tcpreplay
Replay captured network traffic from a file
TLDR
List available network interfaces
Replay traffic to interface
Replay traffic to interface and stdout
Replay traffic to interface as fast as possible
Replay traffic to interface at given Mbps
Replay traffic to interface several times
SYNOPSIS
tcpreplay [options] <pcap_file(s)>
PARAMETERS
-i <interface>
Specifies the network interface to send the packets out of. For example, eth0 or enp0s3.
-c <cachefile>
Specifies a cache file generated by tcpprep, which contains flow and index information crucial for performance and accurate replay.
-t
Truncates packets during replay, ensuring they are no larger than the configured MTU of the output interface. This helps prevent fragmentation issues.
-l <loops>
Loops the replay of the pcap file(s) for a specified number of times. Use 0 for infinite looping.
-p <speed>
Sets the playback speed. Can be a factor (e.g., 1.0 for original, 0.5 for half, 10 for 10x), or a specific throughput like 100MBPS or 10KBITS.
--stats <interval>
Prints detailed statistics every specified number of seconds during the replay process, showing packets sent, bytes, and drops.
--srcip <ip_rewrite>
Rewrites the source IP addresses of packets. Can be a single IP, a range (e.g., 192.168.1.0/24), or a file containing a list of IPs.
--dstip <ip_rewrite>
Rewrites the destination IP addresses of packets, similar to --srcip.
-e <dst_mac>
Rewrites the destination MAC address of all packets to the specified address. Useful when targeting a specific device.
-E <src_mac>
Rewrites the source MAC address of all packets to the specified address.
DESCRIPTION
tcpreplay is a powerful utility within the tcpreplay suite designed to replay previously captured network traffic, stored in pcap files, onto a live network interface. It is an invaluable tool for network engineers, security professionals, and developers for a variety of tasks including network performance testing, simulating real-world network traffic for intrusion detection system (IDS) and firewall testing, and replicating network issues for troubleshooting. The command offers extensive control over the replay process, allowing users to adjust playback speed, loop traffic, and rewrite MAC and IP addresses to fit the target network environment. For optimal performance and accurate statistics, especially in high-throughput scenarios, tcpreplay often works in conjunction with tcpprep, which pre-processes the pcap files to create a cache for efficient packet injection.
CAVEATS
Using tcpreplay typically requires root privileges due to its need to send raw network packets. Performance can be heavily influenced by hardware capabilities, network interface drivers, and the complexity/size of the pcap files; packet drops may occur if the system cannot keep up with the desired replay speed. It is highly recommended to pre-process pcap files with tcpprep for optimal replay accuracy and performance, especially for large files or high-speed scenarios. MAC and IP address rewriting is a common requirement to match the target network environment, so proper configuration is crucial.
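The tasks listed under TLDR and the checks these caveats imply, as an added example (not from the original page or the tcpreplay project): a shell helper that builds each command line with tcpreplay's long option names and verifies the capture file, interface and privileges before anything is sent. The function names, the interface name eth0 and the /sys/class/net lookup (Linux only) are assumptions.

```shell
#!/bin/sh
# Added example, not tcpreplay project code. eth0 and the sample file are
# placeholders; checking /sys/class/net assumes Linux.

# pcap_kind FILE: print pcap, pcapng or unknown from the first 4 bytes.
pcap_kind() {
    magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
    case "$magic" in
        d4c3b2a1|a1b2c3d4|4d3cb2a1|a1b23c4d) echo pcap ;;
        0a0d0d0a) echo pcapng ;;
        *) echo unknown ;;
    esac
}

# replay_cmd MODE IFACE FILE [VALUE]: print the command for one TLDR task.
replay_cmd() {
    mode=$1 iface=$2 file=$3 value=${4:-}
    if [ "$mode" = list ]; then echo "tcpreplay --listnics"; return 0; fi
    if [ "$(pcap_kind "$file")" = unknown ]; then
        echo "not a capture file: $file" >&2; return 1
    fi
    case "$mode" in
        plain)    opts= ;;
        verbose)  opts="--verbose " ;;   # also prints decoded packets to stdout
        topspeed) opts="--topspeed " ;;
        mbps)     case "$value" in ''|.|*[!0-9.]*|*.*.*) return 1 ;; esac
                  opts="--mbps=$value " ;;
        loop)     case "$value" in ''|*[!0-9]*) return 1 ;; esac
                  opts="--loop=$value " ;;
        *)        echo "unknown mode: $mode" >&2; return 1 ;;
    esac
    echo "tcpreplay ${opts}--intf1=$iface $file"
}

# preflight IFACE FILE: check the caveats before any packet is sent.
preflight() {
    [ "$(pcap_kind "$2")" != unknown ] || { echo "bad capture: $2" >&2; return 1; }
    [ -e "/sys/class/net/$1" ] || { echo "no interface: $1" >&2; return 1; }
    [ "$(id -u)" -eq 0 ] || { echo "tcpreplay needs root" >&2; return 1; }
}

# Constructed sample: the 4-byte magic of a little-endian pcap file.
sample=$(mktemp)
printf '\324\303\262\241' > "$sample"
for m in plain verbose topspeed; do replay_cmd "$m" eth0 "$sample"; done
replay_cmd mbps eth0 "$sample" 10
replay_cmd loop eth0 "$sample" 3
rm -f "$sample"
```

Run preflight against the real interface and capture first, then execute the line replay_cmd prints on an isolated test segment.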
USE CASES AND APPLICATIONS
tcpreplay is widely used for:
1. IDS/Firewall Testing: Simulating real attacks or benign traffic to test security devices' detection and prevention capabilities.
2. Network Performance Benchmarking: Stress testing network devices and infrastructure with realistic traffic loads to assess their capacity and stability.
3. Troubleshooting and Reproduction: Recreating specific network conditions or problems captured in a pcap file to diagnose issues in a controlled environment.
4. Forensic Analysis: Replaying traffic to analyze network behavior or malicious activity in an isolated setup without affecting live systems.
PERFORMANCE OPTIMIZATION
For high-speed replay, consider:
1. Using a cache file generated by tcpprep with the -c option, which provides flow and index information for faster processing.
2. Employing specialized packet injection methods like netmap or PF_RING if your kernel and network card support them, as they bypass parts of the kernel's networking stack for higher throughput.
3. Ensuring the output network interface is capable of handling the desired speed without packet drops, and that the CPU has sufficient power to process the packets.
HISTORY
The tcpreplay suite, including tcpreplay itself, was originally developed by Aaron Turner in the early 2000s. It was designed to provide a robust and high-performance solution for network traffic replay, addressing needs in network security testing, performance benchmarking, and forensics. Over the years, it has evolved with features like cache files (via tcpprep) for efficient processing, support for various packet injection methods (e.g., netmap, PF_RING), and extensive packet rewriting capabilities, solidifying its role as a go-to tool for network traffic simulation.