How to capture and replay network traffic on Linux

When you are testing or debugging middlebox hardware such as routers, switches, or IDS/IPS, it is extremely useful to perform the testing with reproducible network traffic. Using repeatable traffic minimizes any kind of uncertainty in the testing environment, thereby making testing results easier to interprete and analyze.

In Linux, there is a suites of command-line utilities called tcpreplay which can replay captured network traffic.

In this tutorial, I will show you how to capture live network traffic, and replay the captured network traffic elsewhere by using tcpreplay.

Capture Live Network Traffic

First, install tcpreplay and tcpdump on Linux. To install tcpreplay, follow the instruction here.

The next step is to capture live network traffic, and dump it to a pcap file. To do so, run tcpdump command as follows. I assume that eth0 is the sniffing interface which is set to promiscuous mode.

$ sudo tcpdump -w dump.pcap -i eth0

Rewrite Packets in Traffic Dump

Next, rewrite packets captured in a pcap file, so that we can replay them between a pair of any two arbitrary hosts (different from the original traffic source and sink). Run a series of the following commands to perform such packet rewriting.

1. Rewrite any destination IP address and MAC address in traffic dump to 192.168.1.20 and E0:DB:55:CC:13:F1, respectively:

$ tcprewrite --infile=dump.pcap --outfile=temp1.pcap --dstipmap=0.0.0.0/0:192.168.1.20 --enet-dmac=E0:DB:55:CC:13:F1

2. Rewrite any source IP address and MAC address in traffic dump to 192.168.1.10 and 84:A5:C8:BB:58:1A, respectively:

$ tcprewrite --infile=temp1.pcap --outfile=temp2.pcap --srcipmap=0.0.0.0/0:192.168.1.10 --enet-smac=84:A5:C8:BB:58:1A

3. Update the checksum of every packet:

$ tcprewrite --infile=temp2.pcap --outfile=final.pcap --fixcsum

After you are done with packet rewriting, you can go ahead and replay the finalized packet dump as follows.

$ sudo tcpreplay --intf1=eth0 final.pcap

Customize Traffic Replay Settings

The tcpreplay command offers various options to customize replay settings (e.g., speed, duration, performance).

To loop through a pcap file 100 times:

$ sudo tcpreplay --loop=100 --intf1=eth0 final.pcap

To cache a pcap file in RAM after the first time, so that subsequent loops do not incur disk I/O latency:

$ sudo tcpreplay --loop=100 --enable-file-cache --intf1=eth0 final.pcap

To replay traffic five times as fast as the original traffic was captured

$ sudo tcpreplay --multiplier=5.0 --intf1=eth0 final.pcap

To replay traffic at a rate of 10Mbps:

$ sudo tcpreplay --mbps=10.0 --intf1=eth0 final.pcap

To replay traffic at 100 packets per second:

$ sudo tcpreplay --pps=100 --intf1=eth0 final.pcap

To replay traffic in infinite loops or until CTRL-C is pressed:

$ sudo tcpreplay --loop=0 --intf1=eth0 final.pcap

Replay traffic as quickly as possible:

$ sudo tcpreplay --topspeed --intf1=eth0 final.pcap

Subscribe to Xmodulo

Do you want to receive Linux FAQs, detailed tutorials and tips published at Xmodulo? Enter your email address below, and we will deliver our Linux posts straight to your email box, for free. Delivery powered by Google Feedburner.

The following two tabs change content below.
Dan Nanni is the founder and also a regular contributor of Xmodulo.com. He is a Linux/FOSS enthusiast who loves to get his hands dirty with his Linux box. He likes to procrastinate when he is supposed to be busy and productive. When he is otherwise free, he likes to watch movies and shop for the coolest gadgets.
Your name can also be listed here. Write for us as a freelancer.

4 thoughts on “How to capture and replay network traffic on Linux

  1. The tcprewrite solves the problem of catching the traffic from other host and replay to a different one?

    Isn't any problem with layer 2? Like MAC?

    Thanks!

    • Sure you can capture traffic from one host, and replay it on another host, as long as you rewrite the packet header fields in the traffic beforehand, using tcprewrite. You can rewrite src/dst IP address, MAC address, port, etc. It will also automatically recalculate checksums.

      • And how the rewrite works?

        ALL the destinations will be changed?
        Because I have many destinations, like internet access.

  2. Hi

    How can I replay a pcap file inside the PPTP vpn tunnel which was captured on Ethernet interface? I have tried but got some incompatibilities regarding MTU.
    Thanks

Leave a comment

Your email address will not be published. Required fields are marked *

Current ye@r *