
Tcpreplay

Tcpreplay is a comprehensive suite of tools for editing, merging, and replaying pcap files. It allows security professionals to simulate network traffic conditions, test intrusion detection systems, validate firewall rules, and perform controlled network simulations. The suite includes tcpreplay (traffic replay), tcpprep (pcap preprocessing), tcprewrite (packet editing), and other utilities for advanced traffic manipulation.

# Debian/Ubuntu: distribution package
sudo apt-get update
sudo apt-get install tcpreplay
# macOS: Homebrew
brew install tcpreplay
# From source: builds whatever the clone's default branch holds at the time;
# check out a tagged release if the build has to be reproducible.
git clone https://github.com/appneta/tcpreplay.git
cd tcpreplay
./configure
make
sudo make install
# Confirm the three main binaries are on PATH
tcpreplay --version
tcpprep --version
tcprewrite --version
Tool | Purpose
tcpreplay | Replay pcap files to a network interface
tcpprep | Pre-process pcap files and create cache files
tcprewrite | Rewrite pcap packet headers and payloads
tcpbridge | Bridge captured traffic between interfaces
tcpdump | Integration with standard pcap formats
# Replay pcap file to interface
# The frames are written onto the live interface, so every host on that
# segment (and any IDS/firewall in the path) sees them as real traffic.
sudo tcpreplay -i eth0 capture.pcap

# Replay at original speed
# --speed multiplies the capture's inter-packet timing; 1.0 keeps it as recorded.
sudo tcpreplay -i eth0 --speed=1.0 capture.pcap

# Fast replay
sudo tcpreplay -i eth0 --speed=10.0 capture.pcap
# Quarter speed
sudo tcpreplay -i eth0 --speed=0.25 capture.pcap

# Half speed
sudo tcpreplay -i eth0 --speed=0.5 capture.pcap

# Double speed
sudo tcpreplay -i eth0 --speed=2.0 capture.pcap

# Maximum speed
# --speed=0 disables pacing entirely; on a shared segment this can saturate the link.
sudo tcpreplay -i eth0 --speed=0 capture.pcap
# Replay twice
# -l N loops the whole file N times; anything observing the segment sees
# each flow repeated that many times.
sudo tcpreplay -i eth0 -l 2 capture.pcap

# Replay 5 times
sudo tcpreplay -i eth0 -l 5 capture.pcap

# Continuous replay (until interrupted)
# -l 0 never stops on its own; stop it with Ctrl-C.
sudo tcpreplay -i eth0 -l 0 capture.pcap
Option | Function
-i interface | Target interface for replay
--speed=N | Replay speed multiplier (0 = max)
-l N | Loop count (0 = infinite)
-m N | Multiplier for packet duplication
-p | Packet-rate mode
# Auto mode (tries to classify traffic)
# NOTE(review): in the tcpprep builds I know, -a/--auto takes a mode argument
# (bridge, router, client, server or first); a bare -a may be rejected —
# confirm against `tcpprep --help` before copying this line.
tcpprep -i capture.pcap -o capture.cache -a

# Manual mode (specify client/server)
tcpprep -i capture.pcap -o capture.cache -m

# Regex mode (match based on patterns)
# NOTE(review): --regex needs the pattern as its argument; none is given here.
tcpprep -i capture.pcap -o capture.cache -r
# Generate Cisco access list
# NOTE(review): tcpprep's -c is --cidr (a list of client CIDR blocks) rather than
# a Cisco output mode; verify what this flag does in your version.
tcpprep -i capture.pcap -o capture.cache -c
# Manual port-based mode
tcpprep -i capture.pcap -o capture.cache -p

# With custom port definitions
# NOTE(review): --pcap is the long form of -i, so the input file is given twice here
# and no port definitions are actually supplied — confirm the intended option.
tcpprep -i capture.pcap -o capture.cache -m --pcap=capture.pcap
# Display cache file information
# NOTE(review): this line is identical to the "auto mode" command above and
# re-creates the cache rather than displaying it; cache inspection is done with
# tcpprep's --print-* options (see `tcpprep --help` for the exact names).
tcpprep -i capture.pcap -o capture.cache -a
tcpdump -r capture.pcap -n | head

# Statistics
# NOTE(review): --print-headers is not an option I can find in tcpprep; verify
# with `tcpprep --help` (the stats/info options are in the --print-* family).
tcpprep --print-headers -o capture.cache
Option | Function
-i file | Input pcap file
-o file | Output cache file
-a | Auto mode (classify)
-m | Manual mode
-c | Cisco router mode
-p | Port-based mode
# Change source MAC
# Rewrites the Ethernet source address on every frame. MAC edits are not
# covered by the IP/TCP/UDP checksums, so --fixcsum is not needed for these alone.
tcprewrite -i capture.pcap -o modified.pcap --enet-smac=00:11:22:33:44:55

# Change destination MAC
tcprewrite -i capture.pcap -o modified.pcap --enet-dmac=aa:bb:cc:dd:ee:ff

# Both MAC addresses
tcprewrite -i capture.pcap -o modified.pcap \
  --enet-smac=00:11:22:33:44:55 \
  --enet-dmac=aa:bb:cc:dd:ee:ff
# Change source IP
# Form is OLD_CIDR:NEW_CIDR. IP and TCP/UDP checksums cover the addresses,
# so pair any address rewrite with --fixcsum (see "Fix checksums" below).
tcprewrite -i capture.pcap -o modified.pcap --srcipmap=192.168.1.0/24:10.0.0.0/24

# Change destination IP
tcprewrite -i capture.pcap -o modified.pcap --dstipmap=192.168.1.0/24:10.0.0.0/24

# Bidirectional rewriting
# Two independent one-way maps with different target ranges: a reply whose
# source was rewritten by the first map is not undone by the second.
tcprewrite -i capture.pcap -o modified.pcap \
  --srcipmap=192.168.1.0/24:10.0.0.0/24 \
  --dstipmap=172.16.0.0/16:10.1.0.0/16
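# Rewrite a port
# tcprewrite's port option is --portmap=OLD:NEW (short form -r); the --sport
# and --dport flags originally shown here are not part of its option set.
# A mapping applies to both the source and the destination port of TCP/UDP
# packets. Ports are covered by the transport checksum, so add --fixcsum.
tcprewrite -i capture.pcap -o modified.pcap --portmap=80:8080 --fixcsum

# Multiple port mappings (comma-separated OLD:NEW pairs)
tcprewrite -i capture.pcap -o modified.pcap \
  --portmap=80:8080,443:8443 --fixcsum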
# Set TTL to 64
tcprewrite -i capture.pcap -o modified.pcap --ttl=64

# Increment TTL
# A leading '+' makes the value relative to each packet's existing TTL.
tcprewrite -i capture.pcap -o modified.pcap --ttl=+10
# Fix checksums after modification
# Without this, edited packets keep their pre-edit IP/TCP/UDP checksums and
# receivers (and checksum-aware IDS) treat them as corrupt.
tcprewrite -i capture.pcap -o modified.pcap --fixcsum

# Recalculate all checksums
# NOTE(review): --force is not an option I can place in tcprewrite's option set;
# verify with `tcprewrite --help` before relying on this line.
tcprewrite -i capture.pcap -o modified.pcap --fixcsum --force
Option | Function
-i file | Input pcap
-o file | Output pcap
--enet-smac | Source MAC
--enet-dmac | Destination MAC
--srcipmap | Source IP mapping
--dstipmap | Destination IP mapping
--fixcsum | Recalculate checksums
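# Step 1: Create cache file
tcpprep -i original.pcap -o flows.cache -a

# Step 2: Replay using the cache
# A cache splits the traffic into client and server sides, so tcpreplay
# expects a second interface (-I/--intf2) to send the server side out of;
# -c with a single interface is not accepted. eth1 stands for whichever
# interface faces the other side of the device under test. Root (sudo) is
# needed here as for every other replay on this page.
sudo tcpreplay -i eth0 -I eth1 -c flows.cache original.pcap

# Or combined with rewriting
tcprewrite -i original.pcap -o rewritten.pcap \
  --srcipmap=192.168.1.0/24:10.0.0.0/24

sudo tcpreplay -i eth0 -I eth1 -c flows.cache rewritten.pcap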
# Capture test traffic
# NOTE(review): no stop condition is given, so this runs until interrupted;
# the other interface captures on this page are run with sudo.
tcpdump -i eth0 -w test_traffic.pcap

# Modify to match network environment
tcprewrite -i test_traffic.pcap -o modified.pcap \
  --srcipmap=192.168.1.0/24:192.168.100.0/24 \
  --enet-smac=00:11:22:33:44:55

# Replay against IDS
# Three passes at half speed; each pass presents the same flows again, which
# the IDS may count as repeated events.
sudo tcpreplay -i eth0 -l 3 --speed=0.5 modified.pcap
# Create appropriate cache
tcpprep -i baseline.pcap -o baseline.cache -a

# Rewrite for test environment
# 0.0.0.0/0 matches every destination, so all traffic is pointed into
# 10.0.0.0/8 — make sure that range is the isolated test network.
tcprewrite -i baseline.pcap -o test.pcap \
  --dstipmap=0.0.0.0/0:10.0.0.0/8

# Replay through firewall
# NOTE(review): -c (cache file) pairs with a second interface on tcpreplay;
# see the combined workflow above.
sudo tcpreplay -i eth0 -c baseline.cache test.pcap
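# Basic information
# -n on every read: without it tcpdump does a reverse-DNS lookup for each
# address in the capture, which is slow and leaks the capture's addresses
# to whatever resolver the analysis host uses.
tcpdump -r capture.pcap -n | head -20

# Packet count
tcpdump -r capture.pcap -n | wc -l

# Protocol statistics
# Field 2 of tcpdump's one-line output is the network-layer family
# (IP, IP6, ARP, ...); field 3, which was counted before, is the source endpoint.
tcpdump -r capture.pcap -n -q | cut -d' ' -f2 | sort | uniq -c
# Check for bad checksums
tcpdump -r capture.pcap -n -v 2>&1 | grep -i "bad"

# Verify rewritten pcap
tcpdump -r modified.pcap -n -v | grep -i "cksum"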
# Extract specific flows first
# The trailing quoted argument is a pcap-filter expression applied while reading.
tcpdump -r capture.pcap -w http_only.pcap 'tcp port 80'

# Replay extracted traffic
sudo tcpreplay -i eth0 http_only.pcap
# Extract packets above 1000 bytes
# 'len' is the captured length of each packet.
tcpdump -r capture.pcap -w large_packets.pcap 'len > 1000'

# Extract small packets (SYN floods, etc)
tcpdump -r capture.pcap -w small_packets.pcap 'len < 100'
# Remove non-essential traffic
tcpdump -r large.pcap -w small.pcap 'tcp or udp'

# Keep only essential flows
# 'port' matches either the source or the destination port.
tcpdump -r large.pcap -w filtered.pcap 'port 80 or port 443'
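# Limit packet rate
sudo tcpreplay -i eth0 -p 1000 capture.pcap  # 1000 pps

# Use fast mode for testing
sudo tcpreplay -i eth0 --speed=0 capture.pcap
# Process large files in chunks
# 'packet number' is not a pcap-filter primitive, so the filters originally
# shown here are rejected. tcpdump can cap a count with -c but cannot skip a
# leading range, so it only yields the first chunk:
tcpdump -r large.pcap -w chunk1.pcap -c 10000
# For a full split use editcap (ships with Wireshark); it writes
# chunk_00000_*.pcap, chunk_00001_*.pcap, ... of 10000 packets each.
editcap -c 10000 large.pcap chunk.pcap

# Replay chunks sequentially (the numbered names sort in order)
for chunk in chunk_*.pcap; do
  [[ -e "$chunk" ]] || continue   # no matches: skip rather than replay the literal pattern
  sudo tcpreplay -i eth0 "$chunk"
done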
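# Capture baseline traffic
# 'host' takes a single address; a CIDR range needs the 'net' primitive
# (the original 'host 192.168.1.0/24' is a filter syntax error).
sudo tcpdump -i eth0 -w baseline.pcap net 192.168.1.0/24

# Prepare for replay
tcpprep -i baseline.pcap -o baseline.cache -a

# Replay modified traffic to test detection
# The detector sees the same flows re-addressed into 10.0.0.0/24; make sure
# that range is the test segment before replaying.
tcprewrite -i baseline.pcap -o modified.pcap --dstipmap=192.168.1.0/24:10.0.0.0/24
sudo tcpreplay -i eth0 -c baseline.cache modified.pcap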
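# Create synthetic load from captured traffic
# 100 loops at 10x the recorded rate; the interface access needs root, as
# every other replay on this page shows (the original line omitted sudo).
sudo tcpreplay -i eth0 -l 100 --speed=10.0 capture.pcap

# Monitor system response
watch -n 1 'netstat -an | tail -20'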
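# Capture legitimate traffic baseline
# -G 300 rotates the output file every 300 s using the strftime pattern in
# the single -w argument. The original gave -w twice; only the last one
# takes effect, so the plain baseline.pcap was never written.
sudo tcpdump -i eth0 -G 300 -w baseline_%Y%m%d_%H%M%S.pcap

# Replay at controlled rate for safe testing
# tcpreplay accepts several pcap files; the rotated files are replayed in name (time) order.
sudo tcpreplay -i eth0 --speed=0.1 baseline_*.pcap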
# Preserve production traffic
# A straight copy with no filter: dr_test.pcap still holds every byte of production.pcap.
tcpdump -r production.pcap -w dr_test.pcap

# Anonymize sensitive data
# Only IP addresses are rewritten, and deterministically (the same original
# address always becomes the same replacement). MAC addresses, ports and
# payloads are untouched — treat the output as pseudonymised, not anonymised,
# and review it before it leaves the production environment.
tcprewrite -i production.pcap -o anon.pcap \
  --srcipmap=0.0.0.0/0:10.0.0.0/8 \
  --dstipmap=0.0.0.0/0:172.16.0.0/12

# Test DR environment
sudo tcpreplay -i eth0 -l 2 anon.pcap
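#!/bin/bash
# Build a tcpprep cache file next to every pcap in the current directory.
# Output: <name>.cache for each <name>.pcap; tcpprep's own diagnostics go to stderr.
set -euo pipefail
# With no *.pcap present the glob would otherwise expand to the literal
# pattern and tcpprep would be run on a file called "*.pcap".
shopt -s nullglob
for pcap in *.pcap; do
  cache="${pcap%.pcap}.cache"
  printf 'Processing: %s\n' "$pcap"
  # NOTE(review): -a is used bare throughout this page; tcpprep's --auto
  # normally takes a mode argument — confirm with `tcpprep --help`.
  tcpprep -i "$pcap" -o "$cache" -a
  printf 'Created: %s\n' "$cache"
done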
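#!/bin/bash
# Replay one pcap while sampling socket state every second in the background.
# Usage: <script> <pcap> <interface>
set -euo pipefail

pcap=${1:?usage: $0 <pcap> <interface>}
interface=${2:?usage: $0 <pcap> <interface>}
[[ -r "$pcap" ]] || { printf 'cannot read %s\n' "$pcap" >&2; exit 1; }

# Periodic sampler. The original ran watch(1) inside "( ... ) &", so $!
# was the subshell's PID and the later kill left watch itself running;
# watch also needs a terminal. A plain loop in a background job is what we
# can reliably stop.
monitor() {
  while :; do
    netstat -an | tail -10
    sleep 1
  done
}
monitor &
monitor_pid=$!
# Stop the sampler on every exit path, including a failed replay.
trap 'kill "$monitor_pid" 2>/dev/null || true' EXIT

# Replay
sudo tcpreplay -i "$interface" "$pcap"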
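#!/bin/bash
# Rewrite every pcap in the current directory into rewritten_<name>,
# remapping 192.168.0.0/16 sources into 10.0.0.0/8 and recomputing checksums.
set -euo pipefail
# Without nullglob an empty directory makes the loop run on the literal "*.pcap".
shopt -s nullglob
for file in *.pcap; do
  # Outputs land in the same directory, so a second run would otherwise
  # pick them up and produce rewritten_rewritten_<name>.
  [[ "$file" == rewritten_* ]] && continue
  printf 'Rewriting: %s\n' "$file"
  tcprewrite -i "$file" -o "rewritten_${file}" \
    --srcipmap=192.168.0.0/16:10.0.0.0/8 \
    --fixcsum
done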
Flag | Description
-i interface | Network interface
-l N | Loop iterations
--speed=N | Replay speed multiplier
-c cache | Use cache file
-m | Multiplier mode
--enet-smac | Source MAC address
--enet-dmac | Destination MAC address
--srcipmap | Source IP mapping
--dstipmap | Destination IP mapping
--fixcsum | Fix checksums
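# Tcpreplay requires root for interface access
sudo tcpreplay -i eth0 capture.pcap

# Or grant capabilities instead of running as root.
# Injecting raw frames needs CAP_NET_RAW as well as CAP_NET_ADMIN (the
# original granted only the latter). The path is quoted so a PATH entry
# with spaces cannot split it, and command -v is the portable lookup.
# A file capability applies to every local user who can execute the binary,
# so restrict its group/mode if that is not intended.
sudo setcap cap_net_raw,cap_net_admin=ep "$(command -v tcpreplay)"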
# Verify pcap integrity
# file(1) only checks the magic/header; it says nothing about truncated records.
file capture.pcap

# Check with tcpdump
# -n avoids a reverse-DNS lookup for every address in the file.
tcpdump -r capture.pcap -n | head

# Try repair
# NOTE(review): tcpdump stops at the first record it cannot parse, so this
# keeps the readable prefix and drops the rest — compare packet counts
# before and after.
tcpdump -r damaged.pcap -w repaired.pcap
# Always fix checksums after editing
tcprewrite -i capture.pcap -o modified.pcap \
  --srcipmap=192.168.1.0/24:10.0.0.0/24 \
  --fixcsum
# Reduce replay speed
# One tenth of the recorded timing; useful when the receiver drops packets.
sudo tcpreplay -i eth0 --speed=0.1 capture.pcap

# Limit packet rate
# -p sets a fixed packets-per-second ceiling regardless of recorded timing.
sudo tcpreplay -i eth0 -p 100 capture.pcap
  • tcpdump — Packet capture utility
  • Wireshark — Interactive pcap analyzer
  • scapy — Python packet manipulation
  • netcat — Network connectivity utility
  • iperf — Network performance testing