How to capture and replay network traffic on Linux

When you are testing or debugging middlebox hardware such as routers, switches, or IDS/IPS, it is extremely useful to perform the testing with reproducible network traffic. Repeatable traffic removes a source of uncertainty from the testing environment, which makes test results easier to interpret and analyze.

In Linux, there is a suite of command-line utilities called tcpreplay which can replay captured network traffic.

In this tutorial, I will show you how to capture live network traffic and then replay the captured traffic elsewhere by using tcpreplay.

Capture Live Network Traffic

First, install tcpreplay and tcpdump on Linux. To install tcpreplay, follow the instructions here.

The next step is to capture live network traffic and dump it to a pcap file. To do so, run the tcpdump command as follows. I assume that eth0 is the sniffing interface and that it is set to promiscuous mode.

$ sudo tcpdump -w dump.pcap -i eth0

Rewrite Packets in Traffic Dump

Next, rewrite the packets captured in the pcap file so that they can be replayed between any two arbitrary hosts (different from the original traffic source and sink). Run the following series of commands to perform the rewriting.

1. Rewrite every destination IP address and MAC address in the traffic dump to 192.168.1.20 and E0:DB:55:CC:13:F1, respectively:

$ tcprewrite --infile=dump.pcap --outfile=temp1.pcap --dstipmap=0.0.0.0/0:192.168.1.20 --enet-dmac=E0:DB:55:CC:13:F1

2. Rewrite every source IP address and MAC address in the traffic dump to 192.168.1.10 and 84:A5:C8:BB:58:1A, respectively:

$ tcprewrite --infile=temp1.pcap --outfile=temp2.pcap --srcipmap=0.0.0.0/0:192.168.1.10 --enet-smac=84:A5:C8:BB:58:1A

3. Update the checksum of every packet:

$ tcprewrite --infile=temp2.pcap --outfile=final.pcap --fixcsum

After you are done with packet rewriting, you can go ahead and replay the finalized packet dump as follows.

$ sudo tcpreplay --intf1=eth0 final.pcap
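To make clear what the three tcprewrite steps above actually change inside each packet, here is an added example (my own code, not part of the original tutorial or of the tcpreplay project) that performs the same source/destination IP mapping, MAC rewrite and checksum fix on a pcap file in pure Python. It assumes Ethernet/IPv4 frames in a classic microsecond-resolution pcap; the input pcap is constructed inline rather than captured.

```python
import socket
import struct

def csum16(data: bytes) -> int:
    # RFC 1071 one's-complement sum, shared by the IPv4, TCP and UDP checksums
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def rewrite_frame(frame: bytes, src_ip: str, dst_ip: str, src_mac: str, dst_mac: str) -> bytes:
    # One Ethernet/IPv4 frame through the three steps: IP maps, MAC rewrite, checksum fix
    if frame[12:14] != b"\x08\x00":
        return frame  # non-IPv4 frames (ARP, IPv6) pass through untouched
    ihl, tot = (frame[14] & 0x0F) * 4, struct.unpack("!H", frame[16:18])[0]
    ip = bytearray(frame[14:14 + ihl])
    ip[12:16], ip[16:20] = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", csum16(bytes(ip)))
    l4 = bytearray(frame[14 + ihl:14 + tot])
    coff = {6: 16, 17: 6}.get(ip[9])  # TCP/UDP checksum offset; both cover the IPs via the pseudo-header
    if coff is not None and len(l4) >= coff + 2:
        l4[coff:coff + 2] = b"\x00\x00"
        pseudo = bytes(ip[12:20]) + struct.pack("!BBH", 0, ip[9], len(l4))
        l4[coff:coff + 2] = struct.pack("!H", csum16(pseudo + bytes(l4)) or 0xFFFF)  # UDP: 0 means "none"
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    return eth + frame[12:14] + bytes(ip) + bytes(l4) + frame[14 + tot:]

def rewrite_pcap(pcap: bytes, **hosts) -> bytes:
    # Walk a classic (microsecond) pcap record by record; the 24-byte global header is copied as-is
    end = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"  # magic 0xa1b2c3d4 in file byte order
    out, off = bytearray(pcap[:24]), 24
    while off < len(pcap):
        sec, usec, incl, orig = struct.unpack(end + "IIII", pcap[off:off + 16])
        frame = rewrite_frame(pcap[off + 16:off + 16 + incl], **hosts)
        out += struct.pack(end + "IIII", sec, usec, len(frame), orig) + frame
        off += 16 + incl
    return bytes(out)

def sample_pcap() -> bytes:
    # Constructed input (not a real capture): one UDP/IPv4 frame 10.0.0.1 -> 10.0.0.2, checksums left at 0
    udp = struct.pack("!HHHH", 40000, 53, 13, 0) + b"hello"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                     socket.inet_aton("10.0.0.1"), socket.inet_aton("10.0.0.2"))
    frame = bytes.fromhex("0011223344550a0b0c0d0e0f0800") + ip + udp
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    return hdr + struct.pack("<IIII", 1700000000, 0, len(frame), len(frame)) + frame
```

Calling rewrite_pcap(sample_pcap(), src_ip="192.168.1.10", dst_ip="192.168.1.20", src_mac="84:A5:C8:BB:58:1A", dst_mac="E0:DB:55:CC:13:F1") and writing the result to final.pcap yields a file that tcpreplay can inject exactly as in the command above.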

Customize Traffic Replay Settings

The tcpreplay command offers various options to customize replay settings (e.g., speed, duration, performance).

To loop through a pcap file 100 times:

$ sudo tcpreplay --loop=100 --intf1=eth0 final.pcap

To cache a pcap file in RAM after the first time, so that subsequent loops do not incur disk I/O latency:

$ sudo tcpreplay --loop=100 --enable-file-cache --intf1=eth0 final.pcap

To replay traffic five times as fast as the original traffic was captured:

$ sudo tcpreplay --multiplier=5.0 --intf1=eth0 final.pcap

To replay traffic at a rate of 10 Mbps:

$ sudo tcpreplay --mbps=10.0 --intf1=eth0 final.pcap

To replay traffic at 100 packets per second:

$ sudo tcpreplay --pps=100 --intf1=eth0 final.pcap

To replay traffic in infinite loops or until CTRL-C is pressed:

$ sudo tcpreplay --loop=0 --intf1=eth0 final.pcap

To replay traffic as quickly as possible:

$ sudo tcpreplay --topspeed --intf1=eth0 final.pcap

Summary

In this tutorial, I demonstrated how to modify packet traces in a systematic way using tcprewrite, and inject them onto the network with tcpreplay. Combined with other pcap manipulation tools, they give you an effective means of doing various kinds of network testing and troubleshooting in a more controlled environment.

Dan Nanni is the founder and also a regular contributor of Xmodulo.com. He is a Linux/FOSS enthusiast who loves to get his hands dirty with his Linux box. He likes to procrastinate when he is supposed to be busy and productive. When he is otherwise free, he likes to watch movies and shop for the coolest gadgets.

8 thoughts on “How to capture and replay network traffic on Linux”

  1. Does tcprewrite solve the problem of catching the traffic from another host and replaying it to a different one?

    Isn't there any problem with layer 2? Like MAC?

    Thanks!

    • Sure you can capture traffic from one host, and replay it on another host, as long as you rewrite the packet header fields in the traffic beforehand, using tcprewrite. You can rewrite src/dst IP address, MAC address, port, etc. It will also automatically recalculate checksums.

      • And how does the rewrite work?

        ALL the destinations will be changed?
        Because I have many destinations, like internet access.

        • You can use CIDR expressions to choose which hosts get translated and which not.

          To change all destinations:
          --dstipmap=0.0.0.0/0:192.168.1.20

          To change a specific destination:
          --dstipmap=10.10.10.1:192.168.1.20

  2. Hi

    How can I replay a pcap file inside the PPTP vpn tunnel which was captured on Ethernet interface? I have tried but got some incompatibilities regarding MTU.
    Thanks

    • That's because the available MTU is smaller than that of the packets you are injecting. You have a few options to deal with the MTU issue:

      Truncate packets to a custom MTU size (e.g. 1000 bytes):
      $ tcprewrite --mtu=1000 --mtu-trunc --infile=input.pcap --outfile=output.pcap

      Alternatively, use IP fragmentation to break up each large packet into smaller ones. As of v3.3.0 you can use fragroute to segment IP packets into smaller ones to fit into available MTU. If you want to do this, create frag.cfg with the contents
      ip_frag 1000
      and run tcprewrite as follows:

      $ tcprewrite --fragroute=frag.cfg --infile=input.pcap --outfile=output.pcap

  3. How do I do something like this: tcpreplay test.pcap -ip=172.16.1.15 -port:3333? Where I want to send the pcaps from one host (say 172.16.1.10) to a remote host (172.16.1.15) where a process is listening on port 3333?
