How to capture and playback network traffic in Linux (using tcpreplay)

Useful for debugging and testing.

$ sudo apt-get install tcpreplay    (Debian/Ubuntu)
$ sudo yum install tcpreplay        (RHEL/CentOS, needs EPEL)
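# put the network interface in promiscuous mode, http://en.wikipedia.org/wiki/Promiscuous_mode
# (the alternatives listed on each line are separate commands, not a shell pipeline)
net-tools: $ ifconfig eth0 promisc (enable), $ ifconfig eth0 -promisc (disable)
iproute2: $ ip link set dev eth0 promisc on (enable), $ ip link set dev eth0 promisc off (disable), $ ip link show dev eth0 (check the current state)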

# set up promiscuous mode permanently on RHEL/CentOS (the ifcfg file must contain the PROMISC=yes line shown below)
$ cat /etc/sysconfig/network-scripts/ifcfg-eth0
  PROMISC=yes
$ systemctl restart network
(and in debian/ubuntu)
$ cat /etc/network/interfaces ... 
 auto eth0
 iface eth0 inet manual
 up ifconfig eth0 promisc up
 down ifconfig eth0 promisc down

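# capture live network traffic and dump it to a pcap file
# (the capture can contain payload data such as cleartext credentials, so restrict access to dump.pcap)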
$ sudo tcpdump -w dump.pcap -i eth0
# Rewrite any destination IP address and MAC address
$ tcprewrite --infile=dump.pcap --outfile=temp1.pcap --dstipmap=0.0.0.0/0:192.168.1.20 --enet-dmac=E0:DB:55:CC:13:F1

# Rewrite any source IP address and MAC address
$ tcprewrite --infile=temp1.pcap --outfile=temp2.pcap --srcipmap=0.0.0.0/0:192.168.1.10 --enet-smac=84:A5:C8:BB:58:1A

# Rewrite TCP/UDP ports (standalone example: it uses example.pcap/new.pcap, not the temp1 -> temp2 -> final chain)
$ tcprewrite --infile=example.pcap --outfile=new.pcap --portmap=80:8080

# Update the checksum of every packet so that it matches the rewritten headers
$ tcprewrite --infile=temp2.pcap --outfile=final.pcap --fixcsum

# Replay (this transmits the packets on the network attached to eth0, so use an isolated test segment)
$ sudo tcpreplay --intf1=eth0 final.pcap

# Replay looping 100 times
$ sudo tcpreplay --loop=100 --intf1=eth0 final.pcap

# Replay 5x faster than the original
$ sudo tcpreplay --multiplier=5.0 --intf1=eth0 final.pcap

# Replay at 10Mbps
$ sudo tcpreplay --mbps=10.0 --intf1=eth0 final.pcap

# Replay at 100 packets/sec
$ sudo tcpreplay --pps=100 --intf1=eth0 final.pcap

# Infinite replay (loops until interrupted)
$ sudo tcpreplay --loop=0 --intf1=eth0 final.pcap

from tcpreplay@xmodulo
