
Usage Examples

New users of the tcpreplay suite often complain that it's not clear how to accomplish various tasks, so this page provides some real-world examples. If you have suggestions for examples for this page or questions regarding usage, please email the tcpreplay-users mailing list.

Passing Traffic Through an IPS/Transparent Device

Problem

You have a pcap file of HTTP client/server traffic captured from a different network that you want to replay through an IPS or other transparent inline device.

Solution

There is a three step process for this:

  1. Determine which packets are client->server and server->client
  2. Rewrite IP addresses based on their direction
  3. Send packets through inline device

Step 1

Use tcpprep to split traffic based on the source/destination port:

$ tcpprep --port --cachefile=example.cache --pcap=example.pcap

In this case, all the packets directed to a TCP or UDP port < 1024 are considered client->server, while other packets are server->client. This information is stored in a tcpprep cache file called example.cache for later use.

Note: tcpprep supports many other methods of splitting traffic than just port mode.

Step 2

Use tcprewrite to change the IP addresses to the local network:

$ tcprewrite --endpoints=172.16.0.1:172.16.5.35 --cachefile=example.cache --infile=example.pcap --outfile=new.pcap

Here, we want all traffic to appear to be between two hosts: 172.16.0.1 and 172.16.5.35. We want one IP to be the "client" and the other IP the "server", so we use the cache file created in Step 1 to tell tcprewrite the direction of each packet.

Step 3

Use tcpreplay to send the traffic through the IPS:

# tcpreplay --intf1=eth0 --intf2=eth1 --cachefile=example.cache new.pcap

Here we send the traffic. Since we want to split traffic between two interfaces (eth0 and eth1), we use the cache file created in Step #1 with the new.pcap created in Step #2. We can use the cache file for different pcap files because while the IP addresses of the packets have changed, their order and semantics have not.

Passing Traffic Through a Firewall/Router/Non-Transparent Device

Problem

You have a pcap file of HTTP client/server traffic captured from a different network that you want to replay through a device which routes or NATs traffic.

Solution

There is a five step process for this:

  1. Determine which packets are client->server and server->client
  2. Determine what the new IP and MAC addresses should be
  3. Rewrite IP addresses
  4. Rewrite MAC addresses based on their direction
  5. Send packets through inline device

Step 1

Use tcpprep to split traffic based on the source/destination port:

$ tcpprep --port --cachefile=example.cache --pcap=example.pcap

In this case, all the packets directed to a TCP or UDP port < 1024 are considered client->server, while other packets are server->client. This information is stored in a tcpprep cache file called example.cache for later use.

Note: tcpprep supports many other methods of splitting traffic than just port mode.

Step 2

Determine the new IP and MAC address values.

This varies depending on the device and its configuration, but the basic goal is to make sure the destination MAC addresses of the packets match the MAC addresses of the interfaces of the DUT and the IP addresses match the values the DUT expects. This means that for a router you can use the --endpoints option, but for NAT devices we'll need to deal with the DUT changing the IPs. Using the following example:

NAT Example

Here, we'll assume eth2/Untrust's MAC address is 00:22:22:22:22:22 and eth1/DMZ's is 00:11:11:11:11:11. Let's further assume that the firewall is NAT'ing traffic destined to 2.2.2.1 on the Untrust interface to 1.1.1.5 on the DMZ interface. It's important that the destination is not the tcpreplay box itself, or the IP stack of the system will interfere with the traffic.

Step 3

Use tcprewrite to change the IP addresses to match what the firewall expects.

Since the firewall in this example is NAT'ing the traffic, we need to be a bit sneaky. The problem is that the client-side destination IP is different than the server-side source IP. Hence we'll use the --srcipmap and --dstipmap options. In this case we'll assume the old traffic is Client:10.10.0.1 and Server:10.20.0.1.

First, rewrite the source IPs to be the new client and server:

$ tcprewrite --srcipmap=10.10.0.1/32:2.2.2.5/32,10.20.0.1/32:1.1.1.5/32 --infile=example.pcap --outfile=new.pcap

Second, rewrite the destination IPs to be the new client and NAT'd server addresses:

$ tcprewrite --dstipmap=10.10.0.1/32:2.2.2.5/32,10.20.0.1/32:2.2.2.1/32 --infile=new.pcap --outfile=new2.pcap

You could combine the two above commands together, but I've separated them out for clarity.

Step 4

Use tcprewrite to change the MAC addresses to match up with the firewall.

$ tcprewrite --enet-dmac=00:11:11:11:11:11,00:22:22:22:22:22 --cachefile=example.cache --infile=new2.pcap --outfile=new3.pcap

Step 5

Use tcpreplay to send the traffic through the firewall:

# tcpreplay --intf1=eth0 --intf2=eth1 --cachefile=example.cache new3.pcap

Here we send the traffic. Since we want to split traffic between two interfaces (eth0 and eth1), we use the cache file created in Step #1 with the new3.pcap created in Steps #2-4. We can use the cache file for different pcap files because while the IP addresses of the packets have changed, their order and semantics have not.
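As an added example (not code from the tcpreplay project or from this wiki), the following Python re-implements what Step 1 of both procedures above does (tcpprep --port, using the simplified "destination port < 1024 means client->server" rule exactly as this page states it) and what Steps 3 and 4 of the NAT walk-through do (tcprewrite --srcipmap/--dstipmap and the cache-driven --enet-dmac pair) to each packet, recomputing the IPv4 and TCP checksums that an IP rewrite invalidates. The two Ethernet/IPv4/TCP frames are constructed inline from the page's old Client 10.10.0.1 / Server 10.20.0.1 addresses; the aa:aa:aa:aa:aa:0x source MACs and the client port 40000 are made up. The handling of non-/32 targets in pseudo_nat (keep the original host bits under the new prefix) is an assumption about tcprewrite's pseudo-NAT that this page does not state; every map target the page itself uses is /32, where the rewrite is a plain replacement.

```python
"""Added example, not tcpreplay project code: re-implements the per-packet effect
of tcpprep --port and tcprewrite --srcipmap/--dstipmap/--enet-dmac from this page."""
import ipaddress
import struct

ETH_IPV4 = b"\x08\x00"

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; 0 when the data already carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))

def fix_checksums(frame: bytes) -> bytes:
    """Recompute the IPv4 header checksum and the TCP/UDP checksum (its pseudo-header covers both IPs)."""
    f = bytearray(frame)
    l4 = 14 + (f[14] & 0x0F) * 4
    f[24:26] = b"\x00\x00"
    f[24:26] = struct.pack("!H", checksum(bytes(f[14:l4])))
    off = {6: 16, 17: 6}.get(f[23])  # checksum field offset inside the TCP / UDP header
    if off is not None:
        seg = f[l4:14 + struct.unpack_from("!H", f, 16)[0]]  # IP total length bounds the segment
        seg[off:off + 2] = b"\x00\x00"
        pseudo = bytes(f[26:34]) + struct.pack("!BBH", 0, f[23], len(seg))
        f[l4 + off:l4 + off + 2] = struct.pack("!H", checksum(pseudo + bytes(seg)))
    return bytes(f)

def build_frame(smac, dmac, sip, dip, sport, dport, payload=b"") -> bytes:
    """Constructed Ethernet/IPv4/TCP frame for the sample capture (dummy seq/ack numbers)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     ipaddress.IPv4Address(sip).packed, ipaddress.IPv4Address(dip).packed)
    return fix_checksums(mac(dmac) + mac(smac) + ETH_IPV4 + ip + tcp)

def parse(frame: bytes):
    """(src_ip, dst_ip, sport, dport) for an IPv4 TCP/UDP frame, else None."""
    if frame[12:14] != ETH_IPV4 or frame[23] not in (6, 17):
        return None
    l4 = 14 + (frame[14] & 0x0F) * 4
    sport, dport = struct.unpack_from("!HH", frame, l4)
    return ipaddress.IPv4Address(frame[26:30]), ipaddress.IPv4Address(frame[30:34]), sport, dport

def tcpprep_port(frames):
    """The cache as the page describes --port: dport < 1024 is client->server (True), else server->client."""
    cache = []
    for frame in frames:
        p = parse(frame)
        cache.append(p is not None and p[3] < 1024)  # non-IP frames land on the server side here
    return cache

def pseudo_nat(addr, pairs):
    """Apply 'old/len:new/len' pairs as --srcipmap/--dstipmap take them; first match wins.
    Assumption for non-/32 targets: original host bits are kept under the new prefix."""
    addr = ipaddress.IPv4Address(addr)
    for old, new in (pair.split(":") for pair in pairs):
        if addr in ipaddress.ip_network(old, strict=False):
            net = ipaddress.ip_network(new, strict=False)
            return ipaddress.IPv4Address(int(net.network_address) | (int(addr) & int(net.hostmask)))
    return addr

def tcprewrite(frames, cache, srcipmap=(), dstipmap=(), enet_dmac=None):
    """Rewrite IPs; enet_dmac is (server->client MAC, client->server MAC), the order the page's NAT example uses."""
    out = []
    for frame, client_to_server in zip(frames, cache):
        p = parse(frame)
        if p is None:
            out.append(frame)  # non-IP frames pass through untouched
            continue
        f = bytearray(frame)
        f[26:30] = pseudo_nat(p[0], srcipmap).packed
        f[30:34] = pseudo_nat(p[1], dstipmap).packed
        if enet_dmac:
            f[0:6] = mac(enet_dmac[1] if client_to_server else enet_dmac[0])
        out.append(fix_checksums(bytes(f)))
    return out

def summarize(frames):
    """(src IP, dst IP, destination MAC) per frame, for reading the result."""
    return [(str(p[0]), str(p[1]), f[:6].hex(":")) for f in frames for p in [parse(f)]]

def nat_example():
    """Steps 1, 3 and 4 of the NAT walk-through over a constructed two-packet HTTP exchange."""
    old = [build_frame("aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02", "10.10.0.1", "10.20.0.1",
                       40000, 80, b"GET / HTTP/1.0\r\n\r\n"),
           build_frame("aa:aa:aa:aa:aa:02", "aa:aa:aa:aa:aa:01", "10.20.0.1", "10.10.0.1",
                       80, 40000, b"HTTP/1.0 200 OK\r\n\r\n")]
    cache = tcpprep_port(old)
    new = tcprewrite(old, cache,
                     srcipmap=["10.10.0.1/32:2.2.2.5/32", "10.20.0.1/32:1.1.1.5/32"],
                     dstipmap=["10.10.0.1/32:2.2.2.5/32", "10.20.0.1/32:2.2.2.1/32"],
                     enet_dmac=("00:11:11:11:11:11", "00:22:22:22:22:22"))
    return cache, new
```

nat_example() returns the cache ([True, False]: request, then reply) and the rewritten frames; summarize() on them shows the request now going 2.2.2.5 -> 2.2.2.1 with the Untrust MAC and the reply 1.1.1.5 -> 2.2.2.5 with the DMZ MAC, which is the pair of states the firewall's NAT rule expects on each side. The cache is a per-packet list in capture order, so it stays valid after the addresses change; that is why the page reuses example.cache for new.pcap and new3.pcap. The srcipmap and dstipmap are applied in one pass here, as the page notes they can be.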

Rewriting TCP/UDP Ports

Problem

You have some HTTP traffic on port 80 that you would like to rewrite over port 8080.

Solution

Use tcprewrite to remap the ports:

$ tcprewrite --infile=example.pcap --outfile=new.pcap --portmap=80:8080

The portmap option takes a comma delimited list of port pairs <oldport>:<newport>. Note that this option is protocol independent, so both TCP and UDP packets will be affected.

Remove specific packets from a capture file

Problem

You have a pcap file containing some packets you do not want to send or edit.

Solution

Use tcpdump!

Step 1

Let's assume that you have a pcap which has a bunch of traffic, but you only want to replay the tcp/80 (HTTP) traffic. To do this, you would run:

$ tcpdump -r example.pcap -w http_only.pcap -s0 tcp port 80

Just adjust your BPF filter according to your needs.

Sending Traffic to a Server

Problem

You have a pcap capture and would like to replay that traffic at another server.

Solution

First, this will only work with ICMP and UDP traffic. Tcpreplay doesn't support sending TCP traffic at a server because it doesn't synchronize the TCP sequence/acknowledgement numbers (SYN/ACK) with the server's stack.

That said, you'll need to change the destination IP and MAC addresses to match those of the target server. In this case, we'll assume the target server IP is 10.10.1.1 and its MAC address is 00:01:02:03:04:05.

Step 1

Rewrite destination IP & MAC addresses

$ tcprewrite --infile=example.pcap --outfile=new.pcap --dstipmap=0.0.0.0/0:10.10.1.1/32 --enet-dmac=00:01:02:03:04:05
