How to capture and replay network traffic on Linux

When you are testing or debugging middlebox hardware such as routers, switches, or Snort IDS, it is extremely useful to perform the testing with reproducible network traffic. Using repeatable traffic minimizes any kind of uncertainty in the testing environment, thereby making testing results easier to interpret and analyze.

In Linux, there is a suite of command-line utilities called tcpreplay which can replay captured network traffic.

In this tutorial, I will show you how to capture live network traffic, and replay the captured network traffic elsewhere by using tcpreplay.

Capture Live Network Traffic

First, install tcpreplay and tcpdump on Linux. To install tcpreplay, follow the instructions here.

The next step is to capture live network traffic and dump it to a pcap file. To do so, run the tcpdump command as follows. I assume that eth0 is the sniffing interface and that it is set to promiscuous mode.

$ sudo tcpdump -w dump.pcap -i eth0

Rewrite Packets in Traffic Dump

Next, rewrite the packets captured in the pcap file so that they can be replayed between any two arbitrary hosts (different from the original traffic source and sink). Run the following series of commands to perform the packet rewriting.

1. Rewrite any destination IP address and MAC address in traffic dump to and E0:DB:55:CC:13:F1, respectively:

$ tcprewrite --infile=dump.pcap --outfile=temp1.pcap --dstipmap= --enet-dmac=E0:DB:55:CC:13:F1

2. Rewrite any source IP address and MAC address in traffic dump to and 84:A5:C8:BB:58:1A, respectively:

$ tcprewrite --infile=temp1.pcap --outfile=temp2.pcap --srcipmap= --enet-smac=84:A5:C8:BB:58:1A

3. Update the checksum of every packet:

$ tcprewrite --infile=temp2.pcap --outfile=final.pcap --fixcsum
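The three tcprewrite steps above change the MAC addresses, then the IP addresses, and only then fix the checksums. The following is an added example (not part of the original tutorial and not tcpreplay's own code) that performs the same three steps on a single Ethernet/IPv4 frame in pure Python, to show why the --fixcsum step is necessary: the IPv4 header checksum and the TCP/UDP pseudo-header checksum both cover the addresses that were just rewritten. The MAC addresses are the tutorial's; the 192.168.1.x addresses and the sample UDP frame are constructed for the example.

```python
import struct
from ipaddress import IPv4Address

ETHERTYPE_IPV4, TCP, UDP = b"\x08\x00", 6, 17

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def rewrite_frame(frame: bytes, dst_mac: str, dst_ip: str, src_mac: str, src_ip: str) -> bytes:
    """Steps 1-3 in one pass: new destination MAC/IP, new source MAC/IP, fixed checksums."""
    if frame[12:14] != ETHERTYPE_IPV4:
        raise ValueError("only Ethernet/IPv4 frames are handled here")
    ihl = (frame[14] & 0x0F) * 4
    ip, l4 = bytearray(frame[14:14 + ihl]), bytearray(frame[14 + ihl:])
    ip[12:16], ip[16:20] = IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed
    ip[10:12] = b"\x00\x00"  # the header checksum is computed with its own field zeroed
    ip[10:12] = struct.pack("!H", inet_checksum(bytes(ip)))
    # TCP/UDP checksums cover a pseudo-header holding both IP addresses, so they also
    # go stale after an address rewrite; this is the layer-4 part that --fixcsum repairs.
    off = {TCP: 16, UDP: 6}.get(ip[9])
    if off is not None and len(l4) >= off + 2:
        l4[off:off + 2] = b"\x00\x00"
        pseudo = bytes(ip[12:20]) + struct.pack("!BBH", 0, ip[9], len(l4))
        csum = inet_checksum(pseudo + bytes(l4)) or (0xFFFF if ip[9] == UDP else 0)
        l4[off:off + 2] = struct.pack("!H", csum)  # UDP sends a computed 0 as 0xFFFF
    return (bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
            + ETHERTYPE_IPV4 + bytes(ip) + bytes(l4))

def checksums_valid(frame: bytes) -> bool:
    """Correct IPv4 headers and TCP/UDP segments (with pseudo-header) checksum to zero."""
    ihl = (frame[14] & 0x0F) * 4
    ip, l4 = frame[14:14 + ihl], frame[14 + ihl:]
    if inet_checksum(ip) != 0:
        return False
    if ip[9] in (TCP, UDP):
        return inet_checksum(ip[12:20] + struct.pack("!BBH", 0, ip[9], len(l4)) + l4) == 0
    return True

def sample_udp_frame(src_ip: str, dst_ip: str, data: bytes) -> bytes:
    """Constructed input: Ethernet/IPv4/UDP frame with deliberately stale (zero) checksums."""
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(data), 0) + data
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, UDP, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return bytes.fromhex("02000000000a" "02000000000b") + ETHERTYPE_IPV4 + ip + udp
```

Run `checksums_valid()` on a frame before and after `rewrite_frame()` to see the effect of step 3: the rewritten addresses alone leave both checksums wrong, and a receiving stack or IDS would drop or mis-parse such packets.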

After you are done with packet rewriting, you can go ahead and replay the finalized packet dump as follows.

$ sudo tcpreplay --intf1=eth0 final.pcap

Customize Traffic Replay Settings

The tcpreplay command offers various options to customize replay settings (e.g., speed, duration, performance).

To loop through a pcap file 100 times:

$ sudo tcpreplay --loop=100 --intf1=eth0 final.pcap

To cache a pcap file in RAM after the first time, so that subsequent loops do not incur disk I/O latency:

$ sudo tcpreplay --loop=100 --enable-file-cache --intf1=eth0 final.pcap

To replay traffic five times as fast as the original traffic was captured:

$ sudo tcpreplay --multiplier=5.0 --intf1=eth0 final.pcap

To replay traffic at a rate of 10Mbps:

$ sudo tcpreplay --mbps=10.0 --intf1=eth0 final.pcap

To replay traffic at 100 packets per second:

$ sudo tcpreplay --pps=100 --intf1=eth0 final.pcap

To replay traffic in infinite loops or until CTRL-C is pressed:

$ sudo tcpreplay --loop=0 --intf1=eth0 final.pcap

To replay traffic as quickly as possible:

$ sudo tcpreplay --topspeed --intf1=eth0 final.pcap

In this tutorial, I demonstrated how to modify packet traces in a systematic way using tcprewrite, and how to inject them onto the network with tcpreplay. Combined with other pcap manipulation tools, they give you an effective means of doing various kinds of network testing and troubleshooting in a more controlled environment.


19 thoughts on “How to capture and replay network traffic on Linux”

  1. The tcprewrite solves the problem of catching the traffic from other host and replay to a different one?

    Isn't there any problem with layer 2? Like MAC?


    • Sure you can capture traffic from one host, and replay it on another host, as long as you rewrite the packet header fields in the traffic beforehand, using tcprewrite. You can rewrite src/dst IP address, MAC address, port, etc. It will also automatically recalculate checksums.

      • And how does the rewrite work?

        ALL the destinations will be changed?
        Because I have many destinations, like internet access.

        • You can use CIDR expressions to choose which hosts get translated and which not.

          To change all destinations:

          To change a specific destination:

  2. Hi

    How can I replay a pcap file inside the PPTP vpn tunnel which was captured on Ethernet interface? I have tried but got some incompatibilities regarding MTU.

    • That's because available MTU is smaller than that of packets you are injecting. You have a few options to deal with the MTU issue:

      Truncate packets to a custom MTU size (e.g. 1000 bytes):
      $ tcprewrite --mtu=1000 --mtu-trunc --infile=input.pcap --outfile=output.pcap

      Alternatively, use IP fragmentation to break up each large packet into smaller ones. As of v3.3.0 you can use fragroute to segment IP packets into smaller ones to fit into available MTU. If you want to do this, create frag.cfg with the contents
      ip_frag 1000
      and run tcprewrite as follows:

      $ tcprewrite --fragroute=frag.cfg --infile=input.pcap --outfile=output.pcap

  3. How do I do something like this: tcpreplay test.pcap -ip= -port:3333? Where I want to send the pcaps from one host (say to a remote host ( where a process is listening on port 3333?

  4. I'm looking at using tcpreplay in order to test a new IPS/IDS. Does the setup require running tcpreplay on two systems (a server and a client), or can I just replay the traffic to any end host?

    Since I don't need the end host to reply. I only need the IPS/IDS to see the traffic and flag it.

    • You don't need a server and a client. Using tcpreplay, you can replay trace to any random network interface with promiscuous mode on.

      Even simpler, IDS/IPS like Snort can read a pcap file directly. No need for tcpreplay.

  5. Okay, thanks. I wanted to be sure on that part, since I've seen some other products that require a client/server setup.

    I will be testing 3 IPS/IDS solutions and wanted to replay some pcaps across all 3 to make sure we get the same results along with the data load. I've seen that with the correct setup tcpreplay can push up to 10Gbps.

    One more question: does the system running tcpreplay need to be plugged into the IPS? I was thinking about just performing a tcprewrite to send the traffic into a test box in the DC so the IPS can catch it. I don't need the test box to reply, just need the IPS to catch it. But not sure if tcpreplay works that way.

    • You can interconnect two boxes back to back. On one box, run tcpreplay, and on the other box you run IDS which will catch traffic injected from the other end.

  6. Hi Danni, I have an internet trace dataset that I would like to replay in my emulator. So I plan to replay at the incoming emulated switch interface. As you know, there are a couple of hundred thousand unique IP addresses to edit, to create a couple of thousand nodes to match the dataset node IP addresses. Can it be done any other way?
    Or can you give suggestions and advice for me to do this? Your help is really appreciated.

  7. Hello Dan. I need to ask you why we have to rewrite the packets to replay them.
    Isn't it more legit to let the be ('PacketAnalysis-wise') ?

    • Depends on the purpose of packet injection. For IDS testing you will have to modify the IP addresses in traces to match the local subnet being inspected (in case the trace was collected elsewhere).

  8. Hi Dan,

    Can we use tcpdump for back-to-back loopback testing? If yes, can you please tell me how?

    Thanks in advance,

  9. I want to replay captured traffic from a guest machine to the host machine. How can I do it? I have created an interface eth0, and when I am running the command "$ sudo tcpreplay --intf1=eth1 HOME_dataset.pcap" I am getting the error "Fatal Error: Unable to parse args: Invalid interface name/alias: eth1".

    • You said you created an interface eth0 and then you sent packets to inf1=eth1.
      Well, why eth1? The error also tells you something is wrong with the interface name in your command.
