TCPREPLAY

NAME

tcpreplay − replay packets back out onto the network from pcap files

SYNTAX

tcpreplay −i intf [ options ] [ <file1> <file2> ... | − ]

DESCRIPTION

tcpreplay is a tool for replaying network traffic from files saved with tcpdump or other tools which write pcap(3) files.

The basic operation of tcpreplay is to resend all packets from the input file(s) at the speed at which they were recorded, or a specified data rate, up to as fast as the hardware is capable.

Optionally, the traffic can be split between two interfaces, written to files, filtered and edited in various ways, providing the means to test firewalls, NIDS and other network devices.

OPTIONS

−A or tcpdump_args

When enabling verbose mode (−v) you may also specify one or more additional arguments to pass to tcpdump to modify the way packets are decoded. By default, −n and −l are used. Be sure to quote the arguments like: −A "−axxx" so that they are not interpreted by tcpreplay. The following arguments are valid:
[ −aAeNqRStuvxX ]
[ −E spi@ipaddr algo:secret,...]
[ −s snaplen ]

−c or cachefile

Specify the tcpprep cache to use to process packets.

−C or cidr

Given a list of CIDR networks, packets with a source address matching an entry in the list are sent out the primary interface. All other packets are sent via the secondary interface. CIDR lists are comma−separated and do not contain spaces, 192.168.0.0/28,10.0.0.0/16 and 10.1.1.0/29, for example. Overrides the −c option.

−D or datadump_mode

When used in conjunction with −w and −W, rather than dumping the entire packets to the files, only the layer 7 data is dumped.

−e or endpoints

Specifies a pair of IP addresses separated by a colon, which are then used to rewrite all IP traffic to appear to be between the two IPs.

−f

Specify a file that contains configuration options. Option tokens are listed next to the corresponding command−line flag.

−F or fixchecksums

Fixes IP and TCP/UDP checksums in packets. Auto−forced with −s, −u, −T, −N or −4.

−h

Prints help/usage

−i or intf

Specify the primary interface in which to send packets.

−I or primary_mac

Specify the destination MAC to use for packets being sent out the primary interface.

−j or second_intf

Specify the secondary interface in which to send packets.

−J or second_mac

Specify the destination MAC to use for packets being sent out the secondary interface.

−k or primary_smac

Specify the source MAC to use for packets being sent out the primary interface.

−K or second_smac

Specify the source MAC to use for packets being sent out the secondary interface.

−l or loop

Resend the capture file(s) loop count times. Setting this to 0 (zero) will cause tcpreplay to loop infinitely.

−L or limit_send

Causes tcpreplay to exit after sending the specified number of packets.

−m or multiplier

Resend the packets at a multiple of the speed at which they were recorded, specified as a floating−point number.

−M or no_martians

Disable sending martian packets (source networks: 0/8, 127/8, 255/8)

−n or not_nosy

Don’t listen in promiscuous mode when sniffing with −S

−N or nat

Specify the NAT translation table(s), where a table is one or more pairs of CIDRs separated by a colon and each pair is separated by a comma:
<FROMCIDR1>:<TOCIDR1>,<FROMCIDR2>:<TOCIDR2>
The first instance of this argument is used for the primary interface while the second instance is used for the secondary interface. If no second instance of this argument exists, then the NAT table is used for both.

−o or offset

Jump to packet at the nearest specified byte offset and start replaying packets from there.

−O or one_output

Processes packets internally for dual interfaces/files for purposes of NAT and MAC rewriting, but only write packets to a single interface or file.

−p or packetrate

Specify the replay rate in packets per second. Negates all other speed options.

−P

Print the PID of the tcpreplay process at startup. Useful when wanting to use SIGUSR1 and SIGCONT to pause/restart.

−r or rate

Resend the packets at rate megabits per−second, specified as a floating−point number.

−R or topspeed

Resend the packets as fast as possible. Negates all other speed options.

−s or seed

Specify a seed value to allow rewriting the source and destination IP addresses (only in IP header) to pseudo−random values. Will also recalculate the IP header as necessary.

−S or sniff_snaplen

Instead of reading from a saved tcpdump file, perform live capture. The argument is the number of bytes to capture off the wire. The name of the capture interface will be the nominal filename. Please read the FAQ for more details/warnings about this feature.

−t or mtu

Specify the MTU in bytes of the interface(s) being used. Default is 1500 which is standard for 10/100 Ethernet.

−T or truncate

If a packet is larger than the MTU of the interface, the frame will be truncated so that it can be sent. Without this, these frames are skipped. Not to be confused with −u, which pads/truncates packets which are larger than the snaplen used to capture the packet.

−u or untruncate

When a packet is truncated in the capture file because the snaplen was too small, this option will pad the end of the packet with zeros, or truncate (trunc) it by re−adjusting the length in the IP header. The trunc option will only alter IPv4 packets, all others will be sent unmodified.

−v or verbose

Verbose mode, dump decoded packets via tcpdump to STDOUT.

−V

Print version info and exit.

−w or write

Specify the output file to write the primary packets to instead of the network. You still must specify the primary interface via −i. If −D is set before it, it will write only the layer 7 data.

−W or secondary_write

Specify the output file to write the secondary packets to instead of the network. You still must specify the secondary interface via −j. If −D is set before it, it will write only the layer 7 data.

−x or include

Specifies which packets from the capture file(s) to send. Can be one of:

S:<CIDR1>,... Src IP must match specified CIDR(s)

D:<CIDR1>,... Dst IP must match specified CIDR(s)

B:<CIDR1>,... Both src and dst addresses must match

E:<CIDR1>,... Either src or dst address must match

P:<list> Must be one of the listed packets where the list corresponds to the packet number in the capture file. Ex: −x P:1−5,9,15 would only send packets 1 through 5, 9 and 15.

F:"<filter>" BPF filter. See the tcpdump(1) man page for syntax.

−X or exclude

Specifies which packets from the capture file(s) to NOT send. Can be one of:

S:<CIDR1>,... Src IP must match specified CIDR(s)

D:<CIDR1>,... Dst IP must match specified CIDR(s)

B:<CIDR1>,... Both src and dst addresses must match

E:<CIDR1>,... Either src or dst address must match

P:<list> Must be one of the listed packets where the list corresponds to the packet number in the capture file. Ex: −X P:1−5,9,15 would send all packets except 1 through 5, 9 and 15.
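
The S, D, B, E and P selectors of −x and −X, modelled as an added example (not tcpreplay's own code). The names parse_selector, matches, select and PACKETS are hypothetical; it assumes ASCII hyphens in ranges, 1-based packet numbers, and that with several CIDRs an address matches if it falls in any one of them. The F: (BPF) form is not modelled.

```python
import ipaddress

def parse_selector(spec):
    """Parse 'S:10.0.0.0/8,...' or 'P:1-5,9,15' into (mode, values)."""
    mode, _, body = spec.partition(":")
    if mode not in ("S", "D", "B", "E", "P") or not body:
        raise ValueError(f"unsupported selector: {spec!r}")
    if mode == "P":
        numbers = set()
        for part in body.split(","):
            lo, _, hi = part.partition("-")
            numbers.update(range(int(lo), int(hi or lo) + 1))
        return mode, numbers
    # The man page requires comma-separated CIDRs with no spaces.
    return mode, [ipaddress.ip_network(c, strict=False) for c in body.split(",")]

def matches(selector, pkt_number, src, dst):
    """True if the packet satisfies the selector."""
    mode, values = selector
    if mode == "P":
        return pkt_number in values
    src_hit = any(ipaddress.ip_address(src) in net for net in values)
    dst_hit = any(ipaddress.ip_address(dst) in net for net in values)
    return {"S": src_hit, "D": dst_hit,
            "B": src_hit and dst_hit, "E": src_hit or dst_hit}[mode]

def select(packets, spec, exclude=False):
    """Packet numbers that would be sent: -x keeps matches, -X drops them."""
    selector = parse_selector(spec)
    return [n for n, (src, dst) in enumerate(packets, start=1)
            if matches(selector, n, src, dst) != exclude]

# Constructed sample capture: (source IP, destination IP) per packet.
PACKETS = [
    ("10.0.0.5", "192.168.1.10"),    # packet 1
    ("192.168.1.10", "10.0.0.5"),    # packet 2
    ("10.0.0.5", "10.0.0.9"),        # packet 3
    ("172.16.0.1", "192.168.1.10"),  # packet 4
    ("172.16.0.1", "8.8.8.8"),       # packet 5
]
```

Running select() with the same selector and exclude=True gives the complement, which is a quick way to confirm that a −x/−X pair splits a capture cleanly before replaying it at a firewall or NIDS.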

−1 or one_at_a_time

Resend one packet at a time, once for each keypress.

−2 or l2data

Specifies a string of comma separated numbers in hex to be used instead of the Layer 2 header in the packet. Useful for converting between 802.x types or adding a header when the pcap file doesn’t contain a header (as in the case of DLT_RAW). Currently this only supports the following pcap(3) types: DLT_EN10MB, DLT_LINUX_SLL, DLT_CHDLC and DLT_RAW.

−4 or portmap

Specify a port mapping, where the mapping looks like:
<FROMPORT1>:<TOPORT1>,<FROMPORT2>:<TOPORT2>
For example, if this mapping was specified:
80:8080
then any packets with a source or destination port of 80 would be changed to 8080. This option can be specified multiple times to specify multiple mappings. Mappings are not transitive: each source or destination port is mapped only once.
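
Why −4 forces −F, and what "not transitive" means in practice, as an added example (not tcpreplay's own code): the ports are part of the data covered by the UDP checksum, so rewriting them without recomputing it leaves a packet that receivers and sensors will reject. All function names are hypothetical, the packet is constructed, and only IPv4/UDP is handled.

```python
import struct

def parse_portmap(spec):
    """Parse '<FROM>:<TO>,<FROM>:<TO>' into a dict (ASCII separators assumed)."""
    table = {}
    for pair in spec.split(","):
        src, dst = (int(p) for p in pair.split(":"))
        table[src] = dst
    return table

def fold(data):
    """16-bit ones'-complement sum used by the IP/TCP/UDP checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def udp_sum(packet):
    """Sum over pseudo-header + UDP segment; 0xFFFF means the checksum is valid."""
    ihl = (packet[0] & 0x0F) * 4
    udp = packet[ihl:]
    pseudo = packet[12:20] + struct.pack("!BBH", 0, 17, len(udp))
    return fold(pseudo + udp)

def ports(packet):
    """Return (source port, destination port) of an IPv4/UDP packet."""
    return struct.unpack_from("!HH", packet, (packet[0] & 0x0F) * 4)

def remap_udp(packet, table):
    """Map each port once (no chaining), then recompute the UDP checksum."""
    ihl = (packet[0] & 0x0F) * 4
    out = bytearray(packet)
    sport, dport = ports(packet)
    struct.pack_into("!HH", out, ihl, table.get(sport, sport), table.get(dport, dport))
    struct.pack_into("!H", out, ihl + 6, 0)  # zero the field before summing
    struct.pack_into("!H", out, ihl + 6, (~udp_sum(bytes(out)) & 0xFFFF) or 0xFFFF)
    return bytes(out)

def sample_packet(sport, dport, payload=b"constructed"):
    """Constructed IPv4/UDP packet 10.0.0.1 -> 10.0.0.2 with a valid UDP checksum.
    The IP header checksum is left 0: ports are not part of the IP header."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return remap_udp(ip + udp, {})  # empty table: only fills in the checksum
```

With the mapping 80:8080,8080:9090, a packet from port 80 to port 8080 comes out as 8080 to 9090: each port is looked up once, so the rewritten source port is not mapped again to 9090.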

SIGNALS

Tcpreplay understands the following signals:

SIGUSR1

Suspend tcpreplay.

SIGCONT

Restart tcpreplay after it has been suspended.

SEE ALSO

tcpdump(1), tcpprep(1), capinfo(1), editcap(1)

AUTHORS

Aaron Turner <aturner@pobox.com>
Matt Undy, Anzen Computing.
Matt Bing <mbing@nfr.net>

AVAILABILITY

The current version is available via HTTP:

http://www.sourceforge.net/projects/tcpreplay/

LIMITATIONS

Please see the tcpreplay FAQ for a list of limitations and any possible work−arounds: http://tcpreplay.sourceforge.net/