://info.iet.unipi.it/~luigi/netmap/ and install it. If you extracted netmap into /usr/src/ or /usr/local/src you can build normally. Otherwise you will have to specify the netmap source directory, for example:

	./configure --with-netmap=/home/fklassen/git/netmap
	make
	sudo make install

You can also find netmap source here.

http://tcpreplay.appneta.com

https://github.com/appneta/tcpreplay
