When you are testing or debugging middlebox hardware such as routers, switches, or IDS/IPS devices, it is extremely useful to perform the testing with reproducible network traffic. Using repeatable traffic minimizes uncertainty in the testing environment, which makes the test results easier to interpret and analyze.
In Linux, there is a suite of command-line utilities called tcpreplay that can replay captured network traffic.
In this tutorial, I will show you how to capture live network traffic, and replay the captured network traffic elsewhere by using tcpreplay.
Capture Live Network Traffic
First, install tcpreplay and tcpdump on Linux. To install tcpreplay, follow the instructions here.
The next step is to capture live network traffic and dump it to a pcap file. To do so, run the tcpdump command as follows. I assume that eth0 is the sniffing interface, which is set to promiscuous mode.
Rewrite Packets in Traffic Dump
Next, rewrite the packets captured in the pcap file so that we can replay them between any two arbitrary hosts (different from the original traffic source and sink). Run the following commands in sequence to perform the packet rewriting.
1. Rewrite every destination IP address and MAC address in the traffic dump to 192.168.1.20 and E0:DB:55:CC:13:F1, respectively:
2. Rewrite every source IP address and MAC address in the traffic dump to 192.168.1.10 and 84:A5:C8:BB:58:1A, respectively:
3. Update the checksum of every packet (the IP and MAC rewrites above invalidate the original checksums):
After you are done with packet rewriting, you can go ahead and replay the finalized packet dump as follows.
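The capture, rewrite and replay steps above, collected into one script as an added example (this is not the post's own code). Every function prints the exact command it would run and executes it only when DRY_RUN=0, so the whole pipeline can be inspected without root, an installed tcpdump/tcpreplay, or a live interface. The interface name and the IP/MAC addresses are the tutorial's; the pcap file names and the per-step intermediate files are assumptions. The flags used (--dstipmap, --srcipmap, --enet-dmac, --enet-smac, --fixcsum, --intf1) are standard tcprewrite/tcpreplay options.

```shell
#!/bin/sh
# Added example, not from the original post: the tutorial's capture, rewrite
# and replay steps as shell functions. Each prints the command it would run
# and executes it only when DRY_RUN=0 (assumed convention for this example).
DRY_RUN=${DRY_RUN:-1}

# Print a command line, then run it unless we are in dry-run mode.
run() {
    echo "$*"
    [ "$DRY_RUN" = "1" ] || "$@"
}

# Step 0: capture live traffic on the sniffing interface into a pcap file.
# -w writes raw packets (no decoding); -s 0 stores each packet in full.
capture() {
    run tcpdump -i "$1" -s 0 -w "$2"
}

# Steps 1-3: rewrite destination, then source, then checksums. Each tcprewrite
# pass reads the previous pass's output, so one intermediate file is kept per
# step. 0.0.0.0/0 matches every address, i.e. "rewrite any IP" as in the text.
rewrite_for_replay() {
    in=$1; out=$2
    dst_ip=$3; dst_mac=$4; src_ip=$5; src_mac=$6
    # 1. all destination IPs/MACs -> the replay sink
    run tcprewrite --infile="$in" --outfile="$out.step1" \
        --dstipmap="0.0.0.0/0:$dst_ip" --enet-dmac="$dst_mac"
    # 2. all source IPs/MACs -> the replay source
    run tcprewrite --infile="$out.step1" --outfile="$out.step2" \
        --srcipmap="0.0.0.0/0:$src_ip" --enet-smac="$src_mac"
    # 3. recompute the IP/TCP/UDP checksums invalidated by steps 1 and 2
    run tcprewrite --infile="$out.step2" --outfile="$out" --fixcsum
}

# Replay the finalized dump once, at the captured timing, out of an interface.
replay() {
    run tcpreplay --intf1="$1" "$2"
}

# Usage with the tutorial's addresses; stays a dry run unless DRY_RUN=0.
capture eth0 live.pcap
rewrite_for_replay live.pcap final.pcap \
    192.168.1.20 E0:DB:55:CC:13:F1 192.168.1.10 84:A5:C8:BB:58:1A
replay eth0 final.pcap
```

Run it as-is to see the five command lines; run it with `DRY_RUN=0` (as root, since tcpdump and tcpreplay need raw socket access) to execute them. Keeping the three tcprewrite passes separate mirrors the post and leaves each intermediate file available for inspection with tcpdump -r, which is the quickest way to confirm that only the addresses you intended were changed before anything is put on the wire.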
Customize Traffic Replay Settings
The tcpreplay command offers various options to customize replay settings (e.g., speed, duration, performance).
To loop through a pcap file 100 times:
To cache a pcap file in RAM after the first time, so that subsequent loops do not incur disk I/O latency:
To replay traffic five times as fast as the original traffic was captured:
To replay traffic at a rate of 10Mbps:
To replay traffic at 100 packets per second:
To replay traffic in infinite loops or until CTRL-C is pressed:
To replay traffic as quickly as possible:
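The seven replay profiles listed above, mapped to their tcpreplay options in one function, as an added example (not code from the post). It prints each command line and executes it only when DRY_RUN=0. The profile names are assumptions made for this example; the option names are tcpreplay's own: --loop, --multiplier, --mbps, --pps and --topspeed, plus --preload-pcap, which is the tcpreplay 4.x name of the file-caching option (3.x called it --enable-file-cache).

```shell
#!/bin/sh
# Added example, not from the original post: one function that maps each
# replay profile from the text to tcpreplay's rate/loop options. Commands are
# printed, and executed only when DRY_RUN=0 (assumed convention).
DRY_RUN=${DRY_RUN:-1}

# Map a profile name (assumed names for this example) to tcpreplay options.
replay_opts() {
    case "$1" in
        loop100)  echo "--loop=100" ;;
        cached)   echo "--loop=100 --preload-pcap" ;;   # read the file into RAM once
        x5)       echo "--multiplier=5" ;;              # 5x the captured timing
        mbps10)   echo "--mbps=10" ;;                   # fixed 10 Mbps
        pps100)   echo "--pps=100" ;;                   # fixed 100 packets/s
        forever)  echo "--loop=0" ;;                    # 0 = loop until Ctrl-C
        topspeed) echo "--topspeed" ;;                  # ignore captured timing
        *) echo "unknown replay profile: $1" >&2; return 1 ;;
    esac
}

# Build the full command line: replay_cmd IFACE PROFILE PCAP
replay_cmd() {
    opts=$(replay_opts "$2") || return 1
    echo "tcpreplay --intf1=$1 $opts $3"
}

# Print the command and execute it unless in dry-run mode.
replay() {
    cmd=$(replay_cmd "$@") || return 1
    echo "$cmd"
    # shellcheck disable=SC2086  # word splitting of the option string is intended
    [ "$DRY_RUN" = "1" ] || $cmd
}

# Show every profile's command line (dry run by default).
for p in loop100 cached x5 mbps10 pps100 forever topspeed; do
    replay eth0 "$p" final.pcap
done
```

Note that --multiplier, --mbps, --pps and --topspeed are alternative ways of setting the send rate, so only one of them is used per profile; --loop is independent and can be combined with any of them, which is why the cached profile pairs --preload-pcap with --loop=100 (caching only pays off when the file is read more than once).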
In this tutorial, I demonstrated how to modify packet traces in a systematic way using tcprewrite, and how to inject them onto the network with tcpreplay. Combined with other pcap manipulation tools, they give you an effective means of doing various kinds of network testing and troubleshooting in a more controlled environment.
Latest posts by Dan Nanni