## Overview

Tcpreplay is a comprehensive suite of tools for editing, merging, and replaying pcap files. It allows security professionals to simulate network traffic conditions, test intrusion detection systems, validate firewall rules, and perform controlled network simulations. The suite includes tcpreplay (traffic replay), tcpprep (pcap preprocessing), tcprewrite (packet editing), and other utilities for advanced traffic manipulation.
## Installation

### Debian/Ubuntu

```bash
sudo apt-get update
sudo apt-get install tcpreplay
```

### macOS

```bash
brew install tcpreplay
```

### From Source

```bash
git clone https://github.com/appneta/tcpreplay.git
cd tcpreplay
# A git checkout has no generated configure script; autogen.sh creates it
./autogen.sh
./configure
make
sudo make install
```

### Verify Installation

```bash
tcpreplay --version
tcpprep --version
tcprewrite --version
```
## Suite Components

| Tool | Purpose |
|---|---|
| tcpreplay | Replay pcap files to a network interface |
| tcpprep | Pre-process pcap files and create cache files (client/server classification) |
| tcprewrite | Rewrite pcap packet headers and payloads |
| tcpbridge | Bridge live traffic between two interfaces, optionally rewriting it on the way |
| tcpcapinfo | Decode and debug the raw structure of a pcap file |
| tcpdump | Not part of the suite, but used throughout this page to capture and filter the pcaps the suite consumes |
## Basic Tcpreplay Usage

### Simple Replay

```bash
# Replay pcap file to interface (timing as captured)
sudo tcpreplay -i eth0 capture.pcap
# Replay at original speed (a multiplier of 1.0 is the default)
sudo tcpreplay -i eth0 --multiplier=1.0 capture.pcap
# Fast replay (10x the captured timing)
sudo tcpreplay -i eth0 --multiplier=10.0 capture.pcap
```

### Speed Control

```bash
# Quarter speed
sudo tcpreplay -i eth0 --multiplier=0.25 capture.pcap
# Half speed
sudo tcpreplay -i eth0 --multiplier=0.5 capture.pcap
# Double speed
sudo tcpreplay -i eth0 --multiplier=2.0 capture.pcap
# Maximum speed (ignore captured timing entirely)
sudo tcpreplay -i eth0 --topspeed capture.pcap
```

### Packet Iteration

```bash
# Replay twice
sudo tcpreplay -i eth0 -l 2 capture.pcap
# Replay 5 times
sudo tcpreplay -i eth0 -l 5 capture.pcap
# Continuous replay (until interrupted)
sudo tcpreplay -i eth0 -l 0 capture.pcap
```

| Option | Function |
|---|---|
| -i interface | Target (primary) interface for replay |
| --multiplier=N (-x N) | Replay speed multiplier relative to the captured timing |
| --topspeed (-t) | Replay as fast as the interface allows |
| -l N | Loop count (0 = infinite) |
| --mbps=N (-M N) | Replay at a fixed rate of N megabits per second |
| -p N (--pps=N) | Replay at a fixed rate of N packets per second |
## Tcpprep: Pcap Preprocessing

tcpprep decides, for every packet in a capture, whether it belongs to the client or the server side and stores that decision in a cache file. tcpreplay later reads the cache to send client packets out one interface (-i) and server packets out a second one (-I), which is what makes replay through a firewall or IDS tap realistic.

### Create Cache File from Pcap

```bash
# Auto mode: classify by watching the traffic. The mode argument is required
# and is one of bridge, router, client, server or first
tcpprep -i capture.pcap -o capture.cache -a bridge
# CIDR mode: source addresses inside the listed networks are treated as servers,
# everything else as clients (--reverse swaps the two)
tcpprep -i capture.pcap -o capture.cache -c 192.168.1.0/24,10.0.0.0/8
# Regex mode: source addresses matching the pattern are treated as servers
tcpprep -i capture.pcap -o capture.cache -r '^192\.168\.1\.'
```

### Router Auto Mode

```bash
# Auto router mode: like bridge mode, but uses the router heuristic from the
# tcpprep manual to decide which hosts are local clients and which are remote servers
tcpprep -i capture.pcap -o capture.cache -a router
```

### Port-Based Classification

```bash
# Port mode: the side using a well-known service port is the server
tcpprep -i capture.pcap -o capture.cache -p
# With custom port definitions in a services(5)-style file
tcpprep -i capture.pcap -o capture.cache -p -s my_services.txt
```

### List Cache File Contents

```bash
# Display basic cache file information
tcpprep --print-info=capture.cache
# Print the comment stored in the cache (by default, the tcpprep arguments used to build it)
tcpprep --print-comment=capture.cache
# Statistics
tcpprep --print-stats=capture.cache
# Peek at the capture the cache was built from
tcpdump -r capture.pcap -n | head
```

| Option | Function |
|---|---|
| -i file | Input pcap file (--pcap) |
| -o file | Output cache file (--cachefile) |
| -a mode | Auto mode: bridge, router, client, server or first |
| -c cidr[,cidr...] | CIDR mode |
| -r regex | Regex mode |
| -p | Port-based mode (-s file supplies a custom services file) |
## Tcprewrite: Packet Editing

### Rewrite MAC Addresses

```bash
# Change source MAC
tcprewrite -i capture.pcap -o modified.pcap --enet-smac=00:11:22:33:44:55
# Change destination MAC
tcprewrite -i capture.pcap -o modified.pcap --enet-dmac=aa:bb:cc:dd:ee:ff
# Both MAC addresses
tcprewrite -i capture.pcap -o modified.pcap \
  --enet-smac=00:11:22:33:44:55 \
  --enet-dmac=aa:bb:cc:dd:ee:ff
```

### Rewrite IP Addresses

```bash
# Change source IPs: hosts in 192.168.1.0/24 become hosts in 10.0.0.0/24
tcprewrite -i capture.pcap -o modified.pcap --srcipmap=192.168.1.0/24:10.0.0.0/24
# Change destination IPs
tcprewrite -i capture.pcap -o modified.pcap --dstipmap=192.168.1.0/24:10.0.0.0/24
# Bidirectional rewriting
tcprewrite -i capture.pcap -o modified.pcap \
  --srcipmap=192.168.1.0/24:10.0.0.0/24 \
  --dstipmap=172.16.0.0/16:10.1.0.0/16
```

### Rewrite Ports

```bash
# Rewrite port 80 to 8080 (--portmap applies to both source and destination ports)
tcprewrite -i capture.pcap -o modified.pcap --portmap=80:8080
# Rewrite port 443 to 8443
tcprewrite -i capture.pcap -o modified.pcap --portmap=443:8443
# Multiple port mappings (the option may be given more than once)
tcprewrite -i capture.pcap -o modified.pcap \
  --portmap=80:8080 --portmap=443:8443
```

### TTL Manipulation

```bash
# Set TTL to 64
tcprewrite -i capture.pcap -o modified.pcap --ttl=64
# Increment TTL by 10 (a leading - decrements)
tcprewrite -i capture.pcap -o modified.pcap --ttl=+10
```

### Checksum Recalculation

```bash
# Force recalculation of IPv4/TCP/UDP header checksums (-C)
tcprewrite -i capture.pcap -o modified.pcap --fixcsum
# Combine with other edits so every written packet carries valid checksums
tcprewrite -i capture.pcap -o modified.pcap --ttl=64 --fixcsum
```

| Option | Function |
|---|---|
| -i file | Input pcap |
| -o file | Output pcap |
| --enet-smac | Source MAC |
| --enet-dmac | Destination MAC |
| --srcipmap | Source IP mapping |
| --dstipmap | Destination IP mapping |
| --portmap | TCP/UDP port mapping |
| --ttl | Set, increment or decrement the TTL |
| --fixcsum | Recalculate checksums |
## Prepare and Replay

```bash
# Step 1: Create cache file
tcpprep -i original.pcap -o flows.cache -a bridge
# Step 2: Replay using the cache; client packets leave -i, server packets leave -I
sudo tcpreplay -i eth0 -I eth1 -c flows.cache original.pcap
# Or combined with rewriting
tcprewrite -i original.pcap -o rewritten.pcap \
  --srcipmap=192.168.1.0/24:10.0.0.0/24
sudo tcpreplay -i eth0 -I eth1 -c flows.cache rewritten.pcap
```

## IDS/IPS Testing

```bash
# Capture test traffic
sudo tcpdump -i eth0 -w test_traffic.pcap
# Modify to match network environment
tcprewrite -i test_traffic.pcap -o modified.pcap \
  --srcipmap=192.168.1.0/24:192.168.100.0/24 \
  --enet-smac=00:11:22:33:44:55
# Replay against IDS (three passes at half speed)
sudo tcpreplay -i eth0 -l 3 --multiplier=0.5 modified.pcap
```

## Firewall Testing

```bash
# Create a cache so client and server packets can be injected on opposite sides
tcpprep -i baseline.pcap -o baseline.cache -a bridge
# Rewrite for test environment
tcprewrite -i baseline.pcap -o test.pcap \
  --dstipmap=0.0.0.0/0:10.0.0.0/8
# Replay through the firewall: -i on the outside segment, -I on the inside segment
sudo tcpreplay -i eth0 -I eth1 -c baseline.cache test.pcap
```
## Packet Statistics and Analysis

```bash
# Basic information (first 20 packets, no name resolution)
tcpdump -r capture.pcap -n | head -20
# Packet count
tcpdump -r capture.pcap -n | wc -l
# Network-layer protocol breakdown (IP, IP6, ARP, ...): the protocol keyword is the
# second field of tcpdump's one-line output
tcpdump -r capture.pcap -nq | awk '{print $2}' | sort | uniq -c | sort -rn
```

## Verify Checksum Integrity

```bash
# Check for bad checksums (tcpdump -v prints "bad cksum" for IPv4 headers that do not verify)
tcpdump -r capture.pcap -nv 2>&1 | grep -i "bad cksum"
# Verify rewritten pcap
tcpdump -r modified.pcap -nv | grep -i "cksum"
```

Packets captured on the sending host with checksum offload enabled are reported with bad TCP/UDP checksums even though nothing is corrupt, because the NIC filled them in after the capture point; compare against a capture taken on a separate tap before treating such errors as real.
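The statistics and checksum checks above, together with the tcprewrite `--srcipmap` rewriting described earlier on this page, can be reproduced offline for a small capture. What follows is an added example in pure Python, not a command from this page and not code from the tcpreplay project: it parses a classic little-endian pcap, counts protocols, flags IPv4 headers whose stored checksum does not verify, and rewrites source addresses inside one CIDR block into another, recomputing the header checksum the way `--fixcsum` would. The sample capture is constructed inline, the function names are the example's own, and the rule that host bits are preserved when remapping is an assumption about tcprewrite's behaviour rather than something this page states.

```python
import ipaddress
import struct
from collections import Counter
PCAP_MAGIC_LE = b"\xd4\xc3\xb2\xa1"  # classic pcap magic 0xa1b2c3d4 as stored on disk (little-endian)
ETHERTYPE_IPV4, ETHERTYPE_ARP = 0x0800, 0x0806
IP_PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum of the IPv4 header with its checksum field zeroed."""
    h = header[:10] + b"\x00\x00" + header[12:]
    total = sum(struct.unpack("!%dH" % (len(h) // 2), h))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def read_pcap(data: bytes):
    """Yield (ts_sec, ts_usec, frame) per record; pcapng and big-endian files are rejected."""
    if data[:4] != PCAP_MAGIC_LE:
        raise ValueError("not a little-endian classic pcap")
    pos = 24  # skip the 24-byte global header
    while pos + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, pos)
        pos += 16
        frame = data[pos:pos + incl_len]
        if len(frame) < incl_len:
            raise ValueError("truncated record at offset %d" % pos)
        pos += incl_len
        yield ts_sec, ts_usec, frame

def write_pcap(records) -> bytes:
    """Serialize (ts_sec, ts_usec, frame) records as a classic pcap with Ethernet link type."""
    out = [PCAP_MAGIC_LE + struct.pack("<HHiIII", 2, 4, 0, 0, 65535, 1)]
    for ts_sec, ts_usec, frame in records:
        out.append(struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame)
    return b"".join(out)

def ipv4_header(frame: bytes):
    """Return the IPv4 header bytes of an Ethernet frame, or None if it is not IPv4."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    return frame[14:14 + (frame[14] & 0x0F) * 4]

def protocol_stats(data: bytes) -> Counter:
    """Count frames by link-layer type and, for IPv4, by transport protocol."""
    stats = Counter()
    for _, _, frame in read_pcap(data):
        h = ipv4_header(frame)
        if h is not None:
            stats["ip/" + IP_PROTO_NAMES.get(h[9], str(h[9]))] += 1
        elif struct.unpack("!H", frame[12:14])[0] == ETHERTYPE_ARP:
            stats["arp"] += 1
        else:
            stats["other"] += 1
    return stats

def bad_ipv4_checksums(data: bytes) -> list:
    """0-based indexes of IPv4 frames whose stored header checksum does not verify."""
    return [idx for idx, (_, _, frame) in enumerate(read_pcap(data))
            if (h := ipv4_header(frame)) is not None
            and struct.unpack("!H", h[10:12])[0] != ipv4_checksum(h)]

def source_ips(data: bytes) -> list:
    """Dotted-quad source address of every IPv4 frame, in file order."""
    return [str(ipaddress.ip_address(h[12:16]))
            for _, _, frame in read_pcap(data) if (h := ipv4_header(frame)) is not None]

def remap_src_ips(data: bytes, mapping: str) -> bytes:
    """Rewrite IPv4 sources inside OLD_CIDR into NEW_CIDR, keeping the host bits, and
    recompute the header checksum. `mapping` uses tcprewrite's --srcipmap form OLD:NEW;
    that tcprewrite preserves host bits this way is an assumption of this example."""
    old_net, new_net = (ipaddress.ip_network(p, strict=False) for p in mapping.split(":"))
    mask, new_base = int(old_net.netmask), int(new_net.network_address)
    rewritten = []
    for ts_sec, ts_usec, frame in read_pcap(data):
        h = ipv4_header(frame)
        if h is not None and ipaddress.ip_address(h[12:16]) in old_net:
            h = bytearray(h)
            new_src = (new_base & mask) | (int.from_bytes(h[12:16], "big") & ~mask & 0xFFFFFFFF)
            h[12:16] = new_src.to_bytes(4, "big")
            h[10:12] = ipv4_checksum(bytes(h)).to_bytes(2, "big")
            frame = frame[:14] + bytes(h) + frame[14 + len(h):]
        rewritten.append((ts_sec, ts_usec, frame))
    return write_pcap(rewritten)

def build_udp_frame(src: str, dst: str, corrupt_checksum: bool = False) -> bytes:
    """Constructed Ethernet/IPv4/UDP frame used only as sample input (not a real capture)."""
    udp = struct.pack("!HHHH", 40000, 53, 13, 0) + b"hello"
    h = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0, 64, 17, 0,
                              ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed))
    h[10:12] = (ipv4_checksum(bytes(h)) ^ (0x00FF if corrupt_checksum else 0)).to_bytes(2, "big")
    return bytes.fromhex("aabbccddeeff001122334455") + struct.pack("!H", ETHERTYPE_IPV4) + bytes(h) + udp

# Constructed sample capture: two hosts in 192.168.1.0/24 (one with a corrupted checksum), one other host, one ARP
SAMPLE_PCAP = write_pcap([
    (1700000000, 0, build_udp_frame("192.168.1.10", "8.8.8.8")),
    (1700000000, 500, build_udp_frame("192.168.1.77", "8.8.8.8", corrupt_checksum=True)),
    (1700000001, 0, build_udp_frame("172.16.5.5", "8.8.8.8")),
    (1700000001, 10, bytes.fromhex("ffffffffffff001122334455") + struct.pack("!H", ETHERTYPE_ARP) + bytes(28)),
])
```

Running `protocol_stats(SAMPLE_PCAP)` gives three `ip/udp` frames and one `arp`; `bad_ipv4_checksums(SAMPLE_PCAP)` reports index 1, and after `remap_src_ips(SAMPLE_PCAP, "192.168.1.0/24:10.0.0.0/24")` the sources read 10.0.0.10, 10.0.0.77 and 172.16.5.5 with no bad checksums left, which is the state a rewritten pcap should be in before it is handed to tcpreplay. To try it on a real file, read it with `open(path, "rb").read()`; note that files tcpdump writes as pcapng (the `file` command shows the difference) are rejected by `read_pcap` on purpose rather than misparsed.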
## Filtering and Selection

### Replay Specific Flows

```bash
# Extract specific flows first
tcpdump -r capture.pcap -w http_only.pcap 'tcp port 80'
# Replay extracted traffic
sudo tcpreplay -i eth0 http_only.pcap
```

### Size-Based Selection

```bash
# Extract packets above 1000 bytes
tcpdump -r capture.pcap -w large_packets.pcap 'len > 1000'
# Extract small packets (SYN floods, etc.)
tcpdump -r capture.pcap -w small_packets.pcap 'len < 100'
```

### Minimize Pcap Size

```bash
# Remove non-essential traffic
tcpdump -r large.pcap -w small.pcap 'tcp or udp'
# Keep only essential flows
tcpdump -r large.pcap -w filtered.pcap 'port 80 or port 443'
```
## Replay Optimization

```bash
# Limit packet rate to 1000 packets per second
sudo tcpreplay -i eth0 -p 1000 capture.pcap
# Use top speed for throughput testing
sudo tcpreplay -i eth0 --topspeed capture.pcap
```

## Memory Efficiency

```bash
# tcpreplay streams packets from disk; only -K/--preload-pcap loads the whole file
# into RAM, so leave that option off for very large captures
sudo tcpreplay -i eth0 large.pcap
# Split a large capture into 10000-packet files with editcap (from the Wireshark suite)
editcap -c 10000 large.pcap chunk.pcap
# Replay the chunks in order (tcpreplay accepts several pcap files in one run)
sudo tcpreplay -i eth0 chunk_*.pcap
```
## Practical Workflow Examples

### Security Assessment

```bash
# Capture baseline traffic for a whole subnet ("host" takes a single address; use "net" for a block)
sudo tcpdump -i eth0 -w baseline.pcap net 192.168.1.0/24
# Prepare for replay
tcpprep -i baseline.pcap -o baseline.cache -a bridge
# Replay modified traffic to test detection
tcprewrite -i baseline.pcap -o modified.pcap --dstipmap=192.168.1.0/24:10.0.0.0/24
sudo tcpreplay -i eth0 -I eth1 -c baseline.cache modified.pcap
```

### Load Testing

```bash
# Create synthetic load from captured traffic (100 loops at 10x speed)
sudo tcpreplay -i eth0 -l 100 --multiplier=10.0 capture.pcap
# Monitor system response
watch -n 1 'ss -tan | tail -20'
```

### Malware Simulation

```bash
# Capture legitimate traffic baseline, rotating the output file every 300 seconds
sudo tcpdump -i eth0 -G 300 -w 'baseline_%Y%m%d_%H%M%S.pcap'
# Replay at controlled rate for safe testing
sudo tcpreplay -i eth0 --multiplier=0.1 baseline_*.pcap
```

### Disaster Recovery Testing

```bash
# Preserve production traffic (work on a copy, leaving the original untouched)
tcpdump -r production.pcap -w dr_test.pcap
# Anonymize sensitive data by moving every address into private ranges
tcprewrite -i production.pcap -o anon.pcap \
  --srcipmap=0.0.0.0/0:10.0.0.0/8 \
  --dstipmap=0.0.0.0/0:172.16.0.0/12
# Test DR environment
sudo tcpreplay -i eth0 -l 2 anon.pcap
```
## Automation Scripts

### Batch Pcap Preprocessing

```bash
#!/bin/bash
set -euo pipefail
for pcap in *.pcap; do
  echo "Processing: $pcap"
  tcpprep -i "$pcap" -o "${pcap%.pcap}.cache" -a bridge
  echo "Created: ${pcap%.pcap}.cache"
done
```

### Replay with Monitoring

```bash
#!/bin/bash
# Usage: replay_monitor.sh <pcap> <interface>
set -euo pipefail
PCAP=$1
INTERFACE=$2
LOG="replay_monitor_$(date +%s).log"
# Start monitoring: watch(1) needs a terminal and cannot run in the background,
# so sample the socket table once a second into a log file instead
( while sleep 1; do date; ss -tan | tail -10; done ) > "$LOG" &
MONITOR_PID=$!
# Stop monitoring when the script exits, whether or not the replay succeeds
trap 'kill "$MONITOR_PID" 2>/dev/null' EXIT
# Replay
sudo tcpreplay -i "$INTERFACE" "$PCAP"
echo "Monitor output saved to $LOG"
```

### Bulk IP Rewriting

```bash
#!/bin/bash
set -euo pipefail
for file in *.pcap; do
  echo "Rewriting: $file"
  tcprewrite -i "$file" -o "rewritten_${file}" \
    --srcipmap=192.168.0.0/16:10.0.0.0/8 \
    --fixcsum
done
```
## Common Flags Reference

| Flag | Description |
|---|---|
| -i interface | Primary network interface (tcpreplay); -I names the secondary interface used with a cache file |
| -l N | Loop iterations (0 = forever) |
| --multiplier=N / -x N | Replay speed multiplier |
| --topspeed / -t | Replay as fast as possible |
| -p N / --pps=N | Replay at N packets per second |
| -c cache | Use a tcpprep cache file (requires -I) |
| --enet-smac | Source MAC address (tcprewrite) |
| --enet-dmac | Destination MAC address (tcprewrite) |
| --srcipmap | Source IP mapping (tcprewrite) |
| --dstipmap | Destination IP mapping (tcprewrite) |
| --portmap | TCP/UDP port mapping (tcprewrite) |
| --fixcsum | Fix checksums (tcprewrite) |
## Troubleshooting

### Permission Issues

```bash
# Tcpreplay requires root for raw interface access
sudo tcpreplay -i eth0 capture.pcap
# Or grant file capabilities: raw packet injection needs CAP_NET_RAW, and CAP_NET_ADMIN
# covers interface settings. Anyone who can execute the binary can then inject frames,
# so on shared hosts sudo with a restricted rule is the safer choice
sudo setcap cap_net_raw,cap_net_admin=eip "$(command -v tcpreplay)"
```

### Invalid Pcap Files

```bash
# Verify pcap integrity (also tells pcap from pcapng, which tcpreplay does not read)
file capture.pcap
# Check with tcpdump
tcpdump -r capture.pcap -n | head
# Inspect the raw file structure with the suite's own debugger
tcpcapinfo capture.pcap
# Try repair: copies the readable records and stops at the first truncated one
tcpdump -r damaged.pcap -w repaired.pcap
```

### Checksum Errors After Rewriting

```bash
# Always fix checksums after editing
tcprewrite -i capture.pcap -o modified.pcap \
  --srcipmap=192.168.1.0/24:10.0.0.0/24 \
  --fixcsum
```

### Interface Saturation

```bash
# Reduce replay speed
sudo tcpreplay -i eth0 --multiplier=0.1 capture.pcap
# Limit packet rate to 100 packets per second
sudo tcpreplay -i eth0 -p 100 capture.pcap
```
## Related Tools

- tcpdump: packet capture utility
- Wireshark: interactive pcap analyzer
- scapy: Python packet manipulation
- netcat: network connectivity utility
- iperf: network performance testing