1 General Info

1.1 What is this FAQ for?

Tcpreplay is a suite of powerful tools, but with that power comes complexity. While I have done my best to write good man pages for tcpreplay and its associated utilities, I understand that many people may want more information than I can provide in the man pages. Additionally, this FAQ attempts to cover material which I feel will be of use to people using tcpreplay, as well as common questions that occur on the Tcpreplay-Users <tcpreplay-users@lists.sourceforge.net> mailing list.

1.2 What tools come with tcpreplay?

1.3 What tools no longer come with Tcpreplay?

Recently, other people and projects have developed better versions of two applications that shipped with tcpreplay 2.x:

1.4 How can I get tcpreplay's source?

The source code is available in tarball format on the tcpreplay homepage: http://tcpreplay.sourceforge.net/. I also encourage users familiar with Subversion to try checking out the latest code, as it often has additional features and bugfixes not found in the tarballs:

svn checkout https://www.synfin.net/svn/tcpreplay/trunk tcpreplay

1.5 What requirements does tcpreplay have?

  1. You'll need recent versions of the libnet[2] and libpcap[3] libraries.
  2. To support the packet decoding feature you'll need tcpdump[4] installed.
  3. You'll also need a compatible operating system. Basically, any UNIX-like or UNIX-based operating system should work. Linux, *BSD, Solaris, OS X and others should all work. If you find any compatibility issues with any UNIX-like/based OS, please let me know.

1.6 Are there binaries available?

The tcpreplay project does not maintain binaries for any platforms. However some operating systems such as Debian GNU/Linux (apt-get) and OS X (fink) have packages available. Try searching on Google.

1.7 Is there a Microsoft Windows port?

Not really. We had one user port the code over for an old version of tcpreplay to Windows. Now we're looking for someone to help merge and maintain the code into the main development tree. If you're interested in helping with this, please contact Aaron Turner or the tcpreplay-users list. Other than that, you can download the tcpreplay-win32.zip file from the website and give it a go. Please understand that the Win32 port of tcpreplay comes with no support whatsoever, so if you run into a problem you're on your own.

1.8 How is tcpreplay licensed?

Tcpreplay is licensed under a three clause BSD-style license. For details see the docs/LICENSE file included with the source code.

1.9 What is tcpreplay?

In the simplest terms, tcpreplay is a tool to send network traffic stored in pcap format back onto the network; basically the exact opposite of tcpdump. Just to make things more confusing, tcpreplay is also a suite of tools: tcpreplay, tcpprep, tcprewrite and flowreplay.

1.10 What are some uses for tcpreplay?

Originally, tcpreplay was written to test network intrusion detection systems (NIDS), however tcpreplay has been used to test firewalls, routers, and other network devices. With the addition of flowreplay, most[5] any udp or tcp service on a server can be tested as well.

1.11 What are some uses for flowreplay?

A lot of people wanted a tool like tcpreplay, but wanted to be able to replay traffic to a server. Since tcpreplay was unable to do this, I developed flowreplay which replays the data portion of the flow, but recreates the connection to the specified server(s). This makes flowreplay an ideal tool to test host intrusion detection systems (HIDS) as well as captured exploits and security patches when the actual exploit code is not available. Please note that flowreplay is still alpha quality code which means it doesn't work very well (some would argue it doesn't work at all) and is currently missing some important features. Feel free to try flowreplay, but unless you're willing and able to contribute, don't bother complaining that it doesn't work.

1.12 What is the history of tcpreplay?

Tcpreplay has had quite a few authors over the past five or so years. One of the advantages of the BSD and GPL licenses is that if someone becomes unable or unwilling to continue development, anyone else can take over.

Originally, Matt Undy of Anzen Computing wrote tcpreplay. Matt released version 1.0.1 sometime in 1999. Sometime after that, Anzen Computing was (at least partially) purchased by NFR and development ceased.

Then in 2001, two people independently started work on tcpreplay: Matt Bing of NFR and Aaron Turner of OneSecure. After developing a series of patches (the -adt branch), Aaron attempted to send the patches in to be included in the main development tree.

After some discussion between Aaron and Matt Bing, they decided to continue development together. Since then, two major rewrites have occurred, and more than thirty new features have been added, including the addition of a number of accessory tools.

Today, Aaron continues active development of the code.
Footnotes

[1] flowreplay: Flowreplay is still ``alpha'' quality and is not usable for most situations. Anyone interested in helping me develop flowreplay is encouraged to contact me.
[2] libnet: http://www.packetfactory.net/libnet/
[3] libpcap: http://www.tcpdump.org/
[4] tcpdump: http://www.tcpdump.org/
[5] most: Note that flowreplay does not support protocols such as ftp which use multiple connections.

Aaron Turner 2006-07-17