tcpreplay − replay packets back out onto the network from pcap files |
tcpreplay −i intf [ options ] [ <file1> <file2> ... | − ] |
tcpreplay is a tool for replaying network traffic from files saved with tcpdump or other tools which write pcap(3) files. The basic operation of tcpreplay is to resend all packets from the input file(s) at the speed at which they were recorded, or a specified data rate, up to as fast as the hardware is capable. Optionally, the traffic can be split between two interfaces, written to files, filtered and edited in various ways, providing the means to test firewalls, NIDS and other network devices. |
−A or tcpdump_args |
When enabling verbose mode (−v) you may also
specify one or more additional arguments to pass to
tcpdump to modify the way packets are decoded. By
default, −n and −l are used. Be sure to quote
the arguments like: −A "−axxx" so that
they are not interpreted by tcpreplay. The following
arguments are valid: |
−c or cachefile
Specify the tcpprep cache to use to process packets. |
−C or cidr |
Given a list of CIDR networks, packets with a source address matching an entry in the list are sent out the primary interface. All other packets are sent via the secondary interface. CIDR lists are comma−separated and do not contain spaces; for example, 192.168.0.0/28,10.0.0.0/16 and 10.1.1.0/29. Overrides the −c option. |
−D or datadump_mode |
When used in conjunction with −w and −W, rather than dumping the entire packets to the files, only the layer 7 data is dumped. |
−e or endpoints |
Specifies a pair of IP addresses separated by a colon, which are then used to rewrite all IP traffic to appear to be between the two IPs. |
−f |
Specify a file that contains configuration options. Option tokens are listed next to the corresponding command−line flag. |
−F or fixchecksums |
Fixes IP and TCP/UDP checksums in packets. Auto−forced with −s, −u, −T, −N or −4. |
−h |
Prints help/usage |
−i or intf |
Specify the primary interface on which to send packets. |
−I or primary_mac |
Specify the destination MAC to use for packets being sent out the primary interface. |
−j or second_intf |
Specify the secondary interface on which to send packets. |
−J or second_mac |
Specify the destination MAC to use for packets being sent out the secondary interface. |
−k or primary_smac |
Specify the source MAC to use for packets being sent out the primary interface. |
−K or second_smac |
Specify the source MAC to use for packets being sent out the secondary interface. |
−l or loop |
Resend the capture file(s) loop count times. Setting this to 0 (zero) will cause tcpreplay to loop infinitely. |
−L or limit_send |
Causes tcpreplay to exit after sending the specified number of packets. |
−m or multiplier |
Resend the packets at a multiple of the speed at which they were recorded, specified as a floating−point number. |
−M or no_martians |
Disable sending martian packets (source networks: 0/8, 127/8, 255/8). |
−n or not_nosy |
Don’t listen in promiscuous mode when sniffing with −S |
−N or nat |
Specify the NAT translation table(s), where a table is one
or more pairs of CIDRs separated by a colon and each
pair is separated by a comma: |
−o or offset |
Jump to packet at the nearest specified byte offset and start replaying packets from there. |
−O or one_output |
Processes packets internally for dual interfaces/files for purposes of NAT and MAC rewriting, but only write packets to a single interface or file. |
−p or packetrate |
Specify the replay rate in packets per second. Negates all other speed options. |
−P |
Print the PID of the tcpreplay process at startup. Useful when wanting to use SIGUSR1 and SIGCONT to pause/restart. |
−r or rate |
Resend the packets at rate megabits per−second, specified as a floating−point number. |
−R or topspeed |
Resend the packets as fast as possible. Negates all other speed options. |
−s or seed |
Specify a seed value to allow rewriting the source and destination IP addresses (only in IP header) to pseudo−random values. Will also recalculate the IP header as necessary. |
−S or sniff_snaplen |
Instead of reading from a saved tcpdump file, perform live capture. The argument is the number of bytes to capture off the wire. The name of the capture interface will be the nominal filename. Please read the FAQ for more details/warnings about this feature. |
−t or mtu |
Specify the MTU in bytes of the interface(s) being used. Default is 1500 which is standard for 10/100 Ethernet. |
−T or truncate |
If a packet is larger than the MTU of the interface, the frame will be truncated so that it can be sent. Without this, these frames are skipped. Not to be confused with −u, which pads/truncates packets which are larger than the snaplen used to capture the packet. |
−u or untruncate |
When a packet is truncated in the capture file because the snaplen was too small, this option will pad the end of the packet with zeros, or truncate (trunc) it by re−adjusting the length in the IP header. The trunc option will only alter IPv4 packets, all others will be sent unmodified. |
−v or verbose |
Verbose mode, dump decoded packets via tcpdump to STDOUT. |
−V |
Print version info and exit. |
−w or write |
Specify the output file to write the primary packets to instead of the network. You still must specify the primary interface via −i. If −D is set before it, it will write only the layer 7 data. |
−W or secondary_write |
Specify the output file to write the secondary packets to instead of the network. You still must specify the secondary interface via −j. If −D is set before it, it will write only the layer 7 data. |
−x or include |
Specifies which packets from the capture file(s) to send. Can be one of: |
S:<CIDR1>,... Src IP must match specified CIDR(s) |
D:<CIDR1>,... Dst IP must match specified CIDR(s) |
B:<CIDR1>,... Both src and dst addresses must match |
E:<CIDR1>,... Either src or dst address must match |
P:<list> Must be one of the listed packets where the list corresponds to the packet number in the capture file. Ex: −x P:1−5,9,15 would only send packets 1 through 5, 9 and 15. |
F:"<filter>" BPF filter. See the tcpdump(1) man page for syntax. |
−X or exclude |
Specifies which packets from the capture file(s) to NOT send. Can be one of: |
S:<CIDR1>,... Src IP must match specified CIDR(s) |
D:<CIDR1>,... Dst IP must match specified CIDR(s) |
B:<CIDR1>,... Both src and dst addresses must match |
E:<CIDR1>,... Either src or dst address must match |
P:<list> Must be one of the listed packets where the list corresponds to the packet number in the capture file. Ex: −X P:1−5,9,15 would send all packets except 1 through 5, 9 and 15. |
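The −x/−X selection rules above, modelled as an added Python example (not tcpreplay's own code), so the set of packet numbers a rule would put on the wire can be previewed before replaying against a test device. The names `parse_rule`, `matches` and `select` and the sample addresses are constructed for illustration; it assumes a CIDR list matches when any entry matches, and it does not implement F: BPF filters.

```python
import ipaddress

def parse_rule(spec):
    """Parse 'S:<cidr>,...', 'D:', 'B:', 'E:' or 'P:<list>' into (mode, data)."""
    mode, sep, body = spec.partition(":")
    if not sep or not body:
        raise ValueError(f"malformed rule: {spec!r}")
    if mode in ("S", "D", "B", "E"):
        return mode, [ipaddress.ip_network(c, strict=False) for c in body.split(",")]
    if mode == "P":
        numbers = set()
        # Accept a typographic minus pasted from a rendered man page.
        for part in body.replace("\u2212", "-").split(","):
            lo, _, hi = part.partition("-")
            numbers.update(range(int(lo), int(hi or lo) + 1))
        return mode, numbers
    raise ValueError(f"unsupported rule type {mode!r} (F: needs a BPF engine)")

def matches(rule, number, src, dst):
    """True if packet `number` with the given src/dst IPs satisfies the rule."""
    mode, data = rule
    if mode == "P":
        return number in data
    # Assumption: an address matches the list if any CIDR in it contains it.
    in_src = any(ipaddress.ip_address(src) in net for net in data)
    in_dst = any(ipaddress.ip_address(dst) in net for net in data)
    return {"S": in_src, "D": in_dst,
            "B": in_src and in_dst, "E": in_src or in_dst}[mode]

def select(packets, spec, exclude=False):
    """Packet numbers (1-based) that would be sent; exclude=True models -X."""
    rule = parse_rule(spec)
    return [n for n, (src, dst) in enumerate(packets, start=1)
            if matches(rule, n, src, dst) != exclude]

# Constructed sample: (src, dst) of five packets, in capture order.
SAMPLE = [
    ("192.168.0.5", "10.1.1.2"),
    ("10.1.1.2", "192.168.0.5"),
    ("172.16.0.9", "192.168.0.5"),
    ("10.0.3.4", "10.1.1.1"),
    ("172.16.0.9", "198.51.100.7"),
]

if __name__ == "__main__":
    for spec in ("S:192.168.0.0/28", "E:192.168.0.0/28", "P:1-2,5"):
        print(spec, "include:", select(SAMPLE, spec),
              "exclude:", select(SAMPLE, spec, exclude=True))
```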
−1 or one_at_a_time |
Resend one packet at a time, once for each keypress. |
−2 or l2data |
Specifies a string of comma−separated numbers in hex to be used instead of the Layer 2 header in the packet. Useful for converting between 802.x types or adding a header when the pcap file doesn’t contain a header (as in the case of DLT_RAW). Currently this only supports the following pcap(3) types: DLT_EN10MB, DLT_LINUX_SLL, DLT_CHDLC and DLT_RAW. |
−4 or portmap |
Specify a port mapping, where the mapping looks like: |
Tcpreplay understands the following signals: |
SIGUSR1 |
Suspend tcpreplay. |
SIGCONT |
Restart tcpreplay after it has been suspended. |
tcpdump(1), tcpprep(1), capinfo(1), editcap(1) |
Aaron Turner <aturner@pobox.com> |
The current version is available via HTTP: |
http://www.sourceforge.net/projects/tcpreplay/ |
Please see the tcpreplay FAQ for a list of limitations and any possible work−arounds: http://tcpreplay.sourceforge.net/ |