Tcpreplay is a suite of powerful tools, but with that power comes complexity. While I have done my best to write good man pages for tcpreplay and its associated utilities, I understand that many people may want more information than I can provide in the man pages. Additionally, this FAQ attempts to cover material which I feel will be of use to people using tcpreplay, as well as common questions that occur on the Tcpreplay-Users <email@example.com> mailing list.
Recently, other people and projects have developed better versions of two applications that shipped with tcpreplay 2.x:
The source code is available in tarball format on the tcpreplay homepage: http://tcpreplay.sourceforge.net/ I also encourage users familiar with Subversion to try checking out the latest code as it often has additional features and bugfixes not found in the tarballs.
svn checkout https://www.synfin.net/svn/tcpreplay/trunk tcpreplay
The tcpreplay project does not maintain binaries for any platforms. However some operating systems such as Debian GNU/Linux (apt-get) and OS X (fink) have packages available. Try searching on Google.
Not really. We had one user port the code over for an old version of tcpreplay to Windows. Now we're looking for someone to help merge and maintain the code in the main development tree. If you're interested in helping with this please contact Aaron Turner or the tcpreplay-users list. Other than that, you can download the tcpreplay-win32.zip file from the website and give it a go. Please understand that the Win32 port of tcpreplay comes with no support whatsoever, so if you run into a problem you're on your own.
Tcpreplay is licensed under a three clause BSD-style license. For details see the docs/LICENSE file included with the source code.
In the simplest terms, tcpreplay is a tool to send network traffic stored in pcap format back onto the network; basically the exact opposite of tcpdump. Just to make things more confusing, tcpreplay is also a suite of tools: tcpreplay, tcpprep, tcprewrite and flowreplay.
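As an added illustration (not part of this FAQ or of the tcpreplay project's own code): a minimal parser for the classic pcap container that tcpreplay reads, plus the inter-packet gaps a timing-faithful replayer would sleep between sends. The two-packet capture is constructed inline; the parser handles only classic pcap (not pcapng), both byte orders and both timestamp resolutions, and refuses records whose lengths exceed the snaplen or the remaining file so a corrupt capture cannot drive out-of-bounds reads.

```python
import struct

# Magic numbers of the classic pcap container. The byte order in which the
# magic appears on disk tells us the endianness of every header that follows.
_MAGIC_USEC = 0xA1B2C3D4   # timestamps in seconds + microseconds
_MAGIC_NSEC = 0xA1B23C4D   # timestamps in seconds + nanoseconds


def parse_pcap(data: bytes):
    """Parse an in-memory classic pcap file.

    Returns (linktype, packets) where packets is a list of
    (timestamp_seconds, captured_bytes) in file order.
    Raises ValueError on a malformed or truncated file.
    """
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    for endian in ("<", ">"):
        magic = struct.unpack(endian + "I", data[:4])[0]
        if magic in (_MAGIC_USEC, _MAGIC_NSEC):
            break
    else:
        raise ValueError("not a classic pcap file (bad magic)")
    ts_divisor = 1_000_000 if magic == _MAGIC_USEC else 1_000_000_000
    # magic, version major/minor, timezone offset, sigfigs, snaplen, linktype
    _, major, minor, _tz, _sig, snaplen, linktype = struct.unpack(
        endian + "IHHiIII", data[:24])
    if (major, minor) != (2, 4):
        raise ValueError(f"unsupported pcap version {major}.{minor}")

    packets = []
    off = 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError(f"truncated record header at offset {off}")
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(
            endian + "IIII", data[off:off + 16])
        off += 16
        # A record claiming more bytes than the snaplen, than its original
        # length, or than remain in the file is corrupt: stop, do not over-read.
        if incl_len > snaplen or incl_len > orig_len or off + incl_len > len(data):
            raise ValueError(f"bad record length {incl_len} at offset {off - 16}")
        packets.append((ts_sec + ts_frac / ts_divisor, data[off:off + incl_len]))
        off += incl_len
    return linktype, packets


def replay_schedule(packets):
    """Seconds a timing-faithful replayer would wait before sending each
    packet, derived from the capture timestamps; the first goes immediately."""
    gaps, prev = [], None
    for ts, _ in packets:
        gaps.append(0.0 if prev is None else max(0.0, ts - prev))
        prev = ts
    return gaps


def is_well_formed(data: bytes) -> bool:
    """True if parse_pcap accepts the whole file."""
    try:
        parse_pcap(data)
        return True
    except ValueError:
        return False


def build_sample_pcap() -> bytes:
    """Constructed sample: little-endian, Ethernet (linktype 1), two frames
    250 ms apart. Frame contents are filler, not real protocol payloads."""
    hdr = struct.pack("<IHHiIII", _MAGIC_USEC, 2, 4, 0, 0, 65535, 1)
    frames = [
        (1_000_000, 0,       b"\xff" * 6 + b"\x00" * 6 + b"\x08\x06" + b"A" * 28),  # 42 bytes
        (1_000_000, 250_000, b"\xff" * 6 + b"\x00" * 6 + b"\x08\x00" + b"B" * 46),  # 60 bytes
    ]
    body = b""
    for sec, frac, frame in frames:
        body += struct.pack("<IIII", sec, frac, len(frame), len(frame)) + frame
    return hdr + body


if __name__ == "__main__":
    linktype, pkts = parse_pcap(build_sample_pcap())
    print(f"linktype={linktype} packets={len(pkts)}")
    for gap, (ts, frame) in zip(replay_schedule(pkts), pkts):
        print(f"  sleep {gap:.3f}s then send {len(frame)} bytes (ts={ts:.6f})")
```

The gap list is what distinguishes replaying a capture from merely sending its frames back to back; a replayer that ignores it changes the traffic's timing profile, which matters when the device under test is rate- or timeout-sensitive.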
Originally, tcpreplay was written to test network intrusion detection systems (NIDS); however, tcpreplay has also been used to test firewalls, routers, and other network devices. With the addition of flowreplay, most any UDP or TCP service on a server can be tested as well.
A lot of people wanted a tool like tcpreplay, but wanted to be able to replay traffic to a server. Since tcpreplay was unable to do this, I developed flowreplay which replays the data portion of the flow, but recreates the connection to the specified server(s). This makes flowreplay an ideal tool to test host intrusion detection systems (HIDS) as well as captured exploits and security patches when the actual exploit code is not available. Please note that flowreplay is still alpha quality code which means it doesn't work very well (some would argue it doesn't work at all) and is currently missing some important features. Feel free to try flowreplay, but unless you're willing and able to contribute, don't bother complaining that it doesn't work.
Tcpreplay has had quite a few authors over the past five or so years. One of the advantages of the BSD and GPL licenses is that if someone becomes unable or unwilling to continue development, anyone else can take over.
Originally, Matt Undy of Anzen Computing wrote tcpreplay. Matt released version 1.0.1 sometime in 1999. Sometime after that, Anzen Computing was (at least partially) purchased by NFR and development ceased.
Then in 2001, two people independently started work on tcpreplay: Matt Bing of NFR and Aaron Turner of OneSecure. After developing a series of patches (the -adt branch), Aaron attempted to send the patches in to be included in the main development tree.
After some discussion between Aaron and Matt Bing, they decided to continue development together. Since then, two major rewrites have occurred, and more than thirty new features have been added, including the addition of a number of accessory tools.
Today, Aaron continues active development of the code.