
Welcome to Tcpreplay

Tcpreplay is a suite of BSD GPLv3 licensed tools written by Aaron Turner for UNIX (and Win32 under Cygwin) operating systems which gives you the ability to use previously captured traffic in libpcap format to test a variety of network devices. It allows you to classify traffic as client or server, rewrite Layer 2, 3 and 4 headers, and finally replay the traffic back onto the network and through other devices such as switches, routers, firewalls, NIDS and IPSs. Tcpreplay supports both single and dual NIC modes for testing both sniffing and inline devices.

Tcpreplay is used by numerous firewall, IDS, IPS and other networking vendors, enterprises, universities, labs and open source projects. If your organization uses Tcpreplay, please let me know who you are and what you use it for so that I can continue to add features which are useful.

Details

The Tcpreplay suite includes the following tools:

  • tcpprep - multi-pass pcap file pre-processor which classifies packets as client or server and creates cache files used by tcpreplay and tcprewrite
  • tcprewrite - pcap file editor which rewrites TCP/IP and Layer 2 packet headers
  • tcpreplay - replays pcap files at arbitrary speeds onto the network
  • tcpliveplay - replays network traffic stored in a pcap file on live networks using new TCP connections
  • tcpreplay-edit - replays & edits pcap files at arbitrary speeds onto the network
  • tcpbridge - bridge two network segments with the power of tcprewrite
  • tcpcapinfo - raw pcap file decoder and debugger

Usage

Generally speaking, most people would first run tcpprep against a pcap file to create a cache file which splits traffic between client and server if they are testing an inline device like a firewall or IPS. Then depending on their network setup and where the pcap was captured, they would use tcprewrite to edit the packets so that the device under test will examine them properly. Finally, tcpreplay is used to replay the pcap onto the network to do the test, while tcpliveplay is used to replay pcaps with TCP-only traffic onto the network. For more info, check out these use cases.
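The sequence described above, written out as an added example (not a script from the Tcpreplay project) for an inline device under test with two NICs. The file names, interface names, endpoint IPs and packet rate are constructed placeholders, and --endpoints is only one of the rewrites tcprewrite offers; which one you need depends on where the pcap was captured. By default the script prints the commands; set RUN=1 to execute them.

```shell
#!/bin/sh
# Added example: tcpprep -> tcprewrite -> tcpreplay for a dual-NIC inline test.
# All file names, NIC names and IP addresses used here are placeholders.

# Print a command; execute it only when RUN=1 (dry run by default).
run() {
    echo "+ $*"
    [ "${RUN:-0}" = 1 ] || return 0
    "$@"
}

# usage: replay_through_dut CAPTURE.pcap CLIENT_NIC SERVER_NIC CLIENT_IP:SERVER_IP
replay_through_dut() {
    pcap=$1 nic_client=$2 nic_server=$3 endpoints=$4
    base=${pcap%.pcap}
    cache="$base.cache"
    rewritten="$base.rewritten.pcap"

    # 1. Classify every packet as client or server and save that in a cache file.
    run tcpprep --auto=bridge --pcap="$pcap" --cachefile="$cache" &&
    # 2. Rewrite addresses so all traffic appears to flow between two endpoints
    #    that sit on either side of the device under test.
    run tcprewrite --endpoints="$endpoints" --cachefile="$cache" \
        --infile="$pcap" --outfile="$rewritten" &&
    # 3. Replay: client packets leave intf1, server packets leave intf2,
    #    so the inline device sees both directions on the correct side.
    run tcpreplay --cachefile="$cache" --intf1="$nic_client" \
        --intf2="$nic_server" --pps=100 "$rewritten"
}

# Only act when called with arguments, e.g.:
#   RUN=1 sh replay.sh sample.pcap eth0 eth1 10.10.1.1:10.10.2.1
if [ "$#" -ge 4 ]; then
    replay_through_dut "$@"
fi
```

Replaying with RUN=1 normally needs root privileges on the sending host, and the same cache file must be used for the rewrite and replay steps because it refers to packets by position in the capture.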

How you can help

Info