How to use tcpreplay to replay network packet files

What is tcpreplay?

Tcpreplay is a suite of open source utilities that gives administrators multiple ways to harness network information. Captures can be retransmitted for various reasons, including the following use cases:

• Test intrusion detection systems (IDSes) by resending malicious packets hidden in real traffic.
• Understand standard attack vectors by resending mock malicious packets.
• Test specific network exploits.
• Resend test transmissions to check whether router packet filters catch them.
• Transmit packets representing normal network traffic to confirm firewall settings.
• Understand packet headers and structures as part of learning more about TCP/IP networking and network IDSes.

What is pcap?

The libpcap, mainly known as pcap, API captures network packets for analysis and modification. Various network capture programs -- also known as packet sniffers -- use the API to intercept and record network traffic.

The API is primarily developed for Unix and Unix-like OSes via the libpcap library, though there is a Windows port -- Npcap is the current version; the older WinPcap is no longer in development.

Files captured using libpcap typically have the .pcap file extension, although you might also see .dmp or .cap extensions.

The libpcap library is the basis for the network capture tools that intercept traffic and tcpreplay, which resends that traffic -- possibly after the capture has been modified.

Features of tcpreplay

Administrators can choose among a number of tcpreplay options to test and troubleshoot security tools. Plan to learn these capabilities to get the most out of tcpreplay. The same can be said for learning the features of Wireshark or tcpdump.

The features of tcpreplay include the following:

• Classify replayed traffic as client or server across two network interfaces.
• Edit Open Systems Interconnection Layer 2, 3 and 4 headers.
• Replay captured traffic through switches, routers, IDSes, firewalls, intrusion protection systems (IPSes), etc.
• Replay traffic at various speeds to test IDS capabilities.

The tcpreplay suite of tools

The tcpreplay suite of tools provides a mix of capabilities. Individually, they enable you to modify and retransmit capture information. Together, after you become familiar with how to use tcpreplay, they give you options for controlling and configuring the capture replay depending on your needs.

The following are the basic tools in the suite:

• Tcpreplay to replay pcap captures on the network at defined speeds.
• Tcpreplay-edit to edit packets during replay.
• Tcprewrite to edit packet headers in pcap files before replaying.
• Tcprep to split traffic into client and server streams for replay on different network interfaces.
• Tcpliveplay to send traffic to network servers to test all layers of the TCP/IP stack.

What are packet capture tools?

You need to capture packets before using tcpreplay. Many network monitoring tools work with the pcap library; Wireshark and tcpdump are the most common. These utilities offer exceptional security and troubleshooting capabilities and are well worth your time to learn. The network traffic you intercept with these can be retransmitted by tcpreplay.

Wireshark packet analyzer

Wireshark is a powerful, user-friendly graphical tool that captures, filters and analyzes network traffic. It offers many precapture filter options, such as intercepting specific interfaces or particular protocols. After the capture, additional filters help find the appropriate protocol or source/destination node. Filtering is critical. Wireshark can pick up a lot of packets in a short time.

Wireshark saves its captures in the PCAP format, enabling them to be used by other tools, including tcpreplay. It also opens pcap files generated by utilities such as tcpdump.

Wireshark includes network analysis information to pinpoint performance problems or follow a specific conversation between devices. Download Wireshark for Linux, macOS and Windows.

Tcpdump packet capture tool

Administrators rely on tcpdump for its speed and scriptability. It's a command-line utility designed for Linux and similar OSes that displays captured packets in real time for live analysis. It also writes captures to pcap files that tools such as Wireshark and tcpreplay can use.

There's a good chance that any system where you use tcpdump also benefits from tcpreplay. Review its extensive documentation for tips and tricks.

Snort IDS/IPS

Another common open source security tool that works with pcap captures is Snort. Snort is an IDS/IPS that can open and analyze pcap files, offering information about a variety of metrics, among them protocols found and packet quantities. Snort's compatibility with pcap captures is important because tcpreplay is often used to test IDS/IPS software. Download Snort.

Other utilities

Other utilities exist that work with pcap. Investigate commercial products, like SolarWinds Network Performance Monitor, or ported applications, like WinDump. Kali Linux typically includes tcpreplay as well.

Install tcpreplay

Download tcpreplay. The source code is a compressed tarball that you must compile yourself.

Make sure your system has the appropriate compiler and supporting files by installing these packages, assuming a Debian-based Linux distribution:

sudo apt-get install build-essential libpcap-dev

Next, change to the directory containing the source files, and compile tcpreplay by using the following commands:

./configure
make
sudo make install

Confirm the installation completed successfully by running this command:

sudo make test

Another possible installation step is adding netmap if your network interface driver supports it. If you don't use netmap-capable drivers, non-tcpreplay traffic on the interface could be interrupted during the replay. Netmap prevents this, enabling full functionality during the replay. Install netmap, and then modify the tcpreplay compile process as seen below:

./configure --with-netmap={path-to-tcpreplay-source-files}
make
sudo make install

Mac users who rely on the Homebrew package manager can simply type the following:

brew install tcpreplay

Note that Windows users also need Cygwin, and tcpreplay support is limited.

How to use tcpreplay

Tcpreplay is extremely flexible, with many options to modify its behavior. The basic syntax is the tcpreplay command followed by one or more options. The argument is the name of the capture file from which the tool should pull. Here's an example:

tcpreplay -i {interface} file.pcap

This table displays some common tcpreplay options.

The following example initiates a replay using the eth0 network interface. It pulls packet information from the capture.pcap file.

tcpreplay -i eth0 capture.pcap

By default, tcpreplay stops once it has sent all the packets in the capture file. Use the -r option to read the capture file ahead of time to discover how many packets will be sent.

Specify the --loop option to cause tcpreplay to repeat the capture file the specified number of times. For example, suppose your capture file has 20 entries. To repeat the capture five times -- sending 100 entries total -- use the following syntax:

tcpreplay -i eth0 --loop=5 capture.pcap

You might want to test network performance with your capture file. By default, tcpreplay sends packets at the speed of the original capture. The --mbps or --pps options modify that speed. For example, to send five packets per second, use the following command:

tcpreplay --pps=5 -i eth0 capture.pcap

Another speed option is -t (topspeed). This flag tells tcpreplay to transmit as fast as possible rather than at the original speed of the capture file, such as here:

tcpreplay -t -i eth0 capture.pcap

View each packet transmitted from the capture file by adding the -v (verbose) option to any of the examples above.

Capturing network packets

Consider tracking inbound packets on the targeted device to view incoming traffic from the tcpreplay source computer. You could do this with Wireshark or tcpdump, or you could use an IDS/IPS with logging features. Regardless, capturing inbound network information on the destination node is useful for comparing the results against the initial replay.

Capturing network traffic is an essential part of monitoring network performance and auditing security. The ability to transmit captures for testing adds a whole new layer of functionality to monitoring. The tcpreplay suite reads and retransmits packets stored in pcap files. It enables administrators to control replay aspects, like speed and quantity.

Many security professionals and administrators are already familiar with the benefits of capturing packets, but they haven't taken the time to improve this investigative tactic.

Start to learn how to use tcpreplay today. First, compile tcpreplay on a test network segment, capture some packets with Wireshark or tcpdump and then replay them against a target system. Familiarize yourself with the additional options tcpreplay offers to get the most out of the tool. If you want to avoid downloading and compiling the various components, use your Kali Linux installation to learn the tools.

Damon Garn owns Cogspinner Coaction and provides freelance IT writing and editing services. He has written multiple CompTIA study guides, including the Linux+, Cloud Essentials+ and Server+ guides, and contributes extensively to TechTarget Editorial, The New Stack and CompTIA Blogs.