Published on April 10th, 2017 | 1,053 views
Edit and Replay Network Traffic: tcpreplay
Tcpreplay is a suite of GPLv3 licensed utilities for UNIX (and Win32 under Cygwin) operating systems for editing and replaying network traffic which was previously captured by tools like tcpdump and Ethereal/Wireshark. It allows you to classify traffic as client or server, rewrite Layer 2, 3 and 4 packets and finally replay the traffic back onto the network and through other devices such as switches, routers, firewalls, NIDS and IPS’s. Tcpreplay supports both single and dual NIC modes for testing both sniffing and in-line devices.
Tcpreplay is used by numerous firewall, IDS, IPS, NetFlow and other networking vendors, enterprises, universities, labs and open source projects. Tcpreplay is designed to work with network hardware and normally does not penetrate deeper than Layer 2. Yazan Siam with sponsorship from Cisco developed tcpliveplay to replay TCP pcap files directly to servers. Use this utility if you want to test the entire network stack and into the application.
- Support for netmap modified network drivers for 10GigE wire-speed performance
- Increased accuracy for playback speed
- Increased accuracy of results reporting
- Flow statistics including Flows Per Second (fps)
- Flow analysis for analysis and fine tuning of flow expiry timeouts
- Hundreds of thousands of flows per second (dependent flow sizes in pcap file)
The Tcpreplay suite includes the following tools:
Network playback products:
- tcpreplay – replays pcap files at arbitrary speeds onto the network with an option to replay with random IP addresses
- tcpreplay-edit – replays pcap files at arbitrary speeds onto the network with numerous options to modify packets packets on the fly
- tcpliveplay – replays TCP network traffic stored in a pcap file on live networks in a manner that a remote server will respond to
Pcap file editors and utilities:
- tcpprep – multi-pass pcap file pre-processor which determines packets as client or server and splits them into creates output files for use by tcpreplay and tcprewrite
- tcprewrite – pcap file editor which rewrites TCP/IP and Layer 2 packet headers
- tcpbridge – bridge two network segments with the power of tcprewrite
- tcpcapinfo – raw pcap file decoder and debugger
More detailed instructions can be found on project wiki.
Simple directions for Unix users:
./configure make sudo make install
Build Quick TX feature
Quick TX allows Tcpreplay to bypass the kernel network stack and write directly to the network driver. Doing so allows up to wire-rate transmissions (tested up to 10Gbps). This feature still an experimental and may not work with every kernel version or with every network driver.
If you would like to have Quick TX installed, do the following:
./configure --enable-quick-tx make sudo make install
To use the Quick TX module, run tcpreplay with interface names prefixed with ‘qtx:’, e.g.
tcpreplay -i qtx:eth0
Build netmap feature
This feature will detect netmap capable network drivers on Linux and BSD systems. If detected, the network driver is bypassed for the execution duration of tcpreplay and tcpreplay-edit, and network buffers will be written to directly. This will allow you to achieve full line rates on commodity network adapters, similar to rates achieved by commercial network traffic generators.
Note that bypassing the network driver will disrupt other applications connected through the test interface. Don’t test on the same interface you ssh’ed into.
Download latest and install netmap from http://info.iet.unipi.it/~luigi/netmap/ If you extracted netmap into /usr/src/ or /usr/local/src you can build normally. Otherwise you will have to specify the netmap source directory, for example:
./configure --with-netmap=/home/fklassen/git/netmap make sudo make install
You can also find netmap source here.