Tuesday, 4 March 2014


tcpreplay - Replay network traffic stored in pcap files
SYNOPSIS
      tcpreplay [-flag [value]]... [--opt-name [[=| ]value]]...
              <pcap_file(s)>
      tcpreplay is a tool for replaying network traffic from files saved with tcpdump or other tools which write pcap(3) files.

DESCRIPTION
      The basic operation of tcpreplay is to resend all packets from the input file(s) at the speed at which they were recorded, or at a specified data rate, up to as fast as the hardware is capable.
      Optionally, the traffic can be split between two interfaces, written to files, filtered and edited in various ways, providing the means to test firewalls, NIDS and other network devices.
    tcpreplay is stateless: it cannot update TCP sequence and acknowledgement numbers, so it does not support replaying network traffic to a server. To achieve that we have to turn to flowreplay.
    If you want to send traffic out of two interfaces, tcpreplay needs to be told which packets should go out of which interface using a tcpprep cache file.
    tcpreplay comes in two variants: 1. tcpreplay 2. tcpreplay-edit (which includes the packet editing functionality of tcprewrite).

*****************************************************************************************
tcprewrite - Rewrite the packets in a pcap file.
SYNOPSIS
      tcprewrite [-flag [value]]... [--opt-name [[=| ]value]]...
      All arguments must be options.

DESCRIPTION
      Tcprewrite is a tool to rewrite packets stored in pcap(3) file format, such as those created by tools such as tcpdump(1) and ethereal(1).
      Once a pcap file has had its packets rewritten, they can be replayed back out on the network using tcpreplay(1).
*****************************************************************************************
Using tcpreplay

Step 1:
    Use tcpdump or libpcap to capture the packets and store them in a file.
    The following command captures 25 packets on interface eth2:
    sudo tcpdump -c 25 -w 04032014.pcap -i eth2

Step 2:
    Using tcpreplay, replay the network traffic.
    The following command replays the captured traffic.
    Here eth2 is the interface to send the traffic out of:
    sudo tcpreplay --intf1=eth2 04032014.pcap

OUTPUT OF tcpreplay

sending out eth2
processing file: 04032014.pcap

Actual: 25 packets (1302 bytes) sent in 4.81 seconds
Rated: 270.7 bps, 0.00 Mbps, 5.20 pps
Statistics for network device: eth2
   Attempted packets:         25
   Successful packets:        25
   Failed packets:            0
   Retried packets (ENOBUFS): 0
   Retried packets (EAGAIN):  0


Using tcprewrite with tcpreplay

Step 1:
    Use tcpdump or libpcap to capture the packets and store them in a file.
    The following command captures 25 packets on interface eth2:
    sudo tcpdump -c 25 -w 04032014.pcap -i eth2

Step 2:
    Use tcprewrite to edit the captured packets.
    The following command rewrites every source IP address and source MAC address in the traffic dump to 192.168.1.123 and 84:A5:C8:BB:58:1A, respectively (the 0.0.0.0/0 map matches every IPv4 source address):

    tcprewrite --infile=04032014.pcap --outfile=04032014_rewritten.pcap --srcipmap=0.0.0.0/0:192.168.1.123 --enet-smac=84:A5:C8:BB:58:1A

Step 3:
    Using tcpreplay, replay the rewritten network traffic.
    The following command replays the rewritten traffic.
    Here eth2 is the interface to send the traffic out of:
    sudo tcpreplay --intf1=eth2 04032014_rewritten.pcap

Step 4:
    Look at the replayed traffic in Wireshark.
    Apply the display filter expression ip.src == 192.168.1.123
    You will see only the replayed packets, all of which now carry the source IP address 192.168.1.123.
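The following Python script is an added example (not part of the original post and not tcprewrite's own code) that shows at the byte level what Step 2 and Step 4 do: it rewrites the source MAC and source IPv4 address of each frame the way --srcipmap=0.0.0.0/0:192.168.1.123 --enet-smac=84:A5:C8:BB:58:1A does, recomputes the IPv4 header checksum so Wireshark does not flag the rewritten packets as corrupt, and applies the same test as the ip.src == 192.168.1.123 display filter. It constructs its own sample frame, so it runs without tcpdump or a network interface; the addresses in the sample frame and the output file name are constructed placeholders.

```python
import socket
import struct

def ip_checksum(hdr: bytes) -> int:
    """Ones-complement sum over an IPv4 header; returns 0 when the stored checksum is valid."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_frame(src_ip, dst_ip, src_mac, dst_mac, payload=b"hello"):
    """Constructed sample: Ethernet/IPv4/UDP frame, UDP checksum left at 0 (disabled)."""
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    return eth + ip + udp

def rewrite_src(frame: bytes, new_ip: str, new_mac: str) -> bytes:
    """Effect of --srcipmap=0.0.0.0/0:new_ip --enet-smac=new_mac on one IPv4 frame."""
    if frame[12:14] != b"\x08\x00":
        return frame                      # not IPv4: the /0 map does not apply
    eth = frame[:6] + bytes.fromhex(new_mac.replace(":", "")) + frame[12:14]
    ihl = (frame[14] & 0x0F) * 4
    ip = bytearray(frame[14:14 + ihl])
    ip[12:16] = socket.inet_aton(new_ip)  # IPv4 source address field
    ip[10:12] = b"\x00\x00"               # zero, then recompute the header checksum
    ip[10:12] = struct.pack("!H", ip_checksum(bytes(ip)))
    return eth + bytes(ip) + frame[14 + ihl:]

def count_src(frames, ip: str) -> int:
    """Same test as the Wireshark display filter ip.src == <ip>."""
    return sum(1 for f in frames
               if f[12:14] == b"\x08\x00" and socket.inet_ntoa(f[26:30]) == ip)

def write_pcap(path: str, frames) -> None:
    """Write frames as a classic pcap (LINKTYPE_ETHERNET) that Wireshark or tcpreplay can open."""
    with open(path, "wb") as fh:
        fh.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for i, f in enumerate(frames):
            fh.write(struct.pack("<IIII", 1393891200 + i, 0, len(f), len(f)) + f)

if __name__ == "__main__":
    captured = [build_frame("10.0.0.5", "10.0.0.9", "00:11:22:33:44:55", "66:77:88:99:aa:bb")]
    rewritten = [rewrite_src(f, "192.168.1.123", "84:A5:C8:BB:58:1A") for f in captured]
    write_pcap("04032014_rewritten_sample.pcap", rewritten)  # constructed file name
    print(count_src(captured, "192.168.1.123"), count_src(rewritten, "192.168.1.123"))
```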